Diplomat Distributors SA Proprietary Limited
VERSION DATE UPDATED BY DETAILS
1 24/07/2023 HEIDI RODER FIRST ISSUE
2. POLICY STATEMENT
Diplomat Distributors intends to comply fully with POPIA, the regulations and guidance published thereunder and any codes of conduct applicable to it, which relate to the protection of Personal Information and the promotion of the right to privacy as contained in section 14 of the Constitution of the Republic of South Africa, 1996.
3. PURPOSE OF THIS POLICY
3.1. Diplomat Distributors has established that the nature of its business operations involves the Processing of Personal Information. In order to comply with POPIA, Diplomat Distributors needs a standard framework in place to ensure that all its employees and contractors understand their responsibilities when Processing Personal Information for or on behalf of Diplomat Distributors.
3.2. This Policy sets out the minimum standards that must be applied by all Diplomat Distributors’ employees and contractors.
4. SCOPE / APPLICABILITY
This Policy applies to all Diplomat Distributors’ employees and contractors (hereinafter referred to collectively as “employees”). This Policy applies to all activities and supporting information systems involved in the collection, storage, use or any other form of Processing of Personal Information.
5. OVERVIEW OF YOUR OBLIGATIONS
Personal Information must be processed lawfully by Diplomat Distributors and in a reasonable manner that does not infringe on the privacy of a Data Subject. In this regard, all employees shall ensure that:
5.1. there is a lawful basis for collection and Processing of Personal Information (see paragraph 7);
5.2. Personal Information is collected directly from the Data Subject unless an exception applies (see paragraph 8);
5.3. Personal Information is only collected where there is a specific, explicitly defined and lawful purpose and only the minimum Personal Information is collected having regard to the lawful purpose of collection (see paragraph 9);
5.4. Personal Information is processed in a fair and transparent manner (see paragraph 10);
5.5. Personal Information collected is complete, accurate, not misleading and, where necessary, kept up to date (see paragraph 11);
5.6. Personal Information Records are labelled and treated with the record classification prescribed by Diplomat Distributors’ Privacy Procedures (see paragraph 12);
5.7. Personal Information Records are retained and destroyed in accordance with Diplomat Distributors’ Privacy Procedures (see paragraph 13);
5.8. an approved data processing agreement has been entered into, or the prior written approval of Diplomat Distributors’ designated and approved authorising signatories has been obtained for any other terms and conditions, before any third party is engaged for purposes of Processing Personal Information for or on behalf of Diplomat Distributors (see paragraph 14);
5.9. none of the following Processing activities are performed except in the limited circumstances set out in this Policy:
5.9.1. Processing of Special Personal Information (see paragraph 15);
5.9.2. Processing of Children’s Personal Information (see paragraph 16);
5.9.3. Performing Direct Marketing by electronic means (see paragraph 17);
5.9.4. transferring of Personal Information to a foreign country / international transfer of Personal Information (see paragraph 18);
5.9.5. further Processing (i.e. Processing Personal Information for a purpose that is incompatible with the original purpose of collection) (see paragraph 19); and
5.9.6. automated decision making (see paragraph 20);
5.10. Data Subject’s rights are respected and any exercise of those rights by a Data Subject is immediately brought to the attention of Diplomat Distributors’ Information Officer (see paragraph 21);
5.11. the Information Officer is immediately informed of any complaint from a Data Subject related to an alleged infringement of his/her/its rights in terms of POPIA (see paragraph 21);
5.12. requests for access to Personal Information Records by third parties shall be handled in accordance with Diplomat Distributors’ PAIA Manual (see paragraph 22);
5.13. any communications from the Information Regulator are immediately brought to the attention of the Information Officer (see paragraph 23);
5.14. any regulatory changes, regulatory filings and regulatory interactions related to POPIA are dealt with in terms of this Policy and the Privacy Procedures (see paragraph 24);
5.15. Personal Information is processed securely in compliance with Diplomat Distributors’ information security policies and procedures (see paragraphs 25 and 26);
5.16. any suspected data breaches or incidents are reported in accordance with the regulatory notification matrix and handled in accordance with the Cyber Business Continuity Policy (see paragraph 27); and
5.17. all mandatory training regarding data privacy and protection conducted by or for Diplomat Distributors is completed (see paragraph 28).
6. PRIVACY GOVERNANCE
Diplomat Distributors will establish a governance structure that ensures accountability for data privacy and protection at the highest level. The privacy governance structure will be reviewed annually to ensure it remains appropriate having regard to the size, complexity, and nature of the business of Diplomat Distributors and its Processing activities. Diplomat Distributors must ensure that there are sufficient financial and people resources available to:
6.1. drive compliance with POPIA and any other applicable laws and regulations protecting Personal Information;
6.2. ensure compliance with Diplomat Distributors’ internal privacy policies and the procedures issued thereunder;
6.3. identify, assess, manage and report on data privacy and protection risks within the business of Diplomat Distributors.
7. LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION
Diplomat Distributors shall not Process Personal Information without having a lawful basis for such Processing. There are several lawful bases that Diplomat Distributors may rely on to lawfully Process Personal Information. The appropriate lawful basis differs having regard to the purpose of the Processing of Personal Information. The different lawful bases that may apply in the circumstances include:
7.1. the Data Subject or a Competent Person, where the Data Subject is a Child, consents to the Processing. To rely on this lawful basis the requirements in Annexure B – Consent Requirements must be met;
7.2. Processing is necessary to carry out actions for the conclusion of a contract to which the Data Subject is party;
7.3. Processing is necessary to carry out actions for the performance of a contract to which the Data Subject is party (for example where Processing of Personal Information is necessary to give effect to the terms of an employment contract; supplier contract or customer contract);
7.4. Processing complies with an obligation imposed by law on Diplomat Distributors (for example, where the law obliges Diplomat Distributors to collect and Process Personal Information);
7.5. Processing protects a legitimate interest of the Data Subject. This justification may only be relied upon once the Information Officer has confirmed this lawful basis is appropriate in writing; or
7.6. Processing is necessary for pursuing the legitimate interests of Diplomat Distributors, as the Responsible Party, or of a third party to whom the information is supplied. This justification may only be relied upon once the Information Officer has confirmed this lawful basis is appropriate in writing.
8. INFORMATION SOURCES
All Personal Information relating to a Data Subject must be collected directly from a Data Subject. Where it is not possible to collect Personal Information directly from a Data Subject, Personal Information may be collected from an indirect source only in the following circumstances:
8.1. the Personal Information is contained in or derived from a public Record;
8.2. the Personal Information has deliberately been made public by the Data Subject (for example, it is published on the Data Subject’s website);
8.3. the Data Subject or a Competent Person, where the Data Subject is a Child, has consented to the collection of the Personal Information from another source;
8.4. collection of the Personal Information from another source is otherwise approved by the Information Officer, in writing, on the basis that —
8.4.1. collection of the Personal Information from another source would not prejudice a legitimate interest of the Data Subject;
8.4.2. indirect collection is necessary to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 34 of 1997;
8.4.3. indirect collection is necessary for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
8.4.4. indirect collection is necessary in the interests of national security;
8.4.5. indirect collection is necessary to maintain the legitimate interests of Diplomat Distributors or of a third party to whom the Personal Information is supplied;
8.4.6. compliance would prejudice a lawful purpose of the collection; or
8.4.7. compliance is not reasonably practicable in the circumstances of the particular case.
9. DATA MINIMISATION AND PURPOSE SPECIFICATION
9.1. Personal Information may only be collected if there is a specific, explicitly defined and lawful purpose related to a function or activity of Diplomat Distributors.
9.2. Any Personal Information collected must be adequate, relevant and not excessive. This means that only the minimum Personal Information necessary to give effect to the specified purpose of collection may be collected; no Personal Information beyond what that purpose requires may be requested or collected.
9.3. Any excessive Personal Information that is provided by a Data Subject, or a third party must:
9.3.1. either be returned to the Data Subject or third party immediately; or
9.3.2. immediately destroyed.
9.4. Any actions taken in terms of sub-paragraph 9.3.2 must be communicated to the Data Subject or third party in writing, as the case may be.
10. FAIR AND TRANSPARENT PROCESSING
10.1. Diplomat Distributors shall be transparent with Data Subjects regarding its Processing of their Personal Information. In this regard, Diplomat Distributors shall develop a privacy notice describing its Processing activities. The privacy notice shall comply with the requirements of POPIA and include all information contained in Annexure C – Notification of Personal Information Collected.
11. DATA ACCURACY
11.1. Diplomat Distributors’ employees must take reasonably practicable steps to ensure that Personal Information is complete, accurate and not misleading at the time it is collected.
11.2. The obligation to ensure that Personal Information is complete, accurate and not misleading is heightened when:
11.2.1. Personal Information is not collected directly from the Data Subject but collected from another source; and/or
11.2.2. where the Personal Information is used to make decisions that may significantly affect the Data Subject concerned or others.
In these circumstances Diplomat Distributors’ employees must accurately record the source of the information and, where reasonably practicable, take reasonable steps to verify the Personal Information.
12. CLASSIFICATION OF PERSONAL INFORMATION RECORDS
12.1. Information Owners are responsible for ensuring that Records under their ownership are classified and handled in accordance with Diplomat Distributors’ Privacy Procedures and any additional handling standards prescribed by the Information Owner.
12.2. All employees are required to familiarise themselves with and adhere to Diplomat Distributors’ Privacy Procedures, which govern the classification and handling of Personal Information Records, including the:
12.2.1. labelling of Personal Information Records;
12.2.2. back-up / archival and storage of Personal Information Records;
12.2.3. transfer or transmission of Personal Information Records; and
12.2.4. destruction and disposal of Personal Information Records.
13. RETENTION AND DESTRUCTION OF PERSONAL INFORMATION RECORDS
13.1. Personal Information Records shall not be retained any longer than is necessary for achieving the purpose for which the Personal Information was collected, created, acquired or subsequently Processed, unless:
13.1.1. retention of the Record is required or authorised by law;
13.1.2. Diplomat Distributors reasonably requires the Record for lawful purposes related to its functions or activities;
13.1.3. retention of the Record is required by a contract between the parties thereto; or
13.1.4. the Data Subject or a Competent Person, where the Data Subject is a Child, has Consented to the retention of the Record.
13.2. In giving effect to sub-paragraph 13.1, all employees shall familiarise themselves with and adhere to the Privacy Procedures, which govern, inter alia:
13.2.1. the maximum length of time that Personal Information Records may be retained;
13.2.2. the manner in which Personal Information Records should be identified for destruction; and
13.2.3. the manner in which Personal Information Records should be destroyed or de-identified.
14. PROCESSING BY THIRD PARTIES
14.1. Prior to engaging any third party for purposes of Processing Personal Information for or on behalf of Diplomat Distributors, Diplomat Distributors must identify and assess any data privacy and protection risks to Personal Information posed by outsourcing those Processing activities to that third party.
14.2. Diplomat Distributors’ employees may not share any Personal Information Records or make available any Personal Information Records to a third party unless:
14.2.1. a data processing agreement has been entered into which is materially the same as the template agreement approved by Diplomat Distributors’ Information Officer; or
14.2.2. Diplomat Distributors’ designated and approved authorising signatories have given their prior written approval of the proposed terms and conditions of the agreement.
14.3. Diplomat Distributors must perform on-going monitoring of any third party that Processes Personal Information (by applying a risk-based approach) to ensure that the third party is compliant with any data privacy and protection obligations relating to the Personal Information as agreed with Diplomat Distributors and in accordance with POPIA.
15. PROCESSING SPECIAL PERSONAL INFORMATION
15.1. Diplomat Distributors’ employees are prohibited from Processing Special Personal Information, unless the written approval of the Information Officer has been obtained. In determining whether to approve the Processing of Special Personal Information the Information Officer shall have regard to the exceptions set out in sections 27 to 33 of POPIA as well as the obligations in terms of sections 57 and 58 of POPIA.
15.2. The written approval of the Information Officer in terms of sub-paragraph 15.1 shall not be required if the Processing of Special Personal Information is required for Processing:
15.2.1. by the HR team administering sick leave benefits;
15.2.2. by the Payroll team deducting trade union membership fees; and
15.2.3. by the HR team for purposes of recruitment, where the written Consent of the Data Subject to a criminal background check has been obtained and is retained (provided the requirements in Annexure B – Consent Requirements have also been met).
16. PROCESSING CHILDREN’S PERSONAL INFORMATION
16.1. Diplomat Distributors’ employees are prohibited from Processing Personal Information of any Child, unless the written approval of the Information Officer has been obtained. In determining whether to approve the Processing of a Child’s Personal Information, the Information Officer shall have regard to section 35 of POPIA as well as the obligations in terms of sections 57 and 58 of POPIA.
16.2. The written approval of the Information Officer in terms of sub-paragraph 16.1 shall not be required if the Processing of Children’s Personal Information is required for Processing by the HR team for purposes of administering medical aid or provident fund benefits.
17. DIRECT MARKETING
17.1. Unless the exception in sub-paragraph 17.2 applies, Diplomat Distributors must obtain the written Consent of the Data Subject before Processing the Data Subject’s Personal Information for purposes of Direct Marketing by means of any form of electronic communication (including automatic calling machines, facsimile machines, SMSs or email).
17.2. Diplomat Distributors may Process Personal Information of its existing customers for Direct Marketing purposes only if the following conditions are met:
17.2.1. Diplomat Distributors obtained the contact details of the customer in the context of the sale of Diplomat Distributors’ products or services;
17.2.2. Diplomat Distributors uses the contact details to perform Direct Marketing of its own similar products or services; and
17.2.3. the Data Subject was given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his/her/its/their electronic details at the time when the information was collected and on the occasion of each communication with the Data Subject for the purpose of marketing.
17.3. Diplomat Distributors may approach a Data Subject whose Consent is required in terms of sub-paragraph 17.1 and who has not previously withheld such consent, only once in order to request the Consent of that Data Subject.
17.4. Any communication for the purpose of Direct Marketing must contain—
17.4.1. Diplomat Distributors’ details; and
17.4.2. Diplomat Distributors’ Information Officer’s address and contact details (including an email address) to which the recipient of Direct Marketing may send a request that such communications cease.
18. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
18.1. Diplomat Distributors’ employees are prohibited from transferring or making available Personal Information to a third party in a foreign country, unless the written approval of the Information Officer has been obtained.
18.2. In determining whether to provide his/her approval for the transfer of Personal Information in terms of sub-paragraph 18.1, the Information Officer shall consider whether:
18.2.1. the third party who is the recipient of the information is subject to a law which provides an adequate level of protection as contemplated in section 72(1)(a) of POPIA;
18.2.2. the third party who is the recipient of the information is subject to binding corporate rules or a binding agreement which provides an adequate level of protection as contemplated in section 72(1)(a) of POPIA;
18.2.3. the Data Subject has Consented to the transfer of Personal Information to the recipient in the foreign jurisdiction;
18.2.4. the transfer is necessary for the performance of a contract between the Data Subject and Diplomat Distributors;
18.2.5. the transfer is necessary for the implementation of precontractual measures taken in response to the Data Subject’s request;
18.2.6. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between Diplomat Distributors and a third party; or
18.2.7. the transfer is for the benefit of the Data Subject and—
18.2.7.1. it is not reasonably practicable to obtain the Consent of the Data Subject to that transfer; and
18.2.7.2. if it were reasonably practicable to obtain such Consent, the Data Subject would be likely to give it.
18.3. The Information Officer may provide his/her conditional approval in terms of sub-paragraph 18.1 on the basis that the employee shall:
18.3.1. procure the signature of a binding agreement which meets the requirements of section 72 of POPIA and the terms have been approved by the Information Officer; or
18.3.2. obtain the written consent of the Data Subject in a form that the Information Officer has approved.
18.4. Diplomat Distributors shall not allow Personal Information to be stored on a cloud platform or cloud solution that is hosted outside of South Africa unless an assessment has been performed by the Information Officer to determine the nature and extent of data privacy and protection risks related to the cloud services and Diplomat Distributors has implemented appropriate mitigating measures against the risks identified.
19. FURTHER PROCESSING
19.1. Personal Information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Diplomat Distributors (“the original purpose of collection”). Diplomat Distributors’ employees may not process Personal Information for purposes which are not compatible or not in accordance with the original purpose of collection. Should a Diplomat Distributors employee wish to perform such further Processing he/she/they must obtain the written approval of the Information Officer.
19.2. In determining whether to provide his/her/their approval in terms of sub-paragraph 19.1, the Information Officer shall assess whether further Processing is compatible with the original purpose of collection, having regard to:
19.2.1. the relationship between the purpose of the intended further Processing and the original purpose for which the Personal Information has been collected;
19.2.2. the nature of the Personal Information concerned;
19.2.3. the consequences of the intended further Processing for the Data Subject;
19.2.4. the manner in which the Personal Information has been collected; and
19.2.5. any contractual rights and obligations between the parties.
19.3. The Information Officer shall also consider Annexure D – Further Processing Compatibility, which sets out the circumstances in which further Processing of Personal Information will not be considered incompatible with the original purpose of collection in terms of section 15(3) of POPIA.
20. AUTOMATED DECISION MAKING
20.1. Diplomat Distributors and its employees shall not make a decision based solely on the automated Processing of Personal Information intended to provide a profile of a Data Subject, including his/her/their performance at work, or his/her/their/its credit worthiness, reliability, location, health, personal preferences or conduct (“automated decision making”).
21. DATA SUBJECT PARTICIPATION AND PRIVACY COMPLAINTS
Diplomat Distributors respects the privacy rights of Data Subjects as provided for in POPIA. Employees are required to familiarise themselves with the privacy rights of Data Subjects and the process to be followed as set out in the Privacy Procedures.
22. EXTERNAL REQUESTS FOR ACCESS TO PERSONAL INFORMATION RECORDS
Diplomat Distributors shall consider any request or demand for disclosure of Personal Information of a Data Subject by a Public Authority or other external person (“Disclosure Request”) in accordance with its PAIA Manual having regard to the principle of promotion of access to information, as contemplated in PAIA, and the requirement to protect Personal Information as contemplated in POPIA. Employees shall apply the Privacy Procedures when they receive or become aware of a Disclosure Request.
23. INVESTIGATIONS BY THE INFORMATION REGULATOR
23.1. Diplomat Distributors’ employees must not hinder, obstruct or unlawfully influence the Information Regulator or any person acting on behalf of or under the direction of the Information Regulator in the performance of the Information Regulator’s duties and functions under POPIA.
23.2. Diplomat Distributors employees must not intentionally obstruct a person in the execution of a warrant issued in terms of POPIA and must give any person executing such a warrant such assistance as he/she/they may reasonably require for the execution of the warrant.
24. REGULATORY FILINGS AND REGULATORY CHANGE
24.1. The Information Officer is responsible for identifying any regulatory changes and for assessing the impact of such changes on the business of Diplomat Distributors. The Information Officer will communicate any impact of a regulatory change to Diplomat Distributors’ employees.
24.2. The Information Officer is further responsible for identifying and timeously lodging any regulatory filings or reports that may be required in terms of POPIA to the Information Regulator from time to time.
25. ACCESS RESTRICTION
Personal Information must be adequately protected and may only be disclosed to persons who are authorised and have a legitimate business need to access such Personal Information, and then only to the extent strictly necessary to perform their job or for another legitimate purpose.
26. SECURING PERSONAL INFORMATION
26.1. Diplomat Distributors must secure the integrity and confidentiality of Personal Information in its possession or under its control in order to prevent loss of, damage to or unauthorised destruction of Personal Information, and to prevent unauthorised access to or Processing of Personal Information.
26.2. The Head of IT and Business Transformation is responsible for:
26.2.1. designing and implementing reasonable technical and organisational measures to give effect to sub-paragraph 26.1;
26.2.2. taking reasonable measures to:
26.2.2.1. identify all reasonably foreseeable internal and external risks to Personal Information in Diplomat Distributors’ possession or under its control;
26.2.2.2. establish and maintain appropriate safeguards against the risks identified;
26.2.2.3. regularly verify that the safeguards are effectively implemented; and
26.2.2.4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
26.2.3. staying abreast of generally accepted information security practices and procedures which may apply to Diplomat Distributors generally or be required in terms of specific industry or professional rules and regulations, and implementing such measures.
26.3. Employees must familiarise themselves with the policies and procedures which support the security control environment and apply those policies when accessing Diplomat Distributors’ premises and/or using business systems, applications or devices.
27. IDENTIFYING AND REPORTING BREACHES / SECURITY COMPROMISES
27.1. Where there are reasonable grounds to believe that the Personal Information of a Data Subject has been lost or has been accessed or acquired by any unauthorised person (“Personal Data Breach”), the employee must immediately notify the IT service desk or the Head of IT.
27.2. The Head of IT will notify the Head of Information Security of the group of companies to which Diplomat Distributors belongs for further inquiry and handling.
27.3. The Information Officer shall be responsible for notifying the Information Regulator and, where applicable, Data Subjects of the Personal Data Breach as contemplated in Annexure E – Notification of Personal Data Breach.
27.4. Further roles and responsibilities of employees once they become aware of or reasonably suspect a Data Breach are detailed in Cyber Business Continuity Policy, which includes a Crisis Communication Policy.
28. TRAINING AND AWARENESS
The Information Officer must implement adequate training and awareness initiatives to ensure that all Diplomat Distributors directors, executives and employees are aware of, and understand, the data privacy and protection requirements set out in this Policy and the Privacy Procedures, as well as any other data privacy and protection processes implemented within Diplomat Distributors, including the identification and reporting of Personal Data Breaches.
Should there be any violation of this Policy, Diplomat Distributors may take disciplinary action against any person found to be involved in conduct which is contrary to this Policy.
30. DOCUMENT CONTROL
Policy Owner Financial Manager
Policy Approver Chief Executive Officer
Approval Date 24 July 2023
Review Frequency Every 2 years
Next Review Date 1 August 2025
ANNEXURE A – GLOSSARY OF TERMS
Automatic Calling Machine means a machine that is able to make automated calls without human intervention.
Child means a natural person under the age of 18 years who is not legally competent, without the assistance of a Competent Person, to take any action or decision in respect of any matter concerning him or herself.
Competent Person means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a Child.
Consent means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
Diplomat Distributors means Diplomat Distributors SA Proprietary Limited;
Data Subject means the person to whom Personal Information relates. A Data Subject may be an individual or juristic person. A Data Subject may include a member of the public, a customer, a supplier, a job applicant, an employee or a past employee.
Direct Marketing means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
a) promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
b) requesting the Data Subject to make a donation of any kind for any reason.
Direct Marketing by electronic communication includes any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes:
— messages via automatic calling machines;
— messages via fax machine;
— SMSs; and
— email.
Information Owner means the Information Owner as defined in Diplomat Distributors’ Privacy Procedures.
Information Regulator means the Information Regulator established in terms of section 39 of POPIA.
Operator(s) means a person who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party. Diplomat Distributors may act in the capacity of an Operator and/or may engage with third parties who act in the capacity of an Operator.
PAIA means the Promotion of Access to Information Act, 2 of 2000.
Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including—
a) the collection, receipt, Recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
b) dissemination by means of transmission, distribution or making available in any other form; or
c) merging, linking, as well as restriction, degradation, erasure or destruction of information.
POPIA means the Protection of Personal Information Act, 4 of 2013.
Public Authority means any governmental authority, regulatory authority, governmental agency, law enforcement authority, judicial authority, the South African Information Regulator or similar body.
Record means any Recorded information—
a) regardless of form or medium, including any of the following—
i. writing on any material;
ii. information produced, Recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, Recorded or stored;
iii. label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
iv. book, map, plan, graph or drawing;
v. photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
b) in the possession or under the control of a Responsible Party;
c) whether or not it was created by a Responsible Party; and
d) regardless of when it came into existence.
Responsible Party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information. Diplomat Distributors often acts in the capacity of a Responsible Party.
Special Personal Information means information concerning—
a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
b) the criminal behaviour of a Data Subject to the extent that such information relates to—
i. the alleged commission by a Data Subject of any offence; or
ii. any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
ANNEXURE B – CONSENT REQUIREMENTS
In order to rely on the justification of Consent, it must be a voluntary, specific and informed expression of will. Employees should avoid making Consent to Processing a precondition of a service and should instead consider whether there is another lawful basis for Processing Personal Information. Where an employee intends to rely on Consent as the lawful basis for Processing Personal Information, the following conditions must be met:
1. the Data Subject must have capacity to Consent. A Child does not have capacity to Consent, and Consent must be obtained from a person who is legally competent to Consent to any action or decision being taken in respect of any matter concerning a Child;
2. Consent must be freely given, and a Data Subject must not be forced or coerced into providing his/her/its Consent;
3. Consent requires a positive opt-in. This means that Diplomat Distributors will not consider pre-ticked boxes or any other method of default Consent as being valid;
4. there must be a clear and specific statement of Consent clearly describing to whom Consent is granted (i.e. Diplomat Distributors); the purpose of the Processing; and the types of Processing activity;
5. Consent requests must be kept separate from other terms and conditions (i.e. it must be a choice and not bundled with other terms and conditions);
6. blanket Consent is not enough – Consent must be ‘granular’. This means that the Data Subject’s Consent must be obtained for separate processing activities / purposes;
7. if third parties will be relying on the Consent then this must be made known to the Data Subject when obtaining his/her/its Consent;
8. it must be easy for people to withdraw Consent and Data Subjects should be informed about how to withdraw Consent at the time that Consent is obtained;
9. you must maintain a Record of Consent being given in a central place including the information you shared when obtaining the Data Subject’s Consent; and
10. Consent should generally not be relied on where the Data Subject is an employee and the Information Officer should be consulted in this regard.
ANNEXURE C – NOTIFICATION OF PERSONAL INFORMATION COLLECTED IN TERMS OF SECTION 18(1) OF POPIA
Where Personal Information is collected, Diplomat Distributors must take reasonably practical steps to ensure that the Data Subject is aware of –
1. the Personal Information being collected and where the Personal Information is not collected from the Data Subject, the source from which it is collected;
2. the name and address of Diplomat Distributors;
3. the purpose for which the Personal Information is being collected;
4. whether or not the supply of the Personal Information by that Data Subject is voluntary or mandatory;
5. the consequences of failure to provide the Personal Information;
6. any particular law authorising or requiring the collection of the Personal Information;
7. the fact that, where applicable, Diplomat Distributors intends to transfer the Personal Information to a third country or international organisation and the level of protection afforded to the Personal Information by that third country or international organisation;
8. any further information such as the—
a) recipient or category of recipients of the Personal Information;
b) nature or category of the Personal Information;
c) existence of the right of access to and the right to rectify the Personal Information collected;
d) existence of the right to object to the Processing of Personal Information as referred to in section 11(3) of POPIA; and
e) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable Processing in respect of the Data Subject to be reasonable.
ANNEXURE D – FURTHER PROCESSING COMPATIBILITY IN TERMS OF SECTION 15(3) OF POPIA
The further Processing of Personal Information is not incompatible with the purpose of collection if –
1. the Data Subject or a competent person, where the Data Subject is a Child, has Consented to the further Processing of the Personal Information;
2. the Personal Information is available in or derived from a public record or has deliberately been made public by the Data Subject;
3. further Processing is necessary to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
4. further Processing is necessary to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act 34 of 1997;
5. further Processing is necessary for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
6. further Processing is necessary in the interests of national security;
7. the further Processing of the Personal Information is necessary to prevent or mitigate a serious and imminent threat to—
a) public health or public safety; or
b) the life or health of the Data Subject or another individual;
8. the Personal Information is used for historical, statistical or research purposes and Diplomat Distributors ensures that the further Processing is carried out solely for such purposes and will not be published in an identifiable form; or
9. the further Processing of the Personal Information is in accordance with an exemption granted under section 37 of POPIA.
ANNEXURE E – NOTIFICATION OF PERSONAL DATA BREACH
1. Notification of any Personal Data Breach must be made as soon as reasonably possible after the discovery of the compromise of the Personal Information, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise of the Personal Information and to restore the integrity of Diplomat Distributors’ information system.
2. Diplomat Distributors may only delay notification of the Data Subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned.
3. Notification of any Personal Data Breach to the Data Subject must be in writing and communicated to the Data Subject in at least one of the following ways:
a. mailed to the Data Subject’s last known physical or postal address;
b. sent by e-mail to the Data Subject’s last known e-mail address;
c. placed in a prominent position on the website of Diplomat Distributors;
d. published in the news media; or
e. as may be directed by the Information Regulator.
4. The notification of any Personal Data Breach must provide sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise, including—
a. a description of the possible consequences of the security compromise;
b. a description of the measures that Diplomat Distributors intends to take or has taken to address the security compromise;
c. a recommendation with regard to the measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
d. if known to Diplomat Distributors, the identity of the unauthorised person who may have accessed or acquired the Personal Information.