• Send Money To
    Bangladesh-flag (1)
    Bangladesh
    flag-benin
    Benin
    flag-burkinafaso
    Burkina Faso
    flag-burundi
    Burundi
    flag-cameroon
    Cameroon
    flag-car
    Central African Republic
    flag-congo
    Congo Brazzaville
    flag-drc
    Congo DRC
    flag-swaziland
    Eswatini
    flag-ethiopia
    Ethiopia
    flag-gabon
    Gabon
    flag-gambia
    Gambia
    flag-ghana
    Ghana
    flag-guinea
    Guinea Conakry
    flag-guineab
    Guinea-Bissau
    flag-ivorycoast
    Côte d'Ivoire
    flag-kenya
    Kenya
    flag-liberia
    Liberia
    flag-madagascar
    Madagascar
    flag-malawi
    Malawi
    flag-mali
    Mali
    flag-morocco
    Morocco
    flag-mozambique
    Mozambique
    flag-niger
    Niger
    flag-nigeria
    Nigeria
    Pakistan
    Pakistan
    flag-rwanda
    Rwanda
    flag-senegal
    Senegal
    SOmaliaFlag
    Somalia
    flag-sierraleone
    Sierra Leone
    flag-southsudan
    South Sudan
    flag-tanzania
    Tanzania
    flag-togo
    Togo
    flag-uganda
    Uganda
    flag-zambia
    Zambia
    flag-zimbabwe
    Zimbabwe
  • How It Works
  • What We Offer
  • Wallet & Card
  • Support

POPI Protection and Processing of Personal Information Policy

  1. Introduction

  2. Scope

  3. Definitions

  4. Policy Application

  5. Guiding Principles for the Lawful Processing of Personal Information
     5.1 Accountability
     5.2 Processing Limitation
     5.3 Purpose Specification
     5.4 Further Processing Limitation
     5.5 Information Quality
     5.6 Openness
     5.7 Security Safeguards
     5.8 Data Subject Participation

  6. Rights of Data Subjects
     6.1 The Right to Know and Be Informed
     6.2 The Right to Access Personal Information
     6.3 The Right to Rectify or Erase
     6.4 The Right to Object
     6.5 The Right Not to Be Subjected to Automated Decision-Making
     6.6 The Right to Complain
     6.7 The Right to Submit Civil Proceedings

  7. Guiding Principles for Processing of Special Personal Information
     7.1 Authorisation: Religious or Philosophical Beliefs
     7.2 Authorisation: Race or Ethnic Origin
     7.3 Authorisation: Trade Union Membership
     7.4 Authorisation: Political Persuasion
     7.5 Authorisation: Health or Sex Life
     7.6 Authorisation: Criminal Behaviour or Biometric Information

  8. Guiding Principles for Processing Information of Children

  9. Prior Authorisation

  10. Direct Marketing (if applicable)

  11. Directories (if applicable)

  12. Automated Decision-Making (if applicable)

  13. Transfers of Personal Information Outside South Africa

  14. Specific Roles and Responsibilities (change according to size of organisation)
     14.1 Governing Body
     14.2 Information Officer
     14.3 Human Resources Department
     14.4 Information Technology Function
     14.5 Employees of Clicksendnow
     14.6 Operators

  15. Monitoring and Review of the Policy

1. Introduction

The Protection of Personal Information Act (POPI) is South Africa’s privacy law and introduces requirements for the processing of personal information. The Protection of Personal Information Act (POPIA) gives effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party, subject to justifiable limitations.

POPIA includes provision for justifiable limitations including:
● Balancing the right to privacy against other rights, particularly the right of access to information; and
● Protecting important interests, including the free flow of information within the Republic and across international borders.

2. Scope

The POPI Act applies to the processing of personal information which is entered into a record by a responsible party domiciled in South Africa.
The aim of the Protection and Processing of Personal Information Policy is to establish a framework and set out the guiding principles and the efforts of Clicksendnow to protect the personal information of, and to process personal information of, our clients, employees, service providers, and any other data subject in a lawful manner and ensure that the rights of the data subject are protected in accordance with the POPI Act.

3. Definitions

means a technique of personal identification that is based on physical, physiological or behavioral characterisation including but not limited to: fingerprint, face scanning, liveness analysis and voice recognition.

means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.

means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.

means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

means the person to whom the personal information relates.

in relation to the personal information of a data subject, means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘‘de-identified’’ has a corresponding meaning;

means to approach a data subject, either in person or electronic communication, like WhatsApp, Facebook, email, etc. for the direct or indirect purpose of—
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject;

means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or the recipient’s terminal equipment until it is collected by the recipient.

means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

means the comparison, whether manually or by means of any electronic or other devices, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, to produce or verify information that may be used to take any action in regard to an identifiable data subject.

of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

means the Cabinet member responsible for the administration of justice.

means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

means a natural person or a juristic person.

means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignments to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

means prescribed by regulation or by a code of conduct.

means—
(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body

means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information

means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice.

means—
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when—
(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation

means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.

means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other devices in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence

in relation to personal information of a data subject, means to resurrect any de-identified information, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘re-identified’’ has a corresponding meaning

means a public or private body or any other person which, alone or in conjunction with others determines the purpose of and means for processing personal information.

means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information.

means personal information as referred to in section 26 of POPIA.

means any identifier that is assigned to a data subject and is used by a responsible party for the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

4. Policy Application

This policy and its guiding principles apply to:
▪ The organisation’s governing body
▪ All branches, business units and divisions of the organisation
▪ All employees
▪ All contractors, marketing agents, brand ambassadors, suppliers and other persons acting on behalf of the organisation

Failure to adhere to the policy will result in disciplinary action. The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).

POPIA does not apply in situations where the processing of personal information:
▪ is concluded in the course of purely personal or household activities, or
▪ where the personal information has been de-identified.

5. Guiding principles for the lawful processing of personal information

Clicksendnow is committed to the processing of personal information in accordance with its responsibilities under the Protection of Personal Information Act. Clicksendnow and its employees will act in accordance with the following principles or conditions:

5.1 Accountability

Failing to comply with POPIA could potentially damage the organisation’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.
Clicksendnow is obligated to ensure compliance with the conditions for lawful processing of information, as provided for in terms of the POPI Act, and the measures that Clicksendnow implement to give effect to the conditions throughout its engagement with its clients, employees and other stakeholders.
This policy shall set the principles for the protection and processing of personal information framework which shall include various measures, procedures and controls that shall give effect to this policy and shall ensure that all personal information processed by Clicksendnow is done so in a lawful manner and safeguarded.
Clicksendnow shall establish a function consisting of an Information Officer and Deputy Information Officer which is authorised and to whom the responsibility is delegated to encourage and ensure compliance with the POPI Act and Clicksendnow personal information risk management and compliance framework.

5.2 Processing limitation

Clicksendnow shall process personal information in a lawful and fair manner. Clicksendnow shall process information for a specific reason and only adequate, relevant information which is limited to the purposes for which they are processed. Furthermore, information under Clicksendnow’s control shall only be processed with the informed consent of the data subject or for one or more of the legitimate and justifiable reasons as provided for in the POPI Act:

  • Processing of personal information is necessary to perform in terms of the engagement or agreement with the data subject;

  • Processing complies with an obligation imposed by law on Clicksendnow;

  • Processing protects the legitimate interest of our data subject;

  • Processing is necessary to pursue the legitimate interests of Clicksendnow or a third party to whom we supply the personal information.

Clicksendnow shall inform its data subjects of the purpose or reasons for the collection of personal information and shall obtain informed consent from the data subject. Information shall be obtained directly from the data subject unless the data subject has consented to the collection of personal information from another party or if Clicksendnow can demonstrate a justifiable reason for collecting information from another source as provided for in the POPI Act, for example if:

  • The information is public record or public knowledge;

  • The collection from another source would not prejudice the legitimate interest of the data subject;

  • Collection from another source is necessary to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

  • To comply with an obligation imposed by law;

  • And other legitimate reasons mentioned in POPIA.

The data subject has the right to withdraw consent or object to the processing of personal information and is required to do so in the prescribed manner.
Clicksendnow shall further take special care to limit processing in respect of special information and shall in all such cases aim to comply with the conditions of Part B of the POPI Act.

5.3 Purpose specification

Clicksendnow shall collect personal information for a specific, explicitly defined and lawful purpose that relates to the function or the activity of our organisation. Clicksendnow shall endeavor to ensure that the data subject is aware of the purpose for the collection of information to enable the data subject to make an informed decision on whether or not to disclose the personal information to our organisation.
Clicksendnow may not retain personal information any longer than necessary for achieving the purpose for which we have collected or processed the information unless:

  • We are required by law to retain information for a longer period;

  • Retention is required for lawful purposes related to our functions or activities;

  • Retention is required in terms of a contract between the data subject and Clicksendnow;

  • In the case of a child’s personal information, a competent person has consented to the retention of the records.

Once the personal information has been retained for the period of time mentioned above, the POPI Act requires that Clicksendnow:

  • Destroy or delete the record; or

  • De-identify personal data to such an extent that it cannot be reconstructed in a clear form.

In circumstances where Clicksendnow is required to restrict the processing of personal data as prescribed by the POPI Act, we shall only process information for the following purposes and before lifting the restriction inform the data subject:

  • For storage purposes;

  • For purposes of proof;

  • With the consent of the data subject;

  • For the protection of another person’s rights; or

  • If such processing is in the public interest.

5.4 Further processing limitation

If Clicksendnow wants to process the personal information further or for additional purposes, it must be compatible or in line with the purpose for which it was collected.
To determine whether further processing is in accordance with the purpose for which it was initially collected, Clicksendnow shall consider the following:

  • The relationship between the purpose for which it wants to further process the information and the purpose for which the information was collected;

  • The nature of the information;

  • What is the consequence of further processing of information for the data subject;

  • The manner of how the information was collected; and

  • Our contractual obligations.

Thus, if Clicksendnow wants to process the information it holds further and the purpose is not compatible with the original purpose, we shall be required to obtain consent from the data subject or demonstrate a justifiable reason as provided for in the POPI Act for further processing personal information.

5.5 Information quality

Clicksendnow will take reasonably practicable steps to ensure that the personal information obtained from our data subjects or third parties is complete, accurate, not misleading and updated where necessary.
From time to time Clicksendnow shall request that data subjects update the personal information having regard to the purpose for which we collected the information. Any information obtained from a third party shall be verified with the data subject to ensure that the information is accurate.
Clicksendnow understands that personal information is sensitive and we shall implement reasonable measures to ensure that personal data is not modified or misused by an unauthorised person.

5.6 Openness

Clicksendnow is required to maintain documentation of all processing operations under its responsibility as referred to in terms of the Promotion of Access to Information Act.
Clicksendnow will take reasonable steps to ensure that the data subject knows that personal information is being collected, the source from which this is collected and the purpose for collection before the information is collected, including the below:

  • The name and address of the responsible party;

  • Whether the information is provided is mandatory or voluntary;

  • Consequences of failure to provide the information;

  • A law authorising or requiring the collection of information;

  • If applicable, whether the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded;

  • Recipients of the information;

  • Nature and category of the information;

  • The data subject’s right of access and the right to rectify the information collected;

  • The data subject’s right to object to the processing of personal information;

  • The right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.

5.7 Security safeguards

Clicksendnow has the responsibility to secure the integrity and confidentiality of personal information in its possession or under its control and shall take reasonable and appropriate technical and organisational measures to prevent the loss, damage, unauthorized destruction of personal information and unlawful access to or processing of personal information.
Clicksendnow shall identify all reasonably foreseeable internal and external risks to personal data under its control and establish safeguards against those risks.
Clicksendnow will continuously review its security control measures and their effectiveness which will include regular testing of protocols and measures put in place to combat cyber-attacks on the organisation’s IT network. These safeguards will be updated subsequently in response to new risks or deficiencies in safeguards.
All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which the organisation is responsible. All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.
The organisation’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
In the unfortunate event that the safeguards implemented were breached or if Clicksendnow has reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person, Clicksendnow will be required to notify the Information Regulator and the data subject as soon as reasonably possible after the discovery was made.
More detailed information in respect of Security safeguards is detailed in the Information Processing Plan.

5.8 Data subject participation

A data subject has the right to request from Clicksendnow whether it holds personal information about the data subject and Clicksendnow shall provide confirmation free of charge. A data subject may further request records of personal information. Clicksendnow must first establish the identity of the data subject before disclosing the information and must respond to such a request within a reasonable time period and in a form that is generally understandable.
If there are grounds for refusal of access to records set out in PAIA, Clicksendnow may refuse access to the information, but information that does not fall within the ambit of the exclusion in terms of PAIA must be disclosed. Clicksendnow shall provide the data subject with reasons for refusing to provide access to information.
A data subject may request Clicksendnow to correct or delete personal information under the control or in possession of a responsible person if:

  • The personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

  • Delete a record or personal information about the data subject which the responsible party is no longer authorised to store or retain.

Clicksendnow has implemented a POPI information request policy and procedure in terms of which a data subject may make a request for information from Clicksendnow. Such document is available on request / published on Clicksendnow’s website.
Clicksendnow has implemented a complaints resolution policy and procedure which is available on request / published on its website.
Where applicable, the organisation will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

6. Rights of data subjects

Where appropriate, Clicksendnow will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects. Clicksendnow will ensure that it gives effect to the following rights of data subjects:

6.1 The right to know and be informed

The data subject has the right to know that personal information about him or her is being collected by Clicksendnow. The data subject further has the right to be notified that Clicksendnow has reasonable grounds to believe that his or her personal information has been accessed or acquired by an unauthorised person.

6.2 The right to access to personal information

The data subject has the right to establish whether Clicksendnow holds personal information of the data subject and has the right to request access thereto.

6.3 The right to rectify or erase

The data subject has the right to request, where necessary, that his, her or its personal information must be corrected, destroyed or deleted where the organisation is no longer authorised to retain the personal information.

6.4 The right to object

The data subject has the right to object on reasonable grounds to the processing of the data subject’s personal information. Furthermore, the data subject may also object to the processing of personal information for direct marketing by means of unsolicited electronic communications. In such circumstances, the organisation will give due consideration to the request and the requirements of POPIA. The organisation may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.

6.5 The right not to be subjected to automated decision

The data subject has the right to not be subject to a decision which is based solely on the basis of the automated processing of the data subject’s personal information which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree intended to provide a profile of such a person — for instance, for creditworthiness.

6.6 The right to complain

The data subject has the right to submit a complaint to the Information Regulator if it is of the opinion that there is an interference with the protection of personal information or in respect of a determination of an adjudicator, and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.

6.7 The right to submit civil proceedings

A data subject may further institute civil proceedings regarding the alleged interference with the protection of the data subject’s personal information.

7. Guiding principles for processing of special personal information

Special personal information refers to a “personal religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject as well as criminal behaviour (such as alleged commission of an offence or pending proceedings in respect of the alleged offence).”

Clicksendnow recognises that certain information is considered special personal information and Clicksendnow is committed to processing such personal information in accordance with its responsibilities under the Protection of Personal Information Act. Clicksendnow and its employees shall refrain from collecting special personal information unless the—

● processing is carried out with the consent of a data subject
● processing is necessary for the establishment, exercise or defense of a right or obligation in law
● processing is necessary to comply with an obligation of international public law
● processing is for historical, statistical or research purposes to the extent that—
● the purpose serves a public interest and the processing is necessary for the purpose concerned
● it appears to be impossible or would involve a disproportionate effort to ask for consent
● and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent
● information has deliberately been made public by the data subject

Clicksendnow shall take reasonable steps to implement security safeguards and control measures to ensure the integrity and confidentiality of special personal information in its possession or under its control.

7.1 Authorisation concerning data subject’s religious or philosophical beliefs

A data subjects religious or philosophical may not be processed unless the processing is carried out by:
● spiritual or religious organisations, or independent sections of those organisations if the information concerns data subjects belonging to those organisations or if it is necessary to achieve their aims and principles;
● institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or
● other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects unless they have indicated that they object to the processing.

Spiritual or religious organisations may also process personal information concerning the religion or philosophy of life of family members of the data subjects if it maintains regular contact with those family members in connection with its aims and the family members have not objected.

Under no circumstances may personal information be supplied to a third party without the consent of the data subject.

Clicksendnow does/do not process special personal information concerning a data subject’s religious or philosophical beliefs.

7.2 Authorisation concerning data subject’s race or ethnic origin

A responsible party may process information about a data subject’s race or ethnic origin if the processing of the information is carried out to:
● To identify the data subject when it is essential for that purpose;
● Comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.

Clicksendnow does/do process special personal information concerning a data subject to comply with legislative requirements.

7.3 Authorisation concerning data subject’s trade union membership

It is not prohibited to process information of the data subject’s trade union membership if the information processing is done by the trade union to which the data subject belongs or the trade union federation to which the trade union belongs and if the processing is necessary to achieve the aims of the trade union or trade union federation.

The trade union or trade union federation may not without the consent of the data subject supply personal information to third parties.

Clicksendnow does /do not process special personal information concerning a data subject’s trade union membership but shall obtain prior consent should it be required to process such information in relation to the employment relationship with a data subject.

7.4 Authorisation concerning data subject’s political persuasion

Processing of personal information by or for an institution founded on political principles are allowed of:
● its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or
● a data subject if such processing is necessary for—
 ○ forming a political party;
 ○ participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to National or municipal elections, referendum or campaigning for a political party or cause.

No personal information may be supplied to third parties without the consent of the data subject.

Clicksendnow does /do not process special personal information concerning a data subject’s political persuasion.

7.5 Authorisation concerning data subject’s health or sex life

In general personal information of a data subject, health or sex life may not be processed. However, Section 32 of the POPI Act provides authorisation for the following persons:

● Medical professionals, healthcare institutions or facilities or social services:
If such processing of personal information about a data subjects health or sex life is necessary for the proper treatment and care of the data subject, or the administration of the institution or professional practice concerned.

● Insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations:
If the processing of the personal information by the aforementioned bodies is necessary for:
 ○ assessing the insured risk by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
 ○ the performance of an insurance or medical scheme agreement; or
 ○ the enforcement of any contractual rights and obligations;

● Schools
If such processing of personal information is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life.

● Public or private body managing the care of a child
If such processing is necessary for the performance of their lawful duties;

● Public body
If such processing is necessary in connection with the implementation of prison sentences or detention measures

● Administrative bodies, pension funds, employers or institutions working for them,
If such processing is necessary for the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject or the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

The responsible parties may only process the information subject to an obligation of confidentiality whether by virtue of office, employment, the profession of a legal provision or in terms of a written agreement, even if no such obligation exists the responsible party is nonetheless obliged to treat information as confidential unless required by law or in terms of its duties to communicate to other parties who are authorised to process such information.

Inherited characteristics of a data subject may not be processed unless it is for medical purposes or processing of the information is necessary for historical, statistical or research activity.

Clicksendnow shall only process medical information in the context of an employment relationship to determine sick leave benefits, occupational health and safety and incapacity considerations.

7.6 Authorisation concerning data subject’s criminal behaviour or biometric information

Bodies that are charged by law with applying criminal law or responsible parties who have obtained information about the data subjects criminal behaviour or biometric information are permitted to process such information.

The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.

Clicksendnow shall only process information about a data subject’s criminal behaviour in an employment relationship context.

8. Guiding principles for processing information of children

Clicksendnow shall not process the personal information of a child unless carried out with the prior consent of a competent person.
A child “means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.”
A competent person “means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.”
Clicksendnow shall be authorised or able to process personal information of a child if:
● carried out with the prior consent of a competent person (for instance a guardian or parent);
● necessary for the establishment, exercise or defence of a right or obligation in law;
● necessary to comply with an obligation of international public law;
● for historical, statistical or research purposes to the extent that is in the public interest or if it appears to be impossible to ask for consent or involve disproportionate effort to do so and guarantees are provided to ensure that processing of this nature does not affect the individual privacy of the child to a disproportionate extent;
● personal information which has been made public by a competent person.

9. Prior Authorisation

Clicksendnow must obtain prior authorisation from the Information Regulator if the responsible party plans to:
● Process any unique identifier of data subjects for a purpose other than the one for which the identifier was specifically intended at the collection, and to link the information together with information processed by other responsible parties;
● process information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties;
● process information for the purposes of credit reporting; or
● transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

10. Direct marketing (if applicable)

Clicksendnow shall not process personal information of a data subject for the purposes of direct marketing by any form of electronic communication unless Clicksendnow has obtained consent from the data subject in the prescribed manner.
Furthermore, the POPI Act provides that Clicksendnow process personal information for the purpose of direct marketing if the data subject is a customer and subject to the following:
● The contact details of the data subject have been obtained in the context of the sale of a product or service;
● The purpose of direct marketing is to market Clicksendnow’s own or similar products or services;
● The data subject must be given a reasonable opportunity to object to the use of electronic details;
● The opportunity to object must be given at the time when the data was collected and on the occasion of each communication.

It is also a requirement that any communication for the purpose of direct marketing must contain the details of the sender (or on whose behalf the communication is sent) and contact details or an address to which the recipient may send a request to cease or stop receiving the communications.

11. Directories (if applicable)

A data subject who is a subscriber to a printed or electronic directory of subscribers which is available to the directors or any enquiry services must be informed free of charge before the data subject’s personal data is included in the directory of the purpose and further uses of the directory.
A Subscriber is defined as “any person who is a party to a contract with the provider of publicly available electronic communications services for the supply of such services.”
The POPI Act further requires that a data subject must also be given the option to object to the use of such information or to request verification, confirmation or withdrawal of such information if the data subject initially has not refused.

12. Automated decision-making (if applicable)

Section 71(1) of POPIA states “a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its creditworthiness, reliability, location, health, personal preferences or conduct.”
The aforementioned provision that a data subject may not be subject to a decision as stated in Section 71(1) will not apply if the decision:

● has been taken in connection with the conclusion or execution of a contract and the request of the data subject in terms of the contract has been met or measures have been taken to protect the data subject’s legitimate interest; or
● Was governed by a law or code of conduct in which appropriate measures for protection are specified

The measures referred to above must provide an opportunity for data subjects to make representations about the decision and the responsible party must provide the data subject with sufficient information about the logic of the automated processing of information.

13. Transfers of personal information outside South Africa (If Applicable)

Clicksendnow will not transfer personal information to a third party which is in a foreign country without the consent from the data subject and without ensuring that adequate levels of protection are provided by law, binding corporate rules and the binding agreement must uphold the conditions of lawful processing in terms of the POPI Act and provisions that are substantially similar to the provision relating to transborder information flow and the transfer is necessary for the performance of the conclusion of a contract. If it is not possible to obtain consent for the transfer and the data subject would have likely given the consent for the transfer of personal information Clicksendnow may transfer personal information outside South Africa but shall be required to demonstrate and record its reasons for the transfer.

14. Specific roles and responsibilities

14.1 Governing body

The governing body of Clicksendnow as the body with the highest level of authority is responsible to ensure that Clicksendnow maintains an effective POPI risk management and compliance programme or framework in terms of which it meets its legal obligations in terms of the POPI Act. Clicksendnow’s governing body shall remain accountable and must ensure that each entity meets its legal obligations in terms of POPIA. To ensure that Clicksendnow meets its obligations the governing body may delegate certain functions or responsibilities to the relevant departments or individuals within the organisation.

Clicksendnow governing body is required to be engaged with the development of a POPI Risk management and to assist the Information officer in ensuring that the framework is developed, maintained and monitored regularly. The governing body of Clicksendnow shall be required to approve the POPI framework or the risk management and Compliance Programme.
The governing body is responsible for ensuring that:
● An Information Officer, and where necessary, a Deputy Information Officer is appointed;
● All persons responsible for the processing of personal information on behalf of the organisation has received the necessary training, understand that personal information may only be processed with the knowledge and authorisation of the organisation as the responsible party; personal information should be treated as confidential and that failure to adhere to the policies, plan and procedures implemented by the organisation may lead to disciplinary action;
● The organisation implement procedures to ensure that data subjects may exercise their rights in terms of POPIA;
● The implementation of a monitoring plan to monitor compliance with the POPI Risk Management and Compliance Programme;
● A Review is conducted from time to time of how the organisation collects, holds, uses, shares, discloses, destroys and processes personal information and whether the organisation process personal information according to the conditions prescribed by the POPI Act

14.2 Information Officer

The role and responsibilities of the information officer are:
● encouragement and ensuring compliance, by Clicksendnow, with the conditions for the lawful processing of personal information;
● Ensure that a compliance framework is developed, implemented, monitored, reviewed and maintained;
● Ensure a personal information impact assessment is done to ensure that adequate measures and standards exist for the lawful processing of personal information;
● Development, monitoring and maintenance of the manual is made available as prescribed in section 14 and 51 of PAIA;
● Internal measures are developed together with adequate systems to process requests for information or access thereto and dealing with those requests made to Clicksendnow in relation to the Act;
● Review service level agreements entered into with operators, employees and other third parties which may have an impact on the personal information held by the organisation;
● Upon request provide copies of the manual to a person upon payment of the prescribed fee;
● Implementing the training plan for internal awareness training in relation to the provisions of the Act, regulations, codes of conduction and any directives, communications or guidelines obtained from the Regulator as well as training with regards to the internal mitigation measures implemented to address the risks associated with the processing of personal information;
● Monitor any request received from the Information Regulator and constructively engage with the Regulator in relation to requests received or ongoing investigations;
● Implementation of a monitoring plan and reporting to the governing body on the organisation complies with the provisions of POPIA;

14.3 Human Resources department:

The role and responsibilities in relation to the protection of personal information:
● Ensuring and encouraging employees to complete internal awareness training;
● Record and maintaining training registers;
● Assist Information officer and deputy information officer to explain and make available policies and procedures of Clicksendnow;
● Ensuring the safety measures for the office environment is adhered to.

14.4 Information technology function:

The IT Portfolio is the responsibility shall be designated to a director and shall be assisted by an operation and systems manager and a Hardware IT manager.
The roles and responsibilities in relation to the protection of personal information are as follows:
● Ensure that Clicksendnow IT infrastructure and data processing platforms comply with acceptable security standards;
● Monitoring, maintenance and repair of the IT infrastructure and networks;
● Providing technical support across the organisation and respond request from employees;
● Setting up computers and profiles for new employees;
● Reporting to the Information Officer on IT infrastructure and the information security;
● Assist to provide training or development of content for Information and data security.

14.5 Employees of Clicksendnow

All employees have a duty of confidentiality in relation to Clicksendnow, clients and any other stakeholders or data subjects. Our employees shall treat personal information as strictly confidential.
Personal information is disclosed to employees to enable an employee to fulfil his or her duties in terms of his or her position. Personal information shall be processed in terms of the guiding principles set out in this policy and shall not be disclosed to any third party unless:
● It is required in the everyday fulfilment of the duties of the employee’s position;
● The data subject has provided written consent;
● It is a requirement of law;
● Clicksendnow has instructed the employee to disclose the information.
Clicksendnow views any contravention of this policy very seriously and employees who are guilty of contravening the policy will be subject to disciplinary procedures, which may lead to the dismissal of any guilty party.

14.6 Operators

Clicksendnow may outsource certain services which may involve the processing of personal information to a third party services provider. Clicksendnow will remain responsible for the processing of personal information even if Clicksendnow has outsourced the processing function to an Operator.
An operator will only process personal information with the knowledge and authorisation of Clicksendnow and the information must be treated as confidential.
A written service level agreement shall govern the relationship between Clicksendnow and the operator.
The operator shall be required to establish and maintain security measures as required in the POPI Act.
The operator is required to notify Clicksendnow where there are reasonable grounds to believe that the personal information of a data subject was accessed or acquired by any unauthorised person.

15. Monitoring and review of the policy

The Information Officer shall be responsible to monitor compliance with the policy and Clicksendnow shall review the policy and all other mitigation measures implemented to give effect to this policy on an annual basis to ensure that it remains effective and applicable. Monitoring shall take place according to the POPI compliance monitoring plan.
An Information officer may further from time to time conduct a POPI review to review the personal information processed by Clicksendnow, how this personal information is used in other words how it is collected, recorded, stored, disseminated and destroyed.
Furthermore, the Information Officer shall review:
● The organisation data flow map;
● The purpose for gathering and processing personal information.
● The processing parameters are still adequately limited.
● That new data subjects are made aware of the processing of their personal information.
● The reasons for any further processing where information is received via a third party.
● Security measures implemented are adequate.

In performing the POPI Review and through the process of monitoring compliance the Information Officers and Deputy Information Officers may require information from various business units and managers to confirm compliance with the POPI Risk Management and compliance programme and to identify areas within the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.
Information Officers will be permitted direct access to and have demonstrable support from line managers and the organisation’s governing body in performing their duties.

icon-whatsapp-green