TopicX | Matric Rewrite Programme | Registrations Open
REGISTER HERE

Privacy

Policy

1. Purpose

This Privacy Policy applies to personal information that Just Brands Africa (PTY) Ltd, Reg. 2013/228381/07, (‘Just Brands Africa’ or ‘Company’) may process in regard to any or all of the services contemplated by this notice directly, through and to the benefit of the platform TOPIC, or contracted third party affiliates which will be collected.

This policy also serves to protect the Company from compliance risks associated with the protection of personal information which includes:

  • Breaches of confidentiality
  • Failing to offer choice to Data subjects to choose how and for what purpose their information is used for
  • Reputational damage

The policy also demonstrates the Company’s commitment to protecting the privacy rights of  Data subjects.

2. Scope

This document applies to the Company’s Board of Directors, all employees, contractors, suppliers, clients, persons acting on behalf of the company and all potential and existing Data subjects.

3. Introduction

The Protection of Personal Information Act, 4 of 2013 (‘POPIA’) requires the Company to inform Data subjects as to how their personal information is used, collected, disclosed and destroyed.

The Company is committed to compliance with POPIA and other applicable legislation, protecting the privacy of Data subjects and ensuring that their personal information is used appropriately, transparently and securely.

This policy is made available on the Company’s website https://topic.co.za/  and should be read in conjunction with the Company’s Website Privacy Notice.

4. Definitions

4.1 PERSONAL INFORMATION

Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an existing, identifiable juristic person and may include but is not  limited to:

  1. information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic- or social- origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. the biometric information of the person;
  5. the personal opinions, views or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. information regarded as confidential business information;
  8. the views or opinions of another individual about the person; and
  9. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

4.2. DATA SUBJECT

This refers to the natural or juristic person to whom personal information relates, such as employees, clients, delegates, sub-contractors or a company that supplies the Company with goods or services.

4.3. BREACH

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4.4. PROCESSING

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

5. Rights of data subjects

The Company will ensure that it makes Data subjects aware of their rights as appropriate and specifically with regards to the following:

5.1. THE RIGHT TO ACCESS PERSONAL INFORMATION

Data subjects have the right to establish whether the Company holds personal information related to them, including the right to request access to that personal information.

5.2. THE RIGHT TO HAVE PERSONAL INFORMATION CORRECTED OR DELETED

Data subjects also have the right to ask the Company to update, correct or delete their personal information on reasonable grounds.

5.3. THE RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL INFORMATION

Data subjects have the right on reasonable grounds, to object to the processing of their personal information.

The Company will consider such requests and the requirements of POPIA and may cease to  process such personal information and may, subject to statutory and contractual record keeping requirements, also destroy the personal information.

5.4. THE RIGHT TO OBJECT TO DIRECT MARKETING

Data subjects have the right to object to their personal information being used for the purposes of direct marketing by means of unsolicited electronic communications.

5.5. THE RIGHT TO COMPLAIN TO THE INFORMATION REGULATOR

Data subjects have the right to submit a complaint to the Information Regulator regarding infringements of any of their rights protected under POPIA and to institute civil proceedings against alleged non-compliance with the protection of their personal information.

5.6. THE RIGHT TO BE INFORMED

Data subjects have the right to be informed that their personal information is being  collected by the Company and should also be notified in any situation where the Company  reasonably believe that the personal information of data subjects has been accessed by  unauthorised person/s.

6. General principles

All employees and persons acting on behalf of the Company will be subject to the following guiding principles:

6.1. ACCOUNTABILITY

Compliance failure could damage the reputation of the company and its shareholder, the  Company. The Company could also be exposed to a civil claim for damages. The  protection of personal information is therefore everybody’s responsibility.

The Company will take appropriate steps including disciplinary action against individuals who through intentional or negligent actions and/or omissions fail to comply with this policy.

6.2. PROCESSING LIMITATION

The Company collects personal information directly from Data subjects only as pertains to business requirements. The type of information will depend on the need for which it is  collected and will be processed for that purpose only. Just Brands Africa (PTY) Ltd will inform Data subjects as to  what information is mandatory or deemed optional, as far as possible.

Personal information will only be used for the purpose for which it was collected, intended  and as agreed. This may include: 

  1. Registering delegates on training courses;
  2. Issuing certificates to delegates upon successful completion of training courses;
  3. Processing claims received from subcontractors;
  4. Issuing tax certificates to subcontractors;
  5. Recruitment activities of students and employees;
  6. Record keeping and payment of employees;
  7. Administration of employment benefits;
  8. Recording and payment of suppliers;
  9. Confirming, verifying and updating client information;
  10. For registration purposes with statutory bodies (CIPC, SARS) and institutions (banks);
  11. Contractual obligations;
  12. In connection with legal proceedings;
  13. In connection with and to comply with legal and regulatory requirements or when allowed by law;
  14. For audit and reporting purposes; and
  15. Marketing activities as provided in POPIA and the Consumer Protection Act 68 of 2008 (‘CPA’).

 

According to Section 10 of POPIA, personal information may only be processed if the purpose for which it is processed, is adequate, relevant and not excessive. Certain conditions must be met for the Company to process personal information as in Section 11 of POPIA. These are listed below:

  1. Data subjects consent to the processing – consent is obtained during early stages of the relationship.
  2. Processing is necessary – personal information is required to facilitate the provision of services to the Data subject or for the conclusion of a contract to which the Data subject is a party.
  3. The Company is under obligation by law.
  4. The legitimate interest of the Data subject is protected – it is in their best interest to provide the personal information.
  5. Processing is in the best interest of the Company – in order to provide our services to the Data subject.

7. Specific duties and responsibilities

7.1. BOARD OF DIRECTORS

The Company’s Board of Directors is ultimately accountable for ensuring that the Company  meets its obligations under POPIA. The Board of Directors may however delegate some of  its responsibilities to management or other capable individuals.

7.2. CHIEF EXECUTIVE OFFICER

The Chief Executive Officer is by virtue of the position, appointed automatically as  Information Officer in terms of the Promotion of Access to Information Act and POPIA and  may authorise any person in the Company to act as the Information Officer of the  Company. The CEO however retains the responsibility and accountability for any powers or  the functions authorised to that person and has the right to amend and/or withdraw any of  these powers, duties and responsibilities.

7.3. THE COMPANY’S INFORMATION OFFICER IS RESPONSIBLE FOR THE FOLLOWING:

  1. Taking steps to ensure the Company’s reasonable compliance to POPIA;
  2. Reviewing the Company’s information protection procedures and policies;
  3. Ensuring that the Company makes it convenient for Data subjects to communicate with the Company regarding their personal information;
  4. Encourage compliance with the lawful processing of personal information;
  5. Ensure that employees and persons acting on behalf of the Company are aware of the risks associated with the processing of personal information;
  6. Ensure that employees are trained in the processing of personal information;
  7. Address employees’ POPIA related questions;
  8. Address POPIA related requests and complaints made by the Company’s Data subjects; and
  9. Act as contact point for the Information Regulator on issues pertaining to the processing of personal information.

7.4. THE COMPANY’S EXECUTIVE MANAGER IN CHARGE OF INFORMATION TECHNOLOGY IS RESPONSIBLE FOR:

  1. Ensuring that the Company’s IT infrastructure and any other devices used for processing personal information meet acceptable security standards;
  2. Ensuring that servers containing personal information are sited in a secure location;
  3. Ensuring that all electronically stored information is backed-up and tested on a regular basis;
  4. Ensuring that all back-ups are protected from unauthorised access, accidental deletion and malicious hacking attempts;
  5. Ensuring that information being transferred electronically is encrypted;
  6. Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software;
  7. Performing regular IT audits to ensure that the security of the Company’s hardware and software systems are functioning properly;
  8. Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by unauthorised persons; and
  9. Performing a proper due diligence review prior to contracting with third party providers to process personal information on the Company’s behalf.

7.5. EMPLOYEES AND OTHER PERSONS ACTING ON BEHALF OF THE COMPANY ARE RESPONSIBLE FOR:

  1. Keeping all personal information that they come into contact with secure by taking precautions and complying with this policy;
  2. Ensuring that personal information is kept in as few places as is necessary;
  3. Ensuring that personal information is encrypted prior to sharing the information electronically;
  4. Ensuring that all devices such as computers, flash drives, etc. are password protected and never left unattended (refer to the Company’s Electronic Communications policy);
  5. Ensure that computer screens and other devices are switched off when not in use;
  6. Ensure that removable storage devices such as external drives that contain personal information are locked away securely when not being used;
  7. Ensure that where personal information is stored on paper, that such hard copies are kept in a secure place where unauthorised persons are not able to access it;
  8. Ensure that where personal information has been printed out, that the printouts are not left unattended where unauthorised individuals could see them;
  9. Take reasonable steps to ensure that personal information is stored only for as long as it is needed or required;
  10. Undergo POPIA awareness training from time to time.
  11. Employees and other persons acting on behalf of the company will under not circumstances:
  12. Process personal information where it is not a requirement to perform their workrelated duties;
  13. Save copies of personal information directly to their own private computers or mobile devices; and
  14. Share personal information informally.

8. Data breach procedure

8.1 REPORTING A POSSIBLE BREACH

Any employee who becomes aware of a possible breach of Personal Information must immediately inform their line manager and the Information Officer and/or the Deputy Information Officers.

The employee must ensure to retain any evidence they have in relation to the breach and provide a written statement setting out any relevant information relating to the suspected data breach using the Data Breach Record.

Employees may not attempt to investigate the suspected breach themselves and must not notify the affected data subjects. The data breach team  will investigate and assess the suspected breach and will determine who will be notified and how.

8.2. RESPONSE PLAN

The Company’s CEO,the Information Officer, or designated deputy Information Officer will assemble a team to  investigate, manage and respond to the data breach.

The breach team will then:

  1. Make an urgent preliminary assessment of what data have been lost, why and how.
  2. Take immediate steps to contain the breach and recover any lost data.
  3. Undertake a full and detailed assessment of the breach.
  4. Record the breach in the company’s data breach register.
  5. Notify the Information Regulator, if necessary.
  6. Notify affected data subjects, if necessary.
  7. Put in place any measures to address it and to mitigate its possible adverse effects and to prevent further breaches.

9. Data breach register

The company will maintain a register of all personal data breaches regardless of whether or  not it is notifiable to the Information Regulator. The register will include a record of:

  1. The facts relating to the breach including the cause, what happened and what personal data were effected;
  2. the effects of the breach; and
  3. the remedial actions Just Brands Africa (PTY) Ltd have taken.

10. Notification to the Information Regulator

Not all personal data breaches have to be notified to the Information Regulator. The  breach will only have to be notified if it is likely to result in a risk to the rights and freedoms  of data subjects and this will be assessed by the company on a case-by-case basis.

11. Notifications to data subjects

The data breach team will consider several factors in determining the notifications to  individuals affected by the data breach including but not limited to:

  1. Contractual obligations;
  2. Risk of identity theft or fraud because of the type of information lost such as contact details, bank information or identity numbers;
  3. Risk of physical harm;
  4. Risk of hurt, humiliation or damage to reputation if the information includes medical or disciplinary records; and
  5. Number of data subjects affected.


Affected individuals must be notified without unreasonable delay, unless such notification  will impair a criminal investigation. Notices must be in plain language and include basic  information such as what happened, type of information involved, steps being taken, steps  individuals should take and contact information.

12. Disciplinary action

The Company may recommend appropriate legal or disciplinary action to be taken against  any employee found to be implicated in any non-compliant activity outlined within this  policy.

Any gross negligence or intentional mismanagement of personal information will be considered a serious form of misconduct under the Company’s Disciplinary code and may lead to dismissal.

Examples of actions that may be taken subsequent to an investigation include:

  1. A recommendation to commence with disciplinary action
  2. A referral to law enforcement agencies for criminal investigation
  3. Recovery of funds in order to limit any damages caused.

How to contact us

Information Officer:

Francois van Louw

E: francois@jbafrica.com

T: +27 73 102 4961

Deputy Information Officers:

Nicholas Manuel 

E: nick@jbafrica.com

T: +27 76 546 7153

Ben Henning

E: ben@jbafrica.com

T: +27 63 802 2173

Nicholas Curtin

E: nicholas@jbafrica.com

T: +27 81 454 9493

Study on your own terms!

Sign Up Now

Augmenting Mainstream Schooling

Sign Up
Facebook-f Instagram Tiktok

Grade 10

Grade 11

Grade 12

Quick Links

Further Reading

Help Center

  • Call Us
    021 879 5803
  • Email Us
    info@topic.co.za
© 2023 Topic | All Rights Reserved | Powered by SOCO_ED