Protection Of Personal Information Act

Adherence to the Protection Of Personal Information Act

The Protection of Personal Information Act (POPI) is intended to balance two competing interests.  These are:

  1. Our individual constitutional rights to privacy (which requires personal information to be protected);
  2. The need for society to have access to and to process personal information for legitimate purposes, including the purpose of doing business.

Our Undertakings To Our Clients

We undertake to follow POPI at all relevant times and to process personal information lawfully and reasonably, so as not to infringe unnecessarily on the privacy of our clients.

We undertake to process information only for the purpose for which it is intended, to enable us to do our work, as agreed with our clients.

Whenever necessary, we shall obtain consent to process personal information.

Where we do not seek consent, the processing of our client’s personal information will be following a legal obligation placed upon us, or to protect a legitimate interest that requires protection.

We shall stop processing personal information if the required consent is withdrawn, or if a legitimate objection is raised.

We shall collect personal information directly from the client whose information we require, unless:

We shall advise our clients of the purpose of the collection of the personal information.

We shall retain records of the personal information we have collected for the minimum period as required by law unless the client has furnished their consent or instructed us to retain the records for a longer period.

We shall destroy or delete records of the personal information (so as to de-identify the client) as soon as reasonably possible after the time period for which we were entitled to hold the records have expired.

We shall restrict the processing of personal information. The further processing of personal information shall only be undertaken:

  • if the requirements of paragraphs 3; 6.1; 6.4; 6.5 or 6.6 above have been met;
  • where the further processing is necessary because of a threat to public health or public safety or to the life or health of the client, or a third person;
  • where the information is used for historical, statistical or research purposes and the identity of the client will not be disclosed; or
  • where this is required by the Information Regulator appointed in terms of POPI.

We undertake to ensure that the personal information which we collect and process is complete, accurate, not misleading and up to date.

We undertake to retain the physical file and the electronic data related to the processing of the personal information.

We undertake to take special care with our client’s bank account details, and we are not entitled to obtain or disclose or procure the disclosure of such banking details unless we have the client’s specific consent.

Our Clients’ Rights

In cases where the client’s consent is required to process their personal information, this consent may be withdrawn.

In cases where we process personal information without consent to protect a legitimate interest, to comply with the law or to pursue or protect our legitimate interests, the client has the right to object to such processing.

All clients are entitled to lodge a complaint regarding our application of POPI with the Information Regulator.

A Form shall be completed by each client when we accept a mandate of any sort, to obtain the client’s consent to process their personal information while we do our work for them, unless this consent has been obtained within another document signed by the client.

Clients Requesting Records

On production of proof of identity, any person is entitled to request that we confirm, free of charge, whether or not we hold any personal information about that person in our records.

If we hold such personal information, on request, and upon payment of a fee of R500,00 plus VAT, we shall provide the person with the record, or a description of the personal information, including information about the identity of all third parties or categories of third parties who have or have had access to the information.  We shall do this within a reasonable period of time, in a reasonable manner and in an understandable form.

A client requesting such personal information must be advised of their right to request to have any errors in the personal information corrected, which request shall be made on the prescribed application form.

In certain circumstances, we will be obliged to refuse to disclose the record containing the personal information to the client.  In other circumstances, we will have discretion as to whether or not to do so.

In all cases where the disclosure of a record will entail the disclosure of information that is additional to the personal information of the person requesting the record, the written consent of the Information Officer (or his delegate) will be required, and that person shall make their decision having regard to the provisions of Chapter 4 of Part 3 of the Promotion of Access to Information Act.

If a request for personal information is made and part of the requested information may, or must be refused, every other part must still be disclosed.

The Correction Of Personal Information

A client is entitled to require us to correct or delete personal information that we have, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully. A client is also entitled to require us to destroy or delete records of personal information about the client that we are no longer authorised to retain. Any such request must be made on the prescribed form, [Form 2 in the Regulations].

Upon receipt of such a lawful request, we must comply as soon as reasonably practicable.

In the event that a dispute arises regarding the client’s rights to have information corrected, and in the event that the client so requires, we must attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made.

We must notify the client who has made a request for their personal information to be corrected or deleted what action we have taken as a result of such a request.

Special Personal Information

Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.

We shall not process any of this Special Personal Information without the client’s consent, or where this is necessary for the establishment, exercise or defense of a right or an obligation in law.

Having regard to the nature of our work, it is unlikely that we will ever have to process special personal information, but should it be necessary the guidance of the Information Officer, or their deputy/delegate, must be sought.

Direct Marketing

We may only carry out direct marketing (using any form of electronic communication) to clients if:

  • they were given an opportunity to object to receiving direct marketing material by electronic communication at the time that their personal information was collected; and
  • they did not object then or at any time after receiving any such direct marketing communications from us.

We may only approach clients using their personal information, if we have obtained their personal information in the context of providing loans to them. We may approach a person to ask for consent to receive direct marketing material once and we may not do so if they have previously refused their consent.

A request for consent to receive direct marketing must be made in the prescribed manner and form. All direct marketing communications must disclose our identity and contain an address or other contact details to which the client may send a request that the communications cease.