This procedure supports Buy Annique Online, trading as Techniworld CC’s – hereafter called Techniworld CC – Protection of Personal Information Policy which has been developed to give effect to the Protection of Personal Information Act, 4 of 2013 (herein after referred to as “POPIA”) and the regulations promulgated in terms thereof (herein after referred to as “Regulations”).
POPIA provides for a number of different personal information requests to be made to the Information Officer of a company, who processes information of data subjects.
This procedure outlines the steps to be taken to address any one of the above according to the specified requirements regarding time scales and manner prescribed by POPIA, the Promotion of Access to Information Act, 2 of 2000 (herein after referred to as “PAIA”) and the regulations promulgated in terms of the mentioned legislation.
The Data Request Decision-making Guidelines supports this Procedure and must be used as and when a decision to grant or refuse a request by a requester is taken.
The following documents need to be considered part of this Procedure:
Techniworld CC’s Protection of Personal Information Policy
Customer Privacy Notice
Request Procedure flowchart (step by step process)
Request/Objection Forms, 1, 2, 3, and 4
Form 1 Request for Access and Additional Information
Form 2 – Request for Correction or Deletion
Form 3 – Request to Limit Processing
Form 4 – Objection to Processing
Personal Information Processing Manual Procedures
Records Retention Policy
Security Incident Management Policy
Security Incident Notification Procedures
2. SECTIONS OF POPI AND PAIA ADDRESSED
Section 5 – Rights of Data Subjects
Section 11(3)(a) – Objection to Processing of Personal Information read with section 11(1(d) to (f)
Section 3(b) – Objection to processing of Personal Information for purposes of direct marketing other than by means of unsolicited electronic communications
Section 23 – Access to Personal Information
Section 24 – Correction and/or deletion of Personal Information
Section 55 and Regulation 4 – Duties and responsibilities of Information Officers
Section 74 (1) or (2) – Appeals to the Information Regulator
Regulation 2 and 3 and Forms 1 and 2 Regulation 6 –
Section 50 – Right of access to records of private bodies
Section 51 – Manual
Section 52 – Voluntary disclosure and automatic availability of certain records
Section 53 – Form of request
Section 54 – Fees
Section 55 – Records that cannot be found or do not exist
Section 56 – Decision on Request and notification thereof
Section 57 – Extension of period to deal with the request
Section 58 – Deemed refusal of request
Section 59 – Severability
Section 60 – Form of access
Section 61 – access to health and other records
Sections 62 – 70 – Grounds for refusal of access to records
3. WHO MAY REQUEST INFORMATION OR RECORDS
The POPIA provides that a person may only request information if that information is required for the exercise or protection of a right.
The capacity in terms of which a requester requests documentation/ information will determine the category in which he/she/it falls.
The Requester category has a bearing on the conditions of access to the information.
Requesters are classified into 4 (four) categories:
A personal requester/data subject requester requests information about himself/herself/itself.
A representative requester requests information on behalf of and with the necessary authorisation of a data subject.
A third-party requester requests information, without express authorisation of a data subject to protect a right of interest of such third Party
A public body requests information of a data subject based on public interest
4 TYPES OF REQUESTS AND COMPLAINTS
Request for access to personal information/record and access to additional personal information/record
Request for correction and or deletion of personal Information/record
Request for a restriction on the processing of personal information/record
Objection to the processing of personal Information
Objection to processing of information for the purpose of direct marketing by means of unsolicited electronic communications
If a Data Subject raises a complaint regarding how Techniworld CC has handled his/her/its PI, such Data Subject may contact Techniworld CC’s Information Officer who must investigate the matter.
If a Data Subject is not satisfied with Techniworld CC’s response or believes that Techniworld CC is not processing his/her/its PI in accordance with the POPIA, such Data Subject may lodge a complaint with the Information Regulator as per Section 74 (1) or (2) of POPIA.
5 ACCESS POINT FOR REQUESTS AND COMPLAINTS
Techniworld CC’s Information Officer shall be the only entry point through which any Personal Information Request in terms of the POPIA must be channelled and processed.
A requester may also make a request to Techniworld CC by means of email, telephone or in person, to send him/her/it the necessary Forms.
All requests in terms of the POPIA must therefore be addressed to:
The Information Officer Techniworld CC
PO Box 3063
Techniworld CC Reception: +27 870 736 928
All requests must be emailed or sent to the Information Officer.
6. REQUEST PROCESSING PROCEDURE
Any request in terms of the POPIA must be submitted by the Requester to Techniworld CC at the address specified on the Form and set out in clause 5 above (i.e. Access Point for Requests for Information) of this Procedure, together with any other information that may be required when making a decision pertinent to the request.
A Data Request Processing Register shall be kept.
The Request Administrator, appointed by the Information Officer, shall immediately when a request or objection is received, log the request/objection in the Data Request Processing Register and track the progress of the processing of the request in the mentioned Register.
The Information Officer is authorised to refer a request to any one of Techniworld CC’s Deputy Information Officers for processing.
A request which does not comply with the formalities contained in this Procedure will be referred to the requester with advice on the necessary steps for compliance and re-submission.
Techniworld CC shall not commence processing of the Data Subject Request unless:
The Request documentation is complete.
The Requester who lodged a request/objection provides sufficient information to enable Techniworld CC:
To properly identify the requester (i.e. submit acceptable proof of identity such as a certified copy of their Identity Document/Passport or other legal form of identification
To properly confirm that the requester indeed has the legal authority to make the request (i.e. an explanation of the requester’s right to exercise any of the rights provided for in POPIA)
To identify the legal basis and purpose/reasons of the specific request.
A request shall be processed within 30 days from the date that Techniworld CC has received such data request, except where Techniworld CC has, prior to the expiry of the above 30 days, arranged with the requester for an extension of no longer than an additional 30 days
Where the requester is required to pay a fee for services or information provided to him/her/it, Techniworld CC:
Must provide the requester with a written estimate of the amount payable before providing the service
May require that the requestor pay a deposit for all or part of the fee, if any, to be charged
Each request shall be considered on its own merits talking into account Techniworld CC’s POPIA Decision- making Guidelines.
In case of Techniworld CC denying/refusing the request/objection, the written notification will include the reasons for the refusal.
The response shall always be in writing and (as far as reasonably practicable) in the manner/format as indicated by the requester in the applicable Form.
Techniworld CC’s response to a request/objection shall always contain a statement:
Advising the requester that in case of the requester disagreeing with Techniworld CC’s response, that the requester may approach the Information Regulator as per Section 74 (1) or (2) of the POPI Act.
Advising the requester of his/her right to request the correction of the information.
In the case where Techniworld CC may or must refuse a part of the request as per the grounds set out in the Guidelines, every other part shall still be disclosed.
There is no internal appeal procedure within Techniworld CC against a decision of the Information Officer.
The POPIA provides for the lodgement of a complaint with the Information Regulator by a Requester against:
The fee charged, or the form of access granted;
Refusal of the request to grant a request; and/or
Decision to extend the 30 days’ period for granting the requested access.
7. REQUEST FOR ACCESS TO PERSONAL INFORMATION/RECORD
Request for Access to Personal Information/Record
A requester, has the right to ask Techniworld CC whether or not Techniworld CC processes any PI concerning him/her/it (i.e. the Data Subject self) or another data subject, provided that the requester has the legal authority to make a such a request.
Form 1 (Request for Access to PI) must be completed by the Requester to make the above Request.
The processing of this type of requests is FREE OF CHARGE.
8. REQUEST FOR ACCESS TO ADDITIONAL INFORMATION
Where the response to the request in clause 7 has been in the affirmative, a requester may request additional information relating to the PI that Techniworld CC is processing.
The additional information may relate to the following:
The record or description of the PI;
The purposes of the processing of the PI;
The categories in which such PI falls;
The recipient or categories of recipients of the PI;
Whether any cross-border transfer of PI has or will occur and what safeguards to protect the PI are in force;
How long the PI is stored (or what criteria or legal platform is used to determine the time-period that the data will be stored for);
If the PI was not directly collected from the data subject, the disclosure of the identity of the source of the PI, i.e. PI collected from a third-party source;
Whether the PI is and/or will be subjected to any automated processing and/or profiling and any potential consequences involved.
Form 1 (Request for Access to Personal Information) must be completed by the Requester to make this request. This form is used for both a request for confirmation and additional information).
A REASONABLE FEE in respect of the provisioning of the above information (or where a fee has been prescribed by regulation, the prescribed fee) may be levied by Techniworld CC:
Techniworld CC will provide the requester with a written estimate of the fee before providing the above information;
Techniworld CC may require the requester to pay a deposit for all or part of the fee before processing the request.
9. REQUEST TO CORRECT OR DELETE PERSONAL INFORMATION/RECORD
A requester may submit a request to correct and or delete Personal Information/record that Techniworld CC has under its control.
The grounds on which such a request may be made are that the Personal Information is:
Out of date;
Obtained unlawfully; or
In case of a request for the destruction or deletion of Personal Information, that Techniworld CC is no longer authorised to retain the personal information/record, i.e. the retention of the personal information is no longer necessary to achieve the purpose for which the Personal Information was originally collected.
Form 2 (Request for Correction or Deletion of Personal Information) must be fully completed by the Requester to make the above Request.
The Requester must provide Techniworld CC with the necessary information to process such a request, i.e.:
In case of a request to correct personal information, accurate information regarding the personal information to be corrected; or
in case of a request to delete personal information, a full explanation of the grounds on which the request to delete is based.
Techniworld CC must, as far as reasonably practicable, ensure that the information provided by the requester is correct, before changing and/or deleting the Personal Information/record.
After consideration of the request AND in the case where Techniworld CC agrees to the correction or deletion, Techniworld CC shall:
Correct the information;
Destroy or delete the information; and/or
Provide the requester with credible evidence in support of the actions taken by Techniworld CC in writing.
In the case where Techniworld CC DOES NOT AGREE with the request to correct or delete the information AND Techniworld CC has endeavoured to reach agreement with the requester BUT has failed to reach agreement with the Requester, AND the requester so requests, Techniworld CC shall take such reasonable practicable steps to attach to the Personal Information a note, (which must at all times be able to be read with the Personal Information), that a request for correction and/or deletion has been made, but not granted.
In case where Personal Information has been changed and the change impacts on decisions that have or will be taken regarding the data subject, Techniworld CC must (if reasonably practicable) inform each person or body (company) to whom the information has been disclosed, of the steps that Techniworld CC has taken.
10. REQUEST TO RESTRICT PROCESSING OF PERSONAL INFORMATION/RECORD
A requester may request a restriction/limitation of the processing of Personal Information in one of the following circumstances1:
The data subject contests the accuracy of the processed personal information/record –
Techniworld CC must restrict processing until the accuracy of information has been verified.
The data subject is of the view that the processing is unlawful;
The data subject is of the view that Techniworld CC does not need the information for the original purpose for which it was processed or further processed, BUT the information must be retained/maintained for purposes of proof; * 1 Section 14(6)
The processing is unlawful BUT the data subject opposes the destruction or deletion of information/record and requests the restriction of its use instead;
The data subject requests to transmit the personal information into another automated processing system; or
Processing must be restricted pending a decision regarding an objection to processing.
Form 3 (Request for restriction of processing of personal information) must be completed by the Requester to make the above request.
Where a processing restriction is in place, the personal Information may indeed be stored but not processed without the data subject’s consent, except
Where processing may continue for legal reasons -in which case the data subject must be informed.
Third parties who process Personal Information on behalf of Techniworld CC must also be informed of any restrictions.
11 OBJECTION TO PROCESSING OF PERSONAL INFORMATION/RECORD
A data subject has the right to object to the processing of personal information/record, on reasonable grounds relating to his/her particular situation, on the grounds set out in 11.2 below, unless legislation provides for such processing2.
The grounds for objection to processing are:
The data subject disputes the basis of Techniworld CC’s authority to process the Personal Information, i.e. Techniworld CC’s basis for processing is:
The protection of the legitimate interests of the data subject; or
It is necessary for the proper performance of a public law duty by a public body; or
It is necessary for pursuing the legitimate interests of Techniworld CC or of a third party to whom the information is supplied.
The data subject may also object to the processing of his/her personal information for the purpose of direct marketing other than direct marketing by means of unsolicited electronic communications. * Section11(1)(d)- (f) and 11(3)(a) and (b)
Form 4 (Objection to the processing of personal information) must be completed by the requester to make the above Request.
During the time that Techniworld CC is considering the objection the processing of the personal information in question must be restricted or Techniworld CC must be able to justify the reasons for the continued processing.
During a restriction on processing of personal information, information may be stored but not processed without the data subject’s consent, except where processing may continue for legal reasons, in which case the data subject must be informed.
Third parties who process data on behalf of Techniworld CC must also be informed in writing of any restrictions pertinent to the processing of the specific Personal Information, or where an objection to the processing of Personal Information has been successful, such third parties must be notified in writing of the termination of processing of the personal information.
12. OWNERSHIP AND REVISION
Techniworld CC’s Information Officer owns this procedure and shall revise this procedure as and when necessary.
13. ANNEXURE A – REQUEST PROCEDURE FLOWCHART
Notes on flowchart above
Note 1 Request received from Requester.
A request may be received via email; from our web site; a telephonic enquiry.
Forms for the different type of requests/objection are available for this purpose to assist the requester.
The request should be directed to the Information Officer.
In the instance where a request/objection is received by any department of Techniworld CC such request should immediately be directed to the Information Officer or appointed representative.
Note 2 Enter the request into the Request/Objection Register (log).
All requests received to be logged in the Request/Objection Register with the date of the request.
Entries to be made by Request Administrator under supervision of the Information Officer.
Note 3 Confirm identity and authority of requester/data subject.
If the requester’s identity and/or authority cannot be confirmed the request is rejected.
Only official forms or methods of identification are accepted.
If the request is denied/rejected, due to failure to confirm identity and/or authority, the rejection and the reason must be communicated to the requester/data subject.
The Request Administrator is responsible for identity and authority confirmation.
Note 4 Ascertain the lawfulness/validity of the request.
If the request is considered/adjudged to be unlawful, or without any basis in fact, it is to be rejected and the grounds for rejection are to be communicated to the requester.
The rights of the requester must also be communicated in writing, including their right to lay a complaint with the Regulator.
If the request is considered/adjudged to be lawful and reasonable, it must be decided whether a charge will be levied or not.
These charges and the time periods required to complete the request must be communicated to the requester.
The Information Officer (and the Request Administrator) must be part of the decision and further communication.
Note 5 Levying a charge for the request.
Section 54 of the POPI Act entitles a Techniworld CC (a private body) to levy a prescribed request fee to a Requester before further processing the request.
The fees that may be charged have been published by the Minister of Justice and Constitutional Development and are available on request.
According to POPI a Responsible Party is entitled to levy a prescribed fee for the provision of Personal Information about the Data Subject in its possession at R3.50 per page.
Note 6 Preparing the requested information.
30 (thirty) days is allowed to comply with the request.
If more time is required by Techniworld CC because of planning and other time constraints, this fact and the reasons for the delay and extension must be communicated to the requester.
This communication must take place within the first thirty (30) days of the request being received.
No more than a further 2 (two) months is permissible.
The Information Officer (and the Request Administrator) must communicate with the data owner and together must be part of the decision and further communication.
Note 7 Provide the requested information or taking of action
The requested information is provided to the requester in the format requested.
Actions such as corrections or deletions are taken, if necessary.
Limitation or objection to processing are implemented.
Any one of the above is refused/denied.
The above to be communicated to the Requester by the Request Administrator or Information Officer.
Note 8 Close out the request.
Update the request register/log with relevant actions taken and date of compliance with the request.
Request Administrator signs off on the completion of the request and updating of the register/log.