Protection of Personal Information Policy

NON RES SA (PTY) LTD PROTECTION OF PERSONAL INFORMATION ACT (POPIA) COMPLIANCE POLICY

Updated 1 July 2021

CONENTS

1. INTRODUCTION

2. OVERVIEW

2.1. An overview of the act

2.2. An overview of the regulations

3. APPLICATION TO NON RES SA (PTY) LTD

3.1. Scope of the application

3.2. The “data subject”

3.3. The “responsible party”

3.4. The “operator”

4. PROCESSING OF PERSONAL INFORMATION

4.1. Which activities fall within the meaning of “processing”?

4.2. What is “Personal Information”?

4.3. Exceptions and rules relation to “Special Personal Information”

4.4. Processing of “Special Personal Information”

5. CONDITIONS FOR LAWFUL PROCESSING OF INFORMATION

6. THE REGULATORY AUTHORITY

6.1. The Regulator for data protection

6.2. Powers, duties and responsibilities of the regulator

6.3. Submitting complaints to the regulator

7. SPECIAL NOTIFICATION/REGISTRATION REQUIREMENTS

8. THE COMPLIANCE OFFICER

9. IMPLENTATION OF POLICY WITHIN NON RES SA (PTY) LTD

10. ELECTRONIC DIRECT MARKETING CONSENT

11. FURTHER COMPLIANCE CONSIDERATIONS

11.1. Data breach notifications

11.2. Sanctions

11.3. Data retention

11.4. Data transfer and outsourcing

1. INTRODUCTION

The Constitution of the Republic of South Africa entrenches the right to privacy. With our ever-growing susceptibility to invasions of privacy, whether by technological or other means, the Protection of Personal Information Act 4 of 2013 (hereinafter referred to as “the Act”) was passed in order to give effect to this right. The goal of this Act is to ensure that businesses deal with personal information in a responsible and secure way. The Electronic Communications and Transactions Act of 2002 regulates privacy of personal information to a certain extent, but these provisions have been repealed as of 30 June 2021.

The nature of our company means that we typically process large amounts of personal information. Along with the professional duty of client confidentiality, the importance of properly protecting personal information entrusted to us must not be underestimated.

2. OVERVIEW

2.1. AN OVERVIEW OF THE ACT

The Act was signed into law in 2013 but did not take full effect at the time as various developments were still required, such as the appointment of the Information Regulator and the publishing of the regulations. An overview is as follows:

Chapter 1 (Sections 1 and 2)
Effective as at 11 April 2014, these sections comprise of the definitions and prupose of the Act;

Chapter 2 (Application Provisions)
Section 3: The Application and interpretation of the Act
Section 4: The lawful processing of personal information
Section 5: The rights of data subjects
Section 6: The exclusions
Section 7: Exclusions for journalistic, literary or artistic purposes

Chapter 3 (Sections 8 to 35)
The conditions for the lawful processing of personal information, which conditions must be complied with by responsible parties when processing personal information

Chapter 4 (Sections 36 to 38)
Exemptions from the conditions for the lawful processing of personal information which, if applicable, will exempt a responsible party for processing that is in breach of the conditions for the lawful processing of personal information

Chapter 5 (Supervision, Sections 39 to 56)
Sets out the Information Regulator, the establishment thereof and the requirements for Information Officers

Chapter 6 (Prior Authorization, Sections 57 to 59)
The requirements for responsible parties to obtain prior authorization from the Information Regulator for specific types of planned processing activities

Chapter 7 (Codes of Conduct, Sections 60 to 68)
The issuing of Codes of Conduct by the Information Regulator

Chapter 8 (Sections 69 to 71)
The requirements in respect of direct marketing, directories and automated decision making

Chapter 9 (Section 72)
Transfers of personal information outside of the Republic

Chapter 10 (Sections 73 to 99)
The enforcement of the Act

Chapter 11 (Sections 100 to 109)
Offences, penalties and administrative fines

Chapter 12 (General Provisions, Sections 110 to 115)
These cover amendment of laws, fees, regulations, the procedures for making regulations, short title and commencement as well as transitional arrangements. The transitional arrangements refer to a one-year transition period following the commencement of the Act to allow for compliance. Responsible parties will need to comply with all of the provisions of the Act from 1 July 2021.

2.2. AN OVERVIEW OF THE REGULATIONS

The nature of the regulations is mainly administrative. The regulations prescribe forms to be used to facilitate taking relevant action under the Act. The relevant forms are attached to the policy as Annexure A

A brief description is as follows:

Form 1: Consent to the processing of Personal Information

Form 2: Request for the correction/deletion of Personal Information

Form 3: Objection to the processing of Personal Information

Form 4: Direct Marketing Consent

3. APPLICATION TO NON RES SA (PTY) LTD

3.1. SCOPE OF APPLICATION

The Act applies to processing of Personal Information in any form by a responsible party domiciled in South Africa. The Act also applies to a responsible party not domiciled in South Africa, if such party makes use of automated or non-automated means in South Africa, unless the processing relates only to the forwarding of Personal Information through South Africa.

Personal Information which is processed by non-automated means falls under the ambit of the Act if it forms party of a filing system or is intended to be part of a filing system.

The term Personal Information included a wide variety of details to be discussed in full under Chapter 4 which include details collected by employees of Non Res SA (Pty) ltd when they perform functions on behalf of clients, employees/potential employees, suppliers and those to who processing activities are outsourced.

3.2. THE “DATA SUBJECT”

The Data Subject is the person or entity to whom the data (Personal Information) belongs. In the context of Non Res SA (Pty) Ltd, the data subject will in most cases be the clients, employees/potential employees, service providers or suppliers.

Personal Information of the data subject may only be processed if the data subject expressly consents to the processing of Personal Information.

Consent of the data subject is not required if the following exclusions apply:

3.2.1. The processing of Personal Information is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;

3.2.2. The processing of Personal Information complies with an obligation imposed by law on the responsible party. For example, collecting proof of residence to comply with the Financial Intelligence Centre Act 38 or 2001;

3.2.3. The processing of Personal Information protects a legitimate interest of the data subject;

3.2.4. The processing of Personal Information is necessary for the property performance of a public law duty by a public body;

3.2.5. The processing of Personal Information is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied

The Personal Information must ideally be collected directly from the data subject, with the following exceptions:

• The information is already contained in, or derived from, a public record, or has deliberately been made public by the data subject;

• Collection of the information from another source would not prejudice a legitimate interest of the data subject.

For example, information in the Deeds Office database may be collected without consent and without the need to collect it directly from the client, because it is available on the public Deeds Office database. Nonetheless, despite it being derived from a public record, employees must act responsibly when using and sharing the information so obtained.

A data subject may withdraw their consent at any time and may request that a responsible party correct or delete Personal Information that is inaccurate, irrelevant, and excessive or which the responsible party is no longer authorized to retain.

3.3. THE “RESPONSIBLE PARTY”

A responsible party is defined as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In most cases, the responsible party is exactly that – the party that carries the lion’s share of responsibility in terms of the Act. This is the party that decides what information is to be collected and how it will be used. In this sense, Non Res SA (Pty) Ltd, ultimately the Directors as the heads thereof, will mostly be the responsible party, as it ultimately determines what information it will ask for from its clients, employees and service providers.

However, this does not negate the responsibility of the employees of Non Res SA (Pty) Ltd as the employees are required to act in the interests of Non Res SA (Pty) Ltd and thus it could be argued that the employees act in conjunction with Non Res SA (Pty) Ltd as responsible party, despite the fact that the Directors will ultimately be held vicariously liable for all staff’s actions, interactions and communications.

The responsible party bears the onus to ensure that it meets the conditions of lawful processing of Personal Information. It further bears the ultimate onus to ensure that security measures are adhered to, as well as all necessary costs when it comes to the integrity and confidentiality required when dealing with Personal Information.

The responsible party may process Personal Information where the information protection conditions are met:

3.3.1. The processing is performed in a reasonable manner. The processing does not infringe the data subject’s privacy and is for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;

3.3.2. The data subject has been made aware of the nature of the information being collected, the identity of the responsible party and the purpose of the collection of the information and in relation to processing, such processing is adequate, relevant and not excessive;

3.3.3. The data subject has consented thereto, or the processing is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interests of the responsible party or a third party to who the information is supplied;

3.3.4. The Personal Information is collected directly from the data subject. Exceptions to this requirement are as follows: the information has been made public by the data subject, the data subject has consented to collection from another source, the data subject’s interests would not be prejudiced by the collection, the collection is necessary per the prejudiced or compliance is not reasonably practicable;

3.3.5. The data subject will continue to have access to the personal information subject to certain exemptions;

3.3.6. The responsible party has taken appropriate technical and organizational measures to safeguard the security of the information.

3.4. THE “OPERATOR”

An operator is defined as a person who processes Personal Information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. The operator is a party that performs processing of the data subject’s Personal Information on behalf of the responsible party, such as when the operator is a third party to the main business. Any third party or operator processing Personal Information for the responsible party must do so only with the knowledge and express authorization of the responsible party and must treat the Personal Information as confidential. The responsible party always has the obligation to ensure that an operator processing information on its behalf establishes security safeguards and that these measures are maintained. The responsible party is also obliged to ensure that an operator not domiciled in the Republic, adheres to the laws governing the processing of Personal Information.

Despite the responsible party being ultimately liable, the operator is obliged to process information lawfully in accordance with the responsible party’s needs, as well as take adequate measures to comply with the Act.

The Act provides that a responsible party:

• Remains ultimately accountable for an operator;

• Must ensure that an operator only processes information furnished to it with the knowledge or authorization of the responsible party, must treat Personal Information which comes to their knowledge as confidential and must not disclose it to others unless required by law or in the course of the property performance of their duties;

• Must in terms of a written contract between the responsible party and the operator, ensure that the operator who/which processes Personal Information for the responsible party establishes and maintains the requisite security measures.

Duties of the operator

The operator must notify the responsible party immediately where there are reasonable grounds to believe that the Personal Information of a data subject has been accessed or acquired by any unauthorized person.

4. PROCESSING OF PERSONAL INFORMATION

4.1. WHICH ACTIVITIES FALL WITHIN THE MEANING OF “PROCESSING”?

The following activities of all employees fall within the meaning of processing: collections, receipt, recording, organizing of information, collation, storage, updating, modification, retrieval, alteration, use, dissemination and merging.

Where the Personal Information has been used for the purpose for which it was collected, it has to be deleted in a secure manner once the requisite time period for keeping records has lapsed. A secure manner is such that the data subject cannot be re-identified, for example, shredding.

4.2. WHAT IS “PERSONAL INFORMATION”?

The following constitutes Personal Information: information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to:

• Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
• Information relating to the education or the medical, financial, criminal or employment history of that person;
• Any identifying number, symbol, email address, physical address, telephone numbers, location information, online identifier or other particular assignment to the person;
• The biometric information of the person;
• The personal opinions, views or preferences of the person;
• Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
• The views or opinions of another individual about the person; and
• The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

4.3. EXCEPTIONS AND RULES RELATING TO “SPECIAL PERSONAL INFORMATION”

There is a special category of Personal Information called “Special Personal Information.” Due to the more sensitive nature of this information, a stricter degree of protection is required.

Special Personal Information includes:

• Information concerning a child:
• Personal Information concerning the religious or philosophical beliefs, race or thenic origin, trade union membership, political opinions, health, DNA, sexual life or criminal behaviour or a data subject.

You are not allowed to process this Special Personal Information unless:

• It is done with consent of the parent or legal guardian; or
• Is necessary in law; or
• Is done for historical, statistical or research purposes; or
• The information has been deliberately made public by the subject.

There are a few exceptions to the limitations placed on the processing of Special Personal Information. These exceptions relate to situations when this information is specifically relevant and constitutes the purpose for which the information is being collected.

Not all information falls under the ambit of the Act and may thus be processed without compliance.

There are further general exceptions of which the following types of processing are excluded from the ambit of the Act, namely information:

• Processed for purely personal or household activity;
• That has been de-identified (if the information which links it to a specific data subject has been deleted or the link between a data subject and their Personal Information has been broken to such an extent that someone cannot link the information back to the relevant data subject again);
• Processed on behalf of the State or used by the Cabinet, Executive Council or a Province and any Municipality;
• Used exclusively for journalistic purposes;
• Required for the judicial functions of courts and/or;
• Which is exempted by the Regulator in terms of Section 34 of POPI (for example, processing information concerning a child).

5. CONDITIONS FOR LAWFUL PROCESSING

The nature of the business of Non Res SA (Pty) Ltd is such that we frequently deal with the Personal Information of clients. There are certain requirements imposed by the Act for the lawful use of Personal Information. If you collect and process data in accordance with these conditions and allowable exceptions, the handling thereof will not breach the Act or the person’s right to privacy. These are legally binding principles that must underpin all processing of Personal Information within the company.

The conditions for processing are as follows:

• ACCOUNTABILITY: this principle is met when the responsible party ensures that the Act is complied with when collecting and processing the Personal Information of clients;

• LAWFULNESS: the collection of Personal Information must not be excessive, it must be legally justifiable, and it must not be collected from third parties if not conducive to the purpose of the matter.

The six justification grounds are:

o Consent: the individual has given clear consent for the company to process his/her/its personal data for a specific purpose;

o Contract: the processing is necessary for the performance or conclusion of a contract to which the data subject is a party;

o Legal Obligation: the processing is necessary as it complies with an obligation imposed by law. For example: obtaining proof of residential address to comply with the Financial Intelligence Centre Act (FICA);

o Public Law: the processing is necessary to perform a public law duty by a public body, whereby it is a legal obligation to have to share the information;

o Legitimate Interests of the Data Subject: processing protects the vital interests of the data subject insofar as necessary, and not more;

o Legitimate Interests of the Responsible Party: information must be processed in line with what the data subject would reasonably expect.

How should the responsible party perform a legitimate interest assessment?

The responsible party should identify the legitimate interest, show why the processing is necessary to achieve it and balance same against the data subject’s interest, rights and freedoms.

• PURPOSE LIMITATION: Personal Information must only be collected in connection with a specific purpose and must not be stored for longer than necessary;

• RESTRICTION ON FURTHER PROCESSING: Personal Information may not be processed for a purpose other than that for which it was collected;

• INFORMATION QUALITY: Personal Information must be complete and accurate and must ideally be obtained from the person themselves, where possible. Only where this is not possible, may other sources be approached;

• OPENESS: Personal Information must be processed in a transparent manner;

• SECURITY SAFEGUARDS: Personal Information must be processed securely. The responsible party is obliged to provide notification of any data breaches. Non Res SA (Pty) Ltd undertakes to ensure that all Personal Information handled is kept secure at all times. This encapsulates the responsibility of ensuring that information is not accidentally lost or made known to third parties when collecting and storing same. A reasonable measure in ensuring that information is kept secure is ensuring that files are locked away when not in use and all electronic devices are password protected.

The Regulator requires the responsible party to take appropriate, reasonable technical and organizational measure to prevent the loss or damage to, or unauthorized access of Personal Information.

This includes putting in place measures to ensure that all employees of Non Res SA (Pty) Ltd only apply and use information made available to themselves, for the purposes determined by Non Res SA (Pty) Ltd.

Non Res SA (Pty) Ltd will ensure that all employees that process Personal Information for it, establish and maintain all security measures. Further, Non Res SA (Pty) Ltd ensures that in the case of data breaches or unauthorized access to the system of an employee, that the employee reports the incident to the responsible party (who then reports it to the Regulator) and the data subject/s with a reasonable time.

A data breach notification must be in writing and communicated to the data subject in one of various ways, or as directed by the Regulator. In the case of a severe breach, a data breach notification must be communicated to the Regulator directly.

• DATA SUBJECT PARTICIPATION: data subjects must be allowed access to their Personal Information held by Non Res SA (Pty) Ltd, and may request that it is corrected or deleted if it is inaccurate. If Non Res SA (Pty) Ltd is obliged by law to keep the records for a certain period, then employees may legitimately refuse the data subject’s request to delete said information.

6. THE REGULATORY AUTHORITY

6.1. THE REGULATOR FOR DATA PROTECTION

The Act introduces and provides for the establishment of an independent supervisory authority, the Information Regulator. Its function is to monitor and oversee compliance with the data protection provisions contained in the Act.

6.2. POWERS, DUTIES AND RESPONSIBILITIES OF THE REGULATOR

The information regulator is responsible for the oversight and enforcement of the Act and has wide ranging powers and responsibilities, including and in relation to:
o Facilitating education, training and awareness on data protection;

o Monitoring and enforcing compliance with the Act;

o Consulting with any interested parties on data protection;

o Handling complaints from data subjects and/or other parties in relation to data protection;

o Research regarding privacy and data protection; issuing codes of conduct; and facilitating cross border cooperation in the enforcement of privacy laws.

6.3. SUBMITTING COMPLAINTS TO THE REGULATOR

If there is an alleged interference with a person’s right to privacy, that person may, orally or in writing, submit a complaint to the Information Regulator.

The Information Regulator is then obliged to investigate the complaint, act as a conciliator where appropriate, and take further action as contemplated in the Act.

The Information Regulator may do the following in exercising its investigative powers:

o Summon and enforce the appearance of persons;

o Compel the provision of written or oral evidence under oath

o Receive evidence irrespective of whether such evidence is admissible in a court of law; and

o Enter and search any premises occupied by a responsible party

If necessary, the Information Regulator may apply to a judge of the High Court or a magistrate to issue a warrant to enable the Information Regulator to enter and search premises.

7. SPECIAL NOTIFICATION/REGISTRATION REQUIREMENTS

No registration or notification requirements for the processing of Personal Information are prescribed by the Act other than prior authorization with regard to certain limited categories of processing under Section 57 of the Act which relates to the cross-border transfer of Special Personal Information or Personal Information regarding children, criminals and information pertaining to credit reporting.

In this case, the operator or the responsible party will need authorisation from the Information Regulator directly in writing prior to any processing. This is specifically applicable to credit reporting, criminal behaviour and the transfer of Special Personal Information relating to children, because in such processing, there is a potential risk when it comes to the interests of the data subject.

In this case, a responsible party or an operator cannot process information until the Regulator has completed its investigation, or until receiving notice that a further investigation needs to be conducted.

The Regulator is obliged to inform the responsible party in writing within 4 weeks of further investigation and the period of investigation must not exceed 13 weeks. Following the period of investigation, a statement by the Regulator must be processed for the responsible party to either act or suspend its processing.

8. THE COMPLIANCE OFFICER

It is compulsory under the Act for appoint a compliance officer.

There is no formal prescribed procedure for the appointment by an organization for the appointment of an individual as an information officer, as the position is automatically assigned to the head of an organization. At Non Res SA (Pty) Ltd, this shall be Damien Williams.

The information officer’s role is governed by the Promotion of Access to Information Act 2 of 2002 as well as the Protection of Personal Information Act.

The Act provides that the information officer is responsible for the following:

• Ensuring that the organization complies with the conditions of lawful processing of Personal Information;

• Working with the Regulator in relation to any investigations conducted in accordance with the relevant provisions of the Act.

These responsibilities are further extended in the regulations, which provide that an information officer is required to, amongst other things:

• Ensure a compliance framework is developed, implemented, monitored and maintained;

• Attend to a Personal Information impact assessment to ensure that adequate measures and standards exist within the responsible party in order to comply with the various conditions for lawful processing of Personal Information as contemplated in the Act;

• Ensure that a training manual as contemplated in the Promotion of Access to Information Act is developed, monitored for updates, maintained by HR and made available to employees;

• Ensure that internal awareness training sessions are conducted regarding the provisions of the Act, the regulations and any codes of conduct or information obtained from the Regulator and a copy of the manual must be signed by each trained employee.

Any organization may appoint deputy information offers as may be necessary to assist with and perform the duties placed on the information officer, for example, the Directors of the respective branches.

The position of the information officer is an automatic appointment. However, the information officer is required to register with the Regulator prior to taking up his or her duties as an information officer under the Act. Thus, although an information officer may continue to act in accordance with the provisions of Promotion of Access to Information Act, he or she should first register with the Regulator before attending to his or her duties under the Protection of Personal Information Act. From 1 July 2021, Damien Williams must register and then deputize accordingly.

As at 3 March 2021, the information regulator’s office has developed an electronic portal which has enabled the organization to register its information officers and which will allow access to the register of information officers to data subjects.

9. IMPLEMENTATION OF POLICY WITHIN NON RES SA (PTY) LTD

The implementation and compliance within Non Res SA (Pty) Ltd will involve the following:

9.1. The draft policy shall be signed off;

9.2. Establishment of the Information Officer’s role, as mentioned above:

9.3. Buy-in and staff training in order to ensure effective compliance, buy-in from senior management all the way down the chain of command is needed. Employees must be information of what data privacy is about, what their data privacy is about in terms of their specific role and what their duties are in terms of the Act;

9.4. Self checks/GAP analysis/impact assessment: employees of Non Res SA (Pty) Ltd need to do a detailed check, supervised by the Directors, on when and how information is collected, how it is stored and used and ultimately deleted or destroyed. Further, whether it was collected with the necessary consent or otherwise obtained lawfully where consent is not required. Gaps and risks therefore become identifiable;

9.5. Implementation: the framework must be implemented, monitored and maintained;

9.6. Employees and employment contracts: the Act applies equally to any Personal Information processed as part of a data subject’s employment. The Act therefore applies to the collection and use of Personal Information of prospective employees, current employees and past employees, as well as monitoring employee’s email, internet access, location data and video surveillance of employees in the employment context. Employee records recorded and maintained by the employer as responsible party must be processed in accordance with the Act.

The employer will thus ensure:

• There is lawful justification for the processing of Personal Information;

• The Personal Information being processed shall be relevant, adequate and not excessive having regard to the purpose for which it is processed;

• The employees shall be notified of the purposes of collection and processing of Personal Information, and the employer will consider each employees’ right to access, modification and erasure in light of the Act’s requirements.

Employees of Non Res SA (Pty) Ltd shall sign this compliance policy recording their obligations to adhere to the privacy policies, both with regard to the private information of the employer and the private information of clients and services providers that the employee may come in contact with in the course of his or her employment.

Non Res SA (Pty) Ltd will make every effort to maintain awareness of compliance with the privacy policies contained herein by way of regular training and updates to employees on the requirements of the Act.

The importance of compliance herein must not be underestimated. Employees who fail to take reasonable measures to ensure compliance with the Act will be made will be made subject to a disciplinary procedure or steps therein depending on the severity of non-compliance.

The disciplinary procedure is as follows:

1. Verbal warning;

2. Written warning;

3. Final written warning;

4. Suspension without pay (for a limited period);

5. Dismissal

10. ELECTRONIC DIRECT MARKETING AND CONSENT

Direct Marketing consists of any marketing that relies on direct communication or distribution to individual consumers with the object of persuading the recipient to take action.

Direct Marketing via any form of electronic communication including telephonic communication, automated calling machines, faxes, sms, emails or any other form of technology used for Direct Marketing purposes will no longer be permitted under the Act, unless the person to who the Direct Marketing is aimed, has given his or her consent to receive such electronic communication or is an existing customer.

For this purpose, the Non Res SA (Pty) Ltd may approach a person whose consent it required, and who has not previously withheld such consent, only once, in order to request the consent of such person.

For our existing customers, Non Res SA (Pty) Ltd may only send Direct Marketing to such person if the following requirements are met:

• The customer’s contact details were obtained in the context of a sale of a product or service;

• For the purpose of Direct Marketing or similar goods or services;

• The customer has been given a reasonable opportunity to object to the Direct Marketing at the time the personal information was collected and on every communication.

All Direct Marketing communications must contain the sender’s details and an “unsubscribe” option. Any communication sent for the purpose of Direct Marketing must contain the details of the identity of the sender or person on whose behalf the communication has been sent; and an address or other contact details to which the recipient may send a request that such communications cease. To facilitate said request for discontinuation, all marketing communications will require an “unsubscribe” or opt out function.

11. FURTHER COMPLIANCE CONSIDERATIONS

11.1. DATA BREACH NOTIFICATION

Where there are reasonable grounds to believe that a data subject’s Personal Information has been accessed or acquired by an unauthorized person, the responsible party or third party processing Personal Information on instruction from Non Res SA (Pty) Ltd, must notify the Information Regulator and the data subject. Notice to the data subject is not required if the identity of the data subject cannot be established.

Notification to the data subject must be:

• Made as soon as reasonably possible after the discovery of the breach;

• Sufficiently detailed;

• In writing; and

• Communicated to the data subject by mail to the data subjects last known physical or postal address, or by email to the data subject’s last known email address; or by placement in a prominent position on the website of the responsible party; or by publication in the news media; or as may be directed by the Information Regulator.

11.2. SANCTIONS

It has been noted above that the Information Regulator is responsible for the investigation and enforcement of the Act. A person contravenes the provisions of the Act if he/she/it:

• Hinders, obstructs or unlawfully influences the Information Regulator;

• Fails to comply with an information or enforcement notice;

• Gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation;

• Contravenes the conditions;

• Knowingly or recklessly, without the consent of the responsible party, obtains, discloses or procures the disclosure, sell, or offers to sell details of a data subject to another person;

Such a contravention will result in the party being guilty of an offence. Contravention of the Act could result in far-reaching sanctions, these include the imposition of fines of up to R10 million, imprisonment for a period of 12 months to 10 years and/or a damages claim by the data subject.

11.3. DATA RENTENTION

In terms of the Act, records of Personal Information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processes, in compliance with the processing principle of purpose limited referred to in Chapter 5.

The trigger for the application of data retention requirements will thus depend on the activities conducted by a responsible party.

Personal Information may however be retained for longer periods if:

• The retention of the record is required or authorized by law;

• The responsible party reasonably requires the record for lawful purposes related to its functions or activities;

• Retention of the record is required by a contract between the parties thereto; or

• The data subject or a competent person, where the data subject is a child, has consented to the retention or the record.

Notwithstanding these exceptions, records of Personal Information may be retained for periods in excess of these mentioned for historical, statistical, or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

11.4. DATA TRANSFER AND OUTSOURCING

The Act provides that a responsible party may not transfer Personal Information about a data subject to a third party in a foreign jurisdiction unless:

• The recipient is subject to a law or contract which: upholds principles of reasonable processing of the information that are substantially similar to the principles contained in the Act;

• Includes provision that are substantially similar to those contained in the Act relating to the further transfer of Personal Information from the recipient to third parties;

• The data subject consents to the transfer;

• The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or

• The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer, and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.