In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings –
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of INTELLIDEX;”Data Subject” means the natural or juristic person to whom Personal Information relates;
- “Employees” means any employee of INTELLIDEX;
- “Operator” means a person or entity who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;
- “Research Respondent” means individuals who provide data to be analysed for the research study.
- “IMEI” means internet mobile equipment identity;
- “INTELLIDEX ” means Intellidex (Pty) Ltd;
- “IP” means internet protocol;
- “Personal Information” has the meaning ascribed thereto under POPIA and specifically includes any form of information that can be used to identify a Data Subject;
- “POPIA” means the Protection of Personal Information Act No. 4 of 2013;
- “Processing” has the meaning ascribed thereto under POPIA. “Process” has a corresponding meaning;
- “Regulator” means the Information Regulator established in terms of POPIA;
- “Responsible Party” means a public or private body or any other person which alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;
- “Special Personal Information” means Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour; and
- “Third Party” means any independent contractor, agent, consultant, sub-contractor or other representative of INTELLIDEX.
PURPOSE OF THE POILICY
- The purpose of this Policy is to inform Data Subjects about how and when INTELLIDEX Processes their Personal Information.
- INTELLIDEX, in its capacity as the Responsible Party, shall strive to observe and comply with its obligations under POPIA, as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.
- This Policy applies to Personal Information Processed by INTELLIDEX in connection with the services which INTELLIDEX offers and provides.
PURPOSE FOR PROCESSING PERSONAL INFORMATION
- INTELLIDEX understands its obligation to make Data Subjects aware that it is Processing their Personal Information and inform them of the purpose for which INTELLIDEX Processes such Personal Information.
- INTELLIDEX will only Process a Data Subject’s Personal Information for a specific, lawful and clear purpose (or for specific, lawful and clear purposes) and will ensure that it makes the Data Subject aware of such purpose(s) as far as possible.
- It will ensure that there is a legal basis for the Processing of any Personal Information. Further, INTELLIDEX will ensure that Processing will relate only to the purpose for and of which the Data Subject has been made aware (and where relevant, consented to) and will not Process any Personal Information for any other purpose(s).
- INTELLIDEX will generally use Personal Information for purposes required to operate and manage its normal business operations and these purposes include one or more of the following non-exhaustive purposes –
- research on financial markets and socioeconomic development;
- sending Data Subjects marketing and other business development related material which INTELLIDEX believes may be of interest to the Data Subject;
- keeping a record of Data Subjects that access INTELLIDEX’s reports published on its website;
- for purposes of market research;
- in connection with the execution of payment processing functions, including payment of INTELLIDEX’s supplier invoices;
- for employment-related purposes such as recruitment, administering payroll and carrying out background checks;
- in connection with internal audit purposes (i.e. ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);
- in connection with external audit purposes, INTELLIDEX engages external service providers and, in so doing, shares Personal Information of the Data Subjects with third parties;
- to respond to any correspondence that INTELLIDEX receives, including via email, fax, post or by telephone;
- for such other purposes to which the Data Subject may consent to from time to time; and
- for such other purposes as authorised in terms of applicable law.
INFORMATION WE MAY COLLECT ABOUT THE DATA SUBJECT
- When visitors leave comments on the INTELLIDEX’s website, we may collect certain information that is not Personal Information such as the Data Subject’s operating system, device type, IP address, browser type and the internet service provider. This type of information does not identify you personally.
- If you leave a comment on our website you may opt-in to saving your name, email address and website in the cookies. These are for your convenience so that you do not have to fill in your log-in details again when you leave another comment. These cookies will last for one year.
- If you have an account and you log in to our website, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
- We store the Personal information of Data Subjects that register on our website,
- In particular, we may collect and Process the following information (which may include Personal Data) about you ―
- information that you provide to us and/or allow the Data Subject to access our website, their personal profile and/or leave comments on our website;
- information about your device software and hardware, including the unique IMEI number of your mobile telephone, your email address, IP address, mobile phone number, date and time and country of your device;
- your geographic location, information based on your mobile network operator’s tower details, GPS (Global Positioning System) and/or WIFI communications network location;
- information that we may ask you for if you report a problem with our website;
- details of your visits to our website (including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access;
- information provided by you if you contact us, or if we contact you, and we may keep a record of that correspondence;
- information about you when you voluntarily register with us to receive company related alerts, complete our online information request form, complete any user surveys and fill-in job seeker forms; and
- your name, email address and country of residence if you would like to receive one of our newsletters or marketing materials.
6. We collect and process any special categories of Personal Information of the Data Subject in limited circumstances. Where we process special categories of Personal Information, we only do so where we have obtained your explicit consent from the Data subject or where such processing is necessary for purposes of carrying out our legal obligations.
LAWFUL PROCESSING OF PERSONAL INFORMATION
- Where INTELLIDEX is the Responsible Party, it will only Process a Data Subject’s Personal Information (other than for Special Personal Information) where –
- consent of the Data Subject (or a competent person, where the Data Subject is a Child) is obtained;
- Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;
- Processing complies with an obligation imposed by law on INTELLIDEX;
- Processing protects a legitimate interest of the Data Subject; and/or
- Processing is necessary for pursuing the legitimate interests of INTELLIDEX or of a third party to whom the information is supplied.
2. INTELLIDEX will only Process Personal Information where one of the legal grounds referred to in paragraph 1 above are present.
- Where required (i.e., where we are not relying on a legal ground listed in paragraph 1 above), INTELLIDEX will obtain the Data Subject’s consent prior to collecting, and in any case prior to using or disclosing, the Personal Information for any purpose.
- INTELLIDEX will make the manner and reason for which the Personal Information will be Processed clear to the Data Subject.
- Where INTELLIDEX is relying on a Data Subject’s consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to INTELLIDEX Processing of the Personal Information at any time. However, this will not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or any Processing justified by any other legal ground provided under POPIA.
- If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, INTELLIDEX will ensure that the Personal Information is no longer Processed or is de-identified .
SPECIAL PERSONAL INFORMATION AND PERSONAL INFORMATION
- Special Personal Information is sensitive Personal Information of a Data Subject and INTELLIDEX acknowledges that it will generally not Process Special Personal Information unless –
- Processing is carried out in accordance with the Data Subject’s consent;
- Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- Processing is for historical, statistical or research purposes, subject to stipulated safeguards;
- information has deliberately been made public by the Data Subject; or
- specific authorisation applies in terms of POPIA.
2. INTELLIDEX acknowledges that it may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.
KEEPING PERSONAL INFORMATION ACCURATE
- INTELLIDEX will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further processed.
- INTELLIDEX may not always expressly request the Data Subject to verify and update his/her/its Personal Information unless this process is specifically necessary.
- INTELLIDEX, however, expects that the Data Subject will notify INTELLIDEX from time to time in writing of any updates required in respect of his/her/its Personal Information.
STORAGE AND PROCESSING OF PERSONAL INFORMATION by INTELLIDEX AND THIRD PARTY SERVICE PROVIDERS
- INTELLIDEX may store your Personal Information in hardcopy format and/or in electronic format using INTELLIDEX’s own secure on-site servers or other internally hosted technology. Your Personal Information may also be stored by Third Parties, via cloud services or other technology, with whom INTELLIDEX has contracted with, to support INTELLIDEX’s business operations.
- INTELLIDEX’s Third Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.
- INTELLIDEX will ensure that such Third Party service providers will process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and POPIA.
- These Third Parties do not use or have access to your Personal Information other than for purposes specified by us, and INTELLIDEX requires such parties to employ at least the same level of security INTELLIDEX uses to protect your personal data.
RETENTION OF PERSONAL INFORMATION
- INTELLIDEX may keep records of the Personal Information it has collected, correspondence, or comments in an electronic or hardcopy file format.
- In terms of POPIA, INTELLIDEX may not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –
- where the retention of the record is required or authorised by law;
- INTELLIDEX requires the record to fulfil its lawful functions or activities;
- retention of the record is required by a contract between the parties thereto;
- the data subject (or competent person, where the data subject is a child) has consented to such longer retention; or
- the record is retained for historical, research or statistical purposes provided safeguards are put in place to prevent use for any other purpose.
3. Accordingly, INTELLIDEX will, subject to the exceptions noted in this Policy, retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by applicable law.
4. Where INTELLIDEX retains Personal Information for longer periods for statistical, historical or research purposes, INTELLIDEX will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and applicable laws.
5. Once the purpose for which the Personal Information was initially collected and Processed no longer applies or becomes obsolete, INTELLIDEX will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information. In instances where we de-identify your Personal Information, INTELLIDEX may use such de-identified information indefinitely.
SECURING OF PERSONAL INFORMATION
- INTELLIDEX shall preserve the security of Personal Information and strive to take steps to prevent its alteration, loss and damage, or access by non-authorised third parties.
- INTELLIDEX will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent interference loss, misuse modification unlawful access and unauthorised destruction or disclosure of Personal Information.
- INTELLIDEX has implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry specific requirements or professional rules) to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification. Further, INTELLIDEX maintains and regularly verifies that the security measures are effective and regularly updates same in response to new risks.
BREACHES OF PERSONAL INFORMATION
- A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.
- INTELLIDEX will address any Data Breach in accordance with the provisions of POPIA.
- INTELLIDEX will notify the Regulator and the affected Data Subject (unless the applicable law requires that we delay notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject’s Personal Information.
- INTELLIDEX will provide such notification as soon as is reasonably possible after it has become aware of any Data Breach in respect of such a Data Subject’s Personal Information.
PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS
- INTELLIDEX may disclose Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy and
- INTELLIDEX notes that such Third Parties may assist INTELLIDEX with the purposes listed in paragraph 3 above – for example, service providers may be used, inter alia,
- for data storage;
- to assist INTELLIDEX with auditing processes (external auditors); and/or
- to notify the Data Subjects of any pertinent information concerning INTELLIDEX.
3. INTELLIDEX will disclose Personal Information with the consent of the Data Subject or if INTELLIDEX is permitted to do so without such consent in accordance with applicable laws.
4. When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, INTELLIDEX will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information where INTELLIDEX, is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under POPIA.
5. The Data Subject should also take note that the Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.
ACCESS TO PERSONAL INFORMATION
- POPIA read with the relevant provisions of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA“) confers certain access rights on Data Subjects. These rights are set out in INTELLIDEX’s PAIA Manual, which can be found www.intellidex.co.za (“PAIA Manual“).
CHANGES TO THIS POLICY
- INTELLIDEX, reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify Data Subjects of such amendments.
- The current version of this Policy will govern the respective rights and obligations between you and INTELLIDEX.
- All comments, questions, concerns or complaints, regarding your Personal Information or this Policy, should be forwarded to our Information Officer; email: firstname.lastname@example.org or telephone: 010 072 0472 or our Deputy Information Officer: email is email@example.com. Please always copy: firstname.lastname@example.org.
- The Data Subject also has the right to lodge a complaint with the Information Regulator, the details of which are: Website: http://justice.gov.za/inforeg/; Telephone: 012 406 4818; Fax: 086 500 3351; Email: email@example.com