The risk of invading a person’s privacy through the misuse of their personal data and information has been recognised in countries around the globe, many of which have established legislation to prevent such abuse and to regulate the collection, processing, retention, safeguarding and use of personal data. The right to privacy is enshrined in the South African Constitution, which expressly states that everyone has the right to privacy. The Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) is aimed at facilitating the protection of this important right and comes into effect on 1 July 2021.
This Policy has been created to ensure that, as a responsible organisation, Blue Label is in alignment with local as well as global best practice with regard to the management of regulatory risk, including control and processing mechanisms around the protection of personal information and data privacy.
This policy applies to the BLT Group, its business units and subsidiaries, its operations, processes, systems, websites as well as all its directors, employees and/or representatives within the jurisdiction of the Republic of South Africa. Adherence to this policy will assist the BLT Group in upholding the constitutional rights afforded to persons with regard to processing personal information and safeguarding their right to privacy.
Personal information (“PI”) is defined in POPIA as information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, and includes any information that identifies or relates specifically to you, including, for example, your name, age and identity number or other national identifier, your contact address, your location, your banking details, e-mail and contact numbers. In short, personal information refers to any information that identifies a person or specifically relates to a person.
Some types of personal information are considered special personal information (“SPI”). These include personal information revealing or related to a person’s health, racial or ethnic origin, religious or philosophical beliefs, sex life, political affiliation or trade union membership, as well as criminal behaviour and proceedings related thereto.
The following are some of the most applicable and essential definitions contained in POPIA:
“consent” – means any voluntary, specific and informed expression of will in terms of which permission is given to the processing of personal information.
“data subject” – means the person to whom the personal information relates.
“de-identify” – in relation to the personal information of a data subject, means to delete any information that:
POPIA does not apply to the processing of personal information: for purely personal or household activities; that has been de-identified; processed by or on behalf of a public body for the purposes of:
POPIA further provides that the Act does not apply to the processing of personal information for the purposes of journalistic, literary or artistic expression in defined circumstances. The exclusion for journalistic purposes requires the journalist to be subject to a code of ethics that provides adequate safeguards for the protection of personal information.
The Regulator may grant exemptions to compliance with the Conditions for the Lawful Processing of Personal Information.
POPIA lists eight (8) conditions or principles for the lawful processing of personal information, namely:
Condition 1 – Accountability
Condition 2 – Processing Limitation
Condition 3 – Purpose Specification
Condition 4 – Further Processing Limitation
Condition 5 – Information Quality
Condition 6 – Openness
Condition 7 – Security Safeguards
Condition 8 – Data Subject Participation
Personal information (“PI”) must be collected and processed for a specific, explicitly defined and lawful purpose relating to a lawful function or activity of the responsible party. The data subject must be made aware of this purpose from the outset (for example, this provision should and would normally be included in the terms and conditions of a contract with the responsible party).
Personal information (“PI”) must be processed lawfully and in a reasonable manner so that it does not unnecessarily infringe on the data subject’s right to privacy. PI must be processed in terms of the purpose for which it was originally collected, and only where one of the following applies:
- the data subject has consented to the processing; or
- the processing is required for the completion of a transaction or the conclusion of a contract or agreement (for example a credit or hire-purchase agreement, a lease, or a buy-and-sell agreement) entered into by the data subject; or
- the processing is permitted in terms of a law (for example, but not limited to, the Companies Act; the Consumer Protection Act (CPA); the Electronic Communications and Transactions (ECT) Act; the Financial Advisory and Intermediary Services (FAIS) Act; the Financial Intelligence Centre Act (FICA); the National Credit Act (NCA); and the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), amongst other legislation); or
- the processing is permitted in terms of a public law duty of a public body (for example, but not limited to, the Department of Justice (DoJ), the South African Revenue Service (SARS) and the South African Police Service (SAPS), amongst others); or
- the processing protects the legitimate interests of the data subject; or
- the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Unless the processing of personal information is provided for in law (see the criteria above), the data subject may at any time and on reasonable grounds object to the processing of his or her personal information. Consequently, the responsible party may no longer process that personal information. Furthermore, non-compliance with these provisions of POPIA may result in regulatory sanction and/or hefty penalties which could adversely impact the business operations and reputation of the BLT Group.
In the first instance, the further processing of personal information must be in accordance or compatible with the purpose for which it was originally collected. Consequently, personal information collected and processed in terms of RICA for example may not be further processed for activities outside of or foreign to the permissible purposes of RICA save for any of the exceptions listed below that may apply.
Further processing of personal information is permissible in the following instances (i.e. exceptions) only:
In terms of POPIA, we are required to only process personal information for lawful purposes relating to our business in any one or more of the following circumstances:
- where an existing customer is on our customer database, meaning the customer has purchased a product from us or used our services;
- where the customer communicates, interacts and/or transacts with us, our strategic partners, VAS providers and/or promoters;
- where the customer uses our NFC services;
- where the customer’s personal information is held by another subsidiary in the BLT Group and the customer has agreed to the processing of their PI by other entities in the BLT Group;
- if, where required, the person has explicitly consented thereto;
- if the person has not requested that we refrain from processing their personal information;
- if the law or a court has consented thereto;
- if it is necessary to conclude or perform under a contract we have with the person;
- if the processing is for statistical or research purposes;
- if the law requires or permits it; and/or
- if it is required to protect or pursue a customer’s, employee’s or third party’s legitimate interest.
We may process special personal information in any one or more of the following circumstances:
- if the person has consented to the processing;
- if the processing is needed to create, use or protect a right or obligation in law;
- if the processing is for statistical or research purposes and all legal conditions have been met;
- if the special personal information was made public by the person;
- if the processing is required by law;
- if the processing is required to identify a person; and/or
- if health information is processed, and the processing is to determine the insurance risk of the person, or to comply with an insurance policy, or to enforce an insurance right or obligation.
Remember, the customer / data subject can choose not to provide personal information to us when requested. However, if their personal information is necessary to provide the customer with services and products and/or offers regarding the aforesaid, including access to our distribution channels, and/or to perform administrative functions, we may as a consequence be unable to perform such services.
We may use a data subject’s personal information for the following reasons, but this must always be in line with our business and the purpose for which the PI is collected:
- to enable the conclusion, implementation and enforcement of transactions the data subject may enter into with us or our strategic partners for products and services;
- to respond to customers’ enquiries and/or complaints;
- to process returns and/or refunds;
- to provide information about products and/or services that the customer has requested and to notify them about important changes or developments to these products and/or services;
- to follow up as part of our customer-care process;
- to update the data subject’s records on our customer database and other internal records;
- to administer offers and transactions we make and/or enter into with the customer;
- to improve our products, services and/or distribution channels;
- to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and/or rules), voluntary and involuntary codes of conduct and industry agreements, or to fulfil reporting requirements and information requests;
- to send marketing and other communications with the latest specials, deals, alerts, notifications and promotions in relation to our business, products and services, to market those products and services, and to market related products, goods and services to the customer;
- to develop, test and improve products and services for customers and to make our services, or those of our strategic partners and/or service providers, easier for customers to use;
- to detect, prevent and report theft, fraud, money laundering and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information, or avoiding liability by way of deception;
- to enforce and collect on any agreement when customers are in default or in breach of the agreement terms and conditions, for the purposes of tracing customers or to institute legal proceedings against customers;
- to contact customers for market research purposes in relation to our business or the business of the BLT Group, and to conduct market and behavioural research, including scoring and analysis to determine if customers qualify for products and services;
- to evaluate the effectiveness of our marketing and for the purposes of research, training and statistical analysis;
- for historical, statistical and research purposes, such as market segmentation;
- to record and/or assist appointed payment processors to process payment instructions (i.e. debit order or EFT);
- to manage and maintain customer relationships with ourselves;
- to enable us to deliver products, services, documents or notices to customers;
- for security, identity verification and to check the accuracy of a data subject’s personal information;
- to communicate with customers and carry out their instructions and requests;
- for customer satisfaction surveys, promotional and other competitions;
- to enable data subjects to take part in customer loyalty reward programmes, to determine their qualification for participation, earning of reward points and their rewards level, to monitor their buying behaviour with our rewards partners in order to allocate the correct points or inform them of appropriate products, goods and services that they may be interested in, or to inform our reward partners about customer purchasing behaviour;
- to enable customers to take part in and make use of VAS; and/or
- for any other customer relationship and service-related purposes.
Data subjects have the right to:
- know what information we hold about their personal details;
- access, free of charge, the information about themselves stored by us and how it is used;
- correct, destroy or delete this data as and where permitted in law;
- opt out of direct marketing calls or mail;
- remove their data from a direct marketing list;
- object on reasonable grounds to the processing of their personal information; and
- withdraw consent to the processing of their personal information.
The customer / data subject may formally submit a request to our Information Officer to access their personal information that the BLT Group holds on them. By using the PAIA tab / link at the bottom of the landing page of our primary website, customers / data subjects may refer to our Promotion of Access to Information Act No. 2 of 2000 Manual (“PAIA Manual”) for access to their PI and further information related thereto.
Data subjects also have the right to lodge a complaint with the Information Regulator about how we process their personal information. E-mail: complaints.IR@justice.gov.za
We must take all reasonable and appropriate technical and organisational steps to ensure that personal information is kept secure and is protected against unauthorised or unlawful processing, misuse, unauthorised disclosure, loss, interference, destruction or damage, alteration, disclosure or access.
Our security systems must be in line with industry best practice and standards. We must monitor system developments to ensure that our security protocols evolve as required. We must test our systems regularly, viz. through penetration and vulnerability testing.
Personal information must be destroyed or anonymised when no longer needed or when we are no longer required by law to retain it (whichever is the later). For further guidelines and requirements please refer to the Records Management / Records Retention Policy.
We are required to promptly notify the data subject if we become aware of any unauthorised use, disclosure or processing of their personal information.
Where storage is in another country, personal information must be stored in a jurisdiction that has equivalent, or better, data protection legislation than South Africa or with a service provider which is subject to an agreement requiring it to observe data protection requirements equivalent to or better than those applicable in South Africa.
Notwithstanding the above, no data transmission over the Internet or data storage system can be guaranteed to be completely secure. Customers should not send us sensitive information via email. Should a customer / data subject have reason to believe that their interaction with us is not secure (for example, if they feel that the security of any account they may have with us has been compromised), they must immediately notify us of the problem by contacting us at email@example.com.
We may retain personal information for as long as is necessary to fulfil the purpose for which it was collected (minimum period of five (5) years) unless a longer retention period is required to comply with legal obligations, resolve disputes, protect our assets, or enforce agreements. The criteria we use to determine retention periods include whether:
- we are under a legal, contractual or other obligation to retain personal information, or need to retain it as part of an investigation or for litigation purposes;
- personal information is needed to maintain accurate business and financial records;
- there are automated means to enable the customer to access and delete their personal information at any time;
- the data subject has consented to us retaining their personal information for a longer retention period, in which case we will retain personal information in line with their consent.
Personal information records may be retained for periods in excess of those stated above where they pertain to historical, statistical or research purposes, provided BLT has established the necessary safeguards against the records being used for any other purposes.
Generally accepted practice is to retain records for at least five (5) years after the date of the last transaction or from the date the relationship or contract was terminated; however, other legislation may call for personal and/or transactional records to be retained for longer periods.
Furthermore, POPIA requires a responsible party to destroy or delete a record of personal information, or to de-identify it, as soon as reasonably practicable after the responsible party is no longer authorised to retain the record, i.e. after five (5) years have elapsed or where a specific law specifies a longer period. The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.
For further guidelines and requirements please refer to the Records Management / Records Retention Policy.
In general, we will only share personal information if any one or more of the following apply:
- if the law allows it;
- if, where necessary, the data subject has consented to this;
- if it is necessary to conclude or perform under a contract that we or our strategic partners, promoters, VAS providers and/or clients have with the data subject / customer;
- if the data subject has specifically consented to the sharing of their personal information during an interaction or transaction through our distribution channels or another communication channel;
- if the law requires it; and/or
- if it is necessary to protect or pursue our legitimate interests or those of a third party.
Cookies and similar technologies collect information that the customer’s browser sends to our Sites, including browser type and information about the IP address (a unique identifier assigned to the customer’s computer or device which allows that PC or device to communicate over the Internet), together with the date, time and duration of their visit, the pages they view and the links they click on.
The information that we collect using cookies is non-personal information. Customers must always be free to decline our cookies if their browser permits, but some parts of our websites may not work properly should they elect to do so. We do not allow third parties to place cookies on our websites.
Our Sites may also contain web beacons or similar technologies from third party analytics providers, through which they collect information about certain customer activities across our Sites to help us compile aggregated statistics.
We may send customers direct marketing communications about our products and services as well as new products, promotions, special offers and other information. We will do this in person, via e-mail, SMS, WAP Push, newsletters, telephonically, or through instant chat.
Customers must be able to opt out of receiving marketing materials from us at any time and manage their communication preferences by:
- following the unsubscribe instructions included in each marketing communication from us, or telling us they wish to unsubscribe;
- sending an email to the sender of the marketing communications; or
- registering on the Do Not Contact list of the Direct Marketing Association of South Africa, which can be found at www.dmasa.org, including their details and a description of the marketing material they no longer wish to receive from us.
We must comply with such customer requests as soon as is reasonably practicable, but no later than 30 days.
Should a customer elect to opt-out of receiving marketing related communications from us, we may still send them administrative or operational messages as part of their ongoing use of our products and services which they will be unable to opt-out of.
We may not provide customer personal information to unaffiliated third parties for direct marketing purposes or sell, rent, distribute or otherwise make personal information commercially available to unaffiliated third parties, whatsoever.
In all cases, the customer may request us to stop sending marketing communications to them at any time.
A Responsible Party in the Republic may not transfer personal information about a data subject to a third party which is in a foreign country unless adequate levels of protection are provided by:
- binding corporate rules of the Operator to which the information is provided; or
- a binding agreement between the Responsible Party in the Republic and the Operator in the foreign country.
The law, corporate rules or binding agreement must effectively uphold the principles of reasonable processing, similar to the Conditions for Lawful Processing in Chapter 3 of POPIA.
In terms of the Promotion of Access to Information Act (PAIA) and now POPIA, BLT (or the responsible party) must appoint and register a designated Information Officer to ensure compliance with the Act and to liaise with the office of the Information Regulator. All complaints, enquiries and investigations with regard to personal information and data privacy (as outlined in the policy above) must be referred to the BLT Information Officer.
If you have any questions about how personal data should be handled by the BLT Group, you have a privacy concern or you wish to escalate a request or a complaint relating to personal information, please contact our Data Privacy Office at the following email address: firstname.lastname@example.org
In order not to fall short of our privacy obligations and to assist with the inherent privacy challenges across the organisation, Data Privacy Champions will be strategically appointed to assist with promoting the POPIA compliance programme within their own teams and to help build a privacy culture to support the business with its compliance objectives.
Training and awareness are among the most important risk areas when it comes to data privacy readiness and ensuring POPIA compliance across the BLT Group. To ensure accountability for data privacy across the organisation, data privacy training and awareness will take place at every level of the organisation.
Consequently, all employees and management within the business must be trained and made aware of the provisions of POPIA on an ongoing basis. These initiatives will foster the adoption of a privacy by design approach whereby training and awareness are the backbone of the organisation’s data privacy culture and its compliance journey as a whole.
This policy must be read in conjunction with the following policies:
- The Promotion of Access to Information Act (PAIA) Manual and Policy
- The Data Breach and Notification Policy
- The Data Subject Access Request Policy
- The Records Management Policy / The Records Retention Policy
- The BLT website Privacy Notice
Last updated: 31 March 2021.