02.1: Personal Information Protection Policy
1. Contents
2. Purpose, Scope and Users
3. Reference documents
4. Definitions
4.1. Personal Information
4.2. Special Personal Information
4.3. Processing
4.4. Responsible Party
4.5. Operator
5. General Principles for Processing Personal Information
5.1. Purpose of the Guiding Principles
5.2. Scope
6. Compliance with Personal Information Protection Principles
6.1. General
6.2. Protection of Personal Information Act 2013 (“POPI”)
6.3. Consent Obligation
a. Consent Required
b. Provision of Consent
c. Withdrawal of Consent
6.4. Purpose Limitation Obligation
a. Limitation of Purpose
b. Notification of Purpose
6.5. Access and Correction Obligation
a. Access to Clients Personal Information
b. Correction of Clients Personal Information
6.6. Accuracy Obligation
6.7. Protection Obligation
6.8. Retention Limitation Obligation
6.9. Transfer Limitation Obligation
6.10. Complaints Handling Procedure
6.11. Compliance with this Policy
6.12. Information Officer (“IO”)
2.Purpose, Scope and Users
2.1. This Policy regulates the management of Personal Information of AMJ MOTORS (hereinafter the Organisation) and provides rules and procedures which apply to all departments and individuals within the Organisation, aimed at ensuring that Personal Information is processed and protected properly.
2.2. This Policy applies to the Processing of Personal Information by any department or individual within the Organisation.
2.3. "Organisation" refers to AMJ MOTORS and all wholly owned subsidiaries directly or indirectly controlled by it.
2.4. The users of this document are all staff members of the Organisation.
3.1. Protection of Personal Information Act, 2013
3.2. Promotion of Access to Information Act, 2000
The following definitions of terms used in this document are drawn from the Protection of Personal Information Act, 2013 (POPIA Act):
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to -
information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
information relating to the education or the medical, financial, criminal or employment history of the person;
any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
the biometric information of the person;
the personal opinions, views or preferences of the person;
correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
the views or opinions of another individual about the person; and
the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information.
4.2.Special Personal Information
“special personal information” includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of an information subject; or the criminal behaviour of an information subject.
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including -
the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure or destruction of information.
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. For the purpose of this Policy, the responsible party will be AMJ MOTORS.
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
5.General Principles for Processing Personal Information
We have summarized below the most important principles of personal information protection set out in the POPI Act. Any processing of personal information which is incompatible with any of the principles would be unlawful (unless an exemption or derogation applies).
5.1.Purpose of the Guiding Principles.
In order to provide guidance and recommendations in connection with processing the personal information (special or not) related to data subjects in the Organisation, it has been considered necessary to issue the following guiding principles.
This Policy applies to all personal and special personal information held by the Organisation in relation to data subjects of concern to the Organisation.
This Policy applies whether processing takes place within an Organisation office, between different Organisation offices in the same or more than one country, or whether personal information is transferred to third parties.
The Policy continues to apply even after persons are no longer of concern to the Organisation.
Compliance with this Policy is mandatory for all Organisation personnel.
6.Compliance with Personal Information Protection Principles
Our Information Officer will ensure that we process the personal information of our staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules as set out in the POPI Act.
Lawfulness, reasonableness and transparency
Personal information shall be processed lawfully, reasonably and in a transparent manner in relation to the data subject.
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Personal information may only be processed if -
the data subject or a competent person where the data subject is a child consents to the processing;
processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
processing complies with an obligation imposed by law on the responsible party;
processing protects a legitimate interest of the data subject;
processing is necessary for the proper performance of a public law duty by a public body; or
processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity in the Organisation.
The general rule is that personal information can be saved only for as long as is needed to fulfil the service that was agreed on. Once the service ends, the personal information must be destroyed, deleted or de-identified as soon as reasonably practicable after you are no longer authorised to retain the record.
Further processing limitation
Personal information can only be used for what was agreed on when it was provided. It cannot be used for anything else.
Personal information shall be complete, accurate, not misleading and updated where necessary. If it is discovered to be incorrect or misleading, it must be fixed or deleted immediately.
Whenever we collect personal information, we must take reasonably practicable steps to ensure that the data subject is aware of our section 18 Privacy Notification.
Personal information shall be processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In order to give effect to the previous paragraph, we take reasonable measures to -
identify all reasonably foreseeable internal and external risks to personal information in our possession or under our control – see 01.2_POPI Security Risk Assessment;
establish and maintain appropriate safeguards against the risks identified – see our POPIA Compliance Management Framework;
regularly verify that the safeguards are effectively implemented; and
ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
We have identified our contractors that function as Operators and will, by way of an agreement, make sure they -
process such information only with our knowledge or authorisation; and
treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Data subject participation
Data subjects have a right of access to their personal information. They can revoke their consent or demand that their personal information be updated. The data subject must be advised of the right to request the correction of information.
6.2.Protection of Personal Information Act 2013 (“POPI”)
Below, we provide guidance as to how we collect, use, disclose and retain clients’ personal information in accordance with POPI and how we administer this Policy.
The Organisation shall not collect, use or disclose clients’ personal information unless:
the client gives, or is deemed to give, consent to the collection, use or disclosure of their personal information; or
the collection, use or disclosure of the client’s personal information without the client’s consent is required or authorised under POPI or other written law.
b.Provision of Consent
The Organisation shall not, as a condition of providing a product or service to our clients, require them to consent to the collection, use or disclosure of their personal information beyond what is reasonable to provide the product or service to them.
The Organisation shall not obtain or attempt to obtain clients’ consent for collecting, using or disclosing personal information by providing false or misleading information with respect to the collection, use or disclosure of clients’ personal information, or use deceptive or misleading practices.
c.Withdrawal of Consent
On providing reasonable notice to the Organisation, clients may at any time withdraw any consent given, or deemed to be given, in respect of the Organisation’s collection, use or disclosure of their personal information for any purpose.
Clients may submit the withdrawal of consent via mail, email or by completing form 06.6_Withdrawal of Consent and submitting it to the Organisation’s Information Officer.
On receipt of such notice, the Organisation shall inform them of the likely consequences of withdrawing their consent.
Processing and updating a client’s request can take up to 30 days.
6.4.Purpose Limitation Obligation
a.Limitation of Purpose
The Organisation may collect, use or disclose clients’ personal information only for purposes:
that a reasonable person would consider appropriate in the circumstances; and
where the client has been informed, to the extent applicable.
b.Notification of Purpose
The Organisation shall provide clients with the following information whenever we seek to obtain their consent to the collection, use or disclosure of their personal information, except under circumstances where their consent is deemed or is not required – our section 18 Privacy Notification:
the purpose(s) for the collection, use or disclosure of their personal information, on or before collecting the client’s personal information;
any other purpose(s) for the use or disclosure of their personal information of which they have not been informed, before the use or disclosure of the client’s personal information for that purpose; and
on request by them, the contact details of the Organisation’s Information Officer (“IO”), who can answer clients’ questions about the collection, use or disclosure of their personal information.
6.5.Access and Correction Obligation
a.Access to Clients Personal Information
On a client’s request (completion of form 06.5_PAIA Form C Request for Access to Record of Private Body), and subject to the restrictions set forth in POPI, the Organisation shall, as soon as reasonably possible, provide them with:
their personal information that is in the Organisation’s possession or control; and
information about the ways in which their personal information has or may have been used or disclosed by the Organisation within a year before their request.
The Organisation may charge clients a minimum fee for access to their personal information to offset the administrative costs in complying with such requests.
b.Correction of Clients Personal Information
Clients may request the Organisation to correct an error or omission in their personal information that is under the Organisation’s control or possession by completing form 06.3_Request Correction Deletion Personal Information. Unless the Organisation is satisfied on reasonable grounds that a correction should not be made or the law states otherwise, the Organisation shall:
correct the client’s personal information as soon as practicable; and
send the client’s corrected personal information to every organisation to which the client’s personal information was disclosed by the Organisation within a year before the data correction was made, unless that other organisation does not need the corrected personal information for any legal or business purpose.
The Organisation is not required to correct or alter an opinion, including a professional or an expert opinion.
The Organisation shall make reasonable efforts to accurately record clients’ personal information as given by them or their representatives and make reasonable efforts to ensure that clients’ personal information is accurate and complete, if the personal information:
is likely to be used by the Organisation to make a decision that affects them; or
is likely to be disclosed by the Organisation to another organisation.
The Organisation shall protect personal information in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or any other similar risks.
6.8.Retention Limitation Obligation
The Organisation shall cease to retain documents containing clients’ personal information, or remove the means by which their personal information can be associated with them, as soon as it is reasonable to assume that:
the purpose for which the client’s personal information was collected is no longer being served by retention of their personal information; and
retention is no longer necessary for legal or business purposes.
6.9.Transfer Limitation Obligation
The Organisation shall not transfer clients’ personal information outside of South Africa except in accordance with the requirements of POPI.
6.10.Complaints Handling Procedure
Should a client be unhappy with our treatment of their personal information or believe there has been a breach of this Policy, they must please contact the Organisation’s Information Officer (details in clause 6.13 below) and clearly set out the nature of their concern.
Complaints may be initially made orally, or in writing. Where a complaint is made orally, a client must confirm the complaint in writing as soon as possible. If they require assistance in lodging a complaint, they must please contact our office.
A client’s complaint will be reviewed, and they will be provided with a written response within fourteen (14) working days.
6.11.Compliance with this Policy
The Organisation implements this Policy through the use of proper procedures and staff training to ensure compliance with this Policy.
We ensure that all our staff members and any representatives who deal with personal information are aware of the standards of this Policy.
The Organisation requires that all of its staff and representatives with access to personal information maintain confidentiality concerning that personal information. We implement that requirement through appropriate contractual terms and internal policies.
Our procedures for handling personal information are developed to implement the standards of this Policy. The Organisation trains its staff members in the proper conduct of those procedures that are relevant to their duties.
6.12.Information Officer (“IO”)
For further information about this Policy or to access our complaint handling procedure, please address correspondence to the Organisation’s Information Officer:
Name of Information Officer
Jamie Van Wyk-Joubert
303 Voortrekker Road, Goodwood, 7590