DATA PROTECTION POLICY

1 Introduction

Kruinkloof Bushveld Estate, registration number 2012/106919/08 (“Company”, “we“, “us” or “our“) conducts its business with offices at Sherwell Ave and Lesley Road, Boskruin, Randburg, Johannesburg, South Africa.

The Company needs to gather and use certain personal information about individuals and companies including the Company’s customers, suppliers, business contacts, employees, and other people the organization has a relationship with or may need to contact (“you“, “your” or “data subject“). “Personal information” means any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

This data protection policy (“Policy“) describes what personal information is processed, how this personal information is collected, processed, stored and shared to meet the Company’s data protection standards and to comply with the law.

2 Data protection law

The South African Protection of Personal Information Act 2013 (“POPIA”) ensures that organizations (including the Company) collect, process, store and share personal information in a responsible manner, by holding them accountable should they abuse or compromise personal information in any way. POPIA requires us to tell you about your rights and our obligations to you in regard to the processing and control of your personal information.

These rules apply regardless of whether personal information is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

3 What personal information do we process?

We may collect, use, store and transfer different kinds of personal information about you including your –

Identity Information: Your first name, last name, title, date of birth, marital status, title, occupation, interests, date of birth, gender, race and legal status, as well as copies of your identity documents, photographs, identity number, registration number and your qualifications, and other identifiable information that you may have provided at some time.
Contact information: Your billing address, delivery address, email address, telephone numbers and any other information you have given to us for the purpose of communication or meeting.
Financial information: Your bank account details, insurance information, financial statements, tax clearance certificates and VAT registration numbers.
Transaction Information: Information about payments made to or received from you and company information, which may consist of financial activity.
Technical information: Your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website, your access to and use of the website, products and services, such as what links you went to, what content you accessed, the amount of content viewed and the order of that content, as well as the amount of time spent on the specific content.
Marketing information: Your preferences in receiving marketing from us; communication preferences; responses, and actions in relation to your use of our services.
Special personal information: Special personal information is information about your race or ethnicity, religious or philosophical beliefs, sex life, political opinions, trade union membership, information about your health and biometric data. We make every effort to limit our collection of any special personal information about you but may be required to process such special personal information from employees, consultants, independent contractors and other staff members to comply with applicable laws (such as broad-based black economic empowerment, employment equity legislation, and other employment related legislation). We may also conduct background checks on prospective employees and contractors or service providers but will request your consent before we do so. We are also required in terms of applicable laws to process some of your health data to comply with COVID-19 regulations and protocols.

We may aggregate anonymous information such as statistical or demographic data for any purpose. Anonymous information is information that does not identify you as an individual. Aggregated information may be derived from your personal information but is not considered personal information in law because it does not reveal your identity. However, if we combine or connect aggregated data with your personal information so that it can identify you in any way, we treat the combined data as personal information, and it will be used in accordance with this Policy.

Unless otherwise stated, all of the information we request from you is obligatory. If you do not provide and/or allow us to process all the obligatory information as requested, we will not be able to keep complete information about you, thus affecting our ability to accomplish the above stated purposes.

4 How do we collect personal information?

Most of the personal information we process is information that you knowingly provide to us i.e., we collect personal information directly from you. However, in some instances, we process personal information that we are able to infer about you based on other information you provide to us or on our interactions with you, or personal information about you that we receive from a third party using a process that we have told you about. For example, we may contract with third parties to support us to do credit and background checks.

5 What is the purpose for us collecting your personal information and the lawful basis to do so?

The reason for us processing your personal information is as follows –

Clients / customers: We process your personal information to enter into agreements with you and to perform in terms of that agreement; to send notices and information to you regarding the agreement or legal proceedings; to follow up as part of our customer service; to send direct marketing (if you have consented); to comply with applicable laws.
Service providers / vendors: We process your personal information to enter into agreements with you and to perform in terms of that agreement; to send notices and information to you regarding the agreement or legal proceedings; to decide on your suitability for appointment; to comply with applicable laws.
Employees and other staff: We process your personal information to enter into agreements with you and to perform in terms of that agreement; to send notices and information to you regarding the agreement or legal proceedings; to evaluate applications for employment and to manage all aspects of the employment relationship (including, but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes and other general administrative and human resource-related processes); to decide on your suitability for employment; to notifying your emergency contact in the event of an emergency; to contact your references as part of the recruitment process; to protect the safety and security of the Company, its clients, staff and property; to assess work performance and whether facilities are being used in accordance with acceptable use policies in effect; to administer termination of employment and provide and maintain references.

In terms of POPIA, we must have a legal (lawful) basis for collecting and processing your personal information. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. The basis on which we rely for the purposes above are –

Legitimate interests: In most cases, we process your personal information in line with our legitimate business interests, which interest is not overridden by your data protection interests or fundamental rights and freedoms.
Contract: We will also process your personal information to the extent that it is necessary to conclude or perform under the contract we have with you.
Legal obligation: We have certain legal obligations which require us to process your personal information. This includes processing for tax purposes and employment equity legislation.
Consent: In certain instances, we will only process your personal information with your consent. You can withdraw your consent at any time by contacting our Information Officer (see section 10 below).

6 Data storage, security and retention

We keep records of your personal information no longer than necessary for the purpose for which we obtained them and for any other permitted compatible purposes, including compliance with legal obligations. If you wish to understand more about the retention periods applicable to your personal information, contact our Information Officer (see section 10 below).

The personal information we collect from you is stored by us and/or our service providers on databases protected through a combination of physical and electronic access controls, firewall technology and other appropriate administrative, technical, personnel and physical security measures. Nevertheless, such security measures cannot prevent all loss, misuse or alteration of personal information and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by applicable law and other applicable laws. Where required under law, we will notify you of any such loss, misuse or alteration of personal information that may affect you, so that you can take the appropriate actions for the due protection of your rights.

7 Sharing and transferring your personal information

General. In order to carry out the purposes outlined above, information about you will be disclosed for the purposes set out above to other third parties. When we share your personal information, we require that all third party recipients treat your personal information as confidential and in conformity with this Policy.

Centralized Data Processing Activities. Like most businesses, we have centralized certain aspects of our data processing and administration in accordance with applicable data protection laws and any other applicable laws in order to allow us to better manage our business. That centralization may result in the transfer of personal information from one country to another or from one entity in the Group to another entity in the Group. If one entity in the Group disclose the personal information it hold about you to any other entity in the Group, those entities must first have agreed to be bound by this Policy with respect to their processing of your personal information or are required to enter into a binding agreement to regulate their use of your personal information.

Third party service providers. Like many businesses, from time to time, we outsource the processing of certain functions and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third party service providers, we oblige those third parties to (i) enter into a written contract with us; (ii) protect your personal information in accordance with the terms and conditions of this Policy; (iii) treat the personal information and confidential and not share or transfer your personal information to any other entity without our express written permission; (iv) adopt appropriate security measures; and (v) only use your personal information for the purposes of fulfilling their obligations to us.

Business Transfers. As we continue to develop our business, we may buy or sell the business or certain assets. In such transactions, contracts with you and your personal information is generally one of the transferred business assets. We may share your personal information with any prospective or actual third-party buyers (and their advisors) in respect of such business transfers.

Legal Requirements. We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law or requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with the law or to protect our legitimate interests in accordance with applicable laws. We also reserve the right to retain personal information collected and to process such personal information to comply with accounting, tax rules, regulations, and any specific record retention laws.

Transfers outside of the applicable jurisdiction. Should your personal information move outside of South Africa, we use POPIA-compliant mechanisms to require that the same level of protection be applied in the jurisdiction where the data is being processed by the data recipient. We also ensure that model data protection clauses are in force in any relevant legal contracts and agreements (including agreements between Group companies) to ensure that your personal information is treated by third parties in a way that is consistent with and which respects all applicable local laws.

8 Your rights

As a data subject, you have a number of rights including –

Access rights: You have the right to access your personal information in many circumstances. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Right to rectification: You can require us to have inaccurate personal information corrected.
Right to erasure and object: You can require us to erase personal information in certain circumstances where there is no lawful basis for us to retain such personal information. Please note, however, that in some instances we must retain your personal information for certain periods of time as required by law. You can also object to our processing of your personal information.
Right to restrict: You can require us to restrict our processing of your personal information in certain circumstances.
Right to withdraw consent: You can withdraw any consents to processing that you have given us and prevent further processing if there is no other legitimate ground upon which we can process your personal information.
Right to complain: You can raise a complaint about our processing with the Information Regulator, or with our Information Officer.

Your duty

Duty to inform us of changes to your personal information: It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

9 People, risks and responsibilities

Policy scope: This policy applies to all staff, contractors, suppliers and other people working on behalf of the Company. It applies to all personal information that the Company processes.

Responsibilities: Every individual who works for or with the Company, has a responsibility to ensure that personal information is collected, stored and handled appropriately. Personal information must be handled and processed in line with this Policy and POPIA.

General staff guidelines

The only individuals able to access data covered by this Policy should be those who require it for their work.
No staff member shall share personal information informally within the Company, or with any external parties unless required or authorized to do so.
Staff must keep all data secure, by taking sensible precautions and follow all Company policies and instructions regarding information security.
In particular, strong passwords must be used and should never be shared.
Personal data should not be disclosed to unauthorized people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Employees should request assistance from senior management if unsure about any aspect of data protection.

10 Information Officer

We have appointed an Information Officer who is responsible for, amongst other things, ensuring that this Policy is followed. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact our Information Officer:

Attie Pretorius

Email: attiepretorius65@gmail.com

Contact: 082 554 0806

You have the right to complain to the Regulator in your jurisdiction, in particular in the state of your usual place of residence, place of work or the place of alleged infringement, if you believe that the processing of your personal information is in breach of POPIA. The South African Information Regulator’s details are as follows: