processing...

Privacy Policy

  1. INTERPRETATION
    1. In this Policy, unless the context requires otherwise:-
      1. the singular shall import and include the plural and vice versa;
      2. words indicating one gender shall import and include the other genders;
      3. words indicating natural persons shall import and include artificial persons;
      4. the headnotes to this Policy are used for the sake of convenience only and shall not govern the interpretation of the clauses to which they relate.
    2. Unless such meaning is inconsistent with the context, the following terms shall, throughout this Policy, have the meanings respectively ascribed to them, namely:-
      1. “Act” means the Protection of Personal Information Act No. 4 of 2013, including the regulations promulgated therein, as amended from time to time;
      2. “Associated Company” means any entity and/or person affiliated or related to the Company, or which form part of the Company’s international corporate structure, and shall include the plural, where appropriate. “Associated Company” will specifically include but not be limited to: PayMate India Limited and PayMate Payments Services Provider LLC;
      3. “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given to the processing of Personal Information, as ascribed to it in the Act;
      4. “Constitution” means the Constitution of the Republic of South Africa, 1996;
      5. “Company” means Dunomo (Proprietary) Limited, with registration number: 2023/660441/07 (ordinarily including all its directors, shareholders, officers, employees, associated or affiliated companies, branches, independent contractors, affiliates, representatives, successors, agents, and assigns) and is the party with whom the Data Subject interacts with and divulges their Personal Information to;
      6. “Company Associates” means such entities that provide joint services with Company, including banks and providers of payment gateways or such other vendors engaged by the Company to provide their services.
      7. “Data Subject” means any natural or juristic person who interacts with the Company in any manner and/or to whom the Personal Information in question relates, and shall further bear the meaning ascribed to it in the Act, and shall include the plural, where appropriate;
      8. “Information Officer” shall bear the meaning ascribed to it in the Act, and in terms of the Act, means the head of the Company, and is the individual responsible for ensuring the Company’s compliance with the Act;
      9. “Information Regulator” means the Information Regulator established in terms of section 39 of the Act;
      10. “Operator” means a person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party, as ascribed to it in the Act;
      11. “Personal Information” shall bear the meaning ascribed to it in the Act;
      12. “Platform” means collectively Company’s websites, mobile sites, mobile applications that Data Subject may use to subscribe for the Services through this platform, to make or to receive payments to or from third parties or to make any settlement.
      13. “Policy” means this privacy policy for the Company, compiled in terms of the Act;
      14. “Processing” shall bear the meaning ascribed to it in the Act;
      15. “Responsible Party” shall bear the meaning ascribed to it in the Act, and shall in this Policy, mean the Company;
      16. “Special Personal Information” means the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or information about your criminal offences or convictions;
      17. “Unique Identifier” means any identifier that is assigned to a Data Subject and is used by a Responsible Party for the purposes of the operations of that Responsible Party and that uniquely identifies that Data Subject in relation to that Responsible Party, as ascribed to it in the Act.
    3. Certain terms of phrases applicable to this Policy have been defined throughout.
    4. If any provision in a definition is a substantive provision conferring any right or imposing any obligation on any party, then notwithstanding that it is only in the interpretation clause, effect shall be given to it as if it were a substantive provision in this Policy.
    5. The eiusdem generis rule shall not apply and accordingly, whenever a provision is followed by the word/s “including” or “includes” or “in particular” or “inter alia” (but to mention a few) and specific examples, such examples shall not be construed so as to limit the ambit of the provision concerned.
    6. Any reference to legislation is to that legislation as at the date of issuance of this Policy, as amended or replaced from time to time, and includes all regulations and schedules to such legislation.
    7. Insofar as there is a conflict in the interpretation of or application of this Policy and the Act, the Act shall prevail.
    8. This Policy does not purport to be exhaustive of or comprehensively deal with every procedure provided for in the Act.
  2. INTRODUCTION
    1. The right to privacy is a right as conferred by the Constitution and in terms of the provisions of the Act, the Promotion of Access to Information Act No 2 of 2002, Consumer Protection Act No 68 of 2008, Electronic Communications and Transactions Act No 25 of 2002 and other relevant legislation that have given effect to the right to privacy. This Policy is compiled in consideration of the provisions of relevant legislation that give effect to the right to privacy.
    2. The Company processes, including but not limited to, collects, uses and discloses Personal Information in order to perform its business functions and activities.
    3. The Company is firmly committed to protecting the privacy and confidentiality of Personal Information and ensuring that Personal Information is used appropriately, transparently, securely and in accordance with the applicable laws. This includes maintaining various physical, electronic and procedural safeguards to protect the Personal Information in its possession.
    4. This Policy aims to provide the Data Subjects of the Company with an understanding of what Personal Information is collected by the Company, the manner in which it is processed, the purpose of the processing of such information and to ensure compliance with the Act.
    5. The Company has appointed an Information Officer, who is responsible for overseeing questions in relation to the Privacy Policy. Please feel free to contact the Information Officer at info@dunomo.co.za or support@dunomo.co.za if you have any queries or concerns relating to this Privacy Policy or your rights under data protection legislation that is applicable to you. Requests in writing can also be addressed to the physical/postal address of the Company as set out in paragraph 3.2 below.
    6. By engaging with the Company, the Data Subject accepts and consents to the terms of this Policy. If there is concern by a Data Subject of any parts of this Policy insofar as it relates to the Data Subject’s Personal Information, the Data Subject must not engage with the Company, use its website or its products and services.
  3. NATURE OF BUSINESS AND CONTACT DETAILS
    1. Nature of Business:

      2. The Company is a payment services provider, primarily operating within the business-to-business (B2B) segment for enterprise and SMEs across supply chains. The Company’s platform provides a comprehensive digital workflow tied to payments which enable greater control and transparency along with better cash flows and an end-to-end reconciliation for a superior experience for enterprise and SMEs in closed-loop supply chains.

    2. Contact Details:

      Name of Company: Dunomo (Proprietary) Limited, with registration number: 2023/660441/07
      Information Officer: Ajay Adiseshan
      Deputy Information Officer: N.A
      Physical Address: C/O Pagel Schulenburg Incorporated
      Hampton House (Block H)
      Peter Place Office Park
      54 Peter Place
      Bryanston
      Postal Address: C/O Pagel Schulenburg Incorporated
      Hampton House (Block H)
      Peter Place Office Park
      54 Peter Place
      Bryanston
      Telephone Number: +91 2226616170
      Email Address: info@dunomo.co.za or support@dunomo.co.za
      Website Address: dunomo.co.za
    3. The Information officer may appoint, where it is deemed necessary, Deputy Information Officers as allowed in terms of Section 56 of the Act. This is in order to render the Company as effective as reasonably possible and to ensure fulfilment of its obligations and responsibilities as prescribed.
    4. The Company acts a Responsible Party under the Act and any consultants and/or suppliers to the Company may act as Operators.
  4. WHAT AND WHO DOES THIS POLICY APPLY TO?
    1. This Policy applies to processing by the Company or any processing on its behalf, and its successors-in-title, of the Personal Information relating to a Data Subject, being a user who accesses and/or uses the Company’s website or its services, or a provider of products and/or services to the Company, clients, suppliers, employees and other Data Subjects that engage with the Company.
    2. This Policy does not apply to the processing of Personal Information by other third parties relating to or by means of other parties' websites, products or services, such as websites linked to, from or advertised on the Company’s website or through its products and services, or sites which link to or advertise the Company’s website or its products, services and/or associated persons.
  5. GENERAL GUIDING PRINCIPLES
    The Company, when Processing Personal Information, will always be subject to, and act in accordance with, the guiding principles prescribed to it in terms of the Act:-
    1. Accountability:-
      1. The Company will ensure that the provisions of the Act, and the guiding principles outlined therein, as well as in this Policy, are complied with through the implementation of stringent procedures in this regard, in order for the Company, its Associated Companies, employees and persons acting on behalf of the Company to remain accountable in terms of the provisions of the Act.
      2. The Company will take the appropriate sanctions, if necessary, against those individuals and/or entities who, through their intentional or negligent actions and/or omissions, fail to comply with the principles and responsibilities outlined in this Policy and the Act.
    2. Processing Limitation:-
      1. The Company will ensure that Personal Information under its control is Processed:-
        1. in a fair, lawful and non-excessive manner;
        2. only with the informed Consent of the Data Subject;
        3. only for a specifically defined purpose.
      2. The Company will inform the Data Subject of the reasons for collecting their/its Personal Information and obtain written consent prior to processing Personal Information.
      3. The Company will not, under any circumstances, distribute or share Personal Information between separate legal entities, associated companies or any individuals that are not directly or indirectly involved with facilitating the purpose for which the information was collected.
      4. Where applicable, the Data Subject will be informed of the possibility that their Personal Information will be shared with other segments of the Company’s business and be provided with the reasons for doing so.
    3. Purpose Specification:-
      1. All of the Company’s business units and operations must be informed of the principle of transparency.
      2. The Company will only Process Personal Information for specific, explicitly defined and legitimate reasons. The Company will inform Data Subjects of these reasons prior to collecting or recording the Data Subject’s Personal Information.
    4. Further Processing Limitation:-
      1. Personal Information will not be Processed for a secondary purpose, unless that Processing is compatible with the original purpose.
      2. Where the Company seeks to Process Personal Information it holds for a secondary purpose, and such secondary purpose is not compatible with the original purpose, the Company will first obtain the Consent of the Data Subject to such further Processing.
      3. The above clause 5.4.2 will not limit or derogate the Company from making use of Personal Information in the enforcement of the rights granted to it by the laws of the Republic of South Africa.
    5. Information Quality:-
      1. The Company will take reasonable steps to ensure that all Personal Information collected is complete, accurate and not misleading.
      2. Where Personal Information is collected or received from third parties, the Company will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the Data Subject or by way of independent sources.
    6. Openness:-
      1. The Company must notify the Data Subject of the processing of their Personal Information. The Data Subject must be able to view the Company’s name and address, be informed of the reason why it is collecting this information and what Personal Information is being collected. The Company does so through this Policy and/or through its engagement with a Data Subject.
      2. The Company will ensure that it establishes and maintains the appropriate facility for Data Subjects to:-
        1. enquire whether the Company holds Personal Information related to them/it;
        2. request access to related Personal Information;
        3. request the Company to update and/or correct related Personal Information; or
        4. make a complaint concerning the Processing of Personal Information.
    7. Security Safeguards:-
      1. The Company will implement appropriate and reasonable organisational and technical security measures.
      2. The Company will manage the security of its information technology (“IT”) systems to ensure that Personal Information is adequately protected through the implementation of security controls in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification and/or destruction.
      3. Security measures will be applied in a context-sensitive manner, wherein the greater the sensitivity of the information, the greater the security measures implemented in response thereto.
      4. The Company will continuously review its security controls which will include regular testing of protocols and measures put in place to combat potential cyber-attacks on the Company’s IT infrastructure.
      5. The Company will ensure that all paper and electronic records containing Personal Information are securely stored and made accessible only to authorised individuals.
      6. The Company’s Operators and third-party service providers will be required to abide by this Policy and the provisions of the Act.
    8. Data Subject Participation:-
      1. The Company will ensure that the appropriate facility is provided to Data Subjects who seek to enforce their rights as contemplated in this Policy or the Act, including the right to ask for any data that the Company holds about them and to request that the Company updates or destroys Personal Information that is incorrect, irrelevant, superfluous, misleading or unlawful; and to request the Company to destroy a record of Personal Information that is unnecessary for the business to keep.
      2. The Company has made a “Manual” and “Request Form” in terms of the Promotion of Access to Information Act, No. 2 of 2000 available on its website, which is to be used to guide the Data Subject on the procedure to be followed where a request for Personal Information is to be made.
  6. PERSONAL INFORMATION COLLECTED BY THE COMPANY
    The type and extent of Personal Information collected by the Company depends on the context and manner of the Data Subject’s interaction with the Company.
    1. Personal Information
      1. The Personal Information collected by the Company can include the following:
        1. name and identification documents, which in the case of a natural person includes their full name and Identity Document and/or Passport; and in the case of a juristic person includes the name of the entity, registration number and/or incorporation documents;
        2. contact details which include telephone numbers, email address, physical address, postal address, billing address, country of residence, nationality, country of birth or registration, and other similar contact data;
        3. payment / transaction data, which includes credit card numbers, the security codes associated with a Data Subject’s payment instrument and/or banking details, amounts transferred or requested, merchant information, information about funding instruments, device information, technical usage data, geolocation information and/or any other payment related information;
        4. financial information, which includes financial statements, bank statements, tax clearance certificates and VAT registration numbers;
        5. technical information, which includes internet protocol (IP) address, Device identification information, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, gallery and camera input for uploading KYC documentation and other technology on the devices used to access the website or to use the Company’s products and services or engage with the Company;
        6. marketing and communications information and preferences, which includes the Data Subject’s preferences in respect of receiving marketing information from the Company and its third parties and/or Company Associates, and the Data Subject’s communication preferences;
        7. information relating to the Data Subject’s supplier’s and/or vendors, which has been provided to the Data Subject by such supplier’s and/or vendors, for the purposes of the performance of the agreement(s) entered into between the Data Subject and such supplier’s and/or vendors. The Data Subject shall ensure that the supplier(s) and/or vendor(s) has provided the requisite prior written consent to share their personal information with the Company. We shall not be legally liable for any failure to take such consent on your part.
        8. Any additional information from or about the Data Subject when the Data Subject communicates and/or engages with the Company, contacts its customer support teams or responds to a survey.
    2. Special Personal Information
      1. In certain instances, Special Personal Information may be collected about a Data Subject. The processing of Special Personal Information requires higher levels of protection.
      2. The Company will generally not process Special Personal Information unless it is necessary for establishing, exercising or defending a right or obligation in law, for the fulfilment of the contract, where it has obtained the Data Subject’s consent to do so and/or where compliance with the specific provisions relating to processing of specific categories of Special Personal Information as set out in the Act has been met.
      3. On rare occasions, there may be other reasons for processing a Data Subject’s Special Personal Information, such as where the information has been deliberately made public by the Data Subject.
      4. Examples of situations in which the Company may process Special Personal Information include the following:
        1. information pertaining to your political persuasion as part of the Know-Your-Client (KYC) processes, customer due diligence (CDD) checks and/or compliance with any statutory obligations in this regard;
        2. relating to health, where necessary for the Company’s compliance with labour and employment-related legislation.
    3. Personal Information of Children
      1. The Company does not intend to and/or knowingly collect Personal Information from children through its website and/or any other means, and the Company seeks to promote its products and services for sale to adults and juristic persons within the context of their business operations.
      2. If a parent, guardian or any legally competent person becomes aware that their child (or any other person) has provided the Company with Personal Information of the child without their consent, they must contact the Company using the contact details of the Information Officer.
    4. Compulsory Personal Information and consequences of not sharing it with the Company
      1. The Company will only collect Personal Information that is required, however, in some instances, while it may not be compulsory to provide certain Personal Information to the Company, it may restrict the Company’s ability to fulfil a Data Subject’s mandate, to perform in terms of its contract with the Data Subject, or otherwise. In other instances, it is compulsory to provide Personal Information including, in compliance with the law. This will depend on the nature of a Data Subject’s engagement or relationship with the Company, and will be highlighted in each instance.
      2. Depending on the nature of a Data Subject’s engagement or relationship with the Company, the following may be Personal Information which is necessary:-
        1. Financial information (including bank account details, tax information);
        2. identification information of Data Subjects, for the purposes of registering for the Company’s services.
        3. Personal Information or identification information which the Data Subject provides to the Company about the other participants associated with any transaction facilitated by or concerning the Company, such as the payee/payer who is receiving or sending money to the Data Subject. This information may include details such as the participant's name, postal address, telephone number, and financial account information.
        4. names and registration numbers as contained in documents issued by the Companies and Intellectual Property Commission and the South African Revenue Service, or the equivalent authority where entities are incorporated in other jurisdictions;
        5. information which may be necessary to ensure the Company’s compliance with its KYC and CDD processes, and compliance with any statutory obligations in this regard.
      3. If Data Subjects do not agree to share the abovementioned compulsory Personal Information with the Company, then they will not be able to engage with the Company or make use of the Company’s services.
    5. Updating Personal Information
      1. The Company endeavours to maintain the accuracy and completeness of Data Subjects’ Personal Information, and to ensure all of the Data Subjects’ Personal Information is up to date.
      2. The Company must be informed when there is a change to a Data Subject’s Personal Information or if the Company has incomplete, inaccurate, misleading or out of date Personal Information as soon as reasonably possible to enable the Company to update the Personal Information. The Company will take all reasonable steps to confirm the identity of the Data Subject or the authority of the person requesting to make changes to the Personal Information.
  7. WAYS IN WHICH THE COMPANY COLLECTS PERSONAL INFORMATION
    1. Directly from the Data Subject
      1. The Company only collects information in compliance with the Act. It usually collects Personal Information directly from the Data Subject during the course of their/its relationship with the Company, unless it is unreasonable, impractical or lawfully permissible to do so. This includes:
        1. From dealings with the Company either in person, by telephone, letter, email;
        2. Upon visiting the Company’s website;
        3. When connecting with the Company via its social media pages;
        4. When making enquiries into the scope of the Company’s services;
        5. When requesting brochures or other information from the Company;
        6. When concluding an agreement with the Company;
        7. When necessary for the fulfilment of the Company’s statutory or regulatory obligations.
    2. Collection from a Third Party
      1. In some circumstances, the Company collects Personal Information about a Data Subject from a third party. This includes where a person or entity issues a mandate to the Company on the Data Subject’s behalf. Where this occurs, the Company will rely on the authority of the person or entity issuing the mandate to act on behalf of any person, which authority that person or entity warrants they/it have at the time of engaging the Company. Where a mandate is issued to the Company in terms of this paragraph, the person or entity acting on behalf of another person warrants that they/it have obtained the consent of the person, i.e. the Data Subject, to collect, use and share their Personal Information with the Company in line with terms of this Policy.
      2. The Company receives Personal Information from various third parties, including banking institutions and other financial services providers, recruitment agencies, suppliers of background checks services and publicly available sources.
      3. A Data Subject must immediately inform the Company if they/it become aware that their/its Personal Information has been provided to the Company by another person without their consent. Similarly, any third party acting on behalf of a Data Subject must immediately inform the Company if they/it did not obtain consent before providing the Personal Information to the Company.
    3. Cookies
      1. The Company uses cookies to enhance site navigation, analyse site usage, and assist in the Company’s marketing efforts. This includes targeted tracking purposes, which aims to improve the relevance of the advertisements that a visitor/user of the Company’s website views. For example, after the visitor/use accesses the Company’s website. They/it may be shown advertisements relating to its services or products on third parties’ websites.
      2. A user/visitor may disable the use of cookies by configuring their browser to refuse all cookies or to inform the user/visitor each time that a request to place a cookie is being made. However, please note that some parts of the Company’s website will not function properly if you refuse cookies and a user/visitor may not be able to access all of the features, functionality and/or services of the website.
      3. Third-Party Advertising and Analytics:
        1. The Company may allow certain Company Associates to deliver content and advertisements in connection with its services, and to provide anonymous site metrics and other analytics services.
        2. These third parties may use cookies, web beacons, and other technologies to collect Personal Information, such as the IP address, identifiers associated with the Data Subject’s device, other applications on the Data Subject’s device, the browsers used to access the Company’s services, webpages viewed, time spent on webpages, links clicked, and conversion information (e.g., transactions entered into). This Personal Information may be used by the Company and Company Associates to analyse and track usage of the Company’s services, determine the popularity of certain content, deliver advertising and content targeted to Data Subject’s interests, and better understand how Data Subjects utilise the Company’s services.
        3. Company Associates are bound by confidentiality obligations and applicable laws with respect to their use and collection of Personal Information. This Policy does not apply to, and the Company is not responsible for, third-party cookies, web beacons, or other tracking technologies, which are covered by such third parties’ privacy policies. For more information, the Company encourages all Data Subjects to check the privacy policies of these third parties to learn about their privacy practices.
        4. For details of how we use cookies, please review our cookie policy.
  8. THE PROCESSING OF PERSONAL INFORMATION
    1. The Company will only use your personal information when the law allows it to do so.
    2. The Company hereby undertakes to only process Personal Information where:-
      1. consent has been provided by the Data Subject to which the Personal Information relates, which consent is obtained by virtue of the contract with the Company, through agreement to the terms of this Policy and in other instances whereby consent will be specifically provided or requested;
      2. the Processing is necessary to provide the Company’s services to the Data Subject or to perform or conclude the contract which it has entered in to with the Data Subject;
      3. the Processing is undertaken in the furtherance of the Company’s business objectives;
      4. the Processing is necessary for the compliance with any obligations imposed onto the Company by any law of the Republic of South Africa and/or international law;
      5. the Processing is necessary for the legitimate and lawful interests of the Company and/or those of any third-party recipients, including Company Associates, Associated Company that assist in furthering the business objectives of the Company;
      6. the Processing of Personal Information is conducted in accordance with achieving a specific purpose, as required in terms of the Act.
    3. The Company may Process a Data Subject’s Personal Information for several purposes, all of which are context-specific depending on the type of engagement with the Company and a number have been mentioned throughout the Policy but also include:-
      1. client relations, which includes, providing information regarding requests about the Company’s services; completing and handling the rendering of products or services; handling requests, complaints and comments;
      2. to maintain and update the Company’s client, or potential client databases;
      3. any type of payment related Personal Information;
      4. complying with regulatory reporting and statutory obligations;
      5. fulfilling any contractual terms that the Company has to the Data Subject or any third party;
      6. to maintain and improve the website and to improve the experience of the Company’s website users, including by requesting feedback from the website users on the Company’s products and services and to facilitate the procurement of the Company’s products and services; to retain and make information available on the website;
      7. for business operations, which includes using Personal Information for business management activities;
      8. accounting, billing, reporting and auditing;
      9. authentication and identity checks;
      10. to resolve disputes; troubleshoot problems ;
      11. to promote safe service;
      12. to inform Data Subjects about online and offline offers, products, services, and updates
      13. data matching and dedupe, statistical and market analysis;
      14. advertising and marketing for the Company and Associated Company, its affiliates and third parties;
      15. where required by law and/or in connection with legal proceedings or disputes;
      16. for the furtherance of the legitimate interests of the Data Subject or in public interest;
      17. for other activities and/or purposes which are lawful, reasonable and adequate, relevant and not excessive in relation to the provision of the Company’s services and/or the use of the Company’s website, its business activities or such other purpose for which it was collected.
  9. FURTHER PROCESSING PERSONAL INFORMATION TO BE COMPATIBLE WITH PURPOSE OF COLLECTION

    10. The Company will only use Personal Information for the purposes for which it collected it, unless it reasonably considers it necessary to use it for another reason, and that the reason is compatible with the original purpose. If the Company needs to use Personal Information for an unrelated purpose, the Company will notify and explain the legal basis for this.

  10. SHARING OF PERSONAL INFORMATION
    1. The Company will not intentionally share Personal Information, whether for commercial gain or otherwise, other than with permission, as permitted by applicable law, where it necessary to administer the relationship with the Data Subject, where a legitimate interest exists for doing so and/or in the manner as set out in this Policy and/or the Act.
    2. The Data Subject agrees and gives permission for the Company to share their/its Personal Information under the following circumstances:
      1. with the Associated Companies, for the purposes of performing the Company’s services to the Data Subject;
      2. with the Company’s agents, advisers, business partners, suppliers and other third parties, or any other person or entity that has agreed to be bound by the Act and this Policy or similar terms, which offer the same level of protection as this Policy;
      3. with the Company’s banking institution and/or other financial institutions or support service providers, where the sharing of Personal information is necessary to effect any form of payment and/or transactions between Data Subjects and the Company;
      4. with the Company’s commercial partners only where sharing is strictly necessary and the Company has agreements in place with its commercial partners, and same is conducted pursuant to the mandate issued by the Data Subject to the Company and/or any agreement between the Data Subject and the Company;
      5. with service providers and Company Associates that perform services for or on behalf of the Company, including, payroll services, advisory services, marketing services, tax and accounting services, product or service fulfilment services, payments or transaction processing, data processing, enhancement and security services, fraud prevention, web hosting, analytic services, or other online functionality, subject to appropriate contractual terms protecting the confidentiality and use of such data.
      6. with the Company’s employees, suppliers, consultants, contractors and agents if and to the extent that they require such Personal Information in order to process it for the Company and/or in the provision of services for or to the Company. The Company will authorise any Personal Information processing done by a third party on its behalf, amongst other things, by entering into written agreements with those third parties governing the relationship with them and containing confidentiality; non-disclosure and data protection provisions;
      7. to enable the Company to enforce or apply any agreement that the Data Subject has with the Company;
      8. to protect the Company’s rights, property or safety or that of its clients, employees, contractors, suppliers, agents and any other third party;
      9. with governmental agencies and other regulatory or self-regulatory bodies, if required to do so by law or when the Company reasonably believes that such action is necessary to:
        1. comply with the law or with any legal process;
        2. protect and defend the rights, property or safety of the Company, or of its clients, employees, contractors, suppliers, agents or any third party;
        3. detect, prevent or manage actual or alleged fraud, security breaches, technical issues, or the abuse, misuse or unauthorised use of the Website and/or contraventions of this Privacy Policy; and/or
        4. protect the rights, property or safety of members of the public (if a Data Subject provides false or deceptive information or misrepresent themselves, the Company may proactively disclose such information to the appropriate regulatory bodies and/or commercial entities).
    3. The Company will require third-parties to respect the security of Personal Information and to treat it in accordance with the provisions of this Policy and the law. The Company only permits them to process your personal data for specified purposes and in accordance with the Company’s instructions. The Company will authorise any Personal Information by entering into written agreements governing the relationship and containing confidentiality, non-disclosure and data protection provisions. The Company may conduct audits on third party service providers from time to time to ensure their compliance with this Policy and the Act.
  11. STORAGE AND TRANSFER OF YOUR PERSONAL INFORMATION
    1. Personal Information is stored in the following ways:
      1. on the Company’s and/or the Associated Companies’ premises, in the form of hard copies;
      2. the premises of third-party service providers such as document storage service providers;
      3. the Company’s and/or the Associated Companies’ servers; or
      4. on the servers of the Company’s third-party service providers, such as IT systems or hosting service providers.
    2. In order to fulfil its business objections, contract with the Data Subject and to provide its services to the Data Subject, the Company is required to transfer Personal Information to its Associated Companies. The Associated Companies are located in jurisdictions other than South Africa, however:-
      1. the Associated Companies are subject to a law and binding corporate rules and/or agreement(s) which provide an adequate level of protection that effectively upholds the principles and conditions to lawful Processing, as contained within this Policy and the Act;
      2. the transfer of Personal Information to the Associated Companies is necessary for the performance of the services by the Company to the Data Subject;
        and by engaging with the Company, the Data Subject accepts and consents to the terms of such transfer of Personal Information to the Associated Companies. If there is concern by a Data Subject of any parts of this Policy insofar as it relates to the Data Subject’s Personal Information, the Data Subject must not engage with the Company, use its website or its products and services.
    3. In the event of the scenarios contemplated in clauses 11.1.2 and 11.1.4, the Company will ensure that it has entered into written agreements with those third-party service providers requiring them to secure the integrity and confidentiality of Personal Information in their possession by taking appropriate, reasonable, technical and organisational measures.
    4. From time to time, the Company and its service providers may need to transfer to and/or store Personal Information on servers in a jurisdiction other than where it was collected (i.e. outside of South Africa) and the Company hereby notifies the Data Subject that such jurisdiction may not have comparable data protection legislation.
    5. If the location to which Personal Information is transferred and/or is stored does not have substantially similar laws to those of South Africa, which provide for the protection of Personal Information, the Company will take reasonably practicable steps, including the imposition of appropriate contractual terms, to ensure that the Personal Information is adequately protected in that jurisdiction.
    6. Please contact the Company if you require further information as to the specific mechanisms used by the Company when transferring Personal Information outside of South Africa or to a jurisdiction that is different to the one in which the Company collected your Personal Information.
  12. UNIQUE IDENTIFIERS
    1. The Company makes use of Unique Identifiers to, inter alia, protect and identify Personal Information in the performance of the Company’s contract with the Data Subject.
    2. The processing of Unique Identifiers, at all times, will align with the intended purpose for processing at the time of collection.
    3. The Company may link the Unique Identifiers with information processed by other Responsible Parties, such as information obtained from the Data Subject’s bank.
  13. SECURITY
    1. The Company takes reasonable technical and organisational measures to secure the integrity of Personal Information and using accepted technological standards to prevent unauthorised access to or disclosure of Personal Information, and protect Personal Information from misuse, loss, alteration and destruction.
    2. The Company reviews its information collection, storage and processing practices, including physical and security measures (including, its cyber and technical measures) periodically, to ensure that it keeps abreast of good practice.
    3. The Company or the Associated Company creates a back-up of Data Subjects’ information for operational, business continuity and safety purposes and it has a back-up disaster recovery program.
    4. The Company has implemented policies and procedures to address actual and suspected data breaches and undertakes to notify the Data Subject concerned and the relevant regulatory authorities of breaches in instances within which the Company is legally required to do so and within the period in which such notification is necessary.
    5. In this clause, the Data Subject acknowledges that they/it know and accept that, notwithstanding anything contained in this Policy, the Company will not be liable for any loss, claim and/or damage from any unauthorised access, disclosure, misuse, loss, alteration or destruction of their/its Personal Information and/or Special Personal Information.
  14. RESTRICTION AND RETENTION OF PERSONAL INFORMATION
    1. The Company may retain Personal Information for as long as:-
      1. the Data Subject continues to engage with the Company; to provide products or services to the Company; accesses the Company’s website and content; or uses the products and/or services of the Company;
      2. until a Data Subject contacts the Company and requests the destruction of their/its Personal Information;
      3. the Data Subject accesses the Company’s website and content;
      4. the Data Subject uses the products and/or services of the Company;
      5. the Company is required or permitted by law, a code of conduct or a contract with the Data Subject to do so;
      6. the Company reasonably requires the Personal Information for lawful purposes related to the performance of its functions, activities or business objectives;
      7. the Company reasonably requires it for evidentiary purposes; or
      8. the Data Subject agrees to the Company retaining it for a specified further period.
    2. To determine the appropriate retention period for Personal Information, the Company will consider, among other things, the nature and sensitivity of the Personal Information, the potential risks or harm that may result from its unauthorised use or disclosure, the purposes for which it is processed and whether those purposes may be achieved through other means. The Company will always comply with applicable legal, regulatory, tax, accounting or other requirements as they pertain to the retention of Personal Information.
    3. Details of retention periods for different aspects of Personal Information are available upon request.
    4. Once the Company is no longer authorised to retain any Personal Information, it will securely delete and/or destroy, or de-identify the Personal Information in terms of applicable laws and regulations.
  15. MAINTENANCE OF PERSONAL INFORMATION
    1. Where required by law, the Company will take all reasonable steps to ensure that Personal Information is accurate, complete, not misleading and up to date.
    2. The Company also acknowledges that a Data Subject may have rights of access to, and the right to rectify, their/its Personal Information, and the rights to object to the processing of their/its Personal Information in certain circumstances.
    3. Any person or entity engaging with the Company is required to inform the Company if any of the Personal Information that it may have about them/it or about any entity or person on whose behalf the person or entity acts, is incorrect, incomplete, misleading or out of date, by notifying the Information Officer of the Company at the particulars set out at clause 3.2.
  16. INFORMATION OFFICERS
    1. The Company has appointed an Information Officer to assist the Company in its compliance with the Act.
    2. The Company’s Information Officer is responsible for registration with the Information Regulator.
  17. DIRECT MARKETING
    1. The Company processes Personal Information for the purpose of direct marketing by way of electronic communication. The Company will only send direct marketing materials if the Data Subject has specifically opted-in to receive these materials, or if the Data Subject is a client of the Company, and at all times in accordance with applicable laws.
    2. Anyone may opt out of receiving direct marketing communication from the Company at any time by requesting it (in any manner, whether telephonically, electronically, in writing or in person) to stop providing any direct marketing communication to them. Opt-out requests can be sent to the Information Officer of the Company at the particulars set out at clause 3.2 and/or using the opt-out preference options provided in the specific direct marketing communication concerned.
  18. COMPLAINT PROCEDURE
    1. The Company has also established an internal complaint procedure to be followed where any party believes that the Company is not acting in compliance the Act. In such instances, you are requested to complete and send the POPI Complaint Form attached hereto as Annexure “A” or to address your concerns in writing to the Information Officer of the Company at the at the particulars set out at clause 3.2.
    2. If you feel that the attempts by the Company to resolve the matter have been inadequate, you may lodge a complaint with the South African Information Regulator by accessing their website at www.justice.gov.za/inforeg.
  19. RIGHTS OF DATA SUBJECTS
    Under certain circumstances, the Data Subject has the following rights in law: -
    1. The Right to be Informed
      1. The Data Subject has the right to be notified that their/its Personal Information is being collected by the Company. The purpose of this Policy is to inform Data Subjects of this.
      2. If further processing or processing of Personal Information that does not fall within the scope of this Policy is required, the Company will inform the Data Subject of this and obtain their/its consent (where necessary).
      3. The Data Subject also has the right to be notified in any situation where the Company, on reasonable grounds, believes that the Personal Information of the Data Subject has been compromised, accessed and/or acquired by an unauthorised person.
    2. The Right to Access Personal Information
      1. The Company recognises that a Data Subject has the right to establish whether the Company holds Personal Information related to them/it, including the right to request access to that Personal Information.
      2. Data Subjects can make use of the “Request Form” compiled in terms of the Promotion of Access to Information Act, No. 2 of 2000, which can be accessed on the Company’s website.
    3. The Right to have Personal Information Corrected or Deleted
      1. The Data Subject has the right to request, where necessary, that their/its Personal Information must be corrected where such information held by the Company is not accurate or bears any defect;
      2. The Data Subject has the right to request, where necessary, that their/its Personal Information must be deleted where the Company is no longer authorised to retain such Personal Information.
    4. The Right to Object to the Processing of Personal Information
      1. The Data Subject has the Right, on reasonable grounds, to object to the Processing of their/its Personal Information;
      2. In such circumstances, the Company will give due consideration to the request and the requirements in this regard in terms of the Act. The Company may cease to use or disclose the Data Subject’s Personal Information and may, subject to any statutory and contractual record keeping requirements, approve the destruction of the Personal Information.
    5. The Right to Withdraw Consent
      1. The withdrawal of consent can only be made on condition that such withdrawal:-
        1. does not affect the processing of Personal Information before the withdrawal of the Data Subject’s consent;
        2. does not affect the processing of Personal Information if the processing is in compliance with an obligation imposed by law on the Company;
        3. does not affect the processing of Personal Information where such processing is necessary for the proper performance of a public law duty by a public body;
        4. does not affect the processing of Personal Information as required to finalise the performance of a contract in which the Data Subject concerned is a party; or
        5. does not affect the processing of Personal Information as required to protect the Data Subject’s legitimate interests or the Company’s own legitimate interests or the legitimate interests of a third party to whom the information is supplied.
      2. Withdrawal of consent may limit the Company’s ability to provide certain products and services to the Data Subject or the ability of a third party to provide certain products or services to the Data Subject, but will not affect the continued processing of Personal Information in instances in which consent is not required.
    6. The Right to Object to Direct Marketing
      1. The Data Subject has the right to object to the Processing of their/its Personal Information for purposes of direct marketing by means of unsolicited electronic communications;
      2. The Company will only send Data Subjects direct marketing materials if they/it have specifically opted-in to receive such materials, or if they/it are a client of the Company, at all times in accordance with applicable laws.
    7. The Right to Complain to the Information Regulator
      1. The Data Subject has the right to submit a complaint to the Information Regulator regarding the alleged infringement of any of the rights conferred onto them/it by the Constitution and/or the Act and to institute civil proceedings regarding the alleged non-compliance with the protection of their/its Personal Information.
  20. CHANGES TO THIS PRIVACY POLICY

    21. To the extent allowed by the law, this Policy may be amended and updated from time to time in the Company’s sole discretion, without notice, provided that if the Company does so, it will post the revised Policy on the Company website listed herein, and will take reasonably practicable steps to inform Data Subjects of the updated Policy. Accordingly, all Data Subjects are required to periodically check this Policy for changes. If a Data Subject continues to engage with the Company, provide products or services to the Company, or access or uses the Company website and/or products and services after amendments are made to this Policy, Data Subjects are deemed to have accepted the updated Policy.

  21. THIRD PARTY SITES
    1. This Policy does not apply to the websites of any other parties, or the applications, products or services such websites advertise and which may be linked to the Company website, or websites that link to or advertise on the Company’s website.
    2. The Company is not responsible for the privacy practices of such third-party websites, or for any claims, loss or damage arising from these.
    3. The Company advises all Data Subjects to read the privacy policy of each third-party website and decide whether they/it agree to their privacy practices and policies.
  22. CONSUMER PROTECTION ACT, PROTECTION OF PERSONAL INFORMATION AND OTHER LAWS
    1. If this Policy or any provision in this Policy is regulated by or subject to the Consumer Protection Act, No. 68 of 2008 (“the CPA”), the Act or any other laws, it is not intended that any provision of this Policy contravenes any provision of the CPA, the Act or any such other laws. Therefore, all provisions of this Policy must be treated as being qualified, to the extent necessary, to ensure that the provisions of the CPA, the Act and any other such laws are complied with.
    2. No provision of this Policy:
      1. does or purports to limit or exempt the Company from any liability (including, without limitation, for any loss directly or indirectly attributable to the Company’s gross negligence or wilful default or that of any other person acting for or controlled by the Company) to the extent that the law does not allow such a limitation or exemption;
      2. requires the Data Subject to assume risk or liability for the kind of liability or loss, to the extent that the law does not allow for such an assumption of risk or liability; or
      3. limits or excludes any warranties or obligations which are implied into this Policy by the CPA and the Act (to the extent applicable), or any other applicable laws, to the extent that the law does not allow them to be limited or excluded.
  23. GENERAL
    1. Data Subjects agree that this Policy, and any dispute of whatsoever relating to or arising out of this Policy, whether directly or indirectly is governed by South African law, without giving effect to any principle of conflict of laws.
    2. Data Subjects agree that the Company may, at any time, transfer, cede, delegate or assign any or all of its rights and obligations under this Policy. The Company will notify Data Subjects if it transfers, cedes, delegates or assigns any rights or obligations to a third-party, but it does not have to notify Data Subjects if it transfers, cedes, delegates or assigns any rights or obligations to any person which acquires all or part of the Company’s business and/or assets. The Company may, in certain instances, also sub-contract its obligations herein, and where it engages such sub-contractors, it will do so without the permission of Data Subjects and without notifying them.
    3. This Policy shall apply for the benefit of and be binding on each party’s successors and assigns.
    4. The Company’s failure to exercise or enforce any right or provision of this Policy shall not constitute a waiver of such a right or provision.
    5. Each Provision of this Policy, and each part of any provision, is severable from the others. As far as the law allows, if any provision (or part of a provision) of this Policy is found by a court or authority of competent jurisdiction to be illegal, invalid or unenforceable (including without limitation, because it is not consistent with the law of another jurisdiction), it must be treated as if it was not included in this Policy and the rest of this Policy will still be valid and enforceable.


ANNEXURE A

POPI COMPLAINT FORM


The Company is committed to safeguarding your privacy and the confidentiality of your Personal Information and are, at all times, bound by the provisions of the Protection of Personal Information Act, No.4 of 2013.

Please submit your complaint to the Information Officer:
Address to: The Information Officer of Dumono (Proprietary) Limited
Email Address:



Particulars of Complainant:
Full names:
Identity Number:
Postal Address:
Contact Number:
Email Address:
Details of Complaint:
 
 
 
 
Desired Outcome:
 
 
 
 
 
Signature Page:
Signature
Date

Nothing in this POPI Complaint Form and/or this Privacy Policy compiled in terms of the Protection of Personal Information Act, No. 4 of 2013 is intended to limit and/or derogate your rights to lodge a complaint with the Information Regulator of South Africa, situated at 33 Hoof Street Forum III, 3rd Floor, Braampark, Johannesburg. Email: inforreg@justice.go.za.