CONTENTS

• Privacy Notice
• Contact Details
• Introduction
• Specific Words/ Phrases
• Information Officer
• Processing personal information and protecting the right of our clients
• What personal information do we collect?
• Who might we share your personal information with?
• Transborder Information Flows
• Circumstances requiring prior authorisation
• Special Personal Information
• Processing of Personal Information of Children
• Direct Marketing
• Data Breach Notification
• Contravention of POPIA
• The SA Information Regulator
• Forms and clauses

INFORMATION OFFICER: Jillian Marjorie Tyson

PRIVACY NOTICE

We respect and protect the privacy of all persons whose personal information we collect, regardless of form and medium. This includes our clients, employees, agents, consultants, power partners and service providers. These privacy notices explain our personal information handling practices in relation to that particular purpose or service. It explains who we collect personal information from, with your consent, what information we collect, what we do with it, how you might access it and who it might be shared with and for what reason we collect it and how we will keep it before we destroy it. All of this is covered under the POPI Act.

CONTACT DETAILS:

South Africa
Mobile: 083 282 4019
Telephone: 046 636 1388
Organisation email: jillian@grahamstownproperties.co.za

INTRODUCTION

The Protection of Personal Information Act (POPI) is intended to balance the scale legally by protecting a person’s constitutional rights to privacy (which requires our personal information to be protected); and the needs of business to have access to and to process (work with) a person’s specific personal information to perform the task they are mandated to do.

This Compliance Manual sets out the framework for our company’s compliance with the POPI Act and is focused on tasks that must performed in the property sector.

Data Subject

Ther person to whom the personal information relates. This is a natural person or an existing juristic person. - companies, cc, trust, public entity (Mun) e.g., Seller/ Buyer/ employee

Responsible party

Is the person/s or company who is responsible for the processing of personal information, whether it is to collect, secure, disseminate or construct it to perform a specific task. e.g., Principal / estate agency / Trustees / Body corporate.

Operator

Is the party processing personal information on behalf of the responsible party. The responsible party retains accountability., In an estate agency this is the person who is processing the information. It could be a third party if the processing is outsourced e.g., IT company.

Processing

Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, shared, kept, up to the time that the information is destroyed, regardless of whether the information is a hard copy, or in electronic format.

INFORMATION OFFICER

Our Information Officer is: Jillian M. Tyson
(Contact details): 046 636 1388

The Information officer must:

• Develop the compliance framework and ensure it is implemented in line with the eight (8) conditions (see below) for the lawful processing of personal information.
• Do a personal information impact assessment to ensure adequate measures and standards. (What Personal information we hold, where we hold it and for what purpose and is it necessary)
• Review the forms our agency uses to gather information (for example, application forms, employment contracts, lease, and purchase contracts) to determine whether it is necessary to request all the information dealt with in those forms and whether the consent clause is included.
• He/she must develop the manual and monitor, maintain, and make it available as prescribed in sections 14 and 51 of the Act.
• Internal measures (7 forms) are developed together with adequate systems to process, requests for information from data subjects or access thereto, free of charge.
• Ensure internal training/awareness sessions to be conducted regarding the provisions of POPI Act and discuss it weekly on the office meeting.
• Working with the Regulator in relation to any investigations conducted in accordance with the relevant provisions of POPI Act. (When needed)

PROCESSING PERSONAL INFORMATION AND PROTECTING THE RIGHTS OF OUR CLIENTS:

We undertake to implement, monitor, and maintain the eight (8) conditions for the lawful processing of personal information; to always follow POPI Act and to process personal information while protecting the right to privacy of our clients.

The Principal/Manager (responsible party) must ensure that the conditions and all the measures set out in the Act are followed through in the office.

The Information Officer (operator) is Jillian Marjorie Tyson, who will be tasked with the responsibility of compliance in our office. She will be held liable for non-compliance in certain day to day situations as described on her employment contract.

Personal information may only be processed in a fair and lawful manner and only with the consent of the person whose information it is (data subject) and for the intention it was collected for.

• The personal information must be obtained directly from the person (Data Subject)
• The person should be aware that we gather their information, and they must consent to their information being used.
• If a third party is being used to collect personal data, the person (Data Subject) must consent to this information being shared and used by us.
• Only information that is required for the specific purpose for which it is gathered may be stored. (No more than what is necessary)

We limit the amount of personal information collected and processed to only what is needed for the function we are performing.

• The specific purpose must be documented and adhered to.
• The Data Subject has the right to know what information we have and for what purpose it was gathered.
• We will link all personal information collected to legitimate reasons for collecting it.
• Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed.
• We will account for what information we hold, what purpose it was gathered for and a date by which that information must be destroyed.
• We will destroy Personal Information in a manner that prevents its reconstruction, after we are no longer authorized to retain such records.

Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.

• We retain personal information only for as long as it is needed, or longer if required by law.
• If we retain your personal information for budget or statistical purposes, we ensure that the personal information cannot be used further. It will be de-personalised.
• Before we use existing personal information for any other purpose other than what the information was originally gathered for, consent will be required from the Data Subject.
• If he/she refuses permission, processing will stop.
• When gathering information, we will advise the Data Subject what the information will be used for and for what period we will hold that information.

While in our possession, together with the data subject's assistance, we try to maintain the accuracy of personal information.

• We will obtain information directly from the data source to ensure accuracy, as far as possible.
• When advising Data Subjects of the information we hold and for what purpose we hold it, they will be given details of how to check, and update their information or withdraw consent.

The Data Subject whose information we are collecting will be made aware that we are collecting such personal information and for what purpose the information will be used and her/ his rights. (Even if this is public record or he/she consented to collection from a 3rd party)

• We will gather personal information from Data Subjects after signing a consent form.
• The Data Subject will be informed of how the data will be used at the time of gathering the information.
• The Data Subjects will be given a letter with the details of the Responsible Person in our agency and the Information Regulator’s contact details.
• The Data Subject will be advised of his/her rights to complain to the Information Regulator if misuse is suspected.
• The Data Subject will always be advised of his/her rights to access his/her information and to object to the processing of said information.

We restrict, secure, and control all our information against unauthorised access, interference, modification, damage, loss, or destruction; whether physical or electronic.

• We will do a safety and security risk assessment from time to time to ensure we keep up with requirements.
• Our staff must be informed / trained to be compliant with POPI Act, and this training must be ongoing and up to date.
• We do everything we can to prevent personal information from falling into unauthorized hands.
• Our business premises where records are kept must remain protected by access control and complex security, including guards.
• All our laptops, phones and computer network are protected by passwords which we changed on a regular basis.
• We are using Outlook 365 which complies with industry standard security safeguards and meets the General Data Protection Regulation (GDPR), which is standard in the European Union. We have firewalls and AVG Secure.
• We are as small estate agency, so it is easy to determine which employees are allowed to access personal information and what information they are permitted to access.
• Personal information can only be accessed or modified by those employees with the authority to do so.
• The online profiles and access of staff who left the agency must be properly deleted.
• Each employee uses his/her own password to access the data, therefore we can identify the source of a data breach and we can neutralize such a breach.
• If there is a data breach, we will determine the source, neutralise it and prevent the re-occurrence of such a data breach.
• When we make use of an external operator our Responsible Party will, in terms of a written contract between our agency and the operator, ensure that the operator establishes and maintains the required security measures.
• The operator must advise immediately if there is the possibility that personal data has been accessed or acquired by any unauthorized person.
• The Data Subject will be advised via e-mail or in writing immediately if it is suspected that their personal information has been accessed by unauthorized persons. Sufficient information will be provided to allow the Data Subject to put measures in place to safeguard themselves against potential consequences of the security breach.
• The Information Regulator will be informed in the event of a security breach where personal information could be compromised. It is the duty of the Responsible Person to ensure this process is followed.

Data Subjects may request where their personal information is held, as well as the correction and/or deletion of any personal information held about them.

• Data Subjects may request information from us on whether we are holding their personal information.
• This request will not be declined, and we will not charge for it.
• The Data Subject has the right to correct the personal information that we hold.
• They also have the right to withdraw consent at any time.

WHAT PERSONAL INFORMATION DO WE COLLECT?

We only collect the minimum amount of information that is relevant to the purpose. If you interact with us on the internet, the personal information we collect depends on whether you just visit our website or require our services. If you visit our website, your browser transmits some data automatically, such as your browsing times, the data transmitted and your IP address.

• If you use our services, personal information is required to fulfil the requirements of that service.
• We usually collect only names and contact details, financial qualification, with property needs and requirement when we assist a buyer in finding a property.
• While doing a price estimation (valuation) to place a property on the market, we need the basic information and will be able to source the property information from the deeds office systems.
• To assist selling the property we need to have basic personal and financial information to know if the sellers will be able to sell the property, cancel the bond, pay all fees, and move to another property.

Generally, we collect the following personal information to complete contracts.If there is any specific personal information to collect, we will indicate as such, at the time of collection.

• Name, surname, and maiden name
• Identification Number/s
• Married/single status.
• E-mail address
• Physical / postal address / erf number / complex details
• Telephone number/s
• Financial & banking details (for bond qualification - buyers and bond cancellations -sellers and rentals)

WHO MIGHT WE SHARE YOUR PERSONAL INFORMATION WITH?

To maintain and improve our services, your personal information may need to be shared with or disclosed to our service providers:

• colleague’s or other estate agencies,
• attorneys,
• bond consultants,
• compliance inspectors,
• homeowner association,
• trustees,
• in some cases, public or legal authorities.

TRANSBORDER INFORMATION FLOWS

Estate agencies is unlikely to process personal information to be send transborder, but if there is an international component to the work which we are doing for you, and if we are required to share your personal information with an overseas recipient, you are entitled to ask us how your personal information will be protected in this foreign country, and we will endeavour to assist you.

CIRCUMSTANCES REQUIRING PRIOR AUTHORISATION

Estate agencies are unlikely to process personal information under circumstances requiring authorisation from the regulator, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.

SPECIAL PERSONAL INFORMATION

While we recognise that protecting all personal information is important in gaining and maintaining your trust, special personal information is often afforded a higher level of protection. Estate agencies is unlikely to process special personal information, but should it be necessary the guidance by the Information Officer will be sought regarding POPIA.

THE PROCESSING OF PERSONAL INFORMATION OF CHILDREN

Estate agencies is unlikely to process any personal information of children except maybe with a young student or were adults put a property on a child’s name.

This is an especially important notice which we must share with you and any one of your parents or legal guardians if you are under the age of 18. To make use of our services, we need information which is personal to you. For example, your name, your email address, and your phone number. It might be so that we cannot use your information unless your parent agrees.

To parents/ legal guardians.

In order for children to make use of our services we need to use their personal information and for this we are required by law to obtain the consent of a parent or legal guardian. Before deciding on consent, it is important for parents to understand our information security and privacy policies. It is equally important for parents to explain to children, the implications of not providing our organisation with the proper consent. Please sign our consent form on behalf of your child.

Where we as an estate agency want to contact a person for the first time with marketing communication which was not requested (unsolicited),

• the agency must obtain consent before any marketing to individuals.
• The agency may approach someone for direct marketing consent once only,
• and only if they have not withheld consent previously.

We may only carry out direct marketing to previous clients if:

• the potential client was given an opportunity to object to receiving direct marketing material by us at the time that their personal information was collected;
• and they did not object then;
• or at any other time, after receiving any such direct marketing communications from us.

We may only approach clients using their personal information,

• if we have obtained their consent to use their personal information in the context of providing services associated with marketing to them,
• and we may then only market estate agency services to them.

We will stick to permitted contact times.

The prohibited times for marketing are:

• Sundays or public holidays.
• Saturdays before 09h00 and after 13h00.
• and all other days between the hours of 20h00 and 08h00 the following day.

We are aware that we are not allowed to use lists purchased from a lead generation business if:

We purchased it from a lead generation business, without obtaining confirmation from the list's provider, that the records have been obtained and stored in a way, that is compliant with POPIA.

The “unsubscribe” option must be on our marketing e-mails.

All electronic direct marketing communications must contain an “unsubscribe” option.

Similarly, physical post boxes containing a direction that “no junk mail”.

We will make use of a bulk email and SMS software that keeps track of “opt-in” and “opt out” information and automatically includes an automatic “opt out” on each message sent to existing clients and others that have “opted-in” to receive marketing; and to ask people directly if they may be added to the agency’s database.

We will Include the sender’s details on all e-mails.

An address or other contact details to which the recipient may reply/send a request that such communications cease.

DATA BREACH NOTIFICATION

Where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the estate agency (as responsible party), or any third-party, processing personal information, on instruction from the estate agency (the operator), must notify the Information Regulator and the data subject in writing as soon as possible.

THE INFORMATION REGULATOR IS RESPONSIBLE FOR THE INVESTIGATION AND ENFORCEMENT OF POPIA.

A person contravenes the provisions of the POPIA if he/she it:

• hinders, obstructs, or unlawfully influences the Information Regulator.
• fails to comply with an information or enforcement notice.
• gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation.
• contravenes the conditions.

knowingly or recklessly, without the consent of the responsible party, obtains, discloses, or procures the disclosure, sell, or offers to sell details of a data subject to another person; and will be guilty of an offence.

CONTRAVENTION OF POPI Act.

Could result in far-reaching sanctions, these include the imposition of fines up to R10 million, imprisonment for a period of 12 months to 10 years and/or damages claim by the data subject.

THE SA INFORMATION REGULATOR

You have the right to lodge a complaint with the SA Information Regulator

The Information Regulator (South Africa)
PO Box 31533
Braamfontein
27 Stiemens Street
Braamfontein
2017
The Information Regulator (South Africa)
complaints.IR@justice.gov.zaA. INTRODUCTION

SCHEDULE OF CLAUSES AND FORMS

1. Form 1 CONSENT TO PROCESS (USE) PERSONAL INFORMATION
2. Form 2 OBJECTION TO PROCESS (USE) PERSONAL INFORMATION
3. Form 3 REQUEST TO CORRECT OR DELETE PERSONAL INFORMATION
4. Form 4a CONSENT TO DIRECT MARKETING
5. Form 4b REFUSAL OF DIRECT MARKETING
6. Form 5 INTRODUCTORY LETTER TO CLIENT RE POPIA
7. Form 6 EMPLOYEE COMPLIANCE WITH POPIA
8. Form 7 SHOW HOUSE ATTENDANCE REGISTER
9. CLAUSES FOR MANDATES AND CONTRACTS (Afrikaans & English)