HAPPY HOLIDAY HOMES CC
Registered with the PPRA
COMPLIANCE FRAMEWORK FOR THE IMPLEMENTATION
OF THE PROTECTION OF PERSONAL INFORMATION ACT OF 2013
- Specific Words / Phrases
- Processing personal information and protecting the right of our clients
- What personal information do we collect?
- Who might we share your personal information with?
- Transborder Information Flows
- Circumstances requiring prior authorisation
- Special Personal Information
- Processing of Personal Information of Children
- Data Breach Notification
- Contravention Of POPIA
- The SA Information Regulator
- Forms and clauses
INFORMATION OFFICER: Lance Sean du Plessis
We respect and protect the privacy of all persons (both natural and juristic, like companies and close corporations) whose personal information we collect, regardless of form and medium. This includes our clients, employees, Property Practitioners, consultants, power partners and service providers. These privacy notices explain our personal information handling practices in relation to that particular purpose or service. They explain who we collect personal information from, with your consent, what information we collect, what we do with it, how you might access it, who it might be shared with, for what reason we collect it and how we will keep it before we destroy it. All of this is covered under the POPI Act.
Lance Sean du Plessis
Address: Shop 6 Déjà vu Boulevard
Cnr of Marine drive and Albert Meyer road
KwaZulu Natal, 4275
Mobile: +27 082 787 0711
Telephone: +27 039 315 6334
Organisation email: firstname.lastname@example.org
The Protection of Personal Information Act (POPI) is intended to balance the scale legally by protecting a person’s constitutional rights to privacy (which requires our personal information to be protected); and the needs of business to have access to and to process (work with) a person’s specific personal information to perform the task they are set out to do.
This Compliance Framework sets out the framework for our company’s compliance with the POPI Act and is focused on tasks that must be performed in the property sector.
SPECIFIC WORDS/PHRASES (used in the act, will be used in this document, to make it clearer).
The person to whom the personal information relates. It is a living, identifiable natural person or an existing juristic person: companies, cc, trust, public entity (Mun), e.g., Seller / Buyer / employee
Is the person/s or company who is responsible for the processing of personal information, whether it is to collect it, keep it safe, disseminate it or destroy it to perform a specific task. e.g., Principal / Property Practitioner Business / Trustees / Body corporate.
Is the party processing personal information on behalf of the responsible party. The responsible party retains accountability. The Property Practitioner Business personnel who are processing the information, or a third party if the processing is outsourced e.g., IT company.
Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, shared, kept, up to the time that the information is destroyed, regardless of whether the information is a hard copy, or in electronic format.
INFORMATION OFFICER and deputy information officer
Our Information officer is: Lance Sean du Plessis
(Name and contact details) email@example.com
The Information officer must:
- Develop the compliance framework and ensure it is implemented in line with the eight (8) conditions (see below) for the lawful processing of personal information.
- Do a personal information impact assessment to ensure adequate measures and standards. (What Personal information we hold, where we hold it and for what purpose and is it necessary)
- Review the forms our Property Practitioner Business uses to gather information (for example, application forms, employment contracts, lease, and purchase contracts) to determine whether it is necessary to request all the information dealt with in those forms and is the consent clause included.
- He/she must develop (this) framework and monitor, maintain it, and make it available as prescribed in sections 14 and 51 of the Act.
- Internal measures (7 forms) are developed together with adequate systems to process requests for information from data subjects or access thereto, free of charge.
- Ensure internal training/awareness sessions are conducted regarding the provisions of the POPI Act and discuss it weekly at the office meeting.
- Working with the Regulator in relation to any investigations conducted in accordance with the relevant provisions of POPI Act. (When needed)
PROCESSING PERSONAL INFORMATION AND PROTECTING THE RIGHTS OF OUR CLIENTS:
We undertake to implement, monitor, and maintain the eight (8) conditions for the lawful processing of personal information, to always follow the POPI Act and to process personal information while protecting the right to privacy of our clients.
- Accountability (Form 6)
The Principal Lance Sean du Plessis (responsible party) must ensure that the conditions and all the measures set out in the Act are followed through in the office.
The deputy Information officer (operator) is Lance Sean du Plessis, who will be tasked with the responsibility of compliance in our office. This individual will be held liable for non-compliance in certain day to day situations as described on his/her employment contract.
- Processing Limitation (Forms 1, 2, 5, 7)
Personal information may only be processed in a fair and lawful manner and only with the consent of the person whose information it is (data subject) and for the intention for which it was collected.
- The personal information must be obtained directly from the person (Data Subject)
- The person should be aware that we gather his/her information and consent to the information to be used.
- If a third party is being used to collect personal data, the person (Data Subject) must consent to this information being shared and used by us first.
- Only information that is required for the specific purpose, for which it is gathered may be stored. (No more than what is necessary)
- Purpose Specific (Forms 1, 2, 3, 5, 7)
We limit the amount of personal information collected and processed to only what is fit for the purposes as needed.
- The specific purpose must be documented and adhered to.
- Data Subject has the right to know what information we have and for what purpose it was gathered.
- We will have to be able to link all personal information collected to legitimate reasons for collecting.
- Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed.
- We will be required to account for what information we hold, for what purpose it was gathered and a date that that information must be destroyed.
- We will destroy Personal Information, in a manner that prevents its reconstruction, after we are no longer authorized to retain such records.
- Further Processing Limitation (Forms 1, 2, 3, 5, 7)
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- We retain personal information only for as long as it is needed, or longer if required by law.
- If we retain your personal information for budget or statistical purposes, we ensure that the personal information cannot be used further. (It will be de-personalised)
- Before we use existing personal information for any other purpose, other than what the information was gathered for, consent will be required from the Data Subject again.
- If he/she refuses, processing will stop.
- When gathering information, we will advise the Data Subject what the information will be used for and for what period we will hold that information.
- Information Quality (Forms 1, 3)
While in our possession, together with the data subject’s assistance, we try to maintain the accuracy of personal information.
- We will obtain information directly from the data source to ensure accuracy, as far as possible.
- When advising Data Subjects of the information we hold and for what purpose we hold it, they will be given details of how to check, and update their information or withdraw consent.
- Openness (Form 1, 2, 5, 7)
The data subject whose information we are collecting will be made aware that we are collecting such personal information and for what purpose the information will be used and her/ his rights. (Even if this is public record or he/she consented to collection from a third party)
- We will gather personal information from Data Subjects after they sign a consent form.
- The Data Subject will be informed of how the data will be used at the time of gathering the information.
- The Data Subjects will be given a letter with the details of the principal (responsible person) in our Property Practitioner Business and the Information Regulator contact details.
- The Data Subject will be advised of his/her rights to complain to the Information Regulator if misuse is suspected.
- The Data Subject will always be advised of his/her rights to access his/her information and to object to the processing of said information.
- Security Safeguards (Form 6)
We restrict, secure, and control all our information against unauthorised access, interference, modification, damage, loss, or destruction; whether physical or electronic.
- We will do a safety and security risk assessment from time to time to ensure we keep up with requirements and this will be discussed at our monthly staff meeting for all personnel’s input.
- Our staff must be informed / trained to be compliant with POPI Act, and this training must be ongoing and up to date.
- We do everything we can to prevent personal information from falling into unauthorized hands.
- Our business premises where records are kept must remain protected by access control, burglar alarms and armed response.
- All our laptops, phones and computer network are protected by passwords which we change on a regular basis.
- We use firewalls and Avira Antivir to protect our computers.
- We are a Small Property Practitioner Business, so it is easy to determine which employees are permitted to access personal information and what information they are permitted to access.
- Personal information can only be accessed or modified by those employees with the passwords authorising them to do so.
- The online profiles and access of staff who left the Property Practitioner Business must be properly deleted.
- Each employee uses his/her own password to access the data, therefore we can identify the source of a data breach and we can neutralise such a breach.
- If there were a data breach, we will determine the source, neutralise it and prevent the re-occurrence of such a data breach.
- When we make use of an external operator our principal (responsible party) will, in terms of a written contract between our Property Practitioner Business and the operator, ensure that the operator establishes and maintains the required security measures.
- The operator must advise immediately if there is the possibility that personal data has been accessed or acquired by any unauthorized person.
- The Data Subject will be advised via e-mail or in writing immediately if it is suspected that their personal information has been accessed by unauthorized persons. Sufficient information will be provided to allow the Data Subject to put measures in place to safeguard themselves against potential consequences of the security compromise.
- The Information Regulator will be informed in the event of a security breach where personal information could be compromised. It is the duty of the Responsible Person to ensure this process is followed.
- Data Subject Participation (Forms 2, 3, 4)
Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
- Data Subjects may request information from us on whether we are holding their personal information.
- This request will not be declined, and we will not charge for it.
- The Data Subject has the right to correct the personal information that we hold.
- They also have the right to withdraw consent at any time.
WHAT PERSONAL INFORMATION DO WE COLLECT?
We only collect the minimum amount of information that is relevant to the purpose. If you interact with us on the internet, the personal information we collect depends on whether you just visit our website or require our services. If you visit our website, your browser transmits some data automatically, such as your browsing times, the data transmitted and your IP address.
- If you use our services, personal information is required to fulfil the requirements of that service.
- We usually collect only name and contact details, financial qualification (if completed by you), with property needs and requirements when we assist a buyer or lessee in finding a property.
- While doing a price estimation to place a property on the market, we need the basic info and will be able to source the property info from the deeds office systems (Lightstone / SAPTG/PayProp/CMA).
- To assist selling the property we need to have basic personal info and financial info to know if the sellers will be able to sell the property, cancel the bond, pay all fees, and move to another property.
Generally, we collect the following personal information to complete contracts. If there is any specific personal information to collect, we will indicate as such, at the time of collection.
- Name, surname, and birth name
- Identification Number/s
- Married/single status.
- E-mail address
- Physical / postal address / erf number / complex details
- Telephone number/s
- Financial & banking details (for bond qualification – buyers and bond cancellations -sellers and rentals)
WHO MIGHT WE SHARE YOUR PERSONAL INFORMATION WITH?
To maintain and improve our services, your personal information may need to be shared with or disclosed to our service providers:
- colleagues or other Property Practitioner Businesses,
- bond consultants,
- compliance inspectors,
- homeowner association,
- in some cases, public or legal authorities.
TRANSBORDER INFORMATION FLOWS
Property Practitioner Business is unlikely to process personal information to be sent transborder, but if there is an international component to the work which we are doing for you, and if we are required to share your personal information with an overseas recipient, you are entitled to ask us how your personal information will be protected in this foreign country, and we will endeavour to assist you.
CIRCUMSTANCES REQUIRING PRIOR AUTHORISATION
Property Practitioner Business is unlikely to process personal information under circumstances requiring authorisation from the regulator, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.
SPECIAL PERSONAL INFORMATION
While we recognise that protecting all personal information is important in gaining and maintaining your trust, special personal information is often afforded a higher level of protection. Property Practitioner Business is unlikely to process special personal information, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.
THE PROCESSING OF PERSONAL INFORMATION OF CHILDREN
Property Practitioner Business is unlikely to process any personal information of children except maybe with a young student or where adults put a property in a child’s name.
To all students. (Student accommodation)
This is an especially important notice which we must share with you and any one of your parents or legal guardians if you are under the age of eighteen. To make use of our services, we need information which is personal to you. For example, your name, your email address, and your phone number. It might be so that we cannot use your information unless your parent agrees.
To parents / legal guardians
In order for children to make use of our services we need to use their personal information and for this we are required by law to obtain the consent of a parent or legal guardian. Before deciding on consent, it is important for parents to understand our information security and privacy policies. It is equally important for parents to explain to children, the implications of not providing our organisation with the proper consent. Please sign our consent form on behalf of your child.
DIRECT MARKETING (Form 4)
Where we as a Property Practitioner Business want to contact a person for the first time with marketing communication which was not requested (unsolicited),
- the Property Practitioner Business must obtain consent before any marketing to individuals.
- The Property Practitioner Business may approach someone for direct marketing consent once only,
- and only if they have not withheld consent previously.
We may only conduct direct marketing (using any form of communication) to previous clients if:
- the potential client was given an opportunity to object to receiving direct marketing material by us, at the time that their personal information was collected.
- and they did not object then.
- or at any other time, after receiving any such direct marketing communications from us.
We may only approach clients using their personal information,
- if we have obtained their consent to use their personal information in the context of providing services associated with marketing to them,
- and we may then only market Property Practitioner Business services to them.
We will stick to permitted contact times.
The prohibited times for marketing are:
- Sundays or public holidays.
- Saturdays before 09h00 and after 13h00.
- and all other days between the hours of 20h00 and 08h00 the following day
We are aware that we are not allowed to use lists purchased from a lead generation business if we purchased them without obtaining confirmation from the list’s provider that the records have been obtained and stored in a way which is compliant with POPIA.
The “unsubscribe” option must be on our marketing e-mails.
All electronic direct marketing communications must contain an “unsubscribe” option.
Similarly, physical post boxes containing a direction that “no junk mail”.
We will make use of a bulk email and SMS software that keeps track of “opt-in” and “opt out” information and automatically includes an automatic “opt out” on each message sent to existing clients and others that have “opted-in” to receive marketing; and to ask people directly if they may be added to the Property Practitioner Business’s database.
We will include the sender’s details on all e-mails.
An address or other contact details to which the recipient may reply/send a request that such communications cease.
DATA BREACH NOTIFICATION
Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorised person, the Property Practitioner Business (as responsible party), or any third-party, processing personal information, on instruction from the Property Practitioner Business (the operator), must notify the Information Regulator and the data subject in writing as soon as possible.
THE INFORMATION REGULATOR IS RESPONSIBLE FOR THE INVESTIGATION AND ENFORCEMENT OF POPIA.
A person contravenes the provisions of POPIA if he/she/it:
- hinders, obstructs, or unlawfully influences the Information Regulator.
- fails to comply with an information or enforcement notice.
- gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation.
- contravenes the conditions.
knowingly or recklessly, without the consent of the responsible party, obtains, discloses, or procures the disclosure, sells, or offers to sell details of a data subject to another person; and will be guilty of an offence.
CONTRAVENTION OF POPI Act.
Could result in far-reaching sanctions; these include the imposition of fines up to R10 million, imprisonment for a period of 12 months to 10 years and/or a damages claim by the data subject.
THE SA INFORMATION REGULATOR
You have the right to lodge a complaint with the SA Information Regulator.
The Information Regulator (South Africa)
PO Box 31533
27 Stiemens Street
SCHEDULE OF CLAUSES AND FORMS
- Form 1 CONSENT TO PROCESS (USE) PERSONAL INFORMATION
- Form 2 OBJECTION TO PROCESS (USE) PERSONAL INFORMATION
- Form 3 REQUEST TO CORRECT OR DELETE PERSONAL INFORMATION
- Form 4a CONSENT TO DIRECT MARKETING
- Form 4b REFUSAL OF DIRECT MARKETING
- Form 5 INTRODUCTORY LETTER TO CLIENT RE POPIA
- Form 6 EMPLOYEE COMPLIANCE WITH POPIA
- Form 7 SHOW HOUSE ATTENDANCE REGISTER
- CLAUSES FOR MANDATES AND CONTRACTS (Afrikaans & English)