POPI DATA PROTECTION POLICY AGREEMENT AND CONSENT
This POPI Data Protection Policy Agreement is effective as of: 21 October 2024 (“Effective Date”)
You, as the Disclosing Party, hereby consent to and are bound by this Data Protection Agreement (“Data Protection Policy”) of Occupational Insight (Pty) Ltd (Reg No. 2024/207496/07) with address/contact details supplied (“Recipient”) in relation to the processing by the Recipient of the personal information of the Disclosing Party. This Data Protection Policy is effective as of the date of consent hereto or the effective date of any main agreement incorporating the terms of this Data Protection Policy by reference (“Agreement”), whichever is earlier.
1 DEFINITIONS
1.1 “Affiliate” means, with respect to any entity, any other entity Controlling, Controlled by or under common Control with such entity, for only so long as such Control exists;
1.2 “Associated Personnel” means any staff member, independent contractor, agent or the like of the Recipient;
1.3 “Control” means the direct or indirect ownership of more than 50% of the voting capital or similar right of ownership of an entity, or the legal power to direct or cause the direction of the general management and policies of that entity, whether through the ownership of voting capital, by contract or otherwise. Controlled and Controlling shall be construed accordingly;
1.4 “Child” means a natural person under the age of 18 years as defined in section 1 of the POPI Act;
1.5 “Data Protection Laws and Regulations” means all mandatory laws and regulations, including laws and regulations of RSA, applicable to the Processing of Personal Information, including but not limited to, the POPI Act and any amendment or replacement thereof;
1.6 “Data Subject” means the individual to whom Personal Information relates as defined in section 1 of the POPI Act;
1.7 “Disclosing Party” means the natural or juristic person who consents to the terms of this Data Protection Policy or agrees to an Agreement incorporating the terms of this Data Protection Policy by reference, and for the purposes of this Data Protection Policy, is the Data Subject;
1.8 “Operator” means a person as defined in section 1 of the POPI Act;
1.9 “Competent Person” means a person as defined in section 1 of the POPI Act;
1.10 “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information;
1.11 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, as defined in section 1 of the POPI Act;
1.12 “POPI Act” means the Protection of Personal Information Act 4 of 2013 as may be amended from time to time;
1.13 “Processing” means processing as defined in section 1 of the POPI Act;
1.14 “Recipient” means the person which Processes Personal Information of the Disclosing Party, as defined in the preamble above. For the purposes of this Data Protection Policy, the Recipient and/or Affiliates are the Responsible Parties;
1.15 “RSA” means the Republic of South Africa;
1.16 “Responsible Party” means the person which determines the purpose and means for which Personal Information is Processed, as defined in section 1 of the POPI Act;
1.17 “Schedule” means the schedule of particulars which forms part of this agreement; and
1.18 “Supervisory Authority” means the Information Regulator as established in RSA, pursuant to the POPI Act.
2 PROCESSING OF PERSONAL INFORMATION
2.1 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Data Protection Policy.
2.2 Should the Disclosing Party be a child, a competent person in the form of a parent or legal guardian hereby consents to the Processing of the Disclosing Party’s Personal Information in accordance with this Data Protection Policy.
2.3 The Recipient shall comply with Data Protection Laws and Regulations.
2.4 The Disclosing Party confirms that where Personal Information of other individuals has been shared with the Recipient, the Disclosing Party hereby provides consent on their behalf to the collection, use and disclosure of their Personal Information in accordance with the laws and consent obtained and further warrants that they are duly authorised to provide consent on behalf of the other individual. To this end, the Disclosing Party indemnifies and holds the Recipient harmless in respect of any claims by any other person or individual on whose behalf the Disclosing Party has consented should the person or individual claim that the Disclosing Party was not so authorised to do so.
2.5 The Disclosing Party will not hold the Recipient responsible for any improper or unauthorised use of Personal Information that is beyond its reasonable control.
2.6 The Disclosing Party may withdraw consent to the processing of Personal Information at any time and must provide the Recipient with reasonable notice to this effect. Furthermore, the revocation of consent is not retroactive and will not affect disclosures or processing of Personal Information which may have already taken place prior to the date of withdrawal. Notice for withdrawal of consent must be sent to the Recipient for attention of the CDP:CIO at info@occupationalinsight.co.za.
2.7 For the avoidance of doubt, Disclosing Party’s instructions to the Recipient for the Processing of Personal Information must comply with Data Protection Laws and Regulations. In addition, Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties, if applicable.
2.8 The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s details for unsolicited correspondence, without the express consent of the Disclosing Party. Any correspondence sent by the Recipient will only be pursuant to this Agreement and the Career Services Agreement.
2.9 It is expressly stated that the Recipient agrees and warrants:
2.9.1 that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act;
2.9.2 that it shall throughout the duration of the Processing process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and
2.9.3 that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to the Personal Information, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation.
2.10 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to:
2.10.1 fulfil the purpose set out in the table (Schedule A) at the end of this Data Protection Policy; and
2.10.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Data Protection Policy. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.
3 SCOPE OF PROCESSING
The nature and purpose of Processing of Personal Information by the Recipient is as set out in Schedule A at the end of this Data Protection Policy.
4 RIGHTS OF DATA SUBJECTS
4.1 The Disclosing Party shall have the right to:
4.1.1 request access to their Personal Information that the Recipient may have in its records. With any request for access to Personal Information, the Recipient will require the requesting party to provide Personal Information in order to verify identification and therefore the right to access the information.
4.1.2 request rectification or deletion of their Personal Information collected by the Recipient. On the written request of the Disclosing Party, the Recipient shall provide such access as is reasonably practicable and either allow the Disclosing Party to rectify or delete such information themselves or implement any rectifications or deletions on behalf of the Disclosing Party.
4.1.3 object to the Processing of their Personal Information if Processing is not:
4.1.3.1 with the Disclosing Party’s consent;
4.1.3.2 protecting their legitimate interests;
4.1.3.3 necessary for the proper performance of a public law duty by a public body; or
4.1.3.4 necessary for pursuing the legitimate interests of the Recipient or its Affiliates,
unless Processing is otherwise permissible under the Data Protection Laws and Regulations or this Data Protection Policy;
4.1.4 object to the Processing of their Personal Information for the purposes of direct marketing other than as allowed by the Data Protection Laws and Regulations; and
4.1.5 lodge a complaint with the Supervisory Authority at complaints.IR@justice.gov.za should any legal or reasonable request with respect to Personal Information not find due resolution.
5 ASSOCIATED PERSONNEL
5.1 Confidentiality
The Recipient shall ensure that its Associated Personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements or are under general obligations of confidentiality towards the Recipient.
5.2 Reliability
The Recipient shall take commercially reasonable steps to ensure the reliability of the Associated Personnel engaged in the Processing of Personal Information.
5.3 Limitation of Access
The Recipient shall ensure that access to Personal Information is limited to those Associated Personnel of the Recipient directly involved in the fulfilling of the purpose.
6 OPERATORS
6.1 Appointment of Operators
Disclosing Party acknowledges and agrees that:
6.1.1 the Recipient is entitled to retain its Affiliates as Operators; and
6.1.2 subject to clause 6.2 below, the Recipient or any such Affiliate may engage any third parties from time to time to process Personal Information on their behalf and in connection with the fulfilment of the purpose envisaged in Schedule A of this Data Protection Policy.
6.2 Approval of Operators
Except as otherwise provided in this Data Protection Policy, the Recipient shall not provide any third party with access to Disclosing Party Personal Information without the prior express approval of Disclosing Party. The Recipient shall provide advance written notice to the Disclosing Party should it desire to provide a third party access to Disclosing Party’s Personal Information. Where approval has been granted by Disclosing Party in accordance with this section, the Recipient shall:
6.2.1 undertake due diligence on the Operator; and
6.2.2 enter into a written agreement with the Operator that ensures that the Operator Processes the Personal Information in line with this Data Protection Policy and Data Protection Laws and Regulations; and
6.2.3 provide Disclosing Party with such information regarding the Operator as Disclosing Party may reasonably require.
7 SECURITY MEASURES, NOTIFICATIONS REGARDING PERSONAL INFORMATION, CERTIFICATIONS AND AUDITS, RECORDS
7.1 Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Recipient shall implement appropriate organizational and technical measures towards a level of security, appropriate to the risk (including risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise Processed), including but not limited to:
7.1.1 the encryption of Personal Information in transit;
7.1.1.1 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
7.1.1.2 the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical and technical incident; and
7.1.1.3 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
7.1.2 the storage of Personal Information on devices with virus and firewall protection that are under the control of the registered CDP:CIO, with access restricted to the CDP:CIO and/or official Associated Personnel only.
7.2 Notifications Regarding Personal Information Breach
7.2.1 The Recipient will ensure that it and its Operators have in place reasonable and appropriate security incident management policies and procedures as required by the POPI Act, and shall notify Disclosing Party without undue delay (but in any event within 24 hours) where there are reasonable grounds to believe that there has been, or after becoming aware of, the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to Personal Information, transmitted, stored or otherwise Processed by the Recipient or Operators of which the Recipient becomes aware (hereinafter, a “Personal Information Breach”), as required to assist the Disclosing Party in ensuring compliance with its:
7.2.1.1 obligations to notify the Supervisory Authority;
7.2.1.2 obligations to communicate the Personal Information Breach to the Recipient involved; and
7.2.1.3 documentation obligation regarding the facts relating to the Personal Information Breach, its effects, and the remedial action taken.
7.2.2 The Recipient shall make reasonable efforts to identify the cause of such Personal Information Breach and take those steps as it deems necessary and reasonable in order to remediate the cause of such a Personal Information Breach, to the extent that the remediation is within the Recipient’s reasonable control.
7.3 Records
The Recipient shall maintain complete and accurate written records of the Processing it undertakes on behalf of Disclosing Party in accordance with Data Protection Laws and Regulations and Associated Personnel’s professional code of ethics.
8 RETURN OF PERSONAL INFORMATION, COMMUNICATION
8.1 Return of Personal Information
Unless otherwise required by law, the Recipient and Operators shall, if required in terms of Data Protection Laws and Regulations, upon termination or expiry of the Agreement for whatever reason, either securely delete or return all the Disclosing Party Personal Information to Disclosing Party in accordance with the Agreement, or in the absence of a specific destruction provision, the Recipient will ensure it follows its standard Personal Information destruction practices. If the Recipient or its Affiliates are required to retain a copy of the Personal Information by law, it shall retain that which is required by applicable Data Protection Laws and Regulations for not longer than is reasonably necessary.
9 COOPERATION WITH SUPERVISORY AUTHORITY
The Disclosing Party and the Recipient as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
10 CONFLICT
If this Data Protection Policy is incorporated into and forms part of any other Agreement, for matters not addressed under this Data Protection Policy, the terms of the Agreement apply to the extent of any inconsistency. With respect to the rights and obligations of the parties to each other insofar as they pertain to the Processing of Personal Information, in the event of a conflict between the terms of the Agreement and this Data Protection Policy, the terms of this Data Protection Policy will prevail to the extent of such inconsistency.
11 SEVERABILITY
The invalidity or unenforceability of any provisions of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect.
The Disclosing Party, who warrants that he/she is duly authorised, hereby agrees to the POPI Data Protection Agreement and provides consent hereto by checking the tick box and clicking submit.
'Schedule A'
Nature and purpose of Processing Personal Information
This table includes certain details of the Processing of Personal Information as required by section 18 of the POPI Act.
Nature and purpose of Processing
a. What is the purpose of the collection, use and disclosure (the processing) of Personal Information?
i. The Recipient will only use the Disclosing Party’s Personal Information for the rendering of professional career development information services to the Disclosing Party, and in a manner which is consistent with the purpose for which consent has been given, and for which laws and professional requirements, rules and policies in the RSA dictate.
ii. In order to achieve informed consent, the purpose or reason for processing and storing of the Disclosing Party’s information by the Recipient is:
• To render career and study information services to clients to enable them to make informed career and study choices and to access their desired career paths.
• To provide holistic career guidance information services to individual and group clients.
• To understand the client’s profile, career development needs and requirements in order to provide more direct career and study information services.
• For the generation of reports and referrals for clients.
• For the referral to and discussion of self-exploration activities, reports, resources and further information.
• To fulfil the administrative responsibilities associated with the delivery of career development information services in RSA.
• For the fulfilment of the Recipient’s contractual obligations to the Disclosing Party per the career services agreement.
• For providing personalised communication.
• For the Recipient’s Associated Personnel to comply fully with the requirements as set out by the professional designation of Career Development Practitioner: Career Information Officer (CDP:CIO) in the RSA.
• For execution and fulfilment of the professional duties, requirements, responsibilities, reporting obligations and competencies of the registered CDP:CIO under the Competency Framework for Career Development Practitioners In South Africa, applicable laws and regulations along with professional body policies and requirements.
• For a purpose that is ancillary to the above.
b. Who is information collected from?
i. Information is collected directly from clients through online or onsite career information sessions.
ii. Information may also be collected from email correspondence, forms, checklists, recordings, transcripts, notes, website links, documents, reports, self-exploration activities, tasks and referred resources which the client is willing to share and discuss with the CDP:CIO during sessions.
c. To whom will Personal Information be disclosed?
All information provided to the Recipient and its Associated Personnel is:
i. treated in strict professional confidence and is not shared with any third party under any circumstance, unless required by law or with the request of the Disclosing Party for fulfilling services on part of the CDP:CIO and/or official Associated Personnel.
ii. under the control of the registered CDP:CIO who is accountable to a confidentiality agreement and operates under the terms of the Occupational Insight data protection policy, applicable laws of RSA and code of ethics for the professional designation.
d. How long will Personal Information be retained?
Personal Information is a critical enabler to the rendering of personalised career information services to clients. Retention is important for future follow-up sessions, for CDP:CIO/client reference during sessions, reporting and in maintaining the required administrative functions, duties and records for providing professional career information services. The period of Personal Information retention will be determined by:
I. purposes of affording the Disclosing Party with a reasonable opportunity to request access to their records; and
II. to maintain administrative records pertaining to the career development services rendered as required by the Recipient’s Associated Personnel professional code of ethics, duties, along with relevant rules, policies, and/or laws for career development information services in RSA.
e. What consequences are there for not providing consent to Personal Information?
I. The Personal Information supplied is central to the rendering of effective and tailored career information services to the Disclosing Party. Failure to provide Personal Information may entail that the Recipient is unable to fulfil its full processing purpose which may affect the scope, level and quality of services rendered.
II. Consent is not mandatory and is completely voluntary. The Disclosing Party may withdraw consent at any time.
III. Refusal of consent may limit the performance, applicability, and nature of services which can be rendered in terms of the career services agreement.
Categories of third parties
Personal Information may be shared with the following categories of third parties:
Personal Information is treated with care, respect and kept strictly confidential. The Recipient will not share Personal Information of the Disclosing Party with any third party, unless:
• At the request of the Disclosing Party or in submitting referral information on its behalf. In such instances, Personal Information may be shared with the following categories of third parties:
o Institutions of learning;
o RSA Quality councils;
o Study funding organisations;
o Employers or recruitment organisations;
o Professional bodies;
o Career/study self-exploration sites or portals;
o Auxiliary career development service providers; and
o Registered professionals where the scope of services required by the client falls outside that of the CDP:CIO.
• For purposes of complying with a legal request.
Types of Personal Information to be Collected and Processed
• First name
• Last name
• Email address
• Date of birth
• ID number
• Passport number
• Phone number
• Address or location
• Text, audio, video or image files
• Qualification information, records and/or history
• Personal preferences linked to career and/or study options
• Information on self-concept related to career and study options
• Employment, work and study preferences
• Information on career self-concept and personal needs
• Employment information, records, profile and history
• Full Curriculum Vitae (CV)
• Copies of qualifications and/or certificates
• Academic records, transcripts and/or reports
• Self-exploration results, activities, assessments, resources or tasks
• Reports from career portals, activities, or self-assessments
• Audio and/or Visual Session recordings for client files, records and report generation
• Auxiliary information to support the duties, purpose and activities