POPIA Policy


Last updated: January 04, 2023


1.1. Name of Entity: OMNISIENT (RF) (PTY) LTD

1.2. Registration Number: 2014/187691/07

1.3. Registered place of Business: 1 Avondrust Lane, Kommetjie, Cape Town

1.4. Object of business: Software Company


2.1. ‘‘Biometrics’’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;

2.2. ‘‘Child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;

2.3. ‘‘Competent Person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;

2.4. ‘‘Consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

2.5. ‘‘Data Subject’’ means the person to whom personal information relates;

2.6. ‘‘Filing System’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;

2.7. ‘‘Information Officer’’ of, or in relation to, a—

2.7.1. Private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

2.8. ‘‘Operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

2.9. ‘‘Person’’ means a natural person or a juristic person;

2.10. ‘‘Personal Information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

2.10.1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

2.10.2. Information relating to the education or the medical, financial, criminal or employment history of the person;

2.10.3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

2.10.4. The biometric information of the person;

2.10.5. The personal opinions, views or preferences of the person;

2.10.6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

2.10.7. The views or opinions of another individual about the person; and

2.10.8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

2.11. ‘‘Processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

2.11.1. The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

2.11.2. Dissemination by means of transmission, distribution or making available in any other form;


2.11.3. Merging, linking, as well as restriction, degradation, erasure or destruction of information;

2.12. ‘‘Public Record’’ means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;

2.13. ‘‘Record’’ means any recorded information—

2.13.1. Regardless of form or medium, including any of the following: Writing on any material; Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means; Book, map, plan, graph or drawing; Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

2.13.2. In the possession or under the control of a responsible party;

2.13.3. Whether or not it was created by a responsible party; and

2.13.4. Regardless of when it came into existence;

2.14. ‘‘Responsible Party’’ means a private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information, which for purposes of this policy shall be Omnisient (Pty) Ltd and its Employees;

2.15. ‘‘Special Personal Information’’ means personal information as referred to in section 26 of POPIA;

2.15.1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

2.15.2. the criminal behaviour of a data subject to the extent that such information relates to— the alleged commission by a Data Subject of any offence; or any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.

2.16. ‘‘Unique Identifier’’ means any identifier that is assigned to a Data Subject and is used by a Responsible Party for the purposes of the operations of that Responsible Party and that uniquely identifies that Data Subject in relation to that Responsible Party.

3. Purpose of this policy

3.1. Omnisient (Pty) Ltd and its’ Employees (“the Entity”) regards all Personal Information as important and confidential and is committed to protecting this Personal Information.

3.2. The purpose of this policy is to give effect to the POPIA and to describe the way we collect, store, use and protect information that can be associated with a specific, identifiable, natural (living) or juristic person and can be used to identify that person.

3.3. This policy applies to:

3.3.1. Shareholders, directors, employees and volunteers of the Entity;

3.3.2. All of the branches and divisions of the Entity; and

3.3.3. All contractors, suppliers, service providers and other persons acting on behalf of the Entity.

3.4. This policy must at all times be read in conjunction with POPIA;

3.5. The type of information that will be processed by the Entity depends on the nature of the Data Subject and the need for which it is collected and will be processed for the purposes of rendering the specific service for which the Entity was contracted for.

3.5.1. The Entity will collect and process, for purposes of rendering its service to the Data Subject, the below mentioned Information: Personal Information such as identifying number, symbol, e-mail address, physical address, telephone number, location information, gender, sex, pregnancy, marital status, language, physical health, medical history and other personal information as may be relevant and/or necessary for the proper treatment and care of the Data Subject or for the administration of the institution or practice. Special Personal Information pertaining to the health and biometrics of the Data Subject or other Special Personal Information as may be relevant and/or necessary for the proper treatment and care of the Data Subject or for the administration of the institution or practice.

3.6. Personal Information excludes:

3.6.1. Information that has been made anonymous so that it does not identify a specific person;

3.6.2. Permanently de-identified information that does not relate or cannot be traced back to you specifically;

3.6.3. Non-personal statistical information collected and compiled; and

3.6.4. Information that a Data Subject has provided voluntarily in an open, public environment or forum including, but not limited to, any online discussion forum, community, classifieds or discussion board.

3.6.5. Non-Personal Information includes information that cannot be used to personally identify you, such as anonymous usage data, general demographic information we may collect, referring/exit pages and URLs, platform types, preferences you submit and preferences that are generated based on the data you submit and number of page clicks.

3.7. Please note: Should the information be displayed or disclosed in any public forum, it is no longer confidential and does not constitute Personal Information subject to protection under this policy.

4. Information Officer:

4.1. Jon Jacobson is the duly appointed and authorised Information Officer of the Entity and has been registered with the Information Regulator. Rivashani van Niekerk is the Deputy Information Officer of the Entity and will support Jon Jacobson in her capacity as such.

5. Purpose of collection of Personal Information:

5.1. The purpose of the collection of Personal Information by the Entity is to properly render and perform its service to the Data Subject.

5.2. The Personal Information may also be used for marketing purposes to ensure that the Entity’s product/service remains relevant and applicable to the existing and potential client’s current and future needs.

6. Consent by the Data Subject:

6.1. By entering into an engagement with the Entity, the Data Subject has consented to the processing of his/her/its Personal Information by the Entity for the fulfilment of any current or future contractual obligations agreed to between the parties.

6.2. The consent of the Data Subject is obtained during the introductory, appointment and/or needs analysis stage of the relationship between the Entity and the Data Subject.

6.3. If the Data Subject provides the Entity with Personal Information of or relating to other parties, albeit by accident, the Data Subject guarantees its consent and has in terms of the Customer Service Agreement between the parties, indemnified the Entity from any claim, harm, damage or loss suffered as a result of the Entity having, processing or providing this Personal Information of or relating to other parties to a third party in rendering the services to the Data Subject.

7. Marketing communication:

7.1. In accordance with POPIA the Data Subject must explicitly opt-in for their Personal Information to be used by the Entity for marketing communications.

7.2. By entering into an engagement with the Entity, the Data Subject has consented to the Entity processing his/her/its Personal Information for purposes of sending marketing communications to the Data Subject.

7.3. The Data Subject has the right to, at any time, opt-out of receiving marketing communications from the Entity.

7.4. The Entity will immediately cease to process the Data Subject’s Personal Information for the purposes of marketing communications as soon as the Data Subject has opted-out.

8. The Eight Conditions for Lawful Processing of Personal Information:

8.1. Condition 1: Accountability

8.1.1. The Entity shall ensure that all processing conditions as set out in POPIA are, to the extent reasonably possible, complied with at the time of determining the purpose and means of processing the Personal Information as well as during the processing itself.

8.1.2. The Entity shall take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and conditions set out in this policy.

8.2. Condition 2: Processing Limitation

8.2.1. Lawful grounds: The Entity will only process Personal Information in accordance with the given purpose thereof and if the information is appropriate, relevant and not excessive. The Entity will only process Personal Information if:

a) The Data Subject consents to the processing; or

b) Processing is necessary for the adequate performance of services to the Data Subject or for the conclusion of an agreement with the Data Subject and to maintain and improve the relationship between the parties; or

c) Processing complies with a legal responsibility imposed on the Entity; or

d) Processing protects a legitimate interest of the Data Subject; or

e) Processing is necessary for pursuance of a legitimate interest of the Entity or a third party to whom the information is supplied.

8.2.2. Collection directly from the Data Subject: The Entity will collect Personal Information directly from the Data Subject or a person duly authorised by the Data Subject, unless:

a) Personal Information is contained in a public record; or

b) Personal Information has been deliberately made public by the Data Subject; or

c) Personal Information is collected from another source with the Data Subject’s consent;


d) Collection of Personal Information from another source would not prejudice the Data Subject; or

e) Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right; or

f) Collection from the Data Subject would prejudice the lawful purpose of collection; or

g) Collection from the Data Subject is not reasonably practicable.

8.2.3. Consent, Justification and Objection

The Entity shall inform the Data Subject of his/her right to refuse or withdraw their consent to the processing of their Personal Information and their right to object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data Subject withdraws consent or objects to processing, then the Entity shall forthwith refrain from processing the Personal Information. Should the withdrawal of the Data Subject’s consent cause the Entity to be unable to render its service adequately, the Entity shall inform the Data Subject thereof and, if necessary, suspend the relationship with the Data Subject. The Entity shall not be in breach of contract in the circumstances where it is unable to adequately perform in terms of the contract, agreed to between the parties, due to the Data Subject’s refusal or withdrawal of consent for his/her/its Personal Information to be processed by the Entity.

8.3. Condition 3: Purpose Specification

8.3.1. The Entity shall only process Personal Information for the specific purposes as communicated with the Data Subject.

8.3.2. The Entity shall ensure that the Data Subject is aware of the purpose of the collection of the information unless the provisions listed in section 18(4) of POPIA are applicable, such as: The Data Subject or a competent person where the data subject is a child has provided consent for the non-compliance; Non-compliance would not prejudice the legitimate interests of the Data Subject; Non-compliance is necessary— To avoid prejudice to the maintenance of the law by any public body; or To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; or For the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or In the interests of national security; or Compliance would prejudice a lawful purpose of the collection; or Compliance is not reasonably practicable in the circumstances of the particular case; or The information will—

i. Not be used in a form in which the Data Subject may be identified; or

ii. Be used for historical, statistical or research purposes.

8.4. Condition 4: Further Processing Limitation

8.4.1. In the circumstances that the Entity will further process the Data Subject’s Personal Information, it will be compatible with the original purpose of processing;

8.4.2. Such further processing will be regarded as compatible with the purpose of collection by the Entity if: Data Subject has consented to the further processing; or Personal Information is contained in a public record; or Personal Information has been deliberately made public by the Data Subject; or Further processing is necessary to maintain, comply with or exercise any law or legal right;

or Further processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party; or Personal Information is used for historical, statistical or research purposes and the Entity ensures that the further processing is carried out solely for such purpose and will not be published in an identifiable form without the Data Subject’s permission; or The further processing of the information is in accordance with an exemption granted under section 37 of POPIA.

8.5. Condition 5: Information Quality

8.5.1. The Entity shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and is updated.

8.5.2. The Entity shall periodically review Data Subject’s records to take reasonable steps to ensure that the Personal Information is still valid and correct.

8.5.3. The Data Subject is required to inform the Entity timeously of any changes to its Personal Information in order for the Entity to amend its records.

8.5.4. Employees of the Entity shall, as far as reasonably practicable, follow the following guidance when collecting Personal Information: Personal Information shall be dated when received; Changes to information records shall be dated; Irrelevant or unneeded Personal Information shall be deleted or destroyed unless otherwise agreed to by the parties; Personal Information shall be stored securely, either on a secure electronic database or in a secure physical filing system.

8.6. Condition 6: Openness

8.6.1. The Entity shall take reasonable steps to ensure that the Data Subject is made aware of: What Personal Information is collected and the source of the information; The purpose of collection and processing; Whether the supply of Personal Information is voluntary or mandatory and the consequences of a failure to provide such information; Whether collection is in terms of any law requiring such collection; Whether the Personal Information shall be shared with any third party or country and what level of protection will be afforded to the information by that third party or country.

8.7. Condition 7: Security Safeguards

8.7.1. The Entity shall ensure the integrity and confidentiality of all Personal Information in its possession, by taking reasonable steps to: Identify all reasonably foreseeable risks to information security; Establish and maintain appropriate safeguards against such risks; Regularly verify that the safeguards are implemented effectively; and Ensure that the safeguards are frequently reviewed and updated in response to new risks or

deficiencies in previous implemented safeguards.

8.7.2. Any loss or theft of, or unauthorised access to, Personal Information shall be immediately reported to the Information Officer and appropriate and reasonable measures shall be taken to prevent this from reccurring.

8.7.3. The Information Officer and Deputy Information Officer is responsible for ensuring that all processing of information by the Entity complies with the requirements for lawful processing of personal and other information.

8.7.4. The Entity’s Data Protection and Privacy Policy has been implemented and training on the said policy will be given to all staff.

8.7.5. The following are measures that are put in place by the Entity to ensure that personal information is safeguarded: Each employee has signed an employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPIA; Each employee has signed an undertaking of confidentiality in terms of which they agree not to disclose any confidential information which may have come to their knowledge during the course of their employment at the Entity and this information includes Data Subjects’ Personal Information; All service providers and Operators that the Entity works with is required to either have the necessary privacy policy in place or to sign a service level agreement or a non-disclosure

agreement guaranteeing their commitment to the protection of Personal Information; All written and/or physical records of Personal Information shall be kept in lockable cabinets and/or in a lockable office and/or on a lockable premise and monitored by a Camera security system. Further, only authorised personnel will have access to this information and when in use, these records shall not be left unattended in areas to which non-staff members have access. Employees of the Entity are prohibited from using their personal email accounts to transmit any Personal and Confidential Information in possession of the Entity without prior authorisation. All electronic files and data are backed up and the necessary system security that protects third party access and threats are put in place which includes any one or more of the following mechanisms:

i. Installation of an alarm system;

ii. Password-protected devices/folders and/or documents;

iii. Password management system;

iv. Encrypting files system and back-ups;

v. Rights management control by creating security permissions such as viewing or editing rights on files and folders containing Personal Information;

vi. Installation of antivirus software;

vii. Spam filters are enabled;

8.7.6. The Entity has set out minimum password requirements for all passwords used by staff and requires the passwords to be changed every 30 (thirty) days;

8.7.7. Unless the Entity has obtained permission to retain the Personal Information after completion of the services to the Data Subject, the Personal Information shall be destroyed after use and fulfilment of its specific function by way of: Shredding paper; or Deleting electronic files and folders.

8.7.8. Any loss or theft of computers, laptops or other devices which may contain Personal Information must immediately be reported to the Information Officer, who shall take all necessary steps to remotely delete the information, where possible, or employ the assistance of an IT consultant to do so.

8.8. Condition 8: Data Subject Participation

8.8.1. The Entity shall inform the Data Subjects of their right to request access to, amendment, or deletion of their Personal Information and to request information about all third parties who may have had access to the Data Subject’s Personal Information.

8.8.2. Data Subjects have the right to access the personal information the Entity holds about them. Data Subjects also have the right to ask the Entity to update, correct or delete their Personal Information on reasonable grounds. Once a Data Subject objects to the processing of their Personal Information, the Entity shall no longer process said Personal Information unless obliged to do so by law or to complete the services to which the Data Subject agreed, subject to the Data Subjects consent to do so.

8.8.3. The Entity shall take reasonable steps to confirm its Data Subject’s identity before providing details or making changes to said Data Subject’s Personal Information.

8.8.4. The Entity shall not disclose any Personal Information to any party unless the identity of the requester has been verified and the Entity has obtained the necessary consent from the Data Subject.

8.8.5. The Entity shall keep record of all third parties that have requested the Personal Information of a Data Subject.

9. Special type of Personal Information processed by Entity:

9.1. The Entity may collect Special Personal Information in its ordinary course of business.

9.2. The Entity will only process the Special Personal Information of the Data Subject if it is satisfied that:

9.2.1. The Data Subject has consented to such processing; or

9.2.2. The Special Personal Information was deliberately made public by the Data Subject; or

9.2.3. Processing is necessary for the establishment of a right or defense in law; or

9.2.4. Processing is for historical, statistical, or research reasons; or

9.2.5. Processing of race or ethnic origin is in order to comply with affirmative action laws.

9.3. In the circumstances where it is necessary for the Entity to collect and process the Personal Information and data of children, the Entity will ensure that:

9.3.1. It has the consent of a “competent person”; or

9.3.2. It is necessary for obligations under the law; or

9.3.3. It is required for upholding international public law; or

9.3.4. It is necessary for research purposes.

10. Retention of Personal Information by the Entity

10.1. Personal Information shall be retained by the Entity in order to prove the existence of facts, to exercise rights the Entity may have and to ensure that the Entity’s interests are protected.

10.2. Records of the Personal Information of the Data Subject shall not be kept longer than necessary for achieving the purpose for which it was collected unless:

10.2.1. The Entity is required by law or contract to retain the records; or

10.2.2. The Data Subject has consented to the retention thereof; or

10.2.3. The Information is required in terms of clause 10.1 above.

11. Section 72 Transfers of personal information outside the Republic

11.1. The Entity will not transfer Personal Information about a Data Subject to a third party who is in a foreign country unless:

11.1.1. The third party is subject to law, binding corporate rules or binding agreement which provide an adequate level of protection that – Effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and Includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country,

11.1.2. The Data Subject consents to the transfer; or

11.1.3. The transfer is necessary for the performance of a contract between the Data Subject and the Entity, or for the implementation of pre-contractual measures taken in response to the Data Subject’s request; or

11.1.4. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Entity and a third party; or

11.2. The transfer is for the benefit of the Data Subject, and—

11.2.1. It is not reasonably practicable to obtain the consent of the Data Subject to that transfer; and

11.2.2. If it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.

12. Data Breach Response Plan:

12.1. In the event that a data breach occurs the procedures and guidelines below shall, as soon as reasonably possible, be implemented by the Entity:

12.1.1. the detail of the breach (the date, time and manner in which the data breach was discovered), how it was discovered and when the response process began shall be determined;

12.1.2. The Information Officer and directors, shareholders and applicable stakeholders of the Entity shall be notified as soon as reasonably possible;

12.1.3. The Insurance Carrier and/or Legal Representative shall be notified;

12.1.4. All physical evidence surrounding the location of the breach shall be preserved;

12.1.5. All unaffected systems shall be protected from further data loss by disconnecting them from affected systems;

12.1.6. The Data Subject whose data has been compromised of the breach shall be informed;

12.1.7. The South African Information Regulator shall be informed of the breach;

12.1.8. The breach and cause of the breach shall be investigated; and

12.1.9. The necessary parties and/or third parties shall be consulted to ensure that the breach has been rectified.