POPIA

Policy

 

Version

1

Publishing Date

1 July 2021

Last Review Date

n/a

Frequency of Review

annually

Next Review Date

1 July 2022

Policy Owner

Compliance Department

Responsible Business Unit/s

Information Officer and Deputy Information Officer/s

 

  1. INTRODUCTION

The right to privacy is a human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 2013 (“POPIA”).

Pixel Forest Pty (Ltd) Reg# – 2018/010485/07 as [*] services providers, collects, uses and discloses the personal information (PI) of its clients, partners or third-party service providers, employees and other legal and business connections. 

A person’s (juristic and non-juristic) right to privacy entails having control over their personal information and being able to conduct their affairs relatively free from unwanted disclosures or intrusions.

  1. PRIVACY STATEMENT
    1. Pixel Forest is committed to protecting personal information. This policy describes why and how we collect and use and disclose personal data and provides information about rights in relation to personal information.
    1. It applies to personal information provided to us, both by data subjects themselves or by others. We may use personal data provided to us for any of the purposes described in this policy or as otherwise stated at the point of collection.
    1. In this policy, we refer to information about you or information that identifies you as “personal data” or “personal information”. Like POPIA we may collectively refer to collecting, receiving, recording, organising, collating, storing, updating, disseminating and using personal information as “processing” such personal information.
    1. Pixel Forest, its subsidiaries, associate companies, business partners and third parties are obliged to process personal information collected through distribution channels and other channels as private and confidential.
    1. Pixel Forest itself and through third-parties collects personal information from the data subject and where, lawful and reasonable, we collect personal information about you from third parties and from publicly available sources, such as credit reporting and or government agencies;
    1. Our security systems are designed to prevent loss, unauthorised destruction, damage and/or access to your personal information by unauthorised third parties;
    1. As a data subject, you may: (a) ask us to give you a description of your personal information that we hold; and (b) ask us to correct or update your personal information through our customer service channels;
    1. The information collected by Pixel Forest may also be disclosed to a public body in terms of a law binding on Pixel Forest to fulfil obligations imposed by law.
  1. REASONS FOR PROCESSING
    1. Pixel Forest collects personal information relating to its business as a service provider, including:
  1. Negotiating and finalizing project or work agreements and contracts; 
  2. Sharing advice, costs and quotes for products and services (solutions); 
  3. Assisting with administering and/or managing solutions; 
  4. Managing related issues on projects, products and services; 
  5. Notifying of new services, products or developments that are relevant / of interest to you; 
  6. Confirming, verifying and updating your details; 
  7. Addressing requests and requirements as raised; 
  8. Complying with any contractual, legal and regulatory related obligations.
      1. Processing personal information enables Pixel Forest to discharge its operational, service and legal obligations and to perform its functions as an employer within the framework of employment relationships as is required by law and for the recruitment of new employees of Pixel Forest; and
      1. for the purposes of contracting and entering into agreements with third party service providers including those performing intermediary function, binder functions and or outsource functions, who may be the policyholder’s appointed third-party.
  1. DEFINITIONS
    1. Personal Information

Personal information is information used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:

  • race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person;
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
    1. Data Subject

A natural or juristic person to whom personal information relates.

    1. Responsible Party

The person who determines the purpose of and means for processing the personal information.

    1. Operator

An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

    1. Information Officer

The Pixel Forest Information and/or Deputy Officers are responsible for ensuring Pixel Forest’s compliance with POPIA.

    1. Processing

The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as any restriction, degradation, erasure or destruction of information.

    1. Record

Any recorded information, regardless of form or medium, including: Writing on any material, information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored, a label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means, a book, map, plan, graph or drawing, a photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.

    1. Filing System

Any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

    1. Unique Identifier

Any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

    1. De-Identify

To delete any information that identifies a data subject or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.

    1. Re-Identify

To resurrect any personal information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.

    1. Consent

Any voluntary, specific and informed expression of will in terms of which permission to process personal information is given.

    1. Biometrics

A technique of personal identification based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, and voice recognition.

  1. POLICY PURPOSE

The purpose of this policy statement is to prevent compliance risks including:

  • Breaches of law;
  • Breaches of confidentiality;
  • Unfair treatment of policyholders;
  • Reputational damage.

This policy demonstrates Pixel Forest’s commitment:

  • Through stating desired behaviour and directing compliance with the provisions of POPIA;
  • By cultivating an organisational culture that recognises privacy as a valuable human right;
  • By developing and implementing internal controls for the purpose of managing the compliance risk;
  • By creating business practices that will provide reasonable assurance that the rights of data subjects are protected;
  • By assigning specific duties and responsibilities;
  • By raising awareness through training.
  1. POLICY APPLICATION

This policy statement and its guiding principles apply to:

  • Pixel Forest’s management (governing) body;
  • HR Staff members of Pixel Forest;
  • All branches, business units and divisions of Pixel Forest;
  • All Pixel Forest employees and volunteers;
  • Pixel Forest Clients;
  • Approved intermediary and/or outsourced legal service providers of Pixel Forest;
  • Regulatory and Law entities;
  • Third-party officers / consultants / professional advisers / investigators.

 

  1. RIGHTS OF DATA SUBJECTS

Clients and customers must acquaint themselves with their rights including the following:

    1. The Right to Access Personal Information

A data subject has the right to establish whether Pixel Forest holds personal information and to request that personal information. A “Personal Information Request Form” can be found as Annexure A for submission to the Information Officer.

    1. The Right to have Personal Information Corrected or Deleted

The data subject has the right to request that the personal information must be corrected / deleted where Pixel Forest is no longer authorised to retain the personal information. Please contact Pixel Forest’s Information Officer.

    1. The Right to Object to the Processing of Personal Information

The data subject has certain rights, on reasonable grounds, to object to the processing of their personal information which is not required by Pixel Forest to enter into and perform its contract or to protect your legitimate interests or Pixel Forest’s legitimate interests or to comply with any obligation imposed by law.

Pixel Forest will give due consideration to the request and the requirements of POPIA. Subject to their lawful requirements, Pixel Forest may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.

    1. The Right to Complain to the Information Regulator

The data subject has the right to submit a complaint to the Information Regulator. The “POPIA Complaint Form” can be found as Annexure B.

7.6 The Right to be Informed

Pixel Forest’s privacy notice serves the purpose of informing data subjects that, and why, their personal information is being collected by Pixel Forest.

The data subject has the right to be notified in any situation where Pixel Forest has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.

  1. GENERAL GUIDING PRINCIPLES

All employees including human resources (HR) and persons acting on behalf of Pixel Forest are subject to, and must act in accordance with, the following guiding principles:

    1. Accountability

Failing to comply with POPIA could potentially damage Pixel Forest’s reputation or expose Pixel Forest to penalties or a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.

    1. Processing Limitation

Pixel Forest will process personal information:

  • in a fair, lawful and non-excessive manner,
  • in the manner set out in this document; and
  • for purposes lawful in terms of POPIA.

Pixel Forest may distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are involved with facilitating the purpose for which the personal information was collected.

    1. Purpose Specification

Pixel Forest will process personal information for specific, explicitly defined and legitimate reasons related to its data management and analysis services and related business.

    1. Further Processing Limitation

Personal information will not be processed for a further purpose unless that further processing is in accordance or compatible with the purpose for which it was collected.

Therefore, where Pixel Forest seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this further purpose is not in accordance with or compatible with the original purpose, Pixel Forest requires authority to do so from the data subject.

    1. Information Quality

Pixel Forest will take reasonable practicable steps to ensure that all personal information collected is complete, accurate and not misleading and updated where necessary.

    1. Open Communication

Pixel Forest will take reasonable steps to ensure that data subjects are aware that their personal information is being collected including the purpose for which it is being collected and processed.

Pixel Forest will maintain a facility for data subjects who want to:

  • Enquire whether Pixel Forest holds their personal information, or
  • Request access to their personal information, or
  • Request Pixel Forest to update or correct their personal information, or
  • Make a complaint concerning the processing of their personal information.
    1. Security Safeguards

Pixel Forest will secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to secure the information from loss, damage, destruction or unlawful access or processing.

  1. INFORMATION OFFICERS

Pixel Forest’s Information Officers (IO) are responsible for ensuring compliance with POPIA and can be contacted on:

Head Office Contact Number

  012 111 7254

E-mail

michelle@pixelforest.design

Website

www.pixelforest.co.za

 

  1. SPECIFIC DUTIES AND RESPONSIBILITIES
    1. The Board of Directors

The board of directors is responsible for ensuring that:

  • Pixel Forest appoints an Information Officer, and where necessary, a Deputy Information Officer.
  • All persons responsible for the processing of personal information on behalf of Pixel Forest:
    • are appropriately trained and supervised to do so,
    • understand that they are contractually obliged to protect the personal information they come into contact with, and
    • are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.
  • Data subjects who want to make enquires about their personal information are made aware of the procedure that needs to be followed should they wish to do so.
  • The scheduling of a periodic POPIA Audits.
    1. Information Officer/s

Pixel Forest’s Information Officer is responsible for:

  • Taking steps to ensure Pixel Forest’s reasonable compliance with the provision of POPIA.
  • Take steps to organise training at least once a year.
  • Keeping the Board of Directors updated about Pixel Forest’s information protection responsibilities under POPIA.
  • Continuously analysing privacy regulations and aligning them with Pixel Forest’s personal information processing procedures.
  • Ensuring that POPIA Audits are scheduled and conducted on a regular basis.
  • Ensuring that Pixel Forest makes it convenient for data subjects who want to update their personal information or submit POPIA related complaints to Pixel Forest.
  • Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by Pixel Forest.
  • Encouraging compliance with the conditions required for the lawful processing of personal information.
  • Ensuring that employees and other persons acting on behalf of Pixel Forest are fully aware of the risks associated with the processing of personal information and that they remain informed about Pixel Forest’s security controls.
  • Addressing employees’ POPIA related questions.
  • Addressing all POPIA related requests and complaints made by Pixel Forest’s data subjects.
  • Handling and managing complaints related to personal Information and POPIA.
  • Working with the Information Regulator in relation to any ongoing investigations.

All employees are required to assist and co-operate with the Information Officer in performing the obligations.

 

    1. IT SERVICE PROVIDER

Pixel Forest’s IT Service Provider is responsible for:

  • Ensuring that Pixel Forest’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.
  • Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.
  • Ensuring that servers containing personal information are sited in a secure location, away from the general office space.
  • Ensuring that all electronically stored personal information is backed up and tested on a regular basis.
  • Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion and malicious hacking attempts.
  • Ensuring that personal information being transferred electronically is encrypted.
  • Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software.
  • Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.
  • Performing a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on Pixel Forest’s behalf.
  • All employees are required to assist and cooperate with the IT Manager in performing the obligations.
    1. Marketing

Pixel Forest’s Marketing is responsible for:

  • Approving and maintaining the protection of personal information statements and disclaimers that are displayed on Pixel Forest’s website, emails and electronic newsletters.
  • Addressing in consultation with the Information Officer any personal information protection queries from journalists or media outlets such as newspapers.
  • Where necessary, working with the Information Officer and any other persons acting on behalf of Pixel Forest to ensure that any outsourced marketing initiatives comply with POPIA.
    1. Employees and other Persons acting on behalf of Pixel Forest

Employees and other persons acting on behalf of Pixel Forest will, during the course of the performance of their services, gain access to and become acquainted with the personal information of clients, suppliers and other employees. Employees and other persons acting on behalf of Pixel Forest are required to treat personal information as a confidential business asset and to respect the privacy of data subjects and to comply strictly with their policy.

Employees and other persons acting on behalf of Pixel Forest may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within Pixel Forest or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform their duties or otherwise in accordance with this policy and POPIA. 

Employees and other persons acting on behalf of Pixel Forest must request assistance from    their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.

 

  1. POPIA AUDIT

Pixel Forest’s Information Officer will schedule periodic POPIA Audits. The purpose of a POPIA audit is to:

  • Identify the processes used to collect, record, store, disseminate and destroy personal information.
  • Determine the flow of personal information throughout Pixel Forest;
  • Redefine the purpose for gathering and processing personal information;
  • Ensure that the processing parameters are still adequately limited;
  • Ensure that new data subjects are made aware of the processing of their personal information;
  • Re-establish the rationale for any further processing where information is received via a third party;
  • Verify the quality and security of personal information;
  • Monitor the extent of compliance with POPIA and this policy;
  • Monitor the effectiveness of internal controls established to manage Pixel Forest’s POPIA related compliance risk.

In performing the POPIA Audit, Information Officers will liaise with line managers in order to identify areas within in Pixel Forest’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.

Information Officers will be permitted direct access to and have demonstrable support from line managers and Pixel Forest’s governing body in performing their duties.

  1. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

Data subjects have the right to:

  • Request what personal information Pixel Forest holds about them and why.
  • Request access to their personal information.
  • Be informed how to keep their personal information up to date.

Access to information requests using Annexure A can be made by email, addressed to the Information Officer. The Information Officer will verify the identity of the data subject prior to handing over any personal information.

  1. POPIA COMPLAINTS PROCEDURE

Pixel Forest will address all POPIA related complaints in accordance with the following procedure:

  • POPIA complaints must be submitted to Pixel Forest in writing. Where so required, the Information Officer will provide the data subject with a “POPIA Complaint Form” (Annexure B).
  • Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.
  • The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within two working days.
  • The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner.
  • The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on Pixel Forest’s data subjects.
  • Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with Pixel Forest’s governing body whereafter affected data subjects and the Information Regulator will be informed of this breach.
  • The Information Officer will revert to the complainant with a proposed solution with the option of escalating a complaint to Pixel Forest’s governing body within 10 working days of receipt of the complaint.
  • The Information Officer’s response to the data subject may comprise any of the following:
    • A suggested remedy for the complaint,
    • A dismissal of the complaint and the reasons as to why it was dismissed,
    • An apology (if applicable) and (if applicable) stating that disciplinary action has been taken against any employees involved.
  • Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.
  • The Information Officer will periodically review the complaints process to assess the effectiveness of the procedure.

 

PERSONAL INFORMATION REQUEST

Please submit your request or complaint to the information officer.

Please be aware that we may require you to provide proof of identification prior to processing your request. There may also be a reasonable charge for providing copies of the information requested.

We are committed to safeguarding your privacy and the confidentiality of your personal information and are bound by the Protection of Personal Information Act.