DATA PROTECTION POLICY
- This privacy and data protection policy (“DP Policy”) sets out a framework for us to comply with POPIA’s requirements in the processing of your personal Information (“PI”).
- Where reference is made to the “processing” of PI, this has the meaning ascribed thereto in POPIA and will include any activity in which the PI is worked with, from the time that the PI is collected, up to the time that the PI is destroyed.
- By accessing our website and using any of our services through it, you agree that we may process your PI as explained in this DP Policy.
2. Processing of PI
- Depending on the type of business we conduct with you or the relationship you have with us, we may process your PI, including the following: name, race (for employment purposes or as otherwise required by applicable law), gender, marital status, nationality, age, language preference, date of birth, information relating to education, financial, criminal or employment history of a person, identifying numbers such as identity or passport number, tax identification numbers or tax, reference numbers, email address, physical address and telephone number.
- We undertake to comply with POPIA at all relevant times and to process your PI lawfully and reasonably, so as not to infringe unnecessarily on your privacy.
- We undertake to process your PI only for the purpose for which it is intended, to enable us to conduct our business, affairs and activities, as may inter alia be contractually determined.
- Whenever necessary, we shall obtain the voluntary, specific and informed consent as defined in POPIA (“Consent”) from you to process your PI.
- Where we do not expressly seek your Consent, the processing of your PI may be done in terms of another legitimate ground, such as a legal obligation placed on us, to protect a legitimate interest that requires protection, done solely for permitted journalistic/literary expression, or be permitted under a Code of Conduct that we ascribe to.
- We shall stop processing your PI as soon as the required Consent to do so is withdrawn by you or if a legitimate objection thereto is raised by you.
- We shall collect PI directly from you, unless: the PI is of public record, you have consented to the collection of your PI from an Affiliate of the Organisation, the PI to be collected is necessary for the maintenance of law and order or national security, the PI is being collected to comply with a legal obligation, including an obligation to SARS, the PI collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated, or the PI is required to maintain our legitimate interests.
- We shall retain records of your PI that we have collected for the minimum period as required by law unless you have given your Consent or instructed us to retain the records for a longer period.
- We shall destroy or delete records of your PI (so as to de-identify your PI) as soon as reasonably possible after the time period for which we are entitled to hold the records, has expired or you withdraw your Consent.
- We undertake to ensure that your PI which we collect and process is complete, accurate, not misleading and up to date.
- Where relevant, we undertake to take special care with your bank account details and are not entitled to obtain or disclose or procure the disclosure of such banking details unless it has your specific Consent or is legally obliged to disclose it.
3. Your rights
- In cases where your consent is required to process your PI, this Consent may be withdrawn by you (otherwise than where there is an existing obligation to process it, e.g. under a contractual relationship).
- You are entitled to lodge a complaint regarding our application of POPIA to your PI with the Information Regulator (“IR”).
- The prescribed forms for the exercise of these rights are attached to the 2018 regulations passed in terms of POPIA (“Regulations”) and can be obtained from our duly appointed Information Officer (“IO”).
4. Requests for PI records
- On production of proof of identity, you are entitled to request that we confirm, free of charge, whether or not we hold any PI relating to you in our records.
- If we indeed hold such PI, on request, and upon payment of a fee of R500,00 plus VAT, we shall provide you with the record, or a description of the PI, including information about the identity of all third parties or categories of third parties who have or have had access to the PI. We shall do this within a reasonable period of time, in a reasonable manner and in an understandable form.
5. Correction of PI
- You are entitled to require us to correct or delete PI that we have, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
- You are also entitled to require us to destroy or delete records of your PI that we are no longer authorised to retain.
- Any such request must be made on the prescribed form (Form 2 of the Regulations), obtainable from our IO.
- We undertake, upon receipt of such a lawful request, to comply as soon as reasonably practicable.
- In the event that a dispute arises regarding your rights to have your PI corrected, and in the event that you so require, we shall attach to your PI, in a way that it will always be read with your PI, an indication that the correction of your PI has been requested but has not been made.
- We shall notify you of the action that we have taken as a result of such a request.
6. Special PI
- Special rules apply to the collection and use of PI relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
- We shall not process any of your special PI as defined in POPIA (“Special PI”), without your Consent, or such processing is necessary for the establishment, exercise or defence of a right or an obligation in law.
7. The processing of PI of children
We may only process the PI of a child if we have the written consent of the child’s parent or legal guardian.
8. PI security breaches
Should it appear that your PI has been accessed or acquired by an unauthorised person, we shall as soon as reasonably possible, notify the IR and yourself, unless we are no longer able to identify you from the information in our possession.
9. Information officer
Should you have any questions or wish to lay any complaint with regard to the processing of your PI you may contact our IO.
10. Direct marketing
- We may contact you from time to time to inform you of our additional services or products.
- We may also provide you with newsletters and promotions as part of our value-added client experience.
- We may share your PI with our Affiliates (subject to applicable law and our indicated marketing preferences) so that they may offer you their products and services.
- You may at any time object to us processing your PI for marketing purposes. You can unsubscribe from direct marketing by following the steps set out in the direct marketing material you received or by contacting us.
- All direct marketing communications will disclose our identity and contain an address or other contact details to which you may send a request that such communications cease.
11. Prescribed forms and details of the information regulator
12. Updates to this privacy statement
This privacy statement is dated as of 1 July 2021. We may update the privacy statement from time to time. Please check our website on a regular basis.
The ISS is committed to internet privacy and would like visitors to be well informed about the gathering and use of their information through these websites.
- Monitoring of general trends in the use of the websites but no tracking of individual visitors
- No collection of information concerning visitors unless that information is voluntarily disclosed, for example by signing up as a member, subscriber, participant or similar, or subscribing to updates from the website
- No selling or renting of information voluntarily disclosed to the ISS nor sharing of it with any third parties
- Individuals and partners will only be contacted by the ISS for purposes related to the work of the organisation
- At any time, visitors signed up for specific services can cancel or modify their information
1. Data collection
The websites collect two categories of information:
2. Use of information
The ISS analyses browsing patterns and usage trends of the websites’ visitors with the general information collected. The ISS periodically summarises and analyses these log files to learn how visitors use the content on the website. This information is used to allocate resources effectively and improve the content, organisation and performance of ISS websites. This process does not collect, store or use personally-identifying information such as name, address, telephone number or email address.
A cookie is a small piece of information that a web server asks a visitor’s browser to store on the visitor’s local computer; later their browser presents this information to the webserver. In its simplest form, a cookie is an identifying number.
The ISS does not know the identity of a person based on the numerical ID. The cookies used on the websites do not contain any personal information about visitors nor are they used to look up personal information about visitors, even if visitors have entered information about themselves in one of ISS’ registration forms.
Additional cookies may be used from time to time to, inter alia, monitor new visitors to the websites, promote specific content and create call to action campaigns.
Any information provided to the ISS by visitors of the websites is handled with due care and security, and will not be used in ways other than as set forth in this policy, or in any site/area-specific policies, or in ways to which visitors have not explicitly consented.
The ISS employs a range of technologies and security measures to protect the information maintained on ISS systems from loss, misuse, unauthorised access or disclosure, alteration or destruction. When visitors submit sensitive information via the websites, such information is encrypted and protected with SSL encryption.
All ISS employees who have access to and are associated with the processing of personal data are obliged to respect the confidentiality of official business matters, including personal data.
5. Retention of personal information
6. Electronic mail
When a visitor sends the ISS personal identifying information via email (that is, in a message containing a question or a comment, or by filling out a form that emails the ISS this information), the ISS uses it to respond to visitors’ requests.
The ISS may forward visitors emails to other employees of the ISS (including affiliates or consultants) who are better able to answer visitors’ questions. The ISS does not retain or distribute lists of email addresses to any parties outside of the ISS (including partner organisations). The ISS does not distribute lists of e-mail addresses to any outside parties. Information collected via email will be retained at the ISS’ sole discretion in a directly readable form as long as necessary to complete the ISS’ response.
7. External links
8. Agreement and notification of amendments
9. Applicable law and venue of jurisdiction