BACKGROUND TO DATA PRIVACY IN SOUTH AFRICA
The Protection of Personal Information Act, 4 of 2013, (“POPIA”), which came into force on 1 July 2021, is a law which regulates the use and processing of a person and / legal entity’s personal information, this being in response
to, and in order to protect and give effect to a person and/or legal entity’s rights to privacy, including the right not to have their / its personal information and related data misused, abused or used for ulterior purposes.
POPIA applies to personal information which belongs to individuals and legal entities (“Data Subjects”) which is processed, be it in an automated or non-automated manner in South Africa, by another (“Responsible Party”) and places
on any Responsible Party who is processing a data Subject’s personal information, a duty to use it lawfully and only for a specific and defined purpose(s).
In terms of POPIA, THE COMPANY, as a Responsible Party, is required to appoint an Information Officer (“IO”) and Deputy Information Officers (“DIOs”), to be responsible for establishing a POPIA Compliance Framework, and who
following this, are required to assess, analyse and understand what types of personal information THE COMPANY is processing which belongs to Data Subjects and to thereafter develop certain processes and procedures, including a POPIA
Policy, which have to be followed by all THE COMPANY personnel when they process and use another’s personal information.
A Personal Information Impact Assessment as per THE COMPANY POPIA Compliance Framework has been carried out and created, which has indicated that THE COMPANY, during the course of its business activities does and will continue to
collect, store and process personal information about THE COMPANY employees, its customers, suppliers and other third parties.
Furthermore, the Impact Assessment has defined and revealed that THE COMPANY processes a large amount of different types of personal information including names, addresses, opinions, financial details, medical details and the like
which pertain to current, past and prospective employees and customers, suppliers, and others who THE COMPANY communicates and deals with, and which processing is carried out for a variety of purposes, including for business,
compliance and legal purposes.
THE COMPANY also processes special personal information including gender, sex, marital status, colour, age, race or ethnic origin, religious beliefs, trade union membership and the like for the purposes of recruitment, employment
equity statistics, legal compliance and for the facilitation of union fees and memberships.
Following the Personal Information Impact Assessment, THE COMPANY is confident that whilst this personal information is held on paper or on a computer or other media, such storage is subject to the prescribed legal safeguards as
specified in POPIA and other regulations.
This Policy is in respect of and/or applies to KAL Group Bedryf Limited, (Registration Number: 1995/000336/06), together with its holding company, KAL Group Limited (Registration number: 2011/113185/06) being a JSE Listed entity,
and all its subsidiaries, related entities listed and outlined in clause 21.3, (which entities will hereinafter be referred to collectively as "KAB", “we”, ”us”, “or “THE COMPANY”). This policy sets out how THE COMPANY personnel are
to go about processing and using another’s personal information, which information needs to be processed lawfully and in accordance with POPIA.
STATEMENT FROM THE COMPANY BOARD OF DIRECTORS
THE COMPANY has a long and proud tradition of conducting business with the highest level of integrity, in accordance with the highest ethical standards and in full compliance with all applicable laws, including the law
known as the Protection of Personal Information Act, 4 of 2013, (POPIA), which regulates the Processing of Personal Information.
The Protection of Personal Information Policy has been developed at the direction of THE COMPANY’s Board of Directors in order to provide clear guidance to all directors, employees and those who Process Personal
Information on behalf of THE COMPANY on how they are to Process Personal Information, thereby ensuring that all Personal Information Processed by THE COMPANY is done in a lawful, transparent and consistent manner and in
full compliance with all and any applicable data protection laws which may from time to time apply to its operations, including POPIA and the General Data Protection Regulation 2016/679 (GDPR) applicable in the EU
(hereinafter referred collectively as the “Data protection laws”).
- THE COMPANY requires compliance with all its policies, including this Protection of Personal Information Policy.
INFORMATION PROCESSING TERMS AND DEFINITIONS
- POPIA makes use of certain terms and references, which will be used in this Policy, which are explained below:
“Consent” means in relation to POPIA, any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify
agreement to the Processing of Personal Information about them;
- “Data Subject” means any individual or legal entity;
“Operator” means any person who Processes Personal Information on behalf of a Responsible Party as a contractor or sub-contractor, in terms of a contract or mandate, without coming under the direct
authority of the Responsible Party;
“Processing Notices” means a notice setting out the prescribed information that must be provided to Data Subjects before collecting his, her or its Personal Information, (also known as “section 18 POPIA
notices”, “privacy notices” or “data protection notices”).
“Personal Information/PI” means Personal Information relating to any identifiable, living, natural person, and an identifiable, existing juristic person, including, but not limited to:
- name, address, contact details, date of birth, place of birth, identity number, passport number;
- bank details;
- qualifications, expertise, employment details;
- tax number;
- vehicle registration;
- dietary preferences;
- financial details including credit history;
- next of kin / dependants;
- education or employment history; and
Special Personal Information/SPI, being including race, gender, pregnancy, national, ethnic or social origin, colour, physical or mental health, disability, criminal history, including offences committed or
alleged to have been committed, membership of a trade union and biometric information, such as images, fingerprints and voiceprints, blood typing, DNA analysis, retinal scanning and voice recognition.
- “Personnel” means THE COMPANY directors, employees and any other person who may Process Personal Information on behalf of THE COMPANY.
“Processing, Process, Processed” means in relation to Personal Information, the collection, receipt, recording, collation, storage, updating or modification, retrieval, alteration, consultation or use;
dissemination by means of transmission, distribution or making available in any other form; merging, linking, as well as restriction, degradation, erasure or destruction of information; or sharing with, transfer and
further Processing, including physical, manual and automatic and in relation thereto which may be held on a “Record” which means any recorded information housing Personal Information Processed by THE COMPANY, or its
Personnel, regardless of form or medium.
- “Purpose” means the underlying reason why a Responsible Party or Controller needs to Process a Data Subject’s Personal Information.
- “Responsible Party” means, in relation to POPIA, the person or legal entity who is Processing a Data Subject’s Personal Information.
SCOPE AND APPLICATION
This Policy applies to any persons who Process Personal Information on behalf of THE COMPANY, including THE COMPANY directors, employees and Operators, who will hereinafter be referred to collectively as “Personnel”.
LAWFUL BASIS FOR PROCESSING
In terms of POPIA, where Personal Information is Processed such Processing must be done lawfully and in a reasonable manner that does not infringe on the privacy of the Data Subject. In order to discharge the above
obligations, Personnel must comply with the Processing guides, rules and procedures set out below.
A Data Subject does not have to Consent to the Processing of his, her or its Personal Information where there is a lawful basis for such Processing. A lawful basis for Processing in terms of the Data Processing laws, is
- the Processing is necessary to conclude a contract to which the Data Subject is a party and to perform contractual obligations or give effect to contractual rights;
- the Processing is necessary in order to comply with a law or to comply with certain legal obligations imposed by a law;
the Processing is necessary to protect THE COMPANY ’s legitimate interests or rights, the Data Subject’s legitimate interests or rights or a third party’s legitimate interests or rights, unless there is a good
reason to protect the Data Subject’s Personal Information which overrides those legitimate interests;
- the Processing is necessary in order to perform a public duty or to perform tasks carried out in the public interest or the exercise of official authority.
- Where there is no lawful basis for the Processing, then the Data Subject, has to Consent to the Processing.
Personnel must ensure that prior to Processing a Data Subject’s Personal Information, that there is either a lawful reason for the Processing, or alternatively that the Data Subject has Consented to such Processing,
which lawful reason will be described under the specific and informative THE COMPANY Processing notice, or in the absence of a lawful reason, will call for the Data Subject’s consent.
A Data Subject may withdraw his, her, its Consent so long as it provides THE COMPANY with a “withdrawal of consent notice”, which notice is available on THE COMPANY website, which request will be handled and actioned
directly by the duly appointed THE COMPANY Information Officer or Deputy Information Officer (Information Officer), of THE COMPANY, which outcome in turn, will be relayed to the respective Personnel who has been
Processing such Personal Information.
A Data Subject may not withdraw Consent where no Consent is required, i.e., where THE COMPANY can show that there is a lawful basis for the Processing. In such a case the Data Subject may only object to such Processing,
provided that an “Objection notice” is sent to THE COMPANY , which notice is available on THE COMPANY website, which request will be handled and actioned directly by the Information Officer and which outcome will be
relayed to the respective Personnel who has been Processing such Personal Information.
Where a Data Subject withdraws Consent or objects to the Processing, in such case THE COMPANY and the respective Personnel who has been Processing the impacted Personal Information, will have to stop Processing the
Personal Information, unless THE COMPANY can show compelling legitimate grounds for the Processing which overrides the interests, rights and freedoms of the Data Subject, or the Processing is necessary for the
establishment, exercise or defence of legal claims.
The Information Officer will at the time of the withdrawal or objection referred to above, explain to the Data Subject the effects and consequences of any withdrawal or objection and relay the outcome to the respective
Personnel who has been Processing such Personal Information.
- may only be collected for a specified, explicit and legitimate purpose;
- must only be used for the purpose for which it was collected and for no other purpose, unless the Data Subject has been informed of the other purposes;
- may not be further Processed or used for any subsequent purpose, unless that Personal Information is required for a similar purpose; and such Processing is compatible with the initial purpose.
THE COMPANY, for the purposes of carrying out its business and related objectives Processes Personal Information belonging to a vast range of Data Subjects, including employees and staff, prospective employees and job
applicants, students and interns, service providers and contractors, vendors, clients, customers, and other third parties, which Processing is required for a variety of business-related purposes.
Examples of these purposes are described below:
- to recruit and employ - employment;
- to sell or purchase goods and services - procurement and supply chain;
- concluding and managing a contract or business transaction - contract;
- conducting criminal reference checks - legitimate interest;
- risk assessments - legitimate interest;
- insurance and underwriting purposes - legitimate interest;
- assessing and Processing queries, enquiries, complaints, and/or claims - legitimate interest;
- conducting credit checks - legitimate interest;
- confirming, verifying and updating personal details - legitimate interest;
- detection and prevention of fraud, crime, money laundering or other malpractices - legitimate interest;
- conducting market or customer satisfaction research - legitimate interest;
- direct marketing - marketing;
- audit and record keeping purposes - legitimate interest;
- managing debtor and creditors - legitimate interest;
- complying with laws and regulations - laws;
- dealing with regulators - laws;
- paying taxes - laws;
- collecting debts or legal proceedings - legitimate interest;
- communications - legitimate interest;
- managing employees - employment.
THE COMPANY personnel must:
- ensure that before Personal Information is Processed, there is a valid and legitimate reason for such Processing; and
advise all Data Subjects why the Personal Information is required, i.e., the purpose for the Processing, which purpose will be described under THE COMPANY Processing notices, housed on THE COMPANY website, which
the Data Subject should be directed to.
- All Personal Information Processed by THE COMPANY must be accurate and, where necessary, kept updated.
In order to ensure that Personal Information is accurate and is up to date, Personnel must use reasonable endeavours and as far as reasonably practicable:
take all and every reasonable step to ensure that all Personal Information which they Process is accurate, having regard to the purposes for which it is Processed, and where it is found to be inaccurate, that it
is where possible, updated and rectified without delay;
- implement procedures allowing Data Subjects to update their Personal Information;
- send out regular communications to Data Subject on an annual basis requesting “updates to details” which if responded to, should be acted on immediately by the relevant or responsible department;
- where appropriate, and possible, ensure that any inaccurate or out-of-date records are updated and the redundant information deleted or destroyed;
take note of the rights of the Data Subject in relation to updates and rectifications of Personal Information, housed under THE COMPANY Processing Notices and give effect to any update request, when such request
has been communicated through to it by the Information Officer.
- THE COMPANY may not Process Personal Information which is not necessary for the Purpose for which the Personal Information is Processed.
Personnel must use reasonable endeavours and as far as reasonably practicable:
- ensure that when they process Personal Information on behalf of THE COMPANY, that it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed; and
revisit all pre-populated questionnaires and forms which are currently used to collect or house Personal Information and consider the purpose or reason for the collection and thereafter analyse the types of
Personal Information which is request or collected and where of the view that certain Personal Information is not needed for the defined purpose, then such information should no longer be called for, collected
and/or recorded and the relevant areas where this information is housed or asked for should be deleted.
TRANSPARENCY AND PROCESSING NOTICES
- THE COMPANY has a duty to show that it has dealt with a Data Subject in a transparent manner.
In order to demonstrate transparency, THE COMPANY must use reasonable endeavours and as far as reasonably practicable refer all Data Subjects, to a specific and informed Processing Notice, at the time when THE COMPANY
collects and Processes a Data Subject’s Personal Information or within a reasonable period thereafter, which Processing notice must set out:
- the types of Personal Information Processed, and the purpose or reason for the Processing;
- the lawful basis relied upon for such Processing or whether Consent is required for the Processing;
- the period for which the Personal Information will be retained;
- who the Personal Information will be shared with, including external or cross border transfers and the mechanism(s) relied upon for such transfer;
the security measures which are in place to protect the Personal Information, including where the Personal Information is sent to parties’ cross border and the mechanism(s) relied upon for such protection; and
- the respective rights of the Data Subject and how these rights may be exercised.
In order to meet its obligations under 9.2 above, THE COMPANY has developed and placed on its website the following informed and specific Processing Notices which apply to the different Data Subject categories with whom
it deals with:
- a Human Resources Processing Notice, which applies to all employees – prospective and actual, all bursary or learnership beneficiaries - prospective or actual;
a Procurement Processing Notice, which applies to all participants in THE COMPANY supply chain, including persons who provide goods and services to THE COMPANY (service providers), persons or
entities who purchase goods or services from THE COMPANY (Customers), and/or other parties who THE COMPANY may engage with and who make up THE COMPANY Procurement and supply chain, including Regulators;
a Company Secretarial Processing Notice, which applies to all Data Subjects who deal with THE COMPANY from a company secretarial perspective, including directors, trustees, investors, Regulators,
shareholders, stakeholders and/or other parties who THE COMPANY may engage with;
- a Security Processing Notice, which applies to any persons who come onto THE COMPANY sites, facilities and offices who THE COMPANY may engage with;
- a Website Privacy Notice which applies to any persons who make use of THE COMPANY websites, social media websites, emails, and other IT related communications facilities and platforms.
In order to give effect to the above transparency requirement, Personnel must use reasonable endeavours and as far as reasonably practicable:
- all understand the provisions of the Data Processing laws;
- familiarise themselves with the abovementioned Processing Notices and any others which THE COMPANY may implement from time to time, and any changes made thereto;
- familiarise themselves with, where applicable, THE COMPANY standard binding corporate rules, its standard Personal Information transfer agreement and/or its Operator agreement;
- ensure that all THE COMPANY documents, forms or other records (Records) which house or call for Personal Information contain the following Data Processing details:
“Please note that in order for THE COMPANY to engage with you, it will have to Process certain Personal Information which belongs to you, which Processing is described and explained under the specific and
informative Processing Notices, housed for ease of reference on THE COMPANY’s website which we ask that you download and read. By providing us with the required Personal Information, such act will be taken as an
indication that you have read and agree with the provisions described under the Processing Notice and where applicable, you consent to the processing by us of your Personal Information.
- at the time of Processing, direct the Data Subjects who you deal with to the applicable area of THE COMPANY website where the specific and informative THE COMPANY Processing notices are housed.
GENERAL DUTIES: CONFIDENTIALITY, INTEGRITY AND SECURITY OF PERSONAL INFORMATION
In order to safeguard, secure and ensure the confidentiality and integrity of all Personal Information held by or under the control of THE COMPANY, THE COMPANY together with its Personnel must use reasonable endeavours
and as far as reasonably practicable;
- identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
- document the identified risks;
- establish, in response to the identified risks, reasonable technical and organizational measures across all areas where Personal Information is held or stored, including electronic and physical mediums;
implement and maintain all approved and required measures across all areas where Personal Information is held or stored, including electronic and physical measures, all which are designed to minimise the risk of
loss, damage, unauthorised destruction and/or unlawful access of Personal Information;
regularly verify that these measures are effectively implemented; and ensure that the measures are continually updated in response to new risks or deficiencies in previously implemented measures and safeguards,
which measures include, where appropriate, among others, the following:
- the pseudonymisation and encryption of Personal Information;
- ongoing efforts to ensure the long-term confidentiality, integrity, availability and resilience of Personal Information housed within THE COMPANY environment;
- applications and processes which have the ability to rapidly restore the availability of and access to Personal Information in the event of a tangible or technical incident; and
procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of Processing, including regular IT Security
The duty to ensure data privacy, confidentiality and integrity of Personal Information starts when THE COMPANY initially interacts with a Data Subject and will continue throughout the relationship, until the purpose for
the Processing of the Personal Information comes to an end.
RECORDS MANAGEMENT DUTIES: CONFIDENTIALITY, INTEGRITY AND SECURITY OF PERSONAL INFORMATION
In order to ensure the confidentiality and integrity of all Records which house or contain Personal Information which are held by THE COMPANY, and in order to safeguard and secure these Records, Personnel must use
reasonable endeavours and as far as reasonably practicable ensure that:
- all Processing of Personal Information activities and communications are reduced to writing and retained in a Record, which Record may either be electronic, or paper based;
each Record created is housed in a folder (Folder), and where applicable in sub folders of the Folder being a storage area, either electronic or paper based and in turn each Folder / subfolder is given an
appropriate title or Folder name using THE COMPANY naming convention set out under Annexure “A”;
- Folders and Records must be named in a consistent and logical manner so they can be located, identified and retrieved as quickly and easily as possible;
- all Folders and Records must be stored and saved in a way that the contents are identifiable as per the agreed COMPANY naming convention;
the name of the Folder and related sub folders and Records held in such Folders must be recorded in a Department specific Records Register which has to be compiled for each department, using THE COMPANY standard
Department Management Register set out under Annexure “A”, including the following details:
- the name of the Folder and related Records;
- format of the Folder and related Records;
- location of Record - including physical or electronic location;
- who has access to the Folder, and the Records;
- status of the Folder and the Records;
- retention period pertaining to the Folder and/or Records; and
- destruction date of the Records, when available;
- their respective department head reviews their own department specific Records Register annually to ensure compliance with this Policy;
- each department provides a copy of its department specific Records Register to THE COMPANY Records Manager, or where there is no Manager, to the Information Officer, annually, or on request.
Upon termination of employment, or change of job roles or responsibilities of Personnel, the affected line manager responsible for such Personnel must ensure that all access rights to any of THE COMPANY Folders or
Records is removed immediately and that all THE COMPANY assets used to access the Folders and or Records are returned to THE COMPANY , and that all physical access rights to THE COMPANY premises and facilities are
revoked or cancelled.
RECORDS MANAGEMENT DUTIES: STORAGE OF RECORDS HOUSING PERSONAL INFORMATION
In order to ensure the confidentiality and integrity of all paper-based Records which house or contain Personal Information, which are held by THE COMPANY, and in order to safeguard and secure these Records, Personnel
must use reasonable endeavours and as far as reasonably practicable ensure that all paper-based Records:
- which are housed in physical storage areas are labelled and the details recorded in the Department Records Register;
- when in use, are not left around for others to access, and are not left in places where persons can view the contents e.g., on a printer or on unmanned desks;
- are stored securely when not in use, in Folders, which in turn are placed in locked boxes, drawers, cabinets, or similar structures or containers;
- that only Personnel who are required, on an operational and need to know basis, are given access to such Records and/or Folders; and
such Records and/or Folders are only removed from THE COMPANY premises or work/office base if such removal is recorded in the Department Management Register and when removed off site, such Records are safeguarded
and kept confidential.
In order to ensure the confidentiality and integrity of all electronic Records which house or contain Personal Information, which are held by THE COMPANY, and in order to safeguard and secure these Records,
Personnel must use reasonable endeavours and as far as reasonably practicable ensure that:
- they comply with all applicable THE COMPANY IT Policies and Procedures, especially THE COMPANY IT end user policy;
all electronic Records are stored and housed on THE COMPANY servers which are protected by approved security software, and one or more firewalls under the direction of THE COMPANY IT Manager and where
transferred or uploaded to cloud computing services from computers, devices and applications, that these services have been approved by THE COMPANY IT Manager;
all devices where electronic Folders and/ or Records are stored, are password protected and that passwords are not written down or shared, irrespective of seniority or department, which passwords must be
strong passwords which are changed regularly. If a password is forgotten, it must be reset using the applicable method;
- all network devices and drives where electronic Folders and Records are stored have access control measures in place;
electronic Folders and Records are not stored on mobile devices and removable media, which includes, but is not limited to: smart phones, tablets and IPads, Digital media, USB sticks, external hard
drives, CDs, DVDs, memory cards, tapes, unless the device is password protected and the content of such Record(s) is where possible encrypted;
where one needs to use and access the contents of an electronic Folder or Record, off site, which will not be accessed using THE COMPANY secured servers, and which will be downloaded on to portable device
for off-site working purposes, such person must only remove the Folders and/or Records or parts thereof if such removal is recorded in the Department Records Register; only the record(s) which are
necessary for one’s immediate needs are removed; where possible and feasible, the Personal Information to be removed is strongly encrypted; and when removed off site, such Records are safeguarded and kept
confidential and when no longer needed, that the removed Folder and/or Record, once dealt with is deleted from the portable device;
all electronic Records are regularly backed up using THE COMPANY provided systems and applications and in accordance with backup protocols. Such backups will be tested regularly in line with THE COMPANY
standard backup procedures and protocols under the direction of the IT Manager;
- all device screens, when not in use are always locked especially when left unattended and password protected;
- electronic Records are only transmitted over secure networks, including wireless and wired networks.
RECORDS MANAGEMENT DUTIES: RETENTION AND DISPOSAL OF RECORDS HOUSING PERSONAL INFORMATION
Folders and Records housing Personal Information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless the longer retention
of the Folder or Record:
- is required or authorised by law;
- is required by THE COMPANY for lawful purposes related to its functions or activities;
- is required by a contract between the parties thereto; or
- is as per consent, received from the Data Subject who owns the Personal Information.
Records housing Personal Information may be retained indefinitely for business, historical, statistical or research purposes provided that THE COMPANY has used reasonable endeavours and as far as reasonably practicable
established appropriate safeguards against the Records being used for any other purposes.
- Each department of THE COMPANY will be responsible for the correct management of their Folders and Records, including the closing and archiving of these Records when they are no longer needed.
In order to ensure that the above duties are discharged, all Personnel must use reasonable endeavours and as far as reasonably practicable ensure that:
- on an ongoing basis they manage the respective life cycles of Folders and Records under their control;
- they establish what record retention periods and related requirements apply to the respective Folders and Records under their control, as per THE COMPANY Records Retention Policy;
- the record retention periods and related requirements are recorded in the department’s relevant Document Management Register;
- a Folder and Record is formally closed when the matter housed in the Folder or Record comes to an end, which is documented in the relevant Document Management Register;
- a closed Folder or Record is moved to a dedicated archive storage area where the Folder or Record will be retained for the required retention period;
- Folders and Records are only archived in secure storage media;
- only authorized personnel are granted physical and system-based access to archived Folders and Records;
- Folders and Records in archived areas are regularly backed up;
- once the prescribed retention period in respect of an archived Folder or Record has expired, the Folder or Record is marked “for deletion or disposal”;
before a Folder or Record is deleted or destroyed, the department head must obtain permission to delete or destroy said Folder or Record from the Records Manager where applicable, and the Information Officer,
which will be reflected in the relevant department Document Management Register;
each department, once approval for the deletion / destruction of the Folder or Record has been received, via the head of the department, will be responsible for the deletion or destruction of such archived Folder
or Record after the expiration of the retention period, unless instructed otherwise by the Records Manager where applicable, or the Information Officer, for example when there is a requirement to place the Folder
or Record under a legal hold;
- the legal hold status must be indicated under the relevant Folder or Record in the relevant Document Management Register;
- during a legal hold procedure, the affected Folder or Record must not be destroyed, even if the retention period has expired;
- the deletion / disposal of Folders and Records must ensure the permanent and complete deletion / disposal of all originals and reproductions (including both paper and electronically stored records);
- the department head is responsible for documenting the destruction details under the relevant department Document Management Register.
Where THE COMPANY makes use of an Operator, in terms of sections 19-21 of POPIA, it must use reasonable endeavours and as far as reasonably practicable ensure that the Operator only uses the Personal Information as per
the mandate to Process issued by THE COMPANY, keeps the Personal Information placed under its control, confidential, secure and safe, and that a standard Operator agreement/addendum is concluded between THE COMPANY and
the Operator, which sets out the above provisions and any other terms and rules which the Operator will have to follow when Processing Personal Information on behalf of THE COMPANY, which Operator agreement/addendum is
housed on THE COMPANY website.
All Personnel must use reasonable endeavours and as far as reasonably practicable:
- familiarise themselves with the standard Operator agreement/addendum of THE COMPANY;
ascertain who they use as Operators, now and in the future, include such details under an Operator register, and ensure that all such Operators sign the standard Operator agreement/addendum or a similar one which
has been approved and signed off by THE COMPANY Legal Department;
ensure that Operator agreement/addendum is followed by an Operator and that where an Operator agreement/addendum is breached, bring this to the attention of one’s line manager and the Information Officer and
following a decision reached by these parties, carry out the planned course of action, which ultimately must aim to protect and secure the Personal Information which is the subject matter of that Operator
SHARING PERSONAL INFORMATION
THE COMPANY may not share Personal Information with third parties in South Africa, unless:
- there is a legitimate business need to share the Personal Information; or
- the Data Subject has been made aware that his, her or its Personal Information will be shared with others and has, where required, given consent to such sharing; or
the person receiving the Personal Information has agreed to keep the Personal Information confidential and to use it only for the purpose for which it was shared under the standard Personal Information transfer
agreement of THE COMPANY, which is housed on THE COMPANY website or, where acting as an Operator, has concluded an Operator agreement with THE COMPANY, before receipt of the Personal Information.
In order to ensure that the above takes place, Personnel must ensure:
that where Personal Information is shared externally with a third party, there is a legitimate business need to share the Personal Information; or the Data Subject has been made aware that his, her or its
Personal Information will be shared with others and has, where required, given consent to such sharing; or
in the absence of the above two situations, has signed the standard Personal Information transfer agreement of THE COMPANY which is concluded with the recipient, before receipt of the Personal
- that where Personal Information is shared with an Operator, that THE COMPANY standard Operator agreement/addendum is concluded with the Operator before receipt of the Personal Information;
- that any requested deviations to THE COMPANY standard Personal Information transfer agreement or the Operator agreement/addendum is vetted and approved by THE COMPANY Legal Department;
when sending emails which contain Personal Information, that they are marked “confidential”, do not contain the Personal Information in the body of the email, whether sent or received, but rather placed in an
attachment, which attachment is password protected or encrypted before being transferred electronically;
- that Personal Information is not transferred or sent to any entity not authorised directly to receive it;
that where Personal Information is to be sent by facsimile transmission, that the recipient has been informed in advance of the transmission and that he or she is waiting by the fax machine to receive the data;
that where Personal Information is transferred physically, whether in hardcopy form or on removable electronic media, that it is passed directly to the recipient or sent using delivery services and housed in a
suitable container marked “confidential”;
- that where Personal Information is shared internally, that adequate measures are put in place to protect the confidentiality and integrity of such information.
CROSS BORDER TRANSFERS OF PERSONAL INFORMATION
THE COMPANY may not transfer Personal Information to another party who is situated outside South Africa, unless
- the Data Subject Consents (under POPIA); or
the transfer is necessary in order to perform a contract between THE COMPANY and a Data Subject, or for reasons of public interest, or to establish, exercise or defend legal claims or to protect the vital or
legitimate interests of the Data Subject in circumstances where the Data Subject is incapable of giving Consent; or
the country where the Personal Information is being transferred to provides the Data Subject with the same level of protection as is housed under the data processing laws applicable in South Africa; or
THE COMPANY has concluded a Personal Information data transfer agreement with the recipient of the Personal Information, either in the form of a standard binding corporate rule, or an Operator agreement/addendum
or a Personal Information transfer agreement, which sets out the rules which apply to the receipt and subsequent Processing of that Persona Information.
In order to ensure that the above is followed, Personnel may not transfer Personal Information to areas outside South Africa, unless one of the following controls and safeguards are in place:
the South African Data Privacy /Personal Information Regulator has issued an “adequacy decision” confirming that the territory or country where THE COMPANY proposes transferring the Personal Information to, has
adequate Data Protection laws in place which will afford the Data Subject with the same level of protection as that under POPIA;
- the standard Personal Information data transfer agreement or Operator agreement/addendum of THE COMPANY has been concluded with the recipient of the Personal Information;
- the Data Subject has given Consent (POPIA) to the proposed transfer, having been fully informed of any potential risks;
the transfer is necessary in order to perform a contract between THE COMPANY and a Data Subject, for reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of
the Data Subject in circumstances where the Data Subject is incapable of giving Consent (POPIA).
- Direct marketing, including unsolicited direct electronic marketing is prohibited unless the Data Subject has consented to the receipt of this marketing material.
In order to ensure that direct marketing is sent out in a lawful manner, all Personnel must ensure that:
all THE COMPANY customers, when approached or dealt with for the first time, are given the opportunity in an informal manner to agree or disagree to the receipt of any THE COMPANY direct marketing material and
that where consent is granted, and when marketing material is sent to these Data Subjects, that the material houses an “opt out” form, allowing the Data Subject to opt out of any further marketing material should
it so elect; and
- before direct marketing is sent to a non-customer that such person provides his, her, or its consent thereto, which will be in the form of the prescribed “opt in” notice, available on THE COMPANY website;
- when marketing material is sent to Data Subjects, who have “opted in” that the material houses an “opt out” form, allowing the Data Subject to opt out of any further marketing material; and
when a Data Subject exercises his, her or its right to object to receiving direct marketing, in the form of an opt out, that such opt out is recorded and given effect to, and that no further direct marketing is
sent to the opted-out customer.
- All Personnel, especially those who engage in direct marketing must familiarise themselves with THE COMPANY marketing opt in and opt out forms which are available on THE COMPANY website.
REPORTING PERSONAL INFORMATION BREACHES
In the event of a Personal Information breach, THE COMPANY has a duty to give notice of such breach to the Regulator who is in charge of POPIA, being the Information Regulator (Information Regulator), and to the Data
Subject(s) whose Personal Information has been affected as a result of such breach.
THE COMPANY has put in place appropriate procedures to deal with any Personal Information breach and will notify the Information Regulator and/or the Data Subjects, as the case may be, when it is legally required to do
so of any breach.
Personnel have a duty to
immediately report through to the Information Officer, any suspected or known Personal Information breach; using the prescribed COMPANY data breach report, which report must contain the following details:
- categories and approximate number of Data Subjects concerned;
- categories and approximate number of Personal Information records concerned;
- the likely cause of and the consequences of the breach;
- details of the measures taken, or proposed to be taken, to address the breach including, where appropriate, measures to mitigate its possible adverse effects;
- which report format is annexed hereto marked Annexure B.
- keep such information strictly private and confidential;
ensure that they do not deal with any persons in relation to the Personal Information breach, including any officials to investigators, noting that only the Information Officer with the approval of THE COMPANY ’s
Board has the right to report any Personal Information or security breach to the Information Regulator and/or the affected Data Subjects, as the case may be and to deal with any person in connection with such
DATA SUBJECT RIGHTS AND REQUESTS
A Data Subject has a number of rights under POPIA in relation to his, her or its Personal Information, including the right to:
- withdraw Consent;
- object to Processing;
- obtain confirmation of Processing and/or access to Personal Information;
- amend, update and delete Personal Information;
- to object to direct marketing;
- be notified of a personal information breach; and
- to complain.
THE COMPANY has developed, implemented and will maintain certain processes and related forms which give effect to these Data Subject rights, which processes and related forms are contained in the specific and informed
Processing notices which can be found on THE COMPANY website. When a Data Subject is desirous of exercising these rights, then he, she or it must be directed to the relevant COMPANY website where the relevant Processing
notices and related prescribed forms are housed, which form, once completed must be directed to and handled directly by the Information Officer or his or her deputy, and no other, who will be responsible for dealing with
the request and advising the affected Data Subject and/ or any affected Personnel of any decision and outcome in relation to such request.
Personnel must use reasonable endeavours and as far as reasonably practicable:
- familiarise themselves with the Data Subjects’ rights, and the related processes and forms which need to be followed and completed in order to access these rights;
- take note of and give effect to these processes;
in particular note that where a Data Subject seeks advices on what Personal Information THE COMPANY holds and which pertains to that Data Subject or where the Data Subject is desirous of accessing this Personal
Information, that such right has to be exercised using the “request for access to information” procedure which is described under a law known as the Promotion of Access to Information Act, 2000 (PAIA) and which
request procedure is more fully set out under THE COMPANY ’s PAIA Manual available on THE COMPANY website.
where asked by any Data Subject to give effect to these rights, do not deal with the request directly but instead direct the Data Subject to the relevant process and form on THE COMPANY website, and provide
assistance in so far as completing the form only.
THE RIGHT TO COMPLAIN
- A Data Subject has to right lodge a complaint with regards to the Processing of his, her or its Personal Information.
- THE COMPANY has established for this purpose, an internal compliant resolution procedure.
Should a Data Subject wish to submit a complaint, Personnel must, if contacted by the Data Subject, ask the Data Subject to complete the prescribed “personal information processing complaint” form, which is housed on THE
COMPANY website, and to submit the complaint, once completed, directly to the Information Officer.
- On receipt of the complaint, the Information Officer will attempt to hear and resolve the matter internally, and failing resolution will provide the Data Subject with a non-resolution notice.
- If the Information Officer and Data Subject are able to resolve the matter, a record setting out the solution will be compiled, and signed by the parties and any other affected persons.
- Where the parties are unable to resolve the matter, the Data Subject on receipt of the non-resolution notice, will have the right to refer the complaint to the Information Regulator.
THE COMPANY has appointed the below mentioned individual as its Information Officer, who will be responsible for the following using reasonable endeavours and as far as reasonably practicable:
developing, constructing and once prepared, implementing and overseeing an enterprise-wide Personal Information Processing framework and related roadmap including various Personal Information Processing
procedures and policies, including this Policy;
- monitoring compliance with this Policy, the various Personal Information Processing procedures and the Data Processing law;
- providing all Personnel with the necessary and required Personal Information Processing training;
- providing ongoing guidance and advice on Personal Information Processing;
- conducting Personal Information impact assessments when required, including base line risk assessments of all THE COMPANY ’s Personal Information Processing activities;
- ensuring that all operational and technological Personal Information and data protection standards are in place and are complied with;
working closely with IT in order to ensure that appropriate technological and operational measures have been implemented in order to ensure the safety and security of all electronically stored Personal
- receiving and considering reports from IT about compliance with all technological and operational data protection standards and protocols;
be entitled and have authorisation in conjunction with THE COMPANY HR function, to initiate disciplinary proceedings against Personnel who breach any technological and/or organizational and/or operational data
protection standard, rule, custom, instruction, policy, practice and/or protocol (verbal, in writing or otherwise), including this Policy;
- review and approve any contracts or agreements which deviate from the standard Processing documentation of THE COMPANY;
- attend to requests and queries from Data Subjects, including requests for access to their Personal Information;
- liaising with and/or co-operating with any regulators or investigators or officials who may be investigating a Personal Information or data privacy matter.
All queries and concerns in relation to the Processing of Personal Information within THE COMPANY operations or concerning THE COMPANY activities, must be taken up with the Information or Deputy Information Officers.
- The Information Officer of THE COMPANY is:
Kaap Agri Bedryf Limited (Registration Number: 1995/000336/06) together with its holding company, KAL Group Limited (Registration Number: 2011/113185/06), being a JSE listed entity, including all its
Mr. Satish Bhoola
Email: [email protected]
THE COMPANY’s Information Management department will be responsible for the following using all reasonable endeavours and as far as reasonably practicable:
- conducting cyber security risk assessments including base line risk assessments of all THE COMPANY information technology activities;
- ensuring that adequate and effective IT operational and technological data protection procedures and standards are in place in order to address all IT security risks;
ensuring that all systems, services and equipment used for Processing and/or storing data adheres to internationally acceptable standards of security and data safeguarding, and is regularly updated to continue to
comply with such standards;
issuing appropriate, clear, and regular rules and directives, whether for THE COMPANY as a whole or a particular part of it, department, person or level of person in relation to any aspect of THE COMPANY work,
including password protocols, data access protocols, levels of persons who enjoy access to certain data sign-on procedures, password safeguarding protocols, sign-on and sign-off procedures, log-on and log-off
procedures; the description of accessories, applications and equipment that will or may be used, and/or that may not be used under any circumstances, and the like.
evaluate any third-party services which THE COMPANY is considering or may acquire to Process or store data, e.g., cloud computing services and ensuring that appropriate and effective operational and technological
data protection procedures and standards are in place in order to address all IT security risks which may present themselves in respect of these external service providers.
THE COMPANY will use reasonable endeavours and as far as reasonably practicable conduct regular training sessions covering the contents of the data privacy laws and THE COMPANY related Personal Information Processing
policies and procedures, which will be available to all Personnel.
Personnel must use reasonable endeavours and as far as reasonably practicable:
- attend the scheduled and offered training;
- do all that is necessary in order to understand the data privacy laws and how they may impact on THE COMPANY Personal Information Processing activities;
- familiarise themselves with THE COMPANY Personal Information Processing policies, procedures and prescribed forms;
ensure that they Process Personal Information in accordance with the Data Processing laws, this Policy, the training, the related policies and procedures and/or any guidelines issued by THE COMPANY from time to
The website makes use of “cookies” to automatically collect information and data through the standard operation of the Internet servers. “Cookies” are small text files a website can use (and which we may use) to
recognise repeat users, facilitate the user’s on-going access to and use of a website and allow a website to track usage behaviour and compile aggregate data that will allow the website operator to improve the
functionality of the website and its content, and to display more focused advertising to a user by way of third party tools. The type of information collected by cookies is not used to personally identify you. If you do
certain features available on our website, and thus if you disable the cookies on your browser you may not be able to use those features, and your access to our website will therefore be limited.
- Compliance with this Policy and any related procedures and policies is mandatory.
- Any transgression of this Policy, and any related procedures and policies, will be investigated and may lead to action being taken against the transgressor.
Further information on the relevant Data protection laws, the THE COMPANY Processing of Personal Information procedures and issues, including specific practical guidance on issues of particular relevance to THE COMPANY
staff, can be found on THE COMPANY ’s website.
VERSION AND AMENDMENTS
This Policy is effective as of 1 July 2021.
Download Annexure A here.
Download Annexure B here.