Data Privacy Policy for Third Parties, Employees and Job Applicants

This Update: 7 July 2022
Definitions

 

“Data Subjects” means, for purposes of this policy, Employees, job applicants (successful or unsuccessful) and third-party service providers;

 

“Electronic Communication” means any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until collected by the recipient;
 

“Employees” means former and current indefinite and fixed term employees of Seed Analytics and includes interns;
 

“Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
 

information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
 

information relating to the education or the medical, financial, criminal or employment history of the person;
 

any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
 

the biometric information of the person;
 

the personal opinions, views or preferences of the person;
 

correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
 

the views or opinions of another individual about the person; and
 

the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
 

“POPIA” means the Protection of Personal Information Act, 4 of 2013;
 

“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including—
 

the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, system testing or use;
 

dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or
 

merging, linking, blocking, degradation, erasure or destruction;
 

and “Process” or “Processes” has a corresponding meaning;
 

“Responsible Party” means the person who, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information

Introduction

 

This policy relates to the Processing of Personal Information of the Data Subjects.
 

Seed Analytics is a Responsible Party for purposes of the Processing of Personal Information of the Data Subjects, as provided for by POPIA. 
 

Seed Analytics conforms to POPIA in terms of the collection, use and retention of Personal Information of the Data Subjects and this document sets out Seed Analytics’ policy in this regard.

Personal Information of the Data Subjects

 

Seed Analytics collects Personal Information directly from the Data Subjects when the Data Subjects voluntarily provide such information in the course and scope of the Data Subjects’ engagement with Seed Analytics. 
 

By voluntarily providing the Personal Information, the Data Subjects give consent to Seed Analytics to Process the Personal Information for the purpose for which it is provided.
 

Data Subjects must be given access to this policy by Seed Analytics at the initiation of collection of the Personal Information from the Data Subjects by Seed Analytics.
 

It should be noted that Seed Analytics collects the following Personal Information from the relevant Data Subjects:

Data Subject: Employees

Personal Information: Name, surname, date of birth, identity number, passport number, race, gender, disabilities, physical address, contact details, previous employment details, academic record,  salary information, banking and tax details, next of kin information, biometrics, pre-employment screening records, disciplinary, training, health and safety, and performance information.

Data Subject: Third Party Service Providers

Personal Information: Company name, registration number, physical address, contact details, insurance information, banking and tax details.

Data Subject: Job Applicants

Personal Information: Name, surname, race, gender, physical address, contact details, previous employment details, academic records, identity number, passport number, salary information, pre-employment screening records.

Should Seed Analytics collect and request Personal Information that is not listed above for the same purpose for which the listed Personal Information was provided, the Data Subject consents to the Processing of the additional Personal Information by Seed Analytics by providing the additional Personal Information to Seed Analytics

Lawful Processing of Personal Information by Seed Analytics

 

Personal Information may only be Processed by Seed Analytics for specific, explicitly defined and legitimate reasons, where after it must be destroyed or deleted. In this instance, it should be noted that Seed Analytics processes the Personal Information of the Data Subjects for the purposes as set out below:
 

Employees - for the following purposes:
 

onboarding;
 

payment of remuneration, recording bank account details, payslips and tax records;
 

receiving and storing of leave applications and records, sick leave and medical records, records and communications relating to injuries on duty and otherwise;
 

monitoring performance, conducting written performance assessments, dealing with promotions and demotions and the records of disciplinary processes;
 

obtaining, distributing and storing information relating to medical aid membership, medical aid claims, payment of medical aid subscriptions, membership of retirement funds, contributions to retirement funds and their administrators and retirement benefits;
 

arranging and facilitating training;
 

offboarding; and
 

the exchange of information of Employees in a business transfer or outsourcing transaction.
 

Third Party Service Providers - for purposes of vetting, onboarding and payment; and
 

Job Applicants - to process a job application, to conduct interviews, to contact references, and to perform pre-employment screening.
 

Personal information may not be Processed for a secondary purpose unless that Processing is compatible with the original purpose. Should Seed Analytics want to use existing Personal Information for any other purpose other than what the information was gathered for, confirmation will again be requested from the Data Subject. 
 

Should Seed Analytics, for example, keep the CV of an unsuccessful job applicant on record for future employment opportunities, this purpose will be compatible with the original purpose for which the Personal Information was collected and confirmation to use the existing Personal Information will not have to be requested from the job applicant.
 

Seed Analytics will take reasonable steps to ensure that the Personal Information collected is complete, accurate, not misleading and updated where necessary. It should be noted that by obtaining Personal Information directly from the Data Subject, accuracy is more probable. 
 

Should Seed Analytics Process the Personal Information of a person that does not fall within the definition of a Data Subject, the Data Custodian, as defined in the Seed Analytics Information Security Policy, will be obligated to ensure that the relevant person be advised of the specific Personal Information that will be collected, be advised of the purpose of the collection and Processing of his/her Personal Information and that the relevant person provides the required consent to Seed Analytics to process the Personal Information as advised.

The rights of Data Subjects

 

At the time of collecting the Personal Information, the Data Subject will - 
 

be informed by Seed Analytics of how the Personal Information will be used;
 

be given the contact details of a relevant Seed Analytics correspondent; and
 

be advised that should the Seed Analytics correspondent not be able to resolve an issue, or should the issue be of a serious nature, he/she will have the right to complain to the Information Regulator if misuse is suspected. The Information Regulator contact details are as follows: 
 

SALU Building, 316 Thabo Sehume Street, Pretoria
Tel: 012 406 4818
Fax: 086 500 3351
inforeg@justice.gov.za
https://inforegulator.org.za

 

The Data Subject has the right to access his/her Personal Information held by Seed Analytics and to be advised for what purpose it was gathered. To do this, the Data Subject should contact Seed Analytics at the contact details provided on the Seed Analytics website, provide Seed Analytics with a copy of his/her ID document to confirm his/her identity and specify what information is required
 

The Data Subject has the right to ask Seed Analytics to update, correct or delete his/her Personal Information. Seed Analytics will require a copy of the Data Subjects’ ID document to confirm his/her identity before making changes to Personal Information held in respect of the relevant Data Subject. 

Security

 

Seed Analytics shall take appropriate technical and organisational measures to ensure that all Personal Information communicated, including, without limitation, any digital communication or any Personal Information stored in digital form shall be secured against being accessed or read by unauthorised parties, using appropriate security safeguards, having due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations. 
 

Electronic documents containing Personal Information of Employees, Job Applicants and Third Party Service Providers are stored, as provided for in the Seed Analytics Information Security Policy.
 

All electronic documents containing Personal Information are only accessible by authorised users in accordance with the Information Security Policy.

Notification of a Personal Information Security Breach

 

Seed Analytics shall notify the Data Subject in writing, immediately, if possible, but as soon as reasonably possible after becoming aware of or suspecting any unauthorised or unlawful use, disclosure or processing of Personal Information, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the Operator’s information system - and comply with the following - 

take all necessary steps to mitigate the extent of the loss or compromise of Personal Information and to restore the integrity of the affected information systems as quickly as possible;
 

furnish the Data Subject with details of the nature and extent of the compromise, and if known, include details of the identity of the unauthorised person who may have accessed or acquired the Personal Information; 
 

provide the Data Subject with a report on its progress in resolving the compromise at reasonable intervals but at least once per week following the initial notification to the Data Subject, until such time as the compromise is resolved;
 

in consultation with the Data Subject and where required by law notify the South African Police Service; and/or the National Intelligence Agency; and 
 

only upon request by the Data Subject, or otherwise if required by law, notify the Information Regulator. Any such notification shall be in a form prescribed by the Information Regulator, as the case may be, if applicable, and contain such information as is specified by the Customer and or the Information Regulator. 
 

In this regard, Seed Analytics will follow the process as detailed in the Seed Analytics Incident Management Policy, which includes the process to be followed to conduct an incident investigation and review, as well as forensic investigations.

Disclosure required by law

 

In the event that Seed Analytics is required to disclose or Process any Personal Information required by law, regulation or court order, Seed Analytics –
 

will advise the Data Subject thereof prior to disclosure, if possible. If prior disclosure is not possible, Seed Analytics shall advise the Data Subject immediately after such disclosure;
 

will take such steps to limit the extent of the disclosure or Processing insofar as it reasonably practically and legally can;
 

will afford the Data Subject a reasonable opportunity, if possible and permitted, to intervene in the proceedings; and
 

will comply with the Data Subject’s requests as to the manner and terms of any such disclosure or Processing, if possible and permitted.

Transfer of Personal Information

 

Seed Analytics shall ensure that no Personal Information is transferred outside of the Republic of South Africa unless: 
 

the Data Subject provides its prior written consent to the transfer;
 

the recipient is subject to a law, code of conduct or contract which provides comparable protection for the Personal Information as the protections contained in this policy, including similar provisions relating to the further transfer of the Personal Information;
 

the transfer is necessary for the performance of a contract between the Data Subject and Seed Analytics; or
 

the transfer is for the benefit of the Data Subject and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.

Retention and Destruction requirements

 

Seed Analytics shall ensure that all Personal Information is destroyed or deleted in a secure manner when the purpose specification has expired. The Personal Information shall, however, be retained for longer if:
 

the retention of the Personal Information is required or authorised by law. If there is no law or code of conduct prescribing the retention period, the Personal Information must be retained for a reasonable period to allow the Data Subject to request access to the Personal Information; 
 

retention of the Personal Information is required by a contract between the parties thereto;
 

the Data Subject consented to the retention of the Personal Information; and
 

for historical, statistical or research purposes if appropriate safeguards are in place to prevent its use for any other purpose.

European Union (“EU”) General Data Protection Regulation (“GDPR”)

 

The GDPR is a privacy and data protection law which came into effect on 25 May 2018 and applies to all countries in Europe. 
 

Seed Analytics is alert to the instances in which the Processing of Personal Information by Seed Analytics will fall within the ambit of the GDPR, which will currently only be if it is Processing the Personal Information of an EU member state citizen or temporary resident or if it offers goods or services in the EU.
 

While there is significant overlap between the GDPR and POPIA, the GDPR contains certain additional requirements above that required by POPIA which will need to be implemented to ensure full compliance. 
 

Additional requirements of the GDPR, include stricter conditions for valid consent; additional data subject rights pertaining to ‘the right to be forgotten’ and data portability; more stringent stipulations in the event of a data breach; and the requirement that data protection impact assessments be conducted.
 

Seed Analytics will comply with the additional requirements of the GDPR where necessary.

Direct Marketing

 

All Data Subjects have the right to object to their Personal Information being Processed for the purposes of direct marketing by Electronic Communication. 
 

Direct marketing is only permitted if the Data Subject has given consent for his or her Personal Information to be Processed for direct marketing purposes.
 

Seed Analytics is only allowed to approach a Data Subject for consent to receive direct marketing communications once, and as long as the Data Subject has not previously withheld consent.
 

The Data Subject’s consent to receive direct marketing communications must be requested by Seed Analytics in the manner and form prescribed by the regulations to POPIA.