PRIVACY POLICY

We at Wendy Oldfield Website know you care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about how we collect, store, use and disclose information about you when you interact with or use our websites (collectively the “Websites”) or any related events, trade shows, sales or marketing, and/or if you use any of our products, services or applications (collectively the “Services”) in any manner.


What does this Privacy Policy cover?

This Privacy Policy covers our treatment of information that we gather when you are accessing or using our Websites or Services or when you contact us in any manner. We gather various types of information, including information that identifies you as an individual (“Personal Information”) from our users, as explained in more detail below.


What information does Wendy Oldfield Website collect?

Information You Provide to Us:

When you use our Websites: We may collect any Personal Information that you choose to send to us or provide to us, for example, via our “Newsletter” (or similar) online form or when you register for a Wendy Oldfield Website Membership Account. If you contact us through the Websites, we will keep a record of our correspondence.

When you use the Services: We receive and store information you provide directly to us. For example, when setting up new users, we collect Personal Information, such as name and e-mail address, to provide them with Services. The types of information we may collect directly from our customers include: name, username, email address, postal address, phone number, transactional information (including Services purchased), as well as any other contact or other information they choose to provide us or upload to our systems in connection with the Services.


Information We Automatically Collect:

When you use the Websites: When you visit the Websites, we collect certain information related to your device, such as your device’s IP address, referring website, what pages your device visited, and the time that your device visited our Website.

When you use the Services:

Usage information: we keep track of user activity in relation to the types of Services our customers and their users use, and performance metrics related to their use of the Services.

Log information: we log information about our customers and their users when you use one of the Services, including Internet Protocol (“IP”) address.

Information collected by cookies and other similar technologies: we use various technologies to collect information which may include saving cookies to users’ computers.

For further information, please see the section below headed "Cookie Policy".


How do we use the information?

Websites: We will use the information we collect via our Websites:

Services: We may use the information we collect from our customers and their users in connection with the Services we provide for a range of reasons, including to:

For any other purposes about which we notify customers and users.

We may also use the information you send to us via the Websites and/or Services to communicate with you via email and, possibly, other means, regarding products, services, offers, promotions and events we think may be of interest to you, or to send you our newsletter, if this is in accordance with your marketing preferences. However, you will always be able to opt out of such communications at any time (see the “Your Choices” section below).


How do we share and disclose information to third parties?

We do not rent or sell your Personal Information to anyone. We may share and disclose information (including Personal Information) about our customers in the following limited circumstances:

Vendors, consultants and other service providers: We may share your information with third party vendors, consultants and other service providers who we employ to perform tasks on our behalf. These companies include:

Name: Ginger Blast Production
Website: www.gbproduction.co.za
Why: Website hosting and management company providing essential components for functionality of this website
Required: Yes
Email: start@gbproduction.co.za
Phone: +2784 7727 828

If Wendy Oldfield Website has received your Personal Information in the United States and/or South Africa and subsequently transfers that information to a third party agent or service provider for processing, Wendy Oldfield Website shall remain responsible for ensuring that such third party agent or service provider processes your Personal Information to the standard required by law (see the section below headed "International Data Transfers"). Unless we tell you otherwise and you consent, our vendors do not have any right to use the Personal Information we share with them beyond what is necessary to assist us.

Business Transfers: We may choose to buy or sell assets, and may share and/or transfer customer information in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information could be one of the assets transferred to or acquired by a third party.

Protection of Wendy Oldfield Website and Others: We reserve the right to access, read, preserve, and disclose any information as necessary to comply with law or court order; enforce or apply our agreements with you and other agreements; or protect the rights, property, or safety of Wendy Oldfield Website, our employees, our users, or others.

Disclosures for National Security or Law Enforcement: Under certain circumstances, we may be required to disclose your Personal Information in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

South Africa’s Protection of Personal Information Act (POPIA) is a legal framework to protect the country’s residents from harm by protecting their personal information. It is enforced by the country’s Information Regulator. It is sometimes referred to as POPIA or the POPI Act, but POPIA is preferred by regulators and the South African government. POPI is more commonly used as a synonym for data protection, rather than specifically referring to the legal framework.

Who is affected by POPIA depends on context. It affects both those providing and those processing personal information. On a day-to-day basis, it would likely affect companies and other organizations more, as they must achieve and maintain compliance with POPIA. Most individuals wouldn’t be actively affected unless notified of a data breach or other violation affecting their personal information.

POPIA is distinct from the Promotion of Access to Information Act (PAIA), which is even older, having been passed in 2000. PAIA provides the constitutional right of access to information held by the South African government or by a private organization, if it is required to protect or exercise individuals’ rights. PAIA is enforced by the South African Human Rights Commission.

South Africa’s POPIA went into full effect in 2020, though it had been rolled out in sections starting from when it received Presidential assent seven years earlier. Enforcement then began in 2021. In modern terms, it is one of the older data privacy laws, predating the European Union’s General Data Protection Regulation (GDPR) by several years.

What is South Africa’s Protection of Personal Information Act (POPIA)?

The Protection of Personal Information Act (POPIA) is South Africa’s federal data protection law to protect people’s privacy, which is considered a human right. The Act outlines when it is legal for one entity, like a company, to process another entity’s personal information, like that of an individual.

POPIA received parliamentary assent on November 19th, 2013; however, the Act did not fully go into effect immediately. Sections have gone into effect since 2013, but a number of key sections didn’t go into effect until July 1st, 2020, which the President proclaimed to be the date of commencement. Organizations had 12 months to work toward compliance with the Act, and enforcement began on July 1st, 2021.

The Information Regulator was established on December 1st, 2016, and is responsible for enforcing POPIA. It handles both investigations of alleged violations as well as penalties where noncompliance has been demonstrated. The Information Regulator reports to the South African Parliament.

POPIA has 12 Chapters, containing 115 Sections. The rights of data subjects are covered in Section 5. Chapter 3 of POPIA covers Conditions for Lawful Processing. Section 11 outlines the conditions for data subjects’ consent or objection, and other legal justifications and responsibilities for data processing:

Additionally, the responsible party bears the burden of proof for the data subject’s (or competent person as representative’s) consent, and the data subject or competent person may withdraw consent at any time.

Data subjects may also object to the processing of their personal information at any time on reasonable grounds, via the prescribed manner, as long as prevention or termination of that data processing is not prevented by active legislation.

Conditions for lawful data processing under South Africa’s Protection of Personal Information Act

Section 4 outlines the lawful conditions of data processing:

Who does South Africa’s Protection of Personal Information Act apply to?

POPIA applies to “any natural or juristic person who processes personal information” by “automated or non-automated means” (Section 3). So it does apply to individuals, though more commonly to companies, other organizations, and the government.

 

Note that under the definitions in Section 1, the “responsible party” is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

 

Also per Section 3, POPIA applies to responsible parties whether or not they are “domiciled in the Republic”, i.e. POPIA is extra-territorial. The key consideration is whether data subjects are located in South Africa, not whether the entity processing their data is located there.

Exclusions from South Africa’s Protection of Personal Information Act

Section 6 outlines exclusions from POPIA compliance requirements, which are fairly common in comparison to other data privacy laws:

Section 7 has some further exclusions and specific requirements relating to “journalistic, literary or artistic expression”. This section helps enable freedom of expression and the freedom of the press, while ensuring responsible actions, e.g. adherence to “domestic and international standards, and to professional codes of ethics”.

What are consumers’ rights under South Africa’s Protection of Personal Information Act?

Section 5 covers the rights of data subjects under POPIA. They include rights to:

POPIA does not include a right not to be discriminated against when exercising one’s other rights as a data subject. The GDPR doesn’t either, though the CCPA does. Note that POPIA uses an opt-in model of data subject consent, i.e. consumers’ consent must be obtained prior to collection or processing of their personal information.

Key definitions from South Africa’s Protection of Personal Information Act

Definitions of key terms in POPIA are in Section 1.

Personal information

Covered in Chapter 3, Part A, this is information that relates to “an identifiable, living, natural person” or identifiable, existing juristic person. Personal information can include, but is not limited to:

(a) race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) biometric information of the person;

(e) personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) views or opinions of another individual about the person; and

(h) name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

It should be noted that while physical or mental health, religion, disability, ethnic origin, colour, sexual orientation, and some other information are included in POPIA’s definitions of “personal information”, in fact they qualify as “special personal information” and thus require specialized and/or restricted handling. In some cases processing of this type of information is prohibited.

Special personal information

This type of personal information is covered in Section 26, or, more specifically, there are prohibitions on processing this type of personal information due to the potential for it to be used harmfully. Types of personal information classified as “sensitive” include:

(a) religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(b) criminal behaviour of a data subject to the extent that such information relates to—

Processing special personal information is prohibited unless it is performed under the exceptions outlined in Section 27, which include consent, legal obligations, the subject having already made the information public, and other stipulations.

Processing

This refers to “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information”.

Data subject

The natural or juristic person to whom personal information relates. Refers to persons residing in South Africa. A juristic person is an organization legally recognized to have rights and responsibilities like a human individual.

Responsible party

Unlike some other privacy laws, POPIA does not refer to “controllers”, i.e. the party responsible for the collection and processing of data and, as a result, for safeguarding it as well. Instead, POPIA refers to the responsible party, meaning “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

Operator

Under some other privacy laws, the operator performs the processing for the controller. Under POPIA, the operator does this for the responsible party. Specifically, the operator is “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.

Regulator

The data protection authority, officially the Information Regulator (SAIR), as defined and with duties covered in Sections 39-54, including education, guidance, research, monitoring, handling complaints and enforcement. This entity is also responsible for advising on and directing the evolution of the law.

De-identification

Some privacy laws refer to the anonymization of data. Under POPIA, the term is de-identification, which “in relation to personal information of a data subject, means to delete any information that—

(a) identifies the data subject;

(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject”

Child

A natural person under the age of 18 who is not legally competent to consent to actions or decisions. A competent person (an adult over the age of 18 legally able to make decisions for a child) is required where consent regarding a child’s personal information is needed.

Definition of consent under South Africa’s Protection of Personal Information Act

Per the definitions in Section 1, consent under POPIA is “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Consent is one of the legal bases for data processing, as outlined in Section 11.

Like the GDPR and some other international privacy laws, POPIA uses an opt-in model of consent, so generally data subject consent must be procured from a legally competent person, or their representative in the case of a child, before collecting or processing their data.

Legal bases under South Africa’s Protection of Personal Information Act

Section 11 covers justifications for personal information processing, commonly referred to as “legal bases” in the GDPR and elsewhere. These requirements are quite similar to those listed in the GDPR:

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

A justification like legitimate interest might seem convenient, as it would not require obtaining data subject consent, but as with other laws, entities cannot simply claim legitimate interest and start collecting and processing personal information at will. There are requirements specific to claiming legitimate interest (and any other legal basis) as well.

Companies’ responsibilities under South Africa’s Protection of Personal Information Act

Under POPIA, companies are not the only organizations required to comply, but those inside and outside of South Africa (but doing business there) are substantially affected.

Chapter 3 covers companies’ responsibilities, i.e. conditions of lawful processing. Part A of Chapter 3 outlines POPIA’s eight conditions for processing personal information that are companies’ responsibilities. The Information Regulator can conduct an assessment or audit of an organization’s POPIA compliance either by request or on its own initiative (Section 40).

Accountability

Per Section 8, the responsible party must ensure that the conditions for lawful processing are met, both the general ones for processing of personal information and the specific conditions and prohibitions for processing of sensitive personal information or the information of children.

Processing limitation

Per Sections 9-12, the responsible party must not infringe on data subjects’ rights, must limit processing to only that which is needed for the stated purpose and for which it has a legal basis, and must respond to requests or complaints from data subjects regarding their personal information.

Purpose specification

Per Sections 13-14, the responsible party can only collect and process personal information for a specific, stated and legal purpose, can only retain the information for as long as necessary to fulfill the purpose, and must securely store, restrict access to, and delete the information as necessary.

Further processing limitation

Per Section 15, for any further processing of the information beyond the stated and legal purpose, a number of conditions must be met, including, potentially, obtaining new data subject consent. This also affects retaining personal information after the period of time necessary for the original processing purpose.

Information quality

Per Section 16, the responsible party must reasonably ensure that personal information collected and processed is complete, accurate, and up to date. Related to this is being responsive to requests or complaints from data subjects regarding access to, update of, or deletion of their personal information.

Openness

Per Sections 17-18, the responsible party must maintain documentation regarding all processing activities, and take reasonable steps to ensure that data subjects are notified about the conditions of processing and can contact the responsible party. Information regarding processing activities and related requirements also needs to be easily accessible to data subjects, e.g. via a website cookie or privacy policy.

Security safeguards

Per Sections 19-22, the responsible party must take reasonable actions to ensure the security of all personal information processed, including if it is passed to other parties (e.g. the operator, for processing), and must take appropriate and immediate action if there is a breach of security, which includes contacting the Regulator and affected data subjects.

Data subject participation

Per Sections 23-25, data subjects have rights of request and access to their personal information, to which responsible parties must be responsive. There are also conditions under which such requests can be denied.

Information Officer

All organizations that are required to comply with POPIA must have an information officer, which is the equivalent of a data protection officer or similar role. Depending on the volume and types of duties, it may also be necessary to appoint one or more Deputy Information Officers (Section 56). The information officer and any deputies must be registered with the Regulator by the responsible party before they can begin performing any duties.

Section 55 covers their duties and responsibilities, which include encouraging compliance, managing requests, working with the Regulator on investigations, and related duties. Section 56 covers the designation of deputy information officers, if needed.

More granularly, the information officer will be involved in tasks like drafting and maintaining the privacy policy and other related documentation, conducting risk assessments, training employees, drafting and maintaining contracts with third parties, handling security issues — including data breaches — and reporting/liaising with the Regulator and data subjects affected, and other tasks.

Data transfers

POPIA goes into less detail regarding data transfers (“transborder information flows”) than the GDPR does, but there are still restrictions in the name of privacy and security, outlined in Section 72. Broadly, the conditions are similar to legal bases for personal information processing, e.g. contractual agreement, data subject consent, performance of a contract, legitimate interest, etc.

POPIA does not have a requirement for adequacy decisions, i.e. international agreements among countries where it has been determined that the country or organization in question has established an adequate level of data protection. These decisions can significantly streamline contractual requirements and obligations between relevant parties when data transfers need to occur, or cause large headaches when companies have to reorganize operations because of a lack of them.

Reporting data breaches

Sections 19-22 cover security safeguards, including specific requirements in the event of a data breach. Unsurprisingly, two key requirements are the notifications to the Regulator and impacted data subjects (unless their identities can’t be determined) as soon as reasonably possible (Section 22). There are also specifications for how notifications must be delivered and information they need to contain. The Regulator may also require the responsible party to publicize the breach if it would benefit data subjects (e.g. to help notify them where it was otherwise not possible).

South Africa’s Protection of Personal Information Act and children

Under POPIA, children are classified as people under age 18, who are not considered legally competent. This is a higher age threshold than with the GDPR. In most cases, in order to process children’s personal information, consent from their parent, guardian, or other legal representative (“competent person”) must be obtained in advance, though there are a number of other conditions under which it can take place, broadly following standard processing legal bases, but with additional bases.

Processing of children’s personal information is covered in Sections 34-35, with the latter section covering conditions under which children’s personal information can be processed.

Penalties and enforcement under South Africa’s Protection of Personal Information Act

Enforcement is covered in considerable detail in POPIA in Chapter 10, Sections 73-99. As noted, enforcement comes under the responsibility of the Information Regulator, which is a federal level government position. The Regulator is involved with investigating alleged violations, making referrals to other regulatory bodies, working toward securing warrants from a judge or magistrate, handing down penalties, and other actions.

Under Section 109, the maximum fine for a POPIA violation is ZAR 10 million. Regarding potential fines, the Regulator must consider the following:

(a) the nature of the personal information involved

(b) the duration and extent of the breach or issue

(c) the number of data subjects (potentially) affected

(d) whether or not the breach raises an issue of public importance

(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects

(f) whether the responsible party or a third party could have prevented the breach

(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information

(h) whether the responsible party has previously committed a POPIA-related offence

POPIA also has provisions (Section 107) for sanctions of “natural or juristic persons” and prison sentences of up to 10 years for certain violations for responsible individuals, which isn’t included in the GDPR or LGPD. Offenders can also be required to pay compensation to data subjects.

Less “official” penalties for a POPIA violation include loss of reputation and loss of existing customers and failure to attract new ones, which can impact revenues.


Copyright 2023 © Wendy Oldfield. All rights Reserved.