This Data Protection and Information Sharing Policy describes the way that CloudCo SADC (Pty) Ltd. (the “Group”) will meet its legal obligations and requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Protection of Personal Information Act, No. 4 of 2013, as that is the key piece of legislation covering security and confidentiality of personal information.
Consent
means the voluntary, specific and informed expression of will;
Data Subject
means the natural or juristic person to whom the Personal Information relates;
Direct Marketing
means approaching a Data Subject personally for the purpose of selling them a product or service, or requesting a donation;
Group
means CloudCo SADC (Pty) Ltd.
POPI
means the Protection of Personal Information Act, No. 4 of 2013;
Personal Information
Processing
means an operation or activity, whether or not by automatic means, concerning Personal Information;
The Policy applies to all Group employees, directors, sub-contractors, agents, and appointees. The provisions of the Policy are applicable to both on and off-site processing of personal information.
The Group collects and uses Personal Information of the individuals and corporate entities with whom it works in order to operate and carry out its business effectively. The Group regards the lawful and appropriate processing of all Personal Information as crucial to successful service delivery and essential to maintaining confidence between the Group and those individuals and entities who deal with it. The Group therefore fully endorses and adheres to the principles of the Protection of Personal Information Act (“POPI”).
The Group uses the Personal Information under its care in the following ways:
The Group may possess records relating to suppliers, shareholders, contractors, service providers, staff and customers:
The Group may share the Personal Information with its agents, affiliates, and associated companies who may use this information to send the Data Subject information on products and services. The Group may supply the Personal Information to any party to whom the Group may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:
Personal Information may be transmitted transborder to the Group's authorised dealers and its suppliers in other countries, and Personal Information may be stored in data servers hosted outside South Africa, which may not have adequate data protection laws. The Group will endeavour to ensure that its dealers and suppliers will make all reasonable efforts to secure said data and Personal Information.
The Group may retain Personal Information records indefinitely, unless the Data Subject objects thereto. If the Data Subject objects to indefinite retention of its Personal Information the Group shall retain the Personal Information records to the extent permitted or required by law.
The Group employs up-to-date technology to ensure the confidentiality, integrity and availability of the Personal Information under its care. Measures include:
All individuals and entities may request access, amendment, or deletion of their own Personal Information held by the Group. Any requests should be directed, on the prescribed form, to the Information Officer.
The Group does not have internal appeal procedures. As such, the decision made by the Information Officer pertaining to a request is final, and requestors will have to exercise such external remedies as are at their disposal if a request is refused and the requestor is not satisfied with the response provided by the Information Officer.
A requestor that is dissatisfied with the Information Officer's refusal to disclose information may, within 30 days of notification of the decision, apply to a court for relief. Likewise, a third party dissatisfied with the Information Officer's decision to grant a request for information may, within 30 days of notification of the decision, apply to a court for relief. For purposes of the Act, courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status.
The Group may legitimately refuse to grant access to a requested record that falls within a certain category. Grounds on which the Group may refuse access include:
If the Group has searched for a record and it is believed that the record does not exist or cannot be found, the requester will be notified by way of an affidavit or affirmation. This will include the steps that were taken to try to locate the record.
This Policy has been put in place throughout the Group, and training on the Policy and POPI will take place with all affected employees.
All new employees will be made aware at induction, or through training programmes, of their responsibilities under the terms of this Policy and POPI.
Modifications and updates to data protection and information sharing policies, legislation, or guidelines will be brought to the attention of all staff.
Each new employee will sign an Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.
Each employee currently employed within the Group will sign an addendum to their Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.
POPI is implemented by abiding by eight processing conditions. The Group shall abide by these principles in all its processing activities.
The Group shall ensure that all processing conditions, as set out in POPI, are complied with when determining the purpose and means of processing Personal Information and during the processing itself. The Group shall remain liable for compliance with these conditions, even if it has outsourced its processing activities.
The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant and not excessive.
The Group may only process Personal Information if one of the following grounds of lawful processing exists:
Special Personal Information includes:
The Group may only process Special Personal Information under the following circumstances:
All Data Subjects have the right to refuse or withdraw their consent to the processing of their Personal Information, and a Data Subject may object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data Subject withdraws consent or objects to processing, then the Group shall forthwith refrain from processing the Personal Information.
Personal Information must be collected directly from the Data Subject, unless:
The Group shall only process Personal Information for the specific purposes as set out and defined above at paragraph 5.1.
New processing activity must be compatible with the original purpose of processing. Further processing will be regarded as compatible with the purpose of collection if:
The Group shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and updated. The Group shall periodically review Data Subject records to ensure that the Personal Information is still valid and correct.
Employees should, as far as reasonably practicable, follow the following guidance when collecting Personal Information:
The Group shall take reasonable steps to ensure that the Data Subject is made aware of:
Data Subjects have the right to request access to, amendment, or deletion of their Personal Information.
All such requests must be submitted in writing to the Information Officer. Unless there are grounds for refusal as set out in paragraph 6.2, above, the Group shall disclose the requested Personal Information:
The Group shall not disclose any Personal Information to any party unless the identity of the requester has been verified.
The Group shall ensure the integrity and confidentiality of all Personal Information in its possession, by taking reasonable steps to:
Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.
Any loss or theft of computers, laptops or other devices which may contain Personal Information must be immediately reported to the Information Officer, who shall notify the IT department, who shall take all necessary steps to remotely delete the information, if possible.
All Direct Marketing communications shall contain the Group's and/or the Company's details, and an address or method for the customer to opt out of receiving further marketing communication.
Direct Marketing by electronic means to existing customers is only permitted:
The customer must be given the opportunity to opt-out of receiving direct marketing on each occasion of direct marketing.
The Group may send electronic Direct Marketing communication to Data Subjects who have consented to receiving it. The Group may approach a Data Subject for consent only once.
The Group shall keep record of:
Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act.
Notice and minutes of all shareholders' meetings, including resolutions adopted and documents made available to holders of securities.
Copies of reports presented at the annual general meeting of the company.
Copies of annual financial statements required by the Act.
Copies of accounting records as required by the Act.
Record of directors and past directors, after the director has retired from the company.
Written communication to holders of securities and Minutes and resolutions of directors' meetings, audit committee and directors' committees.
7 Years
Registration certificate.
Memorandum of Incorporation and alterations and amendments.
Rules.
Securities register and uncertified securities register.
Register of company secretary and auditors and Regulated Companies (companies to which chapter 5, part B, C and Takeover Regulations apply) - Register of disclosure of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued.
Indefinitely
Consumer Protection Act
Full names, physical address, postal address and contact details.
ID number and registration number.
Contact details of public officer in case of a juristic person.
Service rendered.
Cost to be recovered from the consumer.
Frequency of accounting to the consumer.
Amounts, sums, values, charges, fees, remuneration specified in monetary terms.
Conducting a promotional competition: refer to Section 36(11)(b) and Regulation 11 of Promotional Competitions.
3 Years
Whenever a reportable transaction is concluded with a customer, the institution must keep record of the identity of the customer.
If the customer is acting on behalf of another person, the identity of the person on whose behalf the customer is acting and the customer's authority to act on behalf of that other person.
If another person is acting on behalf of the customer, the identity of that person and that other person's authority to act on behalf of the customer.
The manner in which the identity of the persons referred to above was established.
The nature of that business relationship or transaction.
In the case of a transaction, the amount involved and the parties to that transaction.
All accounts that are involved in the transactions concluded by that accountable institution in the course of that business relationship and that single transaction.
The name of the person who obtained the identity of the person transacting on behalf of the accountable institution.
Any document or copy of a document obtained by the accountable institution.
5 Years
Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.
4 Years
Section 20(2) documents:
Asbestos Regulations, 2001, regulation 16(1):
Hazardous Biological Agents Regulations, 2001, Regulations 9(1) and (2):
Lead Regulations, 2001, Regulation 10:
Noise-induced Hearing Loss Regulations, 2003, Regulation 11:
40 Years
Hazardous Chemical Substance Regulations, 1995, Regulation 9:
30 Years
Section 29(4):
Section 31:
Records in respect of the company's workforce, employment equity plan and other records relevant to compliance with the Act.
Section 21 report which is sent to the Director General.
Records to be retained by the employer are the collective agreements and arbitration awards.
An employer must retain prescribed details of any strike, lock-out or protest action involving its employees.
Records of each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer and the reasons for the actions.
Indefinitely
Employers must retain personal records of each of their current employees in terms of their names, identification number, monthly remuneration and address where the employee is employed.
Section 29 documents which:
Amount of remuneration paid or due by him to the employee.
The amount of employees tax deducted or withheld from the remuneration paid or due.
The income tax reference number of that employee.
Any further prescribed information.
Employer Reconciliation return.
Where a vendor's basis of accounting is changed the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditors at the end of the tax period immediately preceding the changeover period.
Importation of goods, bill of entry, other documents prescribed by the Customs and Excise Act and proof that the VAT charge has been paid to SARS.
Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists and paid cheques.
Documentary proof substantiating the zero rating of supplies.
Where a tax invoice, credit or debit note, has been issued in relation to a supply by an agent or a bill of entry as described in the Customs and Excise Act, the agent shall maintain sufficient records to enable the name, address and VAT registration number of the principal to be ascertained.