1. DEFINITIONS
1.1 Personal information
Personal information is defined as information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.
1.2 Special personal information
Special personal information is considered to be more sensitive in nature and relates, among other things, to religious and philosophical beliefs, race, gender, sex life, health and criminal behaviour.
1.3 Data Subject
A data subject is the person or entity to which the data relates which includes persons, businesses, clients and employees.
1.4 Processing of information
Data processing includes any operations, activities or sets of operations, including collection, receipt, recording, storage, updating or modification of personal information.
1.5 Operator
A data operator processes personal information on behalf of a responsible party under the terms of a contract or mandate, but is not under the responsible party's direct control.
2. PURPOSE
2.1 The purpose of this policy is to comply with the conditions of the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”). The personal information of clients and employees is also considered valuable, and rules are set out below to govern the use, storage and protection of that information.
2.2 The following information is considered personal information, but the list is not exhaustive:
3. SCOPE
3.1. This policy applies to:
4. POLICY STATEMENT
4.1 The company values the privacy of every individual’s personal information and is committed to the protection of personal information and will strive to:
5. CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
The following conditions for lawful processing of information are proposed as minimum standards to govern the appropriate protection of personal information.
5.1 Accountability:
5.1.1. The company must and will ensure that the conditions for lawful processing of personal information set out in POPI, and all measures required to give effect, are complied with.
5.1.2. All personal information will be identified internally. Accountability commences when the information is received or requested and the purpose for processing is determined, and thereafter applies throughout the lifecycle of the processing, until the record has been destroyed.
5.2. Processing limitation
5.2.1. Personal information must be processed lawfully and in a manner that does not infringe the privacy of the individual who is the subject of the personal data (“Data Subject”). Personal information may only be processed if, given the purpose, it is adequate, relevant and not excessive.
5.2.2. Personal information may only be processed if:
5.2.2.1. the Data Subject, or a competent person where the Data Subject is a child, has given consent to the processing;
5.2.2.2. processing is necessary to carry out actions for the conclusion or performance of a contract with the Data Subject;
5.2.2.3. processing is necessary to comply with a legal obligation;
5.2.2.4. processing is necessary to protect the legitimate interest of the Data Subject;
5.2.2.5. processing is necessary to pursue the legitimate interests of the company; or
5.2.2.6. processing is necessary for the performance of a public duty by a public body.
5.2.3. The company bears the burden of proof of consent.
5.2.4. The Data Subject can withdraw consent at any time, however, such withdrawal will not affect the lawfulness of the processing of the personal information that has been processed before the withdrawal.
5.2.5. Personal information will be collected directly from the Data Subject, unless:
5.2.5.1. the information is obtained from a public record;
5.2.5.2. the Data Subject consented or allowed the personal information to be collected from another person;
5.2.5.3. the processing and collection by a third party does not prejudice the legitimate interest of the Data Subject; or
5.2.5.4. the collection is necessary to comply with a legal obligation.
5.3 Purpose specification
5.3.1. Collection of personal information must be for a specifically defined, lawful purpose related to a function or activity of the company.
5.3.2. The Data Subject must be informed of the purpose of processing the information and why it is required.
5.3.3. Personal information must not be retained for a period longer than necessary to achieve the purpose for which it was processed.
5.3.4. Personal information can be retained for an extended period under the following conditions:
5.3.4.1. when the prolonged retention is reasonably required for specific lawful purposes;
5.3.4.2. when prolonged retention is required due to contractual requirements between parties; and
5.3.4.3. when the Data Subject has consented to further retention of the information.
5.3.5. Furthermore, personal information may be kept for a period longer than necessary to achieve the purpose for which it was processed if it is for historical, statistical or research purposes and the necessary safeguards have been established.
5.3.6. Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.
5.4. Further processing limitation
5.4.1. Further processing of personal information must be in accordance with or compatible with the purpose for which it was collected.
5.4.2. Where further processing is not compatible with the original purpose, it will be allowed where:
5.4.2.1. the Data Subject has given consent to the further processing;
5.4.2.2. the information was derived from a public record;
5.4.2.3. further processing is necessary to comply with a legal obligation or legislation;
5.4.2.4. further processing is necessary to avoid serious harm or imminent threat to public health or safety;
5.4.2.5. the personal information is used for historical, statistical or research purposes and the company can ensure that it will not publish the information in an identified form; or
5.4.2.6. further processing is in accordance with an exemption granted by the Regulator.
5.5 Information quality
5.5.1 The company will take reasonable steps to ensure that the personal information which is processed is correct, accurate, complete, reliable and updated where necessary.
5.5.2. The Data Subject must be informed of the right to update and correct any personal information belonging to him/her.
5.6. Openness
5.6.1. Processing of personal information must be done in an open and transparent manner.
5.6.2. The company will take reasonable steps to ensure that the Data Subject is aware of the type of personal information being collected, the purpose for which it is being collected, and if not collected directly from the Data Subject, from where it is being collected.
5.6.3. The company will record and provide the following details to the Data Subject:
5.6.3.1. the name and address of the company;
5.6.3.2. the purpose of collection of the personal information and what it will be used for;
5.6.3.3. whether the supply of the information by the Data Subject is voluntary or mandatory;
5.6.3.4. the consequences of failure to provide personal information;
5.6.3.5. whether the information will be transferred to another country; and
5.6.3.6. whether subsequent processing will occur.
5.7. Security safeguards
5.7.1 All personal information held by the company must be kept safe and secure.
5.7.2. The company will ensure the integrity and confidentiality of the personal information under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, destruction or unlawful access. This includes the following:
5.7.2.1. identify personal information (structured and unstructured) in all business processes;
5.7.2.2. identify business process manual controls, application systems and IT process controls, including procedures supporting the complete and accurate processing of personal information;
5.7.2.3. identify all reasonable, foreseeable internal and external risks;
5.7.2.4. establish appropriate safeguards;
5.7.2.5. regularly verify that safeguards are effectively implemented;
5.7.2.6. maintain the capability to detect security breaches;
5.7.2.7. regularly review the contractual obligations of third parties; and
5.7.2.8. prohibit the processing of special personal information.
5.7.3. Where services of third-party operators are used, a written contract must be in place which ensures that the Operator establishes and maintains the security measures required under POPI.
5.7.4. Should the company become aware of, or have reasonable grounds to believe, that the personal information of a Data Subject has been accessed or acquired by an unauthorised person, the company will notify:
5.7.4.1. the Regulator; and/or
5.7.4.2. the Data Subject, unless the identity of the Data Subject cannot be established.
5.7.4.3. The notification must provide sufficient information to allow the Data Subject to take protective measures against any potential consequences of the leak or infringement.
5.8. Data Subject participation
5.8.1. The company will inform the Data Subject about the right to access personal information and the right to correct mistakes or inaccuracies.
5.8.2. Following a request to correct personal information, the company must correct or delete any personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
6. SECURITY AND DATA PROTECTION MEASURES
6.1. Physical security of personal information is maintained by ensuring physical security at each location where personal information is kept.
6.2. The office environment is only accessed by authorised employees.
6.3. The office is locked when not in use.
6.4. Special information is kept in locked cabinets.
6.5. All digital or electronic information is password protected.
6.6. Each employee shall collect their printing from the printer immediately and ensure that a clean desk policy is followed. Employees shall limit their printing to only critical documents, especially if these contain personal information.
6.7. The control room, which contains personal information, is safeguarded by physical double doors.
6.8. The premises are protected by camera surveillance.
6.9. A guard remains at the control room at all times.
6.10. All digital information is password protected and secured by an external service provider who has been contracted in terms of the protection of personal information.
6.11. Employees who travel with any form of personal information about customers, service providers or fellow employees shall keep these documents in a locked vehicle.
6.12. Once an employee resigns or is terminated, an exit process will include the changing of passwords and the collection of all personal information which was in the possession of the employee.
7. MAINTENANCE
7.1. Physical security is maintained on a constant basis.
7.2. Passwords on devices where personal information is kept must be changed on a regular basis.
8. DATA BREACHES AND RECOVERY PLAN
8.1. The Information Officer shall notify the Regulator of any data breaches.
8.2. Data Subjects shall be notified as soon as possible by email or by placing a notice on the Trojan Security website.
8.3. Where electronic information is accessed by unauthorised parties, subject matter experts will assist in securing the environment.
8.4. Where physical security is compromised, recovery plans will be determined based on the data breach and the method of access.
9. EXCLUSIONS
POPI does not affect or apply to the processing of personal information:
9.1. carried out in the course of a purely personal or household activity;
9.2. that has been deleted to the extent that it cannot be recovered or where such information has been de-identified;
9.3. held or used by or for the State, if it involves national security, defence, public safety or the prevention of crime;
9.4. held and used for exclusively journalistic purposes, by media companies that are subject to a code of ethics that has safeguards for the protection of personal information;
9.5. held or used by Cabinet, Provincial Executive Councils, and Municipal Councils;
9.6. if it relates to the exercise of judicial functions; or
9.7. if it has been specifically exempted under POPI, including cases where other legislation regulates the processing of that information.
10. RESPONSIBILITIES
The company recognises its responsibility under POPI as the Responsible Party. An Information Officer will be appointed and registered with the Regulator to achieve these goals.
10.1. The Information Officer
10.1.1. The Information Officer is responsible for:
10.1.1.1. providing advice, guidance and training on information protection responsibilities and compliance with this policy;
10.1.1.2. administering subject access requests;
10.1.1.3. liaising with the Regulator;
10.1.1.4. preparing and submitting reporting requirements;
10.1.1.5. co-ordinating the development and delivery of training materials; and
10.1.1.6. recording any incidences of breach of this policy.
10.1.2. Each employee is responsible for taking every reasonable step to ensure that the processing of personal information complies with this policy and the Protection of Personal Information Act 4 of 2013.
Information Officer: Hannelie Koch
Email: finance@plasticolors.co.za
Tel: 011 452 6940
10.2. Staff
10.2.1. All staff must:
10.2.1.1. adhere to the conditions of this policy;
10.2.1.2. ensure that all personal information entrusted to them is kept securely;
10.2.1.3. ensure no personal information is disclosed to any unauthorised third party; and
10.2.1.4. ensure that their own personal data held by the company is kept up to date.
10.3. Vendors, Contractors, and Suppliers
10.3.1 The company is responsible for the use made of personal information by anyone working on its behalf. Employees and contractors who engage vendors, contractors and/or suppliers must ensure that those parties:
10.3.1.1. adhere to the terms of this policy;
10.3.1.2. do not have access to personal data beyond that required for the work to be carried out; and
10.3.1.3. return or destroy personal data on completion of the work.
© 2021 - 2025 All rights reserved