In South Africa, companies/organisations are required to have a comprehensive Privacy Policy to ensure compliance with the Protection of Personal Information Act (POPIA). This important piece of legislation is designed to safeguard data subjects by protecting their personal information from various threats, including security breaches, theft, and discrimination.
By adhering to the guidelines and requirements set forth by POPIA, businesses can foster trust and demonstrate their commitment to upholding the privacy and rights of individuals. This not only helps in mitigating potential legal repercussions but also enhances the overall reputation of the Company.
1. Definitions
The definitions have been taken from the Promotion of Access to Information Act 2 of 2000 as amended (PAIA) and the Protection of Personal Information Act 4 of 2013 (POPIA):
1.1 The Company: WANATU (Pty) Ltd
1.2 Data subject: the person whether natural or juristic, to whom personal information relates.
1.3 Consent: any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
1.4 Information officer: the head of a private body as contemplated in section 1 of POPIA.
1.5 Personal information: information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to:
1.5.1 Information relating to the race, gender, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person.
1.5.2 Information relating to the education, medical, financial, criminal, or employment history of the person.
1.5.3 Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person.
1.5.4 The biometric information of the person.
1.5.5 The personal opinions, views, or preferences of the person.
1.5.6 Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
1.5.7 The views or opinions of another individual about the person.
1.5.8 The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
1.6 Processing: any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
1.6.1 The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use.
1.6.2 Dissemination by means of transmission, distribution or making available in any other form.
1.6.3 Merging, linking, as well as restriction, degradation, erasure, or destruction of information.
1.7 Record: any recorded information regardless of form or medium, including:
1.7.1 Writing on any material.
1.7.2 Information produced, recorded, or stored by means of any tape recorder, computer equipment, whether hardware or software, or both, or other device, and any material subsequently derived from information so produced, recorded, or stored.
1.7.3 Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means.
1.7.4 Book, map, plan, graph, or drawing.
1.7.5 Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
1.7.6 In the possession or under the control of a responsible party.
1.7.7 Whether or not it was created by a responsible party.
1.7.8 Regardless of when it came into existence.
1.8 Responsible party: a private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
1.9 Requestor: any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of the Company, or a person acting on behalf of such body or person.
2. Scope and Application
The purpose of this policy is to ensure that the data subject’s right to privacy, respect, confidentiality, and autonomy is respected and attained. The policy applies to the collection, storage, access, use, and disclosure of the data subject’s personal information in accordance with the following legislation and guidelines:
2.2.1 South African Constitution 1996.
2.2.2 Protection of Personal Information Act, No. 4 of 2013.
2.2.3 Basic Conditions of Employment Act, No. 75 of 1997.
2.2.4 Labour Relations Act, No. 66 of 1995.
2.2.5 The Unemployment Insurance Contributions Act, No. 4 of 2002.
2.2.6 Income Tax Act, No. 113 of 1993.
2.2.7 Skills Development Act, No. 97 of 1998.
2.2.8 The Promotion of Access to Information Act 2 of 2000.
3. Information Officer
The details of the Information Officer for purposes of gathering information, updating information and withdrawal of consent by the data subject are:
The Company will collect only necessary personal information from data subjects as outlined in this Policy and utilise it solely for its designated purpose.
4.1 All information gathered by the Company will be gathered by a duly authorised representative of such Company.
4.2 The following methods will be used to collect the necessary personal information:
4.2.1 When the data subject contacts the Company through the website.
4.2.2 When the data subject contacts the Company by e-mail.
4.2.3 When the data subject contacts the Company by telephone.
4.2.4 When the data subject contacts the Company through Social Media Platforms or Apps, where applicable.
4.2.5 When the Company enters into a contract for services with the data subject.
4.2.6 Where the data subject otherwise engages with the Company.
5. Justification
The Company will only process information under any one of the following conditions:
5.1.1 With the consent of the data subject.
5.1.2 Where the processing is necessary for the performance or conclusion of a contract between the Company and the data subject.
5.1.3 Where the processing is an obligation placed on the Company by law.
5.1.4 The processing protects the legitimate interest of the Company to whom the information is supplied.
6. Information Classification
The personal information collected by the Company may include the following:
6.1 In respect of the Company’s clients:
6.1.1 Names, contact details, registration numbers, and Company registration documents.
6.1.2 Addresses.
6.1.3 Bank Account details.
6.1.4 VAT Numbers.
6.1.5 References from client suppliers.
6.1.6 Information obtained from Credit Checks.
6.1.7 Operational information of the client to carry out the services the clients have requested.
7. Purpose of Gathering
The purpose of gathering the information is to render goods and services in pursuance of a contract, in pursuance of entering and considering entering into agreements with distributors, or for employment in relation to employees or as required by law.
8. Retention and Destruction
8.1 All personal information will be recorded in the following formats:
8.1.1 Electronically.
8.1.2 Paper.
8.2 Electronic information will be retained on servers.
8.3 Information held on paper is kept in locked-up storage.
8.4 Personal information of data subjects is stored in line with applicable legislation, and only the information necessary for achieving the purpose for which it was gathered is stored.
8.5 We retain personal information of active users for the duration of their service usage. All live chats between users and the Company on our Apps are stored indefinitely.
8.6 Client records will be kept for the duration of engagement with the Company, and once the client is deemed as non-active, the Company will delete all electronic information and shred all information held on paper, subject to paragraph 8.7.
8.7 The Company collects and stores all records in accordance with law for a maximum of five (5) years. After this period, the Company destroys the information in a way that prevents reconstruction. To ensure confidentiality and security, all information is stored on a password-protected server, monitored by independent service providers. Access to the Company's devices and server is granted only through verified usernames and passwords.
9. Disclosure
9.1 Where applicable, an authorised person of the Company may disclose personal information of the data subject to the following categories, including but not limited to:
9.1.1 Bookkeeper, payroll administrator, or financial institution.
9.1.2 Directors, shareholders, and personnel of the Company.
9.1.3 Service providers of the Company.
9.1.4 Legal representatives when enforcing terms and conditions of service agreements, or defending actions or applications instituted against the Company.
9.1.5 Any authority requiring the information by law.
9.2 The Company ensures that persons to whom information is disclosed are subject to strict agreements to keep information confidential and compliant with the Act.
10. Information Quality
10.1 Should a data subject wish to update their information or withdraw their consent to use their personal information, the requestor is to address such information to the Information Officer at the address reflected in paragraph 3.
11. Restriction
11.1 The Company will restrict the processing of a data subject’s personal information under the following conditions:
11.1.1 When a data subject contests the accuracy of the information, the Company will restrict the information for a reasonable time period to enable the data subject to verify the accuracy of the information.
11.1.2 The personal information is no longer necessary for the Company to achieve the purpose for which it was collected but is required to be retained for purposes of proof.
11.1.3 Should the information become unlawful, and the data subject requests the restriction thereof as opposed to the destruction thereof.
11.1.4 The data subject requests to transmit the personal information to another automated processing system.
11.2 If the Company plans to use a data subject's personal information for any purpose beyond services or employment, it will first obtain consent from the data subject.
11.2.1 An authorised representative of the Company must obtain written consent directly from the data subject as soon as the Company determines that such information will be used.
12. Security Safeguards
12.1 The Company stores electronic information on servers, which are managed in terms of the following security measures:
12.1.1 Policies to detect and notify the Company of any risky activity.
12.1.2 Regular reviews of the collection, storage, and processing practices, including physical safety measures, to prevent unauthorised access to the system.
12.1.3 Restriction of access to personal information to employees, contractors, and agents who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet those obligations.
12.2 The Company’s system can only be accessed with usernames and passwords.
12.3 All devices of the Company’s representatives are password-protected.
12.4 In relation to all documents in paper format, the Company ensures that such documents are locked in cabinets held in secured offices.
12.5 The Company follows a procedure to identify the source of any data breach, neutralise the breach, and improve measures to prevent reoccurrence.
12.6 The Company’s devices are administered by independent service providers, who are responsible for regular data backups and safekeeping. They work closely with the server host to ensure the integrity of the entire system.
13. Security Breach
13.1 Should any personal information of the data subject be accessed by unauthorised persons, the Company will immediately alert the data subject together with the Information Regulator in writing.
13.2 Process: The data subject and the Information Regulator shall be notified in any of the following ways:
13.2.1 E-mail to the last known e-mail address.
13.2.2 On the website of the Company, displayed in a prominent manner.
13.2.3 Published in the news and/or media.
13.2.4 As may be directed by the Regulator.
13.3 The notification will include the following information:
13.3.1 The possible consequences of the compromise.
13.3.2 The measures that the Company intends to take to address the compromise.
13.3.3 A recommendation of the measures to be taken by the data subject to mitigate possible prejudice caused by the compromise.
13.3.4 If the identity of the person who compromised the security is known by the Company, then such identity will be disclosed.
14. Consent by a Data Subject
14.1 You consent to the Company's processing of your personal information and acknowledge its commitment to confidentiality. The Company treats all information as private and confidential. Your explicit and informed consent is necessary to comply with both the Company's privacy standards and legal requirements.
14.2 You voluntarily give the Company, through its authorised representatives, permission to process your personal information. You understand and acknowledge the purposes for which this information is required and will be used.
14.3 The data subject (or a competent person if the data subject is a child) gives explicit and informed consent to the processing of their personal information. This consent is given voluntarily and with a full understanding of the purposes for which the information will be used.
14.4 Access to information will be subject to the following Acts:
14.4.1 Protection of Personal Information Act, No. 4 of 2013.
14.4.2 Promotion of Access to Information Act, No. 2 of 2000.
15. Third Parties
15.1 You acknowledge and agree to the following:
15.1.1 The Company may, if necessary, obtain information from third parties.
15.1.2 In certain circumstances, the Company may need to share information with third parties, including but not limited to service providers.
15.1.3 The Company does not intend to transfer your personal information to any other country or international organisation.
15.1.4 You give your consent for the Company to obtain information from third parties and share your information as set forth above, when deemed necessary.
16. Accuracy of Information
16.1 When you provide information to the Company, you are responsible for ensuring that it is complete, accurate, up-to-date, and not misleading.
16.2 If any of your information changes, you must notify the Company's Information Officer immediately and provide all necessary updates.
17. Right to Object and Withdraw Consent
17.1 You have the right to object to the Company's processing of your personal information and withdraw any consent you have previously given.
17.2 To object to the processing of your personal information or withdraw your consent, notify the Information Officer in writing. State your reasons clearly, sign the document, and email it to the Company's Information Officer at the email address reflected in paragraph 3.
18. Right of Access to Information Held by the Company
18.1 You have the right to request, at any time and free of charge, whether the Company holds any of your personal information. The Company will not withhold this information from you. However, if you require the full details of the personal information held by the Company, a fee will be charged.
19. Filing Complaints with the Information Regulator
19.1 You have the right to lodge a complaint with the Information Regulator if you suspect that the Company has misused your personal information. You can submit your complaint to the following address:
Name: Information Regulator South Africa
Address: 33 Main Street, Forum III, 3rd Floor, Braampark
P.O. Box: 31533, Braamfontein, Johannesburg
Phone: 010 023 5207
Email: inforeg@justice.gov.za
20. Denying Permission
20.1 By providing your personal information and consenting to its processing by the Company, you do so voluntarily. You have the right to refuse consent to the processing of your information. However, if you refuse consent, the Company will not be able to provide services as requested or fulfil any contractual obligations.
21. Contact Details
21.1 For any questions or concerns about this Policy, please email the Company's Information Officer at wanatu@wanatu.co.za.