1.0. 2IP Independent Investment Partners (Pty) Ltd. (“the Company”) is an authorised financial services provider whose business includes the collection of Personal Information from its clients, suppliers, and employees. The Company endeavours to comply with all the relevant legislation and regulations relating to the protection of Personal Information.
1.1. This Personal Information Protection Policy (the “Policy”) documents and records the principles and policies the Company follows when collecting and Processing Personal Information, describes the required business activities relating to Personal Information Processing and specifies the responsibilities of the Company when complying with the relevant legislation and regulations.
1.2. The Company acknowledges that it must comply with South African legislation, in the form of the Protection of Personal Information Act, 2013 (Act no. 4 of 2013) (“POPIA”) as it Processes Personal Information in South Africa. In addition, the Company acknowledges that it has to comply with the European Union General Data Protection Regulation (“GDPR”) as GDPR impacts South African based companies which Process Personal Information of EU residents, and because the convergence of the various data protection legislation and regulations is imminent.
2. DOCUMENTS OF REFERENCE
2.0. Protection of Personal Information Act, 2013 (Act no. 4 of 2013);
2.1. European Union General Data Protection Regulation (“GDPR”);
2.2. Data Retention Policy;
3.0. “Anonymization” or “De-identify” means irreversibly De-identifying Personal Information such that the person cannot be identified by using reasonable time, cost, and technology. Personal Information Processing principles do not apply to Anonymized data.
3.1. “Data Subject” means the person to whom the Personal Information relates.
3.2. “Encryption” means scrambling the entire contents of a set of information using mathematical techniques.
3.3. “Operator” means a natural or juristic person, public authority, or any other institution which Processes Personal Information on behalf of the Responsible Party.
3.4. “Personal Information” means any information relating to an identifiable natural person, or to the extent applicable, a juristic person. This includes, but is not limited to information relating to race, gender, sex, pregnancy, marital status, ethnic and social origin, colour, sexual orientation, age, physical or mental health, religion, disability, language, information relating to educational, medical, financial, criminal or employment history, any identifying number, email address, physical address, telephone number, location information, online identifier, or biometric Personal Information.
3.5. “Processing” means any activity concerning Personal Information including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination by means of transmission, distribution or making available in any other form, or merging, linking, as well as restriction, degradation, erasure, or destruction of information.
3.6. “Pseudonymization” means the Processing of Personal Information in such a manner that the Personal Information can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately.
3.7. “Re-identify” means to resurrect any information that has been De-identified.
3.8. “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information.
4. PRINCIPLES REGARDING PERSONAL INFORMATION PROCESSING
4.0.1. The Company acknowledges that, as a Responsible Party, it must ensure compliance with the relevant regulations. The Information Officer has been designated with this responsibility.
4.1. Lawful Processing of Personal Information
4.1.1. The Company will ensure that Personal Information is Processed lawfully, fairly and transparently in relation to the Data Subject. Personal Information collected must not be excessive, must be legally justifiable and not collected from third parties without good reason.
4.2. Purpose limitation
4.2.1. Personal Information collected is limited and relevant in relation to the specific purpose for which it is Processed. The Company will apply Anonymization or Pseudonymization to Personal Information, where possible, to reduce the risk to the Data Subject. Personal Information will not be stored for any longer than necessary.
4.3. Data minimization
4.3.1. The Company will ensure that Personal Information is adequate and limited to what is necessary in relation to the purpose for which it is Processed.
4.4. Information quality
4.4.1. All Personal Information collected will be complete and accurate and the Company will take reasonable steps to ensure that inaccurate data is corrected in a timely manner.
4.5. Lawful processing of personal information
4.5.1. The Company will ensure that Personal Information is processed lawfully, fairly and transparently. Personal Information collected must not be excessive, must be legally justifiable and not collected from third parties without good reason.
4.6. Security safeguard relating to integrity and Personal Information confidentiality
4.6.1. The Company will ensure that Personal Information is Processed securely and will use appropriate information technology measures to protect Personal Information against accidental or unlawful destruction, loss, amendment, or unauthorized access. Notification of any data breaches will occur timeously.
4.7. Restriction on further Processing
4.7.1. Personal Information may only be Processed for the purpose for which it was collected under specific conditions.
4.8.1. The Company will Process Personal Information in a transparent manner.
4.9. Data Subject participation
4.9.1. Data Subjects will be allowed to access their Personal Information and request that it is corrected or deleted if inaccurate. The Company acknowledges that Personal Information that is inaccurate, irrelevant, inappropriate, ambiguous or unlawfully obtained is to be corrected or deleted.
4.10. Storage period limitation
4.10.1. Personal Information must be stored for no longer than necessary for the purposes for which it is Processed.
5. INFORMATION PROTECTION PROCESSES
5.0. Communication to Data Subjects
5.0.1. The Company is responsible for communicating to Data Subjects which types of Personal Information are collected, the purposes of the Processing of the Personal Information, the Processing methods, the Data Subjects’ rights and the retention periods. The Information Officer will ensure that the Data Subjects are notified when Personal Information is shared with third parties.
5.0.2. The Information Officer will authorise which Personal Information is Processed. The Company will perform a Data Protection Impact Assessment for each Personal Information Processing activity.
5.1. Data Subject’s consents
5.1.1. The Information Officer will be responsible for retaining the records of the Data Subject’s consents regarding the Processing of Personal Information. In addition, the Information Officer will ensure that any request to correct, change or destroy Personal Information is dealt with within a reasonable time frame and keep records thereof. The Company will ensure that any consents given by the Data Subjects are voluntary, specific and an informed expression of will.
5.2. Personal Information collection
5.2.1. The Company will attempt to collect the minimum amount of Personal Information possible. If any Personal Information is collected from a third party, the Information Officer will ensure that the information is collected lawfully.
5.3. Personal Information use, retention and deletion
5.4. Data Subject’s access rights
5.4.1. The Company’s Information Officer will ensure that Data Subjects are provided with reasonable access to their Personal Information. The Company will further ensure that its Data Subjects can update, correct, delete or transfer their Personal Information if required.
5.5. Personal Information transferability
5.5.1. Data Subjects have the right to receive a copy of their Personal Information provided to the Company. The Information Officer will ensure that the Data Subject’s Personal Information can be transmitted to another party if so required and will ensure that such requests are processed timeously.
5.6. Third-party disclosures
5.6.1. In instances where the Company utilizes third parties to Process Personal Information, the Information Officer will ensure that the third parties have adequate security measures in place to safeguard Personal Information.
5.7. Right to delete or destroy Personal Information
5.7.1. The Company will ensure that Personal Information of the Data Subject can be deleted or destroyed upon the Data Subject’s request. Personal Information destruction will occur as soon as reasonably practical after the request has been made.
5.9. Security measures
5.9.1. The storage and transfer of Personal Information will occur in a secure environment. The Company will ensure that a risk assessment is completed in order to identify all reasonably foreseeable internal and external risks to Personal Information under its control. Technical measures will be utilised to secure Personal Information, and such measures may consist of De-identification (anonymization) or Encryption. The Company will ensure that the Information Regulator is notified of any data breaches as soon as reasonably possible and will also notify all Data Subjects affected by such breaches.
6. RESPONSIBILITIES OF THE COMPANY
6.0. The Company, as the Responsible Party, is committed to principles of accountability, transparency and consensual and responsible Processing of Personal Information.
6.1. It is the intention of the Company that this Policy will protect a Data Subject’s Personal Information from being compromised in any way and this Policy is consistent with the privacy laws applicable in South Africa.
6.2. The board of directors of the Company is responsible for approving this Policy and the Information Officer is responsible for managing and implementing the Personal Information protection processes.
6.3. The Company’s Compliance Officer will monitor Personal Information protection regulation to ensure that all developments are incorporated into the Company’s business activities.
6.4. The Chief Executive Officer / Information Officer of the Company will ensure that employees’ awareness of Personal Information protection is raised and will further ensure that employee Personal Information protection takes place.
7. INFORMATION OFFICER/CONTACT DETAILS
Information Officer : Danielle van Breda
Telephone number : 021 914 1321
Postal address : Unit 6 Monaco Square | 14 Church Street | Durbanville 7550
Physical address : Unit 6 Monaco Square | 14 Church Street | Durbanville 7550
Email address : firstname.lastname@example.org
Website : https://www.2ip.co.za/