PRIVACY POLICY

Introduction

This Policy regulates the Processing of Personal Information/Personal Data by the Company and sets forth the requirements with which the Company undertakes to comply when Processing Personal Information/Personal Data pursuant to undertaking its operations and fulfilling its contractual obligations in respect of Data Subjects and Third Parties in general.

The Company places a high premium on the privacy of every person or organisation with whom it interacts or engages and therefore acknowledges the need to ensure that Personal Information/Personal Data is handled with a reasonable standard of care as may be expected from it. The Company is therefore committed to ensuring that it complies with the requirements of POPIA, and also with the terms of the GDPR to the extent that the GDPR applies.

When a Data Subject or Third Party engages with the Company, whether it be physically or via any digital, electronic interface, the Data Subject or Third Party acknowledges that they trust the Company to Process their Personal Information/Personal Data, including the Personal Information/Personal Data of their dependents, beneficiaries, customers / clients, members, or employees as the case may be, which further entrenches the importance of the Company’s compliance with Applicable Laws with regard to the Processing of Personal Information/Personal Data.

All Data Subjects and Third Parties have the right to object to the processing of their Personal Information/Personal Data. It should be voluntary to accept the Terms and Conditions to which this Policy relates. However, the Company does require the Data Subject or Third Party’s acceptance thereof to enable the proper use of the Company’s Website and/or Services.

Purpose and application

The purposes of this Policy are not only to inform Data Subjects of what Personal Information/Personal Data of theirs the Company may Process, where the Company may have collected such Personal Information/Personal Data from (if not directly from them as the Data Subject), and how the Company Processes their Personal Information/Personal Data, but also to establish a standard with which the Company and its employees, representatives and operators shall comply in so far as the Processing of Personal Information/Personal Data is concerned.

The Company, in its capacity as a Responsible Party and/or Operator and/or Controller, as the case may be, shall strive to observe and comply with its obligations under POPIA and the GDPR (as may be applicable and to the extent necessary) when it Processes Personal Information/Personal Data from or in respect of any Data Subject.

Collecting and processing of personal information/personal data

Whenever any Data Subject engages with the Company, whether it be physically or electronically, or through the use of its Services, facilities or Website, the Company will in effect be Processing the Data Subject’s Personal Information/Personal Data.

It may be, from time to time, that the Company has collected a Data Subject’s Personal Information/Personal Data from other sources and in such instances the Company will inform the Data Subject by virtue of any privacy notices it deploys from time to time. In the event that a Data Subject has shared their Personal Information/Personal Data with any third parties, the Company will not be responsible for any loss suffered by the Data Subject, their dependents, beneficiaries, customers / clients, representatives, agents or employees (as the case may be).

When a Data Subject provides the Company with the Personal Information of any other Third Party, the Company will process the Personal Information/Personal Data of such Third Party in line with this Policy, as well as any terms and conditions or privacy notices to which this Policy relates.

The Company will primarily Process Personal Information/Personal Data in order to facilitate and enhance the delivery of Products and/or Services to its Clients, manage and administer its business, foster a legally compliant workplace environment, as well as safeguard the Personal Information/Personal Data relating to any Data Subjects which it in fact holds. In such an instance, the Data Subject providing the Company with such Personal Information/Personal Data may also be required to confirm that they are a Competent Person and that they have authority to give the requisite consent to enable the Company to process such Personal Information/Personal Data.

The Company undertakes to process any Personal Information/Personal Data in a manner which promotes the constitutional right to privacy, retains accountability and Data Subject participation.

Prior to recording the purpose(s) for which the Company may, or will, process the Personal Information/Personal Data of Data Subjects, the Company hereby records the types of Personal Information/Personal Data of Data Subjects it may process from time to time:

  • Full names;

  • Identity numbers;

  • Registration numbers;

  • Financial information, including banking account information;

  • Statutory information;

  • Physical and postal address particulars;

  • Telephone numbers;

  • Email addresses; and

  • Unique Identifiers.

In supplementation of the above and any information privacy notices provided to any Data Subjects from time to time pursuant to any engagement with them, the Company may process Personal Information/Personal Data for the following purposes:

  • To provide or manage any information, Products and/or Services requested by or delivered to Data Subjects in general;

  • To establish a Data Subject’s needs, wants and preferences in relation to the Products and/or Services provided by the Company or any other Affiliate of the Company;

  • To help the Company identify Data Subjects when they engage with the Company;

  • To facilitate the delivery of Products and/or Services to Clients;

  • To allocate to Clients and Data Subjects Unique Identifiers for the purpose of securely storing, retaining and recalling their Personal Information/Personal Data from time to time;

  • To maintain records of Data Subjects and specifically Client records;

  • For employment purposes;

  • For general administration purposes;

  • For legal and/or contractual purposes;

  • For health and safety purposes;

  • To monitor access, secure and manage any facilities operated by the Company regardless of location;

  • To transact with Data Subjects;

  • To improve the quality of the Company’s Products and/or Services;

  • To transfer Personal Information/Personal Data to any other Affiliate of the Company so as to enable the relevant Affiliate of the Company to market its products and/or services to the Company’s Client(s) or Third Parties, as well as to render specific services to the Company itself which would in turn enable the Company to render its Services to its Client(s);

  • To transfer Personal Information/Personal Data to Third Party service providers so as to enable the Company to deliver Products and/or Services to its Client(s);

  • To analyse the Personal Information/Personal Data collected for research and statistical purposes;

  • To help recover bad debts;

  • To transfer Personal Information/Personal Data across the borders of South Africa to other jurisdictions if it is required;

  • To carry out analysis and Client profiling;

  • To identify other products and services which might be of interest to our Clients and Data Subjects in general, as well as to inform them of such products and/or services;

  • To comply with any Applicable Laws applicable to the Company and in some instances other Affiliates of the Company. 

When collecting Personal Information/Personal Data from a Data Subject, the Company shall comply with the notification requirements as set out in Section 18 of POPIA, and to the extent applicable, Articles 13 and 14 of the GDPR.

The Company will collect and Process Personal Information/Personal Data in compliance with the conditions as set out in POPIA and/or the Processing principles in the GDPR (as the case may be), to ensure that it protects the Data Subject's privacy.

The Company will not Process the Personal Information/Personal Data of a Data Subject for any purpose other than for the purposes set forth in this Policy or in any other privacy notices which may be provided to Data Subjects from time to time, unless the Company is permitted or required to do so in terms of Applicable Laws or otherwise by law.

Personal information/personal data for direct marketing purposes

The Company acknowledges that it may only use Personal Information/Personal Data to contact Data Subjects for purposes of direct marketing where the Company has complied with the provisions of POPIA and GDPR (where applicable) and when it is generally permissible to do so in terms of Applicable Laws.

In the event that the Company may lawfully direct market to a Data Subject in terms of section 69 of POPIA, the Company will ensure that a reasonable opportunity is given to such Data Subjects to object (opt-out) to the use of their Personal Information/Personal Data for the Company’s marketing purposes when collecting the Personal Information/Personal Data and on the occasion of each communication to the Client for purposes of direct marketing.

Storage and retention of personal information/personal data

The Company will retain Personal Information/Data it has Processed, in an electronic or hardcopy file format, with a Third-Party service provider appointed for this purpose (the provisions of clause 9 below will apply in this regard).

Personal Information/Personal Data will only be retained by the Company for as long as necessary to fulfil the legitimate purposes for which that Personal Information/Personal Data was collected in the first place and/or as permitted or required in terms of Applicable Law.

It is specifically recorded that any Data Subject has the right to object to the Processing of their Personal Information and the Company shall retain and store the Data Subject’s Personal Information/Personal Data for the purposes of dealing with such an objection or enquiry as soon and as swiftly as possible.

Failure to provide personal information

Where the Company is required to collect Personal Information/Personal Data from a Data Subject by law or in order to fulfil a legitimate business purpose of the Company and the Data Subject fails to provide such Personal Information/Personal Data, the Company may, on notice to the Data Subject, decline to render services without any liability to the Data Subject.

Securing personal information/personal data

The Company will always implement appropriate, reasonable, physical, organisational, contractual and technological security measures to secure the integrity and confidentiality of Personal Information/Personal Data, including measures to protect against the loss or theft, unauthorised access, disclosure, copying, use or modification of Personal Information/Personal Data in compliance with Applicable Laws.

In further compliance with Applicable Laws, the Company will take steps to notify the relevant Regulator(s) and/or any affected Data Subjects in the event of a security breach and will provide such notification as soon as reasonably possible after becoming aware of any such breach.

Notwithstanding any other provisions of this Policy, it should be acknowledged that the transmission of Personal Information/Personal Data, whether it be physically in person, via the internet or any other digital data transferring technology, is not completely secure. Whilst the Company has taken all appropriate, reasonable measures to secure the integrity and confidentiality of the Personal Information/Personal Data it Processes, in order to guard against the loss of, damage to or unauthorised destruction of Personal Information/Personal Data and unlawful access to or processing of Personal Information/Personal Data, the Company in no way guarantees that its security system(s) are 100% secure or error-free. Therefore, the Company does not guarantee the security or accuracy of the information (whether it be Personal Information/Personal Data or not) which it collects from any Data Subject.

Any transmission of Personal Information/Personal Data will be solely at the Data Subject's own risk. Once the Company has received the Personal Information/Personal Data, it will deploy and use strict procedures and security features to try to prevent unauthorised access to it. As indicated above, the Company reiterates that it restricts access to Personal Information/Personal Data to Third Parties who have a legitimate operational reason for having access to such Personal Information/Personal Data. The Company also maintains electronic and procedural safeguards that comply with the Applicable Laws to protect your Personal Information from any unauthorised access.

The Company shall not be held responsible and, by accepting any terms and conditions to which this Policy relates, any Data Subject agrees to indemnify and hold the Company harmless for any security breaches which may potentially expose the Personal Information/Personal Data in the Company’s possession to unauthorised access and/or the unlawful processing of such Personal Information/Personal Data by any Third-Party.

                                             
Provision of personal information/personal data to third parties

The Company may disclose Personal Information/Personal Data to Third-Party service providers and any Affiliate of the Company where necessary and to achieve the purpose(s) for which the Personal Information/Personal Data was originally collected and Processed. The Company will enter into written agreements with such Third-Party service providers where necessary to ensure that they comply with Applicable Laws pursuant to the Processing of Personal Information/Personal Data provided to it by the Company from time to time.

Transfer of personal information/personal data outside of South Africa

The Company may, under certain circumstances, transfer Personal Information/Personal Data to a jurisdiction outside of the Republic of South Africa in order to achieve the purpose(s) for which the Personal Information/Data was collected and Processed, including for Processing and storage by Third-Party service providers.

If it is required, the Company will obtain the Data Subject's consent to transfer the Personal Information/Personal Data to such foreign jurisdiction.

The Data Subject should also take note that, where the Personal Information/Personal Data is transferred to a foreign jurisdiction, the Processing of Personal Information/Personal Data in the foreign jurisdiction may be subject to the laws of that foreign jurisdiction.

Access to personal information/personal data

A Data Subject has the right to a copy of the Personal Information/Personal Data which is held by the Company (subject to a few limited exemptions as provided for under Applicable Law).

The Data Subject must make a written request (which can be by email) to the Information Officer designated by the Company from time to time and whose contact details can be sourced in the Company’s PAIA Manual.

The Company will provide the Data Subject with any such Personal Information/Personal Data to the extent required by Applicable Law and subject to and in accordance with the provisions of the Company’s PAIA Manual, which PAIA Manual can be sourced on the Company’s website.

The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information/Personal Data in the Company’s records at any time in accordance with the process set out in the Company’s PAIA Manual.

Keeping personal information/personal data accurate

The Company will take reasonable steps to ensure that Personal Information/Personal Data that it Processes is kept updated where reasonably possible. For this purpose, the Company shall provide Data Subjects with the opportunity to update their information at appropriate times.

The Company may not always expressly request the Data Subject to verify and update his/her/its Personal Information/Personal Data and expects that the Data Subject will notify the Company from time to time in writing:

  • of any updates or amendments required in respect of his/her/its Personal Information/Personal Data;

  • where the Data Subject requires the Company to delete his/her/its Personal Information/Personal Data; or

  • where the Data Subject wishes to restrict the Processing of his/her/its Personal Information/Personal Data.

Costs to access personal information/personal data

In the event that a cost is applicable, the prescribed fees to be paid for copies of the Data Subject's Personal Information/Personal Data are listed in the Company’s PAIA Manual.

The Company reserves the right to make amendments to this Policy from time to time.

Complaints to the Information Regulator

If any Data Subject or Third Party is of the view or belief that the Company has Processed their Personal Information/Personal Data in a manner or for a purpose which is contrary to the provisions of this Policy, the Data Subject is requested to first attempt to resolve the matter directly with the Company, failing which the Data Subject or Third Party shall have the right to lodge a complaint with the Information Regulator, under the provisions of POPIA.

The current contact particulars of the Information Regulator are:

The Information Regulator (South Africa)

Website: https://inforegulator.org.za/

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

PO Box 31533

Braamfontein, Johannesburg, 2107

 

Contacting us

All comments, questions, concerns or complaints regarding Personal Information/Personal Data or this Policy, should be forwarded to the Company’s Information Officer at the following email address: ds@dninvest.co.za.

PAIA Manual
Download our PAIA manual here