PROCESSING OF PERSONAL INFORMATION POLICY
1. Conditions for lawful processing
The Marathon Group consists of various individual companies, and every company within the Group is committed to processing data in accordance with its responsibilities under the Protection of Personal Information Act (“POPI Act”).
Personal information must be processed—
- lawfully and in a reasonable manner that does not infringe the privacy of the client.
Personal information may be processed—
- if, given the purpose for which it is processed, it is adequate, relevant and not excessive;
- only if the client, or a competent person where the client is a child, consents to the processing;
- if processing is necessary to carry out actions for the conclusion or performance of a contract to which the client is party;
- if the processing complies with an obligation imposed by law on the company;
- if the processing protects a legitimate interest of the client;
- if the processing is necessary for the proper performance of a public law duty by a public body; or
- if the processing is necessary for pursuing the legitimate interests of the company or of a third party to whom the information is supplied.
The conditions for the lawful processing of personal information by or for a company are the following:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Client participation
The company is obligated to ensure compliance with the conditions for the lawful processing of information, as provided for in terms of the POPI Act, and with the measures that the company implements to give effect to those conditions throughout its engagement with its clients, employees and other stakeholders.
This policy sets out the principles for the personal information framework which shall include various measures, procedures and controls to ensure that all personal information processed by the company is protected. The company shall establish a function which shall be responsible for encouraging and ensuring compliance with the POPI Act and the company’s personal information risk management and compliance framework.
3. Processing limitation
The company shall process personal information lawfully and fairly. The company shall process information for a specific reason and shall process only adequate, relevant information that is limited to the purposes for which it is processed. Furthermore, information under the company’s control shall only be processed with the informed consent of the client or for legitimate and justifiable reasons as provided for in the POPI Act.
The company shall inform its clients of the purpose or reasons for the collection of personal information and shall obtain written consent from the client. Information shall be obtained directly from the client unless the client has consented to the collection of personal information from another party, or unless the company can demonstrate a justifiable reason, as provided for in the POPI Act, for collecting information from another source.
The client has the right to withdraw consent or object to the processing of personal information and is required to do so in the prescribed manner.
The company shall further take special care to limit processing in respect of special information and shall in all such cases aim to comply with the conditions of the POPI Act.
4. Purpose specification
The company shall collect personal information for a specific, explicitly defined and lawful purpose that relates to the function or the activity of the company. The company shall endeavour to ensure that the client is aware of the purpose for the collection of information to enable the client to make an informed decision on whether or not to disclose the personal information to our organisation.
The company may not retain personal information any longer than necessary for achieving the purpose for which we have collected or processed the information unless:
- We are required by law to retain information for a longer period;
- Retention is required for lawful purposes related to our functions or activities;
- Retention is required in terms of a contract between the client and the company;
- In the case of a child's personal information, a competent person has consented to the retention of the records.
Once the personal information has been retained for the period mentioned above, the POPI Act requires that the company:
- Destroy or delete the record; or
- De-identify personal data to such an extent that it cannot be reconstructed in a clear form.
In circumstances where the company is required to restrict the processing of personal data as prescribed by the POPI Act, we shall only process the information for the following purposes, and shall inform the client before lifting the restriction:
- For storage purposes;
- For purposes of proof;
- With the consent of the client;
- For the protection of another person’s rights; or
- If such processing is in the public interest.
5. Further processing limitation
If the company wants to process the personal information further or for additional purposes, it must be compatible or in line with the purpose for which it was collected.
To determine whether this is the case the company shall consider the following:
- The relationship between the purpose for which it wants to further process the information and the purpose for which the information was collected;
- The nature of the information;
- The consequences of further processing of the information for the client;
- The manner in which the information was collected; and
- Our contractual obligations.
Thus, if the company wants to further process the information it holds and the purpose is not compatible with the original purpose, the company shall be required to obtain consent from the client or demonstrate a justifiable reason, as provided for in the POPI Act, for further processing the personal information.
6. Information quality
The company will take reasonably practicable steps to ensure that the personal information obtained from our clients or third parties is complete, accurate, not misleading and updated where necessary.
As an organisation, we understand that personal information is sensitive and we have implemented reasonable measures to ensure that personal data is not modified or misused by an unauthorised person.
The company is required to maintain documentation of all processing operations under its responsibility, as referred to in terms of the Promotion of Access to Information Act (“PAIA”).
The company will take reasonable steps to ensure that, before information is collected, the client knows that personal information about him or her is being collected, the source from which it is collected and the purpose for which it is collected, together with the information below:
- The name and address of the company;
- Whether the information provided is mandatory or voluntary;
- Consequences of failure to provide the information;
- A law authorising or requiring the collection of information;
- If applicable, whether the company intends to transfer the information to a third country or international organisation and the level of protection afforded;
- Recipients of the information;
- Nature and category of the information;
- The client’s right of access and the right to rectify the information collected;
- The client’s right to object to the processing of personal information;
- The right to lodge a complaint with the Information Regulator and the contact details of the Information Regulator.
8. Security safeguards
The company has the responsibility to secure the integrity and confidentiality of personal information in its possession or under its control, and the company shall take reasonable and appropriate technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
The company shall identify all reasonably foreseeable internal and external risks to personal data under its control and establish safeguards against those risks. The company will review its control measures and their effectiveness and update the safeguards in response to new risks or deficiencies in the safeguards.
In the unfortunate event that the safeguards implemented are breached, or if the company has reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the company will be required to notify the Information Regulator and the client as soon as reasonably possible after the discovery is made.
9. Client participation
A client has the right to request from the company whether it holds personal information about the client and the company shall provide confirmation free of charge. A client may further request records of personal information. The company must first establish the identity of the client before disclosing the information and must respond to such a request within a reasonable period and in a form that is generally understandable.
If there are grounds for refusal of access to records set out in PAIA the company may refuse access to the information, but information that does not fall within the ambit of the exclusion in terms of PAIA must be disclosed. The company shall provide the client with reasons for refusing to provide access to information.
10. Amendments to this Policy
Amendments to this Policy will take place on an ad hoc basis or at least once a year. Clients are advised to check our website periodically to see whether any changes have occurred. Where material changes are effected, clients will be notified accordingly.