Privacy Policy
1. Purpose
- Breaches of confidentiality
- Failing to offer Data subjects a choice as to how and for what purpose their information is used
- Reputational damage
The policy also demonstrates the Company’s commitment to protecting the privacy rights of Data subjects.
2. Scope
This document applies to the Company’s Board of Directors, all employees, contractors, suppliers, clients, persons acting on behalf of the company and all potential and existing Data subjects.
3. Introduction
The Protection of Personal Information Act, 4 of 2013 (‘POPIA’) requires the Company to inform Data subjects as to how their personal information is used, collected, disclosed and destroyed.
The Company is committed to compliance with POPIA and other applicable legislation, protecting the privacy of Data subjects and ensuring that their personal information is used appropriately, transparently and securely.
This policy is made available on the Company’s website https://topicx.co.za/ and should be read in conjunction with the Company’s Website Privacy Notice.
4. Definitions
4.1. PERSONAL INFORMATION
Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an existing, identifiable juristic person and may include but is not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- information regarded as confidential business information;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
4.2. DATA SUBJECT
This refers to the natural or juristic person to whom personal information relates, such as employees, clients, delegates, sub-contractors or a company that supplies the Company with goods or services.
4.3. BREACH
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4.4. PROCESSING
Any operation or activity, whether or not by automatic means, concerning personal information, including its collection, receipt, recording, organisation, storage, updating, retrieval, use, dissemination, merging, linking, restriction, erasure or destruction.
5. Rights of data subjects
The Company will ensure that it makes data subjects aware of their rights as appropriate and specifically with regards to the following:
5.1. THE RIGHT TO ACCESS PERSONAL INFORMATION
Data subjects have the right to establish whether the Company holds personal information related to them, including the right to request access to that personal information.
5.2. THE RIGHT TO HAVE PERSONAL INFORMATION CORRECTED OR DELETED
Data subjects also have the right to ask the Company to update, correct or delete their personal information on reasonable grounds.
5.3. THE RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL INFORMATION
Data subjects have the right on reasonable grounds, to object to the processing of their personal information.
The Company will consider such requests and the requirements of POPIA and may cease to process such personal information and may, subject to statutory and contractual record-keeping requirements, also destroy the personal information.
5.4. THE RIGHT TO OBJECT TO DIRECT MARKETING
Data subjects have the right to object to their personal information being used for the purposes of direct marketing by means of unsolicited electronic communications.
5.5. THE RIGHT TO COMPLAIN TO THE INFORMATION REGULATOR
Data subjects have the right to submit a complaint to the Information Regulator regarding infringements of any of their rights protected under POPIA and to institute civil proceedings against alleged non-compliance with the protection of their personal information.
5.6. THE RIGHT TO BE INFORMED
Data subjects have the right to be informed that their personal information is being collected by the Company and should also be notified in any situation where the Company reasonably believes that the personal information of data subjects has been accessed by unauthorised person/s.
6. General principles
All employees and persons acting on behalf of the Company will be subject to the following guiding principles:
6.1. ACCOUNTABILITY
Compliance failure could damage the reputation of the Company and its shareholder, and could also expose the Company to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.
The Company will take appropriate steps including disciplinary action against individuals who through intentional or negligent actions and/or omissions fail to comply with this policy.
6.2. PROCESSING LIMITATION
The Company collects personal information directly from Data subjects only insofar as it is required for business purposes. The type of information collected will depend on the need for which it is collected, and it will be processed for that purpose only. Just Brands Africa (PTY) Ltd will, as far as possible, inform Data subjects which information is mandatory and which is optional.
Personal information will only be used for the purpose for which it was collected, intended and as agreed.
This may include:
- Registering delegates on training courses;
- Issuing certificates to delegates upon successful completion of training courses;
- Processing claims received from subcontractors;
- Issuing tax certificates to subcontractors;
- Recruitment activities of students and employees;
- Record keeping and payment of employees;
- Administration of employment benefits;
- Recording and payment of suppliers;
- Confirming, verifying and updating client information;
- For registration purposes with statutory bodies (CIPC, SARS) and institutions (banks);
- Contractual obligations;
- In connection with legal proceedings;
- In connection with and to comply with legal and regulatory requirements or when allowed by law;
- For audit and reporting purposes; and
- Marketing activities as provided in POPIA and the Consumer Protection Act 68 of 2008 (‘CPA’).
According to Section 10 of POPIA, personal information may only be processed if the purpose for which it is processed is adequate, relevant and not excessive. Certain conditions must be met for the Company to process personal information as set out in Section 11 of POPIA. These are listed below:
- Data subjects consent to the processing – consent is obtained during the early stages of the relationship.
- Processing is necessary – personal information is required to facilitate the provision of services to the Data subject or for the conclusion of a contract to which the Data subject is a party.
- The Company is under an obligation by law.
- The legitimate interest of the Data subject is protected – it is in their best interest to provide the personal information.
- Processing is in the legitimate interest of the Company – in order to provide our services to the Data subject.
7. Specific duties and responsibilities
7.1. BOARD OF DIRECTORS
The Company’s Board of Directors is ultimately accountable for ensuring that the Company meets its obligations under POPIA. The Board of Directors may however delegate some of its responsibilities to management or other capable individuals.
7.2. CHIEF EXECUTIVE OFFICER
The Chief Executive Officer is by virtue of the position, appointed automatically as Information Officer in terms of the Promotion of Access to Information Act and POPIA and may authorise any person in the Company to act as the Information Officer of the Company.
The CEO however retains the responsibility and accountability for any powers or the functions authorised to that person and has the right to amend and/or withdraw any of these powers, duties and responsibilities.
7.3. THE COMPANY’S INFORMATION OFFICER IS RESPONSIBLE FOR THE FOLLOWING:
- Taking steps to ensure the Company’s reasonable compliance to POPIA;
- Reviewing the Company’s information protection procedures and policies;
- Ensuring that the Company makes it convenient for Data subjects to communicate with the Company regarding their personal information;
- Encouraging compliance with the lawful processing of personal information;
- Ensuring that employees and persons acting on behalf of the Company are aware of the risks associated with the processing of personal information;
- Ensuring that employees are trained in the processing of personal information;
- Addressing employees’ POPIA-related questions;
- Addressing POPIA-related requests and complaints made by the Company’s Data subjects; and
- Acting as the contact point for the Information Regulator on issues pertaining to the processing of personal information.
7.4. THE COMPANY’S EXECUTIVE MANAGER IN CHARGE OF INFORMATION TECHNOLOGY IS RESPONSIBLE FOR:
- Ensuring that the Company’s IT infrastructure and any other devices used for processing personal information meet acceptable security standards;
- Ensuring that servers containing personal information are sited in a secure location;
- Ensuring that all electronically stored information is backed up and tested on a regular basis;
- Ensuring that all back-ups are protected from unauthorised access, accidental deletion and malicious hacking attempts;
- Ensuring that information being transferred electronically is encrypted;
- Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software;
- Performing regular IT audits to ensure that the security controls of the Company’s hardware and software systems are functioning properly;
- Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by unauthorised persons; and
- Performing a proper due diligence review prior to contracting with third-party providers to process personal information on the Company’s behalf.
7.5. EMPLOYEES AND OTHER PERSONS ACTING ON BEHALF OF THE COMPANY ARE RESPONSIBLE FOR:
- Keeping all personal information that they come into contact with secure by taking precautions and complying with this policy;
- Ensuring that personal information is kept in as few places as is necessary;
- Ensuring that personal information is encrypted prior to sharing the information electronically;
- Ensuring that all devices such as computers, flash drives, etc. are password protected and never left unattended (refer to the Company’s Electronic Communications policy);
- Ensuring that computer screens and other devices are switched off when not in use;
- Ensuring that removable storage devices, such as external drives, that contain personal information are locked away securely when not in use;
- Ensuring that, where personal information is stored on paper, such hard copies are kept in a secure place where unauthorised persons are not able to access them;
- Ensuring that, where personal information has been printed out, the printouts are not left unattended where unauthorised individuals could see them;
- Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required; and
- Undergoing POPIA awareness training from time to time.
Employees and other persons acting on behalf of the Company will under no circumstances:
- Process personal information where it is not required to perform their work-related duties;
- Save copies of personal information directly to their own private computers or mobile devices; and
- Share personal information informally.
8. Data breach procedure
8.1. REPORTING A POSSIBLE BREACH
Any employee who becomes aware of a possible breach of Personal Information must immediately inform their line manager and the Information Officer and/or the Deputy Information Officers.
The employee must retain any evidence they have in relation to the breach and provide a written statement, using the Data Breach Record, setting out all relevant information relating to the suspected data breach.
Employees may not attempt to investigate the suspected breach themselves and must not notify the affected data subjects. The data breach team will investigate and assess the suspected breach and will determine who will be notified and how.
8.2. RESPONSE PLAN
The Company’s CEO, the Information Officer, or the designated Deputy Information Officer will assemble a team to investigate, manage and respond to the data breach.
The breach team will then:
- Make an urgent preliminary assessment of what data has been lost, why and how.
- Take immediate steps to contain the breach and recover any lost data.
- Undertake a full and detailed assessment of the breach.
- Record the breach in the company’s data breach register.
- Notify the Information Regulator, if necessary.
- Notify affected data subjects, if necessary.
- Put in place any measures to address it and to mitigate its possible adverse effects and to prevent further breaches.
9. Data breach register
The company will maintain a register of all personal data breaches regardless of whether or not it is notifiable to the Information Regulator.
The register will include a record of:
- The facts relating to the breach including the cause, what happened and what personal data were affected;
- the effects of the breach; and
- the remedial actions Just Brands Africa (PTY) Ltd has taken.
10. Notification to the Information Regulator
Not all personal data breaches have to be notified to the Information Regulator. A breach only has to be notified if it is likely to result in a risk to the rights and freedoms of data subjects; this will be assessed by the Company on a case-by-case basis.
11. Notifications to data subjects
The data breach team will consider several factors in determining the notifications to individuals affected by the data breach including but not limited to:
- Contractual obligations;
- Risk of identity theft or fraud because of the type of information lost such as contact details, bank information or identity numbers;
- Risk of physical harm;
- Risk of hurt, humiliation or damage to reputation if the information includes medical or disciplinary records; and
- Number of data subjects affected.
Affected individuals must be notified without unreasonable delay, unless such notification would impair a criminal investigation. Notices must be in plain language and include basic information such as what happened, the type of information involved, the steps being taken, the steps individuals should take, and contact information.
12. Disciplinary action
The Company may recommend appropriate legal or disciplinary action to be taken against any employee found to be implicated in any non-compliant activity outlined within this policy.
Any gross negligence or intentional mismanagement of personal information will be considered a serious form of misconduct under the Company’s Disciplinary code and may lead to dismissal.
Examples of actions that may be taken subsequent to an investigation include:
- A recommendation to commence with disciplinary action;
- A referral to law enforcement agencies for criminal investigation; and
- Recovery of funds in order to limit any damages caused.
How to contact us
Information Officer:
Francois van Louw
E: francois@jbafrica.com
T: +27 73 102 4961
Deputy Information Officers:
Nicholas Manuel
E: nick@jbafrica.com
T: +27 76 546 7153
Ben Henning
E: ben@jbafrica.com
Nicholas Curtin
E: nicholas@jbafrica.com