Protection of Personal Information Act

Initial Date
Owner
Content
Valid From
Version
Classification
page(s)

29.06.2021
Information Officer
Manual
07.07.2021
v5
Internal & external use
1 / 14

COCRE8 TECHNOLOGY SOLUTIONS (PTY) LTD
1999/023896/07
&

COCRE8 IT SERVICES (PTY) LTD

1930/002267/07
MANUAL
In terms of the Protection of Personal Information Act 4 of 2013
(“POPIA”)

 

 

  1. INTRODUCTION CoCre8 Technology Solutions (Pty) Limited (“CoCre8”) conducts business as an IT hardware and software services provider, offering installation and implementation services for hardware and software, IT maintenance services, and technical support.
  2. DEFINITIONS
    2.1. “Conditions for Lawful Processing” means the conditions for the lawful processing of Personal Information as fully set out in chapter 3 of POPIA;
    2.2. “Constitution” means the Constitution of the Republic of South Africa, 1996;
    2.3. “Customer” refers to any natural or juristic person that received or receives services from CoCre8;
    2.4. “Data Subject” has the meaning ascribed thereto in section 1 of POPIA;
    2.5. “Information Officer” means CoCre8’s Chief Executive as referred to in clause 4;
    2.6. “Manual” means this manual prepared in accordance with regulation 4(1) (d) of the POPIA Regulations;
    2.7. “Personal Information” has the meaning ascribed thereto in section 1 of POPIA;
    2.8. “Personnel” refers to any person who works for, or provides services to or on behalf of CoCre8, and receives or is entitled to receive remuneration and any other person who assists in carrying out or conducting the business of CoCre8, which includes, without limitation, directors (executive and non-executive), all permanent, temporary and part-time staff as well as contract workers;
    2.9. “POPIA Regulations” mean the regulations promulgated in terms of section 112(2) of POPIA;
    2.10. “Private Body” has the meaning ascribed thereto in sections 1 of POPIA;
    2.11. “Processing” has the meaning ascribed thereto in section 1 of POPIA;
    2.12. “Responsible Party” has the meaning ascribed thereto in section 1 of POPIA; and
    2.13. “SAHRC means the South African Human Rights Commission.
    Capitalised terms used in this Manual have the meanings ascribed thereto in section 1 of POPIA, unless otherwise defined herein.
  3. PURPOSE OF THE MANUAL
    This manual for the purposes of POPIA, amongst other things, details the purpose for which Personal Information may be processed; a description of the categories of Data Subjects for whom CoCre8 Processes Personal Information as well as the categories of Personal Information relating to such Data Subjects; and the recipients to whom Personal Information may be supplied.
  4. COCRE8 CONTACT DETAIL

Directors:

Mr. JW Burger (Managing)
Mr. CF Pretorius

CEO:

Postal Address:

Street Address:

Telephone Number:

Email:

Mr. Johannes Burger

P.O. Box 3467, Rivonia, 2128

96, 14th Road, Noordwyk, Midrand, 1687

011 012 1500

talk2us@cocre8.africa

5. CONTACT DETAILS OF THE INFORMATION OFFICER

5.1. The Information Officer’s contact details are as follows:

Postal Address:

Street Address:

Telephone Number:

Email:

P.O. Box 3467, Rivonia, 2128

96, 14th Road, Noordwyk, Midrand, 1687

011 012 1500

datarequests@cocre8.com

6. PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY COCRE8

6.1. Chapter 3 of POPIA provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA.

6.2. CoCre8 may need Personal Information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is Processed and the purpose for which it is Processed is determined by CoCre8. CoCre8 is accordingly a Responsible Party for the purposes of POPIA and will ensure that the Personal Information of a Data Subject:
6.2.1. is processed lawfully, fairly and transparently. This includes the provision of appropriate information to Data Subjects when their data is collected by CoCre8, in the form of privacy or data collection notices. CoCre8 must also have a legal basis (for example, consent) to process Personal Information;

6.2.2. is processed only for the purposes for which it was collected;
6.2.3. will not be processed for a secondary purpose unless that processing is compatible with the original purpose;
6.2.4. is adequate, relevant and not excessive for the purposes for which it was collected;
6.2.5. is accurate and kept up to date;
6.2.6. will not be kept for longer than necessary;
6.2.7. is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that Personal Information, in both physical and electronic form, are subject to an appropriate level of security when stored, used and communicated by CoCre8, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage; and
6.2.8. is processed in accordance with the rights of Data Subjects, where applicable. Data Subjects have the right to:
6.2.8.1. be notified that their Personal Information is being collected by CoCre8. The Data Subject also has the right to be notified in the event of a data breach;
6.2.8.2. know whether CoCre8 holds Personal Information about them, and to access that information. Any request for information must be handled in accordance with the provisions of this Manual;
6.2.8.3. request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained Personal Information;
6.2.8.4. object to CoCre8’s use of their Personal Information and request the deletion of such Personal Information (deletion would be subject CoCre8’s record keeping requirements);
6.2.8.5. object to the processing of Personal Information for purposes of direct marketing by means of unsolicited electronic communications; and
6.2.8.6. complain to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its Personal Information.

6.3. Purpose of the Processing of Personal Information by CoCre8:

As outlined above, Personal Information may only be Processed for a specific purpose. The purposes for which CoCre8 Processes or will Process Personal Information as set out in Part 1 of Appendix 1.

6.4. Categories of Data Subjects and Personal Information/special Personal Information relating thereto:

As per section 1 of POPIA, a Data Subject may either be a natural or a juristic person. Part 2 of Appendix 1 sets out the various categories of Data Subjects that CoCre8 may Processes Personal Information on and the types of Personal Information relating thereto.

6.5. Recipients of Personal Information:

Part 3 of Appendix 1 outlines the recipients to whom CoCre8 may provide a Data Subjects Personal Information to.

6.6. Cross-border flows of Personal Information:

Section 72 of POPIA provides that Personal Information may only be transferred out of the Republic of South Africa if the:

6.6.1. recipient country can offer such data an “adequate level” of protection. This means that its data privacy laws must be substantially similar to the Conditions for Lawful Processing as contained in POPIA; or
6.6.2. Data Subject consents to the transfer of their Personal Information; or
6.6.3. transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or
6.6.4. transfer is necessary for the performance of a contractual obligation between the Responsible Party and a third party, in the interests of the Data Subject; or
6.6.5. the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.

Part 4 of Appendix 1 sets out the planned cross-border transfers of Personal Information and the condition from above that applies thereto.

6.7. Description of information security measures to be implemented by CoCre8:

Part 5 of Appendix 1 sets out the types of security measures implemented by CoCre8 in order to ensure that Personal Information is respected and protected. A preliminary assessment of the suitability of the information security measures implemented or to be implemented by CoCre8 may be conducted in order to ensure that the Personal Information that is processed by CoCre8 is safeguarded and Processed in accordance with the Conditions for Lawful Processing.

6.8. Objection to the Processing of Personal Information by a Data Subject:

Section 11 (3) of POPIA and regulation 2 of the POPIA Regulations provides that a Data Subject may, at any time object to the Processing of his/her/its Personal Information in the prescribed form attached to this Manual as Appendix 2 subject to exceptions contained in POPIA.

6.9. Request for correction or deletion of Personal Information:

Section 24 of POPIA and regulation 3 of the POPIA Regulations provides that a Data Subject may request for their Personal Information to be corrected/deleted in the prescribed form attached as Appendix 3 to this Manual.

Part 1

PROCESSING OF PERSONAL INFORMATION IN ACCORDANCE WITH POPIA

 

Purpose of the Processing of Personal Information Type of Processing
1.     To provide services to the Customer in accordance with terms agreed to by the Customer;

2.     To undertake activities related to the provision of services and transactions, including:

2.1.         to fulfil foreign and domestic legal, regulatory and compliance requirements and comply with any applicable treaty or agreement with or between foreign and domestic governments applicable to CoCre8;

2.2.         to verify the identity of Customer representatives who contact CoCre8 or may be contacted by CoCre8;

2.3.         for risk assessment, information security management, statistical, trend analysis and planning purposes;

2.4.         to monitor and record calls and electronic communications with CoCre8 for quality, training, investigation and fraud prevention purposes;

2.5.         for crime detection, prevention, investigation and prosecution;

2.6.         to enforce or defend CoCre8’s rights; and

2.7.         to manage CoCre8’s relationship with the Customer.

3.     The purposes related to any authorised disclosure made in terms of agreement, law or regulation;

4.     Any additional purposes expressly authorised by the Customer; and

5.     Any additional purposes as may be notified to the Customer or Data Subjects in any notice provided by CoCre8.

 Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Part 2

CATEGORIES OF DATA SUBJECTS AND CATEGORIES OF PERSONAL INFORMATION RELATING THERETO

 

Categories of Data Subjects and categories of Personal Information relating thereto Data Subject Personal Information Processed
Customer:

1.   Corporate

Customer Profile information including, account details, payment information, corporate structure, Customer risk rating and other Customer information including to the extent the categories of information relate to individuals or representatives of Customers (e.g., shareholders, directors, etc.) required for the above mentioned purposes.

2.   Individual

Name; contact details (Company E-Mail Address, Company Telephone Number), client details (Home Facsimile Number, Home Postal Address, Home Telephone Number, Personal Cellular, Mobile Or Wireless Number, Personal E-Mail Address); regulatory identifiers (e.g. tax identification number); Account information (Bank Account Name, Bank Account Number, Bank Account Type, Bank account balance); transaction details and branch details; “know-your customer” data, photographs; other identification and verification data as contained in images of ID card, passport and other ID documents; images of customer signatures)

  

Natural Persons;

Juristic Persons.

 Personal data relating to a Data Subject received by or on behalf of CoCre8 from the Customer, Customer affiliates and their respective representatives and related parties in the course of providing accounts and services to the Customer or in connection with a transaction or services. Customer personal data may include names, contact details, identification and verification information, nationality and residency information, taxpayer identification numbers, voiceprints, bank account and transactional information (where legally permissible), to the extent that these amount to personal data under POPIA.
Payment beneficiaries:

Bank Account Name, Bank Account Number, Bank Account Type; beneficiary address, transaction details; payment narrative.
Personnel:

Name; employee ID number; business contact details (address/telephone number/email address)

Part 3

Recipients of Personal Information

CoCre8, its affiliates and their respective representatives

Part 4

Cross border transfers of Personal Information

When making authorized disclosures or transfers of Personal Information in terms of section 72 of POPIA, Personal Data may be disclosed to recipients located in countries which do not offer a level of protection for those data as high as the level of protection as South Africa.

Part 5

Description of information security measures

CoCre8 undertakes to institute and maintain data protection measures to accomplish the following objectives outlined below. The details given are to be interpreted as examples of how to achieve an adequate data protection level for each objective. CoCre8 may use alternative measures and adapt to technological security development, as needed, provided that the objectives are achieved.

  1. Access Control of Persons: CoCre8 shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data are processed.
  2. Data Media Control: CoCre8 undertakes to implement suitable measures to prevent the unauthorised manipulation of media, including reading, copying, alteration or removal of the data media used by CoCre8 and containing personal data of Customers.
  3. Data Memory Control: CoCre8 undertakes to implement suitable measures to prevent unauthorized input into data memory and the unauthorised reading, alteration or deletion of stored data.
  4. User Control: CoCre8 shall implement suitable measures to prevent its data processing systems from being used by unauthorised persons by means of data transmission equipment.
  5. Access Control to Data: CoCre8 represents that the persons entitled to use CoCre8’s data processing system are only able to access the data within the scope and to the extent covered by their respective access permissions (authorization).
  6. Transmission Control: CoCre8 shall be obliged to enable the verification and tracing of the locations / destinations to which the Personal Information is transferred by utilisation of CoCre8’s data communication equipment / devices.
  7. Transport Control: CoCre8 shall implement suitable measures to prevent Personal Information from being read, copied, altered or deleted by unauthorised persons during the transmission thereof or during the transport of the data media.
  8. Organisation Control: CoCre8 shall maintain its internal organisation in a manner that meets the requirements of this Manual.

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF POPIA REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018

Note:

  1. Affidavits or other documentary evidence as applicable in support of the objection may be attached.
  2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
  3. Complete as is applicable.
A DETAILS OF DATA SUBJECT
Name(s) and surname/ registered name of Data Subject:
Unique Identifier/ Identity Number
Residential, postal or business address:
Contact number(s):
Fax number / E-mail address
B DETAILS OF RESPONSIBLE PARTY
Name(s) and surname/ registered name of Data Subject:  
Residential, postal or business address:  
Contact number(s):  
Fax number / E-mail address  
C REASONS FOR OBJECTION IN TERMS OF SECTION 11(1)(d) to (f) (Please provide detailed reasons for the objection