1. PERSONAL DATA PROTECTION RESPONSIBILITIES
1.1 We are committed to safeguarding the privacy of our StatPro clients.
1.2 StatPro Ltd. (“StatPro”, “we”, “us” and “our”) is a “Processor” of your (“you”, and “your”) personal data. This is a legal term – it means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The concept of a “processor” does not change under the POPIA (defined below). You should read this notice, so that you know what we are doing with your personal data. Our use of your personal data is governed by the Licence Agreement with each data controller (i.e. your employer or the custodian of your personal data). Please refer to the privacy notice of your data controller on details of how data processors are permitted to use your data.
1.3 “Personal data” (hereafter referred to as “PI”) means any information that relates to an identifiable natural person and where applicable, an identifiable existing juristic person. Your name, address, any identifying number, contact details, IP address and job title are all examples of your personal data, if they identify you.
1.4 “PAPIA” means the Promotion of Access to Information Act, a South African data access to information law.
1.5 “POPIA” means the Protection of Personal Information Act, a South African data protection law.
1.6 The term “process” means any activity relating to PI, including, by way of example, collection, storage, use, consultation and transmission.
1.7 Security of PI – StatPro will take all reasonable steps or measures to keep your PI secure. To this end, StatPro has implemented appropriate and reasonable technology, policies and processes aimed at protecting the confidentiality and integrity of your PI. This includes but not limited to adequate secure access controls to all our systems and files.
2. WHAT TYPES OF PI WE COLLECT, WHERE WE GET IT FROM, THE PURPOSES FOR WHICH WE USE IT AND THE LEGAL BASIS WE RELY ON
2.1 In this Section 2 we have set out:
(a) the general categories of PI that we may process;
(b) the source of the PI that we may process;
(c) the purposes for which we may process PI; and
(d) the legal bases or reasons we rely on in order to process PI lawfully.
2.3 We may process PI within your StatPro account data (“account data“). The account data may include your name and email address. The source of the account data is you or your employer. The account data may be processed for the purposes of providing our StatPro services and communicating with you. The legal basis for this processing is our legitimate interests, namely the proper administration of our StatPro services and business.
2.4 We may process information that you provide to us for the purpose of subscribing to our email blog and product notifications and/or newsletters (“notification data“). The notification data may be processed for the purposes of sending you requested relevant notifications and/or newsletters. The legal basis for this processing is consent. Please do not supply any other person’s PI to us, unless we prompt you to do so.
3. WHO WE SHARE YOUR PI WITH AND WHY?
3.1 We may disclose your PI to Confluence Technologies, Inc. (“Confluence”), our parent company, and Confluence’s EU/EEA and non-EU/EEA affiliates and subsidiaries including Confluence International Limited, StatPro Canada Inc., StatPro Italia Srl, StatPro Australia Pty Ltd, StatPro Limited, StatPro South Africa (Pty) Ltd, and StatPro Inc., insofar as we determine it may be reasonably necessary for the purposes, and on the legal bases, set out in this policy.
3.2 We may disclose extracts of your PI to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
3.3 You authorise StatPro to engage its own affiliated companies, for the purposes of providing the StatPro service. In addition, you agree that StatPro may use sub-processors to fulfill its contractual obligations with the you or to provide certain services on its behalf.
3.4 In addition to the specific disclosures of PI set out in this Section 3, we may disclose your PI where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to seek to protect your vital interests or the vital interests of another natural person. We may also disclose your PI where we determine that such disclosure may be reasonably necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4. INTERNATIONAL TRANSFERS OF YOUR PI
4.1 In this Section 4, we provide information about the circumstances in which your PI may be transferred to countries outside of South Africa.
4.2 The POPIA controls the transfer of PI from South Africa to foreign countries and prohibits this unless: (POPIA, section 71)
– the person receiving the information is subject to similar laws;
-subject has agreed to the transfer of information;
-such transfer is part of the performance of a contract which the subject is a party; or
-transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (POPIA, section 72)
We may process PI in other countries to support ongoing business delivery. Some countries may not have similar privacy requirements; in which case we will seek to ensure that the receiving parties agree to adequate privacy principles before we share such information and at the very least one of the following will be ensured when transferring South African PI:
-The country to which the PI will be sent affords an adequate or level of PI protection;
-Recipients in the receiving country agree to treat information in accordance with the POPIA provisions;
-Data subjects’ consent to the transfer of their PI
-Transfer is necessary for performance of a contract between the person whose PI is being transferred and the responsible party.
StatPro will take measures to protect your PI no matter where we process or store it, following this privacy statement. By submitting your PI to StatPro, you hereby consent to this transfer and processing of your PI.
5. RETAINING AND DELETING PI
5.1 This Section 5 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of PI.
5.2 PI that we process for any purpose or purposes shall not be kept for longer than we determine is reasonably necessary for that purpose or those purposes.
5.4 Notwithstanding the other provisions of this Section 5, we may retain your PI where we determine such retention may be reasonably necessary for compliance with a legal obligation to which we may be subject, or in order to protect your vital interests or the vital interests of another natural person.
6. STATPRO DIRECT MARKETING
6.1 We, Confluence, and Confluence’s affiliates and subsidiaries may make use of your PI to market to you where you have provided your express consent. To view or update your preferences, click the “email preferences” link at the bottom of any of our emails or contact [email protected].
6.2 Our direct marketing may include information about:
(a) new product releases;
(b) event invitations;
(c) news and content; and
(d) blog notifications.
6.3 We may from time to time send you service communications (rather than direct marketing communications) providing information about the functionality of new releases, updates and fixes that are provided as part of the services subscribed for. These are provided in our legitimate interest of keeping you informed as a user of the services about changes made to the service subscribed to.
6.4 If you would like to receive direct marketing from us, Confluence, and Confluence’s affiliates and subsidiaries, please visit StatPro’s “subscribe” web page.
6.5 If you have previously asked to receive marketing communications and wish to opt out of doing so, please visit StatPro’s “unsubscribe” web page.
7. AMENDMENTS TO THIS POLICY
7.1 We may update or amend this policy from time to time by publishing a new version on our website. This policy is available at https://www.statpro.com/privacy-policy/
7.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
7.3 We may notify you of changes to this policy by email or through a notification pop up message when you visit the website.
8 .YOUR PI RIGHTS
8.1 In this Section 8, we have summarised the rights that you have under the POPIA. Not all of the rights listed in this Section are engaged in all circumstances. On receipt of a rights request, we will assess whether the right you are seeking to exercise is engaged.
8.2 Everyone has the right to be informed if someone is collecting their PI, or if their PI has been accessed by an unauthorized person. In addition, they have the right of access to their PI and to require that PI be corrected or destroyed, or they may object to their PI being processed.
8.3 The POPIA does not apply to PI processed
-in the course of a personal or household activity,
-or where the processing authority is a public body involved in national security, defence, public safety, anti-money laundering,
-or the Cabinet or Executive Council of the Province
-or as part of a judicial function.
8.4 PI can only be processed: (POPIA, Section 11)
-with the consent of the “data subject”; or
-if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
-if it is required by law; or
-if it protects a legitimate interest of the “data subject”; or
-if it is necessary to pursue your legitimate interests or the interest of a third party to whom the PI is supplied.
8.5 Everyone has the right to object to having their PI processed. They have the right to withdraw their consent, or object if they can show legitimate grounds for their objection.
8.6 StatPro will only collect PI directly from the “data subject”, unless:
-this PI is contained in some public record or has been deliberately published by the data subject;
-collecting the PI from another source does not prejudice the subject;
-it is necessary for some public purpose; or to protect their own interests;
-obtaining the PI directly from the subject would prejudice a lawful purpose or is not reasonably possible.
PI may only be collected for a specific, explicitly defined and lawful purpose and the data subject must be aware of the purpose for which the information is being collected. (POPIA, Section 13)
Once the PI is no longer needed for the specific purpose for which it was gathered, it must be disposed of (or the data subject must be “de-identified”).
PI may only be kept if it is allowed by law, or the information is needed to keep the record for lawful purpose or in accordance with the contract between StatPro and the data subject, or the data subject has consented to the data processor keeping the records. (section 14)
StatPro is entitled to keep records of PI for historical, statistical or research purposes if it has been “de-identified” and safeguards have been established to prevent the records being used for any other purposes.
Records must be destroyed in a way that prevents them from being reconstructed.
PI may only be used for the purpose which the data was collected. (POPIA, Section 15)
Documentation relating to PI and how it has been processed must be maintained as referred to in PAPIA section 14 or 51.
8.7 When PI is being collected, data subjects must be made aware of: (POPIA, Section 18)
-the information that is being collected and if the PI is not being collected from the subject, the subject must be made aware of the source from which the PI is being collected;
-the name and address of the person/organisation collecting the PI;
-the purpose of the collection of the PI;
-what period the PI will be retained for and assurance given that it will be destroyed by given date;
-whether the supply of the PI by the subject is voluntary or mandatory;
-the consequences of failure to provide the PI;
-whether the PI is being collected in accordance with any law;
-if it is intended for the PI to leave South Africa and what level of protection will be afforded to the PI after it has left South Africa.
-who will be receiving the PI;
-that the data subject has access to the PI and the right to rectify any details;
-that the data subject has the right to object to the PI being processed (if such right exists);
-that the data subject has the right to lodge a complaint to the Information Regulator (defined below). The contact details of the Information Regulator can be found here (POPIA, Section 18)
8.8 These requirements have to be met before the PI is collected directly from the subject, or soon as reasonably practicable. If additional information is collected from a subject for a different purpose, the same process must be followed.
This Section 8 must be read in conjunction with the POPIA which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013
8.9 You have the right to ask us to confirm whether or not we process your PI and, where we do, access to the PI, together with certain additional information. That additional PI includes details of the purposes of the processing, the categories of PI concerned and the recipients of the PI. Providing rights and freedoms of others are not affected, we will supply to you a copy of your PI. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. Please email [email protected] with your request. For further details, please refer to StatPro’s PAIA Manual which can be found here.
8.10 To the extent that the legal basis for our processing of your PI is:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your PI from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
8.11 If you consider that our processing of your PI infringes data protection laws or has resulted in a breach of your PI, you have a legal right to:
-To contact us at the details outlined in Section 9, where we will instigate an urgent enquiry into your claim or
-lodge a complaint with a supervisory authority responsible for data protection. You may do so with the Information Regulator
8.12 You may exercise any of your rights in relation to your PI by email or written notice to us.
9. OUR DETAILS
9.2 StatPro Limited registered office is, 2nd Floor, Liesbeek House, Liesbeek Parkway, Gloucester Road, Mowbray, Cape Town 7700
9.3 Our principal place of business is at StatPro Limited, 2nd Floor, Liesbeek House, Liesbeek Parkway, Gloucester Road, Mowbray, Cape Town 7700
9.4 You can contact our data protection officer:
(a) by post, to the postal address given above;
(b) using our website contact us form;
(c) by telephone, on the contact number published on our website from time to time;
(d) or by email, using [email protected]