1. INTENT AND PURPOSE
The right to privacy in South Africa is an integral human right recognised and protected in the Constitution of the Republic of South Africa, 1996, and confirmed and buttressed in the Protection of Personal Information Act 4 of 2013 (“POPIA”).
POPIA aims to promote the protection of privacy by providing guiding principles intended to be applied to the processing of personal information in a relevant and reasonable manner, given the circumstances and context for the processing of such personal information.
A person’s right to privacy requires and demands having control over his or her personal information and being able to conduct his or her affairs free from unwanted intrusions on his or her privacy.
Given the importance of privacy and the type of information dealt with by Remax Blue Chip Realty (“Remax”), Remax is wholly committed to effectively managing personal information in accordance with the provisions of POPIA and the Constitution.
2. DEFINITIONS AND INTERPRETATIONS
Definitions
2.1. “Biometrics” Means a technique of personal identification based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
2.2. “Consent” means any voluntary, specific and informed expression of an individual’s will in terms of which permission is given for the processing of Personal Information by the Firm.
2.3. “Data Subject” This refers to the natural or juristic person to whom Personal Information relates, such as an individual client, customer or company to whom the Firm renders services.
2.4. “De-Identify” This means to delete any information that identifies a Data Subject, or which can be used or manipulated by a reasonably foreseeable method to identify the Data Subject, or which, when linked to other information, identifies the Data Subject.
2.5. “Direct Marketing” Means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
- promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
- requesting the Data Subject to make a donation of any kind for any reason.
2.6. “Filing System” Means any structured set of Personal Information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
2.7. “Information Officer” The Information Officer is the duly appointed and registered person responsible for ensuring the Firm’s compliance with POPIA.
2.8. “Operator” An Operator means a person who processes Personal Information for a Responsible Party in terms of a contract or mandate without coming under the direct authority of that party.
2.9. “Personal Information”
Personal information is any information that can be used to disclose and/or confirm a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to information concerning—
- race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, and birth of a person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person;
- the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
2.10. “Processing”
The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning Personal Information and includes—
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- dissemination through transmission, distribution or making available in any other form;
- merging, linking, as well as any restriction, degradation, erasure or destruction of information.
2.11. “Record”
Means any recorded information, regardless of form or medium, including:
- Writing on any material;
- Information produced, recorded or stored through any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded or stored;
- Label, marking, or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- Book, map, plan, graph or drawing;
- Photograph, film, negative, tape or other devices in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced.
2.12. “Re-Identify” Concerning the Personal Information of a Data Subject means to resurrect any information that has been de-identified that identifies the Data Subject or can be used or manipulated by a reasonably foreseeable method to identify the Data Subject.
2.13. “Responsible Party” The Responsible Party is the entity that needs the Personal Information for a particular reason and determines the purpose of and means for processing the Personal Information. In this case, the Firm is deemed to be the Responsible Party.
2.14. “Unique Identifier” Means any identifier that is assigned to a Data Subject and is used by a Responsible Party for the operations of that Responsible Party, and that uniquely identifies that Data Subject concerning that Responsible Party.
Interpretation
For purposes of this policy document, unless the context requires otherwise:
2.15. The singular includes the plural and vice versa.
2.16. A reference to any one gender, whether masculine, feminine or neuter, refers to the other gender(s).
2.17. The headings in this policy document are for convenience only and are not to be considered when interpreting this policy.
3. POLICY APPLICATION
This policy and its underlying guiding principles apply to:
- Remax;
- All employees and volunteers, and
- All contractors, suppliers and other people acting on behalf of Remax.
The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as Remax’s PAIA Manual (attached hereto as Annexure “A” for ease of reference) as required by the Promotion of Access to Information Act (Act No 2 of 2000).
The legal duty to comply with POPIA’s provisions arises in any situation where Personal Information is processed and entered into any record by or for a Responsible Party who is domiciled in South Africa.
POPIA does not apply in situations where the processing of Personal Information—
- is concluded in purely personal or household activities, or
- where the Personal Information has been de-identified.
4. RIGHTS OF DATA SUBJECTS
Where appropriate, Remax ensures that its clients or customers are aware of the rights conferred upon them as Data Subjects. Remax assures that it gives effect to the following six rights:
4.1 The Right to Access Personal Information
Remax recognises that a Data Subject has the right to establish whether Remax holds Personal Information related to him/her, including the right to request access to that Personal Information.
4.2 The Right to have Personal Information Corrected or Deleted
The Data Subject has the right to request, where necessary, that his or her Personal Information be corrected, or deleted where Remax is no longer authorised to retain the Personal Information.
4.3 The Right to Object to the Processing of Personal Information
The Data Subject has the right, on reasonable grounds, to object to the processing of her Personal Information. In such circumstances, Remax gives due consideration to the request and the requirements of POPIA. Remax may cease to use or disclose the Data Subject’s Personal Information and may, subject to any statutory and contractual record-keeping requirements, also approve the destruction of the Personal Information.
4.4 The Right to Object to Direct Marketing
The Data Subject has the right to object to processing his/her Personal Information for direct marketing purposes through unsolicited electronic communications.
4.5 The Right to Complain to the Information Regulator
The Data Subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his or her Personal Information.
4.6 The Right to be Informed
The Data Subject has the right to be notified that Remax is collecting his/her Personal Information. The Data Subject also has the right to be notified in any situation where the organisation has reasonable grounds to believe that the Data Subject’s Personal Information has been accessed or acquired by an unauthorised person.
5. GENERAL GUIDING PRINCIPLES
All employees and persons acting on behalf of Remax will at all times be subject to, and act per, the following guiding principles:
5.1 Accountability
Failing to comply with POPIA could damage Remax’s reputation or expose Remax to a civil claim for damages. The protection of Personal Information is, therefore, everybody’s responsibility.
Remax ensures that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, Remax may take appropriate sanctions, which may include disciplinary action, against those individuals who, through their intentional or negligent actions and/or omissions, fail to comply with the principles and responsibilities outlined in this policy.
5.2 Processing Limitation
Remax ensures Personal Information under its control is processed:
- in a fair, lawful and non-excessive manner, and
- only with the informed consent of the Data Subject, and
- only for a specifically defined purpose.
Remax shall inform the Data Subject of the reasons for collecting her Personal Information and obtain written consent before processing Personal Information. Alternatively, where services or transactions are concluded over the telephone or electronic video feed, Remax will, where practically and logistically possible, maintain a voice recording of the stated purpose for collecting the Personal Information followed by the Data Subject’s subsequent consent.
Remax will under no circumstances distribute or share Personal Information between separate legal entities, associated organisations, or any individuals that are not directly involved with facilitating the purpose for which the information was initially collected.
Where applicable, the Data Subject must be informed of the possibility that their Personal Information will be shared with other aspects of Remax’s business and be provided with the reasons for doing so.
5.3 Purpose Specification
All Remax’s business units and operations must be informed by the principle of transparency. Remax will process Personal Information only for specific, explicitly defined, and legitimate reasons.
Remax will inform Data Subjects of these reasons before collecting or recording the Data Subject’s Personal Information.
5.4 Further Processing Limitation
Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose.
Therefore, where Remax seeks to process Personal Information it holds for a purpose other than the one for which it was initially collected, and that secondary purpose is not compatible with the original purpose, Remax will obtain additional consent from the Data Subject.
5.5 Information Quality
Remax will take reasonable steps to ensure that all Personal Information collected is complete, accurate and not misleading.
The more important it is for the Personal Information to be accurate, the greater the effort Remax will put into ensuring its accuracy.
Where Personal Information is collected or received from third parties, Remax will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the Data Subject or by way of independent sources.
5.6 Open Communication
Remax will take reasonable steps to ensure that Data Subjects are notified and are aware that their Personal Information is being collected, including the purpose for which it is being collected and processed.
Remax will ensure that it establishes and maintains a “contact us” facility, for instance, via its website or through an electronic helpdesk, for Data Subjects who want to—
- enquire whether Remax holds related Personal Information, or
- request access to related Personal Information, or
- request Remax to update or correct related Personal Information, or
- make a complaint concerning the processing of Personal Information.
5.7 Security Safeguards
Remax will manage the security of its filing/data record-keeping system to ensure that Personal Information is adequately protected. To this end, security controls will be implemented to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction of Personal Information.
Remax will continuously review its security controls, including regular testing of protocols and measures to combat cyber-attacks on Remax’s IT network. Remax will ensure that all paper and electronic records comprising Personal Information are securely stored and accessible only to authorised individuals.
All new employees will be required to sign employment contracts containing contractual terms governing the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of Personal Information for which Remax is responsible. After the required consultation process has been followed, all existing employees will be required to sign an addendum to their employment contracts containing the relevant consent and confidentiality clauses.
Remax’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any Personal Information according to the agreement.
5.8 Data Subject Participation
A Data Subject may request the correction or deletion of his or her Personal Information held by Remax. Remax will ensure that it provides a facility for Data Subjects who want to request the correction or deletion of their Personal Information. Remax will include a link to unsubscribe from any of its electronic newsletters or related marketing activities (if applicable).
6. INFORMATION OFFICER(S)
Remax has appointed an Information Officer and, where necessary, a Deputy Information Officer to assist the Information Officer in fulfilling the obligations of Remax in due compliance with the terms of POPIA.
Where no Information Officer has been appointed, or there is a vacancy in the appointment of the Information Officer, the head of Remax will assume the role of the Information Officer. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officer(s).
Once appointed, Remax will register the Information Officer with the Information Regulator established under POPIA before performing his or her duties.
7. SPECIFIC DUTIES AND RESPONSIBILITIES
7.1 Information Officer
Remax’s Information Officer is responsible for:
- Taking steps to ensure Remax’s reasonable compliance with the provisions of POPIA;
- Keeping the board of directors updated about Remax’s information protection responsibilities under POPIA;
- Continually analysing privacy regulations and aligning Remax’s Personal Information processing procedures with them. This will include reviewing the Firm’s information protection procedures and related policies;
- Ensuring that POPIA Audits are scheduled and conducted regularly;
- Ensuring that Remax makes it convenient for Data Subjects who want to update their Personal Information or submit POPIA related complaints to Remax;
- Approving any contracts entered into with Operators, employees, and other third parties that may impact Remax’s Personal Information. This will include overseeing the amendment of Remax’s employment contracts and other service level agreements;
- Encouraging compliance with the conditions required for the lawful processing of Personal Information;
- Ensuring that employees and other persons acting on behalf of Remax are fully aware of the risks associated with the processing of Personal Information and that they remain informed about Remax’s security controls;
- Organising and overseeing the awareness training of employees and other individuals involved in the processing of Personal Information on behalf of Remax;
- Addressing employees’ POPIA related questions;
- Addressing all POPIA related requests/complaints made by Remax’s Data Subjects;
- Reporting any incident of unauthorised access to or exposure of Personal Information to the relevant client or related party within 24 (Twenty-Four) hours from the time that such unauthorised access became known to the Information Officer;
- Providing training to employees on commencement of their employment with Remax and updating the necessary training regularly or, at the very least, in the event of any changes in the relevant regulations or legislation; and
- Working with the Information Regulator concerning any ongoing investigations. The Information Officer will therefore act as the contact point for the Information Regulator on issues relating to the processing of Personal Information and will consult with the Information Regulator, where appropriate, with regard to any other matter.
7.2 IT Manager
The Firm’s IT Manager is responsible for:
- Ensuring that Remax’s IT infrastructure, filing systems and any other devices used for processing Personal Information meet acceptable security standards;
- Ensuring that all electronically held Personal Information is kept only on designated drives and servers and uploaded only to approved cloud computing services (if applicable);
- Ensuring that servers containing Personal Information are sited in a secure location, away from the general office space;
- Ensuring that all electronically stored Personal Information is backed up, encrypted and tested regularly;
- Ensuring that all back-ups containing Personal Information are protected from unauthorised access, accidental deletion, and malicious attempts to subvert the integrity of the IT system;
- Ensuring that Personal Information being transferred electronically is encrypted;
- Ensuring that all servers and computers containing Personal Information are protected by a firewall and the latest security software;
- Performing regular IT audits to ensure that the security of Remax’s hardware and software systems is functioning correctly;
- Performing regular IT audits to verify whether electronically stored Personal Information has been accessed or acquired by any unauthorised persons;
- Performing a proper due diligence review before contracting with Operators or other third-party service providers to process Personal Information on Remax’s behalf.
7.3 Employees and other persons acting on behalf of Remax
Employees and other persons acting on behalf of Remax will, during the performance of their services, gain access to and become acquainted with the Personal Information of specific clients, suppliers, and other employees.
Employees and other persons acting on behalf of Remax are required to treat Personal Information as a confidential business asset and respect Data Subjects’ privacy.
Employees and other persons acting on behalf of Remax may not directly or indirectly utilise, disclose or make public in any manner to any person or third party, either within Remax or externally, any Personal Information unless such information is already publicly known or the disclosure is necessary for the employee or person to perform his or her duties.
Employees and other persons acting on behalf of Remax must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to protecting a Data Subject’s Personal Information.
Employees and other persons acting on behalf of Remax will only process Personal Information where:
- The Data Subject, or a competent person where the Data Subject is a child, consents to the processing;
- The processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party;
- The processing complies with an obligation imposed by law on the Responsible Party;
- The processing protects a legitimate interest of the Data Subject; or
- The processing is necessary for pursuing the legitimate interests of Remax or of a third party to whom the information is supplied.
Furthermore, Personal Information will only be processed where the Data Subject:
- Clearly understands why and for what purpose her Personal Information is being collected; and
- Has granted Remax explicit written or verbally recorded consent to process her Personal Information.
Employees and other persons acting on behalf of Remax will consequently, before processing any Personal Information, obtain a specific and informed expression of will from the Data Subject, in terms of which permission is given for the processing of Personal Information.
Therefore, informed consent is when the Data Subject clearly understands for what purpose her Personal Information is needed and with whom it will be shared.
Consent can be obtained in written form, including any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, Remax will keep, where practically and logistically possible, a voice recording of the Data Subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.
Consent to process a Data Subject’s Personal Information will be obtained directly from the Data Subject, except where—
- the Personal Information has been made public, or
- where valid consent has been given to a third party, or
- the information is necessary for effective law enforcement.
Employees and other persons acting on behalf of Remax will, where reasonably and logistically possible, not:
- Process or have access to Personal Information where such processing or access is not a requirement to perform their respective work-related tasks or duties;
- Save copies of Personal Information directly to their private computers, laptops or other mobile devices like tablets or smartphones. All Personal Information must be accessed and updated from Remax’s central database or a dedicated server;
- Share Personal Information informally. In particular, Personal Information should never be sent by unencrypted email, as this form of communication is not secure. Where access to Personal Information is required, this may be requested from the relevant line manager or the Information Officer;
- Transfer Personal Information outside of South Africa without express permission from the Information Officer.
Employees and other persons acting on behalf of Remax are responsible for—
- keeping all Personal Information that they come into contact with secure by taking sensible precautions and following the guidelines outlined within this policy;
- ensuring that Personal Information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created;
- ensuring that Personal Information is encrypted before sending or sharing the information electronically. The IT Manager will assist employees and, where required, other persons acting on behalf of Remax with the sending or sharing of Personal Information to or with authorised external parties;
- ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store Personal Information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons;
- ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks;
- ensuring that where Personal Information is stored on removable storage media, e.g. external drives/CDs/DVDs that these are kept locked away securely when not in use;
- ensuring that where Personal Information is stored on paper, such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet;
- ensuring that where Personal Information has been printed out, the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer;
- taking reasonable steps to ensure that Personal Information is kept accurate and up to date. For instance, confirming a Data Subject’s contact details when the client or customer phones or communicates via email. Where a Data Subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly;
- taking reasonable steps to ensure that Personal Information is stored only for as long as it is needed or required in terms of its originally collected purpose. Where Personal Information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the Personal Information in the appropriate manner;
- undergoing POPIA Awareness training from time to time.
Where an employee, or a person acting on behalf of Remax, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of Personal Information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.
8. POPIA AUDIT
Remax’s Information Officer will schedule periodic POPIA Audits, the purpose of which is to:
- Identify the processes used to collect, record, store, disseminate and destroy Personal Information;
- Determine the flow of Personal Information throughout Remax. For instance, the Firm’s various business units, divisions, branches, and other associated organisations;
- Redefine the purpose for gathering and processing Personal Information;
- Ensure that the processing parameters are still adequately limited and delineated;
- Ensure that new Data Subjects are made aware of the processing of their Personal Information;
- Re-establish the rationale for any further processing where information is received via a third party;
- Verify the quality and security of Personal Information;
- Monitor the extent of compliance with POPIA and this policy;
- Monitor the effectiveness of internal controls established to manage Remax’s POPIA related compliance risk.
In performing the POPIA Audit, Information Officers will liaise with line managers to identify areas within Remax’s operation that are most vulnerable or susceptible to the unlawful processing of Personal Information.
Information Officers will be permitted direct access to and have demonstrable support from line managers and Remax’s board of directors in performing their duties.
9. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE
Data Subjects have the right to request details of the Personal Information retained by Remax, to access it, and to be informed on how to keep it up to date. A request in this regard must be made in writing; the request form will be supplied to a Data Subject on request.
Once the request has been received in the correct form, it shall be processed and considered in terms of the Firm’s PAIA Manual (attached hereto as Annexure “A” for ease of reference).
10. POPIA COMPLAINTS PROCEDURE
Data Subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. Remax takes all complaints very seriously and will address all POPIA related complaints under the following procedure:
- POPIA complaints must be submitted to Remax in writing.
- Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 (One) working day;
- The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days;
- The Information Officer will carefully consider the complaint and amicably address the complainant’s concerns. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA;
- The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on Remax’s Data Subjects;
- Where the Information Officer has reason to believe that the Personal Information of Data Subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with Remax’s board of directors, whereafter the affected Data Subjects and the Information Regulator will be informed of this breach;
- The Information Officer will revert to the complainant with a proposed solution, with the option of escalating the complaint to Remax’s board of directors, within 7 (Seven) working days of receipt of the complaint. In all instances, Remax will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines;
- The Information Officer’s response to the Data Subject may comprise any of the following:
- A suggested remedy for the complaint;
- A dismissal of the complaint and the reasons as to why it was dismissed;
- An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
- Where the Data Subject is not satisfied with the Information Officer’s suggested remedies, the Data Subject has the right to complain to the Information Regulator;
- The Information Officer will review the complaints process to assess the procedure’s effectiveness periodically and improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPIA related complaints.
11. DISCIPLINARY ACTION
Where a complaint or infringement investigation in terms of POPIA has been concluded, Remax may recommend any appropriate legal, disciplinary and/or administrative action against any employee reasonably suspected of being implicated in any non-compliant activity outlined in this policy document.
In the case of minor negligence or ignorance of such an employee, Remax will undertake to provide further training to the employee.
Any gross negligence or wilful mismanagement of Personal Information by an employee will be considered a severe form of misconduct for which Remax may summarily dismiss the employee. Disciplinary procedures will commence without delay where there is sufficient evidence to support allegations of an employee’s gross negligence.
12. VERIFICATION AND DOCUMENT MANAGEMENT
This policy document was drafted by the Information Officer of Remax and has been duly approved by the board of directors, subject to a yearly review hereof.