POPIA Compliance

1. Policy Statement

Africa Cosmos is an accredited training and skills development provider and as such deals with a significant amount of personal information. Africa Cosmos is obliged to comply with the Protection of Personal Information Act (POPIA). Our commitment to our clients, employees and contractors is that we will ensure that personal information is used appropriately, transparently, securely and in accordance with the applicable laws. This policy sets out the measures and standards by which The Company deals with personal information and stipulates the purpose for which information is used.

2. Scope

Africa Cosmos has statutory legal obligations in relation to the management of personal information. The Policy applies to all operations and functions within Africa Cosmos, as well as any outsourced departments.

This policy applies to all employees, management team, contractors and consultants at Africa Cosmos.

3. Definitions

a) Consent – any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

b) Data subject – the person to whom personal information relates.

c) Deputy Information Officer (DIO) – an employee to whom powers and duties are delegated by an Information Officer.

d) Information Regulator – the regulatory authority responsible for enforcing POPIA.

e) Information Officer (IO) – the appointed person registered with the SA Information Regulator, responsible for protecting personal information and ensuring that an organisation complies with POPIA in SA.

f) Operator – A person who processes personal information for a responsible party under a contract or mandate.

g) Personal Information – all information which may be considered to be personal information or information about an identifiable individual in terms of the Electronic Communications and Transactions Act (“ECTA”), the Consumer Protection Act (“CPA”) and the Protection of Personal Information Act (POPIA), and includes the following criteria:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person.
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, the biometric information of the person.
  • the personal opinions, views, or preferences of the person.
  • Person – a natural person or a juristic person.
  • Retention of Personal Information – all Personal Information retained within the Company is in accordance with the retention provisions set out in the applicable Laws and regulations of South Africa and as set out in the Retention of Records Policy.

4. Security of Personal Information

a) Africa Cosmos ensures that necessary controls are in place in terms of access to personal information. It is a requirement of POPIA to adequately protect personal information and as such the Company will continuously review and enforce its security controls and processes to ensure that personal information is adequately protected.

b) Africa Cosmos suppliers, insurers and other third-party service providers are subject to service level agreements guaranteeing their commitment and compliance to the Protection of Personal Information Act.

c) Employees, regulators, industry, unions, customers and other relevant Company stakeholders will be required to adhere to the relevant POPIA legislation and Africa Cosmos policy.

5. Use of Personal Information

a) Africa Cosmos will only use personal information subject to the following requirements being met and will not infringe on the privacy of any data subject.

  • Consent is obtained from the data subject for the use of the personal information.
  • The personal information is used only for the purpose for which it was collected.

b) The use of personal information may include but will not be limited to the following.

    • To provide a service to employees, clients and other stakeholders;
    • To communicate with data subjects;
    • To facilitate the recruitment process;
    • For underwriting purposes;
    • Assessing and processing claims;
    • Conduct credit reference searches or verification;
    • For the detection and prevention of fraud, crime, money laundering or other malpractice;
    • To confirm, verify and update client, employee, service provider or other stakeholder details;
    • To conduct market or customer satisfaction research;
    • For audit and record keeping purposes;
    • In connection with legal proceedings;
    • To maintain and constantly improve the client relationship;
    • In connection with and to comply with legal and regulatory requirements.

    6. Data Subject Rights

    a) Data subjects have a right to ensure that personal information is accurate, complete and up to date.

    b) Data subjects can contact the relevant department to correct and update personal information. Refer to the POPI Notice & What Employees need to know Annexure A Template.

    c) Data subjects have a right to access their personal data held by The Company.

    d) Data subjects have a right to take action to rectify inaccurate personal data.

    e) Data subjects have a right to erase personal data (subject to specific requirements).

    f) Data subjects have a right to restrict the processing of personal data.

    g) Data subjects have a right to lodge a complaint about The Company’s handling of personal data to an internal Information Officer and to the Information Regulator who is an external authority where the data subject resides.

    7. Africa Cosmos Obligations

    a) Africa Cosmos will not sell, rent or share personal information of any data subject.

    b) Africa Cosmos has a duty to provide data subjects with certain information when personal data is requested and obtained.

    c) Africa Cosmos will attempt to correct inaccuracies noted by a data subject by other means in a timely manner.

    d) A template “Request, Correction and Erasure” letter (Annexure A) must be available to data subjects upon request.

    8. Disclosure of Personal Information

    a) All data subjects have a duty of confidentiality in relation to The Company and related clients, which is protected in the Constitution, POPIA and in terms of the Electronic Communications and Transactions Act.

    b) Information may be given to a third party if the data subject has consented in writing to such a disclosure.

    c) Data subject information shall be dealt with in the strictest confidence and may only be disclosed, without fear of redress, under specific circumstances as detailed below:

    • Where disclosure is under compulsion of law;
    • Where there is a duty to the public to disclose;
    • Where the interests of the Company require disclosure; and
    • Where disclosure is made with the express or implied consent of the individual.

    9. Operating Controls

    Africa Cosmos will regularly review its procedures for ensuring that its records remain accurate and consistent, in particular:

    a) Effective procedures are in place so that all relevant systems are updated when information about any data subject changes;

    b) Staff are given guidance and training on accuracy in record keeping;

    c) Storage and archiving of electronic records and paper records are carried out in accordance with QMS policy;

    d) Clean desk policy applies in the workplace.

    Where transfer of personal information to another country for processing or storage is required, all the controls shall be complied with in order to safeguard personal information.

    10. Conditions for Lawful Processing of Personal Information

    Condition 1: Accountability

    1. The conditions for lawful processing must be complied with at the time of processing personal information.
    2. Reasonable steps must be taken to ensure that personal information obtained from data subjects is stored safely and securely.

    Condition 2: Processing limitation

    1. Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
    2. Personal information may only be processed if the purpose for which it is processed is adequate, relevant and not excessive.
    3. Personal information must be collected directly from a data subject. Exceptions to this condition are allowed in the following instances:
      • The information is obtained from a public record;
      • Collection from another source would not prejudice the data subject;
      • The personal information is required by law;
      • In the operation of legitimate business processes and requirements.

    Condition 3: Specific purpose

    1. Personal information must be collected for a specific, defined and lawful purpose related to the purpose of function within The Company.
    2. The data subject must be made aware of the purpose of the collection of the information.

    3. Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless retention is required by law, The Company requires the record for lawful business purposes, or it is required by a contract between the parties.

    Condition 4: Limitation on further processing

    1. Personal information may not be processed further in a way that is not compatible with the purpose for which the information was collected initially.

    Condition 5: Information quality

    1. The Company must ensure that personal information obtained is complete, up to date and accurate before using the personal information.
    2. It may be necessary to request data subjects to update their information and confirm relevance periodically.

    Condition 6: Transparency/openness

    1. Where personal information is collected from a source other than directly from the data subject, for example social media, the Company must make the data subject aware of this.

    Condition 7: Security safeguards

    1. The Company must ensure technical and organisational measures are in place to secure the integrity of personal information, and guard against the risk of loss, damage or destruction thereof.
    2. Personal information must be protected against any unauthorised or unlawful access or processing.
    3. The Company must ensure that information is only used for legitimate purposes with consent from the data subject.
    4. The Company must ensure that any personal information data breaches are managed in accordance with the Company Policy.

    Condition 8: Data subject participation

    1. Data subjects are entitled to know particulars of their personal information held by The Company, and the identity of any authorised employees of The Company that have access to the personal information.
    2. Data subjects are entitled to correct any information held by The Company.

    11. Cross-Border Transfer of Personal Information

    The personal information from data subjects may be stored and processed in any country where Africa Cosmos has facilities, where we render services or where it is required as part of our business activities, and by using the consent to the transfer of information to countries outside of the user's country of residence, which have different data protection rules than in South Africa.

    12. Request Your Personal Information

    You have the right to ask us to update, correct or delete your personal information, or to raise an objection to us holding your personal information. We will take all reasonable steps to confirm your identity before making changes to personal information we may hold about you. We may also, if you request it, provide you with information about the retention periods which apply to your personal information.

    Request Form (Annexure 1)

    This form needs to be completed should you want us to supply you with the details or a copy of any personal information we hold. We will endeavour to respond promptly and in any event within one (1) month following:

    1. Our receipt of your written request; or
    2. Our receipt of any further information we may ask you to provide to enable us to comply with your request.

    The information you supply in this form will only be used for the purposes of identifying the personal data you are requesting and responding to your request.

    13. Related Documents

    This policy has been developed based on the following legislative frameworks:

    • Protection of Personal Information Act (POPIA)
    • Promotion of Access to Information Act (PAIA)
    • Electronic Communications and Transactions Act
    • Consumer Protection Act

    14. Policy Governance

    a) Ownership: The policy owner is Anooradha Parsard, supported by Ivan Du Plooy in his capacity as Deputy Information Officer.

    b) Review and approval

    c) The policy will be reviewed every 2 years unless changes in business structure or legislation require review sooner.

    d) Action for non-compliance: Deviations or non-compliance with this policy may result in disciplinary actions up to and including termination as allowed by the Africa Cosmos Disciplinary procedure.