Privacy Policy

PRIVACY NOTICE AND INFORMED CONSENT NOTICE

 

CONSENT FOR DOMUM AFRICA (PTY) LTD (“DOMUM”) TO PROCESS PERSONAL INFORMATION IN TERMS OF THE PROTECTION OF INFORMATION ACT, 4 OF 2013 (POPIA)

(EMAIL, WEBSITE AND SOCIAL MEDIA PRIVACY NOTICE)

 

The Protection of Personal Information Act, 4 of 2013 (POPIA) gives effect to the constitutional right to data privacy in terms of Section 14 of the Bill of Rights of the Constitution.

 

The responsible use of the DOMUM website and related resources in respect of data privacy is important to DOMUM.

 

DOMUM is committed to protecting all persons’ rights to privacy and ensuring that personal information is used appropriately, transparently and in accordance with applicable law. DOMUM also seeks to ensure that the rights to privacy are balanced with other rights such as the right to use and have access to DOMUM’s information, communications and services including its online and social media platforms.

 

This Policy sets out the responsibilities and obligations of persons who make use of, access or receive DOMUM’s information, communications and services via its electronic communication facilities and resources including inter alia its website, email and social media platforms to ensure that they respect and process Personal Information lawfully and in accordance with the provisions of POPIA and the 8 Personal Information Processing Principles.

 

PLEASE READ THE DOCUMENT BEFORE YOU, AS A DATA SUBJECT, MAKE USE OF THE DOMUM ELECTRONIC FACILITIES OR PROVIDE DOMUM WITH ANY PERSONAL INFORMATION. BY PROVIDING DOMUM WITH YOUR PERSONAL INFORMATION, YOU, AS A DATA SUBJECT, CONSENT TO DOMUM PROCESSING YOUR PERSONAL INFORMATION, WHICH DOMUM UNDERTAKES TO PROCESS STRICTLY IN ACCORDANCE WITH THIS PRIVACY POLICY.

 

  1. DEFINITIONS

 

In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings–

 

1.1          “Child” means any natural person under the age of 18 (eighteen) years;

 

1.2          “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of DOMUM;

 

1.3          “Data Subject” has the meaning ascribed thereto under POPIA;

 

1.4          “Direct Marketing” means to approach a person, by electronic communication, for the purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject;

 

1.5          “Direct Marketer” means a supplier who employs Direct Marketing as an advertising mechanism;

 

1.6          “DOMUM” means Domum Africa (Pty) Ltd (registration number 2011/145059/07) with its registered address at Waterway House, 3 Dock Road, Victoria & Alfred Waterfront, Cape Town, 8001, including all affiliates, subsidiaries, related and inter-related parties;

 

1.7          “Employee(s)” means any employee of DOMUM;

 

1.8          “Government” means the Government of the Republic of South Africa;

 

1.9          “Operator” means a person or entity who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;

 

1.10        “PAIA” means the Promotion of Access to Information Act, No 2 of 2000;

 

1.11        “Personal Information” has the meaning ascribed thereto under POPIA and specifically includes any form of information that can be used to identify a Data Subject;

 

1.12        “Policy” means this Privacy Policy;

 

1.13        “POPIA” means the Protection of Personal Information Act No. 4 of 2013;

 

1.14        “Processing” has the meaning ascribed thereto under POPIA. “Process” has a corresponding meaning;

 

1.15        “Regulator” means the Information Regulator established in terms of POPIA;

 

1.16        “Responsible Party” means a public or private body or any other person which alone or in conjunction with others determines the purpose of and means for Processing Personal Information;

 

1.17        “Special Personal Information” means Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour; and

 

1.18        “Third Party” means any independent contractor, agent, consultant, sub-contractor or other representative of DOMUM.

 

  1. PURPOSE OF THIS POLICY

 

2.1          The purpose of this Policy is to inform Data Subjects about how DOMUM Processes their Personal Information.

 

2.2          DOMUM in its capacity as Responsible Party and/or Operator where applicable shall strive to observe and comply with its obligations under POPIA as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

 

2.3          This Policy applies to Personal Information collected by DOMUM in connection with the products and services which DOMUM provides. This includes information collected directly from you as a Data Subject as well as information DOMUM collects indirectly through its service providers who collect your information on its behalf.

 

2.4          This Privacy Policy does not apply to the information practices of Third Party companies with whom DOMUM may engage in relation to its business operations (including, without limitation, their websites platforms and/or applications) that DOMUM does not own or control; or individuals that DOMUM does not manage or employ. These Third Party sites may have their own privacy policies and terms and conditions and DOMUM encourages you, as the Data Subject, to read them before using them.

 

  1. PROCESS OF COLLECTING PERSONAL INFORMATION

 

3.1          DOMUM collects Personal Information directly from Data Subjects as and when required for a defined purpose, unless an exception is applicable (such as, for example, where the Data Subject has made the Personal Information public, or the Personal Information is contained in or derived from a public record).

 

3.2          DOMUM will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

 

3.3          DOMUM often collects Personal Information directly from the Data Subject and/or in some cases from Third Parties. Where DOMUM obtains Personal Information from Third Parties DOMUM will ensure that it obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject’s consent where DOMUM is permitted to do so in terms of clause 3.1 above or the applicable law.

 

3.4          An example of such Third Parties includes: (i) recruitment agencies; (ii) other companies providing services to DOMUM; and (iii) where DOMUM makes use of publicly available sources of information (e.g. the Companies and Intellectual Property Commission, an agency of the Department of Trade and Industry in South Africa (CIPC)).

 

  1. LAWFUL PROCESSING OF PERSONAL INFORMATION

 

4.1          Where DOMUM is the Responsible Party, it will only Process a Data Subject’s Personal Information (other than for Special Personal Information) where –

 

4.1.1       consent of the Data Subject (or a competent person, where the Data Subject is a Child) is obtained;

 

4.1.2       Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;

 

4.1.3       Processing complies with an obligation imposed by law on DOMUM;

 

4.1.4       Processing protects a legitimate interest of the Data Subject;

 

4.1.5       Processing is necessary to pursue the legitimate interests of DOMUM or of a Third Party to whom the information is supplied.

 

4.2          DOMUM will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above are present.

 

4.3          DOMUM will make clear to the Data Subject the manner and reason for which the Personal Information will be Processed.

 

4.4          Where DOMUM is relying on the consent of the Data Subject as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to DOMUM Processing of the Personal Information at any time. Such withdrawal or objection by the Data Subject shall not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or objections, nor any Processing justified by any other legal ground provided under POPIA.

 

4.5          If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, DOMUM will ensure that the Personal Information is no longer Processed.

 

  1. RIGHTS OF DATA SUBJECTS

 

5.1        Data Subjects have the right to know what Personal Information DOMUM has about the Data Subject, to correct it and to opt out of any marketing, as detailed below.

 

  • Data Subjects have the right to:

 

  • enquire with DOMUM as to what Personal Information is held by DOMUM about the Data Subject;

 

  • enquire with DOMUM what Personal Information was sent to DOMUM’s suppliers, service providers or any other Third Party;

 

  • request DOMUM to update, correct or delete any out-of-date or incorrect Personal Information held by DOMUM about the Data Subject;

 

  • unsubscribe from any direct marketing communications that DOUMUM may send to the Data Subject; and

 

  • object to the processing of the Data Subject’s Personal Information.

 

  • Should the Data Subject require DOMUM to delete all Personal Information held by DOMUM about the Data Subject, DOMUM reserves the right to terminate all agreements that the Data Subject has with DOMUM, as DOMUM cannot maintain its relationship with the Data Subject without having some of the Data Subject’s Personal Information.

 

  • DOMUM also reserves the right to refuse to delete a Data Subject’s Personal Information if DOMUM are required by law to keep it or if DOMUM require it to protect its rights. 

 

  1. STORAGE AND PROCESSING OF PERSONAL INFORMATION BY DOMUM AND THIRD PARTY SERVICE PROVIDERS

 

6.1          DOMUM may store the Data Subject’s Personal Information in hardcopy format and/or in electronic format using DOMUM’s own secure on-site servers or other internally hosted technology. The Data Subject’s Personal Information may also be stored by Third Parties, via cloud services or other technology, with whom DOMUM has contracted with, to support DOMUM’s operations

 

6.2          DOMUM’s Third Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

 

6.3          DOMUM will ensure that such Third Party service providers will Process the Personal Information in accordance with the provisions of this Policy and all other relevant internal policies and procedures and POPIA.

 

6.4          DOMUM will ensure that such Third Party service providers do not use or have access to the Personal Information of the Data Subject except for the purposes specified by DOMUM, and DOMUM requires such parties to employ at least the same level of security that DOMUM uses to protect the personal data of the Data Subject.

 

6.5          Personal Information may be Processed in South Africa or another country where DOMUM, its affiliates and their Third Party service providers maintain servers and facilities and DOMUM will take steps including by way of contracts to ensure that Personal Information continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law, including POPIA.

 

  1. PERSONAL INFORMATION FOR DIRECT MARKETING PURPOSES

 

7.1          To the extent that DOMUM acts in its capacity as a Direct Marketer, it shall strive to observe and comply with its obligations under POPIA when implementing principles and practices in relation to Direct Marketing.

 

7.2          DOMUM acknowledges that it may only use Personal Information to contact the Data Subject for purposes of Direct Marketing from time to time where it is permissible to do so.

 

7.3          DOMUM may use Personal Information to contact a Data Subject and/or market DOMUM’s services directly to such Data Subject where the Data Subject is one of DOMUM’s existing clients or where the Data Subject has requested to receive marketing material from DOMUM or where DOMUM has the Data Subject’s consent to market its services directly to the Data Subject.

 

7.4          If the Data Subject is an existing client, DOMUM will only use his/her/its Personal Information where it has obtained the Personal Information through the provision of a service to the Data Subject and only in relation to similar services to those that DOMUM previously provided to the Data Subject.

 

7.5          DOMUM will ensure that a reasonable opportunity is given to the Data Subject to object to the use of its Personal Information for DOMUM’s marketing purposes when collecting the Personal Information and on the occasion of each communication to the Data Subject for purposes of Direct Marketing.

 

7.6          DOMUM will not use Personal Information to send marketing materials where the Data Subject has requested not to receive such marketing materials. If the Data Subject requests that DOMUM stops Processing Personal Information for marketing purposes, DOMUM shall do so. DOMUM requests that such requests to opt-out of marketing be made via forms and links provided for that purpose in the marketing materials sent to the Data Subject.

 

  1. RETENTION OF PERSONAL INFORMATION

 

8.1          DOMUM may keep records of the Personal Information, correspondence, or comments it has collected in an electronic or hardcopy file format.

 

8.2          In terms of POPIA, DOMUM may not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or Processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as it is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –

 

8.2.1       where the retention of the record is required or authorised by law or by any Government authority;

 

8.2.2       DOMUM requires the record to fulfil its lawful functions or activities;

 

8.2.3       retention of the record is required by a contract between the parties thereto;

 

8.2.4       the Data Subject (or competent person, where the Data Subject is a Child) has consented to such longer retention; or

 

8.2.5       the record is retained for historical, research, archival or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, DOMUM will, subject to the exceptions noted in this Policy, retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by applicable law.

 

8.3          Where DOMUM retains Personal Information for longer periods for statistical, historical, archival or research purposes, DOMUM will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and applicable laws.

 

8.4          Once the purpose for which the Personal Information was initially collected and Processed no longer applies or becomes obsolete, DOMUM will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information. In instances where DOMUM de-identify the Data Subject’s Personal Information, DOMUM may use such de-identified information indefinitely.

 

  1. SAFE-KEEPING OF PERSONAL INFORMATION

 

9.1          DOMUM shall preserve the security of Personal Information and prevent its alteration, loss and damage, or access by non-authorised third parties.

 

9.2          DOMUM will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of Personal Information.

 

9.3          DOMUM has implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry specific requirements or professional rules) to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification. Further, DOMUM maintains and regularly verifies that the security measures are effective and regularly updates same in response to new risks.

 

  1. INFORMATION DISCLOSURE

 

10.1        Notwithstanding anything to the contrary in this Policy, DOMUM reserves the right to disclose any Personal Information about a Data Subject if DOMUM is required to do so by law, and/or if DOMUM believe that such action is necessary to:

 

10.1.1    fulfil a Government request;

 

10.1.2     conform with the requirements of the law or legal process;

 

10.1.3    protect or defend DOMUM’s legal rights or property, its website, or other users; or

 

10.1.4     in an emergency to protect the health and safety of its website’s users or the general public.

 

  1. BREACHES OF PERSONAL INFORMATION

 

11.1        A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

 

11.2        A Data Breach can happen for many reasons, which include: (a) loss or theft of data or equipment on which Personal Information is stored; (b) inappropriate access controls allowing unauthorised use; (c) equipment failure; (d) human error; (e) unforeseen circumstances, such as a fire or flood; (f) deliberate attacks on systems, such as hacking, viruses or phishing scams; or (g) alteration of Personal Information without permission and loss of availability of Personal Information.

 

11.3        DOMUM will address any Data Breach in accordance with the terms of POPIA.

 

11.4        DOMUM will notify the Regulator and the affected Data Subject (unless the applicable law or a Government authority requires that DOMUM delays notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of the Personal Information of the Data Subject.

 

11.5        DOMUM will provide such notification as soon as reasonably possible after it has become aware of any Data Breach in respect of the Personal Information of the Data Subject.

 

11.6        Where DOMUM acts as an ‘Operator’ for purposes of POPIA and where any Data Breach affects the data of the Data Subject whose information DOMUM Processes as an Operator, DOMUM shall (in terms of POPIA) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of the relevant Data Subject has been accessed or acquired by any unauthorised person.

 

 

 

  1. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS

 

12.1        DOMUM may disclose Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process Personal Information in accordance with the provisions of this Policy and POPIA.

 

12.2        DOMUM notes that such Third Parties may assist DOMUM with the purposes listed in paragraph 5.3 above – for example, Third Parties may be used, inter alia,

 

12.2.1     for data storage;

 

12.2.2     to assist DOMUM with auditing processes (external auditors);

 

12.2.3                    for providing outsourced services to DOMUM, including in respect of its (i) legal, (ii) data storage requirements and (iii) upskilling of its Employees;

 

12.2.4                    to notify the Data Subjects of any pertinent information concerning DOMUM.

 

12.3        DOMUM will disclose Personal Information with the consent of the Data Subject or if DOMUM is permitted to do so without such consent in accordance with applicable laws.

 

12.4        DOMUM may send Personal Information to a foreign jurisdiction outside of the Republic of South Africa including for Processing and storage by Third Parties.

 

12.5        When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa including to any cloud, data centre or server located outside of the South Africa, DOMUM will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information where DOMUM is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under POPIA.

 

12.6        Processing of Personal Information in a foreign jurisdiction and to the extent such Processing does occur, may be subject to the laws of the country in which the Personal Information is held and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

 

  1. USE OF WEBSITE COOKIES

 

13.1        DOMUM’s website uses cookies, which are small text files sent by a web server to store on a web browser. They are used to ensure websites function properly, store user preferences when needed and collect anonymous statistics on website usage.

 

13.2        DOMUM’s website may also contain electronic image requests (called a single-pixel gif or web beacon requests) that allows DOMUM to count page views and to access cookies. Any electronic image viewed as part of a web page can act as a web beacon. DOMUM’s web beacons do not collect, gather, monitor or share any of the Data Subject’s Personal Information. DOMUM merely uses them to compile anonymous information about its website.

 

13.3        The Data Subject may also provide additional information to DOMUM on a voluntary basis (optional information). This includes content or products that the Data Subject decides to upload or download from DOMUM’s website or when the Data Subject enters competitions, takes advantage of promotions, responds to surveys, orders certain additional goods or services, or otherwise uses the optional features and functionality of DOMUM’s website.

 

13.5        The Data Subject may refuse to accept cookies by activating the setting on its browser which allows it to refuse the setting of cookies. However, if selected this setting may prevent the Data Subject from accessing certain parts of the website. Unless a browser setting is adjusted so that it will refuse cookies, the system will issue cookies when one logs on to the website. If a “cookie” is accepted or there is a failure to deny the use of “cookies”, the Data Subject agrees that it is the Data Subject’s Personal Information collected using “cookies” and may be used (subject to the provisions of this Policy). Where the Data Subject either rejects or declines cookies, the Data Subject may not be able to fully experience the interactive features of the website.

 

  1. CHANGES TO THIS POLICY

 

14.1        DOMUM reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify the Data Subject of such amendments.

 

14.2        The current version of this Policy will govern the respective rights and obligations between the Data Subject and DOMUM each time that the Data Subject accesses and uses the DOMUM site.

 

  1. DATA SUBJECT ACCESS REQUESTS

 

  • All Data Subjects are entitled to request information from DOMUM pertaining to the Data Subject’s Personal Information that is held by DOMUM.

 

  • All requests for information should be made in writing by the Data Subject to DOMUM. DOMUM will furnish the Data Subject with the requested information within 21 (twenty-one) days from the date of receipt of the written request by DOMUM.

 

  • Prior to furnishing the Data Subject with the requested information, DOMUM will first have to verify the identity of the Data Subject.
  1. CONTACTING US

 

16.1        All comments, questions, concerns or complaints regarding your Personal Information or this Policy, should be forwarded to DOMUM at info@domum.co.za.

 

16.2        Our Information Officer contact details are:

Information Officer / Deputy Information Officer

Name:                    The Managing Director

 

Address:                Domum Africa (Pty) Ltd, Waterway House, 3 Dock Road, Victoria & Alfred Waterfront, 8001

Tel:                        +27 (0)21 4195445

Email:                    info@domum.co.za