1.1 Capitalised words in this Policy are as defined in Protection of Personal Information Act, 2013 (Act No. 4 of 2014).
1.2 The Foundation means Cyril Ramaphosa Foundation Trust.
1.3 Personal Information is information that identifies or relates specifically to You and includes Your name, age, identity number, contact details and payment information and history.
1.4 Biometrics are biological measurements or physical characteristics that can be used to identify individuals.
1.5 Platforms means all platforms used by the Foundation which includes but not limited to Twitter, LinkedIn, Facebook and Instagram.
2.1.1 What Personal Information the Foundation collects;
2.1.2 For what purpose the Foundation collects Personal Information;
2.1.3 How the Foundation collects Personal Information;
2.1.4 How long the Foundation retains Personal Information; and
2.1.5 Your rights as a data subject.
Personal Information includes:
a) certain information collected on entering competitions through all social media platforms comments.
b) optional information that you voluntarily provide to us.
c) additional data that you provide to the Foundation in the comments section on the Foundation Platforms, especially in forms of discussion boards and using the comment features of blogs (“comment data”).
d) your IP address, information about the amount of data transferred, stored in access log files (“usage data”).
e) first name, last name, date of birth, email address, country, job title, phone number, fax number, company name, and additional information that you provide when contacting us using our websites, especially information provided in free text fields of contact forms (“contact data”).
f) additional data that you provide to the Foundation while subscribing for any of the Foundation’s products and/or services etc. (“subscription information”).
g) email address, phone number, name, company name and country provided when subscribing to a newsletter or other marketing information of the Foundation (“direct marketing data”).
h) personal Information sent by your web browser, i.e. information about your type of web browser, your operating system, and selected settings (e.g. language, region, font size, font types and other configuration) may be collected (“browser data”).
Personal Information excludes:
a) information that has been made anonymous so that it does not identify a specific person;
b) permanently de-identified information that does not relate or cannot be traced back to you specifically; and
c) non-personal statistical information collected and complied by the Foundation and information that you have provided voluntarily in an open, public environment or forum including (without limitation) any blog, chat room, community, classified advertisement or discussion board. Since the information has been disclosed in a public forum, it is no longer confidential and does not constitute personal information subject to protection under this policy.
The Foundation has implemented the following approach concerning Personal Information:
4.1 To be transparent in its standard operating procedures that govern the collection and processing of Personal Information;
4.2 To comply with all applicable legal and regulatory requirements regarding the processing of Personal Information;
4.3 To collect Personal Information by lawful and transparent means and process Personal Information in a manner compatible with the purpose for which it was collected;
4.4 To strive to keep personal Information accurate, complete and up-to-date and reliable for its intended use;
4.5 To develop reliable, safe and sustainable means of protecting the Personal Information of employees whether physical or digitally so as to prevent leakage, loss, alteration or misuse of said information;
4.6 When consigning to outside entities for the protection of said information, the Foundation will only select those entities with the ability to safeguard and manage the said information.
4.7 This policy will be made known to the Foundation’s current or prospective employees, beneficiaries, suppliers and service providers; and
5 PERSONAL INFORMATION COLLECTED BY THE FOUNDATION
5.1 Personal information is defined by POPIA as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
5.1.1 Information relating to the race, gender, sexual orientation, pregnancy, marital status, national, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
5.1.2. Information relating to the education or the medical, financial, criminal or employment of the person;
5.1.3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
5.1.4. The fingerprints or other biometric information of the person;
5.1.5. The personal opinions, views or preferences of the person;
5.1.6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the content of the original correspondence;
5.1.7. The view or opinions of another individual about the person; and
5.1.8. The name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
5.2 The Foundation may process any of the types of Personal Information as defined above, although it will only be processed in so far as it is adequate, necessary, relevant and not excessive in relation to the purposes for which it is required.
6 PURPOSE FOR WHICH PERSONAL INFORMATION IS COLLECTED BY CRF
The purpose for which the Foundation uses your Personal Information will include amongst others:
6.1 When you are a beneficiary:
a) identify you and conduct appropriate checks, audits and procedures; marketing and promotions (including contacting you for such purposes);
b) administer and manage the products and services the Foundation offers to you; and
c) get a better understanding of you, your needs and how you interact with the Foundation, so the Foundation can engage in product and service research, development and business strategy including managing the delivery of the Foundation’s services and products via the ways the Foundation communicates with you.
6.2 When you are a supplier or service provider:
a) identify the company and conduct appropriate checks, audits, due diligence and procedures;
b) payment for the goods and/or services acquired and used;
c) communication in relation to the goods and/or services supplied;
d) review, compare and evaluate the goods and/or services supplied;
e) record keeping in accordance with the applicable legislation; and
f) performance of the parties’ respective obligations under the applicable agreement for the supply of the goods and/or services.
6.3 When you are an employee or prospective employee:
a) identify and conduct appropriate checks, audits and procedures;
b) payment of employment benefits and related deductions;
c) record keeping and reporting in accordance with the applicable legislation; contacting purposes;
d) review and evaluate your work experience and qualifications; and
e) recruitment purposes.
6.4 Further to above, the Foundation may use your Personal Information to:
a) pursue the Foundation’s legitimate interests such as to compile reports and statistical analysis;
b) comply with requests for information from any internal or external auditor, or any regulatory body;
c) meet legal and regulatory requirements to which the Foundation may be subject;
d) use in connection with legal proceedings; and
e) assist with any criminal or similar investigation.
6.5 Where the Foundation shares your Personal Information with the above third parties, the latter will be obliged to use that personal information for the reasons and purposes it was disclosed for.
7 SECURITY AND CONFIDENTIALITY
The Foundation takes appropriate and reasonable technical and structural security measures to protect your Personal Information in its possession against accidental or illegal damage, loss, modification, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing of the Personal Information.
7.1 Legal Basis for Processing
7.2 Lawfulness of Processing
7.2.1 The Foundation is committed to processing your Personal Information lawfully, within reason and in a manner that respects your right to privacy and aligned with the purpose for which it is processed, taking into account the adequacy and relevance thereof at all times.
7.2.2 The lawfulness for the processing of Personal Information is the performance of a contract or steps prior to communicating, engaging with you and/or referring you to the Foundation’s associates. Using this Personal Information is required to ensure that the Foundation is able to provide you with the information or assistance you require from it. Without this personal information you will not be able to communicate, engage with or be referred to the Foundation’s associates.
7.3 Data breach
In the event of a data breach leading to the accidental or illegal damage, loss, modification, unauthorised disclosure or any unauthorised access to any Personal Information that has been transmitted, stored or otherwise processed by the Foundation, the Foundation has the relevant measures and policies in place to cater for and assess the details relating to any such data breach in a prompt and efficient manner. The Foundation will notify you of such data breach as soon as possible in accordance with POPIA.
As stated above, when the Foundation contracts with third parties, the Foundation concludes agreements with them in terms of which the Foundation imposes appropriate security, privacy and confidentiality obligations on them to ensure that personal information is kept secure.
Whilst the Foundation will do all things reasonably necessary to protect your rights of privacy, the Foundation cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of your personal information, whilst in the Foundation’s possession, made by third parties who are not subject to the Foundation’s control, unless such disclosure is as a result of the Foundation’s gross negligence.
8 TRANSFER OF PERSONAL INFORMATION OUTSIDE SOUTH AFRICA
The Foundation will not transfer any personal information across a country border without complying with the provisions of section 72 of the POPIA and your prior written consent.
9 THE FOUNDATION PLATFORMS
9.1 The Foundation’s website also references and includes links to its platforms. As a rule, these are identified by stating the platform type and respective third-party internet address or the company/product logo in such a platform. The Foundation has no influence whatsoever on the contents and design of websites of other providers linked to the Foundation platforms. By referencing/linking these external websites the Foundatin does not adopt their content as its own.
10 PARTICIPATION ON THE FOUNDATION PLATFORMS
10.1 The Foundation website may offer you the opportunity to participate in the Foundation platforms. In order to use the Foundation platforms, it may be necessary to enter certain Personal Information (email address, first name and last name, company name and country, contact number (“Contact Data”) to enable the Foundation to identify and, where appropriate, comply with the obligation to retroactively identify authors of illegal content. The details of this Contact Data are voluntary for you. Please note that you may not be able to use the Foundation Platforms if you do not want to provide your Contact Data. This is associated with no further disadvantages.
10.2 When participating in the Foundation Platforms your Personal Information is not disclosed to other participants unless you have consented thereto in your user profile. In this context, the Foundation’s website terms pertaining to platforms apply when registering for access to the Foundation Platforms.
11 CONSENT, JUSTIFICATION AND OBJECTIVES
11.1 In so far that you have given the consent, the Foundation will also use your direct marketing data for marketing purposes, e.g., to send newsletters. The lawfulness for processing your direct marketing data is the Foundation’s legitimate interest, e.g. to improve the Foundation’s communication, engagement, services, or your consent.
11.2 In so far that you have given the consent, the Foundation will also use your browser data for market research and the improvement of the CRF website, the Foundation platforms and services, and to improve your user experience. The lawfulness for processing your browser data is your consent or the Foundation’s legitimate interest.
11.3 In so far that you have given the consent, the Foundation will also collect your usage data for statistical purposes, for the analysis of advertisement on the Foundation’s website, the Foundation platforms and for adapting the advertisement for the Foundation’s services to better match your interests. Log files are only used for statistical analysis of the visitors to the Foundation website. The usage data is deleted after having been analysed. The lawfulness for processing this usage data is for statistical purposes and is for the Foundation’s legitimate interest, e.g. internal organisation, or your consent.
11.4 The Foundation will also use your usage data for internal system-specific purposes to secure the Foundation website, the Foundation platforms, and IT systems from malicious attacks by third parties. The lawfulness is a balancing of interests of the conflicting interests of the security of the IT systems on the Foundation’s part and your potentially conflicting interests in a non-processing of the usage data by us. Considering the security and measures of the processing of the usage data by the Foundation, the Foundation considers your rights and interests appropriately taken into account and protected.
11.5 Beyond these purposes, CRF uses and processes your Personal Data only if you have expressly granted your prior consent thereto and if you have been informed about such purposes.
Please note that:-
a) you can object, at any time to the processing of your Personal Information irrespective of the purpose, on reasonable grounds (unless legislation allows for such Processing) by sending the Foundation an email at firstname.lastname@example.org, in a prescribed manner.
b) providing the direct marketing data and browser data is optional. If you do not provide this Personal Information, you will not receive any direct marketing information from the Foundation, and your data will not be used to improve your user experience and will not be used for statistical purposes; and
c) Once the Foundation obtains the abovementioned objections, the Foundation will no longer Process your Personal Information.
d) You can opt out of receiving communications from us at any time. Any direct marketing communications that CRF sends to you will provide you with the information and means necessary to opt out.
13 RETENTION PERIOD OF PERSONAL INFORMATION
In accordance with POPIA, the Foundation will keep your Personal Information on record for as long as:
a) It is legally obliged to do so;
b) A contract or agreement with you requires the Foundation to keep it;
c) You have consented to the Foundation keeping it;
d) The Foundation reasonably requires it to achieve the purpose set out in the terms of transaction or contract with you;
e) The Foundation requires it for legitimate business purposes; or
f) There is ongoing litigation, investigation or tax or other regulatory query relating to the Personal Information.
g) In order to protect information from accidental or malicious destruction when the Foundation deletes information from its services, the Foundation may not immediately delete residual copies and Personal Information from its backup systems.
h) If your Personal Information is no longer required on the Foundation platforms to comply with contractual or legal obligations, it will be deleted from the Foundation’s systems or anonymized accordingly so that identification is not possible, unless the Foundation has to keep the information, including your Personal Information, to comply with legal or regulatory obligations (e.g. statutory retention periods which may arise from the commercial laws or tax laws and may in principle be 5 to 10 years or, if during the statutory limitation periods, which are regularly 5 years, but may be up to 10 years, evidence must be secured).
14 DATA SUBJECT RIGHTS
As a data subject you have a legal right in terms of POPIA to:
14.1 request information about your stored Personal Information, (ii) rectification of your Personal Information, (iii) restriction of processing of your Personal Information, (iv) deletion of your Personal Information, (v) data portability, (vi) revocation of your consent for processing of your Personal Information and (vii) object to the processing of your Personal Information.
14.2 Important to note with regards to your rights is the following:
a) To exercise these rights, please contact the Foundation’s Information Officer at: email@example.com. The Foundation will require adequate proof of identification from you prior to responding to you (which the Foundation will do within a reasonable time);
b) The Foundation will correct or delete information unless it is required or entitled to keep such information under applicable laws, in which case the Foundation will inform you.
c) If the Foundation believes information does not require correction, the Foundation will provide you with credible reasoning for such.
e) The address of the Information Regulator is as follows:
The Information Regulator (South Africa)
33 Hoofd Street, Forum III, 3rd Floor. Braampark
PO Box 31533 Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za
General enquiries email: firstname.lastname@example.org
f) For further information on how to exercise these rights, please refer to the Foundation’s PAIA and POPIA manual which is available on the CRF websites.
15 DETAIL OF DATA SUBJECT RIGHTS
15.1 Right to information: You have the right to ask the Foundation for confirmation of the Processing of your Personal Information in question and, if so, of your right to information about such Personal Information. The right to information includes, among other things, the processing purposes, the categories of Personal Information being processed and the recipients or categories of recipients to whom the Personal Information is disclosed. You may also have the right to receive a copy of the Personal Information that is the subject of the processing. However, this right is limited in that, the rights of others may limit your right to receive a copy.
15.2 Right to rectification: – You may be entitled to request the correction of incorrect Personal Information concerning you. In consideration of the purposes of processing, you have the right to request the completion of incomplete Personal Information, including by means of a supplementary statement.
15.3 Right to erasure (“Right to be forgotten”): – Under certain conditions, you have the right to ask the Foundation to delete your Personal Information.
15.4 Right to restriction of Processing: – Under certain circumstances, you have the right to demand that the Foundation restricts the processing of your Personal Information. In this case, the corresponding data will be marked and processed by the Foundation only for specific purposes.
15.5 Right to data portability: – Under certain circumstances, you have the right to receive the Personal Information relating to you that you have provided to the Foundation in a structured, commonly used and machine-readable format and you have the right to transfer that data to another person without obstruction by the Foundation.
15.6 Right to revocation of consent: – If you have given your consent for some data processing activities, you may revoke your consent at any time with future effect. Such revocation shall not affect the lawfulness of the processing because of the consent until the revocation.
15.7 Right to object: – For reasons arising from your particular situation, you have the right to object to the processing of Personal Information relating to you on the basis of Section 11 of Condition 2 of Part 3 of POPIA (data processing based on legitimate interests). If you object, the Foundation will no longer process your Personal Information unless the Foundation can establish compelling and legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising, or defending legal claims.
16 UPDATES TO THE POLICY