1. Purpose
Mr Home Repair cc strives to comply with applicable laws and regulations relating to privacy and Personal Information protection, including the Protection of Personal Information Act, 2013 (“POPI”). This Policy sets forth the basic principles (referred to as Processing Conditions) which Mr Home Repair cc applies when processing the Personal Information of consumers, customers, suppliers, business partners, employees and other individuals. This policy also outlines the responsibilities of Mr Home Repair cc’s respective business departments and employees while Processing Personal Information.
2. Scope
2.1. This Policy applies to Mr Home Repair cc
2.2. Any breach of this Policy amounts to serious misconduct and may result in disciplinary action.
3. Basic Conditions to be applied in respect of Privacy Protection and Personal Information being Processed (Processing Conditions)
3.1. When Mr Home Repair cc Processes Personal Information, it must comply with the following 8 Processing conditions:
- Condition 1: Accountability;
- Condition 2: Processing Limitation;
- Condition 3: Purpose Specification;
- Condition 4: Further Processing Limitation;
- Condition 5: Information Quality;
- Condition 6: Openness;
- Condition 7: Security Safeguards; and
- Condition 8: Data Subject Participation.
Condition 1: Accountability
3.2. Mr Home Repair cc must ensure that the Processing Conditions are complied with.
3.3 Mr Home Repair cc is responsible for drafting an information security policy, which will, among other things, address document retention, access to information and classification of Personal Information.
3.4. Mr Home Repair cc will furthermore designate specific individuals to monitor compliance with information security standards.
3.5. Training or awareness sessions for employees on information security will be conducted on a regular basis.
Condition 2: Processing Limitation
3.6. Personal Information may only be Processed if, given the purpose for which it is Processed, it is adequate, relevant and not excessive.
3.7. This condition applies to electronic Personal Information and paper-based records stored in a non-automated filing system.
3.8. Mr Home Repair cc requires a justification to Process Personal Information. To this end, and where possible and necessary, Mr Home Repair cc will obtain voluntary, informed and specific consent by means of an expression of will from Data Subjects, before collecting their Personal Information. Where this is not possible or necessary, Mr Home Repair cc may seek to rely on one of the exceptions to having obtain consent set out in section 11 of POPI.
3.9. A Data Subject may withdraw consent at any time and such withdrawal of consent should be noted. A Data Subject may also object at any time on reasonable grounds, to the Processing of its Personal Information, save if legislation (including POPI) provides for such Processing. Mr Home Repair cc will then no longer Process the Personal Information unless it is authorised to do so under relevant laws.
Condition 3: Purpose specification
3.10. Personal Information may only be Processed for specific, explicitly defined, and legitimate reasons relating to the functions or activities of Mr Home Repair cc, of which the Data Subject is made aware.
3.11. Personal Information will only be collected to the extent that it is required for the specific purpose notified to the Data Subject unless it is not reasonably practicable to do so in the circumstances or collection will not affect a legitimate interest of the Data Subject. Any Personal Information which is not necessary for such purpose will not be collected in the first place unless Data Subject consent is obtained.
3.12. Records of Personal Information may only be kept for as long as necessary for achieving the purpose for which the information was collected or subsequently Processed, unless:
3.12.1. retention of the record is required or authorised by law;
3.12.2. Mr Home Repair cc reasonably requires the record for lawful purposes related to its functions or activities;
3.12.3. retention of the record is required by a contract between Mr Home Repair cc and a third party thereto; or
3.12.4. the Data Subject or a competent person, where the Data Subject is a child, has consented to the retention of the record.
3.13. Personal Information will therefore not be kept longer than is necessary for the purpose for which it was collected. This means that Personal Information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form or be de-identified as soon as reasonably practicable after Mr Home Repair cc is no longer authorised to retain the record.
Condition 4: Further Processing limitation
3.14. Further Processing of Personal Information must be compatible or in accordance with the purpose of collection unless the Data Subject has consented to such further Processing.
3.15. Once collected, Personal Information will only be Processed for the specific purposes notified to the Data Subject when the Personal Information was first collected under Condition 3 or for other purposes which are compatible with such purpose. This means that Personal Information will not be collected for one purpose and then used for another incompatible purpose. If it becomes necessary to change the purpose for which the Personal Information is Processed, the Data Subject will be informed of the new purpose and the Data Subject’s consent will be obtained before any Processing occurs.
3.16. Where Personal Information is transferred to a third party for further Processing, the further Processing must be compatible with the purpose for which it was initially collected.
Condition 5: Information quality
3.17. Mr Home Repair cc must take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and updated where necessary in light of the purpose for which such information is collected.
3.18. Information which is incorrect, or misleading is not accurate, and steps will therefore be taken to check the accuracy of any Personal Information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date information will be destroyed.
3.19. Mr Home Repair cc will develop appropriate Processes to ensure compliance with the above as well as the applicable provisions of the POPI.
Condition 6: Openness
3.20. Mr Home Repair cc must take reasonably practicable steps to ensure that the Data Subject is aware of:
3.21.1. the Personal Information being collected and where the information is not collected from the Data Subject, the source from which it is collected;
3.21.2. the name and address of Mr Home Repair cc;
3.21.3. the purpose for which the information is being collected;
3.21.4. whether or not the supply of the information by that Data Subject is voluntary or mandatory;
3.21.5. the consequences of failure to provide the information;
3.21.6. any particular law authorising or requiring the collection of the information;
3.21.7. where applicable, the fact that Mr Home Repair cc intends to transfer the information within South Africa and the level of protection afforded to the information by that country;
3.21.8. any further information such as the recipient or category of recipients of the information, the nature or category of the information and the existence of the right of access to and the right to rectify the information collected;
3.21.9. the existence of the right to object to the Processing of Personal Information; and
3.21.10. the right to lodge a complaint to the Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be Processed, to enable Processing in respect of the Data Subject to be reasonable.
Condition 7: Security safeguards
3.22. Mr Home Repair cc will take reasonable organisational and technical measures to ensure that all Personal Information is secure against the risk of loss, unauthorised access, interference, modification, destruction, or disclosure and conduct regular risk assessments to identify and manage all reasonably foreseeable internal and external risks to Personal Information under its control.
Duty in Respect of Operators
3.23. Operators (i.e., third parties which may further Process Personal Information collected by Mr Home Repair cc on its behalf) include, but is not limited to, call centres, outsourced payroll administrators, marketing database companies, recruitment agencies, psychometric assessment centres, document management warehouses, external consultants, credit bureaus and persons who clear the payment instructions of Mr Home Repair cc’s clients.
3.24. Mr Home Repair cc will implement the following key obligations in respect of Operators:
3.24.1. The Operator may not Process Personal Information on behalf of Mr Home Repair cc without the knowledge and authorisation of Mr Home Repair cc;
3.24.2. Mr Home Repair cc will ensure that the Operator implements the security measures required in terms of Condition 7: Security Safeguards;
3.24.3. There will be a written contract in place between Mr Home Repair cc and the Operator which requires the Operator to maintain the confidentiality and integrity of Personal Information Processed on behalf of Mr Home Repair cc;
3.24.4. The written contract between Mr Home Repair cc and the Operator will include the mandatory provisions under sections 19 to 21 of POPI; and
Duties in Respect of Security Compromises
3.25. In the event that Personal Information has been compromised, or if there is a reasonable belief that a compromise has occurred, Mr Home Repair cc (or an Operator Processing Personal Information on its behalf) will comply with the notification requirements set out in section 22 of POPI.
Condition 8: Data subject participation
Request for Information
3.26. Mr Home Repair cc recognises that a Data Subject has the right to request Mr Home Repair cc to confirm, free of charge, whether or not it holds Personal Information about the Data Subject and request Mr Home Repair cc to provide a record, or a description of the Personal Information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information at a prescribed fee.
Request to Correct or Delete
3.27. The Data Subject may request Mr Home Repair cc to:
3.27.1. correct or delete Personal Information relating to the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading, or obtained unlawfully; or
3.27.2. destroy or delete a record of Personal Information about the Data Subject that Mr Home Repair cc is no longer authorised to retain.
3.28. Mr Home Repair cc will provide credible proof to the Data Subject of the action that has been taken in response to the request.
3.29. If any changes to the Personal Information are made and has an impact on any decisions to be made in respect of the Data Subject, Mr Home Repair cc will inform all third parties to whom the information has been disclosed of such changes.
4. Building Privacy Protection and the Processing Conditions into Business Activities
4.1. Notification to Data Subjects:
4.1.1. In compliance with Condition 6, before Processing Personal Information in respect of products, services, or marketing activities, Mr Home Repair cc will use reasonable endeavours to notify Data Subjects of:
4.1.1.1. the types of Personal Information that will be Processed;
4.1.1.2. the purpose/s of the Processing;
4.1.1.3. the Processing methods that will be used;
4.1.1.4. the Data Subjects’ rights with respect to their Personal Information; and
4.1.1.5. Mr Home Repair cc’s security measures to protect the Personal Information that is being Processed.
4.2. Data Subject’s choice and consent:
In compliance with Condition 2, the Processing of Personal Information will be based on the Data Subject’s consent, customers’ written authorisation or other lawful grounds and a record of such consent or authorisation must be retained and stored. Mr Home Repair cc will also provide Data Subjects with the option to withdraw the consent given by them to Process their Personal Information.
4.3. Processing of Personal Information which includes collection of Personal Information:
When processing the Personal Information of a Data Subject, Mr Home Repair cc will strive to collect the least amount of Personal Information possible to achieve the purpose of the Processing and ensure that the Personal Information being Processed is:
4.3.1. relevant to the purpose of the Processing;
4.3.2. necessary for the purpose/s of the Processing.
4.3.3. is not excessive considering the purpose/s of the Processing.
If Personal Information is collected from a third party, Mr Home Repair cc will try to ensure that the Personal Information is Processed in accordance with applicable laws and regulations.
4.4. Use, retention, and disposal:
4.4.1. In compliance with Condition 3, the use, purpose/s for Processing, method/s of Processing and the retention period of Personal Information should be consistent with the information contained in the notice to the Data Subjects or authorisations by customers. Mr Home Repair cc will maintain the accuracy, integrity and relevance of Personal Information based on the purpose/s of the Processing.
4.4.2. Under Condition 7, security mechanisms designed to protect Personal Information shall be used to prevent Personal Information from being stolen, leaked, damaged, accessed unlawfully, misused, abused, disseminated unlawfully or without approval. For example:
4.4.2.1. Personal Information should be anonymised or de-identified in a manner that makes re-identification impossible where practicable and appropriate or aggregate data, such as statistical or research results that does not identify an individual, should be used, if possible.
4.4.2.2. Mr Home Repair cc encourages Pseudonymisation, if possible, to reduce the ability to link Personal Information to a Data Subject.
4.4.2.3. Access to and Processing of Personal Information should be controlled. Encryption or other methods should be used to help ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems.
4.4.2.4. Personal Information should be restored in a timely manner in the event of a data security incident.
4.4.2.5. Security measures should be evaluated regularly.
4.5. Disclosure to third parties:
4.5.1. In compliance with Condition 7, when Mr Home Repair cc authorises a supplier or business partner to Process Personal Information on behalf of Mr Home Repair cc, i.e., act as an operator, Mr Home Repair cc should seek to ensure that the supplier or business partner provides security measures to safeguard Personal Information that are appropriate to the risks associated with the Personal Information.
4.5.2. Mr Home Repair cc should also ensure that the supplier or business partner provides the same level of data protection as Mr Home Repair cc would have provided through the conclusion of a contract containing data protection provisions.
4.5.3. The supplier or business partner should only Process Personal Information to the extent necessary to carry out its contractual obligations to Mr Home Repair cc or upon the instruction of Mr Home Repair cc and not for any other purpose.
4.5.4. When Mr Home Repair cc Processes Personal Information jointly with an independent third party, Mr Home Repair cc should explicitly specify the respective responsibilities of Mr Home Repair cc and the third party in the relevant contract.
4.6. Access to Personal Information by Data Subjects:
4.6. In compliance with Condition 8, when acting as a Responsible Party, Mr Home Repair cc should provide Data Subjects with a mechanism which will enable them to:
4.7.1. access their Personal Information;
4.7.2. request that the Personal Information relating to them that is being Processed be updated, rectified, erased and/or deleted; and
4.7.3. object to the Processing of their Personal Information.
4.8. The Processing of Special Personal Information:
4.8.1. In most cases when Special Personal Information is being Processed, the Data Subject’s explicit consent to the Processing of such information will usually be required.
4.8.2. Examples of when special Personal Information of employees is likely to be Processed are set out below and may include, but are not necessarily limited to:
4.8.2.1. information about an employee’s physical or mental health or condition in order to monitor sick leave and take decisions as to the employee’s fitness for work;
4.8.2.2. the employee’s racial or ethnic origin or religious or similar information, in so far as it is required to monitor compliance with employment equity legislation; and
4.8.2.3. in order to comply with legal requirements and obligations to third parties.
4.9. Authorisation from the Regulator:
Mr Home Repair cc will obtain prior authorisation from the Regulator, in terms of section 58 of POPIA, prior to any processing if that Mr Home Repair cc plans to-
4.9.1. process any unique identifiers of Data Subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information together with information processed by other responsible parties;
4.9.2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
4.9.3. process information for the purposes of credit reporting; or
4.9.4. transfer special personal information, the personal information of children under the age of 18, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72 of POPIA.
4.10. Organisation and Responsibilities:
4.10.1. The objective of Mr Home Repair cc’s privacy program is to take a risk-based approach to ensuring legal compliance, if required, and business competitiveness.
4.10.2. The Information Officer is the owner of managing Mr Home Repair cc’s Privacy protection program and is responsible for the development and promotion of end-to-end Privacy protection policies. The Information Officer of Mr Home Repair cc is responsible for and ensures that the various departments:
4.10.2.1. develop privacy protection policies and guidance in its business;
4.10.2.2. determine privacy protection roles and responsibilities;
4.10.2.3. apply data protection requirements to Process management and business decision making systems;
4.10.2.4. audit data protection compliance and promotes improvements.
4.10.3. The Administration Department, as a legal competence centre for privacy protection, monitors and analyses the privacy laws and regulations, develops compliance requirements, and assists business departments in achieving their Privacy goals.
4.10.4. The Human Resource Department is responsible for improving all employees’ awareness about user privacy protection, organising privacy protection expertise and awareness training for privacy protection practitioners and introducing training materials and certification criteria from the industry.
4.10.5. In the consumer domain, Mobile Range, Spares, Consumables Department of Mr Home Repair cc is responsible for end-to-end privacy protection. When Mr Home Repair cc acts as a Responsible Party, Mr Home Repair cc should observe laws to proactively protect consumers’ privacy, enhance consumers’ trust, and facilitate business success.
4.10.6. When Mr Home Repair cc acts as a Responsible Party or joint Responsible Party, Mr Home Repair cc should strictly comply with paragraph 4 of this Policy. At the same time, Mr Home Repair cc should expressly clarify the responsibilities of relevant parties in legal documents, such as the contracts signed with customers and partners. The reference to responsibilities include, but is not limited to:
4.10.7.1. which party is responsible for notifying Data Subjects of the Processing of their Personal Information;
4.10.7.2. which Party is responsible for obtaining the Data Subject’s consent (where apposite) in order for their Personal Information to be Processed;
4.10.7.3. which party is responsible for responding to Data Subjects’ complaints and requests for access to their Personal Information, if necessary and/or required.
4.10.8. If a customer’s instruction violates applicable laws, regulations or the Basic Principles on Privacy Protection and Personal Information Processing of Mr Home Repair cc, as set out in this Policy or any other privacy protection communication sent out by Mr Home Repair cc, Mr Home Repair cc should reject the customer’s instruction.
4.10.9. In the employee domain, the Human Resource Department is responsible for end-to-end employee Privacy protection. Employees’ Personal Information should be Processed in accordance with the abovementioned principles and in compliance with POPI and other relevant laws.
4.10.10. The Administration and Accounts Department is responsible for taking measures to protect visitor’s Personal Information and flow down privacy requirements to suppliers (i.e., receptionists).
4.10.11. The Procurement and Shipping Department is responsible for imposing Privacy protection obligations and responsibilities, which includes but is not limited to meeting certification requirements, incorporating legal terms into contracts and monitoring implementation, on suppliers and improving suppliers’ levels of privacy protection.
4.10.12. The Supply Chain Department is responsible for taking reasonable measures to protect Personal Information associated with supply centres and to prevent Personal Information breaches.
4.10.13. The Information Technology and Marketing Department is responsible for delivering key messages about Mr Home Repair cc’s privacy compliance in response to government and media enquiries.
4.10.14. Directors of relevant business departments at all levels are primarily responsible for ensuring the implementation of privacy protection practices, requirements, and policies within business departments under their charge.
5. Response to Personal Information security breach incidents:
5.1. In compliance with Condition 7, if Mr Home Repair cc obtains knowledge of an actual or suspected Personal Information security breach incident, Mr Home Repair cc shall perform an internal investigation and take appropriate remedial measures, as soon as reasonably possible.
5.2. If there are reasonable grounds to believe that a security breach occurred and it is required by applicable law, Mr Home Repair cc’s authorised representative/s should notify the competent regulatory authority, the Data Subject and any affected stakeholders in a manner and within the time period required by law.
6. DIRECT MARKETING
Personal Information of Data Subjects will only be Processed for Direct Marketing purposes, in compliance with relevant legislation, including POPI.
7. Audit and Accountability:
7.1. The Administration / Accounts Department. is responsible for auditing how well business departments implement this Policy.
7.2. Any Mr Home Repair cc employee who acts in contravention of this Policy may be subjected to disciplinary action within Mr Home Repair cc and the employee may also be subjected to civil or criminal proceedings if his or her conduct is in breach of applicable laws or regulations.
8. Policy Hierarchy
This Policy is the basis for Mr Home Repair cc’s privacy protection practice.
9. Conflicts of Law
This Policy is intended to comply with the applicable laws and regulations of South Africa, including POPI, or any other applicable jurisdiction (the “Applicable Laws”). In the event of any conflict between this Policy and Applicable Laws, the latter shall prevail.
10. Interpretation and Maintenance
The Information Officer of Mr Home Repair cc is responsible for interpreting and maintaining this Policy.
11. Date of Validity
This policy takes effect on the day it is issued.
12. Definitions
12.1. Anonymisation: irreversibly de-identifying Personal Information such that the person cannot be identified by using reasonable time, cost, technology either by the Responsible Party or by any other person to identify that individual (also known as de-identification);
12.2. Child / Children: means a natural person under the age of 18 (eighteen) years old and who is not legally competent to take certain actions;
12.3. Data Subject: means the natural or juristic person to whom Personal Information relates;
12.4. Direct Marketing: means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
12.4.1. promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
12.4.2. requesting the Data Subject to make a donation of any kind for any reason;
12.5. Operator: means a person who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party;
12.6. Personal Information: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
12.7.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, and birth of the person;
12.7.2. information relating to the education or the medical, financial, criminal or employment history of the person;
12.7.3. any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
12.7.4. the biometric information of the person;
12.7.5. the personal opinions, views or preferences of the person;
12.7.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
12.7.7. the views or opinions of another individual about the person; and
12.7.8. the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
12.8. Processing/Process/Processed: means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including: (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure, or destruction of information;
12.9. Pseudonymisation: means the Processing of Personal Information in such a manner that the Personal Information can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Information are not attributed to an identified or identifiable natural person. Pseudonymisation reduces, but does not completely eliminate, the ability to link Personal Information to a Data Subject;
12.10. Responsible Party: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;
12.11. Special Personal Information: includes Personal Information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or the criminal behaviour of a Data Subject to the extent that such information relates to the alleged commission by a Data Subject of any offence; or any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.