1. PURPOSE OF THIS POLICY
The purpose of this Policy is to inform Data Subjects about how PAS PROKUREURS PRETORIA Processes their Personal Information.
DEFINITIONS
“Data Subject” means the person to whom the personal information relates;
“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including – The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use; Dissemination by means of transmission, distribution or making available in any other form; or Merging, linking, as well as restriction, degradation, erasure, or destruction of information.
“Personal Information” – information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –
“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means of processing personal information, the agent/agency;
2. APPLICATION
2.1 PAS PROKUREURS PRETORIA, in its capacity as Responsible Party and/or Operator, shall strive to observe, and comply with its obligations under POPIA as well as accepted information protection principles, practices, and guidelines when it Processes Personal Information from or in respect of a Data Subject.
2.2 This Policy applies to Personal Information collected by PAS PROKUREURS PRETORIA in connection with the services which we offer and provide. This includes information collected directly from you as a Data Subject, as well as information we collect indirectly through our Direct marketing campaigns and online through our websites, branded pages on Third Party platforms, and applications accessed or used through such websites or Third Party platforms which are operated by or on behalf of PAS PROKUREURS PRETORIA.
2.3 This Privacy Policy does not apply to the information practice of Third Party companies whom we may engage with in relation to our business operations (including, without limitation, their websites, platforms, and/or applications) which we do not own or control; or individuals that PAS PROKUREURS PRETORIA does not manage or employ. These Third Party sites may have their own privacy policies and terms and conditions and we encourage you to read them before using them.
3. PROCESS OF COLLECTING PERSONAL INFORMATION
3.1 PAS PROKUREURS PRETORIA collects Personal Information directly from Data Subjects unless an exception is applicable (such as, for example, where the Data Subject’s Personal Information is made public or of public record).
3.2 PAS PROKUREURS PRETORIA will always collect Personal Information in a fair, lawful, and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.
3.3 PAS PROKUREURS PRETORIA often collects Personal Information directly from the Data Subject and/or in some cases, from Third Parties.
3.4 Where PAS PROKUREURS PRETORIA obtains Personal Information from Third Parties, PAS PROKUREURS PRETORIA will ensure that it obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject’s consent where PAS PROKUREURS PRETORIA is permitted to do so in terms of clause 3.1 above.
3.5 Examples of such Third Parties include (i) our clients when PAS PROKUREURS PRETORIA handles Personal Information on their behalf; (ii) credit reference agencies; (iii) other companies providing services to PAS PROKUREURS PRETORIA; and (iv) where PAS PROKUREURS PRETORIA makes use of publicly available sources of information.
4. LAWFUL PROCESSING OF PERSONAL INFORMATION
4.1 Where PAS PROKUREURS PRETORIA is the Responsible Party, it will only Process a Data Subject’s Personal Information (other than for Special Personal Information) where –
4.1.1 consent of the Data Subject (or a competent person where the Data Subject is a Child) is obtained;
4.1.2 Processing is necessary to carry out the actions for the conclusion of a contract to which a Data Subject is a party;
4.1.3 Processing complies with an obligation imposed by law on PAS PROKUREURS PRETORIA;
4.1.4 Processing protects a legitimate interest of the Data Subject;
4.1.5 Processing is necessary for pursuing the legitimate interests of PAS PROKUREURS PRETORIA or of a third party to whom the information is supplied; and/or
4.1.6 Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in PAS PROKUREURS PRETORIA.
4.2 PAS PROKUREURS PRETORIA will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above is present.
4.3 PAS PROKUREURS PRETORIA will make the manner and reason for which the Personal Information will be processed clear to the Data Subject;
4.4 Where PAS PROKUREURS PRETORIA is relying on a Data Subject’s consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to PAS PROKUREURS PRETORIA’s Processing of the Personal Information at any Processing carried out prior to the withdrawal of consent.
4.5 If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, PAS PROKUREURS PRETORIA will ensure that the Personal Information is no longer Processed.
5. SPECIAL PERSONAL INFORMATION AND PERSONAL INFORMATION OF CHILDREN
5.1 Special Personal Information is sensitive Personal Information of a Data Subject and CDH acknowledges that it will generally not Process Special Personal Information unless (i) processing is carried out in accordance with the Data Subject’s explicit consent; or (ii) information has been deliberately made public by the Data Subject; or (iii) processing is necessary for the establishment, exercise or defence of a right or legal claim or obligation in law; or (iv) processing is for historical, statistical or research purposes, subject to stipulated safeguards; or –
For purposes of POPIA
5.1.1 specific authorisation has been obtained in terms of POPIA; and
For purposes of GDPR
5.1.2 Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of PAS PROKUREURS PRETORIA or if the Data Subject is physically or legally incapable of giving consent;
5.1.3 Processing is necessary to protect the vital interest of the data subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
5.1.4 Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
5.1.5 Processing is necessary for reasons of substantial public interest;
5.1.6 Processing is necessary for the purposes of preventative or occupational medicine; or
5.1.7 Processing is necessary for reasons of public interest in the area of public health.
5.2 PAS PROKUREURS PRETORIA acknowledges that it may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.
6. PURPOSE FOR PROCESSING PERSONAL INFORMATION
6.1 PAS PROKUREURS PRETORIA understands its obligation to make Data Subjects aware of the fact that it is Processing their Personal Information and inform them of the purpose for which PAS PROKUREURS PRETORIA Processes such Personal Information.
6.2 PAS PROKUREURS PRETORIA will only Process a Data Subject’s Personal Information for a specific, lawful, and clear purpose (or for specific, lawful, and clear purposes) and will ensure that it makes the Data Subject aware of such purpose(s) as far as possible.
6.3 It will ensure that there is a legal basis for the Processing of any Personal Information. Further, PAS PROKUREURS PRETORIA will ensure that Processing will relate only to the purpose of which the Data Subject has been made aware (and where relevant, consented to) and will not Process any Personal Information for any other purpose(s).
6.4 PAS PROKUREURS PRETORIA will generally use Personal Information for purposes required to operate and manage its normal business operations and these purposes include one or more of the following non-exhaustive purposes –
6.4.1 For the purpose of providing its services to the Data Subject from time to time;
6.4.2 Personal Information is processed as part of the process as per requirements of the Financial Intelligence Centre Act 38 of 2001;
6.4.3 Personal Information is processed in order to conduct due diligence processes on PAS PROKUREURS PRETORIA Clients;
6.4.4 Personal Information is processed in order to comply with obligations imposed on PAS PROKUREURS PRETORIA under the Based Black Economic Empowerment Act 53 of 2003 (BEE Act).
6.4.5 Personal Information is processed for the purpose of performing general information technology-related functions for all business functions within PAS PROKUREURS PRETORIA.
6.4.6 For purposes of interacting with you on our Website and generally monitoring your use of our Website.
6.4.7 Personal Information is processed in connection with internal audit purposes;
6.4.8 Personal Information is processed for employment-related purposes such as administering payroll, assessing credit and criminal history, and determining Employment Equity Act 55 of 1998 statistics;
6.4.9 To respond to any correspondence that the Data Subject may send to PAS PROKUREURS PRETORIA, including via email, PAS PROKUREURS PRETORIA’s site(s), or by telephone;
6.4.10 In connection with the execution of payment processing functions, including payment of PAS PROKUREURS PRETORIA’s suppliers’ invoices;
6.4.11 For such other purposes to which the Data Subject may consent from time to time; and
6.5 For such other purposes as authorised in terms of applicable law.
7. KEEPING PERSONAL INFORMATION ACCURATE
7.1 PAS PROKUREURS PRETORIA will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further processed.
7.2 PAS PROKUREURS PRETORIA may not always expressly request the Data Subject to verify and update his/her/its Personal Information, unless this process is specifically necessary.
7.3 PAS PROKUREURS PRETORIA, however, expects that the Data Subject will notify PAS PROKUREURS PRETORIA from time to time in writing of any updates required in respect of his/her/its Personal Information.
8. STORAGE AND PROCESSING OF PERSONAL INFORMATION BY PAS PROKUREURS PRETORIA AND THIRD PARTY SERVICE PROVIDERS
8.1 PAS PROKUREURS PRETORIA may store your Personal Information in hardcopy format and/or in electronic format using PAS PROKUREURS PRETORIA’s own secure on-site servers or other internally hosted technology. Your Personal Information may also be stored by Third Parties, via cloud services or other technology, with whom PAS PROKUREURS PRETORIA has contracted, to support PAS PROKUREURS PRETORIA’s business operations.
8.2 PAS PROKUREURS PRETORIA’s third-party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.
8.3 PAS PROKUREURS PRETORIA will ensure that such third-party service providers will process the Personal Information in accordance with the provisions of the Policy, all other relevant internal policies and procedures, and POPIA and, where relevant, GDPR.
8.4 These Third Parties do not use or have access to your Personal Information other than for purposes specified by us, and PAS PROKUREURS PRETORIA requires such parties to employ at least the same level of security that PAS PROKUREURS PRETORIA uses to protect your personal data.
8.5 Your Personal Information may be Processed in South Africa or another country where PAS PROKUREURS PRETORIA, its affiliates, and their Third-Party service providers maintain servers and facilities and that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law.
9. PERSONAL INFORMATION FOR DIRECT MARKETING PURPOSES
9.1 To the extent that PAS PROKUREURS PRETORIA acts in its capacity as a Direct Marketer, it shall strive to observe and comply with its obligations under POPIA and, where relevant, the GDPR when implementing principles and practices in relation to Direct Marketing.
9.2 PAS PROKUREURS PRETORIA acknowledges that it may only use Personal Information to contact the Data Subject for purposes of Direct Marketing from time to time where it is permissible to do so.
9.3 It may use Personal Information to contact any Data Subject and/or market PAS PROKUREURS PRETORIA’s services directly to the Data Subject(s) if the Data Subject is one of PAS PROKUREURS PRETORIA’s existing clients, the Data Subject has requested to receive marketing material from PAS PROKUREURS PRETORIA or PAS PROKUREURS PRETORIA has the Data Subject’s consent to market its services directly to the Data Subject.
9.4 If the Data Subject is an existing client, PAS PROKUREURS PRETORIA will only use his/her/its Personal Information if it has obtained the Personal Information through the provision of a service to the Data Subject and only in relation to similar services to the ones PAS PROKUREURS PRETORIA previously provided to the Data Subject.
9.5 PAS PROKUREURS PRETORIA will ensure that a reasonable opportunity is given to the Data Subject to object to the use of their Personal Information for PAS PROKUREURS PRETORIA’s marketing purposes when collecting the Personal Information and on the occasion of each communication to the Data Subject for purposes of Direct Marketing.
9.6 PAS PROKUREURS PRETORIA will not use your Personal Information to send you marketing materials if you have requested not to receive them. If you request that we stop Processing your Personal Information for marketing purposes, PAS PROKUREURS PRETORIA shall do so. We encourage that such requests to opt out of marketing be made via forms and links provided for that purpose in the marketing materials sent to you.
10. RETENTION OF PERSONAL INFORMATION
10.1 PAS PROKUREURS PRETORIA may keep records of the Personal Information it has collected, correspondence, or comments in an electronic or hardcopy file format.
10.2 PAS PROKUREURS PRETORIA will not retain personal information for a period longer than is necessary to achieve the purpose for which it was collected or processed and is required to delete, destroy, or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –
10.2.1 where the retention of the record is required or authorised by law;
10.2.2 PAS PROKUREURS PRETORIA requires the record to fulfill its lawful functions or activities.
10.2.3 Retention of the record is required by a contract between the parties hereto;
10.2.4 The data subject has consented to such longer retention; or
10.2.5 The record is retained for historical, research, or statistical purposes provided safeguards are put in place to prevent use for any other purpose.
10.3 Accordingly, PAS PROKUREURS PRETORIA will, subject to the exceptions noted herein, retain Personal Information for as long as necessary to fulfil the purpose for which that Personal Information was collected and/or as permitted or required by applicable law.
10.4 Where PAS PROKUREURS PRETORIA retains Personal Information for longer periods for statistical, historical or research purposes, PAS PROKUREURS PRETORIA will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and the applicable laws.
10.5 Once the purpose for which the Personal Information was initially collected and processed no longer applies or becomes obsolete, PAS PROKUREURS PRETORIA will ensure that the Personal Information is deleted, destroyed, or de-identified sufficiently so that a person cannot re-identify such Personal Information.
10.6 In instances where we de-identified information indefinitely.
11. FAILURE TO PROVIDE PERSONAL INFORMATION
11.1 Should PAS PROKUREURS PRETORIA need to collect Personal Information by law or under the terms of a contract that PAS PROKUREURS PRETORIA may have with you and you fail to provide the Personal Information when requested, we may be unable to perform the contract we have or are attempting to enter into with you.
11.2 In such a case, PAS PROKUREURS PRETORIA may have to decline to provide or receive the relevant services, and you will be notified where this is the case.
12. SAFE-KEEPING OF PERSONAL INFORMATION
12.1 PAS PROKUREURS PRETORIA shall preserve the security of Personal Information and, in particular, prevent its alteration, loss, and damage, or access by non-authorized third parties.
12.2 PAS PROKUREURS PRETORIA will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent the loss, unlawful access, and unauthorised destruction of Personal Information.
12.3 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, PAS PROKUREURS PRETORIA implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including measures protecting any Personal Information from loss or theft, and unauthorized access, disclosure, copying, use or modification including –
12.3.1 the pseudonymization and encryption of Personal Information;
12.3.2 the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
12.3.3 The ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and
12.3.4 A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing.
12.4 Further, PAS PROKUREURS PRETORIA maintains and regularly verifies that the security measures are effective and regularly updates the same in response to new risks.
13. BREACHES OF PERSONAL INFORMATION
13.1 A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.
13.3 PAS PROKUREURS PRETORIA will address any Data Breach in accordance with the terms of POPIA and, where relevant, the GDPR.
13.4 PAS PROKUREURS PRETORIA will notify the Regulator and the affected Data Subject in respect of that Data Subject’s Personal Information.
13.5 Where PAS PROKUREURS PRETORIA acts as an “Operator” and should any Data Breach affect the data of Data Subjects whose information PAS PROKUREURS PRETORIA processed as an Operator, PAS PROKUREURS PRETORIA shall notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorised person.
14. PROVISIONS OF PERSONAL INFORMATION TO THIRD-PARTY SERVICE PROVIDERS
14.1 PAS PROKUREURS PRETORIA may disclose Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy, and POPIA and where relevant, the GDPR.
14.2 PAS PROKUREURS PRETORIA notes that such Third Parties may assist PAS PROKUREURS PRETORIA with the purposes listed in paragraph 7.4 above – for example, service providers may be used, inter alia: (i) to notify the Data Subjects of any pertinent information concerning PAS PROKUREURS PRETORIA, (ii) for data storage and/or (iii) to assist PAS PROKUREURS PRETORIA with auditing processes.
14.3 PAS PROKUREURS PRETORIA will disclose Personal Information with the consent of the Data Subject or if PAS PROKUREURS PRETORIA is permitted to do so without such consent in accordance with the applicable laws.
14.4 Further, PAS PROKUREURS PRETORIA may also send Personal Information to foreign jurisdictions outside of the Republic of South Africa, including for Processing and storage by Third Parties.
14.5 When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, PAS PROKUREURS PRETORIA will obtain the necessary consent to transfer the Personal Information where PAS PROKUREURS PRETORIA is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under POPIA and, where applicable, the GDPR.
14.6 The Data Subject should also take note that the Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held and may be subject to disclosure to the government, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.
15. ACCESS TO PERSONAL INFORMATION
15.1 A Data Subject has certain rights under POPIA and, where applicable, the GDPR, including the following:
15.1.1 a right of access; a Data Subject having provided adequate proof of identity has the right to (i) request a Responsible Party to confirm whether any Personal Information is held about the Data Subject; and/or (ii) request from a Responsible Party a description of the Personal Information held by the Responsible Party including information about Third Parties who have or have had access to the Personal Information. A Data Subject may request:
15.1.1.1 PAS PROKUREURS PRETORIA to confirm, free of charge, whether it holds any Personal Information about him/her/it; and
15.1.1.2 To obtain from PAS PROKUREURS PRETORIA the record or description of Personal Information concerning him/her/it and any information regarding the recipients or categories of recipients who have or had access to the Personal Information. Such record or description is to be provided:
15.1.1.2.1 within a reasonable time; and
15.1.1.2.2 in a reasonable manner and format and in a form that is generally understandable.
15.1.2 A right to request correction or deletion; a Data Subject may also request PAS PROKUREURS PRETORIA to –
15.1.2.1 correct or delete Personal Information about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
15.1.2.2 destroy or delete a record of Personal Information about the Data Subject that PAS PROKUREURS PRETORIA is no longer authorised to retain records in terms of POPIA’s and, where applicable, the GDPR’s retention and restriction of records provisions.
On receipt of such a request, PAS PROKUREURS PRETORIA is required to, as soon as is reasonably practicable –
15.1.2.2.1 correct the information.
15.1.2.2.2 delete or destroy the information;
15.1.2.2.3 Provide the Data Subject with evidence in support of the information; or
15.1.2.2.4 where the Data Subject and Responsible Party cannot reach an agreement on the request and if the Data Subject requests this, PAS PROKUREURS PRETORIA will take reasonable steps to attach to the information an indication that correction has been requested but has not been made;
15.1.3 a right to withdraw consent and to object to processing; a Data Subject that has previously consented to the Processing of his/her/its Personal Information has the right to withdraw such consent and may do so by providing PAS PROKUREURS PRETORIA with notice to such effect at the address set out in paragraph 21. Further, a Data Subject may object, on reasonable grounds, to the Processing of Personal Information relating to him/her/it.
15.2 Accordingly, PAS PROKUREURS PRETORIA may request the Data Subject to provide sufficient identification to permit access to or provide information regarding the existence, use, or disclosure of the Data Subject’s Personal Information.
15.3 Any such identifying information shall only be used for the purpose of facilitating access to or information regarding the Personal Information.
15.4 The Data Subject can request in writing to review any Personal Information about the Data Subject that PAS PROKUREURS PRETORIA holds including Personal Information that PAS PROKUREURS PRETORIA has collected, utilised or disclosed, as well as the following information: (i) the purposes of Processing; (ii) the categories of Personal Information concerned; (iii) where possible, the envisaged period for which the Personal Information will be stored or, if not possible, the criteria used to determine that period; (iv) the existence of the right to request from PAS PROKUREURS PRETORIA rectification or erasure of Personal Information or restriction of Processing of Personal Information concerning the Data Subject or to object to such processing; (v) the right to lodge a complaint with the Regulator; (vi) where the Personal Information is not collected from the Data Subject, any available information as to their source; and (vii) the existence of automated Processing, including profiling and, at least in those cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the Data Subject.
15.5 PAS PROKUREURS PRETORIA shall respond to these requests in accordance with POPIA and, where applicable, the GDPR and will provide the Data Subject with any such Personal Information to the extent required by law and any of PAS PROKUREURS PRETORIA’s policies and procedures which apply in terms of the Promotion of Access to Information Act 2 of 200 (PAIA).
15.6 The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information in PAS PROKUREURS PRETORIA’s records at any time in accordance with the process set out in PAS PROKUREURS PRETORIA’s manual developed in terms of PAIA for accessing information.
15.7 If a Data Subject successfully demonstrates that their Personal Information in PAS PROKUREURS PRETORIA’s records is inaccurate or incomplete, PAS PROKUREURS PRETORIA will ensure that such Personal Information is amended or deleted as required.
16. CHANGES TO THIS POLICY
16.1 PAS PROKUREURS PRETORIA reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify Data Subjects of such amendments.
16.2 The current version of this Policy will govern the respective rights and obligations between you and PAS PROKUREURS PRETORIA each time that you access and use our Website.