Energy Drive is an organisation that complies with the laws of South Africa and recognises that a person’s constitutional right to privacy is of the utmost importance, therefore the protection of Personal Information is vital for sustainability and growth of our business.
The purpose of this policy is to incorporate the requirements of the Protection of Personal Information Act No.4 of 2013 (hereafter called this Act) into the everyday operations of Energy Drive and to ensure that these requirements are documented and implemented in Energy Drive.
This policy is applicable to all employees in Energy Drive, which includes all Group Companies, Affiliates and Subsidiaries.
Energy Drive and its employees shall adhere to this policy in the handling of all Personal Information received from, but not limited to natural persons, employees, clients, suppliers, agents, representatives, and business partners to ensure compliance with this Act, applicable regulations and other rules relating to the protection of Personal Information.
Energy Drive, represented by the Information Officer confirms that we have familiarized ourselves with the content of this Act, applicable regulations and other rules relating to the protection of Personal Information, and will strive to always adhere to these requirements.
6.1 “Data Subject” means the person to whom Personal Information relates;
6.2 “Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
6.2.1 Promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
6.2.2 Requesting the Data Subject to make a donation of any kind for any reason.
6.3 “Electronic Communication” means any text, voice, sound or image message sent over an Electronic Communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
6.4 “Energy Drive” means Energy Drive or registration number 2010/003802/07
6.5 “Filing System” means any structured set of Personal Information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
6.6 “Information Officer” of, or in relation to, a:
6.6.1 Public Body means an Information Officer or deputy Information Officer as contemplated in terms of Section 1 or 17 of this Act; or
6.6.2 Private body means the head (or appointed person) of a Private Body as contemplated in Section 1 of the Promotion of Access to Information Act.
6.7 “Operator” means a person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party;
6.8 “person” means a natural person or juristic person.
6.9 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
6.9.1 Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
6.9.2 Information relating to the education or the medical, financial, criminal or employment history of the person;
6.9.3 Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;
6.9.4 The biometric information of the person;
6.9.5 The personal opinions, views or preferences of the person;
6.9.6 Correspondence sent by the person that would reveal the contents of the original correspondence if the message is of a personal or confidential nature;
6.9.7 The views or opinions of another individual about the person; and
6.9.8 The name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
6.10 “Private Body” means:
6.10.1 A natural person who carries or has carried on any business or profession, but only in such capacity; or
6.10.2 A partnership which carries or has carried on any trade, business or profession; or
6.10.3 Any former or existing juristic person but excludes a Public Body.
6.11 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
6.11.1 The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
6.11.2 Dissemination by means of transmission, distribution or making available in any other form; or
6.11.3 Merging, linking, as well as restriction, degradation, erasure or destruction of information.
6.12 “Public Body” means:
6.12.1 Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
6.12.2 Any other functionary or institution when;
6.12.3 Exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
6.12.4 Exercising a public power or performing a public function in terms of any legislation.
6.13 “Public Record” means a Record that is accessible in the public domain and which is in the possession of or under the control of a Public Body, whether or not it was created by that Public Body.
6.14 “Record” means any recorded information regardless of form or medium, including any of the following:
6.14.1 Writing on any material;
6.14.2 Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
6.14.3 Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
6.14.4 Book, map, plan, graph, or drawing;
6.14.5 Photograph, film, negative, tape or other device in which one or more visuals images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
6.14.6 In the possession or under the control of a Responsible Party; and regardless of when it came into existence.
6.15 “Re-identify” in relation to Personal Information of a Data Subject, means to resurrect any information that has been de-identified, that:
6.15.1 Identifies the Data Subject;
6.15.2 Can be used or manipulated by a reasonably foreseeable method to identify the Data Subject; or
6.15.3 Can be linked by a reasonably foreseeable method to other information that identifies the Data Subject, and ‘re-identified” has a corresponding meaning.
6.16 “Responsible Party” means a public or Private Body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information.
6.17 “Special Personal Information” means Personal Information as referred to in Section 26 of this Act.
6.18 “this Act” means the Protection of Personal Information Act, No. 4 of 2013.
6.19 “Unique Identifier” means any identifier that is assigned to a Data Subject and is used by a Responsible Party for the purposes of the operations of that Responsible Party and that uniquely identifies that Data Subject in relation to that Responsible Party.
Energy Drive and its employees are committed to the following principles:
7.1 To give effect to the constitutional right to privacy, by safeguarding Personal Information when processed by Energy Drive, subject to justifiable limitations;
7.2 To regulate the manner in which Personal Information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful Processing of Personal Information;
7.3 To be transparent in its standard operating procedures that govern the Processing of Personal Information;
7.4 To comply with the applicable legal and regulatory requirements regarding the Processing of Personal Information;
7.5 To collect Personal Information through lawful and fair means and to process Personal Information in a manner compatible with the purpose for which it was collected;
7.6 Where required by law and according to local requirements, to inform Data Subjects when Personal Information is collected about them;
7.7 Where required by law, regulations or guidelines, to obtain a Data Subject’s consent prior to Processing his/her/its Personal Information;
7.8 To strive to keep Personal Information accurate, complete, up-to-date and reliable for its intended use;
7.9 To strive to develop reasonable security safeguards against risks, losses, unauthorised access, destruction, use, modification or disclosure of Personal Information;
7.10 To strive to provide Data Subjects with the opportunity to access the Personal Information relating to them and, where applicable, to comply with requests to correct, amend or rectify the Personal Information where incomplete, inaccurate or not compliant with the standard operating procedures;
7.11 To only share Personal Information, such as permitting access, transmission or publication, with third parties (either within or outside Energy Drive), only if reasonable assurance can be provided that the recipient of such information will apply suitable privacy and security protection to the Personal Information;
7.12 To comply with any restrictions and requirements that apply to the Transborder Information Flow Policy.
8.1 Personal information collected by Energy Drive and/or any of its representatives, will be collected directly from the Data Subject, unless:
8.1.1 The information is contained or derived from a Public Record or has deliberately been made public by the Data Subject; or
8.1.2 The Data Subject or a competent person where the Data Subject is a child, has consented to the collection of the information from another source; or
8.1.3 Collection of the information from another source would not prejudice the legitimate interests of the Data Subject; or
8.1.4 Collection of the information from another source is necessary:
220.127.116.11 To avoid prejudice to the maintenance of the law by any Public Body, including the prevention, detection, investigation, prosecution and punishment of offences; or
18.104.22.168 To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; or
22.214.171.124 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
126.96.36.199 In the interest of national security; or
188.8.131.52 To maintain the legitimate interests of Energy Drive or of a third party to whom the information is supplied; or
184.108.40.206 Compliance would prejudice a lawful purpose of the collection; or
220.127.116.11 Compliance is not reasonably practicable in the circumstances of the particular case.
8.2 Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Energy Drive.
8.3 Steps will be taken to ensure that the Data Subject is aware of the purpose of the collection of the information.
8.4 Energy Drive will take reasonably practicable steps to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the Personal Information is collected and further processed.
8.5 Where Personal Information is collected from a Data Subject, Energy Drive will take reasonably practicable steps to ensure that the Data Subject is aware of:
8.5.1 The information being collected and where the information is not collected from the Data Subject, the source from which it is collected;
8.5.2 The name and address of Energy Drive;
8.5.3 The purpose for which the information is being collected;
8.5.4 Whether or not the supply of the information by the Data Subject is voluntary or mandatory;
8.5.5 The consequences of failure to provide the information;
8.5.6 Any particular law authorising or requiring the collection of the information;
8.5.7 The fact that, where applicable, Energy Drive intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisations;
8.5.8 Any further information such as the:
8.5.9 Recipient or category of recipients of the information;
8.5.10 Nature or category of the information;
8.5.11 Existence of the right of access to and the right to rectify the information collected;
8.5.12 Existence of the right to object to the Processing of Personal Information which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable Processing in respect of the Data Subject to be reasonable.
8.6 The steps referred to in clause 8.5 must be taken:
8.6.1 If the Personal Information is collected directly from the Data Subject, prior to the information being collected, unless the Data Subject is already aware of the information as referred to in clause 8.5; or
8.6.2 In any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
8.7 It will not be necessary for Energy Drive to comply with clause 8.5 if:
8.7.1 The Data Subject or a competent person if the Data Subject is a child has provided consent for the non-compliance; or
8.7.2 Non-compliance would not prejudice the legitimate interests of the Data Subject; or
8.7.3 Non-compliance is necessary:
18.104.22.168 To avoid prejudice to the maintenance of the law by any Public Body, including the prevention, detection, investigation, prosecution and punishment of offences; or
22.214.171.124 To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; or
126.96.36.199 For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
188.8.131.52 In the interest of national security:
184.108.40.206.1 Compliance would prejudice a lawful purpose of the collection; or
220.127.116.11.2 Compliance is not reasonably practicable in the circumstances of the particular case.
8.8 The information will:
8.8.1 Not be used in a form in which the Data Subject may be identified; or
8.8.2 Be used for historical, statistical or research purposes.
9.1 Personal information will only be processed lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject.
9.2 Personal information may only be processed if:
9.2.1 given the purpose for which it was processed, it is adequate, relevant and not excessive;
9.2.2 the Data Subject or a competent person where the Data Subject is a child consents to the Processing;
9.2.3 Processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party;
9.2.4 Processing complies with an obligation imposed by law on Energy Drive;
9.2.5 Processing protects a legitimate interest of the Data Subject;
9.2.6 Processing is necessary for the proper performance of a public law duty by a Public Body; or
9.2.7 Processing is necessary for pursuing the legitimate interest of Energy Drive or of a third party to whom the information is supplied.
9.3 If Energy Drive appoints or authorises an Operator to process any Personal Information on its behalf or for any reason, it will implement necessary agreements to ensure that the Operator or anyone Processing Personal Information on behalf of Energy Drive or an Operator, must:
9.3.1 Process such information only with the knowledge or authorisation of Energy Drive; and
9.3.2 Treat Personal Information which comes to his/her/its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of his/her/its duties.
9.4 Energy Drive must maintain documentation of all Processing operations under its responsibility.
10.1 Energy Drive must ensure that the further Processing of Personal Information be compatible with the purpose for which it was collected.
10.2 To assess whether further Processing is compatible with the purpose of collection, Energy Drive will take account:
10.2.1 The relationship between the purpose of the intended further Processing and the purpose for which the information was collected; and
10.2.2 The nature of the information concerned; and
10.2.3 The consequences of the intended further Processing for the Data Subject; and
10.2.4 The manner in which the information has been collected; and
10.2.5 Any contractual rights and obligations between the parties.
10.3 The further Processing of Personal Information will not be incompatible with the purpose of collection if:
10.3.1 The Data Subject or competent person where the Data Subject is a child, has consented to the further Processing of the information; or
10.3.2 The information is available in or derived from a Public Record or has deliberately been made public by the Data Subject; or
10.3.3 Further Processing is necessary:
10.3.3.1 To avoid prejudice to the maintenance of the law by any Public Body, including the prevention, detection, investigation, prosecution, and punishment of offences; or
10.3.3.2 To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; or
10.3.3.3 For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
10.3.3.3.1 In the interest of national security, the further Processing of the information is necessary to prevent or mitigate a serious and imminent threat to
10.3.3.3.1.1 Public health or public safety; or
10.3.3.3.1.2 The life or health of a Data Subject or other individual(s); or
10.3.3.3.1.3 The information is used for historical, statistical or research purposes and Energy Drive ensures that the further Processing is carried out solely for such purposes and will not be published in an identifiable form.
11.1 Records of Personal Information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless –
11.1.1 The retention of a Record is required or authorised by law; or
11.1.2 Energy Drive reasonably requires a Record for lawful purposes related to its functions or activities; or
11.1.3 Retention of a Record is required by a contract between the parties thereto; or
11.1.4 The Data Subject or a competent person where the Data Subject is a child has consented to the retention of a Record.
11.2 Information collected or processed initially for the purposes of historical, statistical or research value, may be retained for a period longer than contemplated in clause 11, providing Energy Drive has appropriate measures in place to safeguard these records against uses other than what it was intended for initially.
11.3 Energy Drive will destroy or delete a Record of Personal Information or de-identify it as soon as reasonably practical after Energy Drive is no longer authorised to retain a Record.
11.4 The de-identifying or deletion of a Record of Personal Information must be done in a manner that prevents its reconstruction in an intelligible/understandable form.
11.5 In the event that Energy Drive uses a Record of Personal Information of a Data Subject to make a decision about the Data Subject, it must –
11.5.1 Retain the Record for such period as may be required or prescribed by law or a code of conduct; or
11.5.2 If there is no law or code of conduct prescribing a retention period, retain the Record for a period which will afford the Data Subject a reasonable opportunity, taking all considerations relating to the use of the Personal Information into account, to request access to the Record.
11.6 Energy Drive will restrict the Processing of Personal Information if –
11.6.1 Its accuracy is contested by the Data Subject, for a period enabling Energy Drive to verify the accuracy of the information; or
11.6.2 Energy Drive no longer needs the Personal Information for achieving the purpose for which it was collected or subsequently processed, but it has to be maintained for purposes of proof; or
11.6.3 The Processing is unlawful and the Data Subject opposes its destruction or deletion and requests the restriction of its use instead; or
11.6.4 The Data Subject requests to transmit the personal data into another automated Processing system.
11.7 Personal information that has been restricted may only be processed for purposes of proof, or with the Data Subject’s consent, or with the consent of a competent person where the Data Subject is a child, or for the protection of the rights of another natural or legal person or if such Processing is in the public interest.
11.8 Where Personal Information is restricted, Energy Drive will inform the Data Subject before lifting the restriction.
12.1 Energy Drive will secure the integrity and confidentiality of Personal Information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent –
12.1.1 Loss of, damage to or unauthorised destruction of Personal Information; and
12.1.2 Unlawful access to or Processing of Personal Information.
12.2 Energy Drive will take responsible measures to –
12.2.1 Identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
12.2.2 Establish and maintain appropriate safeguards against the risks identified;
12.2.3 Regularly verify that the safeguards are effectively implemented; and
12.2.4 Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
12.3 Energy Drive will have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
12.4 Energy Drive will, in terms of a written contract between Energy Drive and the Operator, ensure that the Operator which processes Personal Information for Energy Drive, establishes and maintain the security measures as referred to in this clause 12.
12.5 The Operator will inform Energy Drive immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.
13.1 Where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person, Energy Drive will notify –
13.1.1 The Information Regulator; and
13.1.2 The Data Subject, unless the identity of such Data Subject cannot be established.
13.2 The notification of a breach will be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of Energy Drive’s information system.
13.3 Energy Drive will only delay notification of the Data Subject if a Public Body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the Public Body concerned.
13.4 The notification to a Data Subject will be in writing and communicated to the Data Subject in at least one of the following ways:
13.4.1 Posted to the Data Subject’s last known physical or postal address; or
13.4.2 Sent by e-mail to the Data Subject’s last known e-mail address; or
13.4.3 Placed in a prominent position on the website of Energy Drive; or
13.4.4 Published in the news media.
13.5 The notification will provide sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise, including–
13.5.1 A description of the possible consequences of the security compromise;
13.5.2 A description of the measures that Energy Drive intends to take or has taken to address the security compromise;
13.5.3 A recommendation with regard to the measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
13.5.4 If known to Energy Drive, the identity of the unauthorised person who may have accessed or acquired the Personal Information.
14.1 The Data Subject or competent person where the Data Subject is a child, may withdraw his, her or its consent to procure and process his, her or its Personal Information, at any time, providing that the lawfulness of the Processing of the Personal Information before such withdrawal or the Processing of Personal Information in terms of clause 9 is not affected.
14.2 A Data Subject may object, at any time, to the Processing of Personal Information–
14.2.1 In terms of clause 9, in writing, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such Processing; or
14.2.2 For purposes of Direct Marketing other than Direct Marketing by means of unsolicited Electronic Communications.
14.3 A Data Subject, having provided adequate proof of identity, has the right to –
14.3.1 Request Energy Drive to confirm, free of charge, whether or not Energy Drive holds Personal Information about the Data Subject; and
14.3.2 Request from Energy Drive a Record or a description of the Personal Information about the Data Subject held by Energy Drive, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information –
18.104.22.168 Within a reasonable time;
22.214.171.124 At a prescribed fee as determined by the Information Officer;
126.96.36.199 In a reasonable manner and format; and
188.8.131.52 In a form that is generally understandable.
14.4 A Data Subject may, in the prescribed manner, request Energy Drive to –
14.4.1 Correct or delete Personal Information about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
14.4.2 Destroy or delete a Record of Personal Information about the Data Subject that Energy Drive is no longer authorised to retain.
14.5 Upon receipt of a request referred to in clause 14.3, Energy Drive will, as soon as reasonably practicable –
14.5.1 Correct the information;
14.5.2 Destroy or delete the information;
14.5.3 Provide the Data Subject, to his, her or its satisfaction, with credible evidence in support of the information; or
14.5.4 Where an agreement cannot be reached between Energy Drive and the Data Subject, and if the Data Subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
14.6 Energy Drive will inform the Data Subject, who made a request as set out in clause 14.3, of the action taken as a result of the request.
15.1 Energy Drive will respond promptly when the Data Subjects request notification of purpose of use, disclosure, correction, addition or deletion of details, and suspension of use or elimination relating to Personal Information held by Energy Drive.
16.1 Each employee of Energy Drive will be responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes.
16.2 Managers and responsible employees will be trained according to their functions in legal requirements, policies and guidelines that govern the protection of Personal Information in Energy Drive. Energy Drive will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy law and its policies, the Act and any applicable regulations. Employees who violate the guidelines and standard operating procedures of this policy may be subject to disciplinary action being taken against him/her.
17.1 The point of contact for requests, disclosures, questions, complaints and any other inquiries relating to the handling, collection, Processing or Re-identifying of Personal Information shall be directed to the Information Officer or Deputy Information Officer(s) as referred to in the Information Officer Policy.
18.1 Each department will establish appropriate privacy standard operating procedures that are consistent with this policy, local customs and practices as well as legal and regulatory requirements.
19.1 Appointment of Information Officer
The Information Officer in terms of Energy Drive’s structure will be the Chief Financial Officer.
19.2 Registration as Information Officer
The Information Officer shall ensure that he/she is registered with the Regulator within the prescribed manner and timeframe, as being the Information Officer of Energy Drive.
19.3 Duties and Responsibilities of the Information Officer
The Information Officer’s responsibilities include:
a) The encouragement of compliance with the conditions and stipulations of this policy for the lawful Processing of Personal Information.
b) Dealing with requests made to Energy Drive pursuant to this policy.
c) Working with the Regulator in relation to investigations conducted regarding the prior authorisation for Processing, in relation to Energy Drive.
d) Ensuring compliance by Energy Drive with Energy Drive’s policies regarding the protection of Personal Information and the provisions of the Act.
19.4 Designations and Delegation of Deputy Information Officer(s)
a) The Information Officer may appoint any number of Deputy Information Officers as is necessary to perform the duties of the Information Officer as set out above. The Information Officer has control over every Deputy Information Officer(s) appointed.
b) The Information Officer may delegate, in writing, his/her power of duty conferred or imposed by this policy, to a Deputy Information Officer(s). In his/her decision to delegate power of duty, the Information Officer must give due consideration to the need to render Energy Drive as accessible as reasonably possible for requests of its records.
c) The Deputy Information Officer’s duties must only be exercised or performed subject to any conditions set by the Information Officer. The delegation of power does not prohibit the Information Officer from performing these duties himself/herself. The Information Officer may at any time withdraw or amend, in writing, the delegation of power of duty.
d) Any right or privilege acquired, or any obligation or liability incurred as a result of the delegation of power, is not affected by any subsequent withdrawal or amendment of that delegation.
19.5 Deputy Information Officer(s)
Name and Surname
20.1 Energy Drive will not process Personal Information, concerning –
20.1.1 The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
20.1.2 The criminal behaviour of a Data Subject to the extent that such information relates to –
184.108.40.206 The alleged commission by a Data Subject of any offence; or
220.127.116.11 Any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
21.1 The prohibition on Processing of Special Personal Information, as referred to in clause 20 of this policy, does not apply if -
21.1.1 Processing is carried out with the consent of the Data Subject; or
21.1.2 Processing is necessary for the establishment, exercise or defence of a right or obligation in law; or
21.1.3 Processing is for historical, statistical or research purposes to the extent that –
18.104.22.168 The purpose serves a public interest and the Processing is necessary for the purpose concerned; or
22.214.171.124 It appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the Processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent; or
126.96.36.199 Information has deliberately been made public by the Data Subject.
21.1.4 It is required with regards to the OHS act or part of the medical requirements of our clients.
22.1 Refer to clause 20 and apply same general principles.
22.2 Authorisation Concerning Data Subject’s Health or Sex Life
a) The prohibition on Processing Personal Information concerning a Data Subject’s health or sex life, as referred to in this section regarding the Prohibition on the Processing of Special Personal Information, does not apply to the Processing by –
a. Medical professionals, healthcare institutions or facilities or social services, if such Processing is necessary for the proper treatment and care of the Data Subject, or for the administration of the institution or professional practice concerned;
b. Insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such Processing is necessary for–
i. Assessing the risk to be insured by the insurance company or covered by the medical scheme and the Data Subject has not objected to the Processing; or
ii. The performance of an insurance or medical scheme agreement; or
iii. The enforcement of any contractual rights and obligations;
c. Schools, if such Processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
d. Any public or Private Body managing the care of a child if such Processing is necessary for the performance of their lawful duties;
e. Any Public Body, if such Processing is necessary in connection with the implementation of prison sentences or detention measures; or
f. Administrative bodies, pension funds, employers or institutions working for them, if such Processing is necessary for –
i. The implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the Data Subject; or
ii. The reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
b) In cases referred to in clause 22.2 a), the information may only be processed by Energy Drive subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between Energy Drive and the Data Subject.
c) Where Energy Drive is permitted to process information concerning a Data Subject’s health or sex life in terms of this policy and is not subject to an obligation of confidentiality as referred to in clause 22.2 a), it must treat the information as confidential, unless Energy Drive is required by law or in connection with its duties to communicate the information to other parties who are authorised to process such information in accordance with this section.
d) Personal information concerning inherited characteristics may not be processed in respect of a Data Subject from whom the information concerned has been obtained, unless –
a. A serious medical interest prevails; or
b. The Processing is necessary for historical, statistical or research activity.
23.1 Prohibition on the Processing of Personal Information of Children
a) Energy Drive may not process any Personal Information of children, unless as allowed for in terms of this policy.
23.2 General Authorisation Concerning Personal Information of Children
a) The Processing of Personal Information of children will only be allowed in the following circumstances:
a. If it is carried out with the prior consent of a competent person;
b. If it is necessary for the establishment, exercise or defence of a right or obligation in law;
c. If it is necessary to comply with an obligation of international public law;
d. If it is for historical, statistical or research purposes to the extent that –
i. The purpose serves a public interest and the Processing is necessary for the purpose concerned; or
ii. It appears to be impossible or would involve disproportionate effort to ask for consent; or
iii. sufficient guarantees are provided for to ensure that the Processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
iv. Where the Personal Information has deliberately been made public by the child with the consent of a competent person.
24.1 Processing Subject to Prior Authorisation
a) Energy Drive must obtain prior authorisation from the Regulator, prior to any Processing if Energy Drive plans to –
a. Process Unique Identifiers of Data Subjects –
i. For a purpose other than the one for which the identifier was specifically intended at collection; and
ii. With the aim of linking the information together with information processed by other responsible parties;
b. Process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
c. Process information for the purpose of credit reporting; or
d. Transfer Special Personal Information or the Personal Information of children to a third party in a foreign country that does not provide an adequate level of protection for the Processing of Personal Information.
b) Energy Drive will only have to obtain the prior authorisation once and not each time that Personal Information is received or processed, except where the Processing departs from that which has been authorised by the Regulator.
25.1 Energy Drive must notify the Regulator when Processing Personal Information that is subject to prior authorisation.
25.2 Energy Drive may not carry out information Processing that has been notified to the Regulator until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conduct.
26.1 Transfer of Personal Information outside the Republic
26.2 Energy Drive may not transfer Personal Information about a Data Subject to a third party who is in a foreign country unless –
26.2.1 The third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that –
188.8.131.52 Effectively upholds principles for reasonable Processing of the information that are substantially similar to the conditions for the lawful Processing of Personal Information relating to a Data Subject who is a natural person, and where applicable, a juristic person; and
184.108.40.206 Includes provisions that are substantially similar to this policy, relating to the further transfer of Personal Information from the recipient to third parties who are in a foreign country;
26.2.2 The Data Subject consents to the transfer;
26.2.3 The transfer is necessary for the performance of a contract between the Data Subject and Energy Drive, or for the implementation of pre-contractual measures taken in response to the Data Subject’s request;
26.2.4 The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between Energy Drive and a third party; or
26.2.5 The transfer is for the benefit of the Data Subject, and –
220.127.116.11 It is not reasonably practicable to obtain the consent of the Data Subject to that transfer; and
18.104.22.168 If it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.
27.1.1 The purpose of this section is to ensure that necessary records and documents of Energy Drive are adequately protected and maintained to ensure that records that are no longer needed by Energy Drive or are of no value, are discarded at the proper time; and
27.1.2 To assist employees of Energy Drive in understanding their obligations in retaining documents.
27.2.1 This section applies to all documents which are collected, processed or stored by Energy Drive and includes but is not limited to documents in paper and electronic format, for example, e- mail, web and text files, PDF documents etc.
27.3.1 Any employee found to have violated this section may be subject to disciplinary action, up to and including termination of employment.
27.4 Guidelines for the Retention of documents
27.4.1 Energy Drive may suspend the destruction of any Record or document due to pending or reasonably foreseeable litigation, audits, government investigations or similar
proceedings. Employees will be notified of applicable documents where the destruction has been suspended to which they have access to.
27.4.2 All documentation and Personal Information that is being stored by Energy Drive must be stored and guarded in compliance with this policy.
27.4.3 The documentation and information listed in the schedule below may not contain all the records and documents processed and in the possession of Energy Drive and should merely be used as a guideline.
27.4.4 If a document and/or information is no longer required to be stored in accordance with this policy and relevant legislation, it should be deleted and destroyed in accordance with the Data Destruction section.
27.4.5 The Information Officer should be consulted where there is uncertainty regarding the retention and destruction of documents and/or information.
28.1.1 The purpose of this section is to provide guidance to Energy Drive’s employees regarding the destruction of documentation. All forms of computer equipment, digital storage media and printed or handwritten material must be disposed of securely when no longer required. Secure disposal maintains our data security and supports compliance with Energy Drive policies and procedures.
28.1.2 Energy Drive realises that electronic devices and media can hold vast amounts of information, some of which can linger indefinitely and sees compliance of this policy as of the utmost importance in order to ensure that restricted data and/or Personal Information does not find its way into unauthorised hands.
28.2.1 This section aims to protect restricted data and Personal Information and applies to all users of Energy Drive’s network including Director(s), Manager(s), administrative personal, other employees, contractors, visitors and third parties. The section applies to all information systems owned by Energy Drive and includes personal computers, Macs, laptops, mobile phones, handheld computers, servers and external or removable storage devices. The Policy also applies to printed materials.
28.3 Secure disposal
28.3.1 In determining whether a document and/or information should be stored or disposed of, each employee should first refer to the Data Retention section and in the event of any uncertainties, to the Information Officer of Energy Drive.
28.3.2 Under no circumstances should paper documents or removable media (CD’s, DVD’s, discs, etc.) containing personal or confidential information be simply binned or deposited in refuse tips.
28.3.3 Energy Drive will ensure that all electrical waste, electronic equipment and data on disk drives be physically removed and destructed in such a way that the data will by no means be able to be virtually retrieved.
28.3.4 Employees must ensure that all paper documents that should be disposed of, be shredded locally within the department and then be recycled. Where local shredding is not possible, bulk quantities of restricted paper waste must be held in waste sacks. These will be collected and disposed of by an employee instructed to do so by the Information Officer.
28.3.5 In the event that a third party is used for data destruction purposes, this third party must also comply with the regulations as stipulated in this policy and any other applicable legislation
28.4.1 The amendments have been compiled with the objective of guiding Energy Drive to become compliant with the stipulations of the Protection of Personal Information Act, No 4 of 2013.
All stakeholders are required to be committed to and to share the responsibilities to successfully give effect to this policy.
CEO- EnergyDrive Systems
Type of document and Minimum Retention Required:
Annual Financial Statements including annual accounts, directors, and auditors report - 15 Years
Books of accounting recording information required by the Companies Act No.71 of 2008 - 15 Years
Branch Register - 5 Years
Certificate of change of name - Indefinite
Certificate of incorporation - Indefinite
Certificate to commence business - Indefinite
Director’s attendance register - 15 Years
Index of members - 15 Years
Memorandum and articles of association - Indefinite
Minute book, CM25 and CM26, as well as resolutions passed at the general/class meetings - Indefinite
Microfilm image of any original Record reproduced directly by the camera - Indefinite
Proxy forms - 3 Years
Proxy forms used at court convened meetings - 3 Years
Register of allotments – after a person ceased to be a member - 15 Years
Register of directors and certain officers - 15 Years
Register of director’s shareholding - 15 Years
Register of Members - 15 Years
Register of mortgages and debentures and fixed assets - 15 Years
29.2 Personnel Records
Employee’s employment contract - 3 Years
Time worked by employee - 3 Years
Remuneration to be paid to each employee - 3 Years
Date of birth of any employee under 18 years of age - N/A
Employee deduction authorisation - 3 Years
Garnishments - 3 Years
Employee disciplinary Record - 3 Years
Employee count records - 3 Years
29.3 Health and Safety
Register, records or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees compensated for disablement caused by occupational injuries or diseases sustained or contracted by employees in the course of their employment, or for death sustained by these injuries at their place of work. - 4 Years
A health and safety committee shall keep Record of each recommendation made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation. - 3 Years
Records of incidents reported at work. - 3 Years
Records of assessment and air monitoring, and the asbestos inventory. - N/A
Medical surveillance records - 40 Years
Records of risk assessment and air monitoring results - 40 Years
Medical surveillance records - 40 Years
Records of assessment and air monitoring - 30 Years
All records of assessments and noise monitoring - 40 Years
29.4 Credit Agreements
Enquiries - 2 Years
Payment profile - 5 Years
Adverse information - 1 Years
Civil court judgements - The earlier of 5 years or until the judgement is rescinded by a court or abandoned
Administration orders - The earlier of 10 years or until the order is rescinded by a court
Sequestrations - The earlier of 10 years or the order is rescinded by a court
Liquidations - Unlimited
Rehabilitation orders - 5 Years
29.5 Electronic Communication
Personal information and the purpose for which the data was collected must be kept by the person who electronically requests, collects, collates processes, or stores the information - As long as the information is used and at least 1 year thereafter
A Record of any third party to whom the information was disclosed - As long as information is used and at least 1 year thereafter
All personal data that has become obsolete - Destroy
Employment Record – all non-hired applicants (including all applications and resumes – whether solicited or unsolicited, results of post-offer, pre- employment physicals, results of background investigations, if any, related correspondence. - 3 Years