Privacy Policy – South Africa

SAIL BUSINESS SOLUTIONS AFRICA DATA PROCESSING AND PRIVACY POLICY

  1. DEFINITIONS

All capitalised terms herein or in any Schedule or attachment will have the meanings ascribed to such terms in this clause 1 or as otherwise defined in this Agreement.

1.1 “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a Party.

1.2 “Agreement” means this Data Processing and Privacy Policy Agreement.

1.3 “Data Subject” means an individual or juristic entity which is the subject of Personal Data that may be Processed under this Agreement.

1.4 “Intellectual Property Rights” means:

1.4.1 all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights and these “intellectual property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models and rights in designs;

1.4.2 applications for registration, and the right to apply for registration, for any of these rights; and

1.4.3 all other intellectual property rights and equivalent or similar forms of protection existing anywhere in the world.

1.5 “Personnel” means any person employed or contracted by the Parties or their approved sub-contractors relating to the provision of the Services.

1.6 “Operator” means a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party. With regards to this agreement, Operator will be:

SAIL Business Solutions Africa (Pty) Ltd
27 Villa di Castello, Katumba Road, Sunninghill, 2157
Johannesburg

1.7 “Personal Information” means all information relating to an identifiable, living natural person, including that which Operator (or any of its Affiliates or Personnel) processes in connection with its relationship with Responsible Party (including employees of Responsible Party Affiliates and of its sub-contractors) but excluding information that Operator processes as the Responsible Party.

1.8 “Process or Processing” means the collection, use, disclosure, transfer, storage, deletion, combination, or other use of Personal Information.

1.9 “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

1.10 “Previous Agreement/s” means any agreement/s previously concluded between the Parties or Responsible Party’s acceptance of Operator’s Standard Terms and Conditions.

1.11 “POPI” means the minimum standard as gazetted by the Republic of South Africa and set out in the Protection of Personal Information Act 4 of 2013 (as amended).

1.12 “Services” mean Operator’s services and Deliverables, as described in Previous Agreements or Operator’s Standard Terms and Conditions including inter alia accounting, tax, payroll, human resources processing, advisory and statutory filing services.

1.13 “Third Party Software” means software developed by third parties which the Operator or the Client uses and on which the Operator provides the Services.

1.14 “Sub-Processor” means a third-party contractor to whom the Processing of Personal Data is subcontracted or outsourced by the Operator in accordance with any agreements between the Parties.

1.15 “Supervisory Authority” means the Information Regulator as established in RSA, pursuant to the POPI Act.

1.16 “Territory” means any country where the Operator processes information on behalf of the Responsible Party.

1.17 “User or Users” means any Responsible Person and / or its Personnel and / or organisation and / or individual that utilises Operator’s Services.

  2. GENERAL PRIVACY TERMS

2.1 Registration. To create an account with the Operator and on Third Party Software, Users must provide Operator and/or the Third Party Software with at least their email address and a password and agree to Operator’s Terms and Conditions of Use and this Agreement, which governs how Operator treats User’s information. User will provide additional information during the registration flow (for example, User’s company addresses and contacts, pay structures, journal codes, employee biographical information and salary information) to help User build User’s company and employee profiles and to provide User with Services. User understands that, by creating an account, Operator will be able to identify User by User’s profile on the Third Party Software. Operator may also ask for User’s credit card or bank details to retrieve applicable service fees.

2.2 Customer Service. When a User contacts Operator’s customer support services telephonically, by email, through social media or any other mechanism, Operator will have to access User’s profile, company information, employee information and other contributions to Operator’s Services and collect the information Operator needs to categorize a User’s question, respond to it and investigate in detail the issue raised. Operator also uses this information to track potential problems and trends and customize Operator’s support responses to better serve Users. Operator does not use this information for advertising.

2.3 Cookies. Operator uses cookies to store a session identifier in order to correctly serve a User its data as well as improve a User’s experience, increase security, measure use and effectiveness of Operator’s Services. A User can control cookies through browser settings and other tools. By visiting Operator’s Services, a User consents to the placement of cookies in User’s browser in accordance with this agreement.

2.4 Information About Users’ Computer and Mobile Device. When Users visit or leave Operator’s website (whether as a Member or Visitor) by clicking a hyperlink, Operator automatically receives the URL of the site from which a User came or the one to which a User is directed. Also, advertisers receive the URL of the page that a User is on when a User clicks an ad on or through Operator’s Services. Operator also receives the internet protocol (“IP”) address of a User’s computer or the proxy server that a User uses to access the web, a User’s computer operating system details, a User’s type of web browser, a User’s mobile device (including a User’s mobile device identifier provided by User’s mobile device operating system), User’s mobile operating system, and the name of User’s ISP or User’s mobile carrier. Operator may also receive location data passed to Operator from third-party services or GPS-enabled devices that User has set up, which Operator uses to show User relevant information.

2.5 Communications. Operator communicates with Users through email, notices posted on Operator’s websites or apps and other means available through the Services, including mobile text messages and push notifications. Examples of these communications include:

2.5.1 welcome and engagement communications – informing Users about how to best use Operator’s Services, new features and updates about legislation;

2.5.2 service communications – these will cover service availability, security, and other issues about the functioning of Operator’s Services; and

2.5.3 promotional communications – these include email and may contain promotional information directly or on behalf of Operator’s partners. These messages will be sent to Users based on User’s profile information and messaging preferences. Users may change User’s email and contact preferences at any time by opting out of receiving emails.

2.7 Payroll and HR Processing. In order to provide the Services the Operator collects various pieces of physical data on the User and the User’s employees. The Operator will only process the information in order to provide the Services and will not sell this information to third parties. The Operator will take reasonable steps to secure this data. The Operator may need to provide this information to third parties in order to provide the Services including inter alia Third Party Software vendors, government departments (for example SARS or the Department of Labour), medical aids, provident funds, unions and/or bargaining councils. The Operator has no control over these parties and the manner in which they treat this info, but where possible the Operator will make sure appropriate controls are applied.

2.6 Third Party Software. The Operator is not a software developer and uses a number of Third Party Software systems to provide the Services. The Operator has no control over these parties and the manner in which they treat this info, but where possible the Operator will make sure appropriate controls are applied. Users may not be able to opt out of receiving service messages from Third Party Software where this is applied on the software. User acknowledges that any privacy policy operated by Third Party Software cannot be controlled by the Operator and the User may need to address any concerns directly with the Third Party Software provider.

Users agree the Operator may communicate directly with the User by email for all items relating to the Services and as covered by any agreement entered into between the Parties.

2.6 Testimonials and Advertisements. If User provides any testimonials about Operator’s goods or services or places advertisements, Operator may post those testimonials and examples of advertisements User placed in connection with Operator’s promotion of these services to third parties. Testimonials and advertisements may include User’s name and other personal information that User has provided.

2.7 External Links. The Operator’s website and Third Party Software are information portals and contain links to other Web sites. These sites however do not fall under any control of Operator and therefore Operator cannot be held responsible for the privacy practices or the contents of such other web sites.

2.8 Rights to Access, Correct, or Delete User Information, and Closing User Account. User can change User’s information on the Third Party Software at any time by editing User’s profile, deleting information that User has posted, or by giving Operator notice of termination. Where this is not possible Operator will take reasonable steps to communicate with the Third Party Software vendor to make the necessary changes to allow for this deletion. User has a right to:

2.8.1 access, modify, correct, or delete User’s personal information controlled by Operator regarding User’s profile;

2.8.2 change User’s information; and

2.8.3 close User’s account.

  3. PROCESSING OF INFORMATION

3.1 Responsible Party hereby grants to Operator a non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Personal Information to the extent reasonably required for the performance of Operator’s obligations and the exercise of Operator’s rights under this Agreement.

3.2 Responsible Party also grants to Operator the right to sub-license these rights to its hosting, connectivity, necessary Third Party Software vendor and telecommunications organisations, subject to any express restrictions elsewhere in this Agreement.

3.3 Responsible Party warrants to Operator that the Personal Information when used by Operator in accordance with this Agreement will not infringe the Intellectual Property Rights or other legal rights of any person.

3.4 Responsible Party hereby confirms that as the Responsible Party they have an appropriate lawful basis to process personal information including transferring same to Operator for purposes of Processing the payroll and other legislative related services on behalf of Responsible Party.

3.5 Operator will comply with POPI and the Data Protection Standards of ISO 27001 in countries without data privacy legislation. If the law related to data protection in the territory conflicts and/or is more onerous than these provisions, Responsible Party shall in writing advise of such conflict and the Operator shall revert on the feasibility, if any, to comply with the Data Protection Legislation.

3.6 Without prejudice to the obligations set out in this clause 3, the Parties acknowledge and agree that each Party will remain solely responsible for complying with their respective obligations under POPI with regards to privacy and protection of personal information laws governing Responsible Party’s data in the Territory.

  4. SAFEGUARDING MEASURES

4.1 It is recorded that where this is in the Operator’s control, the Operator has implemented reasonable safeguards against the unauthorized access to, and destruction, loss, or alteration of, Responsible Party’s Confidential Information and Personal Information which at any time is in Operator’s possession or to which Operator may have access.

4.2 Operator warrants to Responsible Party that it shall maintain such reasonable safeguards for so long as it has any of Responsible Party’s Confidential Information in its possession or has access to such information.

  5. COMPLIANCE: SUB-PROCESSORS AND AFFILIATES

5.1 Operator shall procure that each of its Sub-processors and/or Affiliates contractually agree in writing that they will:

5.1.1 comply with this clause 5 and POPI;

5.1.2 not access, use or process Responsible Party’s data and/or personal information except to the extent reasonably necessary in performance of its obligations under this Agreement;

5.1.3 not perform any act that puts Responsible Party at risk of Responsible Party’s data and/or personal information being disclosed; and

5.1.5 take reasonable steps to prevent any unauthorised or unlawful access, accidental or unauthorised destruction, corruption, loss, alteration or disclosure or other prohibited processing of Responsible Party’s data and/or Personal Information.

  6. BREACHES AND NOTIFICATIONS

6.1 Operator will notify the Responsible Party, within a reasonable timeframe, after becoming aware of any Personal Information Breach impacting the Responsible Party and provide reasonable information in its possession to assist the Responsible Party to meet the Responsible Party’s obligations to report a Personal Information Breach as required under POPI.

6.2 Operator may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Operator.

  7. STORAGE OF HISTORY DATA

7.1 Subject to clause 7.2 below, legal jurisdictions will dictate how long Responsible Party’s data is retained within the Territory (each respective country). If there is no standard, a default period of 5 (five) years will be used to determine whether data should be destroyed.

7.2 On notice of termination of Responsible Party account, Responsible Party will have 30 days to download or export the data using one of many mechanisms such as reports, web services and business intelligence tools. After that 30-day period, Operator will have no obligation to maintain or provide Responsible Party the data and will thereafter delete or destroy all copies of Responsible Party’s data in Operator’s systems or otherwise in Operator’s possession or control, unless legally prohibited.

  8. LAW ENFORCEMENT REQUESTS AND DISCLOSURES

8.1 If the Operator or Sub-Processor receives any demand for disclosure of Personal Data by law, the Operator or Sub-Processor will promptly notify the Responsible Party, in writing, of the Legal Request (unless legally prohibited from doing so).

  9. CROSS BORDER DATA REPLICATION

9.1 It is specifically recorded that:

9.1.1 the Operator might perform replication of personal information to a data centre in the United Kingdom and/or the Republic of Ireland for the purposes of implementing adequate disaster recovery processes and other legitimate processing activities (note: this is inter alia a direct consequence of using Office 365);

9.1.2 Section 72 of POPI allows the transfer of personal information to a Sub-processor in a foreign country in circumstances where amongst others:

9.1.2.1 the Sub-processor is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection that is substantially similar to POPI and effectively upholds the principles as set out in POPI; or

9.1.2.2 the data subject consents to the transfer; or

9.1.2.3 the transfer is necessary for the performance of a contract between the data subject and the Responsible Party or for the performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party; or

9.1.2.4 the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer.

9.1.3 The data centre to be used by the Operator in the United Kingdom and/or the Republic of Ireland will be subject to adequate laws that are substantially similar to POPI and effectively uphold the principles of lawful processing as set out in POPI. Accordingly, the Operator would comply with section 72 of POPI on the basis that the third-party recipient of the information (namely the data centre in the United Kingdom) is subject to a law which provides an adequate level of protection. It will thus not be necessary for the Operator and/or the Responsible Party to obtain the consent of the data subject to transfer the personal information to the data centre.

9.2 Having regard to the above, the parties agree that Operator has taken steps to ensure compliance with its obligations as set out in POPI.

  10. CONFLICT

10.1 In the event that there is conflict between any Previous Agreement/s and this Agreement, the conditions of this agreement will apply.

  11. TERM

11.1 This Agreement will commence on the effective date and will continue until the termination in accordance with any Previous Agreement/s or specifications as per Operator’s Terms and Conditions of Use.

  12. COOPERATION WITH SUPERVISORY AUTHORITY

12.1 The Operator and the Responsible Party as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.

  13. INFORMATION OFFICER

13.1 Service Provider contact for any issues in relation to this Agreement:

13.1.1 Risk Officer – Erin Snyman

13.2 Any questions or comments about this Agreement can be directed to Operator by contacting Operator on +27 87 551 3130 or by email to info@sailsolutions.co.uk.