1.1. KDC is a digital design and marketing agency.
1.2. KDC is located in Cape Town, South Africa.
1.3. Roger-Michael Raad has been duly appointed to be the Information Officer of KDC and is the person with whom to liaise in relation to the Protection of Personal Information Act 4 of 2013 (“the Act”).
2.1. This document sets out:
2.1.1. what personal information KDC processes,
2.1.2. why it collects this information and what it is used for,
2.1.3. how it stores that information and for how long; and
2.1.4. how you can contact KDC to ask them about your personal information.
2.2. You can find this document on KDC’s website located at https://knowndesign.co/ or you can request a copy of it from the Information Officer, using the details below.
3.1. The purpose of the Act is to ensure the protection of personal information which is processed by public and private institutions. It does this by:
3.1.1. introducing certain minimum requirements when it comes to the processing of personal information,
3.1.2. allowing for the creation of a regulator to enforce the various provisions of the Act;
3.1.3. allowing for codes of conduct to be issued that apply to all private and public bodies that process personal information;
3.1.4. protecting your rights as a data subject when it comes to receiving unsolicited electronic communications and where decisions relating to your personal information are made by an automated system; and
3.1.5. to regulate when and how your personal information may be sent outside the borders of South Africa.
4.1. In order to make sense of your rights in terms of this document, it is important that certain definitions contained in section 1 of the Act are explained:
4.1.1. Data subject: This is the person to whom the personal information relates.
4.1.2. Personal Information: This is extensively defined as follows:
188.8.131.52. Information relating to your race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;
184.108.40.206. Information relating to your education or to your medical, financial, criminal or employment history;
220.127.116.11. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment particular to you;
18.104.22.168. your biometric information;
22.214.171.124. your personal opinions, views or preferences of the person;
126.96.36.199. correspondence sent by you that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
188.8.131.52. the views or opinions of another individual about you; and
184.108.40.206. your name if it appears with other personal information relating to you or if the disclosure of your name itself would reveal information about you.
4.1.3. and divided into two categories of “personal information” which may generally be processed, as long as the minimum requirements of the Act are met, and “special personal information” which may not generally be processed unless specific exceptions apply as defined in the Act.
4.1.4. Processing: this includes any of the following actions in relation to personal information:
220.127.116.11. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
18.104.22.168. dissemination by means of transmission, distribution or making available in any other form; or
22.214.171.124. merging, linking, as well as restriction, degradation, erasure or destruction of information
4.1.5. Record: this refers to personal information in the possession or under the control of a responsible party (regardless of who created it or when it was created) which is in any of the following forms:
126.96.36.199. writing on any material;
188.8.131.52. information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
184.108.40.206. label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
220.127.116.11. book, map, plan, graph or drawing;
18.104.22.168. photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
4.1.6. Responsible party: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In this case, KDC is the Responsible Party.
4.1.7. Operator: this is a person who processes personal information on behalf of a Responsible Party in terms of a contract or mandate.
4.1.8. Filing system: any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
5.1. Attention: Roger-Michael Raad
5.2. Postal Address: 101 West Side Studios
139 Buitengracht Street
5.3. Physical address: 101 West Side Studio
139 Buitengracht Street
5.4. Telephone: +27 21 462 7748
5.5. E-mail: firstname.lastname@example.org
6.1. PERSONAL INFORMATION BELONGING TO KDC’S CLIENTS WHO USE KDC’S SERVICES:
6.1.1. Personal information belonging to juristic persons:
22.214.171.124. bank account details;
126.96.36.199. company or close corporation registration number, business logo, business e-mail addresses, the physical and postal address, telephone number and location information, VAT number.
6.1.2. Personal information belonging to natural persons
188.8.131.52. Where clients are natural persons:
184.108.40.206.1. bank account details;
220.127.116.11.2. identity number, full name, business logo, e-mail addresses, the physical and postal address, telephone number and location information, VAT number.
18.104.22.168. Information belonging to natural persons who are representatives of juristic persons
22.214.171.124.1. South African identity number, full name, business e-mail address, place of employment, address of employer and personal and business telephone numbers
6.2. PERSONAL INFORMATION BELONGING TO EMPLOYEES OF KDC
6.2.1. information relating to the name race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical and/or mental health, well-being, disability, religion, belief, language and birth of employees;
6.2.2. information relating to the education, the medical, financial, criminal or employment history of employees;
6.2.3. South African identity number, personal e-mail address, physical address, personal telephone numbers, location information and online identifiers of employees;
6.2.4. private and confidential correspondence with employees; and
6.2.5. records of a personal information stored by employees in KDC’s physical or electronic filing system(s).
6.3. PERSONAL INFORMATION BELONGING TO THIRD PARTY SERVICE PROVIDERS OF KDC
6.3.1. bank account details;
6.3.2. company or close corporation registration number, South African identity number, business logo, business e-mail addresses, the physical and postal address, telephone number and location information, VAT numbers.
7.1. PERSONAL INFORMATION BELONGING TO CLIENTS OF KDC
7.1.1. KDC requires the information collected from its clients that are both natural and juristic persons to provide them with digital design and marketing services. KDC processes the information necessary to provide these services. KDC may make this information available to operators to ensure that the services are provided to the very best of KDC’s abilities and to the highest standards. All operators have signed documentation confirming that personal information received from KDC is to be used solely to the purpose for which it is given to them. Such operators are prohibited from further processing the personal information given to them and have confirmed that they have systems in place that make sure that they are compliant with the requirements of the Act.
7.1.2. THE PERSONAL INFORMATION SOUGHT BY KDC IS MANDATORY IN NATURE. SHOULD CLIENTS NOT PROVIDE THE PERSONAL INFORMATION SOUGHT, KDC WILL NOT BE ABLE TO PROVIDE ITS SERVICES.
7.2. PERSONAL INFORMATION BELONGING TO EMPLOYEES OF KDC
7.2.1. KDC is committed to good governance and compliance. No personal information in respect of any employees will be used for any other reason besides what it is provided for. Any staff database kept by KDC will be for the purpose of managing the employment relationship between KDC and its employees only. No personal information pertaining to any employee will be provided to any third person unless in accordance with the Act, any relevant Labour Law legislation or with the express consent of the employee.
7.3. PERSONAL INFORMATION BELONGING TO THIRD PARTY SERVICE PROVIDERS OF KDC
7.3.1. KDC requires the information collected from third party service providers that are both natural and juristic persons in order to do business with them. KDC takes its compliance obligations very seriously and requires the information processed in order to conclude agreements regarding the relationship between KDC and its service providers, many of whom may be operators as defined in the Act.
7.3.2. KDC processes the information necessary in order to provide these services and to conclude these agreements. KDC may make this information available to other operators to ensure that the services are provided to the very best of KDC’s abilities and to the highest standards for its clients. All operators and third-party service providers have signed documentation confirming that personal information received from KDC and its operators is to be used solely to the purpose for which it is given to them. Such operators and third parties are prohibited from further processing the personal information given to them and have confirmed that they have systems in place that make sure that they are compliant with the requirements of the Act.
7.3.3. THE PERSONAL INFORMATION SOUGHT BY KDC IS MANDATORY IN NATURE. SHOULD THIRD PARTIES AND OPERATORS NOT PROVIDE THE PERSONAL INFORMATION SOUGHT, KDC WILL NOT BE ABLE TO CONCLUDE AGREEMENTS WITH THEM AND THEREFORE NOT DO BUSINESS WITH THEM.
7.4. WHERE IS THE PERSONAL INFORMATION COLLECTED BY KDC STORED AND WHAT SECURITY MEASURES ARE IN PLACE?
7.4.1. Personal information is stored both electronically and in hard copy in KDC’s filing system(s).
7.4.2. Electronic information is encrypted and stored on a cloud based system. Personal information is not saved on any internal or external hard drives, smartphones, or laptops.
7.4.3. KDC has a physical security policy as well as a policy pertaining to the use of electronic data by employees which policies are internal and kept by the Information Officer. These policies are not available to the public save where KDC is forced to make same available in terms of law so as to protect the information held by KDC.
7.5. WHEN WILL KDC MAKE PERSONAL INFORMATION AVAILABLE TO THIRD PARTIES (OTHER THAN OPERATORS)
126.96.36.199. It is compelled to comply with legal and regulatory requirements or when it is otherwise allowed by law;
188.8.131.52. It is in the public interest;
184.108.40.206. KDC needs to do so to protect their rights.
7.5.2. KDC endeavours to take all reasonable steps to keep secure any information which they hold about an individual, and to keep this information accurate and up to date. If at any time, an individual discovers that information gathered about them is incorrect, they may contact KDC to have the information corrected. Where information has been disclosed to employees of KDC, KDC has agreements in place to ensure that compliance with confidentiality and privacy conditions.
7.5.3. KDC recognises the importance of protecting the privacy of information collected about individuals, in particular, information that can identify an individual (“personal information”).
8.1. KDC will not transmit personal information internationally, unless consent has been obtained, or it is necessary to perform our contractual obligations, and it benefits our clients or third party service providers. If personal information is transmitted internationally, we ensure that it is subject to data protection laws that are substantially similar to POPIA (e.g. European Union GDPR and other country specific information privacy protection laws).
9.1. COMPANIES ACT NO. 71 OF 2008, as amended:
The Companies Act as amended requires records must be kept “in written form, or other form or manner that allows that information to be converted into written form within a reasonable time.” Such as the following for an indefinite period:
9.1.1. Notice of Incorporation (Registration certificate);
9.1.2. Certificate of change of name (if any);
9.1.3. Memorandum of Incorporation and alterations or amendments;
9.1.5. Register of company secretary and auditors;
9.1.6. Regulated companies (companies to which chapter 5, part B, C and Takeover Regulations apply) register of disclosures of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued;
9.1.7. Security register and uncertificated securities register.
The following records for 7 years:
9.1.8. Notice and minutes of all shareholders meeting including Resolutions adopted and documents made available to holders of securities;
9.1.9. Copies of reports presented at the annual general meeting of the company;
9.1.10. Copies of annual financial statements;
9.1.11. Copies of accounting records;
9.1.12. Record of directors and past directors, after the director has retired from the company;
9.1.13. Written communication to holders of securities;
9.1.14. Minutes and resolutions of directors’ meetings, audit committee and directors’ committees.
9.2. CONSUMER PROTECTION ACT NO. 68 OF 2008, as amended:
The Consumer Protection Act seeks to protect the interests of Consumers and as such requires KDC as a service provider to retain and maintain the following records of consumers for a period of 3 years:
9.2.1. Full names, physical address, postal address and contact details;
9.2.2. ID number and registration number;
9.2.3. Contact details of public officer in case of a juristic person;
9.2.4. Service rendered;
9.2.5. Intermediary fee;
9.2.6. Cost to be recovered from the consumer;
9.2.7. Frequency of accounting to the consumer;
9.2.8. Amounts, sums, values, charges, fees, remuneration specified in monetary terms;
9.2.9. Disclosure in writing of a conflict of interest by the intermediary in relevance to goods or service to be provided;
9.2.10. Record of advice furnished to the consumer reflecting the basis on which the advice was given;
9.2.11. Written instruction sent by the intermediary to the consumer;
9.2.12. Conducting a promotional competition refer to Section 36(11) (b) and Regulation 11 of Promotional Competitions;
9.2.13. Documents in respect of Section 45 and Regulation 31 for Auctions.
9.3. COMPENSATION FOR OCCUPATIONAL INJURIES AND DISEASES ACT NO. 130 OF 1993:
Section 81(1) and (2) of the Compensation for Occupational Injuries and Diseases Act requires a retention period of 4 years for the documents mentioned below:
9.3.1. Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.
9.3.2. Section 20(2) documents with a required retention period of 3 years:
9.3.3. Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation;
9.3.4. Records of incidents reported at work.
9.4. BASIC CONDITIONS OF EMPLOYMENT ACT NO. 75 OF 1997:
The Basic Conditions of Employment Act requires a retention period of 3 years for the documents mentioned below:
9.4.1. Written particulars of an employee after termination of employment;
9.4.2. Employee’s name and occupation;
9.4.3. Time worked by each employee;
9.4.4. Remuneration paid to each employee;
9.4.5. Date of birth of any employee under the age of 18 years.
9.5. EMPLOYMENT EQUITY ACT NO. 55 OF 1998:
9.5.1. Section 26 and the General Administrative Regulations, 2014, requires a retention period of 3 years for the documents mentioned below:
9.5.2. Records in respect of the company’s workforce, employment equity plan and other records relevant to compliance with the Act;
9.6. UNEMPLOYMENT INSURANCE ACT NO. 63 OF 2002:
Section 56(2)(c) requires a retention period of 5 years, from the date of submission, for the documents mentioned below:
9.6.1. personal records of each of their current employees in terms of their names, identification number, monthly remuneration and address where the employee is employed.
9.7. SOUTH AFRICAN REVENUE SERIVICE (“SARS”):
KDC complies with its tax obligations in respect of SARS and retains/maintains records, which may contain personal information, in accordance with the relevant South African tax laws.
10. ACCESS TO AND CORRECTION OF INFORMATION
10.1. Clients, employees and third parties have the right to access the personal information KDC holds about them. Clients and other people whose data KDC holds also have the right to ask KDC to update, correct or delete their personal information on reasonable grounds. Once a client or such other person objects to the processing of their personal information, KDC may no longer process said personal information unless KDC is obliged to in terms of its contractual obligations. KDC will take all reasonable steps to confirm its clients’ identity before providing details of their personal information or making changes to their personal information;
10.2. All employees have a duty of confidentiality in relation to the Company and clients. Information on clients: Our clients’ right to confidentiality is protected in the Constitution and in terms of ECTA. Information may be given to a 3rd party if the client has consented in writing to that person receiving the information or if it is required by law.
10.3. If KDC duly and diligently searches for a record and it is believed that the record either does not exist or cannot be found, the client or requester will be notified accordingly. This notification will include the steps that were taken the attempt to locate the record.
11. DELETION AND DESTRUCTION OF INFORMATION
11.1. Clients, employees and third parties have the right to access the personal information KDC holds about them. Clients and other people whose data KDC holds also have the right to ask KDC to update, correct or delete their personal information on reasonable grounds. Once a client or such other person objects to the processing of their personal information, KDC may no longer process said personal information unless KDC is obliged to in terms of its contractual obligations. KDC will take all reasonable steps to confirm its clients’ identity before providing details of their personal information or making changes to their personal information.
12. FORM OF REQUEST
12.1. The requester must use the prescribed form to make the request for access to a record. This must be made to the information officer. This request must be made to the address, or electronic mail address of the information officer.
12.2. The requester must provide sufficient detail on the request form to enable the information officer to identify the record and the requester. The requester should also indicate which form of access is required. The requester should also indicate if he or she wishes to be informed in any other manner and state the necessary particulars to be so informed.
12.3. The requester must identify the right that he or she is seeking to exercise or protect and provide an explanation as to why the requested record is required for the exercise or protection of that right.
12.4. If a request is made on behalf of a person, the requester must submit proof of the capacity in which the requester is making the request to the satisfaction of the information officer.
12.5. The form in which a request to access personal information is made can be found in Annexure A at the end of this policy document.
12.6. The form in which a request to object, correct, delete/destroy personal information is made can be found in Annexure B at the end of this policy document.
13.1. The information officer must notify the requester (other than a personal requester) by notice, requiring the requester to pay the relevant fee before further processing the request. A personal requester does not pay such fee.
13.2. he requester may lodge an application to the court against the tender or payment of the request fee.
13.3. The information officer will then decide on the request and notify the requester in the required form.
13.4. If the request is granted then a further access fee must be paid for the search, reproduction, preparation and for any time that had exceeded the prescribed hours to search and prepare the record for disclosure.
14. AVAILABILITY OF THE MANUAL
14.1. The manual is available for inspection at the offices of KDC free of charge, a copy is made available on KDC’s website, alternatively a copy may be requested from KDC’s information officer.
15. AMENDMENTS TO THIS POLICY
15.1. Amendments to, or a review of this Policy, will take place on an ad hoc basis. Clients are advised to access KDC’s website periodically to keep abreast of any changes. Where material changes take place, these will be posted on our website. Unless otherwise stated, the current version of this Policy posted on our website shall supersede and replace all previous versions of this Policy.
Signed at: 10 August 2021 at 12:36
By: Roger-Michael Raad
TO VIEW OR DOWNLOAD ANNEXURE A AND ANNEXURE B, PLEASE CLICK HERE.