1. INTRODUCTION
1.1 CLASSIC FOOD BRANDS (PTY) LTD (“CFB”) and its employees have a legal obligation to protect personal information about third parties in terms of the Protection of Personal Information Act, No 4 of 2013.
1.2 Data subjects (as defined below) have an objectively reasonable expectation of privacy, including a right to protection against the unlawful collection, retention, dissemination and use of personal information, which right may not be wrongfully or intentionally interfered with.
1.3 The need for economic and social progress requires the free flow of information, including personal information.
2. SCOPE
2.1 This policy applies to:
2.1.1 All employees, directors and service providers of CFB in regard to personal information relating to affected data subjects (as defined below); and
2.1.2 The processing of personal information:
2.1.2.1 entered into a record by automated or non-automated means;
2.1.2.2 where the responsible party is domiciled in South Africa or makes use of automated or non-automated means in South Africa.
3. DEFINITIONS
3.1 “child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
3.2 “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
3.3 “data subject” means the person to whom personal information relates;
3.4 “employees” means all full-time, part-time, fixed term, labour broker, permanent and temporary employees;
3.5 “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party, and includes all service providers;
3.6 “PAIA” means the Promotion of Access to Information Act, 2 of 2000;
3.7 “personal information” means information relating to an identifiable, living natural person and, where it is applicable, an identifiable, existing juristic person, including but not limited to –
3.7.1 information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
3.7.2 information relating to the education or the medical, financial, criminal or employment history of the person;
3.7.3 any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
3.7.4 the biometric information of the person;
3.7.5 the personal opinions, views or preferences of the person;
3.7.6 correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
3.7.7 the views or opinions of another individual about the person; and
3.7.8 the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
3.8 “the Act” means the Protection of Personal Information Act, No 4 of 2013;
3.9 “processing” means any operation or activity or any set of operations, whether by automated or non-automated means, concerning personal information, including –
3.9.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
3.9.2 dissemination by means of transmission, distribution or making available in any other form; or
3.9.3 merging, linking, as well as restriction, degradation, erasure or destruction of information; and
3.10 “responsible party” means a person or organisation that processes personal information, including all employees and service providers;
3.11 “service providers” means all persons other than employees who are contracted to perform work or provide services to CFB and for that purpose require and will have access to personal information;
3.12 “special personal information” means information that relates to –
3.12.1 the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject; or
3.12.2 the criminal behaviour of a data subject provided that such information relates to the alleged commission of an offence or any proceedings in respect of any offence allegedly committed by a data subject.
4. POLICY STATEMENT
4.1 The main objectives of the Act are to –
4.1.1 give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
4.1.1.1 balancing the right to privacy against other rights, particularly the right of access to information; and
4.1.1.2 protecting important interests, including the free flow of information within the Republic and across international borders;
4.1.2 regulate the manner in which personal information may be processed; and
4.1.3 provide persons with rights and remedies to protect their personal information from processing that is not in accordance with the Act.
5. EXCLUSIONS
This policy does not apply to the processing of personal information that has been de-identified to the extent that it cannot be re-identified.
6. INFORMATION OFFICER
6.1 The information officer for CFB is the Chief Executive Officer, as contemplated in section 1 of PAIA.
6.2 The information officer will in turn designate deputy information officers as required to perform the duties set out below. Such delegation will be done in writing.
6.3 The information officer and deputy information officers will be registered as such with the information regulator and will only assume their duties once registered.
6.4 The duties and responsibilities of the information officer and deputy information officers are:
6.4.1 encouraging compliance with the Act;
6.4.2 dealing with requests made to CFB in relation to the Act;
6.4.3 working with the Information Regulator in relation to investigations;
6.4.4 otherwise ensuring compliance by CFB with the provisions of the Act; and
6.4.5 as may be prescribed by the Regulator from time to time.
7. RIGHTS OF DATA SUBJECTS
Data subjects have the right to have their personal information processed in accordance with the conditions for the lawful processing of personal information as set out below.
8. CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
8.1 Eight conditions for the lawful processing of personal information must be complied with (as more fully set out in this policy), namely –
8.1.1 Accountability;
8.1.2 Processing limitation;
8.1.3 Purpose specification;
8.1.4 Further processing limitation;
8.1.5 Information quality;
8.1.6 Openness;
8.1.7 Security safeguards; and
8.1.8 Data subject participation.
9. CONDITION 1 – ACCOUNTABILITY
9.1 Appropriate steps must be taken to ensure that the 8 conditions and all other measures that give effect to the conditions are complied with.
9.2 CFB will be held responsible for the processing of personal information of a data subject, whether such processing is done by CFB or by service providers on CFB’s behalf.
9.3 Responsible parties must know, understand and comply with the 8 conditions for the lawful processing of personal information.
10. CONDITION 2 – PROCESSING LIMITATION
10.1 Personal information must be lawfully processed in accordance with the requirements of the Act and in a reasonable manner that does not infringe the privacy of a data subject. The easiest way to deal with this requirement is to obtain consent.
10.2 Responsible parties must examine whether they have received consent to process information that is already maintained in their operations and whether consent will be obtained in future. If necessary, systems must be put in place in order to deal with this.
10.3 When processing personal information the interests and reasonable expectations of data subjects must be taken into account.
10.4 Personal information may only be processed if such processing is adequate, relevant and not excessive. Only personal information that is appropriate for the purpose should be collected.
10.5 Personal information may only be processed if –
10.5.1 the data subject consents to the processing – consent must be voluntary, specific and informed. Whilst consent need not be in writing, it is nevertheless recommended;
10.5.2 processing is necessary in terms of a contract to which the data subject is a party;
10.5.3 processing complies with an obligation imposed by law;
10.5.4 processing protects a legitimate interest of a data subject;
10.5.5 processing is necessary to fulfil a public law duty obligation; or
10.5.6 processing is necessary for pursuing the legitimate interests of CFB or of a third party to whom information is supplied.
10.6 Notwithstanding the above, should a data subject object to the processing or further processing of their information, responsible parties must immediately stop any processing or further processing of that data subject’s personal information.
10.7 Personal information should preferably be collected directly from a data subject to ensure that the data subject knows which information is being collected. However, personal information may be collected from another source if –
10.7.1 the information forms part of a public record, or the information has deliberately been made public by the data subject;
10.7.2 the data subject has consented to collection from another source;
10.7.3 the legitimate interests of the data subject are not prejudiced (this means where the data subject may actually benefit from the processing of this personal information);
10.7.4 collection from another source is necessary to avoid prejudice to the maintenance of the law, the enforcement of the law, the collection of revenue by the South African Revenue Service, the conduct of court proceedings, the legitimate interests of national security or the maintenance of CFB’s legitimate interests;
10.7.5 compliance would be prejudicial to a lawful purpose; or
10.7.6 compliance is not reasonably practicable.
11. CONDITION 3 – PURPOSE SPECIFICATION
11.1 This condition entails 3 separate elements, namely: (1) personal information must be collected for a specific purpose; (2) the data subject must be aware of the purpose of the processing; and (3) compliance with the principles of the Act regarding the period for the retention of personal information.
11.2 Personal information must be collected for a specific, explicitly defined and lawful purpose and this should be communicated to the data subject. It must be borne in mind that the purpose for which the personal information is collected influences the processing of the information (e.g. the manner of collection, periods it may be retained, whether or not the information may be further processed, and if such information may be disclosed to third parties). It is therefore important to take all of these factors into account when formulating the purpose for which the personal information is being collected.
11.3 Before collecting personal information (including personal information collected by a third party), responsible parties must ensure that data subjects are aware of the purpose for which the information is being collected.
11.4 As a general rule, records must not be retained for longer than the period necessary for achieving the goals set out in the purpose for which the information was initially processed.
11.5 Personal information may be retained for a period longer than is actually necessary if:
11.5.1 the retention of the record is required or authorised by law;
11.5.2 CFB requires the record for lawful purposes which are related to its functions or activities;
11.5.3 the retention of the record is required by a contract between CFB and the data subject; or
11.5.4 the data subject has consented to the retention of the record.
11.6 Responsible parties must review the purposes for which they collect personal information.
11.7 The information officer will consider CFB’s privacy policies and notification practices, and determine whether data subjects are made aware of reasons when personal information is collected.
12. CONDITION 4 – FURTHER PROCESSING LIMITATION
12.1 Any further processing of personal information must be compatible with the purpose for which it was initially collected.
12.2 To assess whether further processing is compatible with the initial purpose of collection, responsible parties must take the following factors into account:
12.2.1 the relationship between the purpose for which the information was originally collected and the purpose of any further processing (i.e. whether or not the two are aimed at the same goal);
12.2.2 the nature of the information concerned (e.g. whether it is only intended and/or suitable for a specific purpose, or whether it can be used for another purpose without infringing the rights of the data subject);
12.2.3 the consequences of further processing (e.g. whether there will be any prejudice to the data subject as a result of the intended further processing);
12.2.4 the manner in which the information was collected (e.g. whether it was collected directly from the data subject, or a third party); and
12.2.5 contractual rights and obligations between CFB and the data subject.
12.3 Responsible parties must review their processes to ensure that information will only be used for the purposes for which it was collected, including during further processing.
13. CONDITION 5 – INFORMATION QUALITY
13.1 Responsible parties must take reasonably practicable steps and put systems in place to ensure that personal information which is collected and/or processed is complete, accurate, not misleading and updated where necessary.
13.2 Appropriate information security measures safeguarding the integrity of a data subject’s personal information must be employed.
14. CONDITION 6 – OPENNESS
14.1 Responsible parties must ensure transparency and fairness in the processing of personal information.
14.2 Data subjects must be provided with information which will allow them to be aware of the following:
14.2.1 the information being collected and, where the information was not collected directly from the data subject, the source from which it was collected;
14.2.2 the name and address of the responsible party;
14.2.3 the purpose for collecting the information;
14.2.4 whether or not the supply of the information by the data subject is voluntary or mandatory;
14.2.5 the consequences if the data subject fails to provide the information; and
14.2.6 whether or not the responsible party intends to transfer the information to a foreign country and if so, what the level of protection of personal information is in that country.
14.3 Notwithstanding the above, responsible parties will not have to comply with the provisions relating to openness in the following circumstances:
14.3.1 if the data subject consents to the non-compliance;
14.3.2 if non-compliance would not prejudice the legitimate interests of the data subject (the onus would be on the responsible party to prove that the data subject’s legitimate interests will not be prejudiced);
14.3.3 if non-compliance is necessary to avoid prejudice to the maintenance of the law by any public body;
14.3.4 if compliance would prejudice a lawful purpose of the collection;
14.3.5 if compliance is not reasonably practicable in the circumstances of the particular case (provided that the data subject would have consented thereto or if the circumstances were different the responsible party would have complied with the openness condition);
14.3.6 if CFB must comply with an obligation imposed by law, or enforce legislation concerning the collection of revenue; and
14.3.7 if the processing is for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated.
15. CONDITION 7 – SECURITY SAFEGUARDS
15.1 Personal information in CFB’s possession or under its control must be appropriately safeguarded against loss, destruction or unlawful access. To this end, all reasonable measures must be taken to:
15.1.1 identify all reasonably foreseeable internal and external risks to personal information in CFB’s possession or under its control;
15.1.2 establish and maintain safeguards against the risks identified;
15.1.3 regularly verify that the safeguards are effectively implemented; and
15.1.4 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
15.2 Any authorised third party or external operator who processes personal information on behalf of CFB must do so only with the knowledge and express authorisation of CFB, and must treat such personal information as confidential. In this respect, responsible parties must also ensure that third parties or external operators processing information on CFB’s behalf establish security safeguards and that these measures are maintained.
15.3 In the event that there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the information officer must notify the Regulator and the data subject of this suspicion. This obligation will not apply if the identity of the data subject cannot be established.
15.4 The information officer will:
15.4.1 review CFB’s information protection security measures, particularly from an IT perspective;
15.4.2 consider CFB’s security controls in general; and
15.4.3 check in which instances CFB uses service providers, and in those instances conclude appropriate service level agreements with them.
16. CONDITION 8 – DATA SUBJECT PARTICIPATION
16.1 Data subjects have the right to request CFB to confirm, free of charge, whether CFB holds personal information about the data subject. A data subject may also request that CFB provide such data subject with a description of their personal information held by CFB or by a third party (appointed by CFB to process the personal information) within a reasonable time.
16.2 A data subject may at any time request a correction or deletion of their personal data. Upon receipt of such a request, the information officer must investigate the request and timeously respond thereto.
17. MANNER OF ACCESS FOR DATA SUBJECTS
17.1 Employees, customers, suppliers, and service providers who require access to their own personal information held by CFB may address such requests directly to the Information Officer.
18. PRIOR AUTHORISATION
18.1 Prior authorisation for the processing of personal information must be obtained from the information regulator if a responsible party plans to –
18.1.1 process any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties;
18.1.2 process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
18.1.3 process information for the purpose of credit reporting; or
18.1.4 transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
18.2 Prior authorisation need only be obtained once and not each time that personal information is received or processed except where the processing departs from the four categories mentioned above, in which case it will need to be obtained again.
18.3 Failure to comply with the Act’s provisions relating to obtaining prior authorisation is an offence and CFB would be liable to pay a penalty.
18.4 The information officer will determine whether CFB’s information processing activities will fall within any of the categories mentioned above. If so, the information officer will notify the information regulator.
19. PROCESSING OF SPECIAL PERSONAL INFORMATION
19.1 As a general rule, CFB may not process special personal information unless:
19.1.1 processing is carried out with the consent of the data subject;
19.1.2 processing is necessary for the establishment, exercise or defence of a right or obligation in law;
19.1.3 processing is necessary to comply with an obligation of international public law;
19.1.4 processing is for historical, statistical or research purposes; or
19.1.5 information has deliberately been made public by the data subject.
20. PROCESSING OF PERSONAL INFORMATION OF CHILDREN
20.1 There is a general prohibition on the processing of personal information concerning a child unless a competent person (i.e. someone who is legally competent to consent to any action or decision being taken by a child) consents to such processing.
20.2 In the absence of consent the processing of personal information concerning a child will be permitted:
20.2.1 if it is necessary for the establishment, exercise or defence of a right or obligation in law;
20.2.2 it is necessary to comply with an obligation of international public law;
20.2.3 it is personal information that has deliberately been made public by the child with the consent of a competent person; or
20.2.4 it is done for historical, statistical or research purposes, provided that the reason serves a public interest and the processing is necessary for the purpose concerned.
20.3 Within CFB, children’s personal information can be used in different contexts. It might, for example, be contained in HR files. Responsible parties need to identify their processing of children’s personal information and make sure that the correct, lawful procedures are in place to process such information.
21. DIRECT MARKETING BY WAY OF UNSOLICITED E-COMMUNICATIONS
21.1 The Act follows an “opt in” approach to direct marketing and provides that if a data subject does not consent to the processing of its personal information for purposes of direct marketing by means of unsolicited electronic communications, including automatic calling machines, facsimile machines, SMSs or email, responsible parties would not be allowed to use and/or process the data subject’s personal information for purposes of direct marketing.
21.2 CFB is, however, permitted to approach data subjects in order to request the data subjects’ consent, provided that CFB does not approach the data subject on more than one occasion.
21.3 If the data subject is a customer of CFB, CFB would be allowed to process a data subject’s personal information for the purposes of direct marketing in the following circumstances:
21.3.1 if the contact details of the data subject were obtained in the context of the sale of a product or service;
21.3.2 for the purpose of direct marketing of CFB’s own similar products or services; and
21.3.3 if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to the use of the data subject’s electronic details.
21.4 In the event that a data subject objects to the use of their personal information for direct marketing, any further processing of such information for direct marketing would be a contravention of the Act.
21.5 Any communication for purposes of direct marketing must contain details of the identity of the sender or the person on whose behalf the communication is sent, and contain an address or other contact details to which the recipient may send a request that such communications cease.
21.6 Communication to persons other than customers for the purposes of direct marketing must be done in the prescribed manner and form.
22. ACCESS TO PERSONAL INFORMATION
22.1 Only authorised persons may have access to and the ability to process personal information, and for authorised purposes only.
22.2 Appropriate safeguards must be put in place in order to ensure the security of personal information.
22.3 Personal information requested by law enforcement authorities may only be released on presentation of an appropriate subpoena.
22.4 Personal information must not be retained for longer than is required in order to reasonably serve the authorised purposes.
22.5 Personal information must be stored in accordance with the provisions of this policy.
23. TRANS-BORDER INFORMATION FLOWS
23.1 CFB may not transfer personal information to a third party in a foreign country unless:
23.1.1 the recipient of the information is subject to a law, binding corporate rules or a binding agreement which provide an adequate level of personal data protection;
23.1.2 the data subject consents to the transfer;
23.1.3 the transfer is necessary for the conclusion of a contract that is in the interests of the data subject;
23.1.4 the transfer is for the benefit of the data subject and it is impracticable to obtain the data subject’s consent (and if it was practicable to obtain the consent, the data subject would have given the consent); or
23.1.5 the transfer is necessary for the performance of a contract between the data subject and CFB.
24. NON-COMPLIANCE AND ENFORCEMENT OF THE ACT
24.1 A data subject may submit a complaint to the Regulator, if the data subject alleges that there has been interference with the data subject’s personal information. The Regulator will be entitled to take various steps in relation to a complaint, as set out in the Act. The Regulator will have various powers in order to investigate complaints and take related action.
24.2 If the Regulator is satisfied that there has been interference with the protection of personal information of a data subject, the Regulator may require the offending party to take specific steps to refrain from the interference or to stop processing of the personal information.
24.3 The following actions constitute an offence under the Act:
24.3.1 obstruction of the Regulator;
24.3.2 breach of the Act’s confidentiality provisions;
24.3.3 obstruction of the execution of a warrant; and
24.3.4 failure to comply with the Regulator’s enforcement or information notices.
24.4 Any person convicted of an offence under the Act can be sanctioned with a fine and/or imprisonment. The Act also makes provision for civil actions that can be instituted by data subjects against responsible parties who breach the Act’s provisions.
25. COMPLIANCE
25.1 All personal information must be stored on secure CFB servers or if stored on a hard drive, all files that contain personal information must be password protected. If such servers are hosted by third parties, appropriate agreements must be in place which expressly bind the third party operator to the provisions of the Act.
25.2 A POPI consent will be included in all contracts of employment.
25.3 All personal information must be updated as and when requested or, at least, on an annual basis.
25.4 Information processed by a third party on behalf of CFB must be governed by a written and signed service level agreement, and all such third parties must prove their compliance with the Act as a condition of such service level agreements.
26. INFORMATION REGULATOR
26.1 Any employee who believes CFB has used their personal information contrary to this policy or the Act is encouraged first to follow the internal complaints process set out below to resolve the complaint.
26.2 If CFB cannot comply with a request for access to personal information, reasons will be provided and documented.
26.3 Any person may submit a complaint to the Information Regulator in the prescribed manner and form.
26.4 Contact details for the Information Regulator are:
33 Hoofd Street
Forum III, 3rd Floor Braampark
P.O. Box 31533
Braamfontein, Johannesburg, 2017
Mr Marks Thibela
Chief Executive Officer
Tel No. +27 (0) 10 023 5207, Cell No. +27 (0) 82 746 4173
inforeg@justice.gov.za
https://www.justice.gov.za/inforeg/index.html
27. INTERNAL COMPLAINTS PROCESS
27.1 Internal complaints in terms of clause 26.1 above may be submitted to the employee’s line manager. The line manager’s department will investigate the complaint, identify whether there was a breach, remedy the breach, take appropriate corrective action, and provide feedback to the employee.
27.2 If the complaint remains unresolved within 5 days of being submitted to the employee’s line manager, or if the employee is dissatisfied with the outcome of the complaint, the employee may escalate the complaint to the CFB Group Chief Executive Officer.
27.3 If the complaint remains unresolved within 5 days of being submitted to the CFB Group Chief Executive Officer, or if the employee is dissatisfied with the outcome of the complaint, the complaint may be escalated to the Information Regulator.
28. CONTRAVENTION OF THE POLICY
28.1 Employees with questions about this policy should direct them to the Information Officer.
28.2 This policy will be strictly enforced on all employees.
28.3 Employees contravening the provisions of this policy will face disciplinary action and may face civil or criminal charges.
28.4 If employees feel that their own actions have, or may have, contravened this policy, they should advise an appropriate executive.
28.5 If employees suspect that a contravention of the policy has been committed by another CFB employee, they should promptly and confidentially report this to their line manager or an appropriate executive.