POPIA File Index

1. Information Officer / Deputy Information Officer appointment

2. PAIA Manual for your company/store

3. Training plan

4. Training completed / register

5. Social media privacy notices, disclaimers, and consent requests (websites, Facebook, WhatsApp)

6. Privacy Policy

7. Direct suppliers - signed Information Security and Processing Agreement

8. POPIA-related CCTV disclaimer

9. Personal Information - best practices per department

10. FAQ & contact numbers

1. Information Officer appointment

The SPAR Group Ltd

Role and Responsibilities of the designated Information Officer in terms of the Promotion of Access to Information Act (2 of 2000) and the Protection of Personal Information Act (4 of 2013)

 

Background

The provisions of the Protection of Personal Information Act (4 of 2013), known as POPIA, become mandatory on 30 June 2021, by which time SPAR must be able to demonstrate that it complies with the terms of the Act.

One of the first stipulations of the Act is that every company has to appoint an Information Officer. By default this is the CEO of the company; however, the CEO may appoint an appropriate employee to fulfil this role in the CEO’s stead. (Please refer to Appendix A for appropriate wording of this delegation of duty.)

 

Role of Information Officer

Under PAIA

The Information Officer is responsible for ensuring that the organisation complies with PAIA.

Under POPIA and the regulations

The Information Officer is also responsible for ensuring that the organisation complies with the POPI Act, and is a key person in any project or programme that processes personal information. Under section 55 of POPIA, an information officer of a responsible party (or body) must:

  1. encourage compliance with conditions for the lawful processing of personal information,
  2. deal with requests made relevant to POPIA by the Information Regulator or data subjects,
  3. work with the Regulator in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body),
  4. otherwise ensure compliance by the body with the provisions of POPIA,
  5. develop, implement and monitor a compliance framework,
  6. ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
  7. develop internal measures and adequate systems to process requests for access to information,
  8. ensure that internal awareness sessions are conducted, and
  9. perform any other duty as may be prescribed by the Minister or the Information Regulator.

These responsibilities are set out in section 55 of POPIA and in the POPIA Regulations.

The Information Officer, or IO, is tasked with ensuring that any data held by the company, which is related to the definition of personal information, or special personal information, meets the following processing conditions:

1)    Accountability: the responsible party is responsible for complying with the conditions below:

1.1.  Processing limitation: personal information should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy;

1.2.  Purpose Specification: the purpose for which personal information is collected must be specific, explicitly defined and lawful;

1.3.  Further processing limitation: further processing must be compatible with the purpose for which personal information is collected;

1.4.  Information quality: the responsible party must take reasonably practical steps to ensure personal information is complete, accurate, not misleading and updated;

1.5.  Openness: the responsible party must notify the Regulator that it processes personal information where pre-approval is required, and advise the data subject of certain mandatory information in regard to such collection;

1.6.  Security safeguards: the integrity and confidentiality of the personal information must be secured; and

1.7.  Data subject participation: the data subject has certain access rights, including a request to delete their information, and be assured that this has happened.

 

Responsibility of Information Officer

The Information Officer must ensure that:

1. A compliance framework is developed, implemented and monitored;

2. Adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

3. Preliminary assessments are conducted and recorded (compliance framework);

4. A manual for the purposes of PAIA and POPIA is developed and published, including specific categories;

5. The manual is made available both on the website and at the office of the responsible party [note: we don’t have websites];

6. Internal measures are developed, together with adequate systems to process requests for information and access to such information;

7. Awareness sessions are conducted regarding the provisions of POPI, the regulations, codes of conduct, or information to be obtained from the Regulator; and

8. The Information Officer or delegated authority can, upon request, provide copies of the manual to any person upon receipt of a fee determined by the responsible party, which may not exceed R3.50 per page.

 

Summary of documents required

Compliance Framework

PAIA/POPIA Manual

Personal Information Sharing Policy

Personal Information Impact Assessment (this file)

Legal references

 

Section 55(1) of the Protection of Personal Information Act (the Act):

·         Encourage compliance with the conditions for the lawful processing of personal information

·         Deal with requests made pursuant to the Act (types of requests: Objection (Form 1); Correction, deletion or destruction (Form 2); Submit a complaint (Part 1 of Form 5))

·         Work with the Regulator in relation to investigations conducted

·         Ensure compliance with the provisions of the Act

Section 4 of the Regulations of the Act:

·         A compliance framework is developed, implemented, monitored and maintained

·         A Personal Information Impact Assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information

·         A manual is developed, monitored, maintained and made available as prescribed in the Promotion of Access to Information Act

·         Internal measures are developed together with adequate systems to process requests for information or access thereto

·         Internal awareness sessions are conducted regarding the provisions of the Act

Appendix A: Appropriate wording for Delegation of Authority

 

[Letterhead or Company Name and details]

[Date]

 

Authorisation and Delegation of Authority

 

The Promotion of Access to Information Act, 2 of 2000 defines the “head” of a private body, inter alia as:

“ (c) in the case of a juristic person – (i) the chief executive officer or equivalent officer of a juristic person or any person duly authorised by that officer”.

 

I hereby authorize and delegate to the [position of designated person], [name of designated person] as the “head” of the [company name], responsible for compliance with the Promotion of Access to Information Act only.

Such authorization and delegation may be further delegated to relevant staff in such department, subject to the authorization and control of the [position of designated person].

_________________________________

[CEO Name]

Chief Executive Officer

2. PAIA Manual

[company logo]                                              PAIA MANUAL 2021

Contents

1       INTRODUCTION AND PURPOSE OF THIS DOCUMENT

2       BUSINESS OVERVIEW

3       INFORMATION REQUIRED UNDER SECTION 51(1)(a) OF THE ACT

4       DESCRIPTION OF GUIDE REFERRED TO IN SECTION 10

5       RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION

6       APPLICABLE LEGISLATION

7       RECORDS AUTOMATICALLY AVAILABLE

8       PURPOSE OF PROCESSING OF PERSONAL INFORMATION

9       DATA SUBJECT CATEGORIES AND THEIR PERSONAL INFORMATION

10      PLANNED RECIPIENTS OF PERSONAL INFORMATION (NON-EXHAUSTIVE LIST)

11      PLANNED TRANS-BORDER FLOWS OF PERSONAL INFORMATION

12      SECURITY MEASURES TO PROTECT PERSONAL INFORMATION

13      DETAIL ON HOW TO MAKE A REQUEST FOR ACCESS

14      GROUNDS FOR REFUSING A REQUEST

15      AVAILABILITY OF THE MANUAL

16      ANNEXURE A

INTRODUCTION AND PURPOSE OF THIS DOCUMENT

 

This manual grants access to records held by [insert company name and registration number], (“the Company”).

BUSINESS OVERVIEW

 

[Insert a brief overview of the nature of the business, including the various stores owned across the registered company (SaveMor, Build it, Tops at SPAR Liquors, Pharmacy at SPAR, where applicable); whether the company has been listed with the JSE stock exchange; any subsidiaries, joint ventures and associations which may exist; the primary business of the company; and any other information you wish to include].

 

Requests for Company information must be made to the designated Information Officer, as per the details below and in the form reflected in annexure “A”. All requests for Company information shall be considered in the light of the relevant sections in the Act.

 

INFORMATION REQUIRED UNDER SECTION 51(1) (a) OF THE ACT

[Please fill in all details below]

Designated Head of the Company:

Postal Address of the Company:

Street Address of the Company:

Telephone Number of the Company:

E-mail address of the Company:

Person delegated to deal with information requests (“the designated Information Officer”):

E-mail address of the Designated Head:

DESCRIPTION OF GUIDE REFERRED TO IN SECTION 10

 

A Guide has been compiled in terms of Section 10 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) by the South African Human Rights Commission (SAHRC). It contains the information required by a person wishing to exercise any right contemplated by PAIA. It is available in all of the official languages.

 

The Guide is available for inspection, inter alia, at the office of the South African Human Rights Commission at Braampark Forum 3, 33 Hoofd Street, Braamfontein, Johannesburg, Gauteng and at www.sahrc.org.za.

 

For further information please contact the SAHRC:

Postal Address:                    Private Bag 2700, Houghton, 2041

Telephone Number:             +27-11-877 3600

Fax Number:                         +27-11-403 0625

Email:                                     mnyuswa@sahrc.org.za

 

RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION

 

Requesters may request records that are available in accordance with applicable South African legislation, including the Acts listed below.

APPLICABLE LEGISLATION

Agricultural Products Standards Act 119 of 1990

Basic Condition of Employment Act 75 of 1997

Broad Based Black Economic Empowerment Act 53 Of 2003

Businesses Act 71 of 1991

Companies Act 61 of 1973

Compensation for Occupational Injuries and Diseases Act 130 of 1993

Competition Act 89 of 1998

Consumer Protection Act 68 of 2008

Customs & Excise Act 91 of 1964

Designs Act 195 of 1993

Electronic Communications and Transactions Act 25 of 2002

Employment Equity Act 55 of 1998

Foodstuffs, Cosmetics and Disinfectants Act 54 of 1972

Income Tax Act 58 of 1963

Insolvency Act 24 of 1936

Labour Relations Act 66 of 1995

Liquor Act 27 of 1989

Liquor Products Act 60 of 1989

Merchandise Marks Act 17 of 1941

National Credit Act 89 of 1991

Occupational Health and Safety Act 85 of 1993

Patents Act 57 of 1978

Promotion of Access to Information Act 2 of 2000

Protection of Personal Information Act 4 of 2013

Regulation of Interception of Communications Act 70 of 2002

Regulation of Interception of Communications and Provision of Communication-Related Information Amendment Act 48 of 2008

Pension Funds Act 24 of 1956

Skills Development Act 97 of 1998

Skills Development Levies Act 9 of 1999

Stamp Duties Act 77 of 1968 

Standards Act 29 of 1993

Unemployment Insurance Act 30 of 1966

Trademarks Act 194 of 1993

Value Added Tax Act 89 of 1991

RECORDS AUTOMATICALLY AVAILABLE

 

Some records are automatically available in terms of legislation and this includes records lodged in terms of Government requirements with various statutory bodies, including the Companies and Intellectual Property Commission.

 

PURPOSE OF PROCESSING OF PERSONAL INFORMATION

 

The company processes information for various purposes including but not limited to: employee administration, sales and marketing initiatives, customer care processes and communicating with customers directly.

DATA SUBJECT CATEGORIES AND THEIR PERSONAL INFORMATION

 

[as applicable to your business]:

Employees – personal information associated with the lifecycle of an employee;

Suppliers – personal information of suppliers including business particulars;

Customers – personal information of customers which are used for marketing initiatives;

General public – tracking general enquiries and web site visits [only where personal information is involved];

Investors – records as maintained by the Company Secretary [if applicable]; and

Media – records of media interactions.

PLANNED RECIPIENTS OF PERSONAL INFORMATION (NON-EXHAUSTIVE LIST)

Statutory authorities – [examples include: the Consumer Goods Council, the Department of Labour, the UIF State Body, the South African Revenue Service];

Financial institutions – [examples include: FNB, Standard Bank, Old Mutual, Nedbank];

Medical schemes and service providers – [examples include: Tiger Brands Medical Scheme, Momentum Multiply];

Employee pension and provident funds – [examples include: Old Mutual]; and

Industry bodies – various.

 

PLANNED TRANS-BORDER FLOWS OF PERSONAL INFORMATION

Flows to service providers/operators in [insert any cross-border information flows, if applicable];

Flows to subsidiaries and affiliates in [insert any cross-border information flows, if applicable];

Flows through the use of social media.

[If the store has no cross-border information flows, state “Not applicable”.]

SECURITY MEASURES TO PROTECT PERSONAL INFORMATION

 

The company understands the value of information and will take all reasonable steps to protect the information from loss, misuse, or unauthorised access.

The company has a responsibility to:

·           protect and manage information that it holds about its stakeholders;

·           make use of electronic and computer safeguards, such as firewalls and data encryption, to secure stakeholders’ information;

·           have physical and electronic access control to its premises; and

·           only authorise access to information for those employees who require it to fulfil their designated responsibilities.

The Company is committed to using appropriate technical and other security measures, in line with acceptable industry standards, to safeguard stakeholders’ information.

 

DETAIL ON HOW TO MAKE A REQUEST FOR ACCESS

 

The requester must complete Annexure A below and submit this form, together with the request fee, to the designated Information Officer. The form must be submitted to the designated Information Officer of the Company at his/her physical or electronic mail address, as stated earlier in this manual.

 

 

 

Form of request:

 

The requester must provide sufficient detail on the request form to enable the designated head to identify the record and the requester.

 

The requester should indicate which form of access is required.

 

The requester should indicate if any other manner is to be used to inform the requester, and state the necessary particulars to be so informed [s 53(2)(a), (b) and (c) of PAIA].

 

The requester must identify the right that is sought to be exercised or to be protected and provide an explanation of why the requested record is required for the exercise or protection of that right [s 53(2)(d)] of PAIA.

 

If a request is made on behalf of another person, the requester must then submit proof of the capacity in which the requester is making the request to the satisfaction of the designated head of the private body [s 53(2)(f)] of PAIA.

 

A requester who seeks access to a record containing personal information about that requester is not required to pay the request fee.

 

Every other requester, who is not a personal requester, must pay the required request fee.

 

The designated head of the private body must notify the requester (other than a personal requester) by notice, requiring the requester to pay the prescribed fee (if any) before further processing the request [s 54(1)] of PAIA.

 

The fee that the requester must pay to a private body is currently R50,00. The requester may lodge an application with the court against the tender or payment of the request fee [s 54(3)(b) of PAIA].

 

After the designated head of the private body has made a decision on the request, the requester must be notified in the required form.

 

If the request is granted then a further access fee must be paid for the search, reproduction, preparation and for any time that has exceeded the prescribed hours to search and prepare the record for disclosure [s 54(6)] of PAIA.

 

GROUNDS FOR REFUSING A REQUEST

 

The Company may refuse access to records on one or more of the grounds outlined in Chapter 4 of the Act pertaining to: “Grounds for Refusal of Access to Records”.

 

 

 

 

AVAILABILITY OF THE MANUAL

Copies of this manual are available for inspection at the office of the designated Information Officer of the Company, and copies can be made available free of charge. Copies are also available on the Company’s website at [insert company website URL].

 

Requests for information must be submitted in accordance with the prescribed format and must be accompanied by the prescribed fee as indicated herein.

 

 

_________________________________________________________

Signature of Designated Head of the Private Body

 

________________________________________________________

Name of Designated Head of the Private Body

 

(Note: each page should be initialled to complete the signing process).

 

Date of signature_________________________________________________________

 

Publication date of this manual: [insert date] (reviewed annually).

Next revision date of this document: [insert date] (reviewed annually).

 

The following is a breakdown of the fee structure for determining the manner in which fees relating to a request for access to a record of a private body are to be calculated (Regulation 187, published in the Government Gazette on 15 February 2002):

Copy per A4 page: R1.10

Printing per A4 page: 75 cents

Copy on a CD/memory stick (4 GB): R70

Transcription of visual images per A4 page: R40

Copy of a visual image: R60

Transcription of an audio recording per A4 page: R20

Search and preparation of the record for disclosure: R30 per hour or part thereof, excluding the first hour, reasonably required for the search and preparation.

The actual postage is payable when a copy of a record must be posted to a requester.


 

ANNEXURE A

 

PRESCRIBED FORMS

REQUEST FOR ACCESS TO RECORD OF PRIVATE BODY

(Section 53(1) of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000))

 

 

[Regulation 10]

 

 

 

A.  Particulars of private body: 

 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

 

B.  Particulars of person requesting access to the record: 

 

 

Full names and surname:  ………………………………………………………………………….

Identity number:                  ………………………………………………………………………….

Postal address:                   ………………………………………………………………………….

Fax number:                        ………………………………………………………………………….

Telephone number:             ………………………………………………………………………….

Email address:                     ………………………………………………………………………….

 

 

Capacity in which request is made, when made on behalf of another person: 

 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

……………………………………………………………………………………………………………… 

 

 

C.  Particulars of person on whose behalf request is made: 

 

 

Full names and surname:            ………………………………………………………………………….

Identity number:                           ………………………………………………………………………….

D.  Particulars of record:

 

 

1.  Description of record or relevant part of the record:

 

 

………………………………………………………………………………………………..

 

 

………………………………………………………………………………………………..

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

2.  Reference number if available: 

 

 

………………………………………………………………………………………………… 

 

………………………………………………………………………………………………… 

 

…………………………………………………………………………………………………

 

 

3.  Any further particulars of record:

 

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

…………………………………………………………………………………………………

 

 

E.  Notice of decision regarding request for access 

 

 

a)  A request for access to a record, other than a record containing personal information about yourself, will be processed only after a request fee has been paid. 

b)  You will be notified of the amount required to be paid as the request fee. 

c)  The fee payable for access to a record depends on the form in which access is required and the reasonable time required to search for and prepare a record.

d)  If you qualify for exemption from the payment of any fee, please state the reason for your exemption.

 

 

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

…………………………………………………………………………………………………

 

………………………………………………………………………………………………… 

 

 

3. Training Roll-out Plan

POPIA Training Roll-out

Department | Name of staff member (in order of importance) | Date of training planned | Signature of agreement

Management | | |

Admin Staff | | |

Front End Supervisors | | |

Cashiers | | |

Receiving Clerk | | |

Merchandisers | | |

Departments | | |

Cleaners | | |

4. Training Record

POPIA Training Record (one row per staff member trained)

Name of staff member | Position | Date of training | Signature

5. Social Media Privacy Notices, Disclaimers and Consent Requests

6. Privacy Policy

Personal Information Privacy Policy

Table of Contents

 

PRIVACY POLICY

INTRODUCTION

PURPOSE

SCOPE

NOTIFICATION TO DATA SUBJECT

COLLECTING INFORMATION

USE OF INFORMATION

SHARING OF INFORMATION

TRANSBORDER INFORMATION FLOWS

SAFEGUARDING OF INFORMATION

TRAINING OF INFORMATION USERS

ACCESS TO INFORMATION

ADMINISTRATION OF THIS POLICY

Policies and Procedures Acknowledgement Form

 

PRIVACY POLICY

 

INTRODUCTION

______________________________ (insert name of company), hereafter referred to as “the Company”, is committed to business practices in compliance with all relevant legislation, which includes the Protection of Personal Information Act 4 of 2013 (“the POPIA”), the Electronic Communications and Transactions Act 25 of 2002 (“the ECTA”), the Promotion of Access to Information Act 2 of 2000 (“the PAIA”) and the Consumer Protection Act 68 of 2008 (“the CPA”), particularly Section 11 of the CPA [1], for the purposes of this policy.

The Company respects the right to privacy and confidentiality and is committed to maintaining the privacy and security of its employees, customers, retailers, suppliers, agents, consultants and contractors, (“stakeholders”) information.

PURPOSE

This policy sets out the Company’s commitment, principles and practices to complying with the POPIA.

SCOPE

This policy applies to the processing of personal information by all employees employed by the Company, all business units of the Company and all stakeholders who interact with the Company, and it is fully binding on all stakeholders.

Employees, business units and stakeholders are expected to be familiar with, and to comply with this policy. Failure to do so by employees may result in disciplinary action.

The Company will ensure that all contracts with third parties will comply with the principles set out in this policy.

NOTIFICATION TO DATA SUBJECT

If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of:

·                the information being collected and, where the information is not collected from the data subject, the source from which it is collected;

·                the name and address of the responsible party;

·                the purpose for which the information is being collected;

·                whether the supply of the information by that data subject is voluntary or mandatory;

·                the consequences of failure to provide the information;

·                any particular law authorising or requiring the collection of the information;

·                the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation, and the level of protection afforded to the information by that third country or international organisation; and

·                any further information, such as the:

        ·       recipient or category of recipients of the information;

        ·       nature or category of the information;

        ·       existence of the right of access to and the right to rectify the information collected;

        ·       existence of the right to object to the processing of personal information as referred to in section 11(3); and

        ·       right to lodge a complaint with the Information Regulator and the contact details of the Information Regulator,

        which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

The steps referred to above must be taken:

·                if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to above; or

·                in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

A responsible party that has previously taken the steps referred to above complies with them in relation to the subsequent collection from the data subject of the same information, or information of the same kind, if the purpose of collection of the information remains the same.

It is not necessary for a responsible party to comply with the above if:

·                the data subject, or a competent person where the data subject is a child, has provided consent for the non-compliance;

·                non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of the Act;

·                non-compliance is necessary:

        ·       to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

        ·       to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

        ·       for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

        ·       in the interests of national security;

·                compliance would prejudice a lawful purpose of the collection;

·                compliance is not reasonably practicable in the circumstances of the particular case; or

·                the information will:

        ·       not be used in a form in which the data subject may be identified; or

        ·       be used for historical, statistical or research purposes.

 


 

CONSENT

The supply of information to the Company by any of its stakeholders is at the stakeholders’ discretion. By supplying the Company with any information, stakeholders are accepting the principles, practices and terms contained in this policy.

The Company will not process stakeholders’ information without obtaining stakeholders’ consent, a record of which will have to be maintained. In respect of all marketing activities relating to the Company’s services and/or products, consent to collect or use information will be obtained. Consumers will be given an option to opt-in or opt-out of any electronic communication.

In respect of other activities, consent to collect or use will be obtained via acknowledgement by the stakeholder concerned that the Company is collecting his or her personal information.

This acknowledgement will be contained in all documents or processes where personal information is collected, including telephonic recordings and any contracts concluded with the Company; alternatively, the stakeholder will be specifically requested to sign an acknowledgement of the collection of personal information.

If information is collected through a third party, the third party will be required to sign a declaration that they comply with the POPIA requirements.

It is to be noted that the Company:

·       has different business units which process and share stakeholder information internally and will share information relating to that stakeholder internally in instances where required; and

·       is obliged to disclose certain categories of information relating to regulatory and legal purposes.

COLLECTING INFORMATION

The type of information collected varies. Information includes any personal information as defined in the POPIA, but is not limited to details such as name, age, ID numbers, registration numbers, addresses and other contact details, liabilities, income and payments records, financial information and banking details such as account numbers, and biometric details such as fingerprints.

Stakeholders’ information in general refers to information submitted to the Company through:

·       recruitment;

·       its website that identifies or relates to an online visitor or customer, whether they are an individual or a business;

·       its customer care line;

·       competitions;

·       marketing activities; (it is to be noted that for purposes of marketing campaigns, that further processing of personal information will be compatible with the original purpose of collection);

·       security measures, such as image recording from video surveillance systems (if any) placed on premises belonging to the Company, including access control devices;

·       agreements and/or contracts concluded with the Company;

·       third party sources, where allowed to do so in law;

·       emails;

·       social media;

·       registers; and

·       other communications sources.

USE OF INFORMATION

The Company uses information to identify its stakeholders. Stakeholders’ information is necessary to enable the Company to:

·       make contact, if and when required, to promote its services and/or products or in relation to a customer care query;

·       perform its duties in pursuance of any contract;

·       comply with any regulatory or other business obligation;

·       carry out market research, business and statistical analysis;

·       carry out any other reasonable business operations; and

·       employment of personnel.

Information may also be used for other purposes for which permission is given, or if required to by law, or if it is of public interest to disclose such information.

The Company undertakes to only process information that is required and relevant for the purposes set out above, and to ensure that further processing of personal information will only be in accordance, or compatible, with the purpose for which it was collected.

The Company will not intentionally collect information about children and will only process information about children with the consent of a parent or guardian, or if otherwise required to do so by law.

The Company does not intend to process any ‘special personal information’ as defined in the POPIA, which includes for example political, religious or health-related information, and will only process special personal information with the stakeholder’s consent, or if otherwise allowed to do so in law.

Stakeholders may on reasonable grounds object to the processing of their information, after which the Company undertakes not to continue processing it, except when required to do so by law.

Information will be retained as long as necessary for the purpose for which it was collected, and in line with the Company’s Record Retention Policy (drafted in line with regulations governing the duration information should be kept).

SHARING OF INFORMATION

The Company will only share information with third parties with a stakeholder’s consent or if otherwise required to do so by law.

The Company has trusted relationships with selected third parties who perform services on its behalf. All service providers are bound by contract, and special data protection agreements, to maintain the security of the Company’s stakeholders’ information and to use it only as permitted by the Company.

TRANSBORDER INFORMATION FLOWS

Any transfers of personal information outside the Republic of South Africa MUST comply fully with Section 72 of POPIA, having taken all defined requirements into consideration.

The third party who is the recipient of the data MUST sign and acknowledge the Company’s POPIA Information Processing and Security Agreement.

SAFEGUARDING OF INFORMATION

The Company understands the value of information and will take all reasonable steps to protect the information from loss, misuse, or unauthorised access.

The Company’s responsibility is to:

·       protect and manage information that it holds about its stakeholders;

·       make use of electronic and computer safeguards, such as firewalls and data encryption, to secure stakeholders’ information;

·       have physical and electronic access control to its premises; and

·       only authorise access to information to those employees who require it to fulfil their designated responsibilities.

The Company is committed to use appropriate technical and other security measures in line with acceptable industry standards to safeguard stakeholders’ information.

Stakeholders can also help maintain the security of information by becoming familiar with the POPIA and implementing their own security measures and procedures.

TRAINING OF INFORMATION USERS

Training is an important aspect in your POPIA compliance journey. The likelihood of complying with the requirements of POPIA is very slim if the individuals in the organisation do not understand the legislation and the role they need to fulfil to ensure that the purpose of POPIA is carried out appropriately.

To this end, it is a requirement that the POPIA Training be undertaken by all staff annually.

ACCESS TO INFORMATION

Stakeholders have the right to access information, including certain personal information held by the Company. Requests for information must be made to the Information Officer:

Name:

Physical Address:

Email:   

Tel:

Fax:

Access to information in terms of the PAIA must be obtained in accordance with the Access to Information Manual, which is available on ______________________ (website).

A stakeholder, having provided adequate proof of identity, has the right to –

·       request the Information Officer to confirm, whether, or not, the Company holds personal information about the stakeholder; and

·       request from the Company the record or a description of the personal information about the stakeholder held by the Company, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.

A stakeholder may, in the prescribed manner, request the Company to —

·       correct or delete personal information about the stakeholder in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

·        destroy or delete a record of personal information about the stakeholder that the Company is no longer authorised to retain in terms of the POPIA.

ADMINISTRATION OF THIS POLICY

The custodian of this policy is the Information Officer, who will be responsible for the administration, revision, interpretation and application of this policy, which will be reviewed annually, or as and when required.

Any alteration of this policy is subject to approval by __________________________ (insert name(s) of suitable authorities e.g. owner or partners)

Appendix A                                    Privacy Policy       

Policies and Procedures Acknowledgement Form

 

 

I certify, by signing below, that I have read and understand all policies and procedures contained in the Company’s Privacy Policy.

 

Also, by signing below, I agree to abide by the aforementioned policy and procedures having known and understood the consequences outlined within this document.

 

Please print.

 

Name:       ______________________________Date: ________________________________

 

 

Title:         ________________________________________

 

 

Signature:  ________________________________________

7. Information security agreement

 

[COMPANY LOGO]                       Information Security Agreement

 

INFORMATION SECURITY AND PROCESSING AGREEMENTS

Company Name: ______________________

Completion Instructions

For the purposes of this document, the original provider of data to the Third Party Service Provider,

Company Name: ____________________________________________________________

Company Registration Number: ________________________________________________

Domiciled at: _______________________________________________________________

will hereinafter be referred to as ‘the Company’, with the Company Address being the one listed above.

 

Actions for the Company

The Company is required to obtain confirmation that any personal information which it provides to a Third-Party Service Provider (TPSP) will be maintained securely and will not be used for any other reason, in accordance with the Protection of Personal Information Act (4 of 2013, known as POPIA). In terms of this, the Company must send a copy of this document to each service provider who has access to the personal information and data in the possession of the Company.

Actions for Business Partner

The Business Partner is required to accept the terms of this agreement by printing and then signing this agreement where applicable, as well as having all signatories initial each page of the agreement. Once completed, the Agreement must be returned to the requester at the Company for further processing.

Once signed by the Company Chief Executive Officer, a copy of the agreement must be provided to the Business Partner.

APPLICABILITY

Organisations utilising a “Third-Party Service Provider” to process Personal Information are subject to complying with Sections 20 and 21 of the Protection of Personal Information Act (“PoPIA”), detailed in Appendix A. Section 21(1) requires the Company to enter into a written agreement with a TPSP which processes personal information for or on behalf of the Company, in order to ensure that such TPSP establishes and maintains the security measures required by PoPIA. 

NOTE: A Third-Party Service Provider (“TPSP”) is a service provider which processes personal information for or on behalf of the Company. The provisions below are required in order for the Company to comply with the provisions of PoPIA.

INFORMATION PROCESSING AGREEMENT:

This Processing Agreement (“Agreement”) is made as of the ____day of _____, 20___ (“Effective Date”) by and between the Company and ________________________________ (the “Third-Party Service Provider” / “TPSP”);

Whereas the Company is required to adhere to the provisions of PoPIA.

Whereas the TPSP collects, transmits, stores or otherwise processes the Company’s Personal Information; and

Whereas the TPSP controls, or could impact the security and/or confidentiality of the Company’s Personal Information in the performance of the services provided to the Company.

For purposes of this Agreement, the following terms have been defined:

i)            “Main Agreement” means the agreement entered into between the Company and the TPSP in terms of which the TPSP provides products and/or services to the Company.

ii)           “PoPIA” means Protection of Personal Information Act, No. 4 of 2013, as amended.

iii)          “Security Incident” means any actual or potential accidental or unauthorised access, destruction, loss, alteration, disclosure or any other unlawful forms of processing of the Company Personal Information;

iv)           “the Company” means _________________________________________(full company name), with registration number ______________________ (company registration number) incorporated in accordance with the applicable laws of the Republic of South Africa.

v)           “the Company Personal Information” means any Personal Information which (i) is provided or made available to the TPSP by the Company; (ii) comes into the possession, or under the control of, the TPSP during the course or arising out of the Main Agreement and/or (iii) the TPSP is required to process for the purposes of performing its obligations under the Main Agreement.

The terms "Data Subject", "Personal Information", "Processing" and "Regulator" shall have the same meaning as in the PoPIA, and their cognate terms shall be construed accordingly.

It is hereby agreed that:

1)    The TPSP will process Company Personal Information solely for the purposes and to the extent described in the Main Agreement or on the specific written instructions of the Company.

2)    In performing its obligations under the Main Agreement, the TPSP will comply with PoPIA and not cause the Company to breach any obligation under PoPIA.

3)    The TPSP will:

a.     treat Company Personal Information as confidential and shall not share, transfer, disclose or otherwise provide access to the Company Personal Information to any third party;

b.     limit access to Company Personal Information only to those employees to whom access is necessary to perform their role in the performance of the Main Agreement and then only on a need-to-know basis, and will ensure that such employees:

                                   i.    are subject to confidentiality obligations;

                                  ii.    comply with this Agreement;

                                 iii.    are appropriately reliable, qualified and trained in relation to their Processing of Company Personal Information.

4)    The TPSP will not engage or use any third party for the Processing of Company Personal Information or permit any third party to process Company Personal Information without the prior written consent of the Company.

5)    If the TPSP subcontracts any of its obligations under the Main Agreement or otherwise appoints a third party to process Company Personal Information (“Subcontractor”), the TPSP will ensure that, prior to the processing taking place, there is a written contract in place between the TPSP and the Subcontractor that imposes on the Subcontractor the same terms as those imposed on the TPSP in this Agreement. The TPSP will procure that the Subcontractor will perform all obligations set out in this Agreement and the TPSP will remain responsible and liable to the Company for all acts and omissions of Subcontractor as if they were its own.

6)    The TPSP shall not cause or permit any Company Personal Information to be transferred outside the Republic of South Africa without the prior written consent of the Company.

7)    The TPSP acknowledges and agrees that the TPSP is responsible for the security and/or confidentiality of Company Personal Information that it stores, processes, or transmits on behalf of the Company, or to the extent that it could impact the security and/or confidentiality of the Company’s personal information data environment.

8)    The TPSP warrants that it will secure the integrity and confidentiality of Company Personal Information by taking appropriate, reasonable technical and organisational measures to prevent:

a.     loss of, or damage to, or unauthorised destruction of the Company Personal Information; and

b.     unlawful access to, or Processing of, the Company Personal Information.

9)    In order to give effect to the above, the TPSP will take reasonable measures to:

a.     identify all reasonably foreseeable internal and external risks to Company Personal Information;

b.     establish and maintain appropriate safeguards against the risks identified;

c.     regularly verify that the safeguards are effectively implemented, including conducting security assessments consistent with best industry practice; and

d.     ensure that the safeguards are continually updated in respect of new risks or deficiencies in previously implemented safeguards,

and shall notify the Company of the risks identified and the safeguards established and implemented from time to time.

10)  The TPSP will comply with:

a.     generally accepted information security practices and processes;

b.     best industry practices or, where applicable, professional rules and regulations; and

c.     the Company’s security practices and requirements as the Company may notify the TPSP, from time to time.

11)  Upon the Company’s request, the TPSP will:

a.     promptly provide the Company with all information necessary to demonstrate compliance with the obligations set out in this Agreement;

b.     allow for and contribute to audits, including without limitation inspections, conducted by the Company or other person mandated by the Company; and

c.     take measures to address Security Incidents, including without limitation, where appropriate, measures to mitigate their possible adverse effects.

12)  The TPSP shall immediately notify the Company in writing, on:

a.     becoming aware, or if there are reasonable grounds to believe, that a Security Incident has occurred or is likely to occur, including (i) the nature of the Security Incident; (ii) the approximate number and categories of Data Subjects; (iii) the likely consequences of the Security Incident; (iv) any measure proposed to be taken to address the Security Incident and to mitigate its possible adverse effects; and (v) any other relevant information;

b.     receipt of any request for access to or correction of Company Personal Information or complaints from a Data Subject and provide the Company with full details of such request or complaint (as the case may be); and

c.     receipt of any request for disclosure of Company Personal Information or any other notice or communication which relates to the Processing of the Company Personal Information from the Regulator or any other competent authority.

13)  The TPSP shall provide the Company with a detailed list of the PoPIA requirements it is responsible for, as well as the requirements where responsibility is shared between it and the Company.

14)  In the event that the Company determines, at its sole discretion, that the TPSP has committed a material breach of this Agreement and/or PoPIA, the Company may either:

a.     offer the TPSP an opportunity to remedy the breach, provided that the Company may immediately terminate this Agreement if the TPSP fails to remedy the breach within the time frame specified by the Company; or

b.     immediately terminate this Agreement, if the TPSP has breached a material term of this Agreement and the Company determines in its sole discretion that the material breach is not capable of being remedied.

15)  The TPSP shall, at the option of the Company, securely delete or return to the Company or transfer to any replacement service provider (in the format required by the Company) all the Company Personal Information promptly upon the termination (for any reason) of the Main Agreement or at any time upon request, and securely delete any remaining copies. Upon the Company’s request, the TPSP shall certify to the Company that all the Company Personal Information in its (including its subcontractors’) possession or control has been returned or destroyed. Any right that the TPSP has to process the Company Personal Information will terminate immediately upon the termination of the Main Agreement.

16)  The TPSP agrees to indemnify, defend, and hold harmless the Company, and its directors, officers, employees and agents, against any and all losses, liabilities, damages, claims, fines, penalties, costs and expenses (including legal fees) arising out of or in connection with a breach by the TPSP (or any of its employees or subcontractors) of this Agreement, non-compliance with PoPIA and/or any unauthorised access, disclosure, or use of any Company Personal Information in the possession or under the control of the TPSP.

17)  If any provision of this Agreement is held invalid, illegal or unenforceable for any reason such provision shall be severed and the remainder of the provisions of this Agreement shall continue in full force and effect as if this Agreement had been executed with the invalid, illegal or unenforceable provision eliminated.

18)  This Agreement may only be amended, or any rights under it waived, by a written agreement executed by the TPSP and the Company.

19)  Any failure of a party to exercise or enforce any of its rights under this Agreement will not act as a waiver of such rights.

20)  The Agreement shall be binding upon, and shall inure to the benefit of, the parties and their respective successors and permitted assigns.

21)  The TPSP acknowledges that the term of this Agreement shall commence on the Effective Date hereof and continue so long as the TPSP provides services and/or supplies goods under the Main Agreement or until terminated as provided for in this Agreement, whichever occurs first in time.

22)  All notices to be given in terms of this Agreement shall be given in writing and shall be addressed and delivered as follows:

 

a)    In the case of the Company: by hand delivery to the Company at its nominated address, marked for the attention of the Chief Information Officer;

b)    In the case of TPSP: either by hand delivery to ____________________________or by email to __________________________________________.

c)     A party shall be entitled to change its address by giving not less than seven (7) days’ written notice thereof to the other party.

 

23)  Termination of this Agreement will not affect the provisions, which are intended to continue to have effect and apply after termination.

24)  In the event and to the extent only of any conflict of provisions between this Agreement and the Main Agreement, the more stringent obligations on the TPSP will prevail.

25)  If there is any unresolved dispute between the parties arising out of or in connection with this Agreement, including its existence, application, breach, interpretation, validity, termination or cancellation, the parties agree first to attempt to resolve the dispute informally by negotiation, and as far as possible avoid any formal dispute resolution process. Any attempt to resolve the dispute informally shall last no longer than 7 (seven) days, commencing on the date that the dispute is first declared by formal written notice delivered by either party to the other. If the dispute is not so resolved, it shall be submitted to and decided by arbitration in terms of the Arbitration Act, 42 of 1965, subject to the following provisions:

 

a)    The arbitration tribunal shall consist of one arbitrator.

b)    The arbitrator shall be a retired judge or a practising attorney or advocate of not less than 15 (fifteen) years' standing, and in the absence of agreement being reached in regard to the identity of the arbitrator within 7 (seven) days of the conclusion of the 7 (seven) day time period referred to in clause 25, the arbitrator shall be appointed by the chairman of the ________________________[PROVINCE] Society of Advocates, or its successor organisation.

c)     The arbitration proceedings shall be conducted in accordance with the Uniform Rules of the High Court in force at the time, save that the arbitrator shall be entitled to reduce any timeframe provided for in the Uniform Rules so as to facilitate adherence to the provisions of clause (f) below.

d)    The arbitration shall be held in __________________________ [relevant jurisdiction] and the language of the arbitration shall be __________________________ [preferred language].

e)    The arbitrator’s decision shall be binding and shall not be appealable. Any party may however apply to any court having competent jurisdiction to have the decision made an order of court.

f)     The parties shall endeavour to ensure that the arbitration is completed within 90 (ninety) days after the arbitrator has been appointed and provides written notification of acceptance of the appointment.

g)    The decision of the arbitrator shall be in writing and the arbitrator shall give reasons for his award.

h)    The proceedings and decision shall be confidential to the parties and their advisers.

i)      This arbitration clause shall not preclude either party from seeking urgent interdictory relief in a court of appropriate jurisdiction, where grounds for urgency exist.

j)     In the event of either party having a claim against the other for a liquidated amount or an amount which arises from a liquid document, then the claiming party shall be entitled (but not obliged) to institute action in a court of law rather than in terms of clause 26, notwithstanding that the other party may dispute such a claim.

 

For [INSERT TPSP NAME]:                                             For the Company:

_________________________________             ________________________________

Name                                                                            Name

 

_________________________________             ________________________________

Signature                                                                       Signature

 

Title: ____________________________                          Title: ___________________________

 

Date: ___________________________                           Date: ___________________________                                      

 

WITNESSES                                                                   WITNESSES

1)_________________________________                      1)________________________________

Name:                                                                          Name:

Title:                                                                             Title:

Date:                                                                            Date:                           

 

2)_________________________________                      2)________________________________

Name:                                                                          Name:

Title:                                                                             Title:

Date:                                                                            Date:                                                   

 

APPENDIX A

 

RELEVANT SECTIONS OF PROTECTION OF PERSONAL INFORMATION ACT,

ACT 4 OF 2013

 

 

CHAPTER 3

CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

 

 

Information processed by operator or person acting under authority

20. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

a)     process such information only with the knowledge or authorisation of the responsible party; and

b)    treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

 

Security measures regarding information processed by operator

21. (1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

8. POPIA CCTV disclaimer

 

A disclaimer must be visibly displayed to inform customers that the store makes use of CCTV.

 

See disclaimer below:

“These premises, [insert address], being the head office of the [company name] are monitored using CCTV video surveillance systems. We will use this footage for security purposes and for those purposes only. In compliance with the Protection of Personal Information Act 4 of 2013, we will not share or distribute this footage with any third parties unless required to do so by law. We will retain this footage for a period of [enter in retention period] and securely dispose of it thereafter. By entering these premises, you indicate your understanding of, and duly consent to, these terms. If you are unhappy with the manner in which this footage is used, you have the right to contact the Information Regulator with your complaints or concerns at complaints.IR@justice.gov.za.”

9. Destruction of Personal Information

 

The Protection of Personal Information Act (4 of 2013) - POPIA

Best Practices for Store Employees

 

Introduction

The Protection of Personal Information Act was brought into law in 2013, but is effective from 1 July 2021. This means that, by 1 July, every company in South Africa needs to show they are obeying this law, and that their staff members understand their role in keeping to the terms of this law.

What is Personal Information?

Personal information relates to everything that provides any information about a person or a company. So for example, it will relate to a person’s name, ID number, phone number, date of birth etc. It could also be related to how many children they have, their medical history and how much money they earn or save – basically anything that is specific to that person.

Customers have personal information too – their phone numbers, ID numbers, credit card numbers and similar. Customers may give us this information, but we have a responsibility to make sure we don’t pass it on to anyone else, both by not passing it on ourselves and by doing our best to stop anyone else from taking it illegally.

The government has defined companies as also having personal information. So although companies may have websites where their phone numbers or addresses are available, the public generally doesn’t know facts about the company like its financial status, who it banks with, or similar.

So anything that is not publicly available is deemed to be personal information, and should be protected.

How should it be protected?

Generally, personal information should be kept as private as your PIN code. If you know information about anyone else that may be confidential, by law you are not allowed to share this information without that person’s consent. If you have saved it somewhere, you are responsible for taking all steps necessary to prevent it being stolen. So, for example, if you have other people’s contact details on your cellphone, you must keep your cellphone safe at all times and not leave it lying around where others could access it and find their numbers.

All Store Employees

DO

·      Remind others that they shouldn’t be sharing other people’s information, if you see/ hear them doing this;

·      Take care when handling documents of your own and other people, to ensure they aren’t left lying around where others can see them. If you need to bring documents to work, then please lock them in your locker or hand them to a manager for safekeeping;

·      Hand in anything a customer might have dropped, or left behind, to your Manager. They will keep the item for 7 days before destroying it;

·      Always respect other people’s privacy and confidentiality.

 

DON’T

·      Leave information relating to customers, colleagues, friends or family lying around anywhere

·      Share personal information with other people

·      Gossip about other people, whether they have had COVID-19 etc – this is illegal if the person hasn’t given permission!

·      Give your details or anyone else’s details away without making SURE the person really needs the information.

·      Discuss the people in the store, or the business of the store, with anyone outside the company, as the company also has ‘Personal Information’ that needs to be protected.

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

Cashiers

DO

·      Respect customers’ details when they give them to you (for example cellphone numbers for Rewards etc.) and keep them confidential.

·      Hand anything that a customer leaves behind, that may contain personal information, to a manager for safekeeping.

·      Ensure all customer data is kept securely during the day, if you process returns, and locked away every night.

 

DON’T

·      Discuss any details relating to customers that include personal information, such as how much money they have, whether they look unwell, etc.

·      Leave credit card slips where somebody can get access to them.

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

GRV Clerks

DO

·      File all documents, such as GRV vouchers and invoices, in the right place as soon as you receive them, and ensure these are securely locked in a cupboard or filing cabinet when you are not at your workspace.

·      Store as much as you can electronically, and ensure those electronic records are also kept securely.

 

DON’T

·      Leave any documents lying around where suppliers or merchandisers from other companies could see them;

·      Leave your screen unlocked when you leave the room while working on delivery notes, GRVs or similar.

 

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

Security

DO

·      Ensure that any documents or records which are filled in by staff or store visitors are filed appropriately and locked away securely at the end of each day. Items which need to be downloaded and stored (such as photographs of drivers’ licences and vehicle licence discs) must be moved to secure storage and then deleted from the device that captured them as soon as possible.

·      Destroy any documents which are no longer needed (for example, temperature records relating to COVID-19 checks should only be kept for a maximum of 4 weeks).

·      Destroy any documents containing Personal Information by shredding them, or tearing them into small pieces, before they are thrown away.

·      Only use CCTV for security purposes, and make sure all copies of footage are secured in a locked cupboard or filing cabinet. If footage needs to be viewed, only security and store management may view it, and only for a specific reason such as shoplifting or theft.

 

DON’T

·      Ask for any more information than you actually need in order to allow a person to enter the premises.

·      Provide information to anyone who is not authorized to see it. If in doubt, consult with a store manager before sharing anything.

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

HR staff

DO

·      Ensure all employee files, CVs, applications, payroll information and other sensitive information are kept out of sight in locked cupboards or filing cabinets, and ensure the keys are in a safe place.

·      Ensure anyone who joins the company goes through PAIA and POPIA induction training;

·      Ensure all employees review the POPIA training on an annual basis, and sign the policy manual annually after training;

·      Ensure that you only collect and keep the information you need about a person, and nothing else.

·      Ensure all information is secure if you have to leave your workspace for any length of time.

·      Password-protect any documents that contain Personal Information (including that of a juristic person or company) before sending them electronically, and send the password separately (for example by phone or SMS), never in the same email as the document.

 

DON’T

·      Keep the CVs of applicants who were not employed for longer than 3 months; rather keep a record on the CV Tracker and delete the file.

·      Discuss people’s personal or special personal information with anyone who doesn’t need to know.

·      Leave your screen unlocked when you leave the room while working on employee files, payroll or similar;

·      Leave payroll slips or employee files lying around where other people can see them.

 

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

Accounts/ Admin/ Bookkeeping

DO

·      Ensure all documents are securely locked in a cupboard or filing cabinet whenever they are not in use.

·      Password-protect any documents that contain Personal Information (including that of a juristic person or company) before sending them electronically, and send the password separately (for example by phone or SMS), never in the same email as the document.

·      Ensure that you only collect and keep the information you need about a person, and nothing else.

·      Ensure all information is secure if you have to leave your workspace for any length of time.

 

DON’T

·      Discuss any details of debtors or creditors with unauthorised people, or in open-plan areas where you can be overheard.

·      Leave your screen unlocked when you leave the room while working on debtor or creditor information, or similar;

·      Leave financial documents or files lying around where other people can see them.


 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

In-store Competitions

DO

·      Ensure the relevant disclaimer (and any other Terms & Conditions) is printed out and prominently displayed on the entry box.

·      Clear all entries from the box and lock them away in a cupboard or filing cabinet every night.

·      Keep entries secure for the duration of the entry period.

·      Destroy all entries when the competition is over and the winners have been announced. (You might want to keep winning entries for a longer period for audit purposes, but then only keep these for as long as you need them.)

·      Ensure a parent’s/ guardian’s signature is attached to any entry where minors or children are involved.

 

DON’T

·      Ask for any more details than are required for an entry (for example, what more than a name and phone number do you really need?).

·      Display details that are irrelevant but constitute personal information on any entries (for example, if children are entering a colouring-in competition, use only their first names on the front of the entry: no surnames, ages or school).

·      Announce more details than are required when announcing winners.

 

 

In my position as ____________________________ I have read and understood this section that applies to me.

 

Signature: ____________________________

10. FAQ & Important Contacts

POPI Act Q & A

1. Do CVs have to be thrown out 3 months after they were supplied (with regard to job applications, as per the disclaimer)? What about stores wanting to keep them on file: if they are under lock and key or password-protected, is that OK?

- CVs don’t have to be thrown out after 3 months; however, it is advisable not to keep anything longer than is required.

- What we are practising here is good controls and good housekeeping. As long as there are controls in place to ensure that applicants’ CVs aren’t left lying around for everyone to see, that is the message that must come through.

- CVs contain very personal information about a person, so that Personal Information must be secured, and staff must be made aware that CVs can’t be left lying around or in unsecured boxes visible to staff and customers.

o The POPI Act puts the responsibility to safeguard the information on the SPAR Retailer.

- CVs must be kept under lock and key, or preferably scanned and stored as a password-protected (encrypted) file, with the paper document destroyed the correct way (shredded).

- It remains advisable that CVs are not kept longer than they are needed.

2. Who are the right people to contact?

a. The first contact person is your ROM.

b. DC Champions:

i. NR – Johannes Matlou (johannes.matlou@spar.co.za) 082 699 6545

ii. NR – Henk Bezuidenhoudt (henk.bezuidenhoudt@spar.co.za) 082 326 9370

 

3. Rewards – What disclaimers will be provided by SPAR to explain what information is collected/ used by SPAR and that the store has no access to it?

- SPAR Central Office is working on a disclaimer to be added to SPAR Rewards

4. Recording of customer complaints/ queries – the majority of stores will not have the ability to record calls. How does SPAR suggest we proceed?

- SPAR CO will add a disclaimer to SPAR Customer Service and SPAR Social Media Pages for complaints.

- It is suggested that at store level, if customers call to complain about an issue, this is recorded in an official complaints book or on a printed complaints page.

o It is essential that this is kept securely and not left lying around.

o Only certain people may be authorised to receive complaints.

- It is important that only the necessary details are taken down:

o Name and contact number.

o Inform the customer that you are collecting these details to report back to them directly on the complaint, that their information will be stored securely, and that it won’t be used for other purposes.

5. As English is not the home language of the majority of our customers, will SPAR be able to provide the Terms and Conditions in English, Zulu and Xhosa? Can this also be made available on the SPAR website, so that we can refer customers to a hyperlinked “disclaimer” button and do not have a huge amount of text for the customer to go through on our pages or in our private FB messages with customers?

- Currently no plans have been made to translate the disclaimers; all disclaimers on the SPAR website are in English.

- The Act itself is only in English.

6. In terms of the POPI Act, do we need to have a disclaimer on the building/at the shop entrance to state that there is CCTV surveillance on site, that patrons will be recorded, and that they give their consent to this if they come on site?

- Yes, a disclaimer must be displayed to inform customers that the store makes use of CCTV.

- See the disclaimer below (fill in the bracketed placeholders, and adapt the wording where the premises are a store rather than a head office):

o “These premises, [insert address], being the head office of the [company name] are monitored using CCTV video surveillance systems. We will use this footage for security purposes and for those purposes only. In compliance with the Protection of Personal Information Act 4 of 2013, we will not share or distribute this footage with any third parties unless required to do so by law. We will retain this footage for a period of [enter in retention period] and securely dispose of it thereafter. By entering these premises, you indicate your understanding of, and duly consent to, these terms. If you are unhappy with the manner in which this footage is used, you have the right to contact the Information Regulator with your complaints or concerns at complaints.IR@justice.gov.za.“

7. If a customer places an order now and we take their details, do we have to have them sign a consent form according to POPIA?

- You don’t need to have the customer sign a consent form.

- Our responsibility is to ensure we safeguard the customer information they share with us.

- If a retailer makes use of an online, WhatsApp or call-in order platform, you will require a disclaimer stating that you, as the retailer, will store the customer’s information in accordance with the POPI Act and, without their consent, won’t use it for other purposes.

- Refer to POPIA Disclaimers and Clauses on Retail Studio.

- The Act refers to ‘Minimality’, which means that we mustn’t obtain from the customer any more information than we require from them in order to complete the order:

o So for any order, that would be a name, a contact number or email address for proof of purchase, and possibly a delivery address if the order is for delivery.

o You don’t need to know an ID number, race, gender, etc.

8. What happens if a customer leaves/loses an ID document, credit card, cellphone, etc. in my store?

- Secure the item!

- Any item a customer leaves in your store which contains Personal Information must be stored securely.

- Credit cards, debit cards and ID cards should not be kept bundled together with a rubber band near the front end or the manager’s pulpit.

o This gives too much opportunity for people to access the PI. Any such items must be stored in the Manager’s/Finance office in a locked, secure cupboard.

9. Must I destroy items left in store by a customer?

- We all understand that losing your credit card or ID book is an inconvenience, and getting new documents can take time.

- However, given the risk of PI being obtained by other people, we must consider destroying items appropriately.

- It is advisable that any customer cards (credit cards, debit cards, bank cards) are destroyed after 7 days (fortunately most customers will cancel cards when they realise they have misplaced them).

o 7 days allows customers to retrace their steps.

- Any ID documents are to remain in a locked cupboard/safe for a period not exceeding a month.

o Thereafter they must either be destroyed or handed over to the Police.

- Cellphones are extremely expensive, but they contain very sensitive Personal Information.

o Given that they are expensive and not easily destroyed, all cellphones are to remain in a safe for a period at the discretion of the retailer.

o Most customers become aware of a lost phone very quickly and will retrace their steps.

10. Where can I register my Information Officer?

- Log onto the Online Portal: https://www.justice.gov.za/inforeg/portal.html

- In order to register your Information Officer, a lot of information is required: ID numbers, company registration numbers, addresses, contact numbers, as well as a mandatory fax number (we suggest a fax-to-email number).

o ID numbers are also required for Deputy Information Officers.

o You can’t re-use your Information Officer details anywhere else; they can’t be used for another store or for Build IT.

- There is a significant load of users registering their Information Officers, hence the portal has gone down from time to time. Therefore ensure you act urgently.
