PROTECTION OF PERSONAL INFORMATION ACT POLICY
Introduction
Edge Telematics acknowledges that a data subject, whether it be a natural or juristic person, is the owner of personal information and that consequently the data subject has the right to always exercise control over its personal information. Edge Telematics further acknowledges the increasing misuse and abuse of personal information in the modern age. We align ourselves with the Protection of Personal Information Act 4 of 2013 (“the POPI Act”) and its goal to protect personal information.
The definitions of the POPI Act and Regulations relating to the Protection of Personal Information (“Regulations”) are used in this policy. The following is an extract from the POPI Act of relevant definitions used in this policy:
‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘data subject’’ means the person to whom personal information relates;
‘‘filing system’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
‘‘information officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘special personal information’’ means personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information or criminal behaviour;
1. Introduction
The Constitution of the Republic of South Africa provides that every person has a right to privacy, which includes your right to have your personal information protected. The Protection of Personal Information Act 4 of 2013 (“the POPI Act”) aims to do exactly this, to protect your personal information. This policy sets out how we will comply with the POPI Act when we collect, process, or further handle your personal information.
Name: EDGE TELEMATICS (PTY) LTD
Telephone: 021 534 0516
Website: https://edgetelematics.com/
2. Information Officer
Our information officer is responsible for ensuring that we stay compliant with the POPI Act. All requests regarding your personal information in our possession can be directed to him/her.
Name: Hanele Boonzaier
Telephone: 021 534 0516
3. The personal information record of the data subject
You are the data subject and we are the responsible party, meaning we collect and store your personal information (see definition clause). As the data subject you have certain rights that we as the responsible party need to adhere to:
- We may only collect and process your personal information if we have your consent;
- You may enquire about your personal information record;
- You may request the correction or deletion of your personal information record or part thereof;
- You may withdraw your consent;
- All above-mentioned enquiries or requests may happen at any time and must be free of charge.
You do, however, need to inform us as soon as possible of any changes that need to be made to your personal information record held by us. This will ensure that your personal information record stays accurate and up to date.
Please note the following exceptions where we do not need your express consent to process your personal information:
- For the conclusion or performance of a contract to which you are a party;
- Where it is required by law;
- Where it protects a legitimate interest of yourself;
- Where it is needed to protect our legitimate interests or that of an authorised third party;
- Where the personal information is already public knowledge.
Please also consult our PAIA Manual for requests to information records in terms of The Promotion of Access to Information Act 2 of 2000.
4. Collection of Personal Information
We collect your personal information so that we can fulfil our obligations towards you, provide you with an appropriate and accurate service and/or product, communicate with you, be informed of any changes, and inform you of any changes or results. We will always inform you why your personal information is being collected.
We therefore also collect and process your personal information to adhere to legislative duties placed upon us.
The collection of personal information may happen either automatically through our website or manually through other means, but we will always first obtain your consent to collect and process it. You will always be informed when your personal information is collected, and we will always honour your rights as set out in clause 3 above.
We will only collect and process the minimum personal information required to deliver to you the specific product and/or service required. We will specifically inform you what personal information is needed and for what purpose it will be used.
5. Processing and use of personal information
When you first disclosed your personal information to us, you did so for a specific purpose: you gave us a mandate to deliver a service and/or product to you. We will only process your personal information in line with that specific and legitimate purpose or mandate. When the mandate has been completed, we will either store, delete or de-identify your information (depending on the specific circumstances) as set out in clause 8 below.
If any further processing of your personal information is necessary, we may and will only do so if the further processing is in line with the initial mandate that you have given us. If the further processing is not compatible with the initial mandate, then we will first acquire your consent before any further processing.
We do however reserve the right to process your personal information for other legitimate purposes as set out in clause 3. We will however notify you if we process your personal information regardless of our justification.
6. Storage and Safeguards
Electronic records of personal information
We make use of IT-Specialists to design and implement a security framework on all our devices and servers to keep all electronic records of your personal information safe. Our IT-Specialists are seen as our operator by definition of the POPI Act (see definition clause) as they maintain and upgrade our IT systems and security. They only perform functions as mandated by us and are prohibited from processing your personal information, unless it is in line with the mandate that you in turn gave to us. These functions are:
- Implementing necessary cyber security systems to detect, investigate and effectively respond to threats to personal information or its systems.
- Optimising cloud services and the way in which personal information is stored and processed to be in line with the POPI Act.
- Regular wiping of ‘free space’ on storage devices to make sure deleted personal information is irrecoverable.
- Implementing access control methods and mechanisms to ensure that only authorised users have access to your personal information.
- Upgrading our system and devices regularly.
We further maintain, update and implement a strict password policy where personal information is accessible.
Physical records of personal information
All active physical copies of personal information records are kept behind locked doors. All archived physical copies of personal information records are kept behind locked doors.
7. Security Breaches
If there are reasonable grounds to believe that your personal information has been accessed by an unauthorised person, then we will notify you and the Information Regulator as soon as possible. The notice will be sufficiently detailed in order for you to take any necessary protective measures.
8. Retaining and Deletion of Personal Information
We only keep your personal information records for as long as it is needed to fulfil the initial or a further mandate that you have given us. Therefore, if you do not give us a new mandate to use your existing personal information record, we will delete your personal information record.
We will delete your personal information record 30 days after we complete the mandate given by you. We implement regular “wipes” of our storage devices after which any deleted personal information record will be completely irrecoverable. During this 30 day period you may elect to not have your personal information record deleted in order to make future business transactions easier or for any other legitimate purpose.
Where it is required by law that we must retain your personal information record for a specific period we will not delete it after the completed mandate as described above, but only after the period that the law prescribes has lapsed. We will inform you of the relevant legislation and the prescribed time period. During this period, we may archive your personal information with the necessary safeguards as stated in clause 6 above.
Where your personal information is of value for historical, statistical or research purposes, then we may permanently de-identify your personal information in order to use the remaining data for the above-mentioned purposes.
9. Child and Special Personal Information
Special Personal Information
The POPI Act prohibits the processing of your special personal information (see definition clause), subject to the following exceptions:
- the processing is carried out with the data subject’s consent;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- the processing is necessary to comply with an obligation of international public law;
- the processing is for historical, statistical or research purposes subject to certain requirements being met;
- the information has deliberately been made public by the data subject; or
- the provisions of sections 28 to 33 of the POPI Act (as may be applicable) are complied with.
Please note that we generally do not collect your special personal information, because it is not needed. If there are exceptional circumstances that require us to process your special personal information we will only do so according to the law.
Personal Information of a child
The POPI Act prohibits the processing of the personal information of a child, subject to the following exceptions:
- prior consent of legal guardian is obtained;
- processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- personal information is being used for historical, statistical or research purposes if it serves a public interest and it appears impossible or would involve a disproportionate effort to ask for consent.
- If the child has deliberately made the personal information public with the consent of his/her legal guardian.
Please note that we generally do not process personal information of children, but in the exceptional circumstance that it is required we will do so according to the law.
10. Marketing of our products and/or services
We may occasionally send you marketing information regarding our products and/or services that might be useful for you. There will always be an option for you to opt-out from receiving marketing information in the future.
Please further note that we will never send you marketing information without your consent if we do not have an existing relationship with you.