SECTION 21 – OPERATOR AGREEMENT
1. Interpretation
It is recorded that this agreement will be subject to the provisions and definitions of the Protection of Personal Information Act 4 of 2013.
2. Processing Limitations
2.1 It is recorded that, pursuant to its obligations under this Agreement, the Service Provider will process Personal Information in connection with and for the purposes of the provision of the services for or on behalf of the Responsible Party and will act as an Operator for purposes of POPI.
2.2 The parties have agreed on the following contractual clauses in order to adduce adequate safeguards with respect to the protection of Personal Information.
2.3 Unless required by law, the Services Provider shall process the Personal information only:
2.3.1 On behalf of the Responsible Party and in compliance with its instructions and this Agreement;
2.3.2 For the purposes connected with the provision of the services or as specifically otherwise instructed or authorised by the Responsible Party in writing.
2.4 The Services Provider shall treat the Personal Information that comes to its knowledge or into its possession as confidential and shall not disclose it without the prior written consent of the Responsible Party.
3. Security Measures
3.1 The Service Provider warrants that it shall secure the integrity of the Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
3.1.1 Loss of, our damage to, or unauthorised destruction of the Personal Information of the Personal Information;
3.1.2 Unlawful access to or processing of the Personal Information.
3.2 The Service Provider shall take reasonable measures to:
3.2.1 Identify all reasonable foreseeable internal and external risks to the Personal Information in its possession or under its control;
3.2.2 establish and maintain appropriate safeguards against the risks identified;
3.2.3 regularly verify that the safeguards are effectively implemented;
3.2.4 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and shall notify the Responsible party of the risks identified and the safeguards established and implemented from time to time.
3.2.5 Reasonable measures include:
3.2.5.1 encryption of all disks, USB or flash memory data storage devices, laptops, tablet or removable device capable of storing Personal Information.
3.2.5.2 taking immediate steps to address identified risks and deficiencies.
3.3 The Services Provider shall:
3.3.1 have due regard to generally accepted information security practices and processes which may apply to it:
3.4 Within five (5) Business Days of a request from the Responsible Party, the Service Provider shall provide to the Responsible Party a written explanation and full details of the appropriate technical and organisational measures taken by or on behalf of the Service Provider to demonstrate and ensure compliance with this clause.
4. Service Provider’s general obligations with regards to Personal Information
4.1 In addition to the other obligations set out in this clause, the Services Provider shall:
4.1.1 take responsible steps to ensure the reliability of any if its Staff who have access to the Personal Information;
4.1.2 limit access to the Personal Information only to those Staff who need to know to enable the Service Provider to perform the services and ensure that Staff used by the Services Provider to provide the services have undergone training in the care and handling of the Personal Information;
4.1.3 deal promptly and properly with all reasonable inquiries from the Responsible Party relating to its Processing of the Personal Information and provide to the Responsible Party copies of the Personal Information in the format reasonably specified by the Responsible Party;
4.1.4 provide the Responsible Party of its inability to comply with the Responsible Party’s instructions and this clause, in which case the Responsible Party is entitled to suspend the Processing of Personal Information and/or terminate this Agreement;
4.1.5 provide the Responsible Party with full co-operation and assistance in relation to any requests for access or correction or complaints made by Data Subjects;
4.1.6 at the request of the Responsible Party or any regulatory body, submit its Personal Information Processing facilities for audit of the Processing activities covered by this Agreement.
5. Notifications
5.1 The Services Provider must notify the Responsible Party in writing:
5.1.1 within 2 (two) Business Day or otherwise as soon as reasonably possible if any Personal Information has been or may reasonably believed to have been access or acquired by an unauthorised person or if a breach has occurred with reference to its use of the Personal Information under this Agreement. The notification must provide sufficient information to allow affected Data Subjects to take measures against the potential consequences of the compromise, including , if known to the Services Provider, the identity of the unauthorised person who may accessed or acquired the Personal Information.
5.1.2 within 3 (three) Business Days of receipt thereof, of any request for access to or correction of the Personal Information or complaints received by the Services Provider relating to the Responsible Party’s obligations in terms of POPI and provide the Responsible party with full details of such request or complaint;
5.1.3 promptly of any legally binding request for disclosure of Personal Information or any other notice or communication which relates to the processing of the Personal Information from any supervisory or governmental body.
6. Return / destruction of Personal Information
6.1 Upon termination of this Agreement or upon request by the Responsible Party, the Services Provider shall return any material containing, pertaining or relating to the Personal Information disclosed pursuant to this Agreement to the Responsible Party. Alternatively, the Services Provider shall, at the instance of the Responsible Party, destroy or return such material and shall certify to the Responsible Party that it has done so, unless the law prohibits the Service Provider from doing so. In that case, the Service Provider warrants that it will guarantee the confidentially of the Personal Information and will not actively process the Personal Information any further.
7. Indemnities
7.1 The Service Provider hereby indemnifies and holds harmless the Responsible Party from any and all claims, loss or damage arising from any claim or action brought against the Responsible Party and arising from or due to the Service Provider’s breach of its information protection obligations set out in this clause.
7.2 Damages that the Service Provider will be responsible for will include but not limited to any fines/penalties, payments to data subject, reputational damages to correct the public relationship with data subjects/potential data subject.
8. Ownership
8.1 The Service Provider acknowledges and agrees that the Responsible Party retains all right, title and interest in and to the Personal Information.
8.2 The Services Provider shall not possess or assert any lien or other right against or to such Personal Information and no such Personal Information shall be sold, assigned, leased or otherwise disposed of to third parties by the Service Provider or commercially exploited by or on behalf of the Service Provider or its Staff.
You have the right at any time to rectify the Personal Information collected, object to the processing of Personal Information (subject to legislation) and to lodge a complaint at the Information Regulator with contact details:
Contact details of 4R Technologies (Pty) Ltd: P.O. Box 4844, Tygervalley, 7536.
All enquiries must be addressed to the Information Officer: Mr Mark van Rensburg contactable via email at [email protected].
POPI (PROTECTION OF PERSONAL INFORMATION)
What is the POPI Act
We respect your right to privacy and therefore aim to ensure that we comply with the legal requirement of the POPI Act which regulates the manner in which we collect, process, store, share and destroy any personal information which you have provided to us.
What information will we collect
1. The types of personal information we request of data subjects;
Employees:
ID numbers
Copy of ID’s
Mobile number
Residential address
Private e-mail addresses
CV’s
Medical Aid details / Investments / RA’sBank details
Clients:
Client Name, Key contacts names, Contact Details
Client Name, Key contacts names, Contract Details, VAT #
Servers / VPN Access Details
Client’s Staff Data / Name / E-mail / Contact Details / ID’s / Addresses / Position
4R Login Details
Suppliers:
Name of Supplier
Bank Details
We collect information directly from you where you provide us with your personal details. Where possible, we will inform you what information you are required to provide to us and what information is optional.
Minors
If you are under 18 years of age (minor), we will require the consent of your parent/guardian/competent person before we process such personal information.
Processing of Information
- We will share your personal information:
1. in order to comply with applicable law or with legal process served on our company;
2. in order to protect and defend the rights or property of our company; and
3. with employees and/or third parties who assist us in providing services to you and thus require your personal information in order to render a proper and efficient service. We will ensure that all such employees and third party service providers, having access to your personal information, are bound by confidentiality agreements.
Collection of Information by “Cookies”
You are aware that information and data is automatically collected through the standard operation of the Internet servers and through the use of “cookies.” “Cookies” are small text files a website can use to recognise repeat users, facilitate the user’s ongoing access to and use of the website and allow a website to track usage behaviour and compile aggregate data that will allow content improvements and targeted advertising. Cookies are not programs that come onto your system and damage files. Generally, cookies work by assigning a unique number to you that has no meaning outside the assigning site. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature; however, you should note that cookies may be necessary to provide you with certain features (e.g., customized delivery of information) available on our Websites.
Your rights
You have the right at any time to:
1. rectify the Personal Information collected by us;
2. object to the processing of Personal Information (subject to legislation);
3. request the return or destruction of Personal Information (subject to legislation);
4. lodge a complaint with the company.
Personal Information processed by us will be routed/transferred to a third country or International organization. The following security measures will apply Company information security policies are in place:
- Computers are controlled through security group policies
- Password protection on all company devices
- Anti-virus active on all computers
- Staff been trained on physical and cyber security measures
- Regular audits done on security status
- POPI Training done with staff
You can also complain to the Information Regulator if you are unhappy with how we have used your Information.
The Information Regulator (South Africa)
JD House
27 Stiemens Street
Braamfontein
Johannesburg, 2001
Complaints email for POPIA: [email protected]
Complaints email for PAIA: [email protected]
PAIA Manual
Form 02 – Request for access to records
Form 03 – Outcome of request and fees payable
All enquiries must be addressed to the information officer: Mark van Rensburg who can be contacted via email at [email protected] or via telephone on (083) 4844300.