1. Overview
Belle Montagne (Ltd), Riverstone Wine Estate (Belle Montagne) is obliged to comply with The Protection of Personal Information Act 4 of 2013 (The Act).
The Act requires the Responsible Party (Belle Montagne) to inform the Data Subject, whether natural or juristic, as to the manner in which their Personal Information is used, protected, disclosed and destroyed.
Belle Montagne guarantees its commitment to protecting the Data Subject’s privacy by ensuring that their Personal Information is used appropriately, transparently, securely and in accordance with applicable laws.
This Policy sets out the manner in which Belle Montagne deals with the Data Subject’s Personal Information and stipulates the purpose for which said information is used.
2. Purpose
The purpose of this policy is to inform the Data Subject and enable Belle Montagne to:
• Comply with the laws in respect of Personal Information,
• Follow good practices,
• Protect BELLE MONTAGNE’s reputation,
• Protect BELLE MONTAGNE from the consequences of a breach of its responsibilities,
• Protect the Data Subject against loss or breach of their Personal Information.
3. Scope
This policy is written in support of the provisions contained in Chapter 5, Part B of The Act.
BELLE MONTAGNE management will ensure that all employees that have access to any kind of Personal Information will have their responsibilities outlined during their induction procedures.
Ongoing training sessions will provide insights for employees to explore the requirements and various aspects of The Act.
4. Definitions
4.1 “Data Subject” means the natural or juristic person to whom the Personal Information relates;
4.2 “POPI” means the Protection of Personal Information Act No. 4 of 2013;
4.3 “Processing” means an operation or activity, whether or not by automatic means, concerning Personal Information, including:
4.4 “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.
4.5 “Personal Information” means the information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, as defined in The Act.
5. Policy Statement and Responsibilities
BELLE MONTAGNE is committed to protecting the Data Subject’s privacy and ensuring that their Personal Information is used appropriately, transparently, securely and in accordance with applicable laws, as far as it applies to our specific industry.
6. Compliance with regard to the Protection of Personal Information
6.1 The Data Subject has the following rights:
- Objection to the use of Personal Information;
- Notification if information is being used for something other than what was consented for;
- Establishing whether the Responsible Party holds information;
- Request that information be corrected, destroyed or deleted;
- Refuse processing for direct marketing by unsolicited electronic communications;
- Lodge a complaint with the Information Regulator;
- Institute civil proceedings.
6.2 Conditions for lawful processing
6.2.1 Accountability
The Responsible Party must ensure that the conditions set out in the Act and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
6.2.2 Processing Limitations
- Data Subjects must consent.
- Consent is necessary to carry out actions to conclude or perform a contract to which the Data Subject is a party.
- Processing compliance with an obligation imposed by law.
- Must process to protect the legitimate interest of the Data Subject.
- For proper performance of public law duty by a public body.
- Pursue legitimate interest of another Responsible Party or third party to whom the information was supplied.
- Data Subject may withdraw consent.
- Data Subject may object on reasonable grounds.
6.2.3 Specific Purpose
Personal Information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the Responsible Party. The Data Subject must be made aware of the purpose of the collection.
Records must not be retained any longer than is necessary for achieving the purpose for which they were collected unless:
- further retention is required by law;
- the Responsible Party is reasonably required to keep it;
- retention is required by a contract between the parties;
- the Data Subject consents to the further retention;
- Personal Information must be destroyed, deleted or de-identified as soon as it becomes reasonably practical. Destruction or deletion must be done in a manner that prevents its reconstruction in an intelligible form.
- The information officer shall ensure that the information collected will not be used for any other purpose before obtaining the individual’s approval, unless the new purpose is required by law.
- The information officer shall ensure that a person collecting Personal Information will be able to explain to the individual why this is being done;
- The information officer shall ensure that limited collection, limited use, disclosure, and retention principles are respected in identifying why Personal Information is to be collected.
6.2.4 Limiting collection and further Processing
- Must be in accordance or compatible with the purpose for which it was collected.
- The Responsible Party shall ensure that Personal Information will not be collected indiscriminately, but by fair and lawful means, and be limited to what is necessary to fulfil the specific purpose for which the Personal Information is being collected.
Personal Information may only be processed if:
- the Data Subject consents to the Processing;
- Processing is necessary for the conclusion or performance of a contract to which the Data Subject is a party;
- there is a legal obligation to do the Processing;
- Processing is necessary for the proper performance of a public law duty by a public body;
- Processing is necessary for the pursuit of legitimate interests of the Responsible Party.
- A Data Subject may object, at any time, on reasonable grounds, to the processing of their Personal Information, whereafter the Responsible Party may then no longer process the Personal Information.
Personal Information must be collected directly from the Data Subject except if:
- the information is contained in a public record or has deliberately been made public by the Data Subject;
- the Data Subject has consented to the collection from another source;
- collection from another source would not prejudice a legitimate interest of the Data Subject;
Collection from another source is necessary:
- to maintain law and order;
- to enforce legislation concerning the collection of revenue;
- for the conduct of court or tribunal proceedings;
- in the interests of national security;
- to maintain the legitimate interests of the Responsible Party;
6.2.5 Information quality
- Information must be complete, accurate, not misleading and updated where necessary.
6.2.6 Openness
BELLE MONTAGNE takes reasonable steps to ensure the Data Subject is aware of:
- the information being collected;
- the name and address of the Responsible Party;
- the purpose for which the information is being collected;
- whether or not the supply of the information is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising the acquisition of the collection;
- the right of access to and the right to rectify the information collected;
- the right to object to the processing of the information.
This must be done prior to collecting Personal Information if the Personal Information is collected directly from the Data Subject, or in any other case as soon as is reasonably practical after collection.
6.2.7 Security Safeguards
- The Responsible Party must secure the integrity and confidentiality of Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.
Anyone processing Personal Information on behalf of the Responsible Party must:
- treat the information as confidential and not disclose it unless required by law;
- apply the same security measures as the Responsible Party;
- the processing must be governed by a written contract ensuring safeguards are in place; and
- if domiciled outside the Republic, comply with requirements and provisions as set out in the Act.
The Data Subject may request the Responsible Party to:
- correct or delete Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
- delete or destroy Personal Information that the Responsible Party is no longer authorised to retain;
- The Steering Committee shall ensure that all employees know the importance of keeping Personal Information confidential;
- The Steering Committee shall ensure that care is taken when Personal Information is disposed of or destroyed to prevent unauthorized parties from gaining access to it;
- The Responsible Party should notify the Data Subject and Regulator of any breach of data.
7. Information Regulator
- Has jurisdiction throughout South Africa;
- Is independent and is subject only to the Constitution;
- Must exercise its powers and perform its functions in accordance with The Act;
- Is accountable to the National Assembly;
- Enforces Offences and Penalties;
- Minor Offences imposed by the Regulator can be a fine and/or imprisonment up to 12 months;
- Major Offences imposed by the Regulator can be a fine and/or imprisonment up to 10 years.
8. Management Responsibilities
The core focus or duties under The Act for BELLE MONTAGNE will include, but not be limited to, the following:
- Encourage compliance with the information protection conditions in terms of Section 55 of The Act;
- Developing, publishing and maintaining a Policy which addresses all relevant provisions of The Act;
- Reviewing The Act and periodic updates as published;
- Ensuring that The Act induction training takes place for all employees;
- Ensuring that awareness of the responsibilities as set out in The Act are distributed through periodic communication;
- Ensuring that Privacy Notices for internal and external purposes are developed and published;
- Handling the Data Subject access requests;
- Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of Personal Information;
- Ensuring that appropriate Security Safeguards in line with The Act for Personal Information are in place;
- Work with the Regulator in relation to investigations conducted pursuant to Chapter 6;
- Identify and govern all privacy related risks;
- Map all activities performed concerning the collection and storage of Personal Information;
- Map all privacy laws and industry codes;
- Coordinate the development, implementation, and maintenance of corporate customer (external) and employee (internal) privacy policies;
- Ensure compliance with corporate privacy policies and procedures;
- Create standard call scripts for responding to public enquiries;
- Investigate, analyse and document all privacy related incidents and complaints.
9. Policy Review
The BELLE MONTAGNE Steering Committee is responsible for an annual review to be completed prior to the policy anniversary date. Further, the committee will ensure that all relevant stakeholders are consulted as part of that review.
10. Policy Compliance
10.1 Compliance Measurement
The management team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits.
10.2 Exceptions
None.
10.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
11. Related Standards, Policies and Processes
- Human Resource Policy and Procedures Manual
- Information Security Management Policy