Privacy policy

Use and Protection of Personal Information in relation to the Protection of Personal Information Act (POPIA)

For purposes of this policy

"Data Protection Legislation" means applicable data protection or data privacy laws, including POPI, in force in South Africa from time to time;

Disclosing Party” means a Party who discloses Personal Information to a Receiving Party, or on whose behalf Personal Information has been collected by the Receiving Party, pursuant to this Agreement;

Operator” has the meaning ascribed thereto in POPI;

Personal Information” has the meaning ascribed thereto in POPI and is being or may be processed by the Receiving Party pursuant to this Agreement;

POPI” means the Protection of Personal Information Act No 4 of 2013 and any regulations passed thereunder, as may be amended from time to time;

"Processing" has the meaning ascribed thereto in POPI and derivatives thereof will have cognate meanings;

Receiving Party” means a Party who receives Personal Information from the Disclosing Party, or on whose behalf it collects Personal Information, pursuant to this Agreement and such receipt of Personal Information renders that Party an Operator;

Representative” means an officer, director or employee of the Receiving Party; and

Third Party Operator” means a third party who is an Operator of the Receiving Party.

To the extent that the Receiving Party Processes Personal Information, it warrants that:

  1. It shall Process such Personal Information only on the written instruction of the Disclosing Party, in accordance with this Agreement or as required by Data Protection Legislation and as is necessary to perform its obligations under this Agreement and for no other purpose;

  2. It shall not create or maintain data which are derivatives of such Personal Information, except for the purpose of performing its obligations under this Agreement and as authorised by the Disclosing Party in writing;

  3. It shall, at any and all times during which it is Processing such Personal Information:

  • Comply with Data Protection Legislation, and not, by act or omission, place the Disclosing Party in violation of any applicable privacy or security law;

  • Implement and maintain appropriate and reasonable technical and organisational security measures to protect the security of such Personal Information, including security measures applicable to the storage and transmission of such Personal Information, and to prevent a data security breach, including, without limitation, a breach resulting from or arising out of the Receiving Party’s internal use, Processing or other transmission of such Personal Information, whether between or among the Receiving Party’s Representatives or any Third Party Operator;

  • Assign an employee who will be responsible for implementing and maintaining the technical and organisational security measures required in terms of this Agreement and, upon the Disclosing Party’s request, provide evidence that it has established and maintains such technical and organisational security measures governing the Processing of such Personal Information;

  • Safely secure all such Personal Information when processing such Personal Information on a laptop or other portable device (including memory sticks, USB flash drives, or other storage medium devices);

It shall notify the Disclosing Party without undue delay and no later than 1 (one) day from the date of obtaining actual knowledge of any data security breach in respect of such Personal Data.

It shall not permit any Representative or Third Party Operator to process such Personal Information, unless such Processing is in compliance with this Agreement and is necessary in order to carry out the Receiving Party’s obligations under this Agreement;

It shall not disclose such Personal Information to any third party (including, without limitation, its affiliates and subsidiaries and Third Party Operators) unless –

  • The disclosure is necessary in order to carry out the Receiving Party’s obligations under this Agreement;

  • Such third party is bound by the same provisions and obligations as those set out in this Agreement;

  • The Receiving Party has received the Disclosing Party’s prior written consent; and

  • The Receiving Party remains responsible for any breach by such third party of the obligations set out in this Agreement to the same extent as if the Receiving Party caused such breach;

It shall establish policies and procedures to provide all reasonable and prompt assistance to the Disclosing Party in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any such Personal Information;

It shall provide security awareness and/or training to its Representatives and any other third parties who process Personal Information on its behalf to promote continual security education related to user security responsibilities for protecting Personal Information received from the Disclosing Party. Where appropriate, training must include secure application development training to ensure that the Receiving Party’s developers are programming according to secure coding techniques and principles. Upon the Disclosing Party’s request, the Receiving Party will provide reports of training completion to the Disclosing Party for auditing purposes;

It and all of its Representatives shall adhere to the requirements and security safeguards set out in POPI;

It shall not use such Personal Information for any purpose that is inconsistent with POPI on or before the time of collection of that Personal Information.