The Protection of Personal Information Act No. 4 of 2013 (“POPIA”/ “POPI”)
Organisation – Carpe Diem Media 2002/002907/07
Scope of policy – This policy applies to the business of the organisation wherever it is conducted, but based at the registered office. It applies to directors, paid staff, customers and suppliers. This policy describes the types of personal information that we may collect about you, the purposes for which we use the information, the circumstances in which we may share the information and the steps that we take to safeguard the information to protect your privacy.
Policy operational date –
Date approved by Information Officer-
Next policy review date –
Purpose of policy – The purpose of this policy is to enable the organisation to:
comply with the law in respect of the data it holds about individuals;
follow good practice;
protect the organisation’s staff and other individuals
protect the organisation from the consequences of a breach of its responsibilities.
Personal information – This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).
Policy statement – The organisation will:
comply with both the law and good practice
respect individuals’ rights
be open and honest with individuals whose data is held
provide training and support for staff who handle personal data, so that they can act confidently and consistently
The organisation recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
keeping information securely in the right hands, and
retention of good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the organisation will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
Key risks – The organisation has identified the following potential key risks, which this policy is designed to address:
Breach of confidentiality (information being given out inappropriately)
Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
Failure to offer choice about data use when appropriate
Breach of security by allowing unauthorised access
Harm to individuals if personal data is not up to date
Data Operator contracts
Information Officer Responsibilities
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.
Information Officer Responsibilities – The Information Officer has the following responsibilities:
Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
Reviewing the POPI Act and periodic updates as published
Ensuring that POPI Act induction training takes place for all staff
Ensuring that periodic communication awareness on POPI Act responsibilities takes place
Ensuring that Privacy Notices for internal and external purposes are developed and published
Handling data subject access requests
Approving unusual or controversial disclosures of personal data
Approving contracts with Data Operators
Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
Handling all aspects of relationship with the Regulator as foreseen in the POPI Act
Provide direction to any Deputy Information Officer if and when appointed
Appointment – The appointment of the organisation Information Officer will be authorised by the Designated Head. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and to the need for any Deputy to assist the Information Officer.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
Processing Limitation – The organisation undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
Forms of consent – The organisation undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.
Nature of Personal Information – The organisation has used the Data Inventory to identify all instances of personal information in the organisation.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.
Purpose specification – The organisation undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).
Retention periods – The organisation will establish retention periods for at least the following categories of data:
Further processing limitation
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
Further processing limitation – The organisation undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, section 15.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5. The organisation will comply with all of the aspects of Condition 5, section 16.
Accuracy – The organisation will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Updating – The organisation will review all personal information on an annual basis. Should your personal information change, please inform us and provide us with updates to your personal information as soon as reasonably possible to enable us to update your personal information.
Archiving – All Personal Information which you provide to the Company will be held and/or stored securely for the purpose of collection. Your Personal Information will be stored electronically in a database. Where appropriate, some information may be retained in hard copy. In either event, storage will be secure and audited regularly regarding the safety and the security of the information.
Where data is stored electronically outside the borders of South Africa, such is done only in countries that have similar privacy laws to our own or where such facilities are bound contractually to no lesser regulations than those imposed by POPI.
Once this information is no longer required, due to the fact that the purpose has been served, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008, or longer, should this be required by any other law applicable in South Africa. Thereafter, all your Personal Information will be permanently destroyed. Information about our members is an important part of our business and we do not sell it to others. The Company shares customer information only as described below.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.
Openness – In line with Conditions 6 and 8 of the Act, the organisation is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
for what purpose it is being processed;
what types of disclosure are likely; and
how to exercise their rights in relation to the data.
Procedure – Data Subjects will generally be informed in the following ways:
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, and sections 19 to 22. This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.
Specific risks – The organisation has identified the following risks:
Staff with access to personal information could misuse it.
Staff may be tricked into giving away information, either about customers/members or colleagues, especially over the phone, through “social engineering”.
Setting security levels – Access to information on the organisation’s main computer system will be controlled by function.
Security measures – The organisation will ensure that all necessary controls are in place in terms of access to personal information.
Business continuity – The organisation will ensure that adequate steps are taken to provide business continuity in the event of an emergency.
Data Subject participation
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.
Responsibility – Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.
Procedure for making request – Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay.
Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the organisation’s PAIA Manual.
Provision for verifying identity – Where the individual making a subject access request is not personally known to the POPI Act Information Officer, their identity will be verified before handing over any information.
Charging – Fees for access to personal information will be handled in compliance with the PAIA Act.
Procedure for granting access – Procedures for access to personal information will be handled in compliance with the PAIA Act, as defined in the organisation’s PAIA Manual.
Data Subject’s rights – You have the right to request a copy of the personal information we hold about you or to object to the processing of personal information held about you. To do this, contact us at the numbers/addresses listed earlier and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information. We make use of a variety of mediums for marketing purposes, which include, but are not limited to, text messages, phone calls and e-mail communication, to the numbers and addresses provided by you, with your consent.
You have the right to ask us to update, correct or delete your personal information. You may do this by contacting us at the numbers/addresses provided earlier. We will take all reasonable steps to confirm your identity before making changes to personal information we may hold about you. We would appreciate it if you would keep your personal information accurate. Please update your information by contacting us at the numbers/addresses provided earlier whenever your details change.
Processing of Special Personal Information
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.
Processing of Special Personal Information – The organisation has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences.
Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information applies, a responsible party is prohibited from processing special personal information.
Processing of Personal Information of Children
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.
Processing of Personal Information of Children – The organisation has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records.
General authorisation concerning personal information of children only applies where under-18s are involved.
You input your credit/debit card information directly on the payment gateway portal and the organisation does not receive any credit/debit card information during order processing.
It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off and log off when finished using a shared computer.
Subscriptions and newsletters
By subscribing to any of our newsletters, you give the organisation permission to send marketing emails, which include special offers and new product information, from us and our partnering businesses, to the email address that you have provided and registered with. Please note that you are at liberty to unsubscribe at any time.
Our eReader is based on Verrso digital reader, which can be downloaded on Google Play. When you use the Verrso eReader, you agree that your data may be collected by and transmitted to Verrso via the eReader.
Trips and functions
When you book a function or trip with us, you consent to some of your personal information being provided on a need-to-know basis to our third party service providers and associates. Functions and trips are sometimes organised with assistance from third party service providers who assist us to interact with you via our website, email or any other method, for the arranging, booking and paying of trips or functions, and who thus need to know your personal information in order to assist us to communicate with you properly and efficiently.
Our function and trip associates may collect, receive, use and share this data, but only in accordance with their Privacy Policies as amended from time to time.
Whilst we will do all things reasonably necessary to protect your rights of privacy, we cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of your personal information, whilst in our possession, made by third parties who are not subject to our control, unless such disclosure is as a result of our gross negligence.
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
Direct Marketing, Directories and Automated Decision Making – The organisation undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
Opting in – Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
Electronic contact – Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
Trans-border information flows
Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.
Trans-border information flows – The organisation will ensure that the POPI Act Chapter 9, section 72 is fully complied with.
Compliance with section 72 will be achieved through the use of the necessary contractual commitments from the relevant third parties.
Staff training & acceptance of responsibilities
Scope – The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
Documentation – Information for staff is contained in this policy document and other materials made available by the Information Officer.
Induction – The Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.
Continuing training – The organisation will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.
Procedure for staff signifying acceptance of policy – The organisation will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.
Protection Of Personal Information
We strive to keep the personal information of our customers confidential and have taken steps to comply with the Protection of Personal Information Act. If you have any questions or concerns relating to your privacy or our use of your personal information, please contact us via email on firstname.lastname@example.org
Responsibility – The Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.
Procedure – The Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.