TABLE OF CONTENTS
TANDM (Refers to either of the respective: TANDM Technologies (Pty) Ltd OR TANDM Systems (Pty) Ltd) (the Company) is involved in the collection, use and disclosure of certain aspects of the personal information of natural and juristic persons. Given the importance of privacy, the Company is committed to protecting the privacy of all data subjects and to ensure that personal information is processed properly, lawfully and transparently.
The purpose of this Policy is to inform data subjects about the type of personal information the Company collects, the ways in which it is collected, used, shared, stored and protected.
scope & application
This policy adheres to the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act of 2000 and the Promotion of Access to Information Act 2 of 2000 (PAIA).
POPIA aims to give effect to the constitutional right to privacy by balancing the right to privacy against that of access to information. POPIA requires that personal information pertaining to all persons and entities be processed lawfully and in a reasonable manner that does not infringe on the right to privacy. A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.
PAIA aims to give effect to the constitutional right of access to any information held by private bodies for the exercise and protection of any rights. PAIA allows data subjects to access their personal information that is held by the Company without request. The Company’s PAIA manual stipulates which information is automatically available to the public, and which information must be requested following the procedure stipulated in the Company’s PAIA manual.
collection of personal information
How personal information is collected
The Company collects personal information from the following sources:
- directly from the data subject;
- based on the use of the Companies products, services, or service channels;
- based on how the data subject interacts with the Company, such as on social media, through emails, letters, telephone calls, the website and surveys;
- from public sources (such as newspapers, social media, websites and online public directories);
- from affiliate parties for the purpose of conducting business.
When personal information is collected, the Company will indicate the purpose for the collection and whether the information required is compulsory or voluntary.
Types of personal information collected
Personal information collected by the Company may include, but is not limited to, a data subjects name, email address, phone number and employment details. The Company may, at sole discretion, request additional information such as physical address, account information, identifying numbers or any other information required for the purpose at hand.
If the data subject is a juristic person, such as a company or close corporation, the Company may collect and use personal information of a person related to the juristic person. These related persons may include the juristic person’s owners, directors, officers, employees, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, sureties and other security providers and persons related to the juristic person. If the personal information of a related person is provided, the Company assumes that the related person is aware that his/her personal information is being shared, and that consent has been provided.
The Company does not knowingly collect personal information of children and will not process the personal information concerning a child.
In all cases, the Company will collect the minimum information required for the purpose of which the information is collected. Information will only be retained for as long as necessary to achieve the purpose for which it was collected unless the retention of information is required by law or for contractual purposes.
Processing personal information
Conditions for processing personal information
The Company will only process personal information for lawful purposes relating to the Company’s business if the following conditions are met:
- the data subject has consented thereto;a person legally authorised by the data subject, the law or a court has consented thereto;
- it is necessary to conclude or perform on a contract with the data subject;
- it is required to pursue a legitimate interest of the data subject, the Company or an affiliate party;
- the law requires or permits it.
Reasons for processing personal information
The Company will process personal information for the following reasons:
- to open, manage and maintain a data subject’s accounts, contracts, agreements or relationship with the Company;
- to enable the Company to deliver goods, documents or notices;for security and identity verification, and to verify the accuracy of personal information;
- to communicate with the data subject and carry out instructions and requests;to process payment instructions;
- to conduct affordability assessments, credit assessments and credit scoring (where applicable);
- for customer satisfaction surveys, promotions and competitions;
- to enable the data subject to participate in and make use of value-added products and services.
Processing information for direct marketing
If a data subject is a customer of the Company, his/her personal information may be used to inform him/her about products, services and special offers from the Company or related subsidiaries. This marketing will be conducted in-person, by telephone or through electronic channels such as SMS and email.
If a data subject is not a customer of the Company, or in any instances where the law requires, the Company will only market to the data subject by electronic communications and only when consent has been provided.
In all cases the data subject can request the Company to stop sending marketing communication at any time.
Managing personal information
Correcting and updating information
All reasonable practical steps will be taken by the Company to ensure that the personal information is complete, accurate, not misleading and updated where necessary. However, it is the data subject’s responsibility to advise the Company of any changes to his or her personal information, as and when these may occur.
A data subject can request the Company to review his or her personal information contained in the Company’s records any time to correct or update the information. This request can be directed to the company via email or phone.
Where personal information is collected or received from third parties, the Company will take all reasonable steps to confirm that the information is correct by verifying it directly with the data subject.
Deletion and/or retention of information
A data subject may request the Company to delete his/her personal information. However, the Company may keep a record of the personal information if it is required for historical, statistical or research purposes or if it has been de-identified. Usually, personal information must be retained for a minimum of five years from the last date of transaction, unless otherwise specified in the Company’s relevant documents and data retention policy. Should the data retention be influenced by additional legislation, the legislation with the longest retention period will take preference.
disclosure of personal information
The Company will not sell, rent or provide the personal information of a data subject to unauthorised entities or third parties, for their independent use, without the consent of a data subject. However, information may be released when it is necessary to enforce the Company’s policies, protect the rights and safety of the Company or affiliate parties or if the Company has a duty to disclose in term of the law.
Access to information
The Company and its employees are not allowed to share personal information informally. Where access to personal information is required, this may be requested from the Information Officer following the guidelines and procedures available in the Company’s PAIA Manual.
Prior to processing any personal information, the Company will obtain specific and informed consent from the data subject for a specific processing purpose. Informed consent is when the data subject clearly understands for what purpose his or her personal information is needed and who it will be shared with.
The request for consent must be written in plain language and must be in an opt-in format, that is, not any pre-ticked boxes or any type of default consent. The data subject may change this consent at any point.
Consent to process personal information will be obtained directly from the data subject except where the personal information has been made public, valid consent has been given to a third party or where the information is necessary for effective law enforcement.
To limit the collection of information, a data subject can disable cookies on his/her browser. A data subject can also modify browser settings to require permission each time a site attempts to set a cookie. However, cookies enable certain website functions, and disabling cookies may render some of the Company’s website features and functionality unavailable.
Website tracking & analytics
The Company uses Google Analytics for third-party behavioural tracking. Google Analytics is a web analytics service offered by Google to track, monitor and report on the Company’s website traffic and usage. The data collected is shared with other Google services and may be used by Google to contextualize and personalize advertisement on own advertising network. A data subject can opt-out of having his/her activity made available to Google Analytics by installing a Google Analytics opt-out browser add-on. More information about the privacy practices of Google can be found on the Google Privacy & Terms page.
partners, third parties & service providers
The Company may disclose the data subject’s personal information to affiliate partners, third parties and service providers. The Company has service agreements in place to ensure that these affiliates treat personal information as a confidential business asset. Affiliate parties may not directly or indirectly, utilise, disclose or make public in any manner any personal information, unless the disclosure is necessary to perform duties determined by the service agreement between the Company and the affiliate party or if it is required by law or court order.
Cross-border transferal of personal information
As the Company works closely with affiliate parties in several countries, the personal information of a data subject may be shared with these affiliate parties in other countries and processed in those countries as part of the normal service process of the Company.
The Company will only transfer a data subject’s personal information to third parties in another country under the following circumstances:
- where a data subject’s personal information will be adequately protected under the other country’s laws or an agreement with the affiliate recipient;
- where the transfer is necessary to enter into, or perform, under a contract with the data subject or a contract with an affiliate that is in the interest of the data subject;
- where the data subject has consented to the transfer;
- where it is not reasonably practical to obtain the consent of the data subject, and the transfer is in the interest of the data subject; and
- the transfer will happen within the requirements and safeguards of the law.
Securing personal information
The Company implements various technical, administrative and physical security measures when a data subject enters, submits or accesses his/her personal information. All information will be stored in secured environments that is only accessible by a limited number of employees with special access rights. The Company takes every precaution to prevent the loss, misuse and alteration of information under its control.
In the event of a data breach, the Company will follow the procedure stipulated in POPIA. The Company will inform the Information Regulator and affected data subjects or an information breach in writing as soon as reasonably possible. The notification must provide the data subject with sufficient information to allow the data subject to take protective measures against the potential consequences of the unauthorized access. In addition, the Company has a data breach response plan that will enable the Company to contain the breach, investigate the cause of the breach and minimize the potential damage to data subjects and affiliate parties.
review of this policy
The Company reserves the right to amend, including without limitation by the addition of new terms and conditions, this Policy. This Policy will be reviewed at least annually by the Company and where and where necessary, updated to ensure that the provisions remain sufficient to identify, assess, evaluate and mitigate any compliance risks associated with the provisions of POPIA and PAPIA. The amended version of this Policy shall supersede and replace all previous versions thereof.
Should a data subject believe that the Company has utilised his/her personal information contrary to provisions made in POPIA and PAPIA, the data subject undertakes to first attempt to resolve the concern with the Company using the contact details listed below:
342 The Rand Street, Lynnwood, Pretoria, 0081
+27 87 092 0920
Last revision date: August 2021