INTRODUCTION:

-        As a business, we are subject to the rules and principles found in the Protection of Personal Information Act 4 of 2013 (POPIA). The Act requires business to limit their use of personal data, get consent before using it, and let users withdraw their consent at a later stage. To ensure that you are informed, we have created this privacy policy, which contain several information regarding your personal information.

-        The POPIA Act covers personal information, which means any information that relates to a specific person. The law notes that this isn't limited to a "natural person" (that is, a human being) but also a "juristic person" which means an independent legal entity such as a company. The law gives a non-exhaustive list of examples of personal information. The law applies to any data processor that is legally based in South Africa. It also applies if the data processor is outside of South Africa "but makes use of automated or non-automated means in the [country]."

-        While some data privacy laws distinguish between the location of the data subject and the physical location of any data processing, this section of the law is widely interpreted as covering online activity where the data subject is in South Africa, even if the website's servers are outside the country. This is consistent with the law's stated intent of protecting the constitutional right to privacy of South African citizens.

-         

TERMINOLOGY

Important definitions for your attention would be that of processing and what is personal information:

 

Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

 

Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to

 

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

 

POPIA REQUIREMENTS:

The POPIA Act is based around meeting eight conditions to make processing of personal information lawful. We'll run down the key points here and then cover what this means in detail below:

Condition 1 Accountability

This condition says that we must make sure to comply with all eight conditions, not only when processing personal information but when deciding what data to process and why. Basically, accountability is important through all stages of interaction with personal information.

Condition 2 Processing limitation

This condition sets out a principle of minimality, meaning only processing personal information that is relevant and only to the point needed for the stated purpose.

It also says we must get prior consent to process personal information unless doing so is a legal requirement. The burden of proof is on us to demonstrate the consent. The data subject can withdraw consent at any time.

Typically, personal information can only be collected directly from the data subject or from public records.

Condition 3 Purpose specification

We must give a specific, lawful purpose for collecting personal information. We must make the data subject aware of this reason and must only retain the personal information for as long as needed to meet this purpose.

Condition 4 Further processing limitation

After collecting the personal information, we can only process it in a way that's necessary for, and relevant to, the original stated purpose.

Condition 5 Information quality

We must make sure the personal information is "complete, accurate, not misleading and updated where necessary."

Condition 6 Openness

We must keep adequate records of our personal information processing. We must make the data subject aware of a range of details about the processing.

Condition 7 Security Safeguards

We must make sure data isn't lost, damaged, destroyed or accessed without authorization. Complying with this rule will involve auditing security, putting safeguards in place and then maintaining and updating those safeguards. If we use a third party to process personal information, you must make sure the third party follows this rule.

If a data breach happens, we must inform the Information Regulator and, if known, the relevant data subjects as soon as possible unless law enforcement ask us to delay doing so.

Condition 8 Data subject participation

Data subjects have the right to ask whether we store data about them. If so, the data subject has the right to either the details or a description of the personal information along with details of any third party who has had access to it.

The data subject then has the right to ask for any errors in the data to be corrected or, if relevant, destroyed. They can also object to us processing data for a specific purpose or for direct marketing.

 

INFORMATION COLLECTED BY US

Regarding employees, we collect the following:

Ø  Names, date of birth, residential address, next of kin details, contact details, email address;

Ø  Disciplinary record at the business, previous employer particulars, criminal history;

Ø  Employment and task-related experience;

Ø  SARS information and bank details;

Ø  Identity number

Regarding clients, we collect the following:

Ø  Your name, date of birth, address, contact information and email address;

Ø  Your contact with us, such as a note or recording of a call you make to us, an email or letter you send or other records of any contact you have with us;

Ø  Particular documents and information pertaining to your instruction; and

Ø  Your employer’s details

 

THE SOURCE OF THE INFORMATION

Unless indicated otherwise, the source of information will be from you, personally. If we receive any information from you from a third party, we will notify you thereof in order to determine the quality of such information.

 

OUR CONTACT DETAILS

stephan@millinlaw.co.za

078 676 5203 / 021 012 5706

 

OUR REASON FOR COLLECTING THE INFORMATION

Ø  To comply with the provisions of the Financial Intelligence Centre Act;

Ø  To carry out your instruction in terms of our mandate;

Ø  To examine the particulars of your instruction in order to provide the necessary and correct advice;

Ø  To obtain crucial information necessary for the drafting of correspondences, contracts, pleadings, notices or any other documents of a legal nature to be used in a dispute or that has been used in a dispute;

Ø  To keep as proof of an argument in a dispute;

Ø  To contact you in instances where instruction is required or to send our invoices and statements of account;

Ø  To verify your address for purposes of complying with the rules of Court;

Ø  To prepare the necessary trust, transfer or antenuptial documents

Ø  To transfer your information as our instruction of acting as an agent on your behalf;

Ø  To determine whether we need to appoint a correspondent for the prosecution or defence of your action; and

Ø  To determine the quantum of your matter insofar as it relates to your income.

To enable us to contact you with regard to further instruction or provision of updates on your matter.

 

COLLECTION OF INFORMATION:

You may object to the processing of the aforementioned information, which objection we may consider and will provide a response upon. We will provide an outcome of said consideration, based on the following:

Ø  How it affects our compliance with certain laws; and

Ø  How it affects the successful execution of our mandate;

Your information is collected and securely stored by us for a period of up to five years after your mandate has been finalised. After which, we are required to delete your information to such an extent that your information cannot be reproduced without your consent.

If you leave a comment on our site, you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

 

TRANSFER OF INFORMATION TO THIRD PARTIES:

The following third parties will, by default, receive your information from us:

Ø  Microsoft Office 365 / OneDrive - The servers provided by them have been used by our practice since the start. Any information received from you digitally is stored on these servers, with only us who can access it – we can confirm that they have a data protection policy in place in accordance with the standard of the GDPR;

Ø  Baobab Web Services (“BWS)” – These servers are used in relation to emails sent and received. As such, any information pertaining to yourself that is transmitted via email is passing the servers of BWS, this is only accessibly by us – we can confirm that BWS has a data protection policy in place and utilises state of the art security in transfer and receipt of emails;

Ø  South African Courts, CCMA or bargaining councils: If your matter is to be heard in a court, tribunal or other forum in South Africa, we will have to share your information, pertaining to your name and relevant details pertaining to the particular forum to the forum for purposes of the litigation of such matter;

Ø  The opposing party’s legal representative in your matter: Principles of Litigation requires litigating parties to share information that is intended to be used in a party’s case with each other prior to such a hearing before the aforementioned court date – this would in any event be the same information that is already shared with the particular court or forum;

Ø  The Master of the High Court: Pertaining to the requirements set out by the Masters office in relation to creation of trusts, administration of estates or lodging of curator applications, the Master’s office is entitled to certain information as prescribed by legislation, depending on the matter at hand;

Ø  The Registrar of the Deeds Office: Legislation such as the Deeds Registries Act and Matrimonial Property Act requires certain information to be transmitted to the Registrar for the successful transfer of a property or registration of an antenuptial contract or notarial document; and

Ø  Our bookkeepers and auditors: We are required by the Legal Practice Council to conduct annual financial audits and might require information such as your surname and file number for purposes of associating certain transactions that are relevant to your payments made. This may also include “source documents” which justifies the reason for the transaction, such as invoices issued, consents made and settlement agreements entered into. Our bookkeeper and auditor, GA Maclachlan Inc., have confirmed that they are POPIA Compliant and have a data protection policy in place.

 

INTERNATIONAL DATA TRANSFER

We do not, in our ordinary course of business, intend to transfer your data internationally, and shall obtain prior consent from you to do so.

 

YOUR PARTICIPATION:

You are welcome to contact us at the above address with regard to the following:

Ø  Further explanation with regard to our usage of your personal information

Ø  If you would like to correct your information held by us;

Ø  If you would like further information as to how we are securing your information

Ø  If you would like to receive information relating to who has access to your information

Ø  If you would like to object to the processing of your information