GREAT HEART PRIVACY NOTICE

Introduction

This privacy notice has been adopted as part of our Personal Information Protection Compliance Framework.

During your interactions with us, it may happen that we need to process some information about you which may constitute personal information for purposes of POPI, which may include
accessing it, storing it, merging it with other information, deleting or destroying it, and possibly sharing it with third parties. 

In terms of s18 of POPI we are required to bring to your attention certain matters relating your personal information, which we set out in this notice document. By interacting with us and providing your personal information to us, you acknowledge that you have read and understood this notice and have agreed to the contents hereof. You furthermore authorize us to take any of the actions described herein insofar as your personal information is concerned.

Definitions used in this Privacy Notice

Below is a list explaining some of the commonly used terms in this framework and the individual policies forming part hereof:

Data Subject

The person whose personal information is being processed by us or on our behalf. In this document also referred to as “you.”

Information Officer

The person internally tasked with ensuring compliance by the Responsible Party, whose duties may be delegated to one or more deputy information officers.

Information Regulator

The office established in terms of POPI to oversee the implementation of, and compliance with POPI.

PAIA

The Promotion of Access to Information Act 2 of 2000.

Personal Information

Any information that pertains to an identifiable Data Subject. POPI lists many examples. These include things like contact information, information about a person’s identity, health, religion, education, employment, biometric data, etc.

POPI

The Protection of Personal Information Act 4 of 2013.

Processing

The actions taken in respect of personal information by the responsible party or on their behalf. This includes most forms of interaction with the records containing such information, such as creating new records, transmitting information, storing it, updating it, and deleting or destroying it.

Operators

Third party service providers who process personal information on our behalf.

Responsible Party

The person who decides the reason and means by which personal info will be processed. In the context of this policy, we are the responsible party.

Special Personal Information

Certain types of personal information are classified as “special”, which means in most cases that their processing is restricted and subject to additional requirements. This includes information about children, a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal record.

WHAT POPI REQUIRES OF US

This privacy notice has been developed with specific reference to our duties in terms of POPI and constitutes our commitment to uphold the following conditions:

Accountability

This condition makes it a requirement for all responsible parties to comply with the other seven conditions. In practice, this is mostly the responsibility of the information officer and his or her deputies. This includes:

Limitations on processing

This condition is aimed at ensuring that processing of personal information is as limited as possible, with reference to the purpose for which it is processed. It requires that:

Reasons for processing

This condition relates to the purpose for which personal information is being processed. In most cases, a responsible party must explain to the data subject, what their reason is for needing the information and what they are going to use it for.

Quality of information

A responsible party is required to take “reasonably practicable” steps to ensure that the information it processes is complete, accurate, not misleading and updated where necessary, with reference to the purpose for which the information is being processed. In other words, reasonable systems must be put in place to make it as simple and easy as possible to keep information accurate and up to date.

Notices and communication

This condition relates to communication and notifications to data subjects, which helps them to understand what their information is being used for and how to exercise their rights in respect of their information.

Security

A responsible party is required to take “appropriate, reasonable technical and organisational measures” to prevent loss, damage, unauthorized destruction, and unauthorized access to or
processing of personal information.

Where a responsible party allows information to be processed by an operator in its behalf, it is required to have a written contract with such operator, wherein the operator agrees to comply with the same security requirements as the responsible party. The Operator must furthermore notify the Responsible Party in the event of a suspected data breach.

In the event of a suspected data breach, a responsible party is required to notify the Information Regulator, as well as affected data subjects.

Participation

This condition relates to a data subject’s rights to access personal information about them and to request corrections, deletion, or destruction thereof. The manner in which information may be requested is actually not regulated by POPI, but by PAIA, which is why POPI requires responsible parties to prepare or update their PAIA manuals.

CONTACT INFORMATION

We have appointed an Information Officer in terms of s56 of POPI, read with s17 of PAIA. This Information Officer should be the first point of contact for any queries regarding this framework or any of the policies contained herein. The Information Officer’s details are as follows:

JOLIZE VAN WYK

Tel: +27 (0)82 92 4380
Email: jo@mlfwines.com

The Information Regulator

The Information Regulator’s office may be contacted for any queries regarding POPI in general, or to lodge formal documentation. According to the Information Regulator’s website, their contact details are as follows:
JD House
27 Stiemens Street Braamfontein,
Johannesburg
2001

Mr Marks Thibela
Chief Executive Officer
Cell No. +27 (0) 82 746 4173
Email: Mthibela@justice.gov.za
inforeg@justice.gov.za 

INFORMATION THAT WE PROCESS

We process various types of information relating to various data subjects, which will differ depending on your relationship with us. 

Please refer to Schedule 1 of this notice for a breakdown of the personal information commonly processed by us.

HOW WE PROCESS YOUR PERSONAL INFORMATION

We process personal information by way of digital and physical means. Certain information is processed only by digital means – especially if it was provided to us only in digital format or using one of our digital platforms – and is subject to the safeguards contained in our ICT Security Policy. Other information is captured manually by way of standard application forms. These records are kept in physical format and secured physically, in accordance with our Physical Information Security Policy. Such information is also captured digitally and stored on our digital infrastructure in accordance with the provisions of our ICT Security Policy.

REASONS FOR PROCESSING PERSONAL INFORMATION

The proper functioning of GREAT HEART as a WINE PRODUCTION ENTITY requires us to process certain personal information. This could be for any of the following reasons:

If requested personal information is not provided to us, we may not be able to properly fulfil the above-mentioned functions, which may result in the relevant interaction being interrupted, or our not engaging in such interaction at all, in our sole discretion. We accept no responsibility for any such interruptions if personal information was requested by us but not provided.

WHERE WE MAY OBTAIN PERSONAL INFORMATION FROM

In most cases, we will request your personal information directly from you. However, in some cases we may need to obtain it from third parties. This will be the case if you have authorized us to do so, or where the nature of our interaction with you reasonably requires us to do so. If we process your personal information on behalf of one of our customers or clients, then we do so because the said client or customer has warranted to us that they have obtained your authorization to share such information with us.

We may also be legally required to independently verify some of the information provided to us in terms of applicable anti-terrorism and anti-money laundering legislation (including, but not limited to, the Financial Intelligence Centre Act 38 of 2001, as amended), which may include our accessing government or public directories in order to obtain certain personal information about you.

In some cases, especially if you are an organisation, we may need to obtain personal information relating to third parties (such as your office bearers or employees) from you. You hereby warrant that you have the express and informed consent of such third parties to provide us with any such information and indemnify us against any liability to such third parties, or any other party, as a result of a lack of such authorization.

If you are a parent or legal guardian of person under the age of 18, you hereby consent to our processing the personal information of your children for the reasons set out above. If you are a person over the age of 18 whose parents previously consented to our processing of your personal information, such consent will remain valid after you turn 18, unless you explicitly revoke it.

Where we need to process information classified as “special” personal information (e.g., medical information or information relating to children) for any of the reasons specified above, you hereby consent to our processing of such special personal information.

SHARING PERSONAL INFORMATION WITH THIRD PARTIES

We may need to share your Personal Information with third parties. In general, this is limited to transmitting or storing such information through, or on, electronic communication and storage infrastructure administered by third party service providers, which is subject to reasonable security safeguards.

INFORMATION LEAVING THE COUNTRY

We may need to transmit your personal information to a location outside of the country, where it may be processed by third parties. This may, for example, happen while we are communicating with you while you are not in the country, in which case it happens at your behest and on your instruction. It may also happen where our backup infrastructure is located in or administered from another country. In such cases, the transmission and processing of such information is subject to the provisions of s72 of POPI, meaning that the third party to which we may transmit your information will either be subject to laws, or a contract with us, or corporate binding rules, which requires them to employ the same reasonable safeguards in respect of your personal information that we are required to comply with in terms of POPI.

RETENTION OF PERSONAL INFORMATION

In general, we only retain your personal information for the duration of our interactions with you and for a reasonable period thereafter, in order to facilitate further similar interactions. We are, however, in some cases legally required to keep certain information for specific periods of time, which usually does not exceed a period of 5 years. Please refer to Schedule 2 of this notice for instances where specific retention periods apply.

Information that we retain for marketing or statistical purposes may be retained indefinitely, provided that you have authorised us to use the information for marketing purposes or, in the case of use for statistical purposes, that the information has been anonymized.

INFORMATION SECURITY

As required by s19 of POPI, the confidentiality and integrity of any personal information processed by us is subject to reasonable technical and organisational safeguards to prevent loss, damage, destruction or unauthorised access, having due regard to generally accepted information security practices and procedures. We will notify you, and the Information Regulator, should we suspect that a data breach has occurred.

We are not liable to you, or any other person, for any harm, loss, damage, destruction, or unauthorized access that may occur despite our implementation of such reasonable safeguards.

YOUR RIGHTS

In terms of sections 23 and 24 of POPI, you have the right to access, and to request us to correct, any personal information retained by us, subject to the provisions of those sections. Please refer to our PAIA manual, for more information on the process to follow in this regard.

You furthermore have the right, in terms of section 11(3) of POPI, to object to our holding of your personal information. Please refer to our PAIA manual, for more information on the process to follow in this regard.

Should you wish to lodge a complaint, you may contact the office of the Information Regulator, whose contact details are included above.

SCHEDULE 1 – TYPES OF PERSONAL INFORMATION PROCESSED

Information type

Why we process it

Identifying and age information, e.g., name, surname, ID number

To identify the data subjects that we interact with or, in some cases, to contact persons related to them (such as next of kin) in the case of an emergency.

Contact information, e.g., telephone numbers, email addresses, etc.

To contact the data subject (or in some cases their next of kin), if necessary.

Educational and employment information

To assess suitability of job seekers.

Information relating to gender, nationality, and ethnicity of employees.

To report legally required statistics to the Department of Labour.

Financial information relating to our employees, clients / customers, or service providers.

To provide employment-related benefits or remuneration to our employees; or to screen potential employees; or to invoice clients or customers for services rendered; or to pay service providers.

Criminal history of potential employees

To screen potential employees before hiring them.

SCHEDULE 2 – SPECIFIC RETENTION PERIODS IN RESPECT OF CERTAIN INFORMATION

Information type

Retention period

Information relating to prospective employees

From application date to the date that a decision is made to hire or not and up to 1 year thereafter.

Employee records

For duration of employment and up to a maximum of 5 years thereafter.

Customer information

For the duration of our contract (Customer can edit or remove their account details at any time) and up to a maximum of 12 months thereafter, except for sales information / financial records (see below).

Service provider information

For the duration of our contract and up to a maximum of 3 years thereafter.

Financial records

As long as required in terms of relevant tax laws, as advised by our accountants.