In compliance with the Protection of Personal Information Act 4 of 2013 (“POPI”) – 30 June 2021
PM AND A CONSULTING & MARKETING (PTY) LTD t/a PM&A Consulting & IT Services.
2022/667988/07 t/a PM&A Consulting & IT Services
Unit F3 Pinelands Business Park, 4 Old Mill Road, Pinelands, 7405
We acknowledge that the protection and processing of personal information has become a global phenomenon and poses great risks. We acknowledge that the right to privacy enshrined in section 14 of the Constitution of the Republic of South Africa, 1996 (“Constitution”) forms the cornerstone of protection of personal information and must provide guidance on how we process personal information.
Compliance with POPI is required as of 30 June 2021 and our team is committed to complying with its provisions in fulfilment of our clients’ instructions. We acknowledge our clients’ right to protection against the unlawful collection, retention, dissemination and use of personal information, subject to justifiable limitations that are aimed at protecting other rights and important interests.
1. KEY DEFINITIONS
The following definitions contained in section 1 of POPI are of importance:
‘data subject’ means the person to whom personal information relates;
‘information officer’ means the person(s) as identified in this Policy;
‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to–
‘record’ means any recorded information-
‘responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘special personal information’ means information relating to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information or the criminal behaviour of a data subject.
2. INFORMATION OFFICER (internal)
Should you have any questions/complaints/suggestions regarding the processing of personal information, we encourage you to contact our firm’s Information Officer(s):
083 261 7264
You are further invited to contact our Information Officer(s) regarding issues specifically pertaining to:
1. Any objection to the processing of your personal information;
2. A request for the deletion/destruction/correction of your personal information or records; and/or
3. The submission of a complaint relating to the processing of your personal information.
Our Information Officer is responsible for encouraging and ensuring compliance with POPI, and will deal with requests relating thereto and work closely with the Information Regulator whenever necessary.
In addition thereto, our Information Officer will ensure that-
Our Information Officer and Deputy Information Officers have been duly appointed by resolution and have been registered accordingly with the Information Regulator.
3. INFORMATION REGULATOR (external)
Should you prefer not to contact our offices directly regarding any personal information related issues, you may forward your complaint/request directly to the Information Regulator at: firstname.lastname@example.org
4. ACTION PLAN AND INFORMATION POLICIES
We worked closely with our legal representatives to ensure compliance with POPI and the lawful and secure processing of your personal information. This process involved the following steps:
With the assistance of our legal representatives, we have developed and implemented the following policies regulating the processing of personal information in our business-
We have identified certain areas that carry more risk than others, specifically relating to those wherein third parties are involved or where mass volumes of electronic data are stored, and have implemented further measures to ensure the security of personal information herein;
These measures include cybersecurity checks and updates, and the implementation of Operator Undertakings (see below).
An external document (this document) available to outside parties explaining how we process personal information and regulating everything else POPI-related;
An internal document specifically applicable to our employees wherein they acknowledge that they are aware of the provisions of POPI and undertake to comply with our Information Policies;
An internal guideline highlighting the principles applicable to processing of personal information in our business;
We have worked closely with third parties who may have access to or deal with any personal information held by us and inquired on whether they are aware of the provisions of POPI;
These third parties have provided us with undertakings, confirming that they will only process personal information in line with the purpose that it was provided to them for and in line with the principles enshrined in POPI.
5. DESCRIPTION OF BUSINESS ACTIVITIES
PM&A provide Information Communication Technology services to Small to Medium Enterprises in Cape Town and surrounding areas. We are Microsoft Sophos Managed Security Service Providers and Microsoft Cloud Solution Providers.
6. PROCESSING OF PERSONAL INFORMATION
Section 18 of POPI requires us to ensure you are aware of the following:
By engaging our services, you therefore consent to us processing your personal information in line with the purpose for which it was provided to us.
7. RETENTION AND DELETION OF PERSONAL INFORMATION
You are further advised that financial records will be retained by us for a period of 5 (five) years from the date of last entry on your file, as required by South African Revenue Service guidelines, after which they will be destroyed and/or deleted and/or destructed and/or de-identified in a manner that prevents their reconstruction in an intelligible form.
Furthermore, considering the nature of our business we keep most of our data in electronic format. Electronic data will also be de-identified in a manner that prevents its reconstruction in an intelligible form. We undertake to delete your personal information at any time upon your request, unless POPI requires otherwise.
8. GROUNDS FOR PROCESSING PERSONAL INFORMATION
In conducting our Business Activities as described above, we will generally rely on the following grounds as listed in section 11 of POPI to process your personal information:
9. GROUNDS FOR PROCESSING SPECIAL PERSONAL INFORMATION
POPI contains a general prohibition on the processing of special personal information, unless one of the exclusions in POPI apply. The categories of special personal information contained in POPI include-
We do not process special personal information in the ordinary course of business. The processing of the above information involves greater risk, and in the unlikely event that you require us to do so on your behalf, we will take special care to protect this information. Our security measures implemented are discussed under “SECURITY SAFEGUARDS” below. We have worked closely alongside our legal representatives to identify any risks associated herewith and have implemented the below measures to combat these risks.
10. YOUR RIGHTS
Kindly be advised that, as a data subject, you have the right to:
1. Be informed that your personal information is being collected;
11. YOUR DUTY
In order for us to properly execute our mandate and provide the best assistance possible, we kindly request that you provide us with your accurate and complete personal information required by us to fulfil our mandate. Lastly, we kindly request that you update us of any changes to your personal information for us to endorse same in our records.
Kindly contact our Information Officer to inquire on the following forms:
Once received, you are encouraged to complete these forms and present them to our Information Officer, alternatively the Information Regulator, whichever may be applicable.
13. CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Our team is committed to the fulfilment of the following condition imposed by POPI:
Our approach in fulfilment of each of the above is discussed below.
We are committed to ensuring that your personal information will only be processed in accordance with the provisions of POPI and in line with the purpose for which it was supplied to us.
13.2. PROCESSING LIMITATION
Personal information will only be-
13.3. PURPOSE SPECIFICATION
Data subjects will always be made aware of the purpose for which their personal information is being processed.
As mentioned above, section 18 of POPI requires us to ensure you are aware that your personal information may be processed by us in execution of our services to you and will be used solely for this purpose. By engaging our services, you therefore consent to us processing your personal information in line with the purpose for which it was provided to us.
Personal information will always be collected directly from the data subject, unless-
13.4. FURTHER PROCESSING LIMITATION
In line with the previous paragraph (‘PURPOSE SPECIFICATION’), any further/subsequent processing of your personal information will still be done in accordance with the original purpose and only when processing thereof is necessary in the circumstances described above.
13.5. INFORMATION QUALITY
Upon collecting your personal information, our staff will take all steps necessary to ensure the correctness of your personal information. All of your personal information is stored securely for if and when we require same to be processed (refer to “Security Safeguards” below).
In order for us to properly assist our clients, we kindly request that you provide us with your accurate and complete personal information required by us to fulfil our services.
Lastly, we kindly request that you update us of any changes to your personal information for us to endorse same in our records.
13.7. SECURITY SAFEGUARDS
In order to protect our clients’ personal information, our team will-
Furthermore, all our agreements with third party operators have been reviewed and/or Operator Undertakings have been provided to ensure compliance by third parties with POPI.
13.8. DATA SUBJECT PARTICIPATION
Data subjects can request confirmation from us on whether we hold personal information and/or the correct personal information. Data subjects can further request for such information to be deleted or destroyed.
Our team will not process special personal information unless expressly provided for in POPI and unless specifically necessary for the purpose for which it was provided to us.
14. STEPS IN EVENT OF A COMPROMISE
The following steps will be taken by us in the unlikely event of a data breach/information compromise:
15. CROSS-BORDER TRANSMISSION OF PERSONAL INFORMATION
We do not transfer personal information to foreign countries in the ordinary course of business. In the rare event where this is required, we will not send your personal information abroad unless-
16. PERSONAL INFORMATION OF CHILDREN
We do not process personal information of any children in the ordinary course of our business. We acknowledge that the processing of the above information involves great risk and such information may only be processed where consent has been provided by a competent person (parent or guardian) or where otherwise authorised by POPI.
17. ACCOUNT NUMBERS
We will never sell, obtain or disclose your account number (whether this relates to any sort of bank account details, credit card numbers or credit application numbers) to any person without your consent.
18. CORRESPONDENCE FROM US
As a client of ours, we will communicate with you as and when required in the ordinary course of business. We will only correspond with you if you are an existing or prospective customer, or if you provided consent. Communications will only be sent if we obtained your contact details in the context of the sale of our products or services as in the ordinary course of business. Communications received from us will always clearly identify us as the sender and should you wish to stop receiving correspondence from us, you are encouraged to notify us thereof.
Our Team is committed to complying with POPI and we acknowledge our clients’ right to protection against the unlawful collection, retention, dissemination and use of personal information, subject to justifiable limitations that are aimed at protecting other rights and important interests.
Kindly contact our Information Officer for any queries relating to the processing of