As a responsible corporate citizen, PG Group and its subsidiaries (“the GROUP”) comply with the Protection of Personal Information Act 4 of 2013, commonly referred to as POPIA, which requires the Group to inform its customers, suppliers, shareholders, investors, partners and employees, herein referred to as stakeholders, as to how their personal information is used, disclosed and destroyed.
The Group confirms its commitment to protecting the afore-mentioned stakeholders’ privacy and ensuring their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
This document sets out how the Group deals with its stakeholders’ personal information and, in addition, the purpose for which the information is used.
- PERSONAL INFORMATION COLLECTED
Section 9 of the POPIA states that “Personal Information may only be processed if given the purpose for which it is processed; it is adequate, relevant and not excessive.”
The Group collects and processes stakeholder personal information in accordance with the needs of the business of the Group. The type of information processed will depend on the nature of each stakeholder (i.e. investor, employee, customer or supplier) and the need for which it is collected, and will be processed for that purpose only. Whenever possible, we will inform each stakeholder what minimum information they are required to provide us with and what information is optional. Examples of personal information we collect include but are not limited to:
- Employee’s Identity number; full names & surname; physical & postal addresses; marital status; how many dependants they have; tax information; banking details; race; gender, etc.
- Description of customer or supplier’s business; registered office; legal entity name; registration number; VAT and tax numbers; names, addresses and IDs of Directors and officers; assets & liabilities; financial information; banking details; credit scoring; clearance certificates; etc.
- Any information required by us in order to provide our services to customers in accordance with their needs; and
- Any information processed by the Group as required by the laws of the Republic of South Africa.
The PG Group also collects and processes customer Personal Information for marketing purposes to ensure our products and services remain relevant and applicable to our existing and potential customers’ current and future needs.
We aim to have agreements in place with all our suppliers, insurers and third party service providers to ensure there is a mutual understanding with regard to the protection of our customers’ Personal Information. They will be subject to the same regulations and/or responsibilities.
With customer consent, we may also supplement the information provided with the information we receive from other providers in order to offer a more consistent and personalised experience during customers’ interaction with us.
NOTE: Reference to customers includes potential, new and existing customers.
- HOW PERSONAL INFORMATION IS USED
Customers’ Personal Information will only be used for the purpose for which it was collected and agreed. This may include but is not limited to:
- Providing products or services to customers and to carry out the transactions required to service them;
- Conducting market or customer satisfaction research;
- Conducting credit reference checks or verification of information supplied;
- Confirming, verifying and updating customer details;
- For the detection and prevention of fraud, crime or other malpractice;
- For audit and record keeping purposes;
- In connection with legal proceedings;
- Providing communications in respect of PG Group and regulatory matters that may affect customers; and
- In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.
According to section 10 of the POPIA, Personal Information may only be processed if certain conditions are met which are listed below:
- The Customer consents to the processing, i.e. consent is obtained during the introductory, appointment and needs analysis stage of our relationship;
- The processing is necessary in order to conduct an accurate analysis of customers’ needs for purposes of, amongst others, credit limits, insurance requirements, etc.;
- Processing protects a legitimate interest of the customer, e.g. it is in the customer’s best interest to have a full and proper needs analysis performed in order to provide them with an applicable and beneficial product or service, which requires obtaining Personal Information;
- Processing is necessary for pursuing the legitimate interests of the PG Group or of a third party to whom information is supplied, e.g. in order to provide our customers with products and/or services, both ourselves and any of our product suppliers need certain Personal Information from the customers to make an expert decision on the unique and specific product and/or service they may require; and
- Processing complies with an obligation imposed by law on the PG Group.
- DISCLOSURE OF PERSONAL INFORMATION
We may disclose customers’ Personal Information to any of our Group Companies or affiliated subsidiaries, Joint Venture Companies and/or approved third party service providers whose services we use to facilitate customer transactions. We have agreements in place to ensure that they comply with confidentiality and privacy conditions.
We may also share customer Personal Information with, and obtain information about customers from third parties for the reasons already discussed above. We may also disclose customers’ information where we have a duty or a right to disclose in terms of applicable legislation, the law or where it may be necessary to protect our rights.
- SAFEGUARDING CUSTOMERS’ INFORMATION
It is a requirement of the POPIA to adequately protect the Personal Information we hold and to avoid unauthorised access and use of your Personal Information. PG will continuously review our security controls and processes to ensure that your Personal Information is secure.
The following procedures are in place in order to protect your Personal Information:
- CONSENT to process customer information is obtained from customers (or a person who has been given authorisation from the customer to provide the customer’s Personal Information) during the introductory, appointment and needs analysis stage of the relationship;
- New suppliers and other Third Party Service Providers will be required to sign a SERVICE LEVEL AGREEMENT guaranteeing their commitment to the Protection of Personal Information, and existing suppliers and other Third Party Service Providers will be encouraged to sign addendums to existing SERVICE LEVEL AGREEMENTS guaranteeing their commitment to the Protection of Personal Information;
- NEW EMPLOYEES will be required to sign an EMPLOYMENT CONTRACT containing relevant consent clauses for the use and storage of employee information, or any other action so required in terms of the POPIA;
- CURRENT EMPLOYEES within the Group will be required to sign an addendum to their EMPLOYMENT CONTRACTS containing relevant consent clauses for the use and storage of employee information, or any other action so required in terms of the POPIA;
- ELECTRONIC FILES or data BACKED UP by our outsourced IT Partners will be subject to the POPIA requirements and these service providers will be responsible for system security which should protect these Data warehouses and servers against unauthorised third party access and physical threats. PG Group IT Division is responsible for Electronic Information Security;
- A SECURITY INCIDENT MANAGEMENT REGISTER will be kept to log any security incidents and to report on and manage said incidents. This register will be maintained by an appointed Security Manager;
- HARD COPY DOCUMENTS are securely STORED at the transacting site and may be archived as and when required at facilities approved by the Company;
- ARCHIVED information is governed by the POPIA, and where Third Parties are involved as custodians, appropriate Service Level Agreements will be put in place; and
- The Company has appointed Sandy Beekhuizen as PG GROUP’s INFORMATION OFFICER, responsible for ensuring compliance with the conditions of the lawful processing of Personal Information and other provisions of the POPIA.
- ACCESS AND CORRECTION OF PERSONAL INFORMATION
Customers have the right to access the Personal Information we hold about them. Customers also have the right to ask us to update, correct or delete their Personal Information on reasonable grounds. Once a customer objects to the processing of their Personal Information, PG Group may no longer process said Personal Information. We will take all reasonable steps to confirm our customers’ identity before providing details of their Personal Information or making changes to their Personal Information.
Details of PG GROUP INFORMATION OFFICER are as follows:
NAME: Sandy Beekhuizen
TELEPHONE NUMBER: +27 (0) 11 417 5800
FAX NUMBER: +27 (0) 11 417 5896
POSTAL ADDRESS: PO Box 2329, Bedfordview, 2008
PHYSICAL ADDRESS: 18 Skeen Boulevard, Bedfordview, 2007
E-MAIL ADDRESS: firstname.lastname@example.org
Access to Information
The Promotion of Access to Information Act No. 2 of 2000 (“the Act”) provides for the right of access to information, which fosters a culture of transparency and accountability in both public and private bodies.
However, the right of access to information cannot be unlimited and should be subject to justifiable limitations, including, but not limited to:
- Limitations aimed at the reasonable protection of privacy;
- Commercial confidentiality; and
- Effective, efficient and good governance.
The purpose of this guideline is to provide clarity on dealing with requests for access to information of the PG Group of Companies.
NOTE: PG Group and its subsidiaries do not waive their right to refuse any party access to any information, and strictly reserve their right to do so as far as may be permitted by law.
- GROUNDS FOR REFUSAL
The grounds for refusing a request for information can relate to, without limitation:
- Mandatory protection of privacy of a third party who is a natural person;
- Mandatory protection of the commercial information of a third party;
- Mandatory protection of confidential information of third parties if it is protected in terms of any agreements;
- Mandatory protection of the safety of individuals and protection of property;
- Mandatory protection of records which would be regarded as privileged in legal proceedings;
- Mandatory protection of the commercial activities of PG Group;
- Requests for the disclosure of information which require third party consent; and
- Requests for information that are clearly frivolous or which involve an unreasonable diversion of resources shall be refused.
- ACCESS TO RECORDS HELD BY PG GROUP
Records held by PG Group may be accessed by requests only once the prerequisite requirements for access have been met.
NOTE: All Company and client information must be dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
- Where disclosure is under compulsion of law;
- Where there is a duty to the public to disclose;
- Where the interests of the Company require disclosure; and
- Where disclosure is made with the express or implied consent of the data subject.
A requester is any person making a request for access to a record of PG Group.
A personal requester is a requester who is seeking access to a record containing personal information about the requester. PG Group will voluntarily provide the requested information, or give access to any record with regard to the requester’s personal information (to the personal requester only).
The requester (other than a personal requester) is entitled to request access to information on third and/or related parties. However, PG Group is not obliged to voluntarily grant access. The requester must fulfil the prerequisite requirements for access in terms of the Act, including the payment of a request and access fee.
A request must be directed to the PG Group Information Officer, and the prescribed form must be sent to his/her address, facsimile number or e-mail address, or may be provided to the requester by PG Group.
The requester must provide sufficient detail on the request form to enable the Group Information Officer to identify the record requested and the requester’s identity. When completing a request on the prescribed form, the requester should also indicate:
- The preferred language if applicable;
- Whether the requester wishes to be informed of the decision in another manner in addition to a written reply; and
- Facsimile number, e-mail and/or postal address.
If a request is made on behalf of another person, then the requester must submit proof of the capacity in which the requester is making the request to the reasonable satisfaction of the PG Group Information Officer.
If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request verbally.
NOTE: The requester must pay the prescribed fee (as determined and published by the Department of Justice and Constitutional Development) before any further processing can take place (refer to Annexure B for more detail).
The form must be adequately completed, with sufficient information particularly so that the PG Group Information Officer can identify:
- From where and from whom the request is made;
- What record(s) are being requested; and
- What the access fee will be should access be granted.
- PRESCRIBED FORM (Refer to Annexure A, Form C)
The prescribed form is also available on the website of the Department of Justice and Constitutional Development at www.doj.gov.za
- FEES (Refer to Annexure B for detail)
The Act provides for two types of fees (contemplated in regulation 9, 11 and 54 of the Act), namely:
- A request fee, i.e. when requested by a party other than a personal requester; and
- An access fee, which must be calculated by taking into account reproduction costs, search and preparation time and cost, as well as postal costs.
When the request is received by the PG Group Information Officer, such officer shall by notice require the requester, other than a personal requester, to pay the prescribed request fee (unless excepted), before further processing of the request.
If the search for the record has been made and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations for this purpose, the PG Group Information Officer shall notify the requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.
The PG Group Information Officer shall withhold a record until the requester has paid the required fees.
A requester whose request for access to a record has been granted must pay an access fee for reproduction and for search and preparation, and for any time reasonably required in excess of the prescribed hours to search for and prepare the record for disclosure, including making arrangements to make it available in the requested form.
If a deposit has been paid in respect of a request for access, which is refused, then the PG Group Information Officer must repay the deposit to the requester.
PG Group will, within 30 days of receipt of the request, decide whether to grant or decline the request and give notice with reasons to that effect.
The 30-day period within which PG Group has to decide whether to grant or refuse the request may be extended for a further period of not more than 30 days if the request is for a large amount of information, or the request requires a search for information held at another office of PG Group and the information cannot reasonably be obtained within the original 30-day period. PG Group will notify the requester in writing should an extension be sought.
- REMEDIES AVAILABLE WHEN PG GROUP REFUSES A REQUEST FOR INFORMATION
PG Group does not have an internal appeal procedure. The Courts will have to be approached if the request for information is refused by the Group Information Officer, and the requester wishes to appeal this decision made by the Group Information Officer.
A requester who is dissatisfied with the PG Group Information Officer’s refusal to disclose information, may, within 180 days of notification of this decision, apply to a Court for relief. Likewise, a third party dissatisfied with the PG Group Information Officer’s decision to grant a request for information, may, within 30 days of notification of the decision, apply to a Court for relief. For purposes of the Act, the Courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status and the Magistrates Court.
- RECORDS THAT CANNOT BE FOUND
If PG Group searches for a record and it is believed that the record either does not exist or cannot be found, the requester will be notified by way of an affidavit or affirmation. This will include the steps that were taken to try to locate the record.
- RECORDS THAT PREDATE REQUIRED RETENTION PERIODS
Requests for information relating to documentation that predates required retention periods will not be facilitated.