POPI Policy

Effective date: 2020-07-01

WHAT IS POPI?

The Protection of personal Information Act No.4 of 2013 (POPI) is South Africa's legislation for the protection of individual's personal information againts unethical use. THe preamble to the Act states the intention is to:

"Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests."

Since its passing into law, the Government has taken an incremental approach to the commencement of different sections of the Act. In terms of a proclamation issued by the President, sections 110 and 114(4) of the Act commenced on 30 June 2020 and the remainder of the Act’s sections commenced on 1 July 2020.

The commencement date denoted the start of a one year grace period for businesses to ensure that they fully comply with POPI, which in turn ended on 1 July 2021.

The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.

RESPONSIBLE PARTIES AND OPERATORS

The responsible party in respect of POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.

An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Putting this into context, you, the client are the responsible party for your employees’ (data subjects) personal information. JS JACOBS AND ASSOCIATES INCORPORATED is acting as an operator for your benefit, processing your employees’ personal information in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities

LAWFUL PROCESSING OF PERSONAL INFORMATION

Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.

Under POPI there are eight principles for the lawful processing of information, aimed at posing a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:

1. Accountability

2. Processing Limitation

3. Purpose Specification

4. Further Processing Limitation

5. Information Quality

6. Openness

7. Security Safeguards

8. Data Subject Participation

More detailed information on each of these principles is provided in Chapter 3 of POPI.

Who’s legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organization doing the processing.

RIGHTS OF DATA SUBJECTS

Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.

In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator, by completing and submitting the relevant form found on their website.

POPI AND JS JACOBS AND ASSOCIATES INCORPORATED

JS JACOBS AND ASSOCIATES INCORPORATED has always been committed to the strictest levels of data protection and privacy. We treat the personal information of your company and employees with the utmost circumspection and respect for the rights of data subjects.

Privacy and data protection are cornerstones of the culture at JS JACOBS AND ASSOCIATES INCORPORATED, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPI.

These obligations have been codified within POPI as follows:

• Processing – Only process information with the authorization of the responsible party.

• Confidentiality – Treat personal information which comes to their knowledge as confidential.0.5. Cookies and Usage Data

• Security – Put in place technical and organizational measures to ensure that the confidentiality and integrity of personal information is protected, and immediately notify the responsible party where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorized person.We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.

The personal information provided to JS JACOBS AND ASSOCIATES INCORPORATED by you includes information such as data subjects’ names, dates of birth, nationality, gender, physical address, email address and bank details. On signup and in order to make use of JS JACOBS AND ASSOCIATES INCORPORATED, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.

As was the case before POPI, JS JACOBS AND ASSOCIATES INCORPORATED will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations to your employees’ (data subjects) rights under POPI, as laid out in sections 23 to 25 of the Act.

As well as complying with the principles of lawful processing, which for JS JACOBS AND ASSOCIATES INCORPORATED includes meeting the three obligations covered above, the following are relevant:

• Appointment and registration of a company Information Officer – JS JACOBS AND ASSOCIATES INCORPORATED has completed the registration of our Information Officer. They can be contacted at desiree@jsjacobs.co.za

• Processing of Special Personal Information – processing of certain data, such as race and philosophical beliefs, is prohibited except in certain circumstances, including where such processing is necessary to meet legal obligations. It is under this exception that JS JACOBS AND ASSOCIATES INCORPORATED is allowed to process special personal information with your (and by extension your employees’) consent.