Privacy Policy

Abstract

This document serves as the Privacy Policy (“Policy”) of OIM Consulting (Pty) Ltd. We acknowledge that the protection and processing of personal information have become a global phenomenon and pose great risks. We recognise that the right to privacy enshrined in section 14 of the Republic of South Africa Constitution, 1996 (“Constitution”) forms the cornerstone of the protection of personal information and must provide guidance on how we process personal information.

Compliance with POPI is required as of 30 June 2021, and our Team is committed to complying with its provisions in fulfilment of our client’s instructions. We acknowledge our clients’ right to protection against the unlawful collection, retention, dissemination, and use of personal information, subject to justifiable limitations that are aimed at protecting other rights and important interests.

Key Definitions

The following definitions contained in section 1 of POPI are of importance: ‘data subject’ means the person to whom the personal information relates; ‘information officer’ means the person(s) as identified in this Policy; ‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable and identifiable, existing juristic person, including, but not limited to –
  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and the birth of the person;
  2. information relating to the education or the medical, financial, criminal, or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignments to the person;
  4. the biometric information of the person;
  5. the personal opinions, views, or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the person; and
  8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

‘processing’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-

  1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  2. dissemination by means of transmission, distribution or making available in any other form; or
  3. merging, linking, as well as restriction, degradation, erasure, or destruction of information;

‘record’ means any recorded information-

  1. regardless of form or medium, including any of the following:
    1. Writing on any material;
    2. information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded or stored;
    3. label, marking, or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
    4. book, map, plan, graph, or drawing;
    5. photograph, film, negative, tape, or other devices in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced;
  2. in the possession or under the control of a responsible party;
  3. whether or not it was created by a responsible party; and
  4. regardless of when it came into existence;

‘responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

‘special personal information’ means information relating to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information or the criminal behaviour of a data subject.

Information Officer (Internal)

Should you have any questions / complaints / suggestions regarding the processing of personal information, we encourage you to contact our firm’s Information Officer(s):

Deputy Information Officer
Ben Nel
083 456 2859
nel@oimconsulting.com

Information Officer
Arjen de Bruin
083 456 2859
debruin@oimconsulting.com

You are further invited to contact our Information Officer(s) regarding issues specifically pertaining to-

  1. Any objection to the processing of your personal information;
  2. A request for the deletion/destruction/correction of your personal information or records; and/or
  3. The submission of a complaint relating to the processing of your personal information.

Our Information Officer is responsible for encouraging and ensuring compliance with POPI, and will deal with requests relating thereto and work closely with the Information Regulator whenever necessary.

You can also complain to the Information Regulator if you are unhappy with how we have used your Information. Their contact details are as follows:

The Information Regulator (South Africa): JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Complaints email: POPIAcomplaints.IR@justice.gov.za

In addition, thereto, our Information Officer will ensure that:

  • a compliance framework is developed, implemented, monitored and maintained;
  • a risk analysis is done on at least a quarterly basis to ensure continued compliance with POPI;
  • a manual as described in sections 14 and 51 of the Promotion of Access to Information Act 2 of 2000 is developed and maintained;
  • training and awareness sessions are conducted every six months to current employees, and immediately to new employees, on the provisions and application of POPI; and
  • to do all things necessary to ensure compliance with POPI and process requests relating thereto.

Our Information Officer and Deputy Information Officers have been duly appointed by resolution and have been registered accordingly with the Information Regulator.

Information Regulator (External)

Should you prefer not to contact our offices directly regarding any personal information related issues, you may forward your complaint/request directly to the Information Regulator at: inforeg@justice.gov.za 6

Action Plan and Information Policies

We worked closely with our legal representatives to ensure compliance with POPI and the lawful and secure processing of your personal information. This process involved the following steps:

  • Conducting a risk analysis and developing a POPI action plan;
  • Obtaining the necessary board resolutions and appointing our Information Officer and Deputy Information Officer(s);
  • Developing our POPI Policies (see below); and
  • Implementing a strategy and a review process for continued compliance with POPI in the future.

With the assistance of our legal representatives, we have developed and implemented the following policies regulating the processing of personal information in our business-

  • Risk analysis
    • We have identified certain areas that carry more risk than others, specifically relating to those wherein third parties are involved or where mass volumes of electronic data are stored and have implemented further measures to ensure the security of personal information herein;
    • These measures include cybersecurity checks and updates, and the implementation of Operator Undertakings (see below).
  • Privacy Policy
    • An external document (this document) available to outside parties explaining how we process personal information and regulating everything else POPI-related;
  • POPI Policy
    • An internal document specifically applicable to our employees wherein they acknowledge that they are aware of the provisions of POPI and undertake to comply with our Information Policies;
    • An internal guideline highlighting the principles applicable to processing of personal information in our business;
  • Operator Undertakings
    • We have worked closely with third parties who may have access or deal with any personal information held by us and inquired on whether they are aware of the provisions of POPI;
    • These third parties have provided us with undertakings, confirming that they will only process personal information in line with the purpose that it was provided to them for and in line with the principles enshrined in POPI.

 

Description of Business Activities

OIM Consulting is a business consulting firm specialising in business operations optimisation, organisational development, culture change and leadership development. Furthermore, we offer psychometric/psychological and competency assessments and implement practical solutions through assessments, training, and coaching to develop and manage talent to benefit the individual and organisation. We also gather business performance data to guide interventions and measure the success of our implementation.

Processing of Personal Information

Section 18 of POPI requires us to ensure you are aware of the following:

  • We may process your personal information in line with the purpose that it was provided by you for (see ‘description of business activities’ above) and will be used solely for this purpose; and
  • The provision of your personal information is not mandatory; however, take caution that failure to provide us with your information as requested m

By engaging our services, you, therefore, consent to us processing your personal information in line with the purpose it was provided to us.

Retention and Deletion Of Personal Information

You are further advised that your records will be retained by us for a period 5 (five) years from the date of last entry on your file, as required by South African Revenue Service guidelines, after which it will be destroyed and/or deleted and/or destructed and/or de-identified in a manner that prevents its reconstruction in an intelligible form. However, kindly note that we generally hold data in an electronic format, stored securely, as explained under “Security Safeguards” below.

Grounds for Processing Personal Information

In conducting our Business Activities as described above, we will generally rely on the following grounds as listed in section 11 of POPI to process your personal information:

  • Consent;
  • Processing is necessary to carry out actions for the conclusion or performance of a contract;
  • Processing complies with an obligation imposed on us by law;
  • To protect a legitimate interest of a data subject; or
  • Processing is necessary for pursuing a legitimate interest of ours or of a third party to whom the information is supplied.

Grounds for Processing Special Personal Information

POPI contains a general prohibition on the processing of special personal information, unless one of the exclusions in POPI apply. The categories of special personal information we may process include-

  • Philosophical beliefs;
  • Race or ethnic origin;
  • Health information.

We are authorised to process the above information based on the following grounds listed in POPI:

  • Consent;
  • Regarding philosophical beliefs- where processing is necessary to protect the spiritual welfare of the data subjects, unless they have indicated that they object to the processing, and wherever otherwise allowed by POPI.
  • Regarding race or ethnic origin- only to identify data subjects whenever it is essential and to comply with laws to protect or advance persons disadvantaged by unfair discrimination;
  • Regarding health/medical information- we may be authorised to process this information where the processing is necessary for the enforcement of contractual rights or obligations. We are generally authorised to process this information where the processing is necessary for the establishment, exercise or defence of a right in law.

The processing of the above information involves greater risk, and as such, we take special care to protect this information. We will only collect special information insofar it is allowed by POPI. Our security measures implemented are discussed under “SECURITY SAFEGUARDS” below.

We have worked closely alongside our legal representatives and IT service providers to identify any risks associated herewith and have implemented the below measures to combat these risks.

Your Rights

Kindly be advised that, as a data subject, you have the right to-

  1. Be informed that your personal information is being collected;
  2. Be informed that your personal information has been accessed by an unauthorised person;
  3. Establish whether we hold your personal information and request access thereto;
  4. Request deletion, destruction or correction of your personal information;
  5. Object to the processing of your personal information (on reasonable grounds);
  6. Object to the processing of your personal information for purposes of direct marketing;
  7. Not be subject to a decision based solely on the automated processing of your personal information;
  8. Submit a complaint to the Information Regulator;
  9. Institute civil proceedings regarding an alleged interference with your personal information.

Your Duty

In order for us to properly execute our mandate and provide the best legal assistance possible, we kindly request that you provide us with the accurate and complete personal information required by us to fulfil our mandate. Lastly, we kindly ask that you update us of any changes to your personal information to endorse the same in our records.

Forms

Kindly contact our Information Officer to inquire on the following forms:

  • Objection to the processing of personal information;
  • Request for correction or deletion of personal information;
  • Consent in respect of direct marketing; and
  • Complaint regarding interference with personal information.

Once received, you are encouraged to complete these forms and present them to our Information Officer, alternatively the Information regulator, whichever may be applicable.

Conditions for the Lawful Processing of Personal Information

Our Team is committed to the fulfilment of the following condition imposed by POPI:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation

Accountability

We are committed to ensuring that your personal information will only be processed in accordance with the provisions of POPI and in line with the purpose for which it was supplied to us.

Processing limitation

Personal information will only be-

  • Processed lawfully and in a reasonable manner;
  • Processed for a specific purpose and reason for which it was supplied to us; and
  • Collected directly from the data subject, subject to justifiable limitations in the execution of our services insofar as allowed by POPI.

As mentioned above, personal information will only be processed by us on one of the following grounds listed in POPI:

  • Consent;
  • Processing is necessary to carry out actions for the conclusion or performance of a contract;
  • Processing complies with an obligation imposed on us by law;
  • To protect a legitimate interest of a data subject; or
  • Processing is necessary for pursuing our legitimate interests or a third party to whom the information is supplied.

Purpose specification

Data subjects will always be made aware of the purpose for which their personal information is being processed.

As mentioned above, section 18 of POPI requires us to ensure you are aware that your personal information may be processed by us in the execution of our services to you and will be used solely for this purpose. By engaging our services, you, therefore, consent to us processing your personal information in line with the purpose it was provided to us.

Personal information will always be collected directly from the data subject, unless-

  • The information has been made public;
  • Consent;
  • The collection from a third party would not prejudice a legitimate interest of the data subject;
  • The collection of the information from another source is necessary for the conduct of legal proceedings or to maintain a legitimate interest of ours or of a third party to whom the information is supplied;
  • The collection directly from the data subject would prejudice a lawful purpose of the collection; or
  • Compliance is not reasonably practicable in the circumstances of the particular case.

Data subjects will be notified by us once their personal information is collected, unless-

  • Consent has been granted for the collection thereof;
  • Failure to notify would not prejudice a legitimate interest of the data subject;
  • It is collected for purposes of legal proceedings;
  • Notification would prejudice a lawful purpose of the collection;
  • Notification is not reasonably practicable in the circumstances of the particular case; or

The information will not be used in a form in which the data subject may be identified or unless the information is merely for historical, statistical or research purposes.

Further processing limitation

In line with the previous paragraph (‘PURPOSE SPECIFICATION’), any further/subsequent processing of your personal information will still be done in accordance with the original purpose and only when processing thereof is necessary for the circumstances described above.

Information quality

Upon collecting your personal information, our staff will take all steps necessary to ensure the correctness of your personal information. All of your personal information is stored securely for if and when we require same to be processed (refer to “Security Safeguards” below).

In order for us to properly assist our clients, we kindly request that you provide us with the accurate and complete personal information required by us to fulfil our services. Lastly, we kindly request that you update us of any changes to your personal information to endorse the same in our records.

Openness

  • What information is collected and from where;
  • Our business’ name, address and contact details;
  • The purpose for which their personal information is collected;
  • Whether or not the supply of personal information is mandatory or voluntary;
  • Consequences of failure to provide personal information;
  • Any particular law authorising the collection of personal information;
  • Their right to access or rectify the information;
  • Their right to object to the processing of their personal information; and
  • Their right to lodge a complaint to the Information Regulator and the details of the Information Regulator.

Security safeguards

Upon collecting your personal information, our staff will take all steps necessary to ensure the correctness of your personal information. All of your personal information is stored securely for if and when we require same to be processed (refer to “Security Safeguards” below).

To properly assist our clients, we kindly request that you provide us with the accurate and complete personal information required by us to fulfil our services. Lastly, we kindly ask that you update us of any changes to your personal information to endorse the same in our records.

Your personal information will be stored in a secure system, as explained later on under ‘SECURITY SAFEGUARDS’. Our goal with this Privacy Policy is to ensure that a data subject is made aware of:

In order to protect our clients’ personal information, our Team will-

  • Implement reasonable, appropriate, technical and organisational measures; and
  • Notify data subjects and the Information Regulator of any security compromises as soon as reasonably possible and state:
    • Possible consequences;
    • Steps taken to address the compromise;
    • Recommendation to data subject on what steps to take;
    • Identity of person who accessed the information (if known).

Kindly refer to ‘STEPS IN EVENT OF A COMPROMISE’ in the next section.

We have implemented the following physical and software/electronic safeguards-

  • Electronic data:
    • Our Wi-Fi network is password protected and secure, allowing only specific identified devices to connect;
    • Our server is protected and locked away securely;
    • We use trusted and approved cloud-based software with high-security standards;
    • Strong passwords that are reviewed frequently;
    • Regular software updates;
    • Data encryption;
    • Secured all devices with access control and lock screens;
    • Regular backups of data;
    • Employee training and awareness programs.

We work closely alongside our IT service providers to ensure that our safeguarding mechanisms are frequently updated and reviewed.

  • Physical safeguards:
  • Our offices are further equipped with-
    • Alarm system;
    • All access points are securely locked;
    • Access control;
    • We are in a secure office complex;
    • Armed response 24 hours a day; and
    • Security guards patrolling the office areas.

Data subject participation

Furthermore, all our agreements with third-party operators have been reviewed and/or Operator Undertakings have been provided to ensure compliance by third parties with POPI.

Data subjects can request confirmation from us on whether we hold personal information and/or the correct personal information. Data subjects can further request for such information to be deleted or destroyed.

Our Team will not process special personal information unless expressly provided for in POPI and unless specifically necessary for the purpose it was provided to us for. 

Steps in Event of a Compromise

The following steps will be taken by us in the unlikely event of a data breach/information compromise:

  1. Notify our service provider;
  2. Attempt to establish (internal analysis)
    • Whether there was in fact a breach;
    • What data, if any, was compromised;
    • Which parties were affected; and
    • The extent of the compromise.
  3. Draft an internal report with the assistance of our IT service providers;
  4. Notify affected persons of the breach;
  5. Notify the Information Regulator of the breach;
  6. Notify our insurers;
  7. Cooperate with our service providers and data subjects to prevent any processing of the compromised data; and
  8. Review our safeguarding structures to prevent a reoccurrence.

 

Cross-Border Transmission of Personal Information

In conducting our business activities, we may transmit personal information to other countries. The processing of the above information involves greater risk, and as such, we take special care to protect this information. Our security measures implemented are discussed under “SECURITY SAFEGUARDS” below. We have worked closely alongside our legal representatives and IT service providers to identify any associated risks and have implemented applicable measures to combat these risks.

We will ensure that the cross-border transmission of your information complies with the standards set out in POPI, alternatively, a higher standard as required in the destination countries (for example, the General Data Protection Regulation applicable in the European Union)

We will not send your personal information abroad unless-

  • Consent has been provided;
  • It is required to perform in terms of a contract; or
  • The foreign laws are equally or more strict than those contained in POPI.

 

Personal Information of Children

We do not process the personal information of any children in the ordinary course of our business. We acknowledge that the processing of the above information involves great risk, and such information may only be processed where consent has been provided by a competent person (parent or guardian) or where otherwise authorised by POPI.

Account Numbers

We will never sell, obtain or disclose your account number (whether this relates to any sort of bank account details, credit card numbers or credit application numbers) to any person without your consent.

Correspondence From Us

As a client of ours, we will communicate with you as and when required in the ordinary course of business. We will only correspond with you if you are an existing or prospective customer or if you provided consent. Communications will only be sent if we obtain your contact details in the context of the sale of our products or services as in the ordinary course of business. Communications received from us will always clearly identify us as the sender, and should you wish to stop receiving correspondence from us, you are encouraged to notify us thereof.

Conclusion

Our Team is committed to complying with POPI and we acknowledge our clients’ right to protection against the unlawful collection, retention, dissemination and use of personal information, subject to justifiable limitations that are aimed at protecting other rights and important interests.

Kindly contact our Information Officer for any queries relating to the processing of personal information.