PROTECTION OF DATA AND PERSONAL INFORMATION POLICY

The purpose and principles contained in this policy, is to ensure to ensure compliance the legislative provisions contained in the Protection of Personal Information Act No. 4 of 2013 (POPIA). It further seeks to ensure that all personal information as defined in Section 1 of the Act is processed, retained and stored lawfully in accordance with the consent obtained from the a Data Subject.

 

1. SCOPE

This policy applies to all employees of Secure Cab (Pty) Ltd.

 

1. PERSONS RESPONSIBLE

• Information Officer
• Deputy Information Officer
• All employees of Secure Cab

 

 

1. Records

• Consent forms of all data subjects permitting the processing of personal information;
• PIAIA request register;
• Any information substantiating the approval or refusal to grant any request for information of any data subject that the company has stored, retained and/or processed

1. DEFINITIONS

 

                  In this Protection of Data and Personal Information Policy –

 

1. 1. Headings are for convenience and reference only and shall not be used in the interpretation thereof.

 

1. 1. Any gender includes the other genders, and a natural person includes a juristic person and vice versa.

 

1. 1. unless the context otherwise requires – 

 

1. 1. 1. "Consent" means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
      2.  "Company" means Secure Cab (Pty) Ltd (registration number: 2025/053773/07) a company registered and incorporated in accordance with the laws of the Republic of South Africa; 
      3. "Data Subject" means the natural or juristic person to whom the personal information relates;
      4. "Data Protection Laws" means any statutes, laws, secondary legislation or regulations or binding policy of any government authority that relates to the security and protection of personally identifiable information, data privacy, trans-border data flow or data protection in force from time to time in the Republic of South Africa, including but not limited to POPI and/or any equivalent or analogous legislation of the jurisdiction(s) where the Services are being provided or where information is being Processed;
      5. "Direct Marketing" in accordance with Section 69 "Direct Marketing" means to approach a Data Subject, by any means of communication (including but not limited to electronic communication, for the direct or indirect purpose of:
         1. promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
         2. requesting the Data Subject to make a donation of any kind for any reason.

 

1. 1. 1. De-identify", in relation to personal information of a Data Subject, means to delete any information that –
         1. identifies the Data Subject;
         2. can be used or manipulated by a reasonably foreseeable method to identify the Data Subject; or
         3. can be linked by a reasonably foreseeable method to other information that identifies the Data Subject; and "de-identified" has a corresponding meaning.
      2. "Information Officer" means the person appointed by the Company, from time to time, who is responsible for the monitoring of compliance, by the Company, with the conditions for the lawful processing of Personal information; dealing with requests made to the Company in terms of the POPI Act; working with the Regulator in relation to investigations conducted in relation to prior authorisation by the Data Subject and ensuring compliance by the Company with the provisions of the POPI Act; 

 

1. 1. 1. "Operator" means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

 

1. 1. 1. "Person" means a natural person or a juristic person;

 

1. 1. 1. "Personal Information" means information relating to an unidentifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: 

 

1. 1. 1. 1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

 

1. 1. 1. 1. information relating to the education or the medical, financial, criminal or employment history of the person;

 

1. 1. 1. 1. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

 

1. 1. 1. 1. the biometric information of the person;

 

1. 1. 1. 1. the personal opinions, views or preferences of the person;

 

1. 1. 1. 1. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

 

1. 1. 1. 1. The views or opinions of another person relating to a data subject

 

1. 1. 1. 1. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; 

 

1. 1. "POPI" means the Protection of Personal Information Act No. 4 of 2013;

 

1. 1. "Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:

 

1. 1. 1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

 

1. 1. 1. 1. dissemination by means of transmission, distribution or making available in any other form; or
         2. merging, linking, as well as restriction, degradation, erasure or destruction of information;

 

1. 1. "Responsible Party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

 

1. ABBREVIATIONS USED

ABBRIEVATION	DESCRIPTION
POPIA	Protection of Personal Information Act 13 of 2013
PIAIA	Promotion of Access to Information Act 2 of 2002
IO	Information Officer – The Chief Executive Officer of Secure Cab has been appointed as the information officer in accordance with Section 55 of POPIA
DIO	Deputy Information Officer –has been appointed as the Deputy Information Officer in accordance with Section 17 of POPIA
PI	Personal information

 

1. WHAT IS PERSONAL INFORMATION

Personal information is defined as any information relating to an identifiable, living person or a juristic person (trust, closed corporation, private and public company) and includes information which includes but is not limited to:

• information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
• information relating to the education or the medical, financial, criminal or employment history of the person;
• any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
• the biometric information of the person;
• the personal opinions, views or preferences of the person;
• correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
• the views or opinions of another individual about the person; and
• the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Whilst the definition of personal information is vast, it is important to understand what types of personal information is collected during the course and scope our business operations which can be summarised as follows:

• Correspondences to and from various customers and/or suppliers;
• Telephone numbers and email addresses;
• Purchase orders sent to suppliers;
• Purchase orders received from customers;
• Invoices generated;
• Quotations issued to customers;
• Documents containing employee information such as: Employee contracts;
• Pay slips;
• Identity documents;
• Proof of residences;
• Banking information; and/or
• Documents relating to disciplinary processes (ie. Warning and notices etc)

 

Financial information received from a supplier and/or customer. This includes the following credit applications and supporting documents;

• Payment card details such as the following:
  • Credit or debit card number
  • Expiry dates;
  • Card Holder details;
  • CVV (usually tokenised or stored via a secured third party such as Peach Payments)
  • Billing information
  • Digital payment details such as Apple Pay or Google Pay
  • Transaction History
  • In-App Wallet or Credit Balance
  • Linked bank account information
  • VAT and Tax Numbers, if applicable.
• credit reports;
• contracts; and/or
• CIPC documents such as COR forms.

 

Please note that this list contained above is not exhaustive and employees are required to exercise their discretion in identifying any form of personal information and if uncertain, to raise such questions to their line manager for escalation.

 

CONDITION 1 – ACCOUNTABILITY

Where Secure Cab is considered to be the Responsible Party for the purposes of Processing Personal Information, it shall ensure that the eight conditions for the lawful processing of Personal Information as set out in the POPIA, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing of information collected.

 

CONDITION 2 – PROCESSING LIMITATION

Secure Cab processes Personal information lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject.

The Company shall ensure that the processing of any special personal information of a Data Subject complies with sections 26 through 35 of the POPIA in that it is, amongst other things, only carried out where:

• Consent from the Data Subject has been obtained;
• it is necessary for the establishment, exercise or defence of a right or obligation in law; or
• it serves a public interest and the processing is necessary for the purpose concerned.

 

COMPLIANCE WITH LIMITATION ON THE PROCESSING OF PERSONAL INFORMATION

Data subjects will be required to consent to collection, processing and storage of their personal information. Secure Cab shall provide justification for such collection and provide the data subject with the opportunity to object to the collection thereof.

Personal Information is processed because it is necessary for the conclusion or performance of a contract to which the Data Subject is party or for pursuing the legitimate interests of  Secure Cab as a Responsible Party.

The Data Subject may withdraw their consent, if consent was provided to Secure Cab for the processing of their Personal Information at any time provided that the lawfulness of the processing of Personal Information before such withdrawal, or the processing of Personal Information, will not be affected.

The Data Subject may further object, at any time, to the processing of their Personal Information, by complying with the relevant process, and subject to there being reasonable grounds relating to their particular situation.

The Data Subject shall however, be forewarned that should they revoke consent or object to Secure Cab processing their Personal Information in terms of the POPIA, in circumstance where the processing of such Personal Information is necessary to carry out actions for the conclusion or performance of a contract, then the Data Subject may be excluded from any affected rights or benefits under the contract or transaction and, where such consent is operationally material to the continuation of the contract or transaction, that the relationship, undertaking, or arrangement, may have to be terminated, or suspended as the case be, for operational or otherwise legitimate reasons, to the extent as may be necessary.

Secure Cab regards the processing of Personal Information as justifiable under the POPIA, which includes, processing of personal information that is necessary to carry out actions for the conclusion or performance of contractual relationships with Data Subjects, processing complies with an obligation imposed by law on Secure Cab, processing protects a legitimate interest of the Data Subject, processing is necessary for the proper performance of a public law duty by Secure Cab, or processing is necessary for pursuing the legitimate interest of Secure Cab or a third party to whom the information is supplied.

COLLECTION FROM DATA SUBJECTS:

Personal information is collected directly from the Data Subject and also collected where contained in or derived from a public record or has deliberately been made public by the Data Subject.

 

COLLECTION FROM OTHER SOURCES

Collection by Secure Cab may take place when the Data Subject has:

• consented to the collection from another source,
• collection from another source would not prejudice any legitimate interest/s of the Data Subject;
  • where collection from another source is necessary: to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
  • to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
  • for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
  • in the interests of national security; or

• • to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
  • compliance would prejudice a lawful purpose of the collection; or
  • compliance is not reasonably practicable in the circumstances of the particular case.

Any and all form of personal information processed by Secure Cab is considered to be minimal and relevant for the purposes such information has been collected.

 

CONDITION 3 – NOTIFICATION OF COLLECTION AND COLLECTION FOR SPECIFIC PURPOSE

Secure Cab processes Personal Information only for specific, explicitly defined and legitimate reasons, which purpose is communicated to the relevant Data Subject by way of privacy notices, as part of concluding agreements with Secure Cab, in this policy and other policies and procedures where such policies or procedures require or may result in the collection of Personal Information.

Secure Cab complies with section 18 of the POPIA, in its reasonably practicable steps, by ensuring that Data Subjects are aware of the purpose of the processing of Personal Information.

When Secure Cab collects information directly from a Data Subject, it will notify a Data Subject during the time of the collection. However, should Personal Information be collected from another source, Secure Cab will apply a reasonable period of one month within which to notify a Data Subject of the collection of information, unless a shorter period is practicable.

Secure Cab is not entitled to notify a Data Subject in respect of the collection of Personal Information should we be justified to do so in compliance with section 18 of the POPIA.

The purpose of the collection of Personal Information includes but is not limited to the following instances:

1. Employee Personal Information

This constitutes Personal Information collected from a data subject upon application alternatively employment with Secure Cab.

In instances of the establishment of an employment relationship with the data subject, such information shall be collected, processed and stored for the duration of such relationship. Processing of such information is necessary for the following purposes:

• Personnel management;
• Work and general business management; and
• Regulatory and statutory compliance and reporting.

 

Upon termination, Personal Information will be processed for the administration of any post-employment benefits, if applicable.

All information collected shall be retained in accordance with the company policy on archiving.

 

1. Supplier and/or Service Providers Personal Information

Personal Information from Suppliers and/or Service providers shall be collected, processed and stored for the facilitation of business relationships between the parties in order to allow the supply of goods or the rendering of any services as agreed upon between the parties.

 

1. Customer Personal Information

Personal information from Customers will be collected, processed and stored in order to fulfill any services placed by the Customer with Secure Cab. Such personal information is crucial for the carrying out of any obligations placed with Secure Cab and shall be retained in accordance with our archiving policy.

 

Further Personal Information may be processed to monitor and analyse trends, usage and activities in connection with the Company’s products and services to understand which parts of the Company’s digital platforms and services are of the most interest and to improve the design and content of those platforms

RECORD OF PROCESSING ACTIVITIES

Secure Cab in compliance with section 17 of the POPIA, will document processing activities, including in both written and electronic means, as to the various processing activities.

RETENTION AND RESTRICTION OF RECORDS

Secure Cab has a retention and archiving policy that regulates the retention and archiving of information as required or authorised by law, as well as where such records are reasonably required for lawful purposes related to Secure Cab functions and/or activities. Secure Cab takes reasonable measures to delete records of Personal Information or de-identify it as soon as reasonably practically possible after Secure Cab is no longer authorised to retain the records (as per relevant statutory and regulatory frameworks) or ensures appropriate safeguards are maintained in the event that Personal Information is retained for longer than statutory prescribed periods for historical, statistical or research purposes.

 

CONDITION 4 – FURTHER PROCESSING LIMITATION

All personal information processed by Secure Cab shall be used for the purpose that such information was received in accordance with the consent granted by the Data Subject. Consequently, Secure Cab shall ensure compliance with Section 15 of POPIA.

 

CONDITION 5 – QUALITY OF INFORMATION

Secure Cab takes reasonable steps to ensure that the Personal Information collected is complete, accurate, not misleading and updated where necessary. Secure Cab has regard to the purpose for which Personal Information is collected or further processed when taking such steps. In this regard, Secure Cab complies with section 16 of the POPIA. 3. Data Subjects are required to ensure that the Personal Information they provide is complete, accurate, not misleading and consistently updated where necessary.

 

CONDITION 6 – OPENNESS

Secure Cab will take reasonable steps to ensure that the Data Subjects are aware of the Personal Information collected and the purpose for which the Personal Information is processed. Consequently, Secure Cab complies with sections 17 and 18 of the POPIA.

 

CONDITION 7 – SECURITY

Secure Cab secures the integrity and confidentiality of Personal Information that it processes by taking appropriate, reasonable, technical and organisational measures to prevent loss the following:

• damage to or unauthorised destruction of Personal Information; and
• unlawful access to or processing of Personal Information.

 

Ensuring compliance with condition 7, Secure Cab takes reasonable measures to:

• Identify all reasonably foreseeable risks to Personal Information that is

in our possession;

• Establish and maintain reasonable safeguards against the risks

identified;

• Regularly verify that the safeguards are effectively implemented

throughout the organization;

• Ensure that the identified safeguards are continually updated to ensure

that risks and/or deficiencies previously identified are mitigated.

 

Secure Cab ensure compliance with generally accepted information security practices and procedures within the organization to ensure compliance hereof. Further that, Secure Cab ensures compliance with sections 20 and 21 of the POPIA by entering into data processing agreements with Operators who process Personal Information for or on behalf of Secure Cab, thereby also ensuring that the Operator establishes and maintains the security measures referred to in section 19 of the POPIA.

 

NOTIFICATION OF SECURITY COMPROMISES

Although Secure Cab takes all reasonable measures to ensure the safety of the Personal Information that it processes, where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person or source, Secure Cab will, as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity Secure Cab’s information systems, notify the Information Regulator (in the manner prescribed by the POPIA) and the Data Subject (by e-mail to the Data Subject’s last known e-mail address) of the alleged breach. The notification referred to hereabove, shall include sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise.

 

CONDITION 8 – DATA SUBJECT PARTICIPATION

Access to personal information: A Data Subject may (subject to the provision of adequate proof of identity to Secure Cab) request to know whether their Personal Information is held by Secure Cab, as well as the correction and/or deletion of any Personal Information held about them however, Secure Cab may charge an access fee to cover the cost of retrieving the information and supplying it to a Data Subject.

Should, Secure Cab and the Data Subject cannot reach agreement following the receipt of such a request, the Data Subject can request Secure Cab to make a note of the requested correction alongside the information.

In this regard, sections 23, 24 and 25 are applicable to Personal Information requests by Data Subjects.

The Data Subject’s access to Personal Information will need to adhere to Secure Cab’s Manual on the Promotion of Access to Information that is readily available on request.

 

9.  DATA SUBJECTS ACCESS TO PERSONAL INFORMATION

 

9.1. Data Subjects may, at any time, request access to their Personal Information held by the Company and request the correction or deletion of such Personal Information.

Such request must be directed, on the prescribed form, to the Information Officer.  

 

9.2. Data Subjects may challenge the accuracy or completeness of their Personal Information in Company records.  If the Data Subject successfully demonstrates that their Personal Information in Company records is inaccurate or incomplete, the Company will ensure that such Personal Information is amended or deleted as required by the Data Subject.

 

9.3. The Company may refuse to grant access to a requested record that falls within a certain category. Grounds on which the Company may refuse access include, but are not limited to: -

 

                                9.3.1.           Protecting Personal Information that the Company holds on a third party,

who is a natural person (including a deceased person), from unreasonable disclosure;

 

9.3.2. Protecting commercial information of the Company and/or information the Company holds on a third party, such as trade secrets, financial, commercial, scientific or technical information, that may harm the commercial or financial interests of the Company or third party;

  

9.3.3. If disclosure of the record would result in a breach of duty of confidentiality owed to a third party in terms of an agreement;

 

9.3.4.            If disclosure of the record would endanger the life or physical safety of an individual;

 

9.3.5. If disclosure of the record would prejudice or impair the security of property or means of transport;

 

9.3.6. If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;

 

9.3.7. If disclosure of the record would prejudice or impair the protection of the safety of the general public;

 

9.3.8.            The record is privileged from production in legal proceedings, unless the legal privilege has been waived;

 

9.3.9. Disclosure of a record that would put the Company at a disadvantage in contractual or other negotiations or prejudice the Company in commercial competition;

 

                                9.3.10.           The record is a computer programme; and

 

9.3.11. The record contains information about research being carried out or about to be carried out on behalf of the Company or a third party.