OBARO GROUP POLICY IN RESPECT OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
- DEFINITIONS AND INTERPRETATION
1.1. Conditions for Lawful Processing means the conditions for the lawful processing of Personal Information as fully set out in Chapter 3 of POPIA and in paragraph 4 of this Policy;
1.2. Constitution means the Constitution of the Republic of South Africa, 1996;
1.3. Customer / Client refers to any natural of juristic person that received or receives services from OBARO;
1.4. Data Subject means the person or entity to whom the Personal Information relates;
1.5. Employee means any person who works for, or provides services to or on behalf of OBARO, and receives or is entitled to receive remuneration and any other person who assists in carrying out or conducting the business of OBARO, which includes, without limitation, directors, all permanent, temporary and part-time staff as well as contract workers;
1.6. Information Officer means the duly authorized persons as set out in paragraph 8;
1.7. OBARO / OBARO Group means the following entities:
| ENTITY | REGISTRATION NUMBER |
|---|---|
| OBARO Besigheidsbeleggings (Pty) Ltd | 1998/001621/07 |
| OBARO Beherend (Pty) Ltd | 1998/001599/07 |
| Obavest (Pty) Ltd | 2002/016404/07 |
| OBARO Eiendomsbeleggings (Pty) Ltd | 2007/009534/07 |
| OBARO Handel (Pty) Ltd | 1998/001675/07 |
| OBARO Korporatief (Pty) Ltd | 2005/007425/07 |
| OBARO Finansiële Dienste (Pty) Ltd | 1999/019726/07 |
| OBARO Makelaars (Pty) Ltd | 2005/003321/07 |
| OBARO Adviesdienste (Pty) Ltd | 2005/039250/07 |
| Infogro (Pty) Ltd | 2000/023821/04 |
| Erf 2443 Aerorand (Pty) Ltd | 2014/068268/07 |
| Auburn Avenue Trading (Pty) Ltd | 2007/009514/07 |
| OBARO Agrifin (Pty) Ltd | 2017/411078/07 |
| OBARO Tijgervallei (Pty) Ltd | 2009/005481/07 |
| Temo Agri Services (Pty) Ltd | 2008/015626/07 |
| OBARO Fuels (Pty) Ltd | |
| OBARO Employee Empowerment Share Trust | IT3939/2006 |
| OBARO Personeelaandele Trust | IT6143/2008 |
| OBARO BEE Farmers Empowerment Share Trust | IT3813/2006 |
| Obavest Share Trust | IT0520/2013 |
| OBARO Beherend Share Trust | IT518/2013 |
| OBARO SPV (RF) (Pty) Ltd | 2022/607480/07 |
| OBARO Mortgage SPV (RF) (Pty) Ltd | 2022/676928/07 |
| OBARO Security SPV (RF) (Pty) Ltd | 2022/601925/07 |
| OBARO Finansiële Beplanning (Pty) Ltd | 2023/594167/07 |
| OBARO Agrifin SPV (RF) (Pty) Ltd | 2024/191734/07 |
| OBARO Rural Development (Pty) Ltd | 2024/191791/07 |
- 8. Personal Information means information relating to an identifiable, living, natural person, and where it is applicable an identifiable, existing legal enity, including, but not limited to –
1.8.1. information relating to the race, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of that person;
1.8.2. information relating to the education or the medical, financial, criminal or employment history of the person;
1.8.3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
1.8.4. the biometric information of the person;
1.8.5. the personal opinions, views or preferences of the person;
1.8.6. correspondence sent by the person that is implicitly or explicitly or a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
1.8.7. the views or opinions of another individual about the person; and
1.8.8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
1.9. POPIA means the Protection of Personal Information Act 4 of 2013;
1.10. POPIA Regulations means the Regulations promulgated in terms of Section 112(2) of POPIA;
1.11. Private Body means
1.11.1. a natural person who carries on or has carried on any trade, business or profession, but only in such capacity;
1.11.2. a partnership which carries on or has carried on any trade, business or profession; or
1.11.3. any former or existing legal entity, but excludes a public body;
1.12. Responsible Party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. - INTRODUCTION
2.1. The Protection of Personal Information Act 4 (“POPIA”) was assented to on 26 November 2013 and became effective on 1 July 2020 with a one year grace period for compliance. The purpose of POPIA is to give effect to section 14 of the Constitution, being the constitutional right to privacy by protecting Personal Information and regulating the free flow and processing of Personal Information. POPIA sets minimum limits which all responsible parties must comply with so as to ensure that Personal Information is respected and protected.
2.2. POPIA recognises that the rights to access to information and privacy respectively may be limited in accordance with section 36 of the Constitution, to the extent that such limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom.
2.3. Chapter 3 of POPIA provides for the minimum conditions of lawful processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA. The eight conditions of lawful processing are described in POPIA as:
2.3.1. Accountability – the Responsible Party has an obligation to ensure that there is compliance with POPIA in respect of the processing of Personal Information;
2.3.2. Processing limitation – Personal Information must be collected directly from a Data Subject to the extent applicable, must only be processed with the consent of the Data Subject and must only be used for the purposes for which it is obtained;
2.3.3. Purpose specification – Personal Information must only be processed for the specific purpose for which it was obtained and must not be retained for any longer than it is needed to achieve such purpose;
2.3.4. Further processing limitation – further processing of Personal Information must be compatible with the initial purpose for which the information was collected;
2.3.5. Information quality – the Responsible Party must ensure that Personal Information held is accurate and updated regularly and that the integrity of the information is maintained by appropriate security measures;
2.3.6. Openness – there must be transparency between the Data Subject and the Responsible Party;
2.3.7. Security safeguards – a Responsible Party must take reasonable steps to ensure that adequate safeguards are in place to ensure that Employee information is being processed responsibly and it not unlawfully accessed;
2.3.8. Data Subject participation – the Data Subject must be made aware that their information is being processed and must have provided their informed consent to such processing.
2.4. POPIA requires the OBARO Group to inform its clients as to how their Personal Information is used, processed, disclosed and destroyed.
2.5. OBARO guarantees its commitment to protecting the privacy of its clients and ensuring that their Personal Information is used appropriately, transparently, securely and in accordance with applicable legislation.
3. PERSONAL INFORMATION THAT MAY BE COLLECTED BY OBARO
3.1 In terms of section 9 of POPIA Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
3.2 OBARO collects and processes Personal Information of:
3.2.1 existing and potential clients for purposes of
– compliance with legislation
– verification of identity
– risk assessment
– credit assessment
– managing the relationship with the client
3.2.2 existing and potential employees for purposes of
– compliance with legislation
– verification of qualifications
– managing employer-employee relationship
3.3 Personal Information collected by OBARO includes, but are not limited to:
– identity number
– name
– surname
– address
– postal code
– marital status
– number of dependents
– description of client’s residence
– description of client’s business
– assets
– financial information
– banking details
– business activities
– personal views / preferences
– education and employment details
4. HOW PERSONAL INFORMATION MAY BE USED BY OBARO
4.1 Personal Information collected by OBARO may only be used for the purpose for which it was collected and to which the client agreed.
4.2 Purposes for which Personal Information may be used include, but are not limited to:
– Compliance with legal and regulatory requirements
– Support and management of employees
– Rendering services requested by clients
– Provision of value added services
– Provision of financial services and advice
– For underwriting purposes
– Assessing and processing claims
– Conducting credit reference searches and verification
– Confirming, verifying and updating client details
– For purposes of claims history
– For the detection and prevention of fraud, crime, money laundering and other malpractices
– Market research and statistical analysis
– For audit and record keeping purposes
– In connection with legal proceedings
– Use of CCTV systems to prevent and detect crime
4.3 In terms of section 10 of POPIA Personal Information may only be processed if the following conditions are met:
4.3.1 Client consents to the processing – consent must be obtained from clients during the introductory, appointment and needs analysis stage of the relationship;
4.3.2 The processing is necessary – in order to conduct an accurate analysis of client needs for purposes of amongst other credit limits, insurance requirements etc. the processing of certain Personal Information is required;
4.3.3 Processing complies with an obligation imposed by legislation;
4.3.4 Processing protects a legitimate interest of the client – it is in the client’s best interest to have a full and proper needs analysis performed in order to provide them with an applicable and beneficial product or service, this requires obtaining and processing Personal Information;
4.3.5 Processing is necessary for pursuing the legitimate interests of the OBARO Group or of a third party to whom information is supplied – in order to provide OBARO’s clients with products and or services both OBARO and any of its product suppliers need certain Personal Information from the clients to make an expert decision on the unique and specific product and or service they require.
5. DISCLOSURE OF PERSONAL INFORMATION
5.1 OBARO may disclose clients’ Personal Information to any of its group companies or subsidiaries, joint venture partners and approved product or third party service providers whose services or products clients elect to use.
5.2 OBARO may share client Personal Information with, and obtain Personal Information about clients from third parties for reasons already discussed in 4.2 above.
5.3 OBARO may also disclose client information where it has a duty or right to disclose in terms of applicable legislation, or where it may be necessary to protect its rights.
6. PROTECTING CLIENT INFORMATION
6.1 It is a requirement of POPIA to adequately protect the Personal Information OBARO holds and to avoid unauthorized access and use of the Personal Information of clients. OBARO continuously reviews its security controls and processes to ensure that Personal Information held by it is secure.
6.2 The following procedures are in place in order to protect the Personal Information of clients held by OBARO:
6.2.1 The OBARO Group Information Officer, assisted by the Deputy Information Officer, is responsible for compliance with the conditions of the lawful processing of Personal Information and other provisions of POPIA;
6.2.2 This POPIA policy will be implemented throughout the OBARO Group and training on this policy and POPIA will be done on an annual basis;
6.2.3 Each new employee will be required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any action so required, in terms of POPIA;
6.2.4 Every employee already employed in the OBARO Group will be required to sign an addendum to their employment contracts containing relevant consent clauses for the use and storage of employee information, or any other so required, in terms of POPIA;
6.2.5 OBARO’s archived client information is stored on site and is also governed by this policy;
6.2.6 OBARO’s product suppliers, insurers and other third party service providers will be required to sign a service level agreement guaranteeing their commitment to the Protection of Personal Information;
6.2.7 All electronic files and data are backed up by the OBARO Group IT Division, who is also responsible for system security which protects third party access and physical threats. The OBARO Group IT Division is also responsible for electronic information security;
6.2.8 Consent to process Personal Information is obtained from clients (or a person who has been given authorization by the client to provide the client’s Personal Information) during the application stage of the relationship.
7. ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
7.1 Clients have the right access the Personal Information about them that OBARO holds.
7.2 Clients also have the right to request OBARO to update, correct or delete their Personal Information on reasonable grounds.
7.3 Once a client objects to the processing of their Personal Information, OBARO may no longer process said client’s Personal Information.
7.4 OBARO will take all reasonable steps to confirm the identity of the client before providing details of their Personal Information or making changes to their Personal Information.
8. OBARO GROUP POPIA INFORMATION OFFICERS
8.1 The Chief Executive Officer of the OBARO Group has delegated his powers in terms of POPIA to the Information Officer and Deputy Information Officer set out below, to ensure that the requirements of POPIA are administered in a fair, objective and unbiased manner. Any queries regarding POPIA must be referred to the following Information Officer or Deputy Information Officer.
8.1.1 POPIA INFORMATION OFFICER
Lynette Douglas
Telephone number: (012) 381 2910
E-mail: [email protected]
8.1.2 DEPUTY POPIA INFORMATION OFFICER
Adele Pieterse
Telephone number: (012) 381 2971
E-mail: [email protected]
