Privacy Policy
Issue Date: 30 May 2024
Issue Number: 0007
POPIA and GDPR
Revision Period: 12 Months
Ref: EBMS-23
Table of Contents
- Introduction
- Meaning of terms used in this Privacy Policy:
- Privacy guidelines for client and service provider individuals
- Rights of the Data subject
- Security of Personal Information
- Other information
- Privacy concerns
- Variations to the Privacy Policy
- Responsibilities of the Information Security Officer
- How to contact us “contact us”
- Cookies Policy
Information Security Management Requirements for GDPR and POPI Act: Further to and in support of this privacy policy, Passport 360 has well-documented information security management policies and procedures which contain IT security elements and responsibilities.
- Introduction
Passport 360 respects your privacy and is committed to protecting your personal information.
For the purposes of applicable data protection laws, we are the data processor.
This Privacy Policy applies to all personal information collected by us, or submitted to us, whether offline or online, including personal information collected or submitted through our websites (our Websites) and any mobile sites, applications, widgets and other mobile interactive features (collectively, our Apps), through our official social media pages that we control (our Social Media Pages) as well as through HTML-formatted email messages that we send to you (collectively, including the Social Media Pages, Apps and Websites, the Sites).
This Privacy Policy describes how we deal with information we collect and demonstrates our commitment to the protection of your privacy. By visiting the Sites and otherwise providing personal information to us, you are accepting and consenting to the practices described in this Privacy Policy. If you do not agree with any of the terms of this Privacy Policy, please do not use the Sites or submit any personal information to us.
Where your employer has contracted with us to process your personal information via the Passport 360 Web Application for the purposes of compliance with the Mine Health and Safety Act, Occupational Health and Safety Act and/or Basic Conditions of Employment Act, we will process your information on behalf of our client (the data controller and responsible party) for this legitimate purpose only, as specified by the data controller and in accordance with our contractual agreement with them.
The purpose of this policy is to enable Passport 360 to comply with:
- a) Protection of Personal Information Act, 2013 (hereinafter POPIA Act)
- b) General Data Protection Regulation (hereinafter GDPR)
- c) Adhere to both Legislative requirements.
- Meaning of terms used in this Privacy Policy:
Personal information means any information about you (including information forming part of a database), by which you may be identified directly or indirectly, whether on its own or in combination with other information, whether true or not, and which is submitted to and/or collected by us in an accessible form.
Data subject: The person to whom personal information relates;
POPIA: Refers to the Protection of Personal Information Act 4 of 2013;
GDPR: Refers to the General Data Protection Regulation (EU) 2016/679
Processing: any operation or activity or any set of operations, whether by automatic means, concerning personal information, including:
1) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use.
2) dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure or destruction of information.
Responsible party: means a public or private body or any other person which, alone or in conjunction with others determines the purpose of and means for processing personal information.
Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person (including information forming part of a database), by which a person may be identified directly or indirectly, whether on its own or in combination with other information, whether true or not, and which is submitted to and/or collected by us in an accessible form.
Sensitive information means personal information about things such as your membership of professional associations, race, ethnic origin, religion, sexual orientation, biometric information and occupational health information.
- Privacy guidelines for client and service provider individuals
We process data for employment purposes and compliance under the Mine Health and Safety Act and Occupational Health and Safety Act, on behalf of our clients who are the Data Controllers.
The legal bases for processing your personal information under POPIA (South Africa) are as follows:
- To conclude or perform in terms of a contract – Your employer may be legally required to process your PI in compliance with the requirements of the Mine Health and Safety Act in order to carry out its obligations to its client, who in this case would be the Data controller.
- To Comply with an obligation imposed by Law – We may process your data on behalf of your employer and the Data controller for the purpose of compliance with the Mine Health and Safety Act and Occupational Health and Safety Act or
- If the Data subject consents to the processing
3.1. What kinds of personal information do we collect and hold on behalf of Clients (the Data controllers)?
We collect and hold:
(a) your contact details, such as office address, home address, telephone numbers, emergency contact details and email address;
(b) your personal details, such as date and place of birth, gender, qualifications, education (including transcripts), training records, operator licenses, legal appointment letters, the languages you speak and your background;
(c) your employment information and history, recommendation and reference letters, time and attendance and clocking information (including in some instances location);
(d) information you make available on the Sites;
(e) sensitive information, such as any ethnicity, criminal record or medical information, to the extent that it is relevant to our functions and responsibilities;
(f) safety compliance and risk management information.
3.2. How do we collect your personal information?
Personal information is collected in a number of ways, including:
Through the Sites: We may collect personal information from the Site, such as when you visit, use or register on our Websites, Apps or Social Media Pages, join (or request to join), or when you complete a survey;
From you: We may collect personal information from you when you contact, do business or interact with us by phone or email, apply for, enrol in or register for a program or activity, or enter into a competition;
From third parties: We may receive your personal information from other sources, such as your employer (for example when your employer uploads your information on to the system), your employer’s client, regulators and government and statutory bodies.
3.3. What would happen if we did not collect your personal information?
Your employer and/or the Data Controller collect your personal information for employment purposes and as required for statutory purposes. We process your data on behalf of your employer and/or the Data Controller for the purposes of legal compliance with the Mine Health and Safety Act, Occupational Health and Safety Act and/or Basic Conditions of Employment Act.
Should your information fail to be processed, your company may not meet the Health and Safety compliance requirements of the client’s work site, which may result in site access being denied to you; this may in turn impact your employer’s ability to deliver on their contractual obligations to their client.
3.4. How we use your personal information
We will not collect or use your personal information unless it is lawful for us to do so. We collect and process personal information for the following purposes:
(a) processing and displaying relevant information required by clients to meet their obligations under the Mine Health and Safety Act, Occupational Health and Safety Act and/or Basic Conditions of Employment Act, and their duty of care to all workers entering their work sites;
(b) if applicable, fulfilling orders or requests for information, products or services (with your consent, if required);
(c) if applicable, sending subscription renewals;
(d) for promotional and marketing purposes, including communicating information about our products and services (with your consent, if required);
(e) communicating to individuals in the system on behalf of the Data Controller (through message, email, SMS and push notifications);
(f) monitoring, moderating and improving our Sites;
(g) fulfilling our contractual and other regulatory obligations;
(h) organising and hosting training and events (including with third parties);
(i) providing products and services, or information relating to such products and services (with your consent, if required);
(j) assessing or improving our products and services, as well as for training and quality purposes, including building profiles, monitoring, recording and analysing online interactions and communications between you and us;
(k) providing information to third parties as authorised or required by law or a court or tribunal.
We have a legitimate interest in using your information in these ways. It is also fundamental to the nature of the service we provide.
In some cases, it will be lawful for us as the data processor and the data controller (our client) to collect and use your personal information, for example where it is necessary as part of our, or a third party’s, statutory or public function, or because the law permits or requires us to.
In addition to the specific circumstances above, we will only use your personal information with your consent (if required under applicable data protection laws) when we process your personal information to send you carefully selected marketing materials about our products and services (or those of our third-party partners) by email, text or push notification, depending on your account or operating system settings. You have the right to opt out of receiving such direct marketing at any time.
If at any time you wish to stop receiving direct marketing messages from us, the easiest way to do so (for electronic messages) is to use the unsubscribe feature in the marketing message you have received. You can also let us know by contacting us using the contact details set out in the “contact us” section. In your request, please indicate that you wish to stop receiving marketing communications from us.
Our Sites may contain hyperlinks to websites operated by third parties. We are not responsible for the content of such websites, or the way those websites handle any personal information you provide. In some cases, we may use a third-party service provider to process payments made through the Sites. In these cases, your personal information may be collected by this third party and not by us and will be subject to the third party’s privacy policy, rather than this Privacy Policy. We have no control over, and are not responsible for, this third party’s use or disclosure of your personal information.
3.5 Use and disclosure of personal information
We do not use your personal information or disclose it to another organisation unless:
(a) it is reasonably necessary for one of the purposes described above;
(b) having regard to the nature of the information or the circumstances of collection we believe you would expect us to use the information or make the disclosure;
(c) required or authorised by law or court or tribunal;
(d) it is necessary to protect the rights, property, health or personal safety of a member, the public or our interests, and it is unreasonable or impracticable to obtain your consent;
(e) the disclosure is necessary to assist any entity, body or person to locate a person who has been reported missing;
(f) the assets and operations of our business are transferred to another party as a going concern;
(g) it is necessary to obtain third party services as directed by our client the data controller, for example to carry out data analysis or provide information processing services (where use of your information by third parties is strictly controlled);
(h) it is for one of the purposes expressly permitted under applicable data protection and privacy laws; or
(i) you have provided your consent.
To suppress or limit our use of your personal information that has been previously provided to us, please email or write to us using the contact information listed below in the “contact us” section.
We will not sell your personal information to third parties.
Overseas disclosures
Your personal data is stored in the country where it is collected and is hosted on Microsoft Azure Cloud services within that country. Your data will not be transferred outside of the country where it is processed without your consent to do so and in compliance with POPIA and GDPR.
Staff and service providers
All service providers that have access to personal information held by us are required to keep the information confidential and not to make use of it for any purpose other than to provide services in accordance with their engagement. We will take all steps that are reasonably necessary to ensure your personal information is treated securely and in accordance with this Privacy Policy as well as applicable data protection laws. Any supplier processing data on behalf of Passport 360 needs to evidence its compliance with POPIA or GDPR during the onboarding phase, and this compliance must be verified annually.
All staff members sign confidentiality agreements and NDAs as part of their employment contract, which is mandatory for any employee who accesses the Passport 360 web application. All staff receive privacy training as part of the onboarding process and refresher training once per annum.
Staff credentials are managed via Azure Active Directory and all actions are tracked within the Passport 360 system. Furthermore, personal information is classified, tagged and tracked using Azure Compliance Manager across Microsoft Azure and Microsoft 365 to ensure data policies are adhered to by all internal users.
All user login IDs are audited at least twice yearly, and all inactive logon IDs are revoked. Each individual’s logon access is directly linked to their employment status and is automatically revoked on termination. The Company Human Resources Department notifies the Security Officer or appropriate personnel upon the departure of all employees and contractors, at which time login IDs are revoked.
3.6 Access and correction of personal information
Individuals may request access to their personal information unless we are permitted by law to withhold that information. Individuals may also request the correction of any personal information which is inaccurate. Any requests for access or correction of your personal information should be made in writing to our Privacy Officer / Data Protection Officer.
We will in most cases provide an individual with access to their personal information. To the extent permitted by law, there are some exceptions where this access may be denied, namely where:
(a) providing access may have an unreasonable impact on the privacy of other individuals;
(b) providing access would be unlawful or would be likely to prejudice one or more enforcement related activities conducted in relation to local law by, or on behalf of, us or an enforcement body;
(c) providing access would reveal our intentions in relation to negotiations with the individual in such a way as to prejudice those negotiations;
(d) we have reason to suspect that unlawful activity, or misconduct of a serious nature, relating to our functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
(e) giving access would reveal evaluative information generated by us in connection with a commercially sensitive decision-making process;
(f) we reasonably believe that giving access would pose a serious threat to the life, physical or mental health or safety of any individual, or to public health or public safety;
(g) the request for access is frivolous or vexatious; or
(h) where we are otherwise permitted by applicable data protection and privacy laws to do so.
To request access and seek the correction of personal information held by us, please email, call or write to us using the contact information listed below in the “contact us” section.
We will endeavour to respond to any access or correction request within 20 working days of receipt.
- 4. Rights of the Data subject pertaining to Passport 360
4.1 Residence in South Africa
If you are a resident in South Africa, you have the following rights in relation to your personal information (where applicable):
- Objection to the use of personal information
- Notification if information is being used for something other than what was consented for
- Establishing whether the responsible party holds information
- Request that information be corrected or destroyed
- Request that we delete personal information that we process about you; we are not obliged to do so if we, the data controller or your employer need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims
- Refuse processing for direct marketing by unsolicited electronic communications
- Lodge a complaint with the Information Regulator
- Institute civil proceedings (Sec 99)
- Correct Personal Information that is inaccurate, irrelevant, excessive, incomplete, misleading or obtained unlawfully.
To make a request to exercise any of these rights in relation to your personal information, please email, call or write to us using the contact information listed below in the “contact us” section.
4.2 Residents in the European Economic Area
If you are a resident in the European Economic Area, you have the following rights in relation to your personal information (where applicable):
(a) Access. You have the right to request a copy of the personal information we are processing about you. For your own privacy and security, at our discretion we may require you to prove your identity before providing the requested information.
(b) Rectification. You have the right to have incomplete or inaccurate personal information that we process about you rectified.
(c) Deletion. You have the right to request that we delete personal information that we process about you, except we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
(d) Restriction. You have the right to restrict our processing of your personal information where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
(e) Portability. You have the right to obtain personal information we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal information which you have provided to us, and (b) if we are processing that data on the basis of your consent or to perform a contract with you.
(f) Objection. Where the legal justification for our processing of your personal information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
(g) Withdrawing Consent. If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge. This includes cases where you wish to opt out from marketing messages that you receive from us.
To make a request to exercise any of these rights in relation to your personal information, please email, call or write to us using the contact information listed below in the “contact us” section.
- 5. Security of Personal Information
We use reasonable organisational, technical and administrative measures and security safeguards to protect, as is reasonable in the circumstances, the personal information we hold from misuse, loss, interference and/or unauthorised/unlawful access, processing, destruction, use, disclosure or alteration of information under our control. These measures include, but are not limited to, implementing appropriate security controls governed by an enterprise data management framework that is regularly reviewed against best practice, and maintaining policies and procedures that establish information security principles across the business. Where practicable, we implement measures to require organisations to whom disclosure is made to comply with applicable data protection and privacy laws.
All personal data stored within the Passport 360 web application is de-identified and securely stored on Microsoft Azure cloud; it is encrypted at rest and in transit. PI is stored in a de-identified manner in secure blob storage. All personal data is classified and tagged, which allows for compliance tracking and monitoring using the latest cloud security tools via Microsoft Azure.
If a third party (such as your employer) accesses your personal information via our secured web application, the user is authenticated, and we take reasonable steps to ensure that the information is held securely and used only for the purpose of providing the relevant service or activity. Sensitive personal information is only accessible to users with specific system user rights allocated by the data controller/responsible party in order to carry out its legal obligations under the relevant Health and Safety legislation.
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem using the contact information listed below in the “contact us” section.
In the event of a data breach occurring, the Data Protection Officer will report the breach to the Information Regulator and the affected data subjects in writing as soon as reasonably possible after the discovery of the compromise.
- 6. Other information
6.1. What other information do we collect?
The Sites may collect other information that may or may not be personal information. Other information includes information that does not reveal your identity, such as:
(a) browser and device information;
(b) server log file information;
(c) App usage data;
(d) demographic information;
(e) location information;
(f) aggregated information.
6.2 How do we collect other information?
Through your use of an App: When you download and use an App, we and our service providers may track and collect App usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number.
6.3 How do we use other information?
Please note that we may use and disclose such other information which is not personal information for any purpose, except where we are required to do otherwise under applicable law; for example, if we are required to treat that information as personal information under applicable law.
In some instances, we may combine other information with personal information. If other information can be combined with personal information or can be used to build a profile of an individual (in a way which could be reasonably used to identify that individual), such other information will be treated by us as personal information.
- 7. Privacy concerns
If you would like any further information about our handling of personal information or to make a complaint about our handling of your personal information, please lodge a written complaint addressed to our Privacy Officer using the contact details below. Once we receive your complaint, we will respond to you within a reasonable period of time, usually within 20 working days.
If you are unsatisfied with the outcome of your complaint, you may contact us further to advise of your concerns and, if we are unable to reach a satisfactory resolution, you may wish to take your complaint to the local data protection authority.
- 8. Variations to the Privacy Policy
We reserve the right to modify this Privacy Policy at any time by publishing an updated version of this Privacy Policy on our Website and taking any further action as required by law, after which, your continued use of the Website or your provision of any further personal information will indicate your acknowledgement to the modified terms of this Privacy Policy.
If there are any conflicts between the English and foreign language translation versions of this Privacy Policy, the English version will prevail.
- Responsibilities of the Information Security Officer:
Passport 360 has formally appointed a Data Protection Officer who has the following authority and responsibilities:
- Ensure compliance with POPIA and GDPR
- Develop and maintain the Security Policies
- Ensure that periodic awareness training takes place
- Ensure that Internal and External Privacy Notices are published
- Handle data subject access requests
- Assess the privacy requirements and responsibilities of information processing service providers or operators in terms of sections 20 and 21 of POPIA
- Function as the GDPR Data Protection Officer (DPO)
- 10. How to contact us “contact us”
Privacy Officer / Data Protection Officer
Passport 360 (Pty) Ltd
19 Wild Fig Office Park
Cranberry Street
Honeydew
E: info@passport360.co.za or support@passport360.com
- 11. Cookies Policy
We store a unique cookie after successful authentication. This cookie is not transferable and can only be utilised on the device it was created on. This cookie does not store any personal or identifiable user data. No additional cookies are stored.