Data Protection and Website Privacy Policy


1. Background

  • This privacy and data protection policy (“DP Policy”) sets out a framework for us to comply with POPIA’s requirements in the processing of your personal Information (“PI”).
  • Where reference is made to the “processing” of PI, this has the meaning ascribed thereto in POPIA and will include any activity in which the PI is worked with, from the time that the PI is collected, up to the time that the PI is destroyed.
  • By accessing our website and using any of our services through it, you agree that we may process your PI as explained in this DP Policy.

2. Processing of PI

  • Depending on the type of business we conduct with you or the relationship you have with us, we may process your PI, including the following: name, race (for employment purposes or as otherwise required by applicable law), gender, marital status, nationality, age, language preference, date of birth, information relating to education, financial, criminal or employment history of a person, identifying numbers such as identity or passport number, tax identification numbers or tax, reference numbers, email address, physical address and telephone number.
  • We undertake to comply with POPIA at all relevant times and to process your PI lawfully and reasonably, so as not to infringe unnecessarily on your privacy.
  • We undertake to process your PI only for the purpose for which it is intended, to enable us to conduct our business, affairs and activities, as may inter alia be contractually determined.
  • Whenever necessary, we shall obtain the voluntary, specific and informed consent as defined in POPIA (“Consent”) from you to process your PI.
  • Where we do not expressly seek your Consent, the processing of your PI may be done in terms of another legitimate ground, such as a legal obligation placed on us, to protect a legitimate interest that requires protection, done solely for permitted journalistic/literary expression, or be permitted under a Code of Conduct that we ascribe to.
  • We shall stop processing your PI as soon as the required Consent to do so is withdrawn by you or if a legitimate objection thereto is raised by you.
  • We shall collect PI directly from you, unless: the PI is of public record, you have consented to the collection of your PI from an Affiliate of the Organisation, the PI to be collected is necessary for the maintenance of law and order or national security, the PI is being collected to comply with a legal obligation, including an obligation to SARS, the PI collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated, or the PI is required to maintain our legitimate interests.
  • We shall retain records of your PI that we have collected for the minimum period as required by law unless you have given your Consent or instructed us to retain the records for a longer period.
  • We shall destroy or delete records of your PI (so as to de-identify your PI) as soon as reasonably possible after the time period for which we are entitled to hold the records, has expired or you withdraw your Consent.
  • We undertake to ensure that your PI which we collect and process is complete, accurate, not misleading and up to date.
  • Where relevant, we undertake to take special care with your bank account details and are not entitled to obtain or disclose or procure the disclosure of such banking details unless it has your specific Consent or is legally obliged to disclose it.

3. Your rights

  • In cases where your consent is required to process your PI, this Consent may be withdrawn by you (otherwise than where there is an existing obligation to process it, e.g. under a contractual relationship).
  • You are entitled to lodge a complaint regarding our application of POPIA to your PI with the Information Regulator (“IR”).
  • The prescribed forms for the exercise of these rights are attached to the 2018 regulations passed in terms of POPIA (“Regulations”) and can be obtained from our duly appointed Information Officer (“IO”).

4. Requests for PI records

  • On production of proof of identity, you are entitled to request that we confirm, free of charge, whether or not we hold any PI relating to you in our records.
  • If we indeed hold such PI, on request, and upon payment of a fee of R500,00 plus VAT, we shall provide you with the record, or a description of the PI, including information about the identity of all third parties or categories of third parties who have or have had access to the PI. We shall do this within a reasonable period of time, in a reasonable manner and in an understandable form.

5. Correction of PI

  • You are entitled to require us to correct or delete PI that we have, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
  • You are also entitled to require us to destroy or delete records of your PI that we are no longer authorised to retain.
  • Any such request must be made on the prescribed form (Form 2 of the Regulations), obtainable from our IO.
  • We undertake, upon receipt of such a lawful request, to comply as soon as reasonably practicable.
  • In the event that a dispute arises regarding your rights to have your PI corrected, and in the event that you so require, we shall attach to your PI, in a way that it will always be read with your PI, an indication that the correction of your PI has been requested but has not been made.
  • We shall notify you of the action that we have taken as a result of such a request.

6. Special PI

  • Special rules apply to the collection and use of PI relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
  • We shall not process any of your special PI as defined in POPIA (“Special PI”), without your Consent, or such processing is necessary for the establishment, exercise or defence of a right or an obligation in law.

7. The processing of PI of children

We may only process the PI of a child if we have the written consent of the child’s parent or legal guardian.

8. PI security breaches

Should it appear that your PI has been accessed or acquired by an unauthorised person, we shall as soon as reasonably possible, notify the IR and yourself, unless we are no longer able to identify you from the information in our possession.

9. Information officer

Should you have any questions or wish to lay any complaint with regard to the processing of your PI you may contact our IO.

10. Direct marketing

  • We may contact you from time to time to inform you of our additional services or products.
  • We may also provide you with newsletters and promotions as part of our value-added client experience.
  • We may share your PI with our Affiliates (subject to applicable law and our indicated marketing preferences) so that they may offer you their products and services.
  • You may at any time object to us processing your PI for marketing purposes. You can unsubscribe from direct marketing by following the steps set out in the direct marketing material you received or by contacting us.
  • All direct marketing communications will disclose our identity and contain an address or other contact details to which you may send a request that such communications cease.

11. Prescribed forms and details of the information regulator

12. Updates to this privacy statement

This privacy statement is dated as of 1 July 2021. We may update the privacy statement from time to time. Please check our website on a regular basis.


The ISS is committed to internet privacy and would like visitors to be well informed about the gathering and use of their information through these websites.

The following forms essential parts of the ISS’s privacy policy:

  • Monitoring of general trends in the use of the websites but no tracking of individual visitors
  • No collection of information concerning visitors unless that information is voluntarily disclosed, for example by signing up as a member, subscriber, participant or similar, or subscribing to updates from the website
  • No selling or renting of information voluntarily disclosed to the ISS nor sharing of it with any third parties
  • Individuals and partners will only be contacted by the ISS for purposes related to the work of the organisation
  • At any time, visitors signed up for specific services can cancel or modify their information
  • This privacy policy is incorporated into the websites’ terms of use. Any person that uses the websites or registers on the websites acknowledges that he or she has read and agrees to be bound by the terms and conditions of the terms of use and privacy policy. Any visitor that uses or accesses the websites agrees and consents to the collection of personal information in the manner outlined in this privacy policy.

1. Data collection

The websites collect two categories of information: 

  • General information: The websites automatically collect non-personally identifiable information using the websites’ cookies to monitor visitor usage patterns and information. The only information the websites collect from a normal visit is the IP address, domain name, browser and type of machine used, referring websites, downloaded files, requested pages and time and date of those requests using Google Analytics website tracking cookies (Google privacy policy).
  • Personal information: In order to access certain features, visitors may be asked to submit information such as their name and e-mail address. This information is only collected where provided on a voluntary basis through the completion of one of ISS’ forms by the visitor and is kept in databases and mailing lists. The mailing list is managed by Benchmark Email and is subject to the Benchmark Internet Group security and privacy policy as well as the Benchmark Internet Group anti-spam policy under the rules of the CAN-SPAM Act.

2. Use of information

The ISS analyses browsing patterns and usage trends of the websites’ visitors with the general information collected. The ISS periodically summarises and analyses these log files to learn how visitors use the content on the website. This information is used to allocate resources effectively and improve the content, organisation and performance of ISS websites. This process does not collect, store or use personally-identifying information such as name, address, telephone number or email address.

3. Use of cookies

A cookie is a small piece of information that a web server asks a visitor’s browser to store on the visitor’s local computer; later their browser presents this information to the webserver. In its simplest form, a cookie is an identifying number.

The ISS websites use cookies from Google Analytics for website usage tracking. All requests for pages are tagged with a unique numerical ID, and by analysing log files via Google Analytics, the ISS can determine how many unique visitors used the website, the navigation route and content viewed across websites.

The ISS does not know the identity of a person based on the numerical ID. The cookies used on the websites do not contain any personal information about visitors nor are they used to look up personal information about visitors, even if visitors have entered information about themselves in one of ISS’ registration forms.

Additional cookies may be used from time to time to, inter alia, monitor new visitors to the websites, promote specific content and create call to action campaigns.

4. Security

Any information provided to the ISS by visitors of the websites is handled with due care and security, and will not be used in ways other than as set forth in this policy, or in any site/area-specific policies, or in ways to which visitors have not explicitly consented.

The ISS employs a range of technologies and security measures to protect the information maintained on ISS systems from loss, misuse, unauthorised access or disclosure, alteration or destruction. When visitors submit sensitive information via the websites, such information is encrypted and protected with SSL encryption.

All ISS employees who have access to and are associated with the processing of personal data are obliged to respect the confidentiality of official business matters, including personal data.

5. Retention of personal information

The ISS will retain visitors’ personal information for the period necessary to fulfil the purposes outlined in this privacy policy unless a longer retention period is required or permitted by law.

6. Electronic mail

When a visitor sends the ISS personal identifying information via email (that is, in a message containing a question or a comment, or by filling out a form that emails the ISS this information), the ISS uses it to respond to visitors’ requests.

The ISS may forward visitors emails to other employees of the ISS (including affiliates or consultants) who are better able to answer visitors’ questions. The ISS does not retain or distribute lists of email addresses to any parties outside of the ISS (including partner organisations). The ISS does not distribute lists of e-mail addresses to any outside parties. Information collected via email will be retained at the ISS’ sole discretion in a directly readable form as long as necessary to complete the ISS’ response.

7. External links

The websites contain links to other websites that are not operated or maintained by the ISS and are not covered by this privacy policy. Visitors should be aware that the links on ISS’ websites are provided only for visitors’ convenience. The ISS has no control over, makes no promises or warranties of any kind with regards to, and has no responsibility or liability for, the content of any other websites or their privacy policies, their use of cookies, or the way they collect, save, store or use information. Visitors should review the privacy policy of each website they visit.

8. Agreement and notification of amendments

By using this website, a visitor signifies his/her agreement with the ISS’s privacy policy.

The ISS reserves the right, at its sole discretion, to change, modify, add or remove portions of this privacy policy at any time. Visitors continued use of these websites following changes to these terms means that visitors accept those changes.

9. Applicable law and venue of jurisdiction

This privacy policy shall be governed by and interpreted in accordance with the substantive laws of South Africa, under the exclusion of any international treaty and under the exclusion of any conflicts of laws principles. The place of jurisdiction shall be Pretoria.

10. Contact

For questions or concerns regarding the ISS’s privacy policy, please contact the ISS at [email protected].