In accordance with the Protection of Personal Information Act, 2013
INTRODUCTION
The Protection of Personal Information Act (POPI) is intended to balance the scale legally between protecting a person’s constitutional right to privacy (which requires our personal information to be protected) and the needs of business to have access to and to process (work with) a person’s specific personal information to perform the task they set out to do.
Definition of SPECIFIC WORDS/PHRASES used in the Act:
Data Subject: The person to whom the personal information relates. It is a living, identifiable natural person or an existing juristic person (companies, cc, trust, public entity (Mun)), e.g., Seller / Buyer / employee.
Responsible Party: The person/s or company responsible for the processing of personal information, whether it is to collect it, keep it safe, disseminate it or destroy it to perform a specific task, e.g., Principal / estate agency / Trustees / Body corporate.
Operator: The party processing personal information on behalf of the responsible party. The responsible party retains accountability. This is the estate agency personnel who are processing the information, or a third party if the processing is outsourced, e.g., IT company.
Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, shared, kept, up to the time that the information is destroyed, regardless of whether the information is a hard copy, or in electronic format.
PROCESSING PERSONAL INFORMATION AND PROTECTING THE RIGHTS OF OUR CLIENTS:
We undertake to implement, monitor, and maintain the eight (8) conditions for the lawful processing of personal information, to always follow the POPI Act, and to process personal information while protecting the right to privacy of our clients.
The Principal/Manager (responsible party) must ensure that the conditions and all the measures set out in the Act are followed through in the office.
2. Processing Limitation
Personal information may only be processed in a fair and lawful manner and only with the consent of the person whose information it is (data subject) and for the intention it was collected for.
The personal information must be obtained directly from the person (Data Subject)
The person should be aware that we gather his/her information and should consent to the information being used.
If a third party is being used to collect personal data, the person (Data Subject) must consent to this information being shared and used by us first.
Only information that is required for the specific purpose for which it is gathered may be stored. (No more than what is necessary)
3. Purpose Specific
We limit the amount of personal information collected and processed to only what is fit for the purposes as needed.
The specific purpose must be documented and adhered to.
The Data Subject has the right to know what information we have and for what purpose it was gathered.
We will have to be able to link all personal information collected to legitimate reasons for collecting.
Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed.
We will be required to account for what information we hold, for what purpose it was gathered and the date on which that information must be destroyed.
We will destroy Personal Information, in a manner that prevents its reconstruction, after we are no longer authorized to retain such records.
4. Further Processing Limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
We retain personal information only for as long as it is needed, or longer if required by law.
If we retain your personal information for budget or statistical purposes, we ensure that the personal information cannot be used further. (It will be de-personalised)
Before we use existing personal information for any other purpose, other than what the information was gathered for, consent will be required from the Data Subject again.
If he/she refuses, processing will stop.
When gathering information, we will advise the Data Subject what the information will be used for and for what period we will hold that information.
5. Information Quality
While in our possession, together with the data subject’s assistance, we try to maintain the accuracy of personal information.
We will obtain information directly from the data source to ensure accuracy, as far as possible.
When advising Data Subjects of the information we hold and for what purpose we hold it, they will be given details of how to check, and update their information or withdraw consent.
The data subject whose information we are collecting will be made aware that we are collecting such personal information, for what purpose the information will be used, and of her/his rights. (Even if this is public record or he/she consented to collection from a 3rd party)
We will gather personal information from Data Subjects after they have signed a consent form.
The Data Subject will be informed of how the data will be used at the time of gathering the information.
The Data Subjects will be given a letter with the details of the principal (responsible person) in our agency and the Information Regulator contact details.
The Data Subject will be advised of his/her rights to complain to the Information Regulator if misuse is suspected.
The Data Subject will always be advised of his/her rights to access his/her information and to object to the processing of said information.
7. Security Safeguards
We restrict, secure, and control all our information against unauthorised access, interference, modification, damage, loss, or destruction; whether physical or electronic.
We will do a safety and security risk assessment from time to time to ensure we keep up with requirements and this will be discussed at our monthly staff meeting for all personnel’s input.
Our staff must be informed / trained to be compliant with the POPI Act, and this training must be ongoing and up to date.
We do everything we can to prevent personal information from falling into unauthorized hands.
Our business premises where records are kept must remain protected by access control, burglar alarms and armed response.
All our laptops, phones and computer network are protected by passwords which we change on a regular basis.
We are using Outlook 365, which complies with industry standard security safeguards and meets the General Data Protection Regulation (GDPR), which is standard in the European Union. We have firewalls and use antivirus software.
We are a small estate agency, so it is easy to determine which employees are permitted to access personal information and what information they are permitted to access.
Personal information can only be accessed or modified by those employees with the passwords authorising them to do so.
The online profiles and access of staff who left the agency must be properly deleted.
Each employee uses his/her own password to access the data, therefore we can identify the source of a data breach and we can neutralize such a breach.
If there is a data breach, we will determine the source, neutralise it and prevent the re-occurrence of such a data breach.
When we make use of an external operator our principal (responsible party) will, in terms of a written contract between our agency and the operator, ensure that the operator establishes and maintains the required security measures.
The operator must advise immediately if there is the possibility that personal data has been accessed or acquired by any unauthorized person.
The Data Subject will be advised via e-mail or in writing immediately if it is suspected that their personal information has been accessed by unauthorized persons. Sufficient information will be provided to allow the Data Subject to put measures in place to safeguard themselves against potential consequences of the security compromise.
The Information Regulator will be informed in the event of a security breach where personal information could be compromised. It is the duty of the Responsible Person to ensure this process is followed.
8. Data Subject Participation
Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
Data Subjects may request information from us on whether we are holding their personal information.
This request will not be declined, and we will not charge for it.
The Data Subject has the right to correct the personal information that we hold.
They also have the right to withdraw consent at any time.
WHAT PERSONAL INFORMATION DO WE COLLECT?
We only collect the minimum amount of information that is relevant to the purpose. If you interact with us on the internet, the personal information we collect depends on whether you just visit our website or require our services. If you visit our website, your browser transmits some data automatically, such as your browsing times, the data transmitted and your IP address.
If you use our services, personal information is required to fulfil the requirements of that service.
We usually collect only name and contact details and financial qualification (if completed by you), with property needs and requirements, when we assist a buyer in finding a property.
While doing a price estimation to place a property on the market, we need the basic info and will be able to source the property info from the deeds office systems (Lightstone / Windeed /SAPTG).
To assist selling the property we need to have basic personal info and financial info to know if the sellers will be able to sell the property, cancel the bond, pay all fees, and move to another property.
Generally, we collect the following personal information to complete contracts. If there is any specific personal information to collect, we will indicate as such, at the time of collection.
Name, surname, and maiden name
Physical / postal address / erf number / complex details
Financial & banking details (for bond qualification - buyers and bond cancellations -sellers and rentals)
WHO MIGHT WE SHARE YOUR PERSONAL INFORMATION WITH?
To maintain and improve our services, your personal information may need to be shared with or disclosed to our service providers:
colleagues or other estate agencies,
in some cases, public or legal authorities.
TRANSBORDER INFORMATION FLOWS
Estate agencies are unlikely to process personal information to be sent transborder, but if there is an international component to the work which we are doing for you, and if we are required to share your personal information with an overseas recipient, you are entitled to ask us how your personal information will be protected in this foreign country, and we will endeavour to assist you.
CIRCUMSTANCES REQUIRING PRIOR AUTHORISATION
Estate agencies are unlikely to process personal information under circumstances requiring authorisation from the regulator, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.
SPECIAL PERSONAL INFORMATION
While we recognise that protecting all personal information is important in gaining and maintaining your trust, special personal information is often afforded a higher level of protection. Estate agencies are unlikely to process special personal information, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.
THE PROCESSING OF PERSONAL INFORMATION OF CHILDREN
Estate agencies are unlikely to process any personal information of children, except maybe with a young student or where adults put a property in a child’s name.
To all students. (Student accommodation)
This is an especially important notice which we must share with you and any one of your parents or legal guardians if you are under the age of 18. To make use of our services, we need information which is personal to you. For example, your name, your email address, and your phone number. It might be so that we cannot use your information unless your parent agrees.
To parents / legal guardians
In order for children to make use of our services we need to use their personal information and for this we are required by law to obtain the consent of a parent or legal guardian. Before deciding on consent, it is important for parents to understand our information security and privacy policies. It is equally important for parents to explain to children, the implications of not providing our organisation with the proper consent. Please sign our consent form on behalf of your child.
Where we as an estate agency want to contact a person for the first time with marketing communication which was not requested (unsolicited),
the agency must obtain consent before any marketing to individuals.
The agency may approach someone for direct marketing consent once only,
and only if they have not withheld consent previously.
We may only carry out direct marketing (using any form of communication) to previous clients if:
the potential client was given an opportunity to object to receiving direct marketing material by us, at the time that their personal information was collected.
and they did not object then.
or at any other time, after receiving any such direct marketing communications from us.
We may only approach clients using their personal information,
if we have obtained their consent to use their personal information in the context of providing services associated with marketing to them,
and we may then only market estate agency services to them.
We will stick to permitted contact times.
The prohibited times for marketing are:
Sundays or public holidays.
Saturdays before 09h00 and after 13h00.
and all other days between the hours of 20h00 and 08h00 the following day
We are aware that we are not allowed to use lists purchased from a lead generation business if:
we purchased them without obtaining confirmation from the list's provider that the records have been obtained and stored in a way that is compliant with POPIA.
The “unsubscribe” option must be on our marketing e-mails.
All electronic direct marketing communications must contain an “unsubscribe” option.
We will include the sender’s details on all e-mails.
An address or other contact details to which the recipient may reply/send a request that such communications cease.
DATA BREACH NOTIFICATION
Where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the estate agency (as responsible party), or any third-party, processing personal information, on instruction from the estate agency (the operator), must notify the Information Regulator and the data subject in writing as soon as possible.
THE INFORMATION REGULATOR IS RESPONSIBLE FOR THE INVESTIGATION AND ENFORCEMENT OF POPIA.
A person contravenes the provisions of POPIA if he/she/it:
hinders, obstructs, or unlawfully influences the Information Regulator.
fails to comply with an information or enforcement notice.
gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation.
contravenes the conditions.
knowingly or recklessly, without the consent of the responsible party, obtains, discloses, or procures the disclosure of, sells, or offers to sell details of a data subject to another person; and will be guilty of an offence.
QUERIES OR COMPLAINTS
Should you have any queries or complaints about this policy, you may email our information officer, Di Ahlfeld at firstname.lastname@example.org.
THE SA INFORMATION REGULATOR
You have the right to lodge a complaint with the SA Information Regulator.
The Information Regulator (South Africa)
PO Box 31533 Braamfontein
27 Stiemens Street Braamfontein 2017
complaints.IR@justice.gov.za