1.1. Purpose and scope
The Protection of Personal Information Policy is prescribed in terms of the Protection of Personal Information Act 4 of 2014 (POPI), as amended or substituted from time to time. The right to privacy is an integral human right, recognised and protected in the South African Constitution and in POPI. POPI aims to promote the protection of privacy by providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive way.
The Company, Essential Cleaning Services, is a cleaning services company and is necessarily involved in collecting, using and disclosing certain aspects of the personal information of its clients, employees and other stakeholders. As a responsible party, the Company must comply with POPI. POPI requires the Company to inform its clients and employees about the way their personal information is used, disclosed and destroyed.
A person’s right to privacy entails having control over their personal information and being able to conduct their affairs relatively free from unwanted intrusions. Given the importance of privacy, the Company is committed to effectively managing personal information, in accordance with POPI. The Company is committed to protecting the privacy of its clients and employees and ensuring that their personal information is used appropriately, transparently, securely, and in accordance with applicable laws. The Policy sets out the way the Company deals with its clients and employees’ personal information and stipulates the purpose for which the information is used, and how it is used.
The purpose of this Policy is to:
1.1.1. protect the Company from the compliance risks associated with the protection of personal information, which includes:
1.1.1.1. breaches of confidentiality;
1.1.1.2. reputational damage;
1.1.2. demonstrate the Company’s commitment to protecting the privacy rights of data subjects:
1.1.2.1. through stating desired behaviour and directing compliance with the provisions of POPI and best practice;
1.1.2.2. by cultivating a culture that recognises privacy as a valuable human right;
1.1.2.3. by developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information;
1.1.2.4. by creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the Company;
1.1.2.5. by assigning specific duties and responsibilities to control owners, including the appointment of an information officer, and where necessary, deputy information officers, to protect the interests of the Company and data subjects;
1.1.2.6. by raising awareness, through training and providing guidance to individuals who process personal information, so that they can act confidently and consistently.
2.2. Legislative framework
The reference to legislation, subordinate legislation and supervision documents includes amendments made from time to time.
2.2.1. Protection of Personal Information Act 4 of 2014 (POPI);
2.2.2. Promotion of Access to Information Act 2 of 2000 (PAIA);
2.2.3. Income Tax Act 58 of 1962;
2.2.4. Constitution of the Republic of South Africa, 1996 (Constitution).
2.3. Definitions
2.3.1. Competent person means any person who is legally competent to consent to any action, or decision, being taken in respect of any matter concerning a child;
2.3.2. Consent means any voluntary, specific and informed expression of will, in terms of which permission is given for the processing of personal information;
2.3.3. Data subject means the person to whom personal information relates;
2.3.4. De-identify, in relation to personal information of a data subject, means to delete any information that:
2.3.4.1. identifies the data subject;
2.3.4.2. can be used, or manipulated, by a reasonably foreseeable method, to identify the data subject; or
2.3.4.3. can be linked by a reasonably foreseeable method, to other information that identifies the data subject, and ‘de-identified’ has a corresponding meaning;
2.3.5. Direct marketing means to approach a data subject, either in person, or by mail, or electronic communication, for the direct, or indirect, purpose of:
2.3.5.1. promoting, or offering, to supply, in the ordinary course of business, any goods, or services, to the data subject; or
2.3.5.2. requesting the data subject to make a donation of any kind for any reason;
2.3.6. Head of, or in relation to, a private body means:
2.3.6.1. in the case of a natural person, that natural person, or any person duly authorised by that natural person;
2.3.6.2. in the case of a partnership, any partner of the partnership, or any person duly authorised by the partnership;
2.3.6.3. in the case of a juristic person:
2.3.6.3.1. the chief executive officer, or equivalent officer, of the juristic person, or any person duly authorised by that officer; or
2.3.6.3.2. the person who is acting as such, or any person duly authorised by such acting person;
2.3.7. Information officer of, or in relation to, a:
2.3.7.1. public body, means an information officer, or deputy information officer, as contemplated in terms of section 1 or 17 of PAIA; or
2.3.7.2. private body, means the head of a private body, as contemplated in section 1 of PAIA;
2.3.8. Operator means a person who processes personal information for a responsible party, in terms of a contract or mandate, without coming under the direct authority of that party;
2.3.9. Person means a natural person, or a juristic person;
2.3.10. Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
2.3.10.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
2.3.10.2. information relating to the education, or the medical, financial, criminal, or employment history, of the person;
2.3.10.3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment, to the person;
2.3.10.4. the biometric information of the person;
2.3.10.5. the personal opinions, views or preferences of the person;
2.3.10.6. correspondence sent by the person that is implicitly, or explicitly, of a private, or confidential, nature, or further correspondence that would reveal the contents of the original correspondence;
2.3.10.7. the views, or opinions, of another individual, about the person; and
2.3.10.8. the name of the person, if it appears with other personal information relating to the person, or if the disclosure of the name itself, would reveal information about the person;
2.3.11. Private body means:
2.3.11.1. a natural person who carries, or has carried on, any trade, business, or profession, but only in such capacity;
2.3.11.2. a partnership, which carries, or has carried on, any trade, business, or profession; or
2.3.11.3. any former, or existing, juristic person, but excludes a public body;
2.3.12. Processing means any operation, or activity, or any set of operations, whether, or not, by automatic means, concerning personal information, including:
2.3.12.1. the collection, receipt, recording, organisation, collation, storage, updating, or modification, retrieval, alteration, consultation, or use;
2.3.12.2. dissemination by means of transmission, distribution, or making available, in any other form; or
2.3.12.3. merging, linking, as well as restriction, degradation, erasure, or destruction, of information;
2.3.13. Public body means:
2.3.13.1. any department of state, or administration, in the national, or provincial, sphere of government, or any municipality, in the local sphere of government; or
2.3.13.2. any other functionary, or institution, when:
2.3.13.2.1. exercising a power, or performing a duty, in terms of the Constitution, or a provincial constitution; or
2.3.13.2.2. exercising a public power, or performing a public function, in terms of any legislation;
2.3.14. Record means any recorded information:
2.3.14.1. regardless of form or medium, including any of the following:
2.3.14.1.1. writing on any material;
2.3.14.1.2. information produced, recorded, or stored, by means of any tape-recorder, computer equipment, whether hardware, or software, or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
2.3.14.1.3. label, marking, or other writing that identifies, or describes, anything of which it forms part, or to which it is attached, by any means;
2.3.14.1.4. book, map, plan, graph or drawing;
2.3.14.1.5. photograph, film, negative, tape, or other device, in which one, or more, visual images are embodied, so as to be capable, with, or without, the aid of some other equipment, of being reproduced;
2.3.14.2. in the possession, or under the control of, a responsible party;
2.3.14.3. whether, or not, it was created by a responsible party; and
2.3.14.4. regardless of when it came into existence;
2.3.15. Regulator means the Information Regulator, established in terms of section 39 of POPI;
2.3.16. Re-identify, in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that:
2.3.16.1. identifies the data subject;
2.3.16.2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
2.3.16.3. can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘re-identified’ has a corresponding meaning;
2.3.17. Responsible party means a public, or private body, or any other person, which, alone, or in conjunction with others, determines the purpose of, and means for, processing personal information;
2.3.18. Special personal information means personal information, as referred to in section 26 of POPI;
2.3.19. Unique identifier means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject, in relation to that responsible party.
2.4. Personal information collected
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
2.4.1. The Company collects and processes data subjects’ personal information in terms of several other laws associated with the functions performed by the Company, including the Labour Relations Act, Employment Equity Act and FICA. As a cleaning company that provides cleaning services to clients and employs staff, the Company obtains personal information of potential and existing clients, as well as employees. In terms of FICA, the Company must perform initial and ongoing customer due diligence processes, and it performs similar due diligence during the employment of potential staff members. This includes establishing and verifying the identity of potential and existing clients, the beneficial owners, and other persons associated with the business relationship, and includes performing screening searches to determine the riskiness of the client and the overall business relationship, as well as the identity verification and background checks done on candidates for employment. The type of information depends on the purpose for which it is collected and will be processed for that purpose only. Wherever possible, the Company will inform the client and the potential candidate employee about the information required and the information deemed optional.
2.4.2. Employees of the Company are also data subjects, and the Company collects personal information of potential and existing employees, in terms of employment laws.
2.4.3. Examples of personal information that we collect from data subjects includes:
2.4.3.1. Identity number, passport number, date of birth, nationality, full name, physical and postal addresses, marital status, income tax number, number of dependants, race, gender, etc.;
2.4.3.2. Description of residence, business, assets, liabilities, financial information, banking details, etc.;
2.4.3.3. Qualifications, education, employment history, criminal history, credit history, etc.;
2.4.3.4. Any other information required by the Company, its product suppliers, third party service providers, etc.
2.4.4. The Company also collects and processes clients’ personal information for marketing purposes, to ensure that our services remain relevant to our clients and potential clients.
2.4.5. From the effective date of the regulations to POPI, if the Company wants to engage in direct marketing, it must use the prescribed Form 4, as contained in the regulations, to apply for the consent of a data subject, for processing personal information for the purpose of direct marketing.
2.4.6. The Company aims to have agreements in place with all product suppliers, and third-party service providers, to ensure a mutual understanding regarding the protection of clients’ personal information. The Company’s product suppliers will be subject to the same regulations, as applicable to the Company, in terms of the protection of clients’ personal information.
2.5. Use of personal information
2.5.1. The Company only processes personal information lawfully and reasonably, in a way that does not infringe the privacy of the data subject.
2.5.2. The Company only processes personal information if:
2.5.2.1. the data subject, or a competent person (only where the data subject is a child), consents to the processing. For example, consent is obtained from clients during the introductory, appointment and needs analysis stage of the business relationship;
2.5.2.2. processing is necessary to carry out actions for the conclusion, or performance, of a contract to which the data subject is party. For example, to conduct an accurate analysis of the client’s servicing needs and objectives;
2.5.2.3. processing complies with an obligation imposed by law on the responsible party. For example, as required by FICA, employment related legislation, tax related legislation;
2.5.2.4. processing protects a legitimate interest of the data subject;
2.5.2.5. processing is necessary for pursuing the legitimate interests of the Company, or its third-party service providers, to whom the information is supplied.
2.5.3. Clients’ personal information will only be used for the purpose for which it was collected, and as agreed with the client, and the processing is adequate, relevant and not excessive, which purpose may include (if applicable):
2.5.3.1. Providing cleaning products and equipment or services to clients, carrying out the instructions related thereto;
2.5.3.2. Confirming, verifying and updating information;
2.5.3.3. Detecting and preventing fraud, crime, money laundering, or other unlawful activities;
2.5.3.4. Determining riskiness of client and business relationship;
2.5.3.5. Conducting market or customer satisfaction research;
2.5.3.6. Audit and record keeping;
2.5.3.7. In connection with legal proceedings;
2.5.3.8. Activities relating to maintaining and improving the business relationship;
2.5.3.9. Providing communication about the Company, its cleaning products, equipment and services, and regulatory matters that may affect clients; and
2.5.3.10. In connection with, and complying with, legal and regulatory requirements, or when it is otherwise allowed by law.
2.5.4. Employees’ personal information will only be used for the purpose for which it was collected, and as agreed with the employee, and the processing is adequate, relevant and not excessive, which purpose may include (if applicable):
2.5.4.1. Confirming, verifying and updating information, including aspects such as qualifications, education, employment history, criminal history;
2.5.4.2. Detecting and preventing fraud, crime, money laundering, or other unlawful activities;
2.5.4.3. In connection with legal proceedings;
2.5.4.4. Audit and record keeping;
2.5.4.5. In connection with, and complying with, legal and regulatory requirements, or when it is otherwise allowed by law.
2.6. Disclosure of personal information
2.6.1. The Company may disclose a client’s personal information to any of the Company’s associates, relevant product suppliers, and relevant third-party service providers. The Company has agreements in place, to ensure compliance with the confidentiality and privacy conditions.
2.6.2. The Company may also share a client’s personal information with, and obtain information about a client from, third parties, but only for the reasons specified in this Policy.
2.6.3. The Company may also disclose a client’s information where it has a duty, or a right, to disclose the information in terms of applicable legislation, the law, or where it may be deemed necessary, to protect the rights of the Company.
2.7. Safeguarding personal information
2.7.1. Personal information of data subjects must be adequately protected. The Company continuously reviews its security controls and processes, to ensure that personal Information is secure.
2.7.2. The Company is a responsible party that is a juristic person and a private body. Therefore, the information officer must be the chief executive officer of the Company, or a person duly authorised by the chief executive officer.
2.7.3. The chief executive officer has authorised Peter Mead as the information officer, whose contact details are reflected elsewhere in this Policy, and who is responsible for compliance with the conditions of the lawful processing of personal information and other provisions of POPI and the regulations thereto.
2.7.4. This Policy has been put in place throughout the Company, and training on this Policy and POPI will be conducted regularly.
2.7.5. Each new employee must sign an employment contract, containing relevant consent clauses for the use and storage of employee personal information, or any other action required, in terms of POPI.
2.7.6. Current employees must sign an addendum to their employment contracts, containing relevant consent clauses for the use and storage of employee personal information, or any other action required, in terms of POPI, if the relevant clauses are not included in the employment contracts.
2.7.7. Archived client personal information is stored within the company’s software infrastructure, and this information is backed up in terms of our IT Strategy policy. Access to retrieve the archived personal information is restricted to individuals authorised by the information officer.
2.7.8. The agreements that the Company has in place with its product suppliers and third-party service providers must stipulate that the product suppliers and third-party service providers are responsible for complying with POPI and the regulations thereto.
2.7.9. Electronic files and data are backed up daily.
2.8. Access to, and correction of, personal information
2.8.1. Clients have the right to access the personal information the Company holds about them. Clients also have the right to ask the Company to update, correct, or delete, their personal information, on reasonable grounds.
2.8.2. If a client objects to the processing of their personal information, the Company may no longer process the personal information.
2.8.3. The Company will take all reasonable steps to confirm a client’s identity, before providing details of, or making changes to, their personal information.
2.8.4. From the effective date of the regulations to POPI, data subjects must submit their objection to the Company, using the prescribed Form 1, as contained in the regulations.
2.8.5. From the effective date of the regulations to POPI, data subjects must submit their request for correction, or deletion, to the Company, using the prescribed Form 2, as contained in the regulations.
2.8.6. Information officer contact details
Full name: Peter Mead
Email address: email@example.com
Telephone number/s: 021 448 1705
2.8.7. Company’s head office details
6 Burke Street,
Contact email address: firstname.lastname@example.org
Contact telephone number/s: 021 4481705
3. Retention and confidentiality of documents, information and electronic transactions
3.1. Purpose and scope
The purpose of this Policy is to exercise effective control over the retention and confidentiality of documents, information and electronic transactions, as prescribed by legislation and as dictated by business practice.
Documents must be retained, in accordance with legislation, to prove the existence of facts, and to exercise the rights of the Company. Documents are also necessary for defending legal action, for establishing what was said, or done, in relation to the functions of the Company, and to mitigate the Company’s reputational risks.
This Policy also helps to ensure that the Company’s interests are protected and that the Company’s and clients’ rights to privacy and confidentiality are not breached. The Policy applies to all documents, information and electronic transactions, generated within, and/or received by, the Company.
Queries may be referred to the compliance function, or the information officer.
3.2. Legislative framework
The reference to legislation, subordinate legislation and supervision documents includes amendments made from time to time.
3.2.1. Protection of Personal Information Act 4 of 2014 (POPI);
3.2.2. Promotion of Access to Information Act 2 of 2000 (PAIA);
3.2.3. Financial Intelligence Centre Act 38 of 2001 (FICA);
3.2.4. Income Tax Act 58 of 1962;
3.2.5. Companies Act 71 of 2008;
3.2.6. Electronic Communications and Transactions Act 25 of 2002 (ECTA);
3.2.7. Constitution of the Republic of South Africa, 1996 (Constitution).
3.2.8. Labour Relations Act 66 of 1995;
3.2.9. Employment Equity Act 55 of 1998.
3.3. Definitions
The below definitions, which are not elsewhere included in this Policy, are relevant.
3.3.1. Clients includes, but is not limited to, persons that the Company has business relationships with, persons to whom the Company provides cleaning products or services, shareholders, debtors, creditors, as well as the affected employees and/or departments, relating to the functions of the Company;
3.3.2. Confidential information refers to all information, or data, disclosed to, or obtained by, the Company, by any means whatsoever;
3.3.3. Data refers to electronic representations of information, in any form;
3.3.4. Documents includes books, records, security, or accounts, and any information that has been stored, or recorded, electronically, magnetically, mechanically, electromechanically, or optically, or in any other form;
3.3.5. Electronic communication refers to a communication by means of data messages;
3.3.6. Electronic signature refers to data attached to, incorporated in, or logically associated with, other data, and which is intended by the user/person to serve as a signature;
3.3.7. Electronic transactions include emails sent and received.
3.4. Access to documents
3.4.1. All Company, employee and client information must be dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
3.4.1.1. where disclosure is compulsory, in terms of legislation;
3.4.1.2. where there is a duty to the public, to disclose;
3.4.1.3. where the interests of the Company require disclosure; and
3.4.1.4. where disclosure is made with the express, or implied, consent, of the client.
3.5. Disclosure to third parties
3.5.1. Employees have a duty of confidentiality to the Company and its clients.
3.5.2. The Company’s clients’ right to confidentiality is protected in the Constitution, and in terms of the ECTA. Information may only be given to a third party if the client has consented, in writing, to that person receiving the information.
Requests for the Company’s information are dealt with in terms of the PAIA, which gives effect to the constitutional right of access to information held by the State, or any person (natural and juristic), that is required for the exercise, or protection, of rights. However, private bodies, like the Company, must refuse access to records, if disclosure would constitute an action of breaching the duty of secrecy owed to a third party.
3.5.3. Requests must be made in writing, on the prescribed form, to the compliance function, or the information officer. The requesting party must state the reason for wanting the information and must pay a prescribed fee.
3.5.4. Confidential company and/or business information may not be disclosed to third parties, as this may constitute industrial espionage. The affairs of the Company must always be kept strictly confidential.
3.5.5. The Company views any contravention of this Policy very seriously, and employees who are guilty of contravening the Policy will be subject to disciplinary procedures, which may lead to the dismissal of any guilty party.
3.6. Retaining documents
Certain legislation specifies requirements for documents that must be retained, as well as how long those documents must be retained, some of which are detailed below.
3.6.1. Companies Act 71 of 2008
3.6.1.1. Hard copies of the following documents must be retained for 7 years:
3.6.1.1.1. Any documents, accounts, books, writing, records, or other information, that a company is required to keep, in terms of the Act;
3.6.1.1.2. Notice and minutes of all shareholder meetings, including resolutions adopted and documents made available to holders of securities;
3.6.1.1.3. Copies of reports presented at the annual general meeting of the Company;
3.6.1.1.4. Copies of annual financial statements, required by the Act;
3.6.1.1.5. Copies of accounting records, required by the Act;
3.6.1.1.6. Records of directors and past directors, after the director has retired from the Company;
3.6.1.1.7. Written communication to holders of securities; and
3.6.1.1.8. Minutes and resolutions of directors’ meetings, audit and risk committee meetings.
3.6.1.2. Copies of the following documents must be retained indefinitely:
3.6.1.2.1. Registration certificate;
3.6.1.2.2. Memorandum of Incorporation and alterations and amendments thereto;
3.6.1.2.3. Rules of the Company (if applicable);
3.6.1.2.4. Securities register and uncertified securities register;
3.6.1.2.5. Register of company secretary and auditors; and
3.6.1.2.6. Register of disclosure of persons who hold a beneficial interest equal to, or in excess of, 5% of the securities of that class issued (for regulated companies, i.e. companies to which chapter 5, part B, C and Takeover Regulations apply).
3.6.2. Financial Intelligence Centre Act 38 of 2001
3.6.2.1. As part of the customer due diligence process, employees must ensure that all records relating to the customer due diligence information obtained about clients, or prospective clients, are kept. These records must be kept for at least 5 years from the date that the business relationship is terminated, or from the date of the conclusion of the single transaction, respectively.
3.6.2.2. The records must include:
3.6.2.2.1. copies of, or references to, information provided to, or obtained by, the Company, to verify a person’s identity; and
3.6.2.2.2. in addition, for business relationships, information about:
3.6.2.2.2.1. the nature of the business relationship;
3.6.2.2.2.2. the intended purpose of the business relationship; and
3.6.2.2.2.3. the source of the funds that the prospective client expects to use for transacting during the business relationship.
3.6.2.3. The Company will keep record of every transaction, whether the transaction is a single transaction, or concluded during a business relationship, which transactions are reasonably necessary to enable that transaction to be readily reconstructed.
3.6.2.4. The records must include:
3.6.2.4.1. amount involved and the currency in which it was denominated;
3.6.2.4.2. date on which the transaction was concluded;
3.6.2.4.3. parties to the transaction;
3.6.2.4.4. nature of the transaction;
3.6.2.4.5. business correspondence; and
3.6.2.4.6. if the Company provides account facilities to its clients, the identifying particulars of all accounts, and the account files at the Company that are related to the transaction.
3.6.2.5. These records must be kept for at least 5 years from the date that the transaction was concluded.
3.6.2.6. The Company must ensure that electronically kept records are backed-up frequently, and can be reproduced in a legible format.
3.6.2.7. If the Company has appointed a third party to keep records on its behalf, the Company will immediately provide the relevant departments of the Authority with the following details of the third party:
3.6.2.7.1. full name, if the third party is a natural person; or
3.6.2.7.2. registered name, if the third party is a close corporation or company;
3.6.2.7.3. name under which the third-party conducts business;
3.6.2.7.4. full name and contact particulars of the individual who exercises control over access to the records;
3.6.2.7.5. address where the records are kept;
3.6.2.7.6. address from where the third-party exercises control over the records; and
3.6.2.7.7. full name and contact particulars of the individual who liaises with the third party, on behalf of the Company, regarding the retention of the records.
The Company will ensure that it has easy access to the customer due diligence and transaction records, and that they are readily available to the Centre and the relevant departments of the Authority.
3.7. Destroying documents
3.7.1. Documents may be destroyed after the termination of the retention period specified in the relevant legislation.
3.7.2. Each department is responsible for attending to the destruction of its documents, which must be done regularly. Files must be checked, to ensure that the documents may be destroyed, and to ascertain whether there are important original documents in the file. Original documents must be returned to the holder thereof, failing which, they should be retained by the Company, pending return.
3.7.3. After performing this process, the head of the relevant department shall, in writing, authorise the removal and destruction of the documents in the authorisation document.
3.7.4. The documents are then made available for collection by the removers of the Company’s documents, who also ensure that the documents are shredded before disposal. This helps to ensure confidentiality of information. The removers of the Company’s documents provide the Company with a certificate of destruction, whenever documents are destroyed.
3.7.5. Documents may also be stored off-site, in storage facilities, approved by the Company, as long as the relevant authorities are informed thereof.
4. Amending the policy
Amendments to, or a review of this Policy, will take place as may be necessary, but at least annually. Where material changes take place, clients will be notified directly.