Policy | Company Name Privacy Policy |
Applicable to | All employees |
Person responsible | Information Officer |
Document No. | POL # |
Cater 2 U Catering Supplies CC – Protection of Personal Information Act
2.1. “automated means”: means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
2.2. “automatic calling machine”: means a machine that is able to do automated calls without human intervention.
2.3. “binding corporate rules”: means personal information processing policies, within a group of undertakings, which are adhered to by Cater 2 U Catering Supplies CC or operator within that group of undertakings when transferring personal information to a business or operator within that same group of undertakings in a foreign country.
2.4. “data subject”: means the person to whom personal information relates.
2.5. “direct marketing”: means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
2.6. “electronic communication”: means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
2.7. “filing system”: means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
2.8. “group undertakings”: means a controlling undertaking and its controlled undertakings.
2.9. “information officer”: of, or in relation to, a –
2.10. “operator”: means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
2.11. “person”: means a natural person or a juristic person.
2.12. “personal information”: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –
2.13. “private body”: means –
2.14. “processing”: means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
2.15. “Promotion of Access to Information Act”: means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
2.16. “public body”: means –
a: Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
b: Any other functionary or institution when –
2.17. “public record”: means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.
2.18. “record”: means any recorded information –
a: Regardless of form or medium, including any of the following:
b: In the possession or under the control of a responsible party; and
c: Regardless of when it came into existence.
2.19. “re-identify”: in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that –
a: Identifies the data subject;
b: Can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
c: Can be linked by a reasonably foreseeable method to other information that identifies the data subject, and
2.20. “re-identified”: has a corresponding meaning.
2.21. “responsible party”: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
2.22. “restriction”: means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information.
2.23. “Cater 2 U Catering Supplies CC”: means Insert if this policy applies to a Group of Companies;
2.24. “special personal information”: means personal information as referred to in Section 26 of this Act.
2.25. “terrorist and related activities”: means those activities referred to in Section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act 33 of 2004.
2.26. “this Act”: means the Protection of Personal Information Act, No. 4 of 2013.
2.27. “unique identifier”: means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
3.1 Policy Statement:
Cater 2 U Catering Supplies CC recognises its accountability in terms of the Protection of Personal Information Act, together with its Regulations, to all its stakeholders. Cater 2 U Catering Supplies CC needs to collect personal information from its employees, clients, suppliers, operators as well as other stakeholders to carry out its business.
To maintain a trust relationship with our stakeholders, we are committed to complying with both the spirit and the letter of this Act and to always act with due skill, care, and diligence when dealing with personal information. This is to mitigate the risk, which may include loss of reputation, fines, imprisonment, and exodus of clients.
The responsibility to facilitate compliance throughout Cater 2 U Catering Supplies CC has been delegated to the appointed Information Officer and his or her deputies, who have the responsibility for supervising, managing, and overseeing the compliance of this Act. However, it must be emphasised that the primary responsibility for complying with this Act lies with all members of staff dealing with personal information. All staff must therefore understand their responsibility in terms of this Act as well as with the compliance manual and/or guidance notes and ensure that they are applied when processing personal information.
The compliance policy sets out the approach to managing the compliance risks faced by the organisation.
Any breach of this compliance policy is considered serious and may result in disciplinary action that could ultimately lead to the dismissal of the offender.
3.2 Breaches of this Policy and Reporting lines
3.2.1 Any employee who is part of, or becomes aware of, a data breach must report to his or her respective departmental manager/Deputy Information Officer.
3.2.2 The Deputy Information Officer reports to the Information Officer.
3.2.3 The Information Officer reports to the Managing Director and the Board of Directors to the Information Regulator.
3.3 Roles and Responsibilities
3.3.1 The information officer has to ensure this policy is followed by each employee through the support of all management levels who must discharge their responsibilities.
3.3.2 The Deputy Information Officer(s) must support the Information Officer in his duty to ensure data privacy risk management.
The Deputy Information Officer must:
3.3.3 The Head of IT supports the Information Officer and the Deputy Information Officers by:
A: The Information Officer must ensure that Cater 2 U Catering Supplies CC adheres to the following conditions for the lawful processing of personal information in terms of the Protection of Personal Information Act:
4.1 Conditions 1: Accountability
4.1.1 Cater 2 U Catering Supplies CC must ensure that the conditions of lawful processing of personal information and all measures that give effect to such conditions are complied with at all times.
4.2 Conditions 2: Processing Limitation
4.2.1 Personal information must be processed in a lawful and reasonable manner that does not infringe the privacy of the data subject.
4.2.2 Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.
4.2.3 You may only process and access information as is allowed for in order to perform your duties in terms of your employment function.
4.2.4 Information may not be accessed, stored, or distributed other than is required by your employment function.
4.2.5 You may only process personal information to meet legal or contractual obligations, to achieve business goals, or alternatively with the consent of the data subject after the purpose has been explained to the data subject, who has confirmed that the purpose is understood. You may also process information when the processing is in the legitimate interest of the data subject, Cater 2 U Catering Supplies CC or a third party.
4.2.6 Information must be collected directly from the data subject where possible. If personal information is collected from another source, the data subject must be advised thereof, and the purpose for the collection.
4.6 Conditions 6: Openness:
4.6.1 When Cater 2 U Catering Supplies CC collects personal information, reasonably practicable steps must be taken to ensure that the data subject is aware that the personal information is being collected in line with this and other related policies.
4.7 Conditions 7: Security Safeguards:
4.7.1 Each employee of Cater 2 U Catering Supplies CC must secure the integrity and confidentiality of all personal information that is in its possession or under its control to prevent –
4.7.2 To comply with this principle, you must consider the following policies:
4.7.3 When sharing personal information with an operator, the employee must ensure that an Operator’s Agreement is entered into with the operator which must make provision for the following:
4.8 Conditions 8: Data Subject Participation:
4.8.1 When a data subject provides sufficient proof of identity (for example, a copy of an ID document or Driver’s License), the data subject is entitled to:
B: Cater 2 U Catering Supplies CC must adhere to the following provisions of the Protection of Personal Information Act when Special Personal Information is being processed.
4.9 Prohibition on the processing of personal information (Section 26)
4.9.1 Cater 2 U Catering Supplies CC will not process personal information, concerning –
unless such processing is justified as follows:
C: Cater 2 U Catering Supplies CC must adhere to the following provisions of the Protection of Personal Information Act when processing Personal Information of Children
4.10 Prohibition on processing personal information of children (Section 34)
4.10.1 It is important to note that Cater 2 U Catering Supplies CC may not process personal information concerning a child.
4.10.2 In terms of this Act a “child”, means a natural person under the age of 18 years who is not legally competent when determining the parameters of the processing of personal information of children.
Unless such processing is:
D. Cater 2 U Catering Supplies CC must adhere to the following provisions of the Protection of Personal Information Act when Marketing Directly to a Data Subject through unsolicited electronic communication
4.11.1 The processing of personal information of a data subject for the purpose of direct marketing through any form of electronic communication, including automatic calling machines, facsimile machines, SMSs, or e-mail is prohibited unless the data subject –
4.11.2 Cater 2 U Catering Supplies CC may approach a data subject only once to request the consent of that data subject and only if the data subject has not previously withheld such consent.
4.11.3 The data subject’s consent must be requested in the prescribed manner and form 4 to the Regulations.
4.11.4 Cater 2 U Catering Supplies CC may only process the personal information of a data subject who is a customer of Cater 2 U Catering Supplies CC if –
4.11.5 Any communication for the purpose of direct marketing must contain –
E: Cater 2 U Catering Supplies CC must adhere to the following provisions of the Protection of Personal Information Act when Transferring Personal Information outside of the Republic of South Africa
4.12 Cater 2 U Catering Supplies CC may not transfer personal information about a data subject to a third party who is in a foreign country unless the personal information that is collected automatically is collected by third parties whose technology we use to provide website functionality and acquire website analytics information. Some of these third parties will be outside of the borders of South Africa and data subject’s information will be stored outside the borders of South Africa. We make use of a Google Business Account and the information collected through this third party will be kept on the servers used by Google.
We take compliance with this policy very seriously. Failure to comply puts both you and the organization at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.