
Privacy Policy

POPIA File Index

 

1. Information Officer/Deputy Information Officer appointment

2. PAIA Manual for your company/store

3. Training plan

4. Training Completed/Register

5. Social media privacy notices, disclaimers, and consent requests (websites, Facebook, WhatsApp)

6. Privacy Policy

7. Direct suppliers - Signed Information Security and Processing Agreement

8. POPIA-related CCTV disclaimer

9. Personal Information - Best practices per department

10. FAQ & Contact numbers




 











 

 










 

 

 



























 

 

 

 

 

 

 

 

 

 

 

 

1.   Information Officer appointment

 

The SPAR Group Ltd

Role and Responsibilities of the designated Information Officer in terms of the Promotion of Access to Information Act (2 of 2000) and the Protection of Personal Information Act (4 of 2013)

 

Background

The provisions of the Protection of Personal Information Act (4 of 2013), known as POPIA, will become mandatory by 30 June 2021, by which time SPAR has to demonstrate that it is compliant with the terms of the Act.

One of the first stipulations of the Act is that every company has to appoint an Information Officer. By default this is the CEO of the company; however, the CEO can appoint an appropriate employee to fulfil this role in the CEO’s stead. (Please refer to Appendix A for appropriate wording of this delegation of duty.)

 

Role of Information Officer

Under PAIA

The Information Officer is responsible for ensuring that the organisation complies with PAIA. An information officer of a responsible party (or body) must:

  • encourage and ensure compliance with PAIA in accordance with the body’s definition of compliance,
  • create, maintain/ update, and make available a PAIA manual for the company,
  • evaluate and approve requests for access to information received in terms of the grounds set out in PAIA, within the time constraint or any extended period.

Under POPIA and the regulations

The Information Officer is also the person responsible for ensuring that the organisation complies with the POPI Act, and is a key person in any project or programme. Under section 55 of POPIA, an information officer of a responsible party (or body) must:

  1. encourage compliance with conditions for the lawful processing of personal information,
  2. deal with requests made relevant to POPIA by the Information Regulator or data subjects,
  3. work with the Regulator in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body),
  4. otherwise ensure compliance by the body with the provisions of POPIA,
  5. develop, implement and monitor a compliance framework,
  6. ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
  7. develop internal measures and adequate systems to process requests for access to information,
  8. ensure that internal awareness sessions are conducted, and
  9. perform any other duty as may be prescribed by the Minister or the Information Regulator.

These responsibilities are set out in section 55 of POPIA and in the POPIA Regulations.

The Information Officer, or IO, is tasked with ensuring that any data held by the company, which is related to the definition of personal information, or special personal information, meets the following processing conditions:

1)    Accountability: the responsible party is responsible for complying with the conditions below:

1.1.  Processing limitation: personal information should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy;

1.2.  Purpose Specification: the purpose for which personal information is collected must be specific, explicitly defined and lawful;

1.3.  Further processing limitation: further processing must be compatible with the purpose for which personal information is collected;

1.4.  Information quality: the responsible party must take reasonably practical steps to ensure personal information is complete, accurate, not misleading and updated;

1.5.  Openness: the responsible party must notify the Regulator that it processes personal information where pre-approval is required, and advise the data subject of certain mandatory information in regard to such collection;

1.6.  Security safeguards: the integrity and confidentiality of the personal information must be secured; and

1.7.  Data subject participation: the data subject has certain access rights, including a request to delete their information, and be assured that this has happened.

 

Responsibility of Information Officer

The Information Officer must ensure that:

1.    A compliance framework is developed, implemented and monitored;

2.    Adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

3.    Preliminary assessments are conducted and recorded; Compliance framework.

4.     A manual for the purpose of the PAIA and POPIA is developed and published, including specific categories;

5.    The manual is made available on both the website and the office of the responsible party; We don’t have websites

6.    Internal measures are developed, together with adequate systems to process requests for information and access to such information;

7.    Awareness sessions are conducted regarding the provisions of POPI, regulations, codes of conduct, or information to be obtained from the Regulator; and

8.    The Information Officer or delegated authority can, upon request of any person, provide copies of the manual to that person upon receipt of a fee determined by the responsible party, which may not be charged at more than R3.50 per page.

 

Summary of documents required

Compliance Framework

PAIA/POPIA Manual

Personal Information Sharing Policy

Personal Information Impact Assessment This is the file

Legal references

 

| Section | Provision | Notes |
|---|---|---|
| Section 55(1) of the Protection of Personal Information Act (the Act) | Encourage compliance with the conditions for the lawful processing of personal information | |
| | Deal with requests made pursuant to the Act | Type of requests: Objection (form 1); Correction, deletion or destruction (form 2); Submit a complaint (Part 1 of Form 5) |
| | Work with the Regulator in relation to investigations conducted | |
| | Ensure compliance with the provisions of the Act | |
| Section 4 of the Regulations of the Act | A compliance framework is developed, implemented, monitored and maintained | |
| | A Personal Information Impact Assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information | |
| | A manual is developed, monitored, maintained and made available as prescribed in the Promotion of Access to Information Act | |
| | Internal measures are developed together with adequate systems to process requests for information or access thereto | |
| | Internal awareness sessions are conducted regarding the provisions of the Act | |

 

 

 


 

Appendix A: Appropriate wording for Delegation of Authority

 

[Letterhead or Company Name and details]

[Date]

 

Authorisation and Delegation of Authority

 

The Promotion of Access to Information Act, 2 of 2000 defines the “head” of a private body, inter alia as:

“(c) in the case of a juristic person – (i) the chief executive officer or equivalent officer of a juristic person or any person duly authorised by that officer”.

 

I hereby authorize and delegate to the [position of designated person], [name of designated person] as the “head” of the [company name], responsible for compliance with the Promotion of Access to Information Act only.

Such authorization and delegation may be further delegated to relevant staff in such department, subject to the authorization and control of the [position of designated person].

_________________________________

[CEO Name]

Chief Executive Officer

 

 

 

 

 

 

 

 

 

 

 

 

 

2.     PAIA Manual

 

[company logo]                                              PAIA MANUAL 2021

 

Contents

1. INTRODUCTION AND PURPOSE OF THIS DOCUMENT

2. BUSINESS OVERVIEW

3. INFORMATION REQUIRED UNDER SECTION 51(1) (a) OF THE ACT

4. DESCRIPTION OF GUIDE REFERRED TO IN SECTION 10

5. RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION

6. APPLICABLE LEGISLATION

7. RECORDS AUTOMATICALLY AVAILABLE

8. PURPOSE OF PROCESSING OF PERSONAL INFORMATION

9. DATA SUBJECT CATEGORIES AND THEIR PERSONAL INFORMATION

10. PLANNED RECIPIENTS OF PERSONAL INFORMATION (NON-EXHAUSTIVE LIST)

11. Planned Trans-border Flows of Personal Information

12. Security Measures To Protect Personal Information

13. DETAIL ON HOW TO MAKE A REQUEST FOR ACCESS

14. GROUNDS FOR REFUSING A REQUEST

15. AVAILABILITY OF THE MANUAL

16. ANNEXURE A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

INTRODUCTION AND PURPOSE OF THIS DOCUMENT

 

This manual grants access to records held by [insert company name and registration number], (“the Company”).

BUSINESS OVERVIEW

 

[Insert a brief overview of the nature of the business, including the various stores owned across the registered company (SaveMor, Build it, Tops at SPAR Liquors, Pharmacy at SPAR, where applicable); whether the company has been listed with the JSE stock exchange; any subsidiaries, joint ventures and associations which may exist; the primary business of the company; and any other information you wish to include].

 

Requests for Company information must be made to the designated Information Officer, as per the details below and in the form reflected in annexure “A”. All requests for Company information shall be considered in the light of the relevant sections in the Act.

 

INFORMATION REQUIRED UNDER SECTION 51(1) (a) OF THE ACT

[Please fill in all details below]

Designated Head of the Company:

Postal Address of the Company:

Street Address of the Company:

Telephone Number of the Company:

E-mail address of the Company:

Person delegated to deal with information requests (“the designated Information Officer”):

E-mail address of the Designated Head:

DESCRIPTION OF GUIDE REFERRED TO IN SECTION 10

 

A Guide has been compiled in terms of Section 10 of the Promotion of Access to Information Act 2 of 2002 (“PAIA”) by the South African Human Rights Commission (SAHRC). It contains information required by a person wishing to exercise any right contemplated by PAIA. It is available in all of the official languages.

 

The Guide is available for inspection, inter alia, at the office of the South African Human Rights Commission at Braampark Forum 3, 33 Hoofd Street, Braamfontein, Johannesburg, Gauteng and at www.sahrc.org.za.

 

For further information please contact the SAHRC:

Postal Address:                    Private Bag 2700, Houghton, 2041

Telephone Number:             +27-11-877 3600

Fax Number:                         +27-11-403 0625

Email:                                     mnyuswa@sahrc.org.za

 

RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION

 

Requesters may make requests for information that may be requested in accordance with applicable South African legislation, including:

 

  • Personal Records supplied by the employees;
  • Records provided by a third party relating to employees;
  • Conditions of employment and other personnel-related contractual and quasi legal records;
  • Internal pricing records and other internal records;
  • Correspondence related to personnel;
  • Training records and material;
  • Employment Equity Plans;
  • Media releases;
  • Records of executive, board and shareholder decisions taken and related information (limited circumstances); [retailers are encouraged to seek advice from the Central Office Legal Department if faced with such a request]
  • Documents of incorporation; and
  • Trademark information.

 

APPLICABLE LEGISLATION

 

Agricultural Products Standards Act 119 of 1990 Just need to know that clarity

Basic Conditions of Employment Act 75 of 1997

Broad Based Black Economic Empowerment Act 53 of 2003

Businesses Act 71 of 1991

Companies Act 61 of 1973

Compensation for Occupational Injuries and Diseases Act 130 of 1993

Competition Act 89 of 1998

Consumer Protection Act 68 of 2008

Customs & Excise Act 91 of 1964

Designs Act 195 of 1993

Electronic Communications and Transactions Act 25 of 2002

Employment Equity Act 55 of 1998

Foodstuffs, Cosmetics and Disinfectants Act 54 of 1972

Income Tax Act 58 of 1963

Insolvency Act 24 of 1936

Labour Relations Act 66 of 1995

Liquor Act 27 of 1989

Liquor Products Act 60 of 1989

Merchandise Marks Act 17 of 1941

National Credit Act 89 of 1991

Occupational Health and Safety Act 85 of 1993

Patents Act 57 of 1978

Promotion of Access to Information Act 2 of 2000

Protection of Personal Information Act 14 of 2013

Regulation of Interception of Communications Act 70 of 2002

Regulation of Interception of Communications and Provision of Communication-Related Information Amendment Act 48 of 2008

Pension Funds Act 24 of 1956

Skills Development Act 97 of 1998

Skills Development Levies Act 9 of 1999

Stamp Duties Act 77 of 1968 

Standards Act 29 of 1993

Unemployment Insurance Act 30 of 1966

Trademarks Act 194 of 1993

Value Added Tax Act 89 of 1991


 

RECORDS AUTOMATICALLY AVAILABLE

 

Some records are automatically available in terms of legislation and this includes records lodged in terms of Government requirements with various statutory bodies, including the Companies and Intellectual Property Commission.

 

PURPOSE OF PROCESSING OF PERSONAL INFORMATION

 

The company processes information for various purposes including but not limited to: employee administration, sales and marketing initiatives, customer care processes and communicating with customers directly.

DATA SUBJECT CATEGORIES AND THEIR PERSONAL INFORMATION

 

[as applicable to your business]:

Employees – personal information associated with the lifecycle of an employee;

Suppliers – personal information of suppliers including business particulars;

Customers – personal information of customers which are used for marketing initiatives;

General public – tracking general enquiries and web site visits; Only when personal information is involved.

Investors – records as maintained by the Company Secretary [if applicable]; and

Media – records of media interactions. Text-me


 

 

PLANNED RECIPIENTS OF PERSONAL INFORMATION (NON-EXHAUSTIVE list)

Statutory authorities – [examples include: the Consumer Goods Council, the Department of Labour, the UIF State Body, the South African Revenue Service];

Financial institutions – [examples include: FNB, Standard Bank, Old Mutual, Nedbank];

Medical schemes and service providers – [examples include: Tiger Brands Medical Scheme, Momentum Multiply];

Employee pension and provident funds – [examples include: Old Mutual]; and

Industry bodies – various.

 

Planned Trans-border Flows of Personal Information

 

Flows to service providers/operators in [insert any cross-border information flows if applicable]

Flows to subsidiaries and affiliates in [insert any cross-border information flows if applicable]

Flows through the use of social media.

Just put Not applicable

Security Measures To Protect Personal Information

 

The company understands the value of information and will take all reasonable steps to protect the information from loss, misuse, or unauthorised access.  

The company has a responsibility to:  

·           protect and manage information that it holds about its stakeholders;  

·           make use of electronic and computer safeguards, such as firewalls and data encryption, to secure stakeholders’ information;  

·           have physical and electronic access control to its premises; and  

·           only authorise access to information to those employees who require it to fulfil their designated responsibilities.  

 

The Company is committed to use appropriate technical and other security measures in line with acceptable industry standards, to safeguard stakeholders’ information.  

 

DETAIL ON HOW TO MAKE A REQUEST FOR ACCESS

 

The requester must complete Annexure A below and submit this form together with a request fee, to the designated Information Officer. The form must be submitted to the designated Information Officer of the Company at his/ her physical or electronic mail address, as stated earlier in this manual.

 

 

 

Form of request:

 

The requester must provide sufficient detail on the request form to enable the designated head to identify the record and the requester.

 

The requester should indicate which form of access is required.

 

The requester should indicate if any other manner is to be used to inform the requester and state the necessary particulars to be so informed [s 53(2)(a) and (b) and (c)] of PAIA.

 

The requester must identify the right that is sought to be exercised or to be protected and provide an explanation of why the requested record is required for the exercise or protection of that right [s 53(2)(d)] of PAIA.

 

If a request is made on behalf of another person, the requester must then submit proof of the capacity in which the requester is making the request to the satisfaction of the designated head of the private body [s 53(2)(f)] of PAIA.

 

A requester who seeks access to a record containing personal information about that requester is not required to pay the request fee.

 

Every other requester, who is not a personal requester, must pay the required request fee.

 

The designated head of the private body must notify the requester (other than a personal requester) by notice, requiring the requester to pay the prescribed fee (if any) before further processing the request [s 54(1)] of PAIA.

 

The fee that the requester must pay to a private body is currently R50,00. The requester may lodge an application to the court against the tender or payment of the request fees [s 54(3)(b)] of PAIA.

 

After the designated head of the private body has made a decision on the request, the requester must be notified in the required form.

 

If the request is granted then a further access fee must be paid for the search, reproduction, preparation and for any time that has exceeded the prescribed hours to search and prepare the record for disclosure [s 54(6)] of PAIA.

 

GROUNDS FOR REFUSING A REQUEST

 

The Company may refuse access to records on one or more of the grounds outlined in Chapter 4 of the Act pertaining to: “Grounds for Refusal of Access to Records”.

 

 

 

 

AVAILABILITY OF THE MANUAL

Copies of this manual are available for inspection at the designated Information Officer of the Company and copies can be made available free of charge. Copies are also available on the Company’s website at [insert company website URL]

 

Requests for information must be submitted in accordance with the prescribed format and must be accompanied by the prescribed fee as indicated herein.

 

 

_________________________________________________________

Signature of Designated Head of the Private Body

 

________________________________________________________

Name of Designated Head of the Private Body

 

(Note: each page should be initialled to complete the signing process).

 

Date of signature_________________________________________________________

 

Publication date of this manual: [insert date] Annually.

 

Next revision date of this document: [insert date] Annually.

 

The breakdown of fees for accessing records of private bodies is as follows:

The following is a breakdown of the fees structure for the purposes of determining the manner in which fees relating to a request for access to a record of a private body are to be calculated:

Regulation 187 published in the Government Gazette on the 15 February 2002:

 

| Description | Fee |
|---|---|
| Copy per A4 page | R1.10 |
| Printing per A4 page | 75 cents |
| Copy on a CD/memory stick (4 GB) | R70 |
| Transcription of visual images per A4 page | R40 |
| Copy of a visual image | R60 |
| Transcription of an audio recording per A4 page | R20 |
| Search and preparation of the record for disclosure | R30 per hour or part thereof, excluding the first hour, reasonably required for the search and preparation. |

 

The actual postage is payable when a copy of a record must be posted to a requester.


 

ANNEXURE A

 

PRESCRIBED FORMS

REQUEST FOR ACCESS TO RECORD OF PRIVATE BODY

(Section 53(1) of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000))

 

 

[Regulation 10]

 

 

 

A.  Particulars of private body: 

 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

 

B.  Particulars of person requesting access to the record: 

 

 

Full names and surname:  ………………………………………………………………………………

Identity number:         ………………………………………………………………………………

Postal address:          ………………………………………………………………………………

Fax number:              ………………………………………………………………………………

Telephone number:        ………………………………………………………………………………

Email address:           ………………………………………………………………………………

 

 

Capacity in which request is made, when made on behalf of another person: 

 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

 

C.  Particulars of person on whose behalf request is made: 

 

 

Full names and surname:  ………………………………………………………………………………

Identity number:         ………………………………………………………………………………

 

D.  Particulars of record: 

 

 

1.  Description of record or relevant part of the record: 

 

 

………………………………………………………………………………………………..

 

 

………………………………………………………………………………………………..

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

2.  Reference number if available: 

 

 

………………………………………………………………………………………………… 

 

………………………………………………………………………………………………… 

 

…………………………………………………………………………………………………

 

 

3.  Any further particulars of record: 

 

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

E.  Notice of decision regarding request for access 

 

 

a)  A request for access to a record, other than a record containing personal information about yourself, will be processed only after a request fee has been paid. 

b)  You will be notified of the amount required to be paid as the request fee. 

c)  The fee payable for access to a record depends on the form in which access is required and the reasonable time required to search for and prepare a record. 

d)  If you qualify for exemption from the payment of any fee, please state the reason for your exemption.

 

 

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

………………………………………………………………………………………………… 

 

 

3. Training Roll out Plan

POPIA Training Roll out

| Department | Name of Staff member in order of importance | Date of training planned | Signature of agreement |
|---|---|---|---|
| Management | | | |
| Admin Staff | | | |
| Front End Supervisors | | | |
| Cashiers | | | |
| Receiving Clerk | | | |
| Merchandizers | | | |
| Departments | | | |
| Cleaners | | | |

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

4. Training Record

POPIA Training Record

| Name of Staff member | Position | Date of training | Signature |
|---|---|---|---|
| | | | |