Privacy Policy

1. Introduction

The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPI Act”).

The POPI Act aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.

Through the provision of quality services and goods, Southey Contracting (Pty) Ltd is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees and other stakeholders. Given the importance of privacy, the Company is committed to effectively managing personal information in accordance with the provisions of the POPI Act.

2. Definitions

Personal information:
Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.

Data subject:
A data subject refers to the natural or juristic person to whom personal information relates.

Responsible party:
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the Company is the responsible party

Information Officer:
The Information Officer is responsible for ensuring the Company’s compliance with the POPI Act.

Processing:
The act of processing information includes any activity or any set of operations, whether by automatic means, concerning the personal information, and includes:

        • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
        • Dissemination by means of transmission, distribution or making available in any other form
        • Merging, linking, as well as any restriction, degradation, erasure or destruction of information.

3. Policy Purpose

The purpose of this policy is to protect the organisation from the compliance risks associated with the protection of personal information.

This policy demonstrates the Company’s commitment to protecting the privacy rights of data subjects in the following manner:

        • Through stating desired behaviour and directing compliance with the provisions of the POPI Act and best practice
        • By cultivating an organisational culture that recognises privacy as a valuable human right
        • By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information
        • By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the Company

4. Policy Application

This policy and its guiding principles apply to:

        • All branches, business units, divisions and subsidiaries of the Company
        • All employees
        • The directors of the Company
        • All contractors, suppliers, external providers and other persons acting on behalf of the Company

 

The policy’s guiding principles must be read in conjunction with the POPI Act as well as Southey Holdings’ PAIA Manual as required by the Promotion of Access to Information Act No. 2 of 2000.

The legal duty to comply with the POPI Act’s provisions is activated in any situation where there is a processing of personal information, entered into a record by or for a responsible person who is domiciled in South Africa.

5. Rights of Data Subjects

The right to access personal information:
The Company recognises that a data subject has the right to establish whether the Company holds personal information related to them, including the right to request access to that personal information.

The right to have personal information corrected or deleted:
The data subject has the right to request, where necessary, that their personal information must be corrected or deleted where the organisation is no longer authorised to retain the personal information

The right to object to the processing of personal information:
The data subject has the right, on reasonable grounds, to object to the processing of their personal information. In such circumstances, the Company will give due consideration to the request and the requirements of the POPI Act.

The right to object to direct marketing:
The data subject has the right to object to the processing of their personal information for purposes of direct marketing by means of unsolicited electronic communications.

The right to complain to the Information Regulator:
The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under the POPI Act and to institute civil proceedings regarding the alleged non-compliance with the protection of their personal information.

The right to be informed:
The data subject has the right to be notified that their personal information is being collected by the Company.

The data subject also has a right to be notified in any situation where the Company has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.

6. General Guiding Principles

Accountability:
The Company will ensure that the provisions of the POPI Act and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, the Company will take appropriate sanctions against those individuals who, through intentional or negligent actions and/ or omissions, fail to comply with the principles outlined in this policy.

Processing limitation:
The Company will ensure that personal information under its control is processed:

  • In a fair, lawful and reasonable manner
  • Only with the informed consent of the data subject
  • Only for a specifically defined purpose

The Company will inform the data subject of the reasons for collecting their personal information and obtain written consent prior to processing personal information.

The Company will under no circumstances disclose personal information unless it has a duty or right to do so in terms of applicable legislation, the law, or where it may be necessary to protect the Company’s rights.

Purpose specification:
The Company will process personal information only for specific, explicitly defined and legitimate reasons. The Company will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.

Further processing limitation:
Where the Company seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.

Information quality:
The Company will take reasonable steps to ensure that all personal information collected is relevant, complete, accurate and not misleading, and is updated where necessary.

Where personal information is collected or received from third parties, the organisation will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent resources.

Open communication:
The Company will take reasonable steps to ensure that data subjects are notified and are aware that their personal information is being collected, including the purpose for which it is being collected and processed.

Security safeguards:
The Company will manage the security of its systems to ensure that personal information is adequately protected. To this end, security controls will be implemented to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction of personal information.

The Company will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the Company’s IT network.

The Company will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals

Data subject participation:
A data subject may request the correction or deletion of their personal information held by the Company. The Company will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information.

7. Information Officer

The Company has appointed an Information Officer, who is responsible for ensuring compliance with the POPI Act. The details of the Information Officer are as follows:

Name: Peter Ringelmann
Tel: 031 533 0700
Email: pringelmann@southey.co.za
Fax: 031 569 6592

8. Request to Access Personal information – Procedure

Data subjects have the right to:

    • Request what personal information the Company holds about them and why
    • Request access to their personal information
    • Be informed how to keep their personal information up to date

Access to information requests can be made by email to the Information Officer. The Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against Southey Holdings PAIA manual. The Information Officer will process all requests within a reasonable time.

9. POPI Complaints Procedure

Data subjects have the right to complain in instances where any of their rights under the POPI Act have been infringed upon. The Company takes all complaints very seriously and will address all POPI Act- related complaints in accordance with the following procedure:

 

  • POPI complaints must be submitted to the Information Officer in writing
  • The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint
  • The Information Officer will carefully consider the complaint and address the complainant’s concerns in a fair manner and in accordance with the principles outlined in the POPI Act
  • The Information Officer will revert to the complainant with a proposed solution within 7 working days of receipt of the complaint
  • Where the data subject is not satisfied with the Information Officer’s suggested solution, the data subject has the right to complain to the Information Regulator
  • The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting

10. Disciplinary Action

Where a POPI complaint or a POPI infringement investigation has been finalised, the Company may take any appropriate administrative, legal and/ or disciplinary action against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.

Any gross negligence or the wilful mismanagement of personal information will be considered a serious form of misconduct for which the organisation may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.