Data & Security Policy
This Privacy Policy was last updated on 19 March 2021.
This Data & Security Policy was last updated on 19 March 2021.
PayShyft (Pty) Ltd (PayShyft), Registration Number 2021/488028/07
On the one hand,
(“Responsible Party”)
AND
The Responsible Party Employees, and/or Any Other Person including without detracting from the generality thereof, any juristic or natural person, full time, fixed term, part time and temporary Responsible Party employees, prospective Responsible Party employees, employment candidates, bursary and study recipients, Responsible Party service providers, Responsible Party Operators, Responsible Party consumers and customers, governmental, provincial and municipal agencies or entities, regulators, persons making enquiries and/or other third parties, including all associated, related and/or family members of such Data Subjects, or any person who may be acting on behalf of/or in a representative capacity in respect of the Data Subject, and from whom the Responsible Party receives Personal Information,
On the other hand,
(“Data Subject”).
1. Introduction
- The Protection of Personal Information Act, 4 of 2013, (“POPI”) regulates and controls the processing, including the collection, use, and transfer of a person’s personal information.
- In terms of POPI, a person (Responsible Party) has a legal duty to collect, use, transfer and destroy (process) another’s (Data Subject) personal information (Personal Information) in a lawful, legitimate and responsible manner and in accordance with the provisions and the eight processing conditions set out under POPI.
- Furthermore, unless the processing is –
- necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or
- required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or
- necessary to protect the legitimate interest(s) of the Data Subject or the Responsible Party; or
- necessary for the proper performance of a public law duty by a public body; or
- necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied,
- all processing of a Data Subject’s Personal Information must be done with the Data Subject’s permission – i.e. the Data Subject must consent to the processing of its Personal Information.
- The Responsible Party does and will from time to time process Personal Information which belongs to or is held by a Data Subject.
- Following this, to comply with POPI, the Responsible Party in its capacity as the Responsible Party, requires the Data Subject’s permission to process the Data Subject’s Personal Information.
2. Explanatory Notes & POPI Definitions
- This Informed Consent Notice explains and sets out –
- what Personal Information belonging to the Data Subject will be processed by the Responsible Party;
- why the Responsible Party needs the Data Subject’s Personal Information;
- what the Responsible Party will do with the Data Subject’s Personal Information;
- who the Responsible Party will share the Data Subject’s Personal Information with;
- what the Responsible Party will do with the Data Subject’s Personal Information as and when the purpose for the processing comes to an end.
- Definitions which are used in this Informed Consent Notice:
- “Biometrics” means a technique of personal identification that is based on physical, physiological or behavioural characterization including blood typing, fingerprinting, DNA analysis, retinal scanning, facial recognition and voice recognition;
- “Child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
- “Competent Person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
- “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information;
- “Data Subject” means the person who will provide the Responsible Party or its Operator(s) with Personal Information and who consents, when providing such Personal Information to the Responsible Party’s use thereof, in accordance with this Informed Consent Notice.
- “Operator” means a natural person or a juristic person who processes a Data Subject’s Personal Information on behalf of the Responsible Party, in terms of a contract or mandate, without coming under the direct authority of the Responsible Party;
- “Person” means a natural person or a juristic person;
- “Personal Information” means information relating to any identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, namely the Data Subject, including, but not limited to—
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment to the person;
- the biometric information of the person;
- the individual opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
- “Processing” means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information, including—
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
- sharing with, transfer and further processing, to and with such information.
- “Record” means any recorded information— regardless of form or medium, including any of the following:
- Writing on any material;
- information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- book, map, plan, graph or drawing;
- photograph, film, negative, tape or other device in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced;
- in the possession or under the control of a responsible party;
- whether or not it was created by a responsible party; and
- regardless of when it came into existence;
- “Responsible Party” means Smart Staff App (Pty) Ltd (Smart Staff), Registration Number 2020/850341/07, including without detracting from the generality thereof, its directors, management, executives, HR practitioners, payroll department, core benefits provider, medical aid department, retirement funding department, internal auditors, legal practitioner and compliance officers, Responsible Party secretary, and all other employees and Operators who need to process a Data Subject/your Personal Information for the Responsible Party business purposes.
- “Special Personal Information” includes any information relating to an individual’s – Ethnicity, Gender, Religious or other beliefs, Political opinions, Membership of a trade union, Sexual orientation, Medical history, Offenses committed or alleged to have been committed by that individual, Biometric details, and Children’s details.
3. Application of this Informed Consent Notice
This Informed Consent Notice will apply to the Responsible Party, and to the Data Subject, and/or the Data Subject’s Personal Information which is processed or may be processed by the Responsible Party, including any processing of the Data Subject’s Personal Information by any Operators duly appointed by the Responsible Party.
4. Purpose of the Collection
- In order for the Responsible Party to pursue its business objectives and strategies, the Responsible Party needs to process the Data Subject’s Personal Information, which Personal Information will be used for several lawful purposes, including, inter alia, the following:
- for the purposes of complying with a variety of lawful obligations, including without detracting from the generality thereof:
- Administrative laws,
- Responsible Party laws,
- Corporate governance codes,
- Communication laws,
- Customs and Excise laws,
- Environmental laws,
- Financial and Tax laws,
- Health and Safety laws,
- Labour and Employment laws,
- Pension fund laws.
- for the purposes of carrying out actions for the conclusion and performance of a contract as between the Responsible Party and the Data Subject;
- for the purposes of protecting the Data Subject’s and/or the Responsible Party’s legitimate interest(s), including the performance of risk assessments and risk profiles;
- where required by law or Responsible Party policy receiving from or providing to any credit bureau or credit provider or credit association information about the Data Subject’s credit record, including personal information about any judgement or default history;
- for the purposes of any proposed or actual merger, acquisition or any form of sale of some or all the Responsible Party’s assets, providing the Data Subject’s Personal Information to third parties, in connection with the evaluation of the transaction and related due diligence procedures;
- for the purposes of contacting the Data Subject and attending to the Data Subject’s enquiries and requests;
- for the purpose of providing the Data Subject from time to time with information regarding the Responsible Party, its directors, employees, services and goods and other ad hoc business-related information. Should the Data Subject not want to receive these specific communications, please specifically decline the opportunity at www.payshyft.com or by emailing info@payshyft.com.
- for academic research and statistical analysis purposes, including data analysis, testing, research and product development and product review purposes;
- for the purposes of pursuing the Data Subject’s and/or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied;
- for the purposes of providing, maintaining, and improving the Responsible Party’s products and services, and to monitor and analyse various usage and activity trends regarding thereto;
- for the purposes of performing internal operations, including management of employees, employee wellness programmes, the performance of all required HR and IR functions, call centres, customer care lines and enquiries, attending to all financial matters including budgeting, planning, invoicing, facilitating and making payments, making deliveries, sending receipts and generally providing commercial support, where needed, requested or required; and
- for the purpose of preventing fraud and abuse of the Responsible Party’s processes, systems, procedures and operations, including conducting internal and external investigations and disciplinary enquiries and hearings.
- The Data Subject agrees that the Responsible Party may use all the Personal Information which the Data Subject provides to the Responsible Party, which the Responsible Party requires for the purposes of pursuing its business objectives and strategies.
- The Responsible Party in turn undertakes that it will only use the Data Subject’s Personal Information for the purposes mentioned above and for no other reason, unless with the Data Subject’s prior authorization.
5. Consequences of the Data Subject Withholding Consent or Personal Information
Should the Data Subject refuse to provide the Responsible Party with his/her/its Personal Information, which is required by the Responsible Party for the purposes indicated above, and the required consent to process the above mentioned Personal Information, then the Responsible Party will be unable to engage with the Data Subject or enter into any agreement or relationship with the Data Subject.
6. Storage and Retention and Destruction of Information
- The Data Subject’s Personal Information will be stored electronically in a centralized database, which, for operational reasons, will be accessible to all within the Responsible Party on a need to know and business basis, save that where appropriate, some of the Data Subject’s Personal Information may be retained in hard copy.
- All Personal Information which the Data Subject provides to the Responsible Party, will be held and/or stored securely. In this regard the Responsible Party undertakes to conduct regular audits in respect of the safety and the security of the Data Subject’s Personal Information.
- As and when the Data Subject’s Personal Information is no longer required, because the purpose for which the Personal Information was held has come to an end and expired, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008 or longer should this be required by any other law applicable in South Africa. The Responsible Party thereafter will ensure that such Personal Information is permanently destroyed.
7. Access by Others and Cross Border Transfer
- The Responsible Party may from time to time have to disclose the Data Subject’s Personal Information to other parties, including its group companies or subsidiaries, joint venture companies, client companies and entities and/or approved product or third party service providers, regulators and/or governmental officials, international service providers and related companies or agents, but such disclosure will always be subject to an agreement, which will be concluded between the Responsible Party and the party to whom it is disclosing the Data Subject’s Personal Information, which contractually obliges the recipient of the Data Subject’s Personal Information to comply with strict confidentiality and data security conditions.
- Where Personal Information and related data is transferred to a country which is situated outside the borders of South Africa, the Data Subject’s Personal Information will only be transferred to those countries which have similar data privacy laws in place, or where the recipient of the Personal Information is bound contractually to a no lesser set of obligations than those imposed by POPI.
8. Right to Object and Complaints
The Data Subjects are encouraged to make immediate contact with the Responsible Party Information Officer at any time if he/she/it is not comfortable or satisfied with the way the Responsible Party is processing the Data Subject’s Personal Information. On receipt of the Data Subject’s objection the Responsible Party will place a hold on any further processing until the cause of the objection has been resolved. If the Data Subject is not satisfied with such process, the Data Subject has the right to lodge a complaint with the Information Regulator.
9. Accuracy of Information and Onus
POPI requires that all the Data Subject’s Personal Information and related details as supplied, are complete, accurate and up-to-date. While the Responsible Party will always use its best endeavours to ensure that the Data Subject’s Personal Information is reliable, it will be the Data Subject’s responsibility to advise the Responsible Party of any changes to the Data Subject’s Personal Information, as and when these may occur.
10. Access to the Information by the Data Subject
The Data Subject has the right at any time to request the Responsible Party to provide the Data Subject with details of his/her/its Personal Information which the Responsible Party holds and/or the purpose for which it has been used, provided that such request is made using the standard section 51 Responsible Party PAIA process, which procedure can be accessed by downloading and completing the standard request for information form, kept in the Responsible Party’s section 51 PAIA Manual, which can be found on the Responsible Party’s website at www.payshyft.com or by emailing info@payshyft.com.
11. Amendments and Binding on Successors in Title
- The Responsible Party reserves the right to amend this Informed Consent Notice from time to time.
- The rights and obligations of the parties under this Informed Consent Notice will be binding on, and will be of the benefit to, each of the parties’ successors in title and/or assigns where applicable.
12. Declaration and Informed Consent
The Data Subject confirms that the Data Subject’s Personal Information provided is accurate, up-to-date, not misleading and is complete in all respects, save where same may change and then in such an event, the Data Subject undertakes to advise the Responsible Party or its Operator(s) of these changes.
The Data Subject, in providing the required Personal Information to the Responsible Party and/or to its Operator, consents and gives the Responsible Party permission to process and further process the Data Subject’s Personal Information as and where required and acknowledges that the Data Subject understands the purposes for which the Personal Information is required and for which it will be used.
Should any of the Personal Information which has been provided by the Data Subject concern a legal entity whom I represent, I confirm that I have the necessary authority to act on behalf of such legal entity/Data Subject and that I have the right to provide the Personal Information and/or the required consent to use said Personal Information, on behalf of the legal entity.
Should any of the Personal Information belong to any of my dependants and/or beneficiaries who are under age, I in my capacity as their legal guardian and competent person give the Responsible Party the appropriate authorisation to process their Personal Information for the purposes for which these details were given.