1. THE PURPOSE OF THIS DOCUMENT
1.1. BUSINESS/PARTNERS is committed to protecting the privacy and security of your personal information.
1.3. BUSINESS/PARTNERS is a “responsible party”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
1.4. This notice applies to current and former clients, directors, stakeholders, applicants for employment and independent contractors of BUSINESS/PARTNERS (“Data Subjects”), including interested clients and interested stakeholders.
1.5. Not all of the sections in the notice will be relevant to everyone. The notice is intended to provide details of all the processing activities that we undertake and therefore the mere listing of an activity does not mean that we are processing your personal information in this manner and for these purposes.
We reserve the right to update this privacy notice at any time, and we will provide you with a notice when we make any substantial updates. We will post the updated version on our website and provide the date of the latest version, which will be effective from the date of posting. We may also notify you in other ways from time to time about the processing of your personal information.
1.6. Other privacy notices
1.7. This policy should be read with our PAIA Manual and any contract(s) we may have with you from time to time. Our PAIA Manual is published on our website at PAIA Manual Link or available on request from our Information Officer.
2. DATA PROTECTION CONDITIONS
2.1. We will comply with POPIA. This says that the personal information we hold about you must be:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- relevant to the purposes we have told you about and limited only to those purposes;
- accurate and kept up to date;
- kept only as long as necessary for the purposes we have told you about; and
3. THE KIND (CATEGORIES) OF INFORMATION WE HOLD ABOUT YOU
3.1. Personal data, or personal information, means any information about an individual or a juristic person from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
3.2. There are certain types of more sensitive or special personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection.
- log information;
- information we infer about you based on your interaction with products and services;
- device information (for example the type of device you’re using, how you access platforms, your browser or operating system and your Internet Protocol (“IP”) address); and
- location information.
3.4. We may receive additional information about you that is publicly or commercially available and combine that with the information we have collected or received about you in other ways.
3.5. We process your name, title, position, email, telephone number, website, address, and details of our interactions with you. We may also process other personal information regarding you or your colleagues that have been provided to us by you, your colleagues or our customer. This could include detail on the issues you are interested in and your opinion of BUSINESS/PARTNERS. For a comprehensive list of the categories of personal information we may collect, store, and use about you, please refer to our PAIA manual.
4. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
4.1. We collect personal information about Data Subjects directly from such data subject. We may sometimes collect additional information from third parties, including your (former) employers, your colleagues, other customers, suppliers and other business partners, credit reference agencies or bureaus or other background check agencies. Some of this personal data will come from internal sources in the BUSINESS/PARTNERS. In addition, we may also gather some personal information from publicly available sources.
4.2. We may also collect personal information from the trustees or managers of pension arrangements.
4.3. We may collect information when you use websites by using cookies, web beacons and other technologies.
5. HOW WE WILL USE INFORMATION ABOUT YOU? / WHAT PROCESSING ACTIVITIES DO WE UNDERTAKE USING YOUR PERSONAL INFORMATION?
5.1. Circumstances and legal grounds for which we will need to use your personal information
We will only use your personal information when the law allows us to. Most commonly, the legal grounds relied on to carry out these processing activities is in the following circumstances:
- where we need to perform/execute the contract we have entered into with you;
- where we need to comply with a legal obligation;
- where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; and
- we may also use your personal information in the following situations, which are likely to be rare:
- where we need to protect your legitimate interests (or someone else’s interests); and
- where it is needed for the proper performance of a public law duty; and
- alternatively, the legal ground for processing your personal information is your consent, for e.g., where we are required to do so by applicable law, we will get your explicit consent for marketing communications.
With regard to the legitimate interests referred to above:
- BUSINESS/PARTNERS considers that it has a legitimate interest in managing and operating its business, including undertaking appropriate promotional activity.
- BUSINESS/PARTNERS considers that it has a legitimate interest in managing and operating its business. This includes ensuring compliance with legal requirements placed upon it.
- In addition, BUSINESS/PARTNERS considers that its customers and contacts have legitimate interests in maintaining their relationships with BUSINESS/PARTNERS and the management and operation of their own businesses.
- BUSINESS/PARTNERS considers that it has a legitimate interest in managing and operating its business, including undertaking appropriate promotional activity.
5.2. What is the reason for these processing activities?
We need all the categories of information in the list above primarily to allow us to perform/execute our services and contract with you and to enable us to comply with legal obligations.
In some cases we may use your personal information to pursue legitimate interests, provided your interests and fundamental rights do not override those interests.
Examples of specific situations in which we will process your personal information are listed below:
- communication with data subjects;
- to maintain a contact database for relationship management, and providing networking between BUSINESS/PARTNERS and contacts
to improve our services;
- to send your targeted marketing information, which is intended to promote our business products and services;
- conducting research and compiling research reports;
- provision of support services to data subjects;
- creating, managing and maintaining a Customer Relationship Management (CRM) database, including relevant organisational charts;
- keeping records and audit information relating to our customers and contacts, including minutes of meetings and other notes;
- preparing aggregated and anonymised reports;
- customer and supplier account management and administration, receive and provide services, raise invoices and process payments;
- to assess the suitability of job applicants for employment;
- meeting legal obligations in respect of employment equity and to comply with other applicable laws;
- employment equity and broad-based black economic empowerment monitoring;
- sourcing, securing and administering of group insurance schemes for the benefit of Data Subjects and their families;
- liaising with the trustees or managers of a retirement and/or medical aid arrangements and any other provider of benefits;
- administering the contract we have entered into with you;
- business management and planning, including accounting and auditing;
dealing with legal disputes involving you, or other data subjects, directors and independent contractors;
- to prevent fraud;
- to monitor your use of our information and communication systems to ensure compliance with our IT policies;
- to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
- to conduct market analysis and data analytics studies to review and better understand consumer behaviour, customer retention and attrition rates.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
5.2 If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to provide a service to you or perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure we comply with various statutory compliance requirements).
5.3 Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5.4 Do we need your consent?
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION
6.1 “Special categories” of particularly sensitive personal information, such as information about your health, racial or ethnic origin, sexual orientation or trade union membership, religious or philosophical beliefs, trade union membership, political persuasion or biometric information; or your criminal behaviour to the extent that such information relates to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
6.2 We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- in limited circumstances, with your explicit written consent;
- where we need to carry out our legal obligations or exercise rights in connection with the services we provide to you; and
- where it is needed for the establishment, exercise, or defence of a right or obligation under law.
6.3 Less commonly, we may process this type of information where you have already made the information public.
6.4 Situations in which we will use your special personal information
In general, we will not process particularly sensitive personal information about you unless it is necessary for performing or exercising obligations or rights in connection with law or our contract with you.
6.5 Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in terms of law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive personal information. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
6.6 Information about criminal convictions
7. AUTOMATED DECISION-MAKING
7.1 Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- where we have notified you of the decision and given you 21 days to request a reconsideration;
- where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights;
- in limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights; and
- if we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
7.2 You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
8. DATA SHARING
8.1 We may have to share your data with third parties, including third-party service providers and other entities in the group. If we do, you can expect a similar degree of protection in respect of your personal information.
8.2 We require third parties to respect the security of your data and to treat it in accordance with the law.
8.3 Why might we share your personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
8.4 Which third-party service providers process your personal information?
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group.
Depending on the nature of the personal information, BUSINESS/PARTNERS may supply information or records to the following categories of recipients:
- companies in the BUSINESS/PARTNERS Group;
- our business partners;
- statutory oversight bodies, regulators or judicial commissions of enquiry making a request for data;
- any court, administrative or judicial forum, arbitration making a request for data or discovery in terms of the applicable rules (i.e. South African Revenue Services, or another similar authority) and anyone making a successful application for access in terms of PAIA; and
- any person who conducts business with BUSINESS/PARTNERS, in the ordinary course of business;
- companies that provide services to BUSINESS/PARTNERS or act on its behalf may have access to information about data subjects;
- internally, including BUSINESS/PARTNERS’ departments in connection with the relevant business, the support services team, the finance team, governance and risk management departments, the enterprise development team and the marketing team (as appropriate).
- In addition, some of your personal data may be shared externally with the relevant customer or contact, your employer, your colleagues, other customers and suppliers and as otherwise set out in this notice;
- In connection with marketing activity, some of your personal data may be shared externally with our vendors and suppliers as needed; and
third parties where the data subject provides consent.
8.5 How secure is your information with third-party service providers and other entities in our group?
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
8.6 Transferring information outside South Africa
We might transfer your personal information to places outside of South Africa and store it there, where our suppliers might process it. If that happens, your personal information will only be transferred to and stored in a country that has equivalent, or better, data protection legislation than South Africa or with a service provider which is subject to an agreement requiring it to comply with data protection requirements equivalent or better than those applicable in South Africa.
9. DATA SECURITY
9.1 We have put in place measures to protect the security of your information.
9.2 Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
9.3 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those Data Subjects, agents, contractors and other third parties who have a need to know for business reasons. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
9.4 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
10. DATA RETENTION
10.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention schedule which is available from our Information Officer. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
10.2 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a client, director or independent contractor of the company we will retain and securely destroy your personal information in accordance with our data retention schedule and/or applicable laws and regulations.
11. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
11.1 It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
11.2 Your rights in connection with personal information: under certain circumstances, by law you have the right to:
- request access to your personal information as set out in our PAIA Manual (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;
- request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
- request the transfer of your personal information to another party.
11.3 You can review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party. Requests may be made in writing to the Information Officer. Please consult our Promotion of Access to Information Manual (commonly known as the PAIA Manual or “data subject access request”) published on our website at PAIA Manual Link or available on request from our Information Officer.
11.4 No fee usually required: you will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
11.5 What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
11.6 Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Information Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
12 COLLECTION OF INFORMATION FROM WEBSITE USERS AND USING COOKIES
What are cookies and why do we use them?
The type of information collected by the cookies we use is not used to personally identify you.
13. INFORMATION OFFICER
We have appointed an Information Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Information Officer.
CONTACT DETAILS OF THE INFORMATION OFFICER (IO)
Name: Ms Marjan Gerbrands
Physical Address: Business Partners Centre, 37 West Street, Houghton Estate, Johannesburg, South Africa 2198
Postal Address: P. O. Box 7780, Johannesburg, South Africa 2000
E-mail address: InformationOfficer@businesspartners.co.za
Fax number: +27(0)11 7136650
Telephone number: +27 (0)11 713 6600
14. INFORMATION REGULATOR
You have the right to make a complaint at any time to the Information Regulator.
CONTACT DETAILS OF THE INFORMATION REGULATOR
The Information Regulator
Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg