PURPOSE AND OVERVIEW
As a business, Bastion Group is committed to the highest standards of professionalism, ethics and service delivery. We are committed to upholding every person’s constitutional right to privacy and ensuring that any processing of personal information we undertake is carried out in a lawful and transparent manner. We maintain a strict standard of confidentiality with our clients and never share personal information with third parties unless required by law or with the express consent of our clients.
Any personal information processed by Bastion Group is processed in accordance with the provisions of the Protection of Personal Information Act 4 of 2013 (“POPI”), and, where applicable, the General Data Protection Regulation 2016/679 (“GDPR”).
POPI
Bastion Group has taken comprehensive steps to ensure that its staff process any personal information in accordance with the provisions of POPI. Personal information is defined in section 1 of POPI to mean: “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
Depending on who determines the purpose of and means for processing personal information in a particular instance, Bastion Group acknowledges that it may be acting in the capacity of either a “responsible party” or an “operator” as defined in section 1 of POPI. Where a client is also the “data subject” as defined in section 1 of POPI and has not mandated Bastion Group to process personal information on the client’s behalf, that is a determining factor which puts Bastion Group in the role of a responsible party. Where Bastion Group processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party, Bastion Group will be acting as an operator. Whether acting as a responsible party or operator, Bastion Group will process personal information in accordance with the applicable provisions of POPI.
General Data Protection Regulation 2016/679
Bastion Group acknowledges that it offers its goods and/or services to persons domiciled in the European Union, which requires that data processing activities for such persons be carried out in accordance with GDPR.
Depending on who determines the purpose of and conditions for processing personal information in a particular instance, Bastion Group acknowledges that it may be acting in the capacity of either a “controller” or a “processor” as defined in GDPR. Where a client is also the “data subject” as defined in GDPR and has not mandated Bastion Group to process personal information on the client’s behalf, that is a determining factor which puts Bastion Group in the role of a controller. Where Bastion Group processes personal information for a controller in terms of a contract or mandate, Bastion Group will be acting as a processor. Whether acting as a controller or processor, Bastion Group will process data in respect of persons in the European Union in accordance with the applicable provisions of GDPR.
PRIVACY AND DATA PROTECTION OBLIGATIONS
Bastion Group acknowledges its privacy and data protection obligations and adheres to the highest standards possible to ensure the legal and safe processing of data, including personal information. Bastion Group remains accountable for ensuring compliance with POPI and/or GDPR, and has accordingly implemented measures and procedures which give effect to such compliance. In this regard, Bastion Group has registered its designated Information Officer with the Information Regulator established in terms of section 39 of POPI, as well as the Deputy Information Officers to whom the Information Officer has delegated its duties. Bastion Group further regularly trains its staff on their obligations arising from POPI and GDPR, and on general best practice insofar as privacy and data protection are concerned. Bastion Group also maintains an expert Information Technology team, which maintains its information security systems. In addition to this Policy, Bastion Group has published various other policies which assist its staff in enforcing privacy and data protection measures.
The measures and procedures implemented by Bastion Group extend to the fulfilment of the following obligations insofar as privacy and data protection are concerned. The client or person whose data/personal information is processed is referred to as the “data subject”.
Processing limitation
- Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
- Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
- Personal information may only be processed if—
- the data subject or a competent person where the data subject is a child consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on Bastion Group;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of Bastion Group or of a third party to whom the information is supplied.
- The data subject or competent person may withdraw his, her or its consent, provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information will not be affected.
- A data subject may object, at any time, to the processing of personal information—
- on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
- for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
- If a data subject has objected to the processing of personal information, Bastion Group may no longer process the personal information.
- Personal information must be collected directly from the data subject, except if—
- the information is contained in or derived from a public record or has deliberately been made public by the data subject;
- the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
- collection of the information from another source would not prejudice a legitimate interest of the data subject;
- collection of the information from another source is necessary—
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
- in the interests of national security; or
- to maintain the legitimate interests of Bastion Group or of a third party to whom the information is supplied;
- compliance would prejudice a lawful purpose of the collection; or
- compliance is not reasonably practicable in the circumstances of the particular case.
Purpose specification
- Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Bastion Group.
- Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
- retention of the record is required or authorised by law;
- Bastion Group reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject or a competent person where the data subject is a child has consented to the retention of the record.
- Records of personal information may be retained for historical, statistical or research purposes if Bastion Group has established appropriate safeguards against the records being used for any other purposes.
- Bastion Group must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after Bastion Group is no longer authorised to retain the record.
Further processing
- Further processing of personal information must be in accordance or compatible with the purpose for which it was collected.
Information quality
- Bastion Group must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Openness
- Bastion Group must maintain the documentation of all processing operations under its responsibility.
- If personal information is collected, Bastion Group must take reasonably practicable steps to ensure that the data subject is aware of—
- the information being collected and where the information is not collected from the data subject, the source from which it is collected;
- the name and address of Bastion Group;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- the fact that, where applicable, Bastion Group intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
- any further information such as the—
- recipient or category of recipients of the information;
- nature or category of the information;
- existence of the right of access to and the right to rectify the information collected;
- existence of the right to object to the processing of personal information; and
- right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
- It is not necessary for Bastion Group to make the data subject aware of its data processing if—
- the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
- non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
- non-compliance is necessary—
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
- for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
- in the interests of national security;
- compliance would prejudice a lawful purpose of the collection;
- compliance is not reasonably practicable in the circumstances of the particular case; or
- the information will—
- not be used in a form in which the data subject may be identified; or
- be used for historical, statistical or research purposes.
Security safeguards
- Bastion Group must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent —
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information.
- Bastion Group must take reasonable measures to—
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
- The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Acting as operator
- Where Bastion Group acts as an operator, it must—
- process such information only with the knowledge or authorisation of the responsible party; and
- treat personal information which comes to its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of its duties.
- A responsible party must, in terms of a written contract between the responsible party and Bastion Group (as the operator), ensure that Bastion Group establishes and maintains the security measures referred to in POPI.
- Bastion Group (as operator) must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Security compromises
- Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Bastion Group must notify—
- the Regulator; and
- the data subject, unless the identity of such data subject cannot be established.
- The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
- mailed to the data subject’s last known physical or postal address;
- sent by e-mail to the data subject’s last known e-mail address;
- placed in a prominent position on the website of Bastion Group;
- published in the news media; or
- as may be directed by the Regulator.
- The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including —
- a description of the possible consequences of the security compromise;
- a description of the measures that Bastion Group intends to take or has taken to address the security compromise;
- a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to Bastion Group, the identity of the unauthorised person who may have accessed or acquired the personal information.
Data subject participation
- A data subject, having provided adequate proof of identity, has the right to —
- request Bastion Group to confirm, free of charge, whether or not Bastion Group holds personal information about the data subject; and
- request from Bastion Group the record or a description of the personal information about the data subject held by Bastion Group, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
- If, in response to a request, personal information is communicated to a data subject, the data subject must be advised of the right to request the correction of information.
- Bastion Group may or must refuse, as the case may be, to disclose any information requested to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act
- A data subject may, in the prescribed manner, request Bastion Group to—
- correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
- destroy or delete a record of personal information about the data subject that Bastion Group is no longer authorised to retain.
- On receipt of a request, Bastion Group must, as soon as reasonably practicable—
- correct the information;
- destroy or delete the information;
- provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
- where agreement cannot be reached between Bastion Group and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
- If Bastion Group has taken steps that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, Bastion Group must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
- Bastion Group must notify a data subject, who has made a request, of the action taken as a result of the request.
Special personal information
- Bastion Group may not process personal information concerning—
- the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
- the criminal behaviour of a data subject to the extent that such information relates to—
- the alleged commission by a data subject of any offence; or
- any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
- The prohibition on processing personal information does not apply if the—
- processing is carried out with the consent of a data subject;
- processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- processing is necessary to comply with an obligation of international public law;
- processing is for historical, statistical or research purposes to the extent that—
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent,
- and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
- information has deliberately been made public by the data subject; or
- provisions of sections 28 to 33 of POPI are, as the case may be, complied with.
- The prohibition on processing personal information concerning a data subject’s race or ethnic origin does not apply if the processing is carried out to—
- identify data subjects and only when this is essential for that purpose; and
- comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
- The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.
Personal information of children
- Bastion Group may not process personal information concerning a child.
- The prohibition on processing personal information of children does not apply if the processing is—
- carried out with the prior consent of a competent person;
- necessary for the establishment, exercise or defence of a right or obligation in law;
- necessary to comply with an obligation of international public law;
- for historical, statistical or research purposes to the extent that—
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent,
- and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
- of personal information which has deliberately been made public by the child with the consent of a competent person.
Direct marketing
- The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
- has given his, her or its consent to the processing; or
- is a customer of Bastion Group.
- Bastion Group may approach a data subject—
- whose consent is required; and
- who has not previously withheld such consent, only once in order to request the consent of that data subject.
- The data subject’s consent must be requested in the prescribed manner and form.
- Bastion Group may only process the personal information of a data subject who is a customer of Bastion Group –
- if Bastion Group has obtained the contact details of the data subject in the context of the sale of a product or service;
- for the purpose of direct marketing of Bastion Group’s own similar products or services; and
- if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
- at the time when the information was collected; and
- on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
- Any communication for the purpose of direct marketing must contain
- details of the identity of the sender or the person on whose behalf the communication has been sent; and
- an address or other contact details to which the recipient may send a request that such communications cease.
Transfers of personal information outside the Republic
- Bastion Group in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
- the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
- effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
- includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and Bastion Group, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Bastion Group and a third party; or
- the transfer is for the benefit of the data subject, and—
- it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
- if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
- For the purpose of this provision—
- ‘‘binding corporate rules’’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
- ‘‘group of undertakings’’ means a controlling undertaking and its controlled undertakings.
CHANGES TO THIS NOTICE
This Policy was last updated on 30 June 2021. Please note that we may amend this Policy from time to time.
HOW TO CONTACT US
If any person has questions about this Policy or believes Bastion Group has not adhered to it, or needs further information about Bastion Group’s privacy practices or wishes to give or withdraw consent, exercise preferences or access or correct the person’s personal information, please feel free to contact Bastion Group at:
South Africa: 011 778 5800
International: +27 11 778 5800
Email: info@bastiongroup.co.za
INFORMATION REGULATOR
Any person has the right to complain to the Information Regulator regarding any breach of the POPI provisions by Bastion Group. The Information Regulator’s contact details are:
Information Regulator
Email: inforeg@justice.gov.za