PROTECTION OF PERSONAL INFORMATION ACT (POPIA)
What do ‘Personal Information’ and ‘Processing’ mean and what do they include?
Personal Information is defined in POPIA as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. It includes but is not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Processing is defined in POPIA as any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information. It includes – (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination, by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information.
What Personal Information do we collect?
The Personal Information we collect may include:
- Basic personal details such as the data subject’s name and job title.
- Contact details such as telephone numbers and postal or email addresses.
- Financial data such as payment related information or bank account details.
- Demographic data such as addresses, preferences or interests.
- Website usage and other technical data such as details of visits to our website or information collected through cookies and other tracking technologies.
- Information provided to us by or on behalf of our clients or generated by us in the course of providing our services.
- Identification and other background verification as part of our client onboarding and ongoing monitoring procedures.
- Information that is provided to us in the course of registering for and attending events or meetings, including access and dietary requirements.
- Information relating to prospective employees such as curricula vitae, your education and employment history, professional and other memberships, references and other information relevant to recruitment.
- Any other personal data that you may provide.
How do we obtain Personal Information?
Usually, we will collect the information we require directly from you. We may also collect information from publicly available sources (such as LinkedIn and the CIPC) or from third parties (such as credit bureaux or recruitment agencies).
Why do we collect Personal Information?
We collect Personal Information primarily to conclude and perform contracts with our clients, service providers and other parties, and to pursue our legitimate business interests, including recruitment. We also collect Personal Information in order to comply with relevant legislation, regulatory requirements and the requirements of other Government agencies.
How do we use Personal Information?
We will only use Personal Information where we are permitted to do so by applicable law, including POPIA. The most important legal justifications for our use of Personal Information are:
- Contract performance: if the information is necessary to finalise or perform our contract with the data subject.
- Legal obligations: if we need to use the information to comply with our legal obligations.
- Legitimate interests: if we need the information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to the data subject’s data privacy rights. We may use Personal Information to provide you with informative material relating to our services and products, new products and services, events or changes of TBI personnel, in which event you will be afforded the opportunity to ‘opt out’ of further communications.
- Legal claims: if the information is necessary for us to defend a claim against us or to make or prosecute a claim.
- Consent: if you have given your voluntary, specific and informed consent to our use of your Personal Information.
Who do we share Personal Information with?
We may share your information with the following categories of third parties:
- Service providers to whom we outsource certain functions such as specialised marketing services, payroll, administration, compliance and IT services.
- Software providers used to perform our contract.
- Our banks, auditors, legal and other advisors.
We will ensure that with each of these categories, we have agreements in place to protect the confidentiality and security of the Personal Information we share with them and that this is done in strict adherence to the requirements of POPIA.
We will also share Personal Information with regulators and other government agencies but only to the extent that we are legally required to do so. Where we are requested to provide specific information about you, we will only do so, if permissible, after notifying you of the request.
How long do we keep Personal Information?
We retain Personal Information for as long as is necessary to fulfil the purpose for which it was collected and any other related permitted purpose (for example in order to comply with regulatory requirements regarding the retention of information). If Personal Information is used for more than one permitted purpose, we will retain it until the purpose with the longest permitted period expires, but we will stop using it for the purpose with a shorter period once the relevant period expires. Our retention periods are also based on our business needs and good practice.
How do we protect Personal Information?
Please be aware that no data transmission (including over the Internet or any website) can be guaranteed to be secure from intrusion. We implement a range of commercially reasonable and appropriate technical and procedural measures to help protect Personal Information from unauthorised access, use, disclosure, alteration or destruction in accordance with POPIA requirements.
Personal Information that we collect is stored on our servers and accessed and used subject to our security practices and procedures, which we will ensure are consistent with those generally accepted and applicable in our industry.
What rights do you have in relation to your Personal Information?
Under certain circumstances and in accordance with POPIA, you may have the right to require us to:
- Provide you with further details on the use we make of your Personal Information.
- Provide you with a copy of Personal Information that we hold about you.
- Update any inaccuracies in the Personal Information we hold.
- Delete any Personal Information that we no longer have a lawful reason to use.
- Where processing is based on consent, withdraw your consent so that we stop that particular processing.
- Stop any processing that we undertake on the basis of legitimate interests unless our reasons for undertaking that processing outweigh any prejudice to your data privacy rights.
- Restrict how we use your Personal Information whilst a complaint is being investigated.
You may also ask us not to process your Personal Information for marketing purposes. We will inform you if we intend to disclose your information to any third party service provider for this purpose. You can exercise your right to prevent such processing at any time by using the relevant unsubscribe facility or by contacting us via email at email@example.com.
We are also required to take reasonable steps to ensure that your Personal Information remains accurate. In order to assist us with this, please let us know of any changes to the Personal Information that you have provided to us by contacting us via email at firstname.lastname@example.org.
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). And some of these rights may be limited (for example the right to withdraw consent) where we are required or permitted by law to continue processing your Personal Information to defend our legal rights or meet our legal and regulatory obligations.
If you contact us to exercise any of these rights, we will check your entitlement and respond within a month.
If you have any questions about our use of your Personal Information, please contact us via email at email@example.com.
Please feel free to contact me to discuss any questions or concerns you may have by email at firstname.lastname@example.org.
If you require any additional information or have any concerns regarding your Personal Information, you can contact the Information Regulator:
Tel: 012 406 4818
Last updated on 30 June 2021