GZI
POPI
Data Protection and Information
GZ INDUSTRIES SOUTH AFRICA
(“GZI”)
Data Protection and Information
Sharing Policy
|
Policy Category |
STRATEGIC |
|
Policy Title |
Data Protection and Information Sharing Policy |
|
Policy Owner and Custodian |
|
|
Date of Finance and Risk Committee |
|
|
Date of Board Approval |
|
|
Date of next review |
|
Table of Contents
5. PROCESSING OF PERSONAL INFORMATION
5.2. Categories of Data Subjects and their Personal Information
5.3. Categories of Recipients for Processing the Personal Information
5.4. Actual or Planned Transborder Flows of Personal Information
5.5. Retention of Personal Information Records
5.6. General Description of Information Security Measures
6. ACCESS TO PERSONAL INFORMATION
6.1. Remedies available if request for access to Personal Information is refused
7.1. Training & Dissemination of Information
8. EIGHT PROCESSING CONDITIONS
8.7. Data Subject Participation
11. STATUTORY RETENTION PERIODS
1. INTRODUCTION
This Data Protection and Information Sharing Policy describes the way that GZI, will meet its legal obligations and requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Protection of Personal Information Act (No 4 of 2013), as that is the key piece of legislation covering security and confidentiality of personal information.
Information Officer : A. Kekae
Physical Address : 1 Snapper Rd
Wadeville
Johannesburg
1428
Telephone
Number : +27
10 141 6740
Email
address : Alphina.Kekae@gzican.com
Deputy Information Officer : S. Mthenjana
Postal
Address : 1
Snapper Rd
Wadeville
Johannesburg
1428
Telephone Number : +27 10 141 6745
Email
address : Sibusiso.Mthenjana@gzican.com
2. DEFINITIONS
2.1.
Consent means the voluntary, specific and
informed expression of will;
2.2. Data Subject means the natural or juristic person to whom the Personal Information relates;
2.3. Direct Marketing means approaching a Data Subject personally for the purpose of selling them a product or service, or requesting a donation;
2.4. POPI means the Protection of Personal Information Act, No. 4 of 2013;
2.5. Personal Information means information relating to an unidentifiable, living, natural person, or an identifiable, existing juristic person, as defined in POPI;
2.6. Processing means an operation or activity, whether or not by automatic means, concerning Personal Information.
The Policy applies to all GZI
employees, directors, sub-contractors, agents, and appointees. The provisions
of the Policy are applicable to both on and off-site processing of personal
information.
GZI collects and uses Personal
Information of the individuals and corporate entities with whom it works in
order to operate and carry out its business effectively. GZI regards the lawful
and appropriate processing of all Personal Information as crucial to successful
service delivery and essential to maintaining confidence between GZI and those
individuals and entities who deal with it. GZI therefore fully endorses and
adheres to the principles of the Protection of Personal Information Act
(“POPI”)and other applicable regulation on the processing of personal
information
5. PROCESSING OF PERSONAL INFORMATION
GZI uses the Personal Information
under its care in the following ways:
- Conducting credit reference checks and assessments
- Administration of agreements
- Providing products and services to customers
- Detecting and prevention of fraud, crime, money laundering and other malpractice
- Conducting customer satisfaction research
- Marketing and sales
- In connection with legal proceedings
- Staff administration
- Keeping of accounts and records
- Complying with legal and regulatory requirements
- Profiling data subjects for the purposes of direct marketing
5.2. Categories of Data Subjects and their Personal Information
GZI may possess records relating to suppliers, members, contractors/service providers, employees and customers:
|
Entity Type |
Personal Information Processed |
|
Customers: Natural Persons (including beneficiaries) |
Names; contact details; physical and postal addresses; date of birth; ID number; tax related information; nationality; gender; bank account details; financial information confidential correspondence |
|
Customer – Juristic Persons / Entities |
Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; bank account details; BBBEE information
|
|
Contracted Service Providers |
Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; bank account details; BBBEE information
|
|
Employees / Directors |
Gender; pregnancy; marital status; colour, race; age; language; education information; financial information; employment history; ID number; physical and postal address; contact details; opinions; criminal record; well-being, union membership |
5.3. Categories of Recipients for Processing
the Personal Information
GZI may share the Personal Information
with its agents, affiliates, and associated companies who may use this
information to send the Data Subject information on products and services. GZI
may supply the Personal Information to any party to whom GZI may have assigned
or transferred any of its rights or obligations under any agreement, and/or to
service providers who render the following services:
-
Capturing and organising of data;
- Storing of data;
- Sending of emails and other correspondence to customers;
- Conducting due diligence checks;
- Administration of the Medical Aid and Pension Schemes.
- Transferring of salaries to employees/directors
- Pre-employment information verification
5.4. Actual or Planned Transborder Flows of Personal Information
Personal Information may be
transmitted transborder to GZI Group of companies in other countries, GZI’s
authorised dealers and its suppliers in other countries, and Personal
Information may be stored in data servers hosted outside South Africa, which
may not have adequate data protection laws. GZI will endeavour to ensure that
its dealers and suppliers make all reasonable efforts to secure said Data and
Personal Information.
5.5. Retention of Personal Information Records
GZI may retain Personal Information
records indefinitely, unless the Data Subject objects thereto. If the Data
Subject objects to the indefinite retention of its Personal Information GZI
shall retain the Personal Information records to the extent permitted or
required by law only.
5.6. General Description of Information Security Measures
GZI employs up to date technology to
ensure the confidentiality, integrity and availability of the Personal
Information under its care. Measures include:
-
Firewalls
- Virus protection software and update protocols
- Logical and physical access control;
- Secure setup of hardware and software making up the IT infrastructure;
- Outsourced Service Providers who process Personal Information on behalf of GZI are contracted to implement security controls.
6. ACCESS TO PERSONAL INFORMATION
All individuals and entities may request access, amendment, or deletion of their own Personal Information held by GZI. Any requests should be directed, on the prescribed form, to the Information Officer.
6.1. Remedies available if request for access to Personal Information is refused
6.1.1. Internal Remedies
GZI does not have internal appeal procedures. As such, the decision made by the Information Officer pertaining to a request is final. The Information Officer may refuse a request from a data subject for reasons listed but not limited in Clause 6.2. Reasons for refusal will be communicated. Then the requestor may seek external legal remedies if dissatisfied with the decision of the Information Officer at his/her own cost.
6.1.2. External Remedies
A requestor that is dissatisfied with the information officer’s refusal to disclose information, may within 30 days of notification of the decision, apply to a court for relief. Likewise, a third party dissatisfied with the information officer’s decision to grant a request for information, may within 30 days of notification of the decision, apply to a court for relief. For purposes of the Act, courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status.
6.2. Grounds for Refusal
GZI may legitimately refuse to grant access to a requested record that falls within a certain category. Grounds on which GZI may refuse access include:
- Protecting personal information that GZI holds about a third person (who is a natural person) including a deceased person, from unreasonable disclosure;
- Protecting commercial information that GZI holds about a third party or GZI (for example trade secret: financial, commercial, scientific or technical information that may harm the commercial or financial interests of the organisation or the third party);
- If disclosure of the record would result in a breach of a duty of confidence owed to a third party in terms of an agreement;
- If disclosure of the record would endanger the life or physical safety of an individual;
- If disclosure of the record would prejudice or impair the security of property or means of transport;
- If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;
- If disclosure of the record would prejudice or impair the protection of the safety of the public;
- The record is privileged from production in legal proceedings, unless the legal privilege has been waived;
- Disclosure of the record (containing trade secrets, financial, commercial, scientific, or technical information) would harm the commercial or financial interests of GZI;
- Disclosure of the record would put GZI at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;
- The record is a computer programme; and
- The record contains information about research being carried out or about to be carried out on behalf of a third party or GZI.
Records that cannot be found
or do not exist
If GZI has searched for a record and
it is believed that the record does not exist or cannot be found, the requester
will be notified by way of an affidavit or affirmation. This will include the
steps that were taken to try to locate the record.
7. IMPLEMENTATION GUIDELINES
7.1. Training
& Dissemination of Information
This Policy has been put in place
throughout GZI, training on the Policy and POPI will take place with all
employees.
All new employees will be made aware
at induction, or through training programmes, of their responsibilities under
the terms of this Policy and POPI.
Modifications and updates to data
protection and information sharing policies, legislation, or guidelines will be
brought to the attention of all employees.
7.2. Employee
Contracts
7.2.1.
Each new employee will sign an Employment Contract
containing the relevant consent clauses for the use and storage of employee
information, and a confidentiality undertaking as part and will be personally
responsible for ensuring there are no breaches of confidentiality in relation
to any Personal Information, however it is stored. Failure to comply will
result in the instigation of a disciplinary procedure.
7.2.2. Each employee currently employed within GZI will sign an addendum to their Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the institution of disciplinary proceedings.
8. EIGHT PROCESSING CONDITIONS
POPI is implemented by abiding by eight
processing conditions. GZI shall abide by these principles in all its
possessing activities.
8.1.
Accountability
GZI shall ensure that all processing
conditions, as set out in POPI, are complied with when determining the purpose
and means of processing Personal Information and during the processing itself. GZI
shall remain liable for compliance with these conditions, even if it has
outsourced its processing activities.
8.2. Processing
Limitation
8.2.1. Lawful grounds
The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant and not excessive.
GZI may only process Personal
Information if one of the following grounds of lawful processing exists:
-
The Data Subject consents to the processing;
- Processing is necessary for the conclusion or performance of a contract with the Data Subject;
- Processing complies with a legal responsibility imposed on GZI;
- Processing protects a legitimate interest of the Data Subject;
- Processing is necessary for pursuance of a legitimate interest of GZI, or a third party to whom the information is supplied;
Special Personal
Information includes:
-
Religious, philosophical, or political beliefs;
- Race or ethnic origin;
- Trade union membership;
- Health or sex life;
- Biometric information (including blood type, fingerprints, DNA, retinal scanning, voice recognition, photographs);
- Criminal behaviour;
- Information concerning a child.
GZI may only process Special Personal
Information under the following circumstances:
-
The Data Subject has consented to such processing;
- The Special Personal Information was deliberately made public by the Data Subject;
- Processing is necessary for the establishment of a right or defence in law;
- Processing is for historical, statistical, or research reasons
- If processing of race or ethnic origin is in order to comply with affirmative action laws
All Data Subjects have the right to
refuse or withdraw their consent to the processing of their Personal
Information, and a Data Subject may object, at any time, to the processing of
their Personal Information on any of the above grounds, unless legislation
provides for such processing. If the Data subject withdraws consent or objects
to processing then GZI shall forthwith refrain from processing the Personal
Information.
8.2.2. Collection directly
from the Data Subject
Personal Information must be collected directly from the Data Subject, unless:
-
Personal Information is contained in a public record;
- Personal Information has been deliberately made public by the Data Subject;
- Personal Information is collected from another source with the Data Subject’s consent;
- Collection of Personal Information from another source would not prejudice the Data Subject;
- Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;
- Collection from the Data Subject would prejudice the lawful purpose of collection;
- Collection from the Data Subject is not reasonably practicable.
8.3. Purpose
Specification
GZI shall only process Personal
Information for the specific purposes as set out and defined above at paragraph
5.1.
8.4.
Further Processing
New processing activity must be
compatible with original purpose of processing. Further processing will be
regarded as compatible with the purpose of collection if:
-
Data Subject has consented to the further processing;
- Personal Information is contained in a public record;
- Personal Information has been deliberately made public by the Data Subject;
- Further processing is necessary to maintain, comply with or exercise any law or legal right;
- Further processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party.
8.5. Information
Quality
GZI shall take reasonable steps to
ensure that Personal Information is complete, accurate, not misleading and
updated. GZI shall periodically review Data Subject records to ensure that the
Personal Information is still valid and correct.
Employees should as far as reasonably
practicable follow the following guidance when collecting Personal Information:
-
Personal Information should be dated when received;
- A record should be kept of where the Personal Information was obtained;
- Changes to information records should be dated;
- Irrelevant or unneeded Personal Information should be deleted or destroyed;
- Personal Information should be stored securely, either on a secure electronic database or in a secure physical filing system.
8.6. Openness
GZI shall take reasonable steps to
ensure that the Data Subject is made aware of:
-
What Personal Information is collected, and the source
of the information;
- The purpose of collection and processing;
- Where the supply of Personal Information is voluntary or mandatory, and the consequences of a failure to provide such information;
- Whether collection is in terms of any law requiring such collection;
- Whether the Personal Information shall be shared with any third party.
8.7. Data Subject Participation
Data Subject have the right to request
access to, amendment, or deletion of their Personal Information.
All such requests must be submitted in writing to the Information Officer. Unless there are grounds for refusal as set out in paragraph 6.2, above, GZI shall disclose the requested Personal Information:
-
On receipt of adequate proof of identity from the Data
Subject, or requester;
- Within a reasonable time;
- On receipt of the prescribed fee, if any;
- In a reasonable format
GZI shall not disclose any Personal
Information to any party unless the identity of the requester has been
verified.
8.8. Security Safeguards
GZI shall ensure the integrity and
confidentiality of all Personal Information in its possession, by taking
reasonable steps to:
-
Identify all reasonably foreseeable risks to
information security;
- Establish and maintain appropriate safeguards against such risks;
8.8.1. Written records
- Personal Information records should be kept in locked cabinets, or safes;
- When in use Personal Information records should not be left unattended in areas where non-employee members may access them;
- GZI shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;
- Personal Information which is no longer required should be disposed of by shredding.
Any loss or theft of, or unauthorised
access to, Personal Information must be immediately reported to the Information
Officer.
8.8.2. Electronic Records
- All electronically held Personal Information must be saved in a secure database;
- As far as reasonably practicable, no Personal Information should be saved on individual computers, laptops or hand-held devices;
- All computers, laptops and hand-held devices should be access protected with a password, fingerprint or retina scan, with the password being of reasonable complexity and changed frequently;
- GZI shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day;
- Electronic Personal Information which is no longer required must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.
Any loss or theft of computers,
laptops or other devices which may contain Personal Information must be
immediately reported to the Information Officer, who shall notify the IT
department, who shall take all necessary steps to remotely delete the
information, if possible.
9. DIRECT MARKETING
All Direct Marketing communications
shall contain GZI’s, and/or the Company’s details, and an address or method for
the customer to opt-out of receiving further marketing communication.
9.1.1. Existing Customers
Direct Marketing by electronic means to existing customers is only permitted:
-
If the customer’s details were obtained in the context
of a sale or service; and
- For the purpose of marketing the same or similar products;
The customer must be given the
opportunity to opt-out of receiving direct marketing on each occasion of direct
marketing.
9.1.2. Consent
GZI may send electronic Direct Marketing communication to Data Subjects who have consented to receiving it. GZI may approach a Data Subject for consent only once.
9.1.3. Record Keeping
GZI shall keep record of:
- Date of consent
- Wording of the consent
- Who obtained the consent
- Proof of opportunity to opt-out on each marketing contact
- Record of opt-outs
10.1. Documents may be destroyed after the
termination of the retention period specified herein, or as determined by the Company from time to time.
10.2. Each department is responsible for attending
to the destruction of its documents and electronic records, which must be done
on a regular basis. Files must be checked in order to make sure that they may
be destroyed and also to ascertain if there are important original documents in
the file. Original documents must be returned to the holder thereof, failing
which, they should be retained by the Company pending such return.
10.3. The documents must be made available for
collection by the approved document disposal company.
10.4. Deletion of electronic records must be done
in consultation with the IT Department, to ensure that deleted information is
incapable of being reconstructed and/or recovered.
11. STATUTORY RETENTION PERIODS
|
Legislation |
Document Type |
Period |
|
Companies Act |
Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act; Notice and minutes of all shareholders meeting, including resolutions adopted and documents made available to holders of securities; Copies
of reports presented at the annual general meeting of the company; Copies
of annual financial statements required by the Act; Copies of accounting
records as required by the Act; Record of directors
and past directors, after the director has retired from the company; Written communication to holders of securities and Minutes and resolutions of directors’ meetings, audit committee and directors’ committees. |
7 Years |
|
Registration certificate; Memorandum of Incorporation and alterations and amendments; Rules; Securities register and
uncertified securities register; Register of company
secretary and auditors and Regulated Companies (companies to which chapter 5, part B, C and Takeover Regulations apply) – Register of disclosure of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued.
|
Indefinitely |
|
|
Consumer Protection Act |
Full names, physical address, postal address and contact details; ID
number and registration number; Contact details of public
officer in case of a juristic person; Service
rendered; Cost
to be recovered from the consumer; Frequency
of accounting to the consumer; Amounts, sums,
values, charges, fees, remuneration specified in monetary terms; Conducting a promotional competition refer to Section 36(11)(b) and Regulation 11 of Promotional Competitions; |
3 years |
|
Financial Intelligence Centre Act |
Whenever a reportable transaction is concluded with a customer, the institution must keep record of the identity of the customer; If the customer is
acting on behalf of another person, the identity of the person on whose
behalf the customer is acting and the customer’s authority to act on behalf
of that other person; If another person is
acting on behalf of the customer, the identity of that person and that other
person’s authority to act on behalf of the customer; The manner in
which the identity of the persons referred to above was established; The nature of that
business relationship or transaction; In the case of a
transaction, the amount involved and the parties to that transaction; All accounts that are
involved in the transactions concluded by that accountable institution in the
course of that business relationship and that single transaction; The name of the person
who obtained the identity of the person transacting on behalf of the
accountable institution; Any document or copy of a document obtained by the accountable institution |
5 years |
|
Compensation for Occupational Injuries and Diseases Act |
Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.
|
4 years |
|
Section 20(2) documents : -Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation; -Records of incidents reported at work. |
3 years |
|
|
Asbestos Regulations, 2001, regulation 16(1): -Records of assessment and air monitoring, and the asbestos inventory; -Medical surveillance records; Hazardous Biological Agents Regulations, 2001, Regulations 9(1) and (2): -Records of risk assessments and air monitoring; -Medical surveillance records. Lead Regulations, 2001, Regulation 10: -Records of assessments and air monitoring; -Medical surveillance records Noise - induced Hearing Loss Regulations, 2003, Regulation 11: -All records of assessment and noise monitoring; -All medical surveillance records, including the baseline audiogram of every employee. |
40 years |
|
|
Hazardous Chemical Substance Regulations, 1995, Regulation 9: -Records of assessments and air monitoring; -Medical surveillance records
|
30 years |
|
Legislation |
Document Type |
Period |
|
Basic Conditions of Employment Act |
Section 29(4): -Written particulars of an employee after termination of employment; Section 31: -Employee’s name and occupation; -Time worked by each employee; -Remuneration paid to each employee; -Date of birth of any employee under the age of 18 years. |
3 years |
|
Employment Equity Act |
Records in respect of the company’s workforce, employment equity plan and other records relevant to compliance with the Act; Section 21 report which is sent to the Director General |
3 years |
|
Labour Relations Act |
Records to be retained by the employer are the collective agreements and arbitration awards. |
3 years |
|
An employer must retain prescribed details of any strike, lock-out or protest action involving its employees; Records of each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer and the reasons for the actions |
Indefinite |
|
|
Unemployment Insurance Act |
Employers must retain personal records of each of their current employees in terms of their names, identification number, monthly remuneration and address where the employee is employed |
5 years |
|
Tax Administration Act |
Section 29 documents which: -Enable a person to observe the requirements of the Act; -Are specifically required under a Tax Act by the Commissioner by the public notice; -Will enable SARS to be satisfied that the person has observed these requirements |
5 years |
|
Income Tax Act |
Amount of remuneration paid or due by him to the employee; The amount of employees tax deducted or withheld from the remuneration paid or due; The income tax reference number of that employee; Any further prescribed information; Employer Reconciliation return. |
5 years |
|
Value Added Tax Act |
Where a vendor’s basis of accounting is changed the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditors at the end of the tax period immediately preceding the changeover period; Importation of goods, bill of entry, other documents prescribed by the Custom and Excise Act and proof that the VAT charge has been paid to SARS; Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists and paid cheques; Documentary proof substantiating the zero rating of supplies; Where a tax invoice, credit or debit note, has been issued in relation to a supply by an agent or a bill of entry as described in the Customs and Excise Act, the agent shall maintain sufficient records to enable the name, address and VAT registration number of the principal to be ascertained. |
5 years |
12 DOCUMENT CONTROL
12.1 Version history
This document is the latest version indicated in the following table:
|
Version |
Details of changes |
Author |
|
|
First draft |
Legal Officer |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
12.2 Version review
This document version was reviewed as indicated in the following table:
|
Person |
Designation |
Review date |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
12.3 Version approval
This document version was approved for implementation as shown below, and is effective from the date of approval.
This policy will be reviewed every second year or when necessary (i.e. legislative changes), from the date of approval.
|
Person (or Committee) |
Designation |
Approval date |
|
|
|
|
|
|
|
|