POPIA ACT

Services supplied: Accounting, Secretarial, Taxation and Administration

In line with the provisions in the Protection of Information Act no. 4 of 2013 (POPIA), responsible parties are required to obtain consent from all data subjects when processing information or providing personal information of the data subject to third parties. Therefore, this addendum deals with terms relating to the processing of such information to ensure that Veritas Rekenmeesters-Accountants CC and the client (the parties) comply with the legislative requirements and that all parties are aware of the protection afforded to their and third parties’ personal information.

In this agreement:

“Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

“Data subject” – means the person to whom personal information relates;

“Operator” – means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

“Person” means a natural person or a juristic person;

“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. the personal opinions, views or preferences of the person;
  5. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  6. the views or opinions of another individual about the person;
  7. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

  1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  2. dissemination by means of transmission, distribution or making available in any other form; or
  3. merging, linking, as well as restriction, degradation, erasure or destruction of information;

“Responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

1. Personal Information

1.1 Each party shall ensure that all the personal information they collect from the other party is obtained directly from the other party or an authorised representative, or in terms of Section 12 of POPIA.

1.2 Each party shall ensure at all times that the personal information provided to them by the other party is protected and retained with the utmost confidentiality.

1.3 Personal information collected shall only be used for the purpose it was originally obtained.

1.4 Where the information requires further processing or is to be used for a purpose different from that for which it was originally obtained, such party shall request consent from the other party for the further processing.

1.5 The supply of personal information is mandatory and provided by the parties voluntarily to give effect to the business relationship between the parties.

1.6 Each party shall ensure that the personal information obtained from the other party is kept for the minimum timeframe stipulated by applicable legislative requirements.

1.7 Each party may withdraw consent for or object to the processing of their personal information, which will lead to the termination of the business relationship, and the personal information may be retained for a period to satisfy other legislative requirements which the parties are required to retain records for.

1.8 If a party processes any Personal Information on behalf of the other party in the course of rendering the Services, such party –

      1.8.1 does so with the knowledge or authorisation of the other party, who is the Responsible Party in terms of the Protection of Personal Information Act; and

      1.8.2 will treat Personal Information which comes to its knowledge as confidential and will not disclose it, unless required by law or in the course of the proper performance of the party’s duties.

1.9 A party that is a Responsible Party as defined is responsible to ensure that Personal Information is processed in accordance with all relevant laws, in particular the Protection of Personal Information Act, and is therefore responsible to —

      1.9.1 establish and maintain security measures to secure the integrity and confidentiality of the Personal Information in its (the Operator’s) possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

  • loss of, damage to or unauthorised destruction of Personal Information; and
  • unlawful access to or processing of Personal Information,

in accordance with generally accepted information security practices and procedures which may apply to the Company’s industry.

      1.9.2 take reasonable measures to —

  • identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

1.10 Where the other party processes information on behalf of the responsible party, the other party is an Operator as defined and agrees to:

      1.10.1 establish and maintain security measures to secure the integrity and confidentiality of the Personal Information in its (the Operator’s) possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

  • loss of, damage to or unauthorised destruction of Personal Information; and
  • unlawful access to or processing of Personal Information,

in accordance with generally accepted information security practices and procedures which may apply to the Company’s industry.

      1.10.2 take reasonable measures to —

  • identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

A party who is an operator must notify the other party (Responsible Party/The Client) immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

The Client therefore gives consent and agrees to supply Veritas Rekenmeesters-Accountants CC with its personal information in order to supply the client with the required services.