POPIA Policy | NightJarr
popi policy / privacy statement
You, as the
Disclosing Party, hereby consent to and are bound by this POPI Policy / Privacy
Statement (“Privacy Statement”) of NightJarr (Pty) Ltd Reg No. 2019/322716/07
(“Recipient”) in relation to the processing by the Recipient of
the personal information of the Disclosing Party. This Privacy Statement is
effective as of the date of consent hereto or the effective date of any main
agreement incorporating the terms of this Privacy Statement by reference (“Agreement”), whichever is earlier.
1. DEFINITIONS
1.1. “Affiliate” means, with respect to any entity,
any other entity Controlling, Controlled by or under common Control with such
entity, for only so long as such Control exists;
1.2. “Associated Personnel” means any staff member, independent
contractor, agent or the like of the Recipient;
1.3. “Control” means the direct or indirect ownership
of more than 50% of the voting capital or similar right of ownership of an
entity, or the legal power to direct or cause the direction of the general
management and policies of that entity, whether through the ownership of voting
capital, by contract or otherwise. Controlled and Controlling shall be
construed accordingly;
1.4. “Data Protection Laws and
Regulations” means
all mandatory laws and regulations, including laws and regulations of RSA,
applicable to the Processing of Personal Information, including but not limited
to, the POPI Act and any amendment or replacement thereof;
1.5. “Data Subject” means the individual to whom Personal
Information relates as defined in section 1 of the POPI Act;
1.6. “Disclosing Party” means the natural or juristic person
who consents to the terms of this Privacy Statement or agrees to an Agreement
incorporating the terms of this Privacy Statement by reference, and for the
purposes of this Privacy Statement, is the Data Subject;
1.7. “Operator” means a person as defined in section 1
of the POPI Act;
1.8. “Personal Information” means information relating to an
identifiable, living, natural person, and where it is applicable, an
identifiable, existing juristic person, as defined in section 1 of the POPI
Act;
1.9. “POPI Act” means the Protection of Personal
Information Act 4 of 2013 as may be amended from time to time;
1.10. “Processing” means processing
as defined in section 1 of the POPI Act;
1.11. “Recipient” means the person
which Processes Personal Information of the Disclosing Party, as defined in the
preamble above. For the purposes of this Privacy Statement, the Recipient
and/or Affiliates are the Responsible Parties;
1.12. “RSA” means the Republic
of South Africa;
1.13. “Responsible
Party” means
the person which determines the purpose and means for which Personal
Information is Processed, as defined in section 1 of the POPI Act; and
1.14. “Supervisory
Authority” means
the Information Regulator as established in RSA, pursuant to the POPI Act.
2. PROCESSING OF PERSONAL
INFORMATION
2.1. The
Disclosing Party hereby consents to the Processing of their Personal
Information in accordance with this Privacy Statement.
2.2. The
Recipient shall comply with Data Protection Laws and Regulations.
2.3. For
the avoidance of doubt, Disclosing Party’s instructions to the Recipient for
the Processing of Personal Information must comply with Data Protection Laws
and Regulations. In addition, Disclosing Party shall have sole responsibility
for the accuracy, reliability, integrity, quality, and legality of Personal
Information, and the means by which Disclosing Party acquired Personal
Information, including providing any required notices to, and obtaining any
necessary consent from, its employees, agents or third parties, if applicable.
2.4. The
Recipient will not sell, share, or rent Disclosing Party’s Personal Information
to any third party or use Disclosing Party’s phone number for unsolicited
messages, without the express consent of the Disclosing Party. Any messages
sent by the Recipient will only be pursuant to this Agreement.
2.5. It
is expressly stated that the Recipient agrees and warrants:
2.5.1. that
the Processing of Personal Information shall be carried out in accordance with
the relevant provisions of the Data Protection Laws and Regulations and does not
violate the relevant provisions of the POPI Act;
2.5.2. that
it shall throughout the duration of the Processing process the Personal
Information only on the Disclosing Party's behalf and in accordance with the
Data Protection Laws and Regulations; and
2.5.3. that
after assessment of the requirements of the Data Protection Laws and
Regulations, the security measures are appropriate to protect Personal
Information against accidental or unlawful destruction or accidental loss,
alteration, unauthorised disclosure or access to the Personal Information, in
particular where the Processing involves the transmission of data over a
network, and against all other unlawful forms of processing, and that these
measures ensure a level of security appropriate to the risks presented by the
Processing and the nature of the Personal Information to be protected having
regard to the state of the art and the cost of their implementation.
2.6. The
Recipient shall keep the Personal Information of the Disclosing Party
confidential and shall only Process Personal Information on behalf of and in
accordance with Disclosing Party’s documented and lawful instructions to:
2.6.1. fulfil
the purpose set out in the table at the end of this Privacy Statement; and
2.6.2. comply
with other documented, reasonable instructions provided by Disclosing Party
(for example, via email) where such instructions are consistent with the terms
of the Privacy Statement. The Recipient will not process Personal Information
outside of RSA without first having obtained Disclosing Party’s consent.
Provided the Recipient has sufficient legal framework under the Data Protection
Laws and Regulations to process Personal Information outside of the RSA, the
Disclosing Party’s consent shall not be unreasonably withheld in respect of the
Processing outside of the above two jurisdictions. Disclosing Party takes full
responsibility to keep the amount of Personal Information provided to the
Recipient to the minimum necessary for the fulfilment of the purpose or
otherwise as required by the Recipient. The Recipient shall not be required to
comply with or observe Disclosing Party’s instructions if such instructions
would violate Data Protection Laws and Regulations.
3. SCOPE OF PROCESSING
The
nature and purpose of Processing of Personal Information by the Recipient is as
set out in the table at the end of this Privacy Statement.
4.1. The
Disclosing Party shall have the right to:
4.1.1. access
and rectify their Personal Information collected by the Recipient. On the
request of the Disclosing Party, the Recipient will provide such access as is
reasonably practicable and either allow the Disclosing Party to rectify such
information themselves or implement any rectifications on behalf of the
Disclosing Party;
4.1.2. object
to the Processing of their Personal Information if Processing is not:
4.1.2.1. with
the Disclosing Party’s consent;
4.1.2.2. protecting
their legitimate interests;
4.1.2.3. necessary
for the proper performance of a public law duty by a public body; or
4.1.2.4. necessary
for pursuing the legitimate interests of the Recipient or its Affiliates,
unless
Processing is otherwise permissible under the Data Protection Laws and
Regulations or this Privacy Statement;
4.1.3. object
to the Processing of their Personal Information for the purposes of direct
marketing other than as allowed by the Data Protection Laws and Regulations;
and
4.1.4. lodge
a complaint with the Supervisory Authority at [email protected].
5. ASSOCIATED PERSONNEL
5.1. Confidentiality
The
Recipient shall ensure that its Associated Personnel engaged in the Processing
of Personal Information are informed of the confidential nature of the Personal
Information, have received appropriate training on their responsibilities and
have executed written confidentiality agreements or are under general
obligations of confidentiality towards the Recipient.
5.2. Reliability
The
Recipient shall take commercially reasonable steps to ensure the reliability of
the Associated Personnel engaged in the Processing of Personal Information.
5.3. Limitation of Access
The
Recipient shall ensure that access to Personal Information is limited to those
Associated Personnel of the Recipient directly involved in the fulfilling of
the purpose.
6. OPERATORS
Disclosing Party acknowledges and
agrees that:
6.1.1. the
Recipient is entitled to retain its Affiliates as Operators; and
6.1.2. subject
to clause 6.2 below, the Recipient or any such
Affiliate may engage any third parties from time to time to process Personal
Information on their behalf and in connection with the fulfilment of the
purpose envisaged in Attachment 1 to this Privacy Statement.
Except
as otherwise provided in this Privacy Statement, the Recipient shall not
provide any third party with access to Disclosing Party Personal Information
without the prior express approval of Disclosing Party. The Recipient shall provide
advanced written notice to the Disclosing Party should it desire to provide a
third-party access to Disclosing Party’s Personal Information. Where approval
has been granted by Disclosing Party in accordance this section, the Recipient
shall:
6.2.1. undertake due diligence on the Operator; and
6.2.2. enter
into a written agreement with the Operator that ensures that the Operator
Processes the Personal Information in line with this Privacy Statement and Data
Protection Laws and Regulations; and
6.2.3. Provide
Disclosing Party with such information regarding
the Operator as Disclosing Party may reasonably require.
7. SECURITY
MEASURES, NOTIFICATIONS REGARDING PERSONAL INFORMATION, CERTIFICATIONS AND
AUDITS, RECORDS
7.1. Security
Measures
Taking into account the state of art,
the costs of implementation and the nature, scope, context and purposes of
Processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, the Recipient shall implement
appropriate organizational and technical measures towards a level of security,
appropriate to the risk (including risks that are presented by Processing, in
particular from accidental or unlawful destruction, loss alteration,
unauthorized disclosure of, or access to Personal Information transmitted,
stored or otherwise Processed), including but not limited to:
7.1.1. the
encryption of Personal Information in transit;
7.1.1.1. the
ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
7.1.1.2. the
ability to restore the availability and access to Personal Information in a
timely manner in the event of a physical and technical incident; and
7.1.1.3. a
process for regularly testing, assessing and evaluating the effectiveness of
technical and organizational measures for ensuring the
security of the Processing.
7.2. Notifications
Regarding Personal Information Breach
7.2.1. The
Recipient will ensure that it and its Operators have in place reasonable and
appropriate security incident management policies and procedures as required by
the POPI Act, and shall notify Disclosing Party without undue delay (but in any
event within 24 hours) where there are reasonable
grounds to believe that there has been, or after becoming aware of, the
unlawful or accidental destruction, alteration or damage or loss, unauthorized
disclosure of, or access to Personal Information, transmitted, stored or otherwise Processed by the Recipient or Operators of which the
Recipient becomes aware (hereinafter, a “Personal Information Breach”), as required to assist the
Disclosing Party in ensuring compliance with its:
7.2.1.1. obligations to notify the Supervisory
Authority;
7.2.1.2. obligations to communicate the
Personal Information Breach to the Recipient involved; and
7.2.1.3. documentation obligation regarding the
facts relating to the Personal Information Breach, its effects, and the
remedial action taken.
7.2.2. The Recipient shall make reasonable
efforts to identify the cause of such Personal Information Breach and take
those steps as it deems necessary and reasonable in order to remediate the
cause of such a Personal Information Breach, to the extent that the remediation
is within the Recipient’s reasonable control.
7.3. Records
The Recipient shall maintain complete
and accurate written records of the Processing it undertakes on behalf of
Disclosing Party in accordance with Data Protection Laws and Regulations.
8. RETURN
OF PERSONAL INFORMATION, COMMUNICATION
8.1. Return
of Personal Information
Unless otherwise required by law, the
Recipient and Operators, shall if required in terms of Data Protection Laws and
Regulations, upon termination or expiry of the Agreement for whatever reason,
either securely delete or return all the Disclosing Party Personal Information
to Disclosing Party in accordance with the Agreement, or in the absence of a
specific destruction provision, the Recipient will ensure it follows its standard
Personal Information destruction practices. If the Recipient or its Affiliates
are required to retain a copy of the Personal Information by law, it shall
retain that which is required by applicable Data Protection Laws and
Regulations for not longer than is reasonably necessary.
9. COOPERATION
WITH SUPERVISORY AUTHORITY
The Disclosing Party and the Recipient
as applicable, shall cooperate, on request, with the Supervisory Authority in
the performance of its tasks.
10. CONFLICT
If this Privacy Statement is
incorporated into and forms part of any other Agreement, for matters not
addressed under this Privacy Statement, the terms of the Agreement apply to the
extent of any inconsistency. With respect to the rights and obligation of the
parties to each other insofar as it pertains to the Processing of Personal
Information, in the event of a conflict between the terms of the Agreement and
this Privacy Statement, the terms of this Privacy Statement will prevail to the
extent of such inconsistency.
Nature and purpose of Processing
This table includes certain details of the Processing of Personal Information as required by section 18 of the POPI Act. | |
Nature and purpose of Processing | The Recipient and Operators will/may Process Personal Information as necessary to provide services and market. Failure to provide the Personal Information may mean that the Recipient will be unable to fulfil this purpose, and as such, is mandatory |
Categories of third parties Personal Information may be shared with the following categories of third parties: | · marketing service providers |
Types of Personal Information to be Processed in terms of this Privacy Statement | · First name · Last name · Email address · Phone number · Address · Demographic data · Text, audio, video or image files |