DPO SOUTH AFRICA PRIVACY POLICY

Your data privacy is of utmost importance to DPO South Africa. Please see our privacy policy below. You can also view our PCI and GDPR policies on the links indicated.

  1. INTRODUCTION
    1. DPO South Africa operates in the Republic of South Africa. The company is fully compliant with the Protection of Personal Information Act No. 4 of 2013 (“POPIA”) and acts as both a responsible party and a operator on behalf of data subjects that DPO South Africa performs processing for. DPO South Africa is committed to compliance with all relevant South African laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information DPO South Africa collects and processes in accordance with POPIA.
    2. This Data Privacy Policy Notice is intended to provide transparency to data subjects about what happens with their personal data.
    3. POPIA applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
    4. POPIA will apply to the processing of all personal information for a responsible party where the responsible party is domiciled in the Republic of South Africa or not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic. DPO South Africa qualifies under all these categories. DPO South Africa qualifies in some instances as a responsible party and in some instances as an operator, POPIA therefore applies.
  2. WHICH PERSONAL DATA ARE COLLECTED AND PROCESSED
    1. DPO South Africa endorses and adheres to the POPIA principal of ‘minimality’ whereby DPO South Africa only collects, processes or stores the minimum amount of data that it requires to provide the requested service.
    2. Different data is required at different points of the service provided by DPO South Africa and is not all collected at the same time.
    3. Depending on the service provided, this can include any or all the following data:
      1. name;
      2. email address;
      3. contact telephone number;
      4. delivery address;
      5. bank card or account details;
      6. passport or national ID;
      7. username and password for DPO South Africa account access;
      8. Photo.
    4. In certain cases DPO South Africa may require additional information for either the service provided or any other legitimate reason. In these instances DPO South Africa will always seek consent from the data subject, together with an explanation of why the additional information is necessary.
  3. LEGAL BASIS FOR OBTAINING OR REQUESTING PERSONAL INFORMATION
    1. DPO South Africa requests personal information in its capacity as a responsible party and obtains personal information from responsible parties for processing purposes in its capacity as an operator.
    2. The legal basis for collecting personal information is primarily as follows:
      1. predominantly based on consent received from a data subject and on a legitimate business need to provide the data subject with the service requested;
      2. where DPO South Africa is under legal obligation to collect personal information;
      3. in order to protect the legitimate interests of the data subject;
      4. where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
      5. where processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  4. PURPOSE FOR WHICH WE COLLECT PERSONAL INFORMATION
    1. DPO South Africa is a responsible party and operator under POPIA.
    2. DPO South Africa uses personal information in a number of different ways, including but not limited to:
      1. providing the services requested by the data subject;
      2. providing the data subject or the responsible party with customer support inquiries;
      3. providing data subjects with information on new products;
      4. for analyses of information to establish user trends and needs;
      5. to communicate with the data subject on changes to services, policies, terms and conditions or other important information.
  5. SECURITY & QUALITY OF PERSONAL DATA
    1. DPO South Africa protects and secures all data in line with its PCI-DSS Level 1 compliance.
    2. DPO South Africa aims at the highest standards of quality data processing, in line with our PCI-DSS Compliance and DPO South Africa will shortly be compliant.
    3. DPO South Africa records all personal information in line with its data protection impact assessment and data inventory policies. These policies are reviewed and updated at least annually.
    4. Where personal data is compromised and the breach is likely to result in a high risk to the rights and freedoms of natural persons, DPO South Africa shall communicate the personal data breach to the data subject without undue delay, and as clearly and simply put as possible. Where DPO South Africa has reasonable doubts concerning the identity of the natural person making a request, DPO South Africa may request the provision of additional information necessary to confirm the identity of the data subject.
  6. DATA SUBJECT RIGHTS
    1. In accordance with POPIA, data subjects are provided with the following rights by DPO South Africa:
      1. Right  to be notified that personal information about him, her or it is being collected or his, her or its personal information has been accessed or acquired by an unauthorised person;
      2. Right to request access to his, her or its personal information and to establish whether a responsible party holds personal information of that data subject;
      3. Right to request the correction, destruction or deletion of his, her or its personal information;
      4. Right to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information; as well as to object at any time to the processing of personal information for purposes of direct marketing;
      5. Right not to be subject  to a decision  based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person;
      6. Right to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator; and
      7. Right to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
  7. RETENTION OF PERSONAL AND OTHER DATA
    1. DPO South Africa retains personal and processing data in line with PCI-DSS standards.
    2. All data that is required to be retained for compliance, legal, archiving, client support or ongoing processing is retained for only as long as is absolutely required and in line with DPO South Africa’s PCI-DSS compliance, where after it is erased and disposed of.
  8. CONSENT
    1. By the Data Subject providing consent, and being advised about this privacy policy, he is giving DPO South Africa permission to process personal data specifically for the purpose of the requested service.
    2. Consent is required by DPO South Africa to proceed with the requested service and will be explicitly requested and given.
  9. GENERAL INFORMATION
    1. DPO South Africa has appointed a board approved Data Protection Officer (who acts in the same capacity as an Information Officer under POPIA) to ensure the enforcement and compliance with POPIA. Any requests, complaints or communications by staff, third parties, service provides, data subject, controllers, processors or the data security authority should be directed to the following email, namely dataprotectionofficer@directpay.online.
    2. DPO South Africa as a responsible party and operator, its staff, third parties and service providers are all subject to the Data Protection Policy and this Data Privacy Policy, under the control of the Data Protection Officer.
    3. DPO South Africa will never sell, share or obtain personal information for any purpose whatsoever, unless it receives the data subject’s consent, and that the recipient is POPIA compliant and has the appropriate security facilities in place.
  10. COMPLAINTS PROCEDURE
    1.  Scope
      1. This procedure addresses complaints from data subject(s) related to the processing of their personal data, DPO South Africa’s handling of requests from data subjects, and appeals from data subjects on how complaints have been handled.
    2. Responsibilities
      1. All Employees/Staff are responsible for ensuring any complaints made in relation to the scope of this procedure are reported to the Data Protection Officer.
      2. Data Protection Officer is responsible for dealing with all complaints in line with this procedure.
    3. Procedure
      1. DPO South Africa has the contact details of its Data Protection Officer published on its website, clearly under the ‘Contact us’ section.
      2. DPO South Africa has clear guidelines on this page and that enables the data subject to lodge a complaint.
      3. DPO South Africa clearly provides data subject(s) with the DPO South Africa POPIA Data Privacy Policy by publishing it on its website.
    4. Data subjects are able to complain to DPO South Africa about:
      1. how their personal data has been processed;
      2. how their request for access to data has been handled;
      3. how their complaint has been handled; and
      4. appeal against any decision made following a complaint.
    5. Data subject(s) lodging a complaint with the DPO South Africa’s Data Protection Officer are able to do so by contact form published on the company website, and/or via email direct to the Data Protection Officer as published on the company website.
      1. Complaints received via the website contact form are directed to the Data Protection Officer for resolution.
      2. Complaints are to be resolved within one month.
      3. Appeals on the handling of complaints are to be resolved within one month.
    6. If DPO South Africa fails to act on a data subject’s access request within one month, or refuses the request, it sets out in clear and plain language the reasons it took no action/refusal. DPO South Africa will also inform the data subject(s) of their right to complain directly to the supervisory authority. In doing so, DPO South Africa provides the data subject(s) with the contact details of the supervisory authority and informs them of their right to seek judicial remedy.