WEBSITE PRIVACY POLICY | POPI | PAIA
1. INTRODUCTION
- This Website Privacy Policy (“the Policy”) is implemented as a guideline, in compliance with the provisions of the Protection of Personal Information Act 4 of 2013 (“POPI”) and its Regulations in order to give effect to the Constitutional right to privacy as enshrined by section 14 of the Constitution of the Republic of South Africa, 1996.
- This Policy will regulate the processing of Personal Information of Data Subjects who make use of the website and social media pages of Cowan-Harper-Madikizela Attorneys (“CHM”). In processing Personal Information of Data Subjects, CHM will protect privacy rights and comply with POPI and the relevant Regulations.
- This Policy further aims to help Data Subjects understand how CHM processes Personal Information when they use the website, join, access or use the social media pages.
- CHM reviews its policies regularly and may need to change or update them when necessary. Any updated versions of this Policy will be posted on the Website and will be effective from the date of posting.
2. PURPOSE AND SCOPE
- This Policy applies to Personal Information processed by CHM through its Website and social media pages. Any Personal Information collected by CHM will be linked to the scope of its business and services provided.
- The Personal Information processed by CHM includes information collected directly from the Data Subject whilst making use of the website or social media pages, or indirectly through CHM’s direct marketing campaigns on third party platforms and applications which are operated by or on behalf of CHM.
- This Policy does not apply to any third-party websites which may be accessible through links on the CHM website and/or Social Media Pages. CHM does not accept any responsibility for the privacy practices of, or content displayed on third party websites. Third party website providers are responsible for informing Data Subjects about their own privacy practices.
3. DEFINITIONS
In this Policy, unless the context requires otherwise, the following words and expressions are defined as follows:-
- “Biometric” means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
- “Child” means a natural person under the age of 18 (eighteen) years who is not legally competent without the assistance of a competent person, to take any action or decision in respect of any matter concerning him or herself;
- “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information;
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of CHM;
- “Data Subject” means the person to whom Personal Information relates and in this context, refers to any user of the CHM website and social media pages;
- “Deputy Information Officer” means any person(s) who has been designated by the Information Officer to perform certain delegated duties and responsibilities of the Information Officer;
- “Direct Marketing” means to approach a Data Subject either in person or by mail or by electronic communication, for the purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject;
- “Employees” means any employee of CHM;
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 which is a regulation on the protection of Personal Information of persons under the European Union;
- “Information Officer” means the head of a private body being either the Chief Executive Officer, the acting Chief Executive Officer or an equivalent officer or any person duly authorized by that officer. The duly appointed Information Officer is Ms Tanya Mulligan;
- “Operator” means a person or entity who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;
- “Personal Information” information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: -
- Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to education or the medical, financial, criminal or employment history of the person;
- Any identifying number, names, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- any biometric information;
- personal opinions, views, or preferences;
- correspondence that is implicitly or expressly of a personal, private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- “Policy” means this Website Privacy Policy;
- “POPI” means the Protection of Personal Information Act 4 of 2013;
- “Processing” means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information, including:-
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, blocking, degradation, erasure, or destruction of information;
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- “Process” and “Processed” has the same meaning;
- “Regulator” means the Information Regulator of South Africa established in terms of section 39 of POPI;
- “Responsible Party” means a public or private body or any other person which alone, or in conjunction with others, determines the purpose of and means for Processing Personal Information. In the circumstances, CHM is the Responsible Party;
- “Special Personal Information” means Personal Information referred to in terms of section 26 of POPI, namely Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health or sex life, sexual orientation, biometric information, or criminal behaviour.
- “Third Party” means a representative of CHM such as a contractor, agent, consultant, sub-contractor etc;
- “Website” means the CHM website which is accessible at https://www.chmlegal.co.za
4. LAWFUL PROCESSING OF PERSONAL INFORMATION
- CHM is required, in the normal exercise of its functions and obligations as a business entity, to process the Personal Information of Data Subjects from time to time.
- CHM, as the Responsible Party, will only Process a Data Subject’s Personal Information in accordance with the eight conditions of lawful processing as set out in POPI.
- The Data Subject may withdraw consent or may object to CHM’s processing of the Personal Information at anytime. It is recorded however that such withdrawal or objection will not affect the lawfulness of any processing of Personal Information which was done prior to the withdrawal or objection.
- In circumstances where the consent is withdrawn or if there is a justified objection against the processing of such Personal Information, CHM may no longer process the Personal Information.
- Data Subjects who withdraw their consent to the processing of Personal Information or objects to the processing of their Personal Information where CHM requires it, those Data Subjects may not be able to access the Website or join, access or use the social media pages or enjoy the full use and benefit of the website.
5. COLLECTING PERSONAL INFORMATION
- CHM will always collect Personal Information in a fair, lawful and reasonable manner which does not adversely affect the rights of the Data Subject.
- As a general rule, CHM will always collect Personal Information directly from Data Subjects, unless in circumstances where the Data Subject has made the Personal Information public, or the Personal Information is contained in or derived from a public record, or in the event that any other exception is applicable in terms of POPI.
- Where CHM collects Personal Information from Third Parties, CHM will ensure that it obtains the consent of the Data Subject.
6. PURPOSE FOR PROCESSING PERSONAL INFORMATION
- CHM will only process Personal Information for a specific, explicitly defined and lawful purpose related to the exercise of its functions and obligations as a business entity. CHM will ensure that such purpose is identified and explained to the Data Subject.
- CHM will process Personal Information for one or more of the following non-exhaustive purposes: -
- carrying out any actions necessary for the conclusion or performance of the contract and when a Data Subject purchases services, legal packages and accepts other offers on or through the Website;
- updating its records;
- processing and responding to any correspondence from Data Subjects;
- marketing, subject to paragraph 7 below and POPI;
- any other purposes to which the Data Subject may consent from time to time; and
- for any other lawful purpose.
- carrying out any actions necessary for the conclusion or performance of the contract and when a Data Subject purchases services, legal packages and accepts other offers on or through the Website;
7. DIRECT MARKETING
- CHM may only use Personal Information to contact the Data Subject for purposes of Direct Marketing where it is permissible to do so and in accordance with POPI.
- CHM may use Personal Information of a Data Subject to contact them for direct marketing purposes under the following circumstances:-
- If the Data Subject is one of CHM’s existing clients; or
- the Data Subject has requested or consented to receiving marketing material from CHM.
- If the Data Subject is one of CHM’s existing clients; or
- The Data Subject may object to the use of their Personal Information for CHM’s marketing purposes and CHM must ensure that a reasonable opportunity is given to the Data Subject to object.
- If a Data Subject request that CHM stops Processing their Personal Information for marketing purposes, CHM shall do so. CHM encourages Data Subjects to make use of the opt-out links or forms should they no longer wish to have their Personal Information processed for direct marketing purposes.
8. TRANSBORDER INFORMATION FLOWS
- CHM may only transfer a Data Subject’s Personal Information for some of the purposes listed in POPI and where other relevant legislation permits.
- CHM acknowledges that it may not transfer Personal Information to jurisdictions which do not have laws governing the protection of Personal Information or whose laws are not of an equivalent status to POPI.
- Where a Data Subject’s Personal Information is transferred outside of South Africa, CHM will take all reasonable steps to ensure that any transferred Personal Information is safeguarded and is afforded a similar level of protection as that which it receives in South Africa.
9. SPECIAL PERSONAL INFORMATION
- CHM will seek to obtain the specific consent of Data Subjects to the processing of their Special Personal Information.
- CHM acknowledges that it will generally not process Special Personal Information unless it is for one of the non-exhaustive reasons:-
- the Data Subject has explicitly consented; or
- the Special Personal Information has made public by the Data Subject; or
- processing is necessary for reasons of public interest; or
- processing is necessary for the establishment, exercise or defence of a right or legal claim or obligation in law;
- processing is for historical, statistical or research purposes, subject to stipulated safeguards; or
- For any other lawful reason.
- the Data Subject has explicitly consented; or
10. SAFEGUARDING OF PERSONAL INFORMATION
- CHM treats any and all Personal Information processed by it as confidential and shall make every effort to ensure the security and integrity of such Personal Information is not compromised.
- Furthermore, CHM will ensure that reasonable, technical and organisational measures are put in place in order to mitigate or prevent loss, unlawful and unauthorised access and destruction of Personal Information.
- CHM will ensure that it maintains and regularly verifies that the security measures are effective and regularly update same in response to new risks.
11. RETENTION OF PERSONAL INFORMATION
- CHM will not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or processed. The exception to this rule shall apply in the following circumstances:-
- where the retention of the record is required or authorised by law;
- the Data Subject has consented to retaining the Personal Information for a longer period;
- CHM retains the record in order to fulfil its lawful functions or activities;
- the retention of the record for extended periods is required by a contract between the Data Subject and the Responsible Party;
- the record is retained for historical, research or statistical purposes on condition that the necessary measures and safeguards are implemented so as to prevent the use of the information for any other purpose.
- where the retention of the record is required or authorised by law;
- Once the purpose for which the Personal Information was initially collected and processed no longer applies, CHM will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that it cannot be reconstructed to identify the Data Subject.
12. STORAGE AND PROCESSING OF PERSONAL INFORMATION BY CHM AND THIRD-PARTY SERVICE PROVIDERS
- Personal Information may be stored by CHM or Third Parties, by way of hard copy devices or formats, electronic platforms, cloud services or other technology.
- Third Parties may only have access to Personal Information of Data Subjects in circumstances where they have contracted with CHM and serve to support CHM’s business operations.
- CHM will ensure that such Third-Party service providers will process the Personal Information in accordance with the provisions of this Policy, read with POPI, and where applicable, the GDPR.
13. BREACHES OF PERSONAL INFORMATION
- Data Breaches refer to incidents or allegations of unlawful or unauthorised processing of Personal Information, which would also include the loss of, destruction of, access to Personal Information by any unauthorised person.
- CHM will address any Data Breach in accordance with the terms of POPI, its Breach Policy and GDPR (where applicable).
- CHM will notify the Regulator and the affected Data Subject in writing in the event of a Data Breach, or a reasonable belief of a Data Breach. In circumstances where there is a breach, the affected Data Subject will be informed by CHM’s Information Officer or Deputy Information Officer.
- CHM will notify the Regulator as soon as reasonably possible and, where practicable, no later than 72 (seventy-two) hours after becoming aware of such Data Breach.
- In circumstances where CHM acts as an Operator, it will notify the Responsible Party of any Data Breaches.
14. INFORMATION QUALITY
- CHM will take reasonably practicable steps to ensure that all Personal Information is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which the Personal Information has been collected.
- It is important to note that CHM requires the Data Subject to notify it in writing of any updates to his/her/its Personal Information.
15. DATA SUBJECT PARTICIPATION
- Data Subjects may, after providing adequate proof of their identity, request access to relevant Personal Information in the possession of CHM which must be provided to the Data subject.
- Data Subjects may request that their Personal Information be corrected or deleted or that a record containing Personal Information of the Data Subject be destroyed or deleted if the Data Subject believes that the Personal Information or record of the Personal Information is inaccurate, irrelevant, excessive, incomplete, outdated or obtained unlawfully.
- CHM must, when in receipt of a request to correct, update or delete Personal Information, do so in compliance with POPI.
- CHM will try to provide Data Subjects with suitable means of accessing information, where Data Subjects are entitled to it, by for example, posting or emailing it to them.
- CHM may refuse Data Subjects access to their Personal Information if their access would interfere with the privacy of others or would result in a breach of confidentiality. If CHM refuses access, it will give written reasons for its refusal.
- CHM may charge a reasonable fee to cover its administrative and other reasonable costs in providing the information to Data Subjects. The prescribed fees to be paid for copies of the Data Subject’s Personal Information are listed in the PAIA Manual.
16. TIME PERIODS
CHM will endeavour to respond to each written request to update, delete or correct personal information of a Data Subject within 30 (thirty) days of such requests being made. Where necessary, CHM may extend the 30 (thirty) day period for a further period.
17. USE OF WEBSITE COOKIES
- CHM’s website uses cookies, which are small text files are often used by websites or other platforms to recognise repeat Data Subjects and are also used to ensure that the website functions properly.
- CHM makes use of “cookies” to automatically collect information and data about Data Subjects.
- Data Subjects may elect to block cookies. However, this may result in the Data Subject being unable to fully access and enjoy parts of the CHM website.
- As the website and social media pages are accessible via the internet, and the internet is inherently insecure, CHM cannot provide any assurance regarding the security of the transmission of information Data Subjects communicate to CHM online.
- CHM also cannot guarantee that the information Data Subjects supply will not be intercepted while being transmitted. Accordingly, any Personal Information or other information which Data Subjects transmit to CHM online is transmitted at the Data Subjects’ own risk. CHM will however ensure that the Personal Information in its possession is protected.
18. CHM’S CONTACT DETIALS
NAME OF BODY
Cowan-Harper-Madikizela Attorneys
PHYSICAL & POSTAL ADDRESS
136 Sandton Drive, Sandhurst
Sandton, 2196
Po. Box 318, Gallo Manor, 2052
Tel: 011 783 8711/011 048 3000
Fax: 011 784 1641
INFORMATION OFFICER
Ms Tanya Mulligan
E: tmulligan@chmlegal.co.za
T: + (011) 783 8711
F: + (011) 784 1641
DEPUTY INFORMATION OFFICER
Ms Gael Barrable
E: gbarrable@chmlegal.co.za
T: + (011) 783 8711
F: + (011) 784 1641
If a Data Subject is unsatisfied with the way CHM addresses any complaint regarding CHM’s processing of Personal Information, the Data Subject can contact the office of the relevant Regulator.