Popia Policy

Code Craft ZA (Pty) Ltd

(Reg. No.: 2012/073348/07)

PROTECTION OF PERSONAL INFORMATION POLICY

Relating to: The Protection of Personal Information Act 4 of 2013

Reference: POPIA POL 1.0

Issue No: 0.1

Issue Date: 01/12/2020

1. INTRODUCTION & OVERVIEW

Code Craft ZA (Pty) Ltd is a technology consulting and support company functioning within the Information Technology industry and operating out of Durban, KZN, South Africa. It is obligated, in terms of South African regulations, to comply with The Protection of Personal Information Act 4 of 2013.

‘The Company’ as referred to in this document, is defined as Code Craft ZA (Pty) Ltd.

POPIA requires that The Company inform their Data Subject(s) as to the manner in which their personal information is used, disclosed and destroyed.

The Company guarantees its commitment to protecting its Data Subject’s privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.

This Policy sets out the manner in which The Company deals with their Data Subject’s personal information and stipulates the purpose for which said information is used. The Policy document is publicly available on The Company’s official website and by request from The Company’s head office.

2. THE NATURE OF PERSONAL INFORMATION COLLECTED

Section 10 of POPIA states that “Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” (i.e. Endeavour to ensure the Minimality of data collected and processed)

The Company collects and processes personal information pertaining to The Company’s financial and operational needs. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Whenever possible, The Company will inform its Data Subject(s) as to the information required and the information deemed optional. Examples of personal information we may collect include, but are not limited to:

Identity number, name, surname, address, postal code, marital status, race, gender, number of dependants, business, assets, financial information, banking details, etc.

Any other information required by The Company, our customers, suppliers and insurers in order to provide relevant and accurate services

The Company also collects and processes personal information for marketing purposes in order to ensure that our products and services remain relevant to our Data Subject(s) and potential Data Subject(s).

The Company aims to have agreements in place with all product suppliers, insurers and third-party service providers to ensure a mutual understanding with regard to the protection of The Company’s personal information.

With Data Subjects’ consent, The Company may also supplement the information provided with information The Company receives from other providers, in order to offer a more consistent and personalized experience when interacting with Data Subjects.

3. THE USAGE OF PERSONAL INFORMATION

A) The Company’s Personal Information will only be used for the purpose for which it was collected and as agreed.

This may include:

  • Providing products or services to Data Subject(s) and to carry out the transactions requested;
  • Conducting credit reference searches or verification;
  • Confirming, verifying and updating Data Subject details;
  • For the detection and prevention of fraud, crime, money laundering or other malpractices;
  • Conducting market or customer satisfaction research;
  • For audit and record keeping purposes;
  • In connection with legal proceedings;
  • Providing The Company’s services to Data Subject(s), to render the services requested and to maintain and constantly improve the relationship;
  • Providing communication in respect of The Company and regulatory matters that may affect Data Subject(s); and
  • In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.

B) In accordance with section 11 of POPIA, personal information may only be processed if certain conditions, listed below, are met along with supporting information for The Company’s processing of Personal Information:

a. The Data Subject(s) consent to the processing, and consent is obtained from Data Subject(s) during the introductory, appointment and needs analysis stage of the relationship;

b. The necessity of processing for pursuing the legitimate interests of The Company or of a third party to whom information is supplied:

i. In order to accurately assess The Company’s information needs, The Company annually conducts an internal needs analysis review and obtains information from Data Subject(s) about their needs in order to provide them with applicable and beneficial products/services.

ii. In order to provide The Company’s Data Subject(s) with products and/or services, both The Company and any of our product suppliers require certain personal information from The Company, in order to make an informed decision on the unique and specific product and/or service required.

c. Processing complies with all known obligations imposed by law on The Company.

4. DISCLOSURE OF PERSONAL INFORMATION

The Company may disclose a Data Subject’s personal information to any subsidiaries, joint venture companies and/or approved product or third-party service providers whose services or products the Data Subject(s) elect to use. The Company has agreements in place to ensure compliance with confidentiality and privacy conditions.

The Company may also share Data Subject personal information with and obtain information about Data Subject(s) from third parties for the reasons already discussed above.

The Company may also disclose a Data Subject’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary in order to protect The Company’s rights.

5. INFORMED CONSENT

Informed Consent to process Data Subject information is obtained from Data Subject(s) during the introductory, appointment and needs analysis stages of the relationship, or from a person or entity who has been given authorisation from the Data Subject to provide the Data Subject’s personal information.

6. SAFEGUARDING DATA SUBJECT INFORMATION

It is a requirement of POPIA to adequately protect personal information. The Company will regularly review its security controls and processes to ensure that personal information is secure.

The following procedures are in place in order to protect personal information:

a. THE COMPANY’s INFORMATION OFFICER is Stephen Morgans whose details are available below and who is responsible for the compliance with the conditions of the lawful processing of personal information and other provisions of the POPIA Act. The Information Officer is assisted by Stephen Morgans who will function as The Company’s Deputy Information Officer;

b. This policy has been put in place throughout The Company’s workforce, and training on this policy and the POPIA Act has been conducted (or shall take place soon) from 2020 onwards by The Company’s training, in addition to third party service providers and the Group Compliance function;

c. Each new and current employee will be required to sign an Employment Contract and Individual Agreement Policy containing relevant consent clauses for the use and storage of personal information, or any other action so required, in terms of POPIA;

d. The Company’s archived Data Subject information is stored on sites which are also governed by POPIA. Access to these areas is limited to authorized personnel.

e. The Company’s suppliers, vendors, insurers and other third-party service providers will be required to sign a Non-Disclosure Agreement (NDA) and Service Level Agreement (SLA) and disclose their compliance status with regard to the Protection of Personal Information Act.

f. All electronic files or data are backed up by The Company’s preferred I.T. Service Provider, which is also responsible for system security that defends against third party access and physical threats. The I.T. Service Provider is responsible for Electronic Information Security. The appointed I.T. Service Provider is ODEK Technologies.

7. RIGHT OF ACCESS TO AND CORRECTION OF PERSONAL INFORMATION

Data Subject(s) have the right to access the personal information The Company holds about them. Data Subject(s) also have the right to ask The Company to update, correct or delete their personal information on reasonable grounds. Once a Data Subject objects to the processing of their personal information, The Company may no longer process said personal information. The Company will take all reasonable steps to confirm its Data Subject(s)’ identity before providing details of their personal information or making changes to their personal information.

The details of The Company’s Information Officer (IO) and Head Office are as follows:

The IO is also synonymously referred to as the ‘Information Security Manager’ in The Company’s Policies and procedures manuals.

The POPIA Policy, Privacy Policy and Information Officer’s contact details are published on The Company’s website.

INFORMATION OFFICER DETAILS
NAME: Stephen Morgans
TELEPHONE NUMBER: +27 31 266 9648
E-MAIL ADDRESS: compliance@codecraft.co.za

HEAD OFFICE DETAILS
TELEPHONE NUMBER: +27 31 266 9648
POSTAL ADDRESS: Unit 8b Amber Building, Abrey Eco Park, 5 Abrey Rd, Kloof, KZN, South Africa, 3640
PHYSICAL ADDRESS: Unit 8b Amber Building, Abrey Eco Park, 5 Abrey Rd, Kloof, KZN, South Africa, 3640
WEBSITE: https://codecraft.co.za/

8. AMENDMENTS TO THE POLICY

Amendments to, or a review of this Policy, will take place on an ad hoc basis following any significant systems changes, or at least annually. Data Subject(s) are advised to access The Company’s website periodically to keep abreast of any changes. Where material changes take place, Data Subject(s) will be notified directly, or changes will be stipulated on The Company’s website.

9. MISSING INFORMATION OR DATA

If The Company searches for a record and it is believed that the record either does not exist or cannot be found, the requester will be notified by way of an affidavit or affirmation. This will include the steps that were taken in the attempt to locate the record.

10. COMPLEMENTARY AND SUPPLEMENTAL GOVERNANCE POLICIES

The Company is committed to a very high standard of Information Systems Governance.

Further Definitions, Incumbents in the Roles and Acronyms are described in The Company’s Information Systems Governance Framework.

These related standard internal Policies below and others are available upon request (and subject to Confidentiality and Intellectual Property rights) from the Information Officer. These contain greater detail and augment the clauses contained in this policy for the purposes of a comprehensive governance regime: (in some instances beyond that of POPIA standards)
