We are committed to protecting your privacy and to ensure that your personal information is collected and used properly, lawfully and transparently.

 

Please see Environmental Assurance (Pty) Ltd’s (Responsible Party) Protection of Personal Information Manual for your attention at https://www.envass.co.za/promotion-of-access-to-information-act/. Should you have any questions, you are welcome to contact Environmental Assurance (Pty) Ltd. at info@envass.co.za or 012 460 9768

 

  1. INTRODUCTION

 

1.1 The Protection of Personal Information Act, No. 4 of 2013 (“the Act”), regulates and controls the processing of a person or legal entity’s Personal Information, as defined in the Act, within South Africa, in which processing includes the collection, use, and transfer of a person or legal entity’s Personal

 

1.2 In terms of the Act, where a person processes another’s Personal Information, such processing must be done in a lawful, legitimate and responsible manner and in accordance with the provisions, principles and conditions set out under the Act.

 

1.3 Where a person who holds Personal Information of another and who asks a third party, who is not directly under its control, to process that information on its behalf, in terms of a mandate or contract, then in such an event, the Act stipulates that an Operator Agreement (as defined under the Act) must be concluded between the person requesting the processing and the third party who has been mandated to process the information.

 

1.4 The parties therefore enter into this Agreement:

 

1.4.1 in terms of which the Operator as the Data Subject, provides consent to the Responsible Party for using the Personal Information of the Operator for the purposes for which it was collected and agreed to with the Operator; and

1.4.2 to allow the Operator to process the Personal Information on behalf of the Responsible Party.

 

  1. SOME IMPORTANT REFERENCES

 

2.1 The Act makes use of certain references which are explained below. Please familiarise yourself with the following references as they may be referred to under this Agreement:

 

2.1.1 “Data Subject“, means the person who owns Personal Information, which reference is found under the Act;

 

2.1.2 “Operator” is any person who processes Personal Information on another’s behalf as a sub – contractor, in terms of a contract or mandate, without coming under the direct authority of the person requesting the processing;

 

2.1.3 “Personal Information” means personal information relating to any identifiable, living, natural person, and an identifiable, existing juristic person, including, but not limited to:

 

2.1.3.1 in the case of an individual:

 

2.1.3.1.1 name, address, contact details, date of birth, place of birth, identity number, passport number, bank details, details about your employment, tax number and financial information;

2.1.3.1.2 vehicle registration;

2.1.3.1.3 dietary preferences;

2.1.3.1.4  financial history;

2.1.3.1.5 information about next of kin and or dependants;

2.1.3.1.6 information relating to education or employment history; and

2.1.3.1.7 Special Personal Information including race, gender, pregnancy, national, ethnic or social origin, colour, physical or mental health, disability, criminal history, including offences committed or alleged to have been committed, membership of a trade union and biometric information, such as images, fingerprints and voiceprints, blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;

 

2.1.3.2 in the case of a juristic person:

 

2.1.3.2.1 name, address, contact details, registration details, financials and related history, B-BBEE score card, registered address, description of operations, bank details, details about employees, business partners, customers, tax number, VAT number and other financial information.

 

2.1.4 processing”, “process” or ”processed” means in relation to Personal Information, the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; merging, linking, as well as restriction, degradation, erasure or destruction of information; or sharing with, transfer and further processing, including physical, manual and automatic means. This is a wide definition and therefore includes all types of usage of Personal Information including the initial processing and any further and ongoing processing;

 

2.1.5 Purpose” means the reason why Personal Information needs to be processed; and

 

2.1.6 Responsible Party” means the person who is processing a Data Subject’s Personal Information and who may under certain circumstances ask an Operator to process the Personal Information on its behalf under and in terms of an Operator Agreement.

 

  1. APPOINTMENT OF OPERATOR

 

3.1 In terms of Section 20 of the Act, where a Responsible Party makes use of the services of an Operator, to process personal information of a Data Subject or Data Subjects on its behalf, then the Responsible Party is legally obliged to conclude a written agreement with such Operator, which written agreement contractually obliges the Operator to:

 

3.1.1. comply with the provisions of the Act when processing any Personal Information on behalf of the Responsible Party;

 

3.1.2. only process the Personal Information in accordance with the mandate or written instruction received from the Responsible Party in relation to such processing activities;

 

3.1.3. keep all the Personal Information belonging to the Data Subjects which has been processed on behalf of the Responsible Party and held by it in its capacity as Operator confidential; and

 

3.1.4. put measures in place in order to keep all the aforementioned Personal Information confidential, safe and secure from misuse, abuse and / or unauthorised use or access.

 

3.2 In accordance with Section 20 of the Act, this Operator Agreement seeks to manage the processing relationship as between the Responsible Party and the Operator in relation to the Personal Information which the Operator has been mandated to process on behalf of the Responsible Party, the description of the information, the purpose for the processing and period for which the processing will take place, as set out under Annexure “A”, attached hereto.

 

  1. OBLIGATIONS OF THE OPERATOR

 

4.1. The Operator expressly warrants and undertakes that it will:

 

4.1.1 process the Personal Information strictly in accordance with the instructions detailed under this Operator Agreement read together with Annexure “A”, any main agreement concluded as between the Operator and the Responsible Party and any specific instructions provided to it by the Responsible Party from time to time;

 

4.1.2 not use the Personal Information for any other purpose, save for the purpose set out under Annexure “A”, any main agreement concluded as between the Operator and the Responsible Party and any specific instructions provided to it by the Responsible Party from time to time;

 

4.1.3 only disclose, transfer and / or hand over the Personal Information to those person(s) identified under Annexure “A” and when transferring the information, ensure that it has in place written arrangements which compel the identified party receiving the Personal Information to respect and maintain the confidentiality and security of the Personal Information and that said party has signed the POPIA onwards transmission notice attached hereto marked Annexure “B”;

 

4.1.4 save for the provisions housed under clause 4.1.3, treat the Personal Information as confidential and not disclose the Personal Information to any other person unless required by law and only once it has provided the Responsible Party with adequate warning of this requirement to disclose and the related details thereof, including the identity of the person who is to receive the Personal Information, the reason for the disclosure and confirmation that the person to whom the Personal Information is to be disclosed to, has signed the POPIA onwards transmission notice attached hereto marked Annexure “B”;

 

4.1.5 have in place appropriate technical and organisational measures to protect and safeguard the Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which in addition, provides a level of security appropriate to the risk represented by the processing and the nature of the Personal Information to be protected, and which safeguards comply with the requirements set out under the Act;

 

4.1.6 notify the Responsible Party immediately where it has reasonable grounds to believe that the Personal Information which has been provided to it has been lost, destroyed, or accessed or acquired by any unauthorised person;

 

4.1.7 process the Personal Information strictly in accordance with the Act’s processing conditions;

 

4.1.8 not use the Personal Information for any direct marketing or advertising, research or statistical purposes, unless expressly authorised to do as described under Annexure “A” and when conducting such activity ensure that this is done strictly in compliance with the requirements of the Act, especially those applicable to direct marketing detailed under Section 69 of the Act and the related Regulations;

 

4.1.9 not treat the Personal Information as its own, it expressly acknowledges that it has been tasked with processing the Personal Information in its capacity as an Operator, and that ownership of all the records housing the Personal Information and any records comprising such Personal Information pertaining to the Data Subject, will always remain with the Responsible Party;

 

4.1.10 not sell, alienate or otherwise part with the Personal Information or any of the records housing the Personal Information; and

 

4.1.11 ensure that any person acting under the authority of the Operator, including any employee or third party, shall be obligated to process the Personal Information only on instructions from the Operator and strictly in accordance with this Operator Agreement.

 

4.2 The Operator warrants that it has the legal authority to give and fulfil the abovementioned warranties and undertakings set out in this Operator Agreement.

 

4.3 The Responsible Party in order to ascertain compliance with the warranties and undertakings housed under this Operator Agreement, will have the right on reasonable notice and during regular business hours, to view and or audit, either by itself or through an independent agent, the Operator’s facilities, files, and any other data processing documentation or records needed for the required review, audit and/or independent or impartial inspection.

 

  1. LIABILITY OF THE OPERATOR AND THIRD-PARTY RIGHTS

 

5.1 Where the Operator breaches any provisions of this Operator Agreement, then in such an event, the Operator shall be liable for all and any damages it may have caused in consequence of said breach including patrimonial, non-patrimonial and punitive damages actually suffered by the Responsible Party and/or any third-party in consequence of said breach and the Operator hereby agrees to indemnify and hold the Responsible Party and/or any third-parties who may be or will be affected by such non-compliance, harmless against all and any liabilities, loss or damages, including pecuniary, non-pecuniary, and/or aggravated damages, which they may incur in consequence of such non-compliance, the Operator agreeing to pay to Responsible the Party and/or to such third-party all and any such damages on demand.

 

5.2 At the request of the Responsible Party, the Operator will provide the Responsible Party with evidence of financial resources sufficient to fulfil its responsibilities which are specifically set out this clause 5.1 and more generally, those set out under this Operator Agreement, which may include insurance coverage or other forms of collateral.

 

  1. APPLICABLE LAW

The laws of South Africa shall apply to this Operator Agreement, regardless of where the Personal Information is, will be, or was actually processed by the Operator or anyone acting on its behalf.

 

  1. TERMINATION

 

7.1 In the event that:

 

7.1.1 the processing of the Personal Information by the Operator has been completed in accordance with the mandate;

 

7.1.2 the processing of the Personal Information by the Operator has been temporarily suspended by the Responsible Party for longer than 1 (one) month for whatever reason;

 

7.1.3 the Operator is in breach of its obligations under this Operator Agreement and has failed when called upon to do so by the Responsible Party to rectify the breach;

 

7.1.4 the Operator is in substantial or persistent breach of any warranties or undertakings given by it under this Operator Agreement, notwithstanding that the Responsible Party has not given the Operator notice of such breach;

 

7.1.5 an application is filed for the placing of the Operator under business rescue, under administration, or winding up whether interim or final, which application is not dismissed within the applicable period for such dismissal under applicable law; or any equivalent event in any jurisdiction occurs,

 

then the Responsible Party without prejudice to any other rights, which it may have against the Operator, shall be entitled to terminate this Operator Agreement and where applicable any main Agreement with immediate effect.

 

7.2 The parties agree that the termination of this Operator Agreement and where applicable any main agreement at any time, in any circumstances and for whatever reason, does not exempt them from the rights and obligations set out under this Operator Agreement with regards to the processing of the Personal Information read together with the obligations under the Act.

 

7.3 In the event of the Operator Agreement and where applicable the main agreement being terminated whenever, and for whatsoever reason, the Operator undertakes:

 

7.3.1 to restore and/or transfer back to the Responsible Party all and any Personal Information which has been provided to the Operator for processing, whether some has been processed or not, and/or which has been processed, together with any related documentation, records and/or information, all of which documentation must without exception be returned to the Responsible Party within a period of 30 (thirty) days from date of service of the termination notice; and

 

7.3.2 to confirm in writing simultaneously when the transfer under clause 7.3.1 takes place, that all such Personal Information will be kept confidential as per the provisions of clause 4.1.3 and that it will not under any circumstances use the aforementioned information for whatsoever reason.

 

7.4 Notwithstanding termination of the Operator Agreement and where applicable to the main agreement, and notwithstanding reason therefor, the clauses 4, 5, 6 and 7.2 will survive any such termination.

 

  1. VARIATION

The parties may not modify the provisions of this Operator Agreement including the annexures unless such variation is reduced to writing and signed by the parties.

 

ANNEXURE A – MANDATE TO PROCESS

 

  1. DESCRIPTION OF THE PERSONAL DATA WHICH THE OPERATOR WILL PROCESS

 

1.1 Purpose(s) for which Personal Information is collected for:

 

1.1.1 to provide products and / or services as may from time to time be requested;

1.1.2 to provide products and / or services as required per agreement between Operator and Responsible Party;

1.1.3 details for contractual drafting purposes;

1.1.4 for invoicing and keeping record of clients and individual key client contact persons and liaison managers;

1.1.5 confirming, verifying and updating client details;

1.1.6 conducting market or customer satisfaction research;

1.1.7 providing communication in respect of the Organisation and regulatory matters that may affect clients or sub contractors; and

1.1.8 in connection with and to comply with environmental, legal and regulatory requirements or when it is otherwise allowed by law.

               

1.2 Description of the Personal Information belonging to the Data Subject(s) which the Operator has been asked to process in terms of this Operator Agreement:

 

1.2.1 title, full names, initials and identity number/ passport number of natural person;

1.2.2 registration name and number or juristic person;

1.2.3 information required to provide the services;

1.2.4 social marketing platform information;

1.2.5 tax numbers, contact number, property details, email addresses, fax numbers, web page details, postal addresses, physical addresses, banking details and BB-BEE information of clients, contractors or Government Institutions or subcontractors of clients, contractors, property owners or Government Institutions; and

1.2.6 any other information required to render services / goods / continue to perform in terms of the contract / agreement

 

1.3 The Processing of the Personal Information will be carried out over the periods set out in the agreement between the Responsible Party and the Operator.

 

1.4 The Processing of the Personal Information will be carried out at the locations set out in the agreement between the Responsible Party and the Operator.

1.4.1 In the event that Personnel Information will be transferred outside of the Republic of South Africa the Data Subjects will be notified

 

1.5 The Personal Information belonging to the abovementioned Data Subjects may only be disclosed to the following recipients or categories of recipients:

 

1.5.1 to our clients and subcontractors who are involved in the delivery of products or services

1.5.2 any other third parties as required to render services / goods / continue to perform in terms of the contract / agreement

1.5.3 where we have a duty or a right to disclose in terms of law or industry codes, where we believe it is necessary to protect our rights or to our auditors, legal advisors, etc.

 

1.6 The personal data transferred concerns the following categories of sensitive data (if applicable):

 

1.6.1 client and site specific information

1.6.2 tax numbers, contact number, property details, email addresses, fax numbers, web page details, postal addresses, physical addresses, banking details and BB-BEE information of clients, contractors or Government Institutions or subcontractors of clients, contractors, property owners or Government Institutions.

1.6.3  any other required to render services / goods / continue to perform in terms of the contract / agreement

 

2. SUB PROCESSORS OR OPERATORS

 

2.1 The Processing of the Personal Information will be carried out by the Operator and Sub-Operators or Processors as per individual project or administrative requirements.

 

2.2 Any modification to the above listing shall be agreed in writing between the Parties, through an Amendment to this Operator

 

2.3 The Operator will return the Personal Information to the Responsible Party after operational contract has ended.

 

2.4 Where the Operator is not required to return the Personal Information to the Responsible Party, then the Operator will retain the Personal Information for a period of 3 (three) years from the date of termination of the Agreement, and after such period it will delete / destroy the Personal Information

 

ANNEXURE B – ONWARDS TRANSMISSION NOTE

 

We,  the Operator acting on behalf of the Responsible Party, in response to your query and related request for certain Personal Information, identified below, have been given permission by the Responsible Party to provide you with said information.

 

Conditions and Terms attaching to onward transmission and subsequent processing of the requested Personal Information

 

  • You will keep the information private and confidential;
  • You may only use the information for the purpose described above and for no other purpose;
  • You will safeguard the information;
  • You will in particular ensure that the information is kept safe and secure from unlawful or unauthorised access, and you will ensure that the integrity of the information is not compromised or altered in any manner;
  • When using the information, you will comply with the processing conditions and provisions set out under a law known as the Protection of Personal Information Act, 4 of 2013,

 

and you agree to indemnify the Responsible Party, the Operator, and/or all and any third parties, including any affected Data Subject against all and any damages, expenses and/or costs and any legal claims and related costs and damages, which may be incurred or brought against by whomsoever as a result of your non-compliance with the above undertakings.

 

Furthermore, you acknowledge that the Responsible Party, the Operator, and/or all and any third parties, including third-parties, including any affected Data Subject may institute legal action against you under the provisions housed under the Act should you breach the abovementioned terms.