PRIVACY PORTAL

PURPOSE AND OVERVIEW

As a business, Africorp Advisory Services is committed to the highest standards of professionalism, ethics and service delivery. We are committed to upholding every person's constitutional right to privacy and ensuring that any personal information we process is completed in a lawful and transparent manner. We maintain a strict standard of confidentiality with our clients and never share personal information with third parties unless required by law or with the express consent of our clients.

Any personal information processed by Africorp Advisory Services is processed in accordance with the provisions of the Protection of Personal Information Act 4 of 2013 ("POPI"), and, where applicable, the General Data Protection Regulation 2016/679 ("GDPR").

POPI

Africorp Advisory Services has taken comprehensive steps to ensure that its staff process any personal information in accordance with the provisions of POPI. Personal information is defined in section 1 of POPI to mean: "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

  • (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • (b) information relating to the education or the medical, financial, criminal or employment history of the person;
  • (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • (d) the biometric information of the person;
  • (e) the personal opinions, views or preferences of the person;
  • (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • (g) the views or opinions of another individual about the person; and
  • (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person."

Depending on who determines the purpose of and means for processing personal information in a particular instance, Africorp Advisory Services acknowledges that it may be acting in the capacity of either a "responsible person" or "operator" as defined in section 1 of POPI. Where a client is also the "data subject" as defined in section 1 of POPI and has not mandated Africorp Advisory Services to process personal information on the client's behalf, it is a determining factor which puts Africorp Advisory Services in the role of a responsible party. Where Africorp Advisory Services processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party, Africorp Advisory Services will be acting as an operator. Whether acting as a responsible party or operator, Africorp Advisory Services will process personal information in accordance with the applicable provisions of POPI.

General Data Protection Regulation 2016/679

Africorp Advisory Services acknowledges that it offers its goods and/or services to persons domiciled in the European Union, and which compels that data processing activities for such persons are completed in accordance with GDPR. Depending on who determines the purpose of and conditions for processing personal information in a particular instance, Africorp Advisory Services acknowledges it may be acting in the capacity of either a "controller" or "processor" as defined. Where a client is also the "data subject" as defined in GDPR and has not mandated Africorp Advisory Services to process personal information on the client's behalf, it is a determining factor which puts Africorp Advisory Services in the role of a controller. Where Africorp Advisory Services processes personal information for a controller in terms of a contract or mandate, Africorp Advisory Services will be acting as a processor. Whether acting as a controller or processor, Africorp Advisory Services will process data in respect of persons in the European Union in accordance with the applicable provisions of GDPR.

PRIVACY AND DATA PROTECTION OBLIGATIONS

Africorp Advisory Services acknowledges its privacy and data protection obligations and adheres to the highest standards possible to ensure legal and safe processing of data, including personal information. Africorp Advisory Services remains accountable to ensure compliance with POPI and/or GDPR, and that it has accordingly implemented measures and procedures which give effect to such compliance. In this regard, Africorp Advisory Services has registered its designated Information Officer with the Information Regulator established in terms of section 39 of POPI, as well as its Deputy Information Officers to whom the Information Officer has delegated its duties. Africorp Advisory Services further regularly trains its staff as to their obligations arising from POPI and GDPR, and general best practice insofar as privacy and data protection. Africorp Advisory Services also maintains an expert Information Technology team, who maintains its information security systems. In addition to this Policy, Africorp Advisory Services has published various other policies which assist in the enforcement of privacy and data protection measures by its staff.

The measures and procedures implemented by Africorp Advisory Services, extend to the fulfilment of the following obligations insofar as privacy and data protection. The client or person whose data/personal information is processed is referred to as the "data subject".

Processing limitation

  • Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
  • Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
  • Personal information may only be processed if—
    • the data subject or a competent person where the data subject is a child consents to the processing;
    • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    • processing complies with an obligation imposed by law on Africorp Advisory Services;
    • processing protects a legitimate interest of the data subject;
    • processing is necessary for the proper performance of a public law duty by a public body; or
    • processing is necessary for pursuing the legitimate interests of Africorp Advisory Services or of a third party to whom the information is supplied.
  • The data subject or competent person may withdraw his, her or its consent, provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information will not be affected.
  • A data subject may object, at any time, to the processing of personal information—
    • on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    • for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
  • If a data subject has objected to the processing of personal information, Africorp Advisory Services may no longer process the personal information.
  • Personal information must be collected directly from the data subject, except if—
    • the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    • the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    • collection of the information from another source would not prejudice a legitimate interest of the data subject;
    • collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of Africorp Advisory Services or of a third party to whom the information is supplied;
    • compliance would prejudice a lawful purpose of the collection; or
    • compliance is not reasonably practicable in the circumstances of the particular case.

Purpose specification

  • Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Africorp Advisory Services.
  • Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
    • retention of the record is required or authorised by law;
    • Africorp Advisory Services reasonably requires the record for lawful purposes related to its functions or activities;
    • retention of the record is required by a contract between the parties thereto; or
    • the data subject or a competent person where the data subject is a child has consented to the retention of the record.
  • Records of personal information may be retained for historical, statistical or research purposes if Africorp Advisory Services has established appropriate safeguards against the records being used for any other purposes.
  • Africorp Advisory Services must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after Africorp Advisory Services is no longer authorised to retain the record.

Further processing

Further processing of personal information must be in accordance or compatible with the purpose for which it was collected.

Information quality

Africorp Advisory Services must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Openness

  • Africorp Advisory Services must maintain the documentation of all processing operations under its responsibility.
  • If personal information is collected, Africorp Advisory Services must take reasonably practicable steps to ensure that the data subject is aware of—
    • the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    • the name and address of Africorp Advisory Services;
    • the purpose for which the information is being collected;
    • whether or not the supply of the information by that data subject is voluntary or mandatory;
    • the consequences of failure to provide the information;
    • any particular law authorising or requiring the collection of the information;
    • the fact that, where applicable, Africorp Advisory Services intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    • any further information such as the—
      • recipient or category of recipients of the information;
      • nature or category of the information;
      • existence of the right of access to and the right to rectify the information collected;
      • existence of the right to object to the processing of personal information; and
      • right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  • It is not necessary for Africorp Advisory Services to make the data subject aware of its data processing if—
    • the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    • non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    • non-compliance is necessary—
      • to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      • to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
      • for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      • in the interests of national security;
    • compliance would prejudice a lawful purpose of the collection;
    • compliance is not reasonably practicable in the circumstances of the particular case; or
    • the information will—
      • not be used in a form in which the data subject may be identified; or
      • be used for historical, statistical or research purposes.

Security safeguards

  • Africorp Advisory Services must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    • loss of, damage to or unauthorised destruction of personal information; and
    • unlawful access to or processing of personal information.
  • Africorp Advisory Services must take reasonable measures to—
    • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    • establish and maintain appropriate safeguards against the risks identified;
    • regularly verify that the safeguards are effectively implemented; and
    • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  • The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Acting as operator

  • Where Africorp Advisory Services acts as an operator, it must—
    • process such information only with the knowledge or authorisation of responsible party; and
    • treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
  • A responsible party must, in terms of a written contract between the responsible party and Africorp Advisory Services (as the operator), ensure that Africorp Advisory Services establishes and maintains the security measures referred to POPI.
  • Africorp Advisory Services (as operator) must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Security compromises

  • Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Africorp Advisory Services must notify—
    • the Regulator; and
    • the data subject, unless the identity of such data subject cannot be established.
  • The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
    • Mailed to the data subject's last known physical or postal address;
    • sent by e-mail to the data subject's last known e-mail address;
    • placed in a prominent position on the website of Africorp Advisory Services;
    • published in the news media; or
    • as may be directed by the Regulator.
  • The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    • a description of the possible consequences of the security compromise;
    • a description of the measures that Africorp Advisory Services intends to take or has taken to address the security compromise;
    • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    • if known to Africorp Advisory Services, the identity of the unauthorised person who may have accessed or acquired the personal information.

Data subject participation

  • A data subject, having provided adequate proof of identity, has the right to—
    • request Africorp Advisory Services to confirm, free of charge, whether or not Africorp Advisory Services holds personal information about the data subject; and
    • request from Africorp Advisory Services the record or a description of the personal information about the data subject held by Africorp Advisory Services, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
  • If, in response to a request, personal information is communicated to a data subject, the data subject must be advised of the right to request the correction of information.
  • Africorp Advisory Services may or must refuse, as the case may be, to disclose any information requested to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act.
  • A data subject may, in the prescribed manner, request Africorp Advisory Services to—
    • correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    • destroy or delete a record of personal information about the data subject that Africorp Advisory Services is no longer authorised to retain.
  • On receipt of a request, Africorp Advisory Services must, as soon as reasonably practicable—
    • correct the information;
    • destroy or delete the information;
    • provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    • where agreement cannot be reached between Africorp Advisory Services and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  • If Africorp Advisory Services has taken steps that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, Africorp Advisory Services must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  • Africorp Advisory Services must notify a data subject, who has made a request, of the action taken as a result of the request.

Special personal information

  • Africorp Advisory Services may not process personal information concerning—
    • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
    • the criminal behaviour of a data subject to the extent that such information relates to—
      • the alleged commission by a data subject of any offence; or
      • any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
  • The prohibition on processing personal information does not apply if the—
    • processing is carried out with the consent of a data subject;
    • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    • processing is necessary to comply with an obligation of international public law;
    • processing is for historical, statistical or research purposes to the extent that—
      • the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
    • information has deliberately been made public by the data subject; or
    • provisions of sections 28 to 33 of POPI are, as the case may be, complied with.
  • The prohibition on processing personal information concerning a data subject's race or ethnic origin does not apply if the processing is carried out to—
    • identify data subjects and only when this is essential for that purpose; and
    • comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
  • The prohibition on processing personal information concerning a data subject's criminal behaviour or biometric information does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.

Personal information of children

  • Africorp Advisory Services may not process personal information concerning a child.
  • The prohibition on processing personal information of children does not apply if the processing is—
    • carried out with the prior consent of a competent person;
    • necessary for the establishment, exercise or defence of a right or obligation in law;
    • necessary to comply with an obligation of international public law;
    • for historical, statistical or research purposes to the extent that—
      • the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
    • of personal information which has deliberately been made public by the child with the consent of a competent person.

Direct marketing

  • The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
    • has given his, her or its consent to the processing; or
    • is a customer of Africorp Advisory Services.
  • Africorp Advisory Services may approach a data subject—
    • whose consent is required; and
    • who has not previously withheld such consent, only once in order to request the consent of that data subject.
  • The data subject's consent must be requested in the prescribed manner and form.
  • Africorp Advisory Services may only process the personal information of a data subject who is a customer of Africorp Advisory Services –
    • if Africorp Advisory Services has obtained the contact details of the data subject in the context of the sale of a product or service;
    • for the purpose of direct marketing of Africorp Advisory Services's own similar products or services; and
    • if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
      • at the time when the information was collected; and
      • on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
  • Any communication for the purpose of direct marketing must contain details of the identity of the sender or the person on whose behalf the communication has been sent; and an address or other contact details to which the recipient may send a request that such communications cease.

Transfers of personal information outside Republic

  • Africorp Advisory Services in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
    • the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
      • effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
      • includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
    • the data subject consents to the transfer;
    • the transfer is necessary for the performance of a contract between the data subject and Africorp Advisory Services, or for the implementation of pre-contractual measures taken in response to the data subject's request;
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Africorp Advisory Services and a third party; or
    • the transfer is for the benefit of the data subject, and—
      • it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
      • if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
  • For the purpose of this provision—
    • "binding corporate rules" means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
    • "group of undertakings" means a controlling undertaking and its controlled undertakings.

CHANGES TO THIS NOTICE

This Policy was last updated on 21 June 2021. Please note that we may amend this Policy from time to time.

HOW TO CONTACT US

If any person has questions about this Policy or believes Africorp Advisory Services has not adhered to it, or needs further information about Africorp Advisory Services's privacy practices or wishes to give or withdraw consent, exercise preferences or access or correct the person's personal information, please feel free to contact Africorp Advisory Services at:

Telephone: +27 44 873 2782

Email: contact@africorpadvisory.co.za

INFORMATION REGULATOR

Any person has the right to complain to the Information Regulator regarding any breach of the POPI provisions by Africorp Advisory Services, whose contact details are:

Information Regulator

Email: inforeg@justice.gov.za