MAJESTIC DATA – PROTECTION OF PERSONAL INFORMATION POLICY incorporating the currently operative DATA PROCESSING TERMS AND CONDITIONS
Majestic Data Proprietary Limited ("MD") must comply with the POPI Act by 30 June 2021. This document constitutes the Data Processing Terms and Conditions ("DPT&C") that apply to parties in their dealings with MD.
BACKGROUND: On 22 June 2020 the Presidency announced the commencement, on 1 July 2020, of sections 2 to 38, sections 55 to 109, section 111 and section 114(1), (2) and (3) of the POPI Act.
Section 114(1) is of particular importance: it determines that all forms of processing of Personal Information must, within one year after the commencement of the section, that is by 1 July 2021, be made to conform to the Act. Both private and public bodies must therefore ensure compliance with the Act by 1 July 2021.
These DPT&C shall constitute MD’s data protection policy effective from the date published on the MD website.
- INTRODUCTION
- In light of the new obligations set out in the Data Protection Laws (as defined below), MD hereby sets out and communicates to all interested and affected parties, including its clients, suppliers and other bodies, public or private, that the following terms and conditions constitute the principles, terms and conditions on which MD will engage with such parties wherever Personal Information forms part of the engagement between MD and such party or parties, together with the data protection matters related thereto. This DPT&C applies to all engagements, of whatsoever nature, with such parties from the date of publication hereof and governs both the Processing of Personal Information by MD on behalf of parties, including customers, clients and suppliers, and the Processing of MD's Personal Information by a party.
- Where MD is the client or the party that gives instructions, MD will be referred to as the "Customer" and the other party as the "Vendor"; where MD is the supplier of goods and/or services, MD will be referred to as the "Vendor" and the other party as the "Customer".
- For the purposes of this DPT&C the Vendor is the Operator/Processor and the Customer is the Responsible Party/Controller as defined in the Act. The term "Customer" includes a supplier.
- DEFINITIONS
In this DPT&C the words and phrases set out below shall have the following meanings ascribed to them unless the context requires otherwise:
- "Agreement(s)" means, without limitation, any and all services agreements, supplier agreements, statements of work, work orders, task orders, purchase orders, mandates and the like entered into between MD and a party, with MD acting as either Vendor or Customer.
- “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information.
- "Data Protection Laws" means the Protection of Personal Information Act No. 4 of 2013 of South Africa and any other applicable law or regulation relating to the protection of Personal Information in the Republic of South Africa and, in respect of the international transfer of Personal Information, the General Data Protection Regulation (EU) 2016/679, the implementing acts of the Member States of the European Union and any other applicable law or regulation relating to the protection of Personal Information.
- "Data Subject" means the person to whom Personal Information relates.
- “Operator” and/or “Processor” means a person who processes Personal Information for a Responsible Party in terms of an Agreement, without coming under the direct authority of the Responsible Party.
- "Personal Information", including personal data, means information relating to any identifiable living natural person and, where it is applicable, an identifiable existing juristic person, including but not limited to (a) information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture or employment history of the person; (b) information relating to the educational, medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the content of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person. Personal Information must be treated as confidential information, even after the Data Subject's death.
- “POPIA” and/or “the POPI Act” means The Protection of Personal Information Act No. 4 of 2013, as amended.
- "Processing" means any operation or activity, or any set of operations, whether or not by automatic means, concerning Personal Information, including the collection, receipt, recording, organisation, collation, storage, back-up, archiving, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; merging or linking; and restriction, degradation, erasure or destruction of information.
- “Regulator” and/or “Information Regulator” means the Information Regulator established in terms of section 39 of POPIA.
- “Responsible Party” and/or “Controller” means a public or private body or any other person which alone, or in conjunction with others, determines the purpose of and means for processing Personal Information.
- "Security Breach" means any act or event that leads to damage to, loss of, or unauthorised access to or disclosure of Personal Information, as further described under Processor Obligations below.
- RELATIONSHIP WITH OTHER AGREEMENTS
In the event of inconsistency between the provisions of this DPT&C and any other Agreement operative between MD and a party, the provisions of this DPT&C take precedence with regard to either party's data protection obligations relating to Personal Information provided by the party acting as Customer or Vendor, as the case may be.
- STATUS OF PARTIES AS CONTEMPLATED IN THE POPIA ACT
Under this DPT&C, Customer is the Controller and Vendor is the Processor of Personal Information provided by Customer. Vendor shall not assume any responsibility for determining the purposes for which the Personal Information provided by Customer shall be Processed.
- SCOPE OF DATA PROCESSING
The scope, purpose and duration of the Processing of Personal Information provided by Customer are determined by the Customer, as Responsible Party/Controller, for the performance of the services provided by Vendor. The nature of the Processing operations, the types of Personal Information and the categories of Data Subjects Processed under this DPT&C may include some or all of those set out below.
- Categories of Data Subjects:
- Vendors: suppliers, consultants, advisers and other professional experts;
- Clients, Customers and Suppliers: past, present and future staff of the clients and customers of Customer (including volunteers, agents, interns, contractors, temporary and casual workers);
- Employees: persons employed full-time or part-time by Customer;
- Contractors: persons who have a contract with Customer to perform certain activities or work for Customer.
- Types of Personal Data:
- Employees and Contractors: first name, surname and previous surname (if applicable); gender; father's first name; citizenship; nationality; permanent address; temporary address (current residence, if applicable); date and place of birth; personal ID number; unique citizen number; ID card/passport number and issuing authority; photograph; academic and professional qualifications; social security number; health insurance number; professional experience; list of previous employers; duration and type of previous employment; bank account details; name(s) and date(s) of birth of child (children); educational training.
- Vendors, Clients, Customers or Suppliers: full name(s) and job title(s) of employee(s) and contractor(s); full name(s) and address(es) of Company/Affiliate(s); professional email address(es); professional telephone and fax number(s) (including mobile telephone number(s)); personal email address(es); personal telephone and fax number(s) (including personal mobile telephone number(s)); Company financial data; data related to Company transactions, including the purposes of those transactions; Company tax ID; government identification number; Company bank account details; VAT number; academic and professional qualification(s) of employee(s) and contractor(s); certification(s); ID card/passport details; photograph; images and sounds.
- PROCESSOR OBLIGATIONS
A Vendor shall be deemed to have agreed and to warrant that:
- It shall Process the Personal Information provided by Customer only:
- on behalf of Customer and in accordance with Customer documented instructions unless otherwise required by applicable Data Protection Laws;
- for the purpose of carrying out the services or as otherwise instructed by Customer and not for the Vendor’s own purposes; and
- in compliance with this DPT&C.
- If it is legally required by Data Protection Laws to Process the Personal Information provided by Customer otherwise than as instructed by Customer, it shall notify Customer before such Processing occurs, unless the law requiring such Processing prohibits Vendor from notifying Customer, in which case it shall notify Customer as soon as that law permits it to do so.
- It has no reason to believe that any Data Protection Law prevents it from fulfilling either the instructions received from Customer or its obligations under this DPT&C or any Data Processing Agreement.
- It has implemented and will maintain appropriate technical and organisational measures to protect the Personal Information provided by Customer against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access and, in particular where the Processing involves the transmission of data over a network, against all other unlawful forms of Processing. Having regard to the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of Processing the Personal Information provided by Customer, Vendor agrees that such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Information.
- It will treat all Personal Information provided by Customer as confidential information and not disclose such confidential information without Customer’s prior written consent except:
- to those of its personnel who need to know the confidential information in order to carry out the Services or other instructions by Customer; and
- where it is required by a court of competent jurisdiction to disclose the Personal Information provided by Customer, or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such court order or statutory obligation.
- It will take reasonable steps to ensure that its personnel who have access to the Personal Information:
- are both informed of the confidential nature of the Personal Information provided by Customer and obliged to keep such Personal Information provided by Customer confidential; and
- are aware of and comply with Vendor’s duties and obligations under this DPT&C.
- It will promptly notify Customer of:
- any instruction issued by Customer with respect to Vendor’s Processing of Personal Information provided by Customer which, in Vendor’s opinion, could put either party in breach of their respective obligations under Data Protection Laws, provided that nothing contained in this DPT&C will release a Customer, where MD is the Vendor, or the Vendor, where MD is the Customer, of its obligations under the Data Protection Laws;
- any actual or suspected breach of security, or any accidental, unlawful or unauthorised access to, misappropriation, loss, damage, disclosure or destruction of, or other compromise of the security, confidentiality or integrity of, the Personal Information provided by Customer and Processed by Vendor or a Sub-processor ("Security Breach");
- any complaint, communication or request received directly by Vendor or a Sub-processor from a Data Subject and pertaining to the Data Subject’s Personal Information, without responding to that request unless it has been otherwise authorized to do so by Customer; and
- any change in Data Protection Laws to which Vendor or a Sub-processor is subject that is likely to have a substantial adverse effect on the warranties and obligations in this DPT&C.
- Upon discovery of any Security Breach, it shall:
- immediately take all reasonably required action to mitigate the risk to the Personal Information provided by Customer and prevent any further Security Breach; and
- provide Customer with full and prompt cooperation and assistance in relation to Customer’s investigation of the Security Breach and Customer’s compliance with Data Protection Laws related to the Security Breach including, but not limited to, any legal obligation to issue notifications about the Security Breach.
- It will provide Customer with full and prompt cooperation and assistance in relation to any complaint, communication or request from a Data Subject to whom the Personal Information provided by Customer relates, including by:
- providing Customer with full details of the complaint, communication or request;
- where authorized by Customer, complying with a request from a Data Subject in relation to the Data Subject’s Personal Information within the relevant timescales set out by Data Protection Laws and in accordance with Customer’s instructions;
- providing Customer with any Personal Information, provided by Customer, it holds in relation to a Data Subject, if required, in a commonly used, structured, electronic and machine-readable format;
- providing Customer with any information requested by Customer relating to the Processing of the Personal Information provided by Customer under an Agreement;
- where authorized by Customer, correcting, deleting, archiving, restricting, or blocking any Personal Information provided by Customer; and
- implementing appropriate technical and organisational measures that enable it to comply with these Processor Obligations.
- It will provide Customer with full and prompt cooperation and assistance in relation to compliance with Data Protection Laws, including any data protection impact assessment or regulatory consultation that Customer is legally required to undertake in respect of the Personal Information provided by Customer.
- It will comply with all requests from an applicable supervisory and/or regulatory authority, especially in the event of an investigation.
- It will make available to Customer, upon request, all information and evidence necessary to demonstrate that Vendor is complying with its obligations under this DPT&C.
- It may engage another processor (Sub-processor) to carry out Processing operations under this DPT&C, which Customer hereby authorises, on condition that the Sub-processor is bound by a written agreement, governed by the applicable Data Protection Laws insofar as it relates to the Personal Information provided by Customer, that imposes on the Sub-processor the same obligations as are imposed on Vendor under this DPT&C.
- It remains fully liable to Customer for any Sub-processor's Processing of the Personal Information provided by Customer under this DPT&C.
- INTERNATIONAL DATA TRANSFERS
Where Personal Information is transferred from South Africa to another country, MD requires that the other party, depending on where the obligations reside, take appropriate steps to ensure that such transfers comply with Data Protection Laws.
- DURATION
- Where Personal Information provided by a Customer is Processed by Vendor such processing shall occur for the duration of services under any relevant Agreement.
- A Customer is entitled to suspend and/or terminate an Agreement, insofar as it relates to the Processing of Personal Information provided by Customer, by giving notice to the Vendor if:
- the Vendor commits any material breach of this DPT&C; and
- Customer gives notice to the Vendor to remedy the breach and the Vendor fails to do so within thirty (30) days of the notice.
- On termination of services that relate to the Personal Information provided by Customer, the Vendor and all its Sub-processors shall, at the choice of Customer, either return all Personal Information provided by Customer and all copies thereof to Customer, or securely destroy all Personal Information provided by Customer and certify to Customer that this has been done, unless the Data Protection Laws to which Vendor or a Sub-processor is subject prevent Vendor or the Sub-processor from returning or destroying all or part of that Personal Information. In such a case, Vendor is deemed to warrant that it will guarantee the confidentiality of the Personal Information provided by Customer, will not actively Process it further, and will return and/or destroy it, as requested by Customer, once the legal obligation not to return or destroy the information is no longer in effect.
- ACCESS TO PERSONAL INFORMATION
The Customer may contact the Vendor's offices to enquire what Personal Information the Vendor holds for the Customer. The Vendor shall make the information available to the Customer upon request, once reasonably satisfied that the Customer has confirmed its identity to the Vendor.
- CORRECTION OF PERSONAL INFORMATION
The Vendor is obliged to store information that is accurate and up to date. The Customer is required to update, correct, amend or delete Personal Information regularly. The Vendor will take all reasonable steps to confirm the Customer's identity before making changes to Personal Information.
- COMPLAINTS
Where MD is the Vendor, a Customer has the right to address any complaint it may have regarding Personal Information provided by the Customer to the Vendor to MD's complaints department, details of which are available on MD's website; alternatively, the Customer may contact the Information Regulator:
The Information Regulator (South Africa):
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Physical Address: 33 Hoofd Street, Forum III, 3rd Floor, Braampark
Website (including complaints and general enquiries contact details): https://www.justice.gov.za/inforeg
- AMENDMENTS
MD may amend this notice from time to time, and affected parties should check MD's website regularly to acquaint themselves with any changes introduced by MD.
- MISCELLANEOUS
- Should any provision or condition of this DPT&C be held or declared invalid, unlawful or unenforceable by a competent authority or court, the remainder of this DPT&C shall remain valid. Such invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this DPT&C, to the maximum extent permitted by law.
- This DPT&C shall be governed by and construed in accordance with the laws of South Africa.