PROTECTION OF PERSONAL INFORMATION ACT 4 of 2013
DATA PROTECTION POLICY IN RESPECT OF YOU’VE EARNED IT (“YEI”)
YOU’VE EARNED IT (PTY) LTD
- WHAT IS YEI?
- YEI is a digital news, promotions, and competitions subscriber directory for persons over the age of 60.
- YEI is located in Cape Town, South Africa.
- Marilyn Hallett has been duly appointed to be the Information Officer of YEI and is the person with whom to liaise in relation to the Protection of Personal Information Act 4 of 2013 (“the Act”).
- PURPOSE OF THIS DOCUMENT
This document sets out:- what personal information YEI processes,
- why it collects this information and what it is used for,
- how it stores that information and for how long; and
- how you can contact YEI to ask them about your personal information.
- You can find this document on YEI’s website located at https://youve-earned-it.co.za/ or you can request a copy of it from the Information Officer, using the details below.
- THE PURPOSE OF THE ACT
- The purpose of the Act is to ensure the protection of personal information which is processed by public and private institutions. It does this by:
- introducing certain minimum requirements when it comes to the processing of personal information,
- allowing for the creation of a regulator to enforce the various provisions of the Act;
- allowing for codes of conduct to be issued that apply to all private and public bodies that process personal information;
- protecting your rights as a data subject when it comes to receiving unsolicited electronic communications and where decisions relating to your personal information are made by an automated system; and
- to regulate when and how your personal information may be sent outside the borders of South Africa.
- The purpose of the Act is to ensure the protection of personal information which is processed by public and private institutions. It does this by:
- SOME IMPORTANT DEFINITIONS
- In order to make sense of your rights in terms of this document, it is important that certain definitions contained in section 1 of the Act are explained:
- Data subject: This is the person to whom the personal information relates.
- Personal Information: This is extensively defined as follows:
- Information relating to your race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;
- Information relating to your education or to your medical, financial, criminal or employment history;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment particular to you;
- your biometric information;
- your personal opinions, views or preferences of the person;
- correspondence sent by you that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about you; and
- your name if it appears with other personal information relating to you or if the disclosure of your name itself would reveal information about you.
- and divided into two categories of “personal information” which may generally be processed, as long as the minimum requirements of the Act are met, and “special personal information” which may not generally be processed unless specific exceptions apply as defined in the Act.
- Processing: this includes any of the following actions in relation to personal information:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information
- Record: this refers to personal information in the possession or under the control of a responsible party (regardless of who created it or when it was created) which is in any of the following forms:
- writing on any material;
- information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- book, map, plan, graph or drawing;
- photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
- Responsible party: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In this case, YEI is the Responsible Party.
- Operator: this is a person who processes personal information on behalf of a Responsible Party in terms of a contract or mandate.
- Filing system: any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
- In order to make sense of your rights in terms of this document, it is important that certain definitions contained in section 1 of the Act are explained:
- CONTACT DETAILS OF INFORMATION OFFICER
- Attention: Marilyn Hallett
- Postal Address: 16 Oberon Way, Meadowridge, 7806, Cape Town
- Physical address: 16 Oberon Way, Meadowridge, 7806, Cape Town
- Telephone: +27 21 715 7805
- E-mail: marilyn.hallett@youve-earned-it.co.za
- WHAT KIND OF PERSONAL INFORMATION IS HELD BY YEI?
- PERSONAL INFORMATION BELONGING TO YEI’S SUBSCRIBERS WHO USE YEI’S SERVICES:
- Personal information belonging to juristic persons:
- natural person, company or close corporation identity/registration number, business logo, personal/business e-mail addresses, the physical and postal address, telephone number and location information.
- Personal information belonging to natural persons
- Where subscribers are natural persons:
- full name, e-mail addresses, the physical and postal address, telephone number and location information.
- Information belonging to natural persons who are representatives of juristic persons
- full name, business e-mail address, place of employment, address of employer and business telephone number.
- PERSONAL INFORMATION BELONGING TO EMPLOYEES OF YEI
- information relating to the name, race, gender, national, ethnic or social origin, age, and birthdate of employees;
- information relating to the education, and employment history of employees;
- South African identity number, personal e-mail address, physical address, personal telephone numbers, location information and online identifiers of employees;
- private and confidential correspondence with employees; and
- records of a personal information stored by employees in YEI’s physical or electronic filing system(s).
- PERSONAL INFORMATION BELONGING TO THIRD PARTY SERVICE PROVIDERS OF YEI
- bank account details;
- company or close corporation registration number, full name of authorised representatives, South African identity number, business logo, business e-mail addresses, the physical and postal address, telephone number and location information, VAT numbers.
- Where subscribers are natural persons:
- Personal information belonging to juristic persons:
- PERSONAL INFORMATION BELONGING TO YEI’S SUBSCRIBERS WHO USE YEI’S SERVICES:
- WHY IS THE PERSONAL INFORMATION ABOVE COLLECTED BY YEI AND WHAT IS IT USED FOR?
- PERSONAL INFORMATION BELONGING TO SUBSCRIBERS OF YEI
- YEI requires the information collected from its subscribers, that are both natural and juristic persons, to provide them with newsletters, promotions, and competitions. YEI processes the information necessary to provide these services. YEI may make this information available to operators to ensure that the services are provided to the very best of YEI’s abilities and to the highest standards. All operators have signed documentation confirming that personal information received from YEI is to be used solely to the purpose for which it is given to them. Such operators are prohibited from further processing the personal information given to them and have confirmed that they have systems in place that make sure that they are compliant with the requirements of the Act.
- THE PERSONAL INFORMATION SOUGHT BY YEI IS MANDATORY IN NATURE. SHOULD SUBSCRIBERS NOT PROVIDE THE PERSONAL INFORMATION SOUGHT, YEI WILL NOT BE ABLE TO PROVIDE ITS SERVICES.
- PERSONAL INFORMATION BELONGING TO EMPLOYEES OF YEI
- YEI is committed to good governance and compliance. No personal information in respect of any employees will be used for any other reason besides what it is provided for. Any staff database kept by YEI will be for the purpose of managing the employment relationship between YEI and its employees only. No personal information pertaining to any employee will be provided to any third person unless in accordance with the Act, any relevant Labour Law legislation or with the express consent of the employee.
- PERSONAL INFORMATION BELONGING TO THIRD PARTY SERVICE PROVIDERS OF YEI
- YEI requires the information collected from third party service providers that are both natural and juristic persons in order to do business with them. YEI takes its compliance obligations very seriously and requires the information processed in order to conclude agreements regarding the relationship between YEI and its service providers, many of whom may be operators as defined in the Act.
- YEI processes the information necessary in order to provide these services and to conclude these agreements. YEI may make this information available to other operators to ensure that the services are provided to the very best of YEI’s abilities and to the highest standards for its subscribers. All operators and third-party service providers have signed documentation confirming that personal information received from YEI and its operators is to be used solely to the purpose for which it is given to them. Such operators and third parties are prohibited from further processing the personal information given to them and have confirmed that they have systems in place that make sure that they are compliant with the requirements of the Act.
- THE PERSONAL INFORMATION SOUGHT BY YEI IS MANDATORY IN NATURE. SHOULD THIRD PARTIES AND OPERATORS NOT PROVIDE THE PERSONAL INFORMATION SOUGHT, YEI WILL NOT BE ABLE TO CONCLUDE AGREEMENTS WITH THEM AND THEREFORE NOT DO BUSINESS WITH THEM.
- WHERE IS THE PERSONAL INFORMATION COLLECTED BY YEI STORED AND WHAT SECURITY MEASURES ARE IN PLACE?
- Personal information is stored both electronically and in hard copy in YEI’s filing system(s).
- Electronic information is encrypted and stored on a cloud based system. Personal information is also saved on the YEI PC and laptops.
- YEI has a physical security policy as well as a policy pertaining to the use of electronic data by employees which policies are internal and kept by the Information Officer. These policies are not available to the public save where YEI is forced to make same available in terms of law so as to protect the information held by YEI.
- PERSONAL INFORMATION BELONGING TO SUBSCRIBERS OF YEI
- WHEN WILL YEI MAKE PERSONAL INFORMATION AVAILABLE TO THIRD PARTIES (OTHER THAN OPERATORS)
- YEI will not reveal any personal information to anyone outside of YEI unless:
- It is compelled to comply with legal and regulatory requirements or when it is otherwise allowed by law;
- It is in the public interest;
- YEI needs to do so to protect their rights.
- YEI is running a partnership promotion or competition – entrants are asked to agree to their information being shared with partners or clients who are running the competition.
- YEI endeavours to take all reasonable steps to keep secure any information which they hold about an individual, and to keep this information accurate and up to date. If at any time, an individual discovers that information gathered about them is incorrect, they may contact YEI to have the information corrected. Where information has been disclosed to employees of YEI, YEI has agreements in place to ensure that compliance with confidentiality and privacy conditions.
- YEI recognises the importance of protecting the privacy of information collected about individuals, in particular, information that can identify an individual (“personal information”).
- YEI will not reveal any personal information to anyone outside of YEI unless:
- TRANSBORDER INFORMATION FLOWS
- YEI will not transmit personal information internationally, unless consent has been obtained, or it is necessary to perform our contractual obligations, and it benefits our subscribers or third party service providers. If personal information is transmitted internationally, we ensure that it is subject to data protection laws that are substantially similar to POPIA (e.g. European Union GDPR and other country specific information privacy protection laws).
- FOR HOW LONG IS PERSONAL INFORMATION KEPT BY YEI?
- COMPANIES ACT NO. 71 OF 2008, as amended:
The Companies Act as amended requires records must be kept “in written form, or other form or manner that allows that information to be converted into written form within a reasonable time.” Such as the following for an indefinite period:
- Notice of Incorporation (Registration certificate);
- Certificate of change of name (if any);
- Memorandum of Incorporation and alterations or amendments;
- Rules;
- Register of company secretary and auditors;
- Regulated companies (companies to which chapter 5, part B, C and Takeover Regulations apply) register of disclosures of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued;
- Security register and uncertificated securities register.
The following records for 7 years:
- Notice and minutes of all shareholders meeting including Resolutions adopted and documents made available to holders of securities;
- Copies of reports presented at the annual general meeting of the company;
- Copies of annual financial statements;
- Copies of accounting records;
- Record of directors and past directors, after the director has retired from the company;
- Written communication to holders of securities;
- Minutes and resolutions of directors’ meetings, audit committee and directors’ committees.
- CLOSED CORPORATION ACT NO. 69 OF 1984, as amended:
The Closed Corporation Act as amended requires that hardcopies and/or electronic copies of the following documents are kept for a total of 15 years:
- Accounting records, including supporting schedules to accounting records and ancillary accounting records;
- Annual financial statements, including annual accounts and the report of the accounting officer;
The following documentation is required to be kept for an indefinite period:
- Record of Members and past members, after the member has retired from the company;
- Minutes and resolutions of the members of the company.
- CONSUMER PROTECTION ACT NO. 68 OF 2008, as amended:
The Consumer Protection Act seeks to protect the interests of Consumers and as such requires YEI as a service provider to retain and maintain the following records of consumers for a period of at least 3 years:
- Full names, physical address, postal address and contact details;
- ID number and registration number;
- Contact details of public officer in case of a juristic person;
- Service rendered;
- Intermediary fee;
- Cost to be recovered from the consumer;
- Frequency of accounting to the consumer;
- Amounts, sums, values, charges, fees, remuneration specified in monetary terms;
- Disclosure in writing of a conflict of interest by the intermediary in relevance to goods or service to be provided;
- Record of advice furnished to the consumer reflecting the basis on which the advice was given;
- Written instruction sent by the intermediary to the consumer;
- Conducting a promotional competition refer to Section 36(11) (b) and Regulation 11 of Promotional Competitions;
- Documents in respect of Section 45 and Regulation 31 for Auctions.
- COMPENSATION FOR OCCUPATIONAL INJURIES AND DISEASES ACT NO. 130 OF 1993:
Section 81(1) and (2) of the Compensation for Occupational Injuries and Diseases Act requires a retention period of 4 years for the documents mentioned below:
- Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.
- Section 20(2) documents with a required retention period of 3 years:
- Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation;
- Records of incidents reported at work.
- BASIC CONDITIONS OF EMPLOYMENT ACT NO. 75 OF 1997:
The Basic Conditions of Employment Act requires a retention period of 3 years for the documents mentioned below:
- Written particulars of an employee after termination of employment;
- Employee’s name and occupation;
- Time worked by each employee;
- Remuneration paid to each employee;
- Date of birth of any employee under the age of 18 years.
- EMPLOYMENT EQUITY ACT NO. 55 OF 1998:
- Section 26 and the General Administrative Regulations, 2014, requires a retention period of 3 years for the documents mentioned below:
- Records in respect of the company’s workforce, employment equity plan and other records relevant to compliance with the Act;
- UNEMPLOYMENT INSURANCE ACT NO. 63 OF 2002:
Section 56(2)(c) requires a retention period of 5 years, from the date of submission, for the documents mentioned below:
- personal records of each of their current employees in terms of their names, identification number, monthly remuneration and address where the employee is employed.
- ACCESS TO AND CORRECTION OF INFORMATION
- Subscribers, employees and third parties have the right to access the personal information YEI holds about them. Subscribers and other people whose data YEI holds also have the right to ask YEI to update, correct or delete their personal information on reasonable grounds. Once a subscriber or such other person objects to the processing of their personal information, YEI may no longer process said personal information unless YEI is obliged to in terms of its contractual obligations. YEI will take all reasonable steps to confirm its subscribers’ identity before providing details of their personal information or making changes to their personal information;
- All employees have a duty of confidentiality in relation to the Company and subscribers. Information on subscribers: Our subscribers’ right to confidentiality is protected in the Constitution and in terms of ECTA. Information may be given to a 3rd party if the subscriber has consented in writing to that person receiving the information or if it is required by law.
- If YEI duly and diligently searches for a record and it is believed that the record either does not exist or cannot be found, the subscriber or requester will be notified accordingly. This notification will include the steps that were taken the attempt to locate the record.
- DELETION AND DESTRUCTION OF INFORMATION
- Subscribers, employees and third parties have the right to access the personal information YEI holds about them. Subscribers and other people whose data YEI holds also have the right to ask YEI to update, correct or delete their personal information on reasonable grounds. Once a subscriber or such other person objects to the processing of their personal information, YEI may no longer process said personal information unless YEI is obliged to in terms of its contractual obligations. YEI will take all reasonable steps to confirm its subscribers’ identity before providing details of their personal information or making changes to their personal information.
- FORM OF REQUEST
- The requester must use the prescribed form to make the request for access to a record. This must be made to the information officer. This request must be made to the address, or electronic mail address of the information officer.
- The requester must provide sufficient detail on the request form to enable the information officer to identify the record and the requester. The requester should also indicate which form of access is required. The requester should also indicate if he or she wishes to be informed in any other manner and state the necessary particulars to be so informed.
- The requester must identify the right that he or she is seeking to exercise or protect and provide an explanation as to why the requested record is required for the exercise or protection of that right.
- If a request is made on behalf of a person, the requester must submit proof of the capacity in which the requester is making the request to the satisfaction of the information officer.
- The form in which a request to access personal information is made can be found in Annexure A at the end of this policy document.
- The form in which a request to object, correct, delete/destroy personal information is made can be found in Annexure B at the end of this policy document.
- FEES
- The information officer must notify the requester (other than a personal requester) by notice, requiring the requester to pay the relevant fee before further processing the request. A personal requester does not pay such fee.
- The requester may lodge an application to the court against the tender or payment of the request fee.
- The information officer will then decide on the request and notify the requester in the required form.
- If the request is granted then a further access fee must be paid for the search, reproduction, preparation and for any time that had exceeded the prescribed hours to search and prepare the record for disclosure.
- AVAILABILITY OF THE MANUAL
- The manual is available for inspection at the offices of YEI free of charge, a copy is made available on YEI’s website, alternatively a copy may be requested from YEI’s information officer.
- AMENDMENTS TO THIS POLICY
- Amendments to, or a review of this Policy, will take place on an ad hoc basis. Subscribers are advised to access YEI’s website periodically to keep abreast of any changes. Where material changes take place, these will be posted on our website. Unless otherwise stated, the current version of this Policy posted on our website shall supersede and replace all previous versions of this Policy.
Signed at Meadowridge, Cape Town this 25th day of August 2021.
_____________________________________
INFORMATION OFFICER
Click here for a printable version of Annexure A
Click here for a printable version of Annexure B