The risk of invading a person’s privacy through the misuse of their personal data and information has been recognised in countries around the globe, many of which have established legislation to prevent such abuse and to regulate the collection, processing, retention, safeguarding and use of personal data. The right to privacy is enshrined in the South African Constitution, which expressly states that everyone has the right to privacy. The Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) is aimed at facilitating the protection of this important right and comes into effect on 1 July 2021.
This Policy has been created to ensure that as a responsible organisation Blue Label is in alignment with local as well as global best practice with regard to the management of regulatory risk including control and processing mechanisms around the protection of personal information and data privacy.
- Policy Scope
This policy applies to the BLT Group, its business units and subsidiaries, its operations, processes, systems, websites as well as all its directors, employees and/or representatives within the jurisdiction of the Republic of South Africa. Adherence to this policy will assist the BLT Group in upholding the constitutional rights afforded to persons with regard to processing personal information and safeguarding their right to privacy.
- What is Personal Information?
Personal information (“PI”) is defined in POPIA as information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, and includes any information that identifies or relates specifically to you, including, for example, your name, age and identity number or other national identifier, your contact address, your location, your banking details, e-mail and contact numbers. In short, personal information refers to any information that identifies a person or specifically relates to a person.
Some types of personal information are considered special personal information (“SPI”). These include personal information revealing or related to a person’s health, racial or ethnic origin, religious or philosophical beliefs, sex life, political affiliation, trade union membership, or criminal behaviour and proceedings related thereto.
- Key Definitions
The following are some of the most applicable and essential definitions contained in POPIA:
- “consent” – means any voluntary, specific and informed expression of will in terms of which permission is given to the processing of personal information.
- “data subject” – means the person to whom the personal information relates.
- “de-identify” – in relation to the personal information of a data subject, means to delete any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject.
- “electronic communication” – means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
- “operator” – means a person or entity who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
- “processing” – means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
- “regulator” – means the Information Regulator established in terms of the Act.
- “responsible party” – means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
- “unique identifier” – means any identifier that is assigned to a data subject by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
POPIA does not apply to the processing of personal information:
- for purely personal or household activities;
- that has been de-identified;
- processed by or on behalf of a public body for the purposes of:
- safeguarding national security;
- the investigation and prosecution of criminal matters;
- processed by the cabinet and its committees or the executive council of a province; or
- relating to the judicial functions of a court.
POPIA further provides that the Act does not apply to:
- the processing of personal information for the purposes of journalistic, literary or artistic expression in defined circumstances;
- the exclusion for journalistic purposes requires the journalist to be subject to a code of ethics and provides adequate safeguards for the protection of personal information.
The Regulator may grant exemptions to compliance with the Conditions for the Lawful Processing of Personal Information.
- The Conditions for the Lawful Processing of PI
POPIA lists eight (8) conditions or principles for the lawful processing of personal information, namely:
- Condition 1 – Accountability
- Condition 2 – Processing Limitation
- Condition 3 – Purpose Specification
- Condition 4 – Further Processing Limitation
- Condition 5 – Information Quality
- Condition 6 – Openness
- Condition 7 – Security Safeguards
- Condition 8 – Data Subject Participation
- Collection and processing of PI must be for a specified purpose
Personal information (“PI”) must be collected and processed for a specific, explicitly defined and lawful purpose relating to a lawful function or activity of the responsible party. The data subject must be made aware of this purpose from the outset (for example, this provision should and would normally be included in the terms and conditions of a contract with the responsible party).
- Lawfulness of processing PI
Personal information (“PI”) must be processed lawfully and in a reasonable manner so that it does not unnecessarily infringe on the data subject’s right to privacy. PI must be processed in terms of the purpose for which it was originally collected whereby:
- the data subject must have consented to the processing; or
- processing is required for the completion of a transaction or conclusion of a contract or agreement (for example a credit or hire-purchase agreement, a lease or buy and sell agreement, etc.) entered into by the data subject; or
- processing is permitted in terms of a law (for example but not limited to the Companies Act; the Consumer Protection Act (CPA); the Electronic Communications and Transactions (ECT) Act; the Financial Advisory and Intermediary Services (FAIS) Act; the Financial Intelligence Centre Act (FICA); the National Credit Act (NCA); the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) amongst other legislation); or
- processing is permitted in terms of a public law duty of a public body (for example but not limited to the Department of Justice (DoJ), the South African Revenue Service (SARS), the South African Police Service (SAPS), amongst others); or
- processing protects the legitimate interests of the data subject; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Unless the processing of personal information is provided for in law (see criteria above), the data subject may at any time and on reasonable grounds object to the processing of his or her personal information. Consequently, the responsible party may no longer process the personal information. Furthermore, non-compliance with these provisions of POPIA may result in regulatory sanction and/or hefty penalties which could adversely impact business operations and reputation of the BLT Group.
- Further processing limitation
In the first instance, the further processing of personal information must be in accordance or compatible with the purpose for which it was originally collected. Consequently, personal information collected and processed in terms of RICA for example may not be further processed for activities outside of or foreign to the permissible purposes of RICA save for any of the exceptions listed below that may apply.
Further processing of personal information is permissible in the following instances (i.e. exceptions) only:
- where the data subject has provided the necessary consent (must be informed and of own free will);
- in order to comply with an obligation imposed by a law (e.g. FICA, NCA, RICA, etc.);
- the personal information is available or derived from a public record or a record that has been made public by the data subject himself/herself (e.g. court judgment, telephone directory, etc.);
- for the detection, investigation, prevention and/or prosecution of offences (e.g. anti-money laundering activities, fraud detection and prevention, etc.);
- in the interests of national security;
- for the purposes of preventing an imminent or serious threat to life, health or public safety;
- for historical, statistical or research purposes (e.g. population census, research paper or report on consumer behaviour, economic or scientific studies, etc.); or
- where the Information Regulator has granted permission to do so.
- So what PI are we permitted to process at BLT?
In terms of POPIA, we are required to only process personal information for lawful purposes relating to our business in any one or more of the following circumstances:
- where an existing customer is on our customer database. This means the customer has purchased a product from us or used our services;
- where the customer communicates, interacts and/or transacts with us, our strategic partners, VAS providers and/or promoters;
- where the customer uses our NFC services;
- where the customer’s personal information is held by another subsidiary in the BLT Group and the customer has agreed to the processing of their PI by other entities in the BLT Group;
- if, where required, the person has explicitly consented thereto;
- if the person has not requested that we refrain from processing their personal information;
- if the law or a court has consented thereto;
- if it is necessary to conclude or perform under a contract we have with the person;
- if the processing is for statistical or research purposes;
- if the law requires or permits it; and/or
- if it is required to protect or pursue a customer’s, employee’s or third party’s legitimate interest.
We may process special personal information in any one or more of the following circumstances:
- if the person has consented to the processing;
- if the processing is needed to create, use or protect a right or obligation in law;
- if the processing is for statistical or research purposes and all legal conditions have been met;
- if the special personal information was made public by the person;
- if the processing is required by law;
- if the processing is required to identify a person; and/or
- if health information is processed, and the processing is to determine the insurance risk of the person, or to comply with an insurance policy or to enforce an insurance right or obligation.
- The PI we can collect
- identifiers and contact information, such as the data subject’s identity number, name, address, phone number/s, and/or email address;
- purchase or other commercial information, such as the products and/or services the data subject may purchase and/or use, delivery address, and contact information;
- payment information, such as payment method and payment information (such as debit or credit card number), and billing address belonging to the data subject;
- profile and account information, which may include contact, purchase, and preference information as well as information about the products and services the data subject has purchased and/or used, interaction with vendors at NFC events captured on an NFC chip purchased by the customer or offers they have shown an interest in and/or product or services review information;
- communications and interactions, which may include e-mail messages, chat sessions, text messages, and phone calls that we and/or our strategic partners and/or service providers exchange with the customer;
- demographic information, which may include age or birthdate, gender, postal code, the status of a customer, and other related information about the customer;
- call recordings, including information about the customer’s call and what they share when they call us or we call them on the phone;
- location or geolocation information of the device that the customer uses, should their device settings allow us to collect location information;
- device and browsing information and other Internet activity information, including information about the customer’s phone, tablet, computer, or device, and online browsing activity (collectively, “automatically collected information”). Automatically collected information may include IP addresses, unique device identifiers, cookie identifiers, device and browser settings and information, and Internet Service Provider (“ISP”) information. Automatically collected information also may include information about when and how the customer may access and use the distribution channels or how they interact with us on the distribution channels, such as the date and time of their visit or use, the websites they visit before coming and after leaving our distribution channels, how they navigate and what they search for using our distribution channels, the website pages and items they view using our website and other distribution channels, and the items they purchase or offers they may show an interest in;
- inferences about any of the information above that may relate to a customer’s preferences, or other matters; and
- information that does not personally identify the customer, including information that has been anonymised or aggregated; if we link this information with the customer’s personal information, we must treat such linked information as personal information.
Remember, the customer / data subject can choose not to provide personal information to us when requested. However, if their personal information is necessary to provide the customer with services and products and/or offers regarding the aforesaid, including access to our distribution channels, and/or to perform administrative functions, we may as a consequence be unable to perform such services.
- How we may use PI
We may use a data subject’s personal information for the following reasons, but this must always be in line with our business and the purpose for which the PI is collected:
- to enable the conclusion, implementation and enforcement of transactions the data subject may enter into with us or our strategic partners for products and services;
- to respond to the customer’s enquiries and/or complaints;
- to process returns and/or refunds;
- to provide information about products and/or services that the customer has requested and notifying them about important changes or developments to these products and/or services;
- to follow-up as part of our customer-care process;
- to update the data subject’s records on our customer database and other internal records;
- to administer offers and transactions we make and/or enter into with the customer;
- to improve our products, services and/or distribution channels;
- to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and/or rules), voluntary and involuntary codes of conduct and industry agreements or to fulfil reporting requirements and information requests;
- sending marketing and other communications with the latest specials, deals, alerts, notifications and promotions in relation to our business, products and services, for marketing those products and services and to market related products, goods and services to the customer;
- to develop, test and improve products and services for customers and making our services or those of our strategic partners and/or service providers easier for customers to use;
- to detect, prevent and report theft, fraud, money laundering and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information or avoiding liability by way of deception;
- to enforce and collect on any agreement when customers are in default or in breach of the agreement terms and conditions, for the purposes of tracing customers or to institute legal proceedings against customers;
- to contact customers for market research purposes in relation to our business or the business of the BLT Group and to conduct market and behavioural research, including scoring and analysis to determine if customers qualify for products and services;
- evaluating the effectiveness of our marketing and for the purpose of research, training and statistical analysis;
- for historical, statistical and research purposes, such as market segmentation;
- to record and/or assist appointed payment processors to process payment instructions (i.e. debit order or EFT);
- to manage and maintain customer relationships with ourselves;
- to enable us to deliver products, services, documents or notices to customers;
- for security, identity verification and to check the accuracy of a data subject’s personal information;
- to communicate with customers and carry out their instructions and requests;
- for customer satisfaction surveys, promotional and other competitions;
- to enable data subjects to take part in customer loyalty reward programmes, to determine their qualification for participation, earning of reward points, determining their rewards level, monitoring their buying behaviour with our rewards partners to allocate the correct points or inform them of appropriate products, goods and services that they may be interested in or to inform our reward partners about customer purchasing behaviour;
- to enable customers to take part in and make use of VAS; and/or
- for any other customer relationship and service related purposes.
- What are a data subject’s rights under POPIA?
Data subjects have the right to:
- the information we hold about their personal details.
- access free of charge the information about themselves stored by us and its use.
- correct, destroy, or delete this data as and where permitted in law.
- opt-out of direct marketing calls or mail.
- remove their data from a direct marketing list.
- object on reasonable grounds to the processing of their personal information.
- withdraw consent to the processing of their personal information.
The customer / data subject may formally submit a request to our Information Officer to access their personal information that the BLT Group holds on them. By using the PAIA tab / link at the bottom of the landing page of our primary website, customers / data subjects may refer to our Promotion of Access to Information Act No. 2 of 2000 Manual (“PAIA Manual”) for access to their PI and further information related thereto.
Data subjects also have the right to lodge a complaint with the Information Regulator about how we process their personal information. E-mail: complaints.IR@justice.gov.za
- What safeguards are in place to secure PI?
We must take all reasonable and appropriate technical and organisational steps to ensure that personal information is kept secure and is protected against unauthorised or unlawful processing, misuse, unauthorised disclosure, loss, interference, destruction or damage, alteration, disclosure or access.
Our security systems must be in line with industry best practice and standards. We must monitor system developments to ensure that our security protocols evolve, as required. We must test our systems regularly, viz. penetration and vulnerability testing.
Personal information must be destroyed or anonymised when no longer needed or when we are no longer required by law to retain it (whichever is the later). For further guidelines and requirements please refer to the Records Management / Records Retention Policy.
We are required to promptly notify the data subject if we become aware of any unauthorised use, disclosure or processing of their personal information.
Where storage is in another country, personal information must be stored in a jurisdiction that has equivalent, or better, data protection legislation than South Africa or with a service provider which is subject to an agreement requiring it to observe data protection requirements equivalent to or better than those applicable in South Africa.
Notwithstanding the above, no data transmission over the Internet or data storage system can be guaranteed to be completely secure. Customers should not send us sensitive information via email. Should a customer / data subject have reason to believe that their interaction with us is not secure (for example, if they feel that the security of any account they may have with us has been compromised), they must immediately notify us of the problem by contacting us at email@example.com
- How long must we retain PI?
We may retain personal information for as long as is necessary to fulfil the purpose for which it was collected (minimum period of five (5) years) unless a longer retention period is required to comply with legal obligations, resolve disputes, protect our assets, or enforce agreements. The criteria we use to determine retention periods include whether:
- We are under a legal, contractual or other obligation to retain personal information, or as part of an investigation or for litigation purposes;
- Personal information is needed to maintain accurate business and financial records;
- There are automated means to enable the customer to access and delete their personal information at any time;
- The data subject has consented to us retaining their personal information for a longer retention period, in which case, we will retain personal information in line with their consent.
Personal information records may be retained for periods in excess of those stated above where they pertain to historical, statistical or research purposes, provided BLT has established the necessary safeguards against the records being used for any other purposes.
Generally accepted practice is to retain records for at least five (5) years after the date of the last transaction or from the date the relationship or contract was terminated; however, other legislation may call for personal and/or transactional records to be retained for longer retention periods.
Furthermore, POPIA requires a responsible party to destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record, i.e. after five (5) years have elapsed or where a specific law specifies a longer period. The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.
For further guidelines and requirements please refer to the Records Management / Records Retention Policy.
- The sharing of PI
In general, we will only share personal information if any one or more of the following apply:
- if the law allows it;
- if, where necessary, the data subject has consented to this;
- if it is necessary to conclude or perform under a contract that we or our strategic partners, promoters, VAS providers and/or clients have with the data subject / customer;
- the data subject has specifically consented to the sharing of their personal information during an interaction or transaction through our distribution channels or other communication channel;
- if the law requires it; and/or
- if it is necessary to protect or pursue our legitimate interests or the legitimate interests of a third party.
Where permitted in law or where applicable subject to disclosure and/or informed consent, we may share personal information with the following persons. These persons have an obligation to keep the personal information secure and confidential:
- strategic partners, promoters, VAS providers and other duly appointed service providers;
- our employees in the performance of their duties;
- attorneys and other persons that may assist with the enforcement of agreements;
- payment processing services providers, merchants, banks and other persons that assist with the processing of payment instructions, such as card scheme providers;
- law enforcement and fraud prevention agencies and other persons tasked with the prevention and/or the prosecution of crime;
- regulatory authorities, industry ombuds, governmental departments, local and international tax authorities and other persons the law requires us to share personal information with;
- credit bureaux or other similar verification agencies;
- our service providers, agents and sub-contractors like couriers and other persons we use to offer and provide products and services to customers;
- persons to whom we have ceded our rights or delegated our obligations to under agreements, like where a business is sold;
- courts of law or tribunals that require the personal information to adjudicate referrals, actions or applications;
- the general public where customers submit content to our social media sites like our Facebook page;
- trustees, executors or curators appointed by a court of law;
- participating partners in our customer loyalty reward programmes, where customers purchase products and services or spend loyalty rewards;
- our joint venture and other partners with whom we have concluded business arrangements.
- Cookies and Similar Technologies
- Enabling customers to sign in to our Sites;
- Authenticating customers;
- Keeping track of information customers have provided to us;
- Improving customer browsing experience;
- Customising our interactions;
- Storing and managing customer preferences and settings;
- Compiling statistical data;
- Analysing the performance and usability of our Sites;
- Measuring traffic patterns for our Sites; and
- Determining which areas of our Sites have been visited.
These technologies collect information that the customer’s browser sends to our Sites, including browser type, information about the IP address (a unique identifier assigned to the customer’s computer or device which allows their PC or device to communicate over the Internet), together with the date, time and duration of their visit, the pages they may view and the links they click on.
The information that we collect using cookies is non-personal information. Customers must always be free to decline our cookies if their browser permits, but some parts of our websites may not work properly should they elect to do so. We do not allow third parties to place cookies on our websites.
Our Sites may also contain web beacons or similar technologies from third party analytics providers, through which they collect information about certain customer activities across our Sites to help us compile aggregated statistics.
- Direct Marketing
We may send customers direct marketing communications about our products and services as well as new products, promotions, special offers and other information. We will do this in person, via e-mail, SMS, WAP Push, newsletters, telephonically, or through instant chat.
Customers must be able to opt-out of receiving marketing materials from us at any time and manage their communication preferences by:
- Following the unsubscribe instructions included in each marketing communication from us or telling us they wish to unsubscribe;
- Sending an email to the sender of the marketing communications; or
- Registering on the Do Not Contact list of the Direct Marketing Association of South Africa which can be found on dmasa.org
- Including their details and a description of the marketing material they no longer wish to receive from us.
We must comply with such customer requests as soon as is reasonably practicable but no longer than 30 days.
Should a customer elect to opt-out of receiving marketing related communications from us, we may still send them administrative or operational messages as part of their ongoing use of our products and services which they will be unable to opt-out of.
We may not provide customer personal information to unaffiliated third parties for direct marketing purposes or sell, rent, distribute or otherwise make personal information commercially available to unaffiliated third parties, whatsoever.
In all cases, the customer may request us to stop sending marketing communications to them at any time.
- Transfer of PI across the borders of South Africa
A Responsible Party in the Republic may not transfer personal information about a data subject to a third party which is in a foreign country unless adequate levels of protection are provided by:
- the laws of that country;
- binding corporate rules of the Operator to which information is provided;
- a binding agreement between the Responsible Party in the Republic and the Operator in the foreign country;
The law, corporate rules or binding agreement must effectively uphold the principles of reasonable processing, similar to the Conditions of Lawful Processing in Chapter 3 of POPIA.
- BLT Information Officer
In terms of the Promotion of Access to Information Act (PAIA) and now POPIA, BLT (or the responsible party) must appoint and register a designated Information Officer to ensure compliance with the Act and to liaise with the office of the Information Regulator. All complaints, enquiries and investigations with regard to personal information and data privacy (as outlined in the policy above) must be referred to the BLT Information Officer.
If you have any questions about how personal data should be handled by the BLT Group, you have a privacy concern or you wish to escalate a request or a complaint relating to personal information, please contact our Data Privacy Office at the following email address: firstname.lastname@example.org
- Data Privacy Champions
In order not to fall short of our privacy obligations and to assist with the inherent privacy challenges across the organisation, Data Privacy Champions will be strategically appointed to assist with promoting the POPIA compliance programme within their own teams and to help build a privacy culture to support the business with its compliance objectives.
- Training and Awareness
Training and awareness are among the most important risk areas when it comes to data privacy readiness and ensuring POPIA compliance across the BLT Group. To ensure accountability for data privacy across the organisation, data privacy training and awareness will take place at every level of the organisation.
Consequently, all employees and management within the business must be trained and made aware of the provisions of POPIA on an ongoing basis. These initiatives will foster the adoption of a privacy by design approach whereby training and awareness are the backbone of the organisation’s data privacy culture and its compliance journey as a whole.
- Related and Applicable Policies
This policy must be read in conjunction with the following policies:
- The Promotion of Access to Information Act (PAIA) Manual and Policy
- The Data Breach and Notification Policy
- The Data Subject Access Request Policy
- The Records Management Policy / The Records Retention Policy
- The BLT website Privacy Notice.
- Policy Date
Last updated: 31 March 2021.