POPIA Policy and Data Privacy Consent Notice
POPIA Policy
Omega Capital (PTY) Ltd
FSP No. 17311
Protection of Personal Information Act, 2013
Omega Capital
(hereinafter referred to as “THE COMPANY” or “OMEGA CAPITAL”)
POLICY ON DATA PRIVACY AND THE PROTECTION OF PERSONAL INFORMATION
The Protection of Personal Information Policy establishes, explains and sets out—
- Legal requirements relating to Personal Information and Data Privacy;
- What Personal Information is, and who it belongs to;
- What Personal Information will be processed by THE COMPANY;
- Why THE COMPANY needs to process a Data Subject’s Personal Information;
- What THE COMPANY will be doing with a Data Subject’s Personal Information;
- Who THE COMPANY will share a Data Subject’s Personal Information with;
- What THE COMPANY will do with a Data Subject’s Personal Information, once the purpose for the processing comes to an end;
- How all at THE COMPANY are to treat Personal Information belonging to another.
Table of Contents
- Introduction
- POPIA References
- Purpose and Objectives
- Application and Scope
- The Data Protection Principles and Conditions
- How Personal Information is Processed and Used
- Safeguarding Personal Information
- Access and Correction of Personal Information
- Information Officer
- Operators and Service Providers
- General
- Version and Amendments
ANNEXURE A – Data Privacy Consent Notice
1. Introduction
The Protection of Personal Information Act, 4 of 2013 (POPIA) regulates and controls the processing of Personal Information.
OMEGA CAPITAL is a private company which conducts business as a Financial Services Provider with FSP No. 17311.
THE COMPANY for the purposes of carrying out its business and related objectives, does and will from time to time, process the Personal Information of natural individuals and legal entities, including public and private entities, such as Personal Information relating to employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, clients, customers, and other third parties.
OMEGA CAPITAL is obligated to comply with POPIA, and the data protection conditions set out under POPIA with respect to the processing of all and any Personal Information.
This Policy describes how OMEGA CAPITAL will discharge its duties to ensure continuing compliance with POPIA in general and the information protection conditions and rights of Data Subjects.
2. POPIA References
To understand the implications of this document and the objectives of POPIA, the reader must take note of the following explanatory notes and POPIA definitions, which will be used throughout this POLICY and which may be used in the interpretation of this document.
POPIA makes use of certain references, as explained below.
“Biometrics”
means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
THE COMPANY may from time to time make use of your / the Data Subject’s Biometrics for security access control and related identification procedures.
“Child”
means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him-or herself;
THE COMPANY will from time to time have to process Personal Information of a child who may belong to you / a Data Subject, for amongst other reasons employment and benefit related purposes, which use will require the competent person’s consent as defined below.
“Competent Person”
means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
“Consent”
means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information;
All Personal Information which you / the Data Subject provides to THE COMPANY will be subject to the Data Privacy Consent Notice contained in this POLICY and when / by providing THE COMPANY with your / the Data Subject’s Personal Information, you / the Data Subject gives us, THE COMPANY your / the Data Subject’s implied consent to use your / the Data Subject’s Personal Information in accordance with said Data Privacy Consent Notice.
“Data Subject”
means you, the person who will provide THE COMPANY or its Operator/s with Personal Information and who consents when providing such Personal Information, to THE COMPANY’s use thereof in accordance with its Data Privacy Consent Notice.
A Data Subject will include you / the Data Subject, the reader of this notice who will be providing THE COMPANY with your / or your business’s / the Data Subject’s Personal Information and which you and your business / the Data Subject, by providing such Personal Information to THE COMPANY, give THE COMPANY the required consent to use the Personal Information, in accordance with its Data Privacy Consent Notice.
“Operator”
means a natural person or a juristic person who processes your / a Data Subject’s Personal Information on behalf of THE COMPANY in terms of a contract or mandate, without coming under the direct authority of THE COMPANY;
THE COMPANY will, in order to pursue and protect its legitimate interests and in many cases to protect you / the Data Subject, under a written contract ask Operators to process certain categories of your / the Data Subject’s Personal Information on its behalf including, without detracting from the generality thereof, CRM Providers, Advertising Agencies, PR agencies, Payroll service providers, Core Benefits Providers, Medical Aid/Cover providers, Retirement Funding Providers, Auditors, Legal Practitioners, and Government and Provincial Departments (e.g. Department of Labour).
“Person”
means a natural person or a juristic person;
“Personal Information”
means information relating to any identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, namely the Data Subject, including, but not limited to: Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
THE COMPANY will need to process race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birthdates of all potential and actual employees for security, employment and benefit related purposes.
THE COMPANY will need to process race, gender, pregnancy, marital status, national, ethnic or social origin, colour, age, physical or mental health, well-being, disability, language and birthdates of all potential and actual sole proprietors and individual service providers who intend to or already provide products and services to THE COMPANY for security, business and contractual related purposes.
THE COMPANY will need to process race, gender, marital status, national, ethnic or social origin, colour, age, language and birthdates of all potential and actual customers and consumers and/or beneficiaries, who intend to or already use THE COMPANY’s products and services for security, business, contractual and marketing and promotional related purposes.
THE COMPANY will need to process race, gender, marital status, national, ethnic or social origin, colour, age, language and birthdates of persons who ask THE COMPANY for information or for THE COMPANY to reply to any query or request made by such person.
- Information relating to the education or the medical, financial, criminal or employment history of the person;
THE COMPANY will need to process information relating to the education, medical, financial, criminal and employment history of all potential and actual employees for security, employment and benefit related purposes.
THE COMPANY will need to process information relating to the financial, criminal and employment history of all potential and actual sole proprietors and individual service providers who intend to or already provide products and services to THE COMPANY for security, business and contractual related purposes, or who apply for any form of funding or assistance.
THE COMPANY will need to process information relating to the financial and criminal history of all potential and actual service providers who are legal entities, who intend to or already provide products and services to THE COMPANY for security, business and contractual related purposes.
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment to the person;
THE COMPANY will need to process all Data Subjects’ identity or registration numbers, email address, physical and postal address, telephone and contact numbers, location information, and other required identifiers relating to a Data Subject from time to time for security, employment, business, marketing, promotional and contractual related purposes, or in order for THE COMPANY to attend to a person’s request or enquiry for information, including any person or Data Subject who applies for funding or assistance of any kind.
- The biometric information of the person;
THE COMPANY may from time to time make use of a Data Subject’s Biometrics for security access control, employment, contractual and related identification procedures.
- The individual opinions, views or preferences of the person;
THE COMPANY may from time to time make use of individual opinions, views or preferences of a Data Subject for business, sponsorship, funding, marketing, promotional, security, employment or contractual purposes.
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
THE COMPANY may from time to time make use of private or confidential correspondence received from a Data Subject for business, investigative and/or security purposes, as well as for employment or contractual purposes.
- The views or opinions of another individual about the person;
THE COMPANY may from time to time make use of views or opinions of another individual about the Data Subject for business, marketing, promotional, security, employment or contractual purposes.
- The name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
“Processing”
means any operation or activity or any set of operations, whether by automatic means or not, concerning Personal Information, including:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- Dissemination by means of transmission, distribution or making available in any other form;
- Merging, linking, as well as restriction, degradation, erasure or destruction of information, and
- Sharing with, transfer and further processing, to and with such information.
“Record”
means any recorded information, regardless of form or medium, including any of the following:
- Writing on any material;
- Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- Book, map, plan, graph or drawing;
- Photograph, film, negative, tape or other device in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced—
-
- in the possession or under the control of a Responsible Party;
- whether it was created by a Responsible Party, and
- regardless of when it came into existence;
-
THE COMPANY and its Operators will from time-to-time process Personal Information relating to you/a Data Subject for business, marketing, promotional, investigative, security, employment and contractual purposes. All Personal Information processed by THE COMPANY and its Operators will be set out on record.
“Responsible Party”
means THE COMPANY including without detracting from the generality thereof, its directors, management, executives, HR practitioners, payroll department, core benefits provider, medical aid department, retirement funding department, internal auditors, legal practitioners and compliance officers, company secretary, and all other employees and Operators who need to process your / a Data Subject’s Personal Information for THE COMPANY.
“Special Personal Information”
includes any information relating to an individual’s- Ethnicity, Gender, Religious or other beliefs, Political opinions, Membership of a trade union, Sexual orientation, Medical history, Offences committed or alleged to have been committed by that individual, Biometric details, and Children’s details.
THE COMPANY and its Operators will from time-to-time process Special Personal Information relating to you / a Data Subject for business, security, employment and contractual purposes.
“You”
means the person who is reading this POLICY and Data Privacy Consent Notice, namely the Data Subject, who by providing THE COMPANY with your Personal Information, gives THE COMPANY and its Operators consent to use and process your Personal Information in accordance with the provisions of said Data Privacy Consent Notice. The word “your / yours” bears a corresponding meaning as the context may indicate.
3. Purpose and Objectives
- THE COMPANY collects and processes Personal Information belonging to Data Subjects on an ongoing basis to carry out and pursue its business and related operational interests. This may, without detracting from the generality thereof, include:
-
- recruitment and employment purposes;
- concluding contracts and business transactions;
- for risk assessments, insurance and underwriting purposes;
- assessing and processing queries, enquiries, complaints, and/or claims;
- conducting criminal reference checks and/or conducting credit reference searches or verification;
- confirming, verifying and updating persons details;
- for purposes of personal claims history;
- for the detection and prevention of fraud, crime, money laundering or other malpractice;
- conducting market or customer satisfaction research;
- promotional, marketing and direct marketing purposes;
- financial, audit and record-keeping purposes;
- in connection with legal proceedings;
- providing services to clients to carry out the services requested and to maintain and constantly improve the relationship;
- communicating with employees, third parties, customers, suppliers and/or governmental officials and regulatory agencies, and
- in connection with and to comply with legal and regulatory requirements or when it is otherwise required or allowed by law.
-
- The objective and purpose of this Policy is therefore to set out OMEGA CAPITAL’S policy on the processing of Personal Information, and to provide guidelines on how Personal Information is to be processed and safeguarded to ensure compliance with POPIA.
4. Application and Scope
- This Policy will apply to the processing of all and any Data Subject’s Personal Information by THE COMPANY.
- This Policy without exception will apply to:
-
- OMEGA CAPITAL and its subsidiary companies, including all employees thereof, including permanent, fixed term, and temporary staff, directors, executives, and secondees;
- Any entity or person who processes Personal Information on behalf of THE COMPANY, whether residing or operating in South Africa, or overseas, who will hereinafter be referred to as an “Operator”, provided they have been made aware of this Policy.
-
5. The Data Protection Principles and Conditions
- Any Employee or Operator who processes Personal Information belonging to a Data Subject on behalf of THE COMPANY, shall comply with all the provisions of POPIA, including the 8 data protection conditions set out under section 4 of POPIA, which are as follows:
-
- Personal Information shall be obtained and processed fairly and lawfully;
- Personal Information shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes, unless specific consent to do so has been obtained;
- Personal Information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Personal Information shall be accurate and, where necessary, kept up to date;
- Personal Information processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
- Personal Information shall be processed in accordance with the rights of Data Subjects under POPIA;
- Appropriate technical and organisational safeguards and measures must be put in place to protect and guard against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information;
- Personal Information shall not be transferred outside South Africa to another country unless that country has similar Data Privacy laws to those set out under POPIA in place, or the person / organisation to whom the Personal Information is being transferred provides a written undertaking to apply the principles set out under POPIA to the processing of the Personal Information.
-
6. How Personal Information is Processed and Used
- Before any Personal Information is processed, the person processing such information on behalf of THE COMPANY must bring to the Data Subject’s attention the provisions set out under THE COMPANY DATA PRIVACY CONSENT NOTICE which, for ease of reference, is attached hereto marked Annexure “A.” The Consent Notice includes, amongst others, the following instructions and details:
-
- Why the processing of the Data Subject’s Personal Information is necessary;
- What Personal Information is required and the purpose for the requirement;
- What will be done with the Personal Information;
- That in order to use the Personal Information, the Data Subject must provide consent for such processing, unless such processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or is required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or is necessary to protect the legitimate interest (s) of the Data Subject or the Responsible Party; or is necessary for the proper performance of a public law duty by a public body; or is necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied;
- Who the Personal Information will be shared with;
- Whether the Personal Information will be sent outside the borders of South Africa and what data security measures are in place to protect the information;
- What will be done with the Personal Information once the purpose for its collection and use has expired.
-
- When processing a Data Subject’s Personal Information, the person processing such information must ensure that:
-
- They only process Personal Information, which is relevant and accurate and only for the purpose for which it is required;
- Special Personal Information will only be processed in line with the provisions set out under POPIA and in accordance with instructions set out by the Information Officer from time to time.
-
7. Safeguarding Personal Information
- All Company employees and where applicable, Operators and persons acting on behalf of THE COMPANY must before the processing of Personal Information, ensure that the records/facility housing the Personal Information will be kept secure and that appropriate measures and safeguards are in place to prevent any unauthorised access, disclosure and/or loss of such Personal Information.
- Removing and downloading Personal Information onto portable devices from workplace equipment, or taking soft copies of Personal Information off-site, must be agreed to by the Information Officer. Removal of such information will be subject to the following provisions:
-
- The person removing the Personal Information must explain and justify the operational need for the removal in relation to the volume and sensitivity of the Personal Information and ensure that the details of the Personal Information being removed is documented and recorded under a “removal register”;
- The Personal Information to be removed must be strongly encrypted;
- The person removing and using said data should only store the data necessary for their immediate needs and should remove the data as soon as possible once dealt with. Such removal should be confirmed by way of recordal in the removal register;
- To avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment.
-
- Where it is necessary to store Personal Information on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by THE COMPANY, employees and where applicable, Operators and persons acting on behalf of THE COMPANY, must, without exception before storing said Personal Information, ensure that the data is encrypted and is kept secure, and that appropriate measures and safeguards are in place to prevent unauthorised access, disclosure and loss of such Personal Information. Clause 7.2.1- 7.2.4 will apply mutatis mutandi to said data.
- Where paper or hard copies of Personal Information are removed from THE COMPANY premises, employees and where applicable, Operators and persons acting on behalf of THE COMPANY must, without exception before removing said Personal Information ensure that only that data necessary for the purpose for which it is being removed is taken, is documented in a removal register and is thereafter, whilst away from THE COMPANY premises, kept safe and secure, and that appropriate measures and safeguards are in place to prevent any unauthorised access, disclosure and loss of such Personal Information.
- Paper or hard copies of Personal Information and portable electronic devices housing Personal Information should be stored in locked units, which should not be left on desks overnight or in view of other employees or third parties.
- Personal Information, which is no longer required, should be securely archived and retained, as per THE COMPANY GROUP RECORD RETENTION AND DESTRUCTION POLICY.
- Personal Information must not be disclosed unlawfully to any third party.
- Where an OPERATOR is to process Personal Information on behalf of THE COMPANY, such processing will be subject to a written OPERATOR agreement concluded between THE COMPANY and the OPERATOR, which agreement is to be substantially in the same format as the standard THE COMPANY OPERATOR agreement.
- All losses of Personal Information must be reported to the Information Officer.
- Negligent loss or unauthorised disclosure of Personal Information, or failure to report such events, may be treated as a disciplinary matter.
- THE COMPANY, via its Information Security Officer and IT department, will continuously review its security controls and processes to ensure that all Personal Information is secure.
8. Access and Correction of Personal Information
- In terms of POPIA, a Data Subject has the right to:
-
- Request access to their Personal Information which THE COMPANY holds, if they follow the “Access to Information Procedure” set out under THE COMPANY PAIA Manual on THE COMPANY website & via the Personal Information Request Form;
- Ask THE COMPANY to update, correct or delete any of its Personal Information, which THE COMPANY thereafter has a duty to correct, save where THE COMPANY is of the view that the request is incorrect, invalid and/or unreasonable;
- Object to THE COMPANY processing their Personal Information, which THE COMPANY holds about them, by filing a notice of objection.
-
- In the event of any of the abovementioned instances, any such request should not be acted on but should be submitted to THE COMPANY Information Officer for further attention and action.
9. Information Officer
- THE COMPANY has appointed an Information Officer who has been tasked with the primary responsibility for compliance with POPIA.
- All the Company employees are under a duty to:
-
- Raise any concerns in respect of the processing of Personal Information with the Information Officer;
- Promptly pass on to the Information Officer all Data Subject access requests and requests from third parties for Personal Information;
- Report losses or unauthorised disclosures of Personal Information to the Information Officer as soon as such loss or disclosure has been noted; and
- Address any queries or concerns about this Policy and/or compliance with POPIA with the Information Officer.
-
10. Operators and Service Providers
Where any COMPANY employee requires a COMPANY service provider, contractor and/or agents (Operators) to process Personal Information for or on behalf of THE COMPANY, such employee shall ensure that prior to such processing a standard COMPANY POPIA Consent Form or Data Privacy Consent Notice is concluded with the Operator in respect of such processing.
11. General
Any transgression of this Policy will be investigated and may lead to disciplinary action being taken against the offender.
12. Version and Amendments
This Policy is effective as from 1 July 2021.
ANNEXURE A – Data Privacy Consent Notice
Protection of Personal Information Act, 2013
Data Privacy Consent Notice
Declaration
This Data Privacy Consent Notice will apply to
OMEGA CAPITAL (“Responsible Party”)
On the one hand,
AND
The Responsible Party EMPLOYEES, and/or ANY OTHER PERSON including without detracting from the generality thereof, any juristic or natural person, full time, fixed term, part time and temporary Responsible Party employees, prospective Responsible Party employees, employment candidates, bursary and study recipients, Responsible Party service providers, Responsible Party Operators, Responsible Party consumers and customers, governmental, provincial and municipal agencies or entities, regulators, persons making enquiries and/or other third parties, including all associated, related and/or family members of such Data Subjects, or any person who may be acting on behalf of/or in a representative capacity in respect of the Data Subject, and- from whom the Responsible Party receives Personal Information, (“Data Subject”), on the other hand.
Table of Contents
- Introduction
- Explanatory Notes and POPIA Definitions
- Application of this Data Privacy Consent Notice
- Purpose for the Collection
- Consequences of the Data Subject withholding Consent / Personal Information
- Storage, Retention and Destruction of Information
- Access by others and Cross Border Transfer
- Right to Object and Complaints
- Accuracy of Information and Onus
- Access to Information by the Data Subject
- Amendments and Binding on Successors in Title
- Declaration and Data Privacy Consent
1. Introduction
The Protection of Personal Information Act, 4 of 2013, (“POPIA”) regulates and controls the processing, including the collection, use, and transfer of a person’s Personal Information.
In terms of POPIA, a person (“Responsible Party”) has a legal duty to collect, use, transfer and destroy “(Process”) another’s (“Data Subject”) Personal Information (“Personal Information”) in a lawful, legitimate, and responsible manner and in accordance with the provisions and the eight processing conditions set out under POPIA.
Furthermore, unless the processing is—
- necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or
- required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or
- necessary to protect the legitimate interest(s) of the Data Subject or the Responsible Party; or
- necessary for the proper performance of a public law duty by a public body; or
- necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied,
all processing of a Data Subject’s Personal Information must be done with the Data Subject’s permission i.e. the Data Subject must consent to the processing of its Personal Information.
The Responsible Party does and will from time to time process Personal Information which belongs to or is held by a Data Subject. Following this, to comply with POPIA, the Responsible Party in its capacity as the Responsible Party, requires the Data Subject’s permission to process the Data Subject’s Personal Information.
2. Explanatory Notes and POPIA Definitions
This Data Privacy Consent Notice explains and sets out:
-
-
- What Personal Information belonging to the Data Subject will be processed by the Responsible Party;
- Why the Responsible Party needs the Data Subject’s Personal Information;
- What the Responsible Party will be do with the Data Subject’s Personal Information;
- Who the Responsible Party will share the Data Subject’s Personal Information with, and
- What the Responsible Party will do with the Data Subject’s Personal Information as and when the purpose for the processing comes to an end.
-
Definitions which are used in this Data Privacy Consent Notice
“Biometrics”
means a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition;
“Child”
means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him-or herself;
“Competent Person”
means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
“Consent”
means any voluntary, specific and Data Privacy expression of will in terms of which permission is given for the processing of Personal Information;
“Data Subject”
means the person who will provide the Responsible Party or its Operator(s) with Personal Information and who consents, when providing such Personal Information, to the Responsible Party’s use thereof, in accordance with this Data Privacy Consent Notice.
“Operator”
means a natural person or a juristic person who processes a Data Subject’s Personal Information on behalf of the Responsible Party, in terms of a contract or mandate, without coming under the direct authority of the Responsible Party;
“Person”
means a natural person or a juristic person;
“Personal Information”
means information relating to any identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, namely the Data Subject, including, but not limited to:
-
-
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person;
- The biometric information of the person;
- The individual opinions, views, or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person, and
- The name of the person if it appears with other Personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
-
“Processing”
means any operation or activity or any set of operations, whether by automatic means or not, concerning Personal Information, including:
-
-
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- Dissemination by means of transmission, distribution or making available in any other form;
- Merging, linking, as well as restriction, degradation, erasure, or destruction of information;
- Sharing with, transfer and further processing, to and with such information.
-
“Record”
means any recorded information, regardless of form or medium or when it came into existence, in the possession of the Responsible Party, whether it was created by the Responsible Party or not, including:
-
-
- Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded, or stored;
- Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- Book, map, plan, graph, or drawing;
- Photograph, film, negative, tape or other device in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced.
-
“Responsible Party”
means our entity, including without detracting from the generality thereof, its directors, management, executives, HR practitioners, payroll department, core benefits provider, medical aid department, retirement funding department, internal auditors, legal practitioners, compliance officers, Responsible Party secretary, and all other employees and Operators who need to process a Data Subject/your Personal Information for the Responsible Party business purposes.
“Special Personal Information”
includes any information relating to an individual’s Ethnicity, Gender, Religious or other beliefs, Political opinions, Membership of a trade union, Sexual orientation, Medical history, Offences committed or alleged to have been committed by that individual, Biometric details, and Children’s details.
3. Application of this Data Privacy Consent Notice
This Data Privacy Consent Notice will apply to the Responsible Party, and to the Data Subject, and/or the Data Subject’s Personal Information which is processed or may be processed by the Responsible Party, including any processing of the Data Subject’s Personal Information by any Operators duly appointed by the Responsible Party.
4. Purpose for the Collection
In order for the Responsible Party to pursue its business objectives and strategies, the Responsible Party needs to process the Data Subject’s Personal Information, which Personal Information will be used for several lawful purposes, including, inter alia, the following:
- For the purposes of complying with various of lawful obligations, including without detracting from the generality thereof:
-
- Administrative laws
- Responsible Party laws
- Corporate Governance codes
- Communication laws
- Customs and Excise laws
- Environmental laws
- Financial and Tax laws
- Health and Safety laws
- Labour and Employment laws
- Medical Aid laws
- Pension Fund laws
-
- For the purposes of carrying out actions for the conclusion and performance of a contract between the Responsible Party and the Data Subject;
- For the purposes of protecting the Data Subject’s and/or the Responsible Party’s legitimate interest(s), including the performance of risk assessments and risk profiles;
- Where required by law or Responsible Party policy receiving from or providing to any credit bureau or credit provider or credit association information about the Data Subject’s credit record, including Personal Information about any judgement or default history;
- For the purposes of any proposed or actual merger, acquisition, or any form of sale of some or all the Responsible Party’s assets, providing the Data Subject’s Personal Information to third parties, in connection with the evaluation of the transaction and related due diligence procedures;
- For the purposes of contacting the Data Subject and attending to the Data Subject’s enquiries and requests;
- For the purposes of providing the Data Subject from time to time with information regarding the Responsible Party, its directors, employees, services and goods and other ad hoc business-related information. Should the Data Subject not want to receive these specific communications, please specifically decline the opportunity by contacting us with your request.
- For academic research and statistical analysis purposes, including data analysis, testing, research and product development and product review purposes;
- For the purposes of a pursuing the Data Subject’s and/or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied;
- For the purposes of providing, maintaining, and improving the Responsible Party’s products and services, and to monitor and analyse various usage and activity trends regarding thereto;
- For the purposes of performing internal operations, including management of employees, employee wellness programmes, the performance of all required HR and IR functions, call centres, customer care lines and enquiries, attending to all financial matters including budgeting, planning, invoicing, facilitating, and making payments, making deliveries, sending receipts, and generally providing commercial support, where needed, requested, or required;
- For the purposes of preventing fraud and abuse of the Responsible Party’s processes, systems, procedures, and operations, including conducting internal and external investigations and disciplinary enquiries and hearings.
The Data Subject agrees that the Responsible Party may use all the Personal Information which the Data Subject provides to the Responsible Party, which the Responsible Party requires for the purposes of pursuing its business objectives and strategies.
The Responsible Party in turn undertakes that it will only use the Data Subject’s Personal Information for the purposes mentioned above and for no other reason, unless with the Data Subject’s prior authorisation.
5. Consequences of withholding Consent or Personal Information
Should the Data Subject refuse to provide the Responsible Party with his/her/its Personal Information, which is required by the Responsible Party for the purposes indicated above, and the required consent to process the Personal Information, then the Responsible Party will be unable to engage with the Data Subject or enter into any agreement or relationship with the Data Subject.
6. Storage, Retention and Destruction of Information
The Data Subject’s Personal Information will be stored electronically in a centralised database, which, for operational reasons, will be accessible to all within the Responsible Party on a need to know and business basis, save that where appropriate, some of the Data Subject’s Personal Information may be retained in hard copy.
All Personal Information which the Data Subject provides to the Responsible Party, will be held and/or stored securely. In this regard the Responsible Party undertakes to conduct regular audits in respect of the safety and the security of the Data Subject’s Personal Information. As and when the Data Subject’s Personal Information is no longer required, due to the fact that the purpose for which the Personal Information was held has come to an end and expired, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008, or longer should this be required by any other law applicable in South Africa. The Responsible Party will thereafter ensure that such Personal Information is permanently destroyed.
7. Access by Others and Cross-Border Transfer
The Responsible Party may from time to time have to disclose the Data Subject’s Personal Information to other parties, including its group companies or subsidiaries, joint venture companies, client companies and entities and/or approved product or third party service providers, regulators and/or governmental officials, international service providers and related companies or agents, but such disclosure will always be subject to an agreement, which will be concluded between the Responsible Party and the party to whom it is disclosing the Data Subject’s Personal Information, which contractually obliges the recipient of the Data Subject’s Personal Information to comply with strict confidentiality and data security conditions.
Where Personal Information and related data is transferred to a country which is situated outside the borders of South Africa, the Data Subject’s Personal Information will only be transferred to those countries which have similar data privacy laws in place, or where the recipient of the Personal Information is bound contractually to a no lesser set of obligations than those imposed by POPIA.
8. Right to Object and Complaints
The Data Subject is encouraged to make immediate contact with the Responsible Party Information Officer at any time if he/she/it is not comfortable or satisfied with the way the Responsible Party is processing the Data Subject’s Personal Information.
On receipt of the Data Subject’s objection, the Responsible Party will place a hold on any further processing until the cause of the objection has been resolved. If the Data Subject is not satisfied with such process, the Data Subject has the right to lodge a complaint with the Information Regulator.
9. Accuracy of Information and Onus
POPIA requires that all the Data Subject’s Personal Information and related details as supplied, are complete, accurate and up-to-date.
While the Responsible Party will always use its best endeavours to ensure that the Data Subject’s Personal Information is reliable, it will be the Data Subject’s responsibility to advise the Responsible Party of any changes to the Data Subject’s Personal Information, as and when these may occur.
10. Access to Information by the Data Subject
The Data Subject has the right at any time to request the Responsible Party to provide the Data Subject with details of his/her/its Personal Information which the Responsible Party holds, and/or the purpose for which it has been used, provided that such request is made using the standard section 51 Responsible Party PAIA process, which procedure can be accessed by downloading and completing the standard request for information form, kept in the Responsible Party’s section 51 PAIA Manual, which can be found on the Responsible Party’s website.
11. Amendments and Binding on Successors in Title
The Responsible Party reserves the right to amend this Data Privacy Consent Notice from time to time.
The rights and obligations of the parties under this Data Privacy Consent Notice will be binding on, and will be of the benefit to, each of the parties’ successors in title and/or assigns where applicable.
12. Declaration and Data Privacy Consent
The Data Subject confirms that the Data Subject’s Personal Information provided is accurate, up-to-date, not misleading and is complete in all respects, save where same may change and then, in such an event, the Data Subject undertakes to advise the Responsible Party or its Operator(s) of these changes.
The Data Subject, in providing the required Personal Information to the Responsible Party and/or to its Operator(s), consents and gives the Responsible Party permission to process and further process the Data Subject’s Personal Information as and where required and acknowledges that the Data Subject understands the purposes for which the Personal Information is required, and for what it will be used.
Should any of the Personal Information which has been provided by the Data Subject concern a legal entity, the Data Subject confirms that he/she has the necessary authority to act on behalf of such legal entity, and that he/she has the right to provide the Personal Information and/or the required consent to use said Personal Information, on behalf of the legal entity.
Should any of the Personal Information belong to any of the Data Subject’s dependants and/or beneficiaries who are underage, the Data Subject, in his/her capacity as their legal guardian and competent person, give the Responsible Party the appropriate authorisation to process their Personal Information for the purposes for which these details were given.
For further information contact:
Omega Capital’s Information Officer: administrators@omegacapital.co.za