“company” or “we” or “us” or “our” means Sourcefin (Pty) Ltd with registration number 2020/547484/07, a company duly incorporated in accordance with the laws of the Republic of South Africa;
“data subject” means the natural person and/or juristic person to whom the personal information relates;
“personal information” means the information as set out in section 1 of the POPI Act;
“policy” means this privacy policy, as amended from time to time;
“POPI Act” means the Protection of Personal Information Act, 4 of 2013.
PURPOSE
The company takes its data protection and information security responsibilities very seriously. The company recognises the importance of your privacy and understands your concerns regarding security of your personal information. We are committed to the effective management of all personal information that is provided to us or collected by us during the course of our business operations.
The purpose of this policy is to set out the generally accepted principles that apply to the collection, processing, retention, destruction, and sharing of personal information by the company in respect of its clients, potential clients, employees, consultants, suppliers, and potential suppliers.
PERSONAL INFORMATION COLLECTED BY THE COMPANY
The company may collect personal information from a variety of sources which includes, but is not limited to –
information we collect directly from you
personal details such as name inclusive of first name, middle name, and surname, date of birth, gender, identity number, passport number, and company registration number;
contact details such as phone number, email address, physical address, and postal address;
financial information such as bank confirmation letter, bank statements, financial statements, management accounts, VAT certificate, income tax certificate, and a letter of good standing;
information we collect from third-party sources.
The company will not process the following categories of personal information, unless legally required to do so –
race or ethnic origin;
political opinions;
religious or philosophical beliefs;
trade union memberships;
genetic or biometric data; and
sexual orientation.
POLICY PRINCIPLES
The personal information processed by the company is underpinned by the following 8 principles, which form the foundation of the company’s approach to privacy –
accountability
the company is responsible for complying with measures to give effect to the principles below, and to data protection legislation;
processing limitation
personal information should not be disclosed, made available or otherwise used for purposes other than those for which it was collected, without the consent of the data subject or as required by law;
purpose specification
the purpose for which personal information is collected should be specified;
further processing limitation
further processing of personal information must be compatible with the purpose for which the information was collected in principle 3;
information quality
personal information should be relevant for the purpose(s) for which it is used, and should be accurate, complete, and kept up-to-date;
transparency and openness
there should be a general policy of openness about developments, practices, and policies with respect to personal information. A data subject should readily be able to establish the existence and type of personal information, the main purpose(s) of use of the personal information, and the identity of the person responsible for its processing;
security safeguards
personal information should be protected by reasonable security safeguards against risks such as unauthorized access, destruction, use, or disclosure of data;
data subject rights
data subjects, at a minimum, and where required by applicable data protection legislation, have the right to –
obtain confirmation of whether or not the company has personal information relating to them;
object to the company processing their personal information; however, the company may object if it has a compelling and lawful reason to continue processing the personal information;
receive copies of personal information relating to them;
have their personal information deleted or corrected;
complain to a regulatory authority or the company’s information officer or deputy information officer (set out in clause 8.1) should they be of the view that their personal information has been interfered with.
THE COMPANY’S APPROACH
The company’s approach is linked to the data life cycle as illustrated below. The policy principles are mapped to the phases of the data cycle below –
collection
the volume of personal information collected should be limited to the personal information required for the purpose for which it was collected;
the company may collect personal information for the following purposes –
to perform credit checks, background verification, and other necessary assessments on data subjects in relation to the purchase order finance or invoice discounting application processes;
to perform credit checks, background verification, and other necessary assessments on data subjects in relation to the onboarding of a data subject to the company’s affiliate partner programme;
to provide data subjects with requested services;
to verify a data subject’s identity before the company renders its services to the data subject;
to reply to any queries/complaints or to process requests regarding personal information;
to market the company’s services;
to maintain records in accordance with applicable laws.
the company should only collect personal information from the data subject if it has a lawful basis for processing the personal information, such as –
the express, voluntary, and informed consent of the data subject
in circumstances where an individual submits an application to the company for and on behalf of a company (including its directors) to provide services, the individual warrants that he/she has the authority to submit the application for and on behalf of the particular company (including its directors or members);
in circumstances where an individual submits an application to the company for and on behalf of a company (including its directors) to provide services, the individual consents in his/her personal capacity, and for and on behalf of the applicable company and each of its directors for the company to collect, process, and use all data belonging to each relevant data subject;
an agreement between the company and the data subject which requires personal information to be processed;
a legal obligation; or
the processing protects a legitimate interest of the company.
the company must take reasonable steps to ensure that personal information that has been collected is complete, accurate, and not misleading;
processing
personal information must only be processed for the purpose that was stated at the time of the collection of the personal information;
in the event that the company uses the personal information for any other purpose, then the further processing must be aligned with the original purpose, or the consent of the data subject must be obtained before any further processing takes place;
sharing
personal information held by the company may be processed by third parties. These relationships shall be governed by a written data protection agreement, which provides for adequate protection of the personal information processed by the third party;
in circumstances where a third party has access to or processes the personal information of the company’s clients, employees, consultants, or suppliers, the company must determine the associated risks before entering into any agreement or sharing any personal information, by conducting a due diligence on the third party;
the company may not disclose personal information to third parties, for purposes other than for processing on behalf of the company, unless –
consent of the data subject has been obtained;
the company is under a legal obligation to disclose the information;
retention
the company will not retain a data subject’s personal information for longer than the period for which it is needed and in compliance with applicable law.
retention periods are determined based on –
legal obligations relating to minimum periods to retain information;
the purposes for which the company processes the information;
whether the company can achieve those purposes;
the amount, nature, and sensitivity of the information; and/or
the potential risk of harm from unauthorized use or disclosure of the information.
destruction
the company must securely destroy or de-identify personal information that has reached the end of its retention period, and there is no longer a lawful basis, including a legitimate interest, to retain the information.
SECURITY SAFEGUARDS
The company shall take reasonable technical, physical, and organizational measures to ensure the integrity and confidentiality of personal information held by the company.
These measures serve to prevent –
loss of, damage to, or unauthorized destruction of personal information; and
unlawful access to or processing of personal information.
TRAINING
All persons who are exposed to and process personal information are obliged to be trained appropriately in respect of their obligations in terms of this policy.
All new employees will be required to complete data privacy training and all current employees will be required to complete refresher training annually.
CONTACT US
Should you have any queries regarding this policy or would like to enforce any rights you may have under data protection laws, please contact us at –
Physical address: 105 Corlett Drive, Birnam, Johannesburg
Email address: informationofficer@sourcefin.co.za
Attention: Marom Mishan (Information Officer) or Joshua Kadish (Deputy Information Officer)
Telephone number: 010 500 3753
We will endeavour to respond to any such requests as soon as is reasonably practicable. In some instances, Sourcefin may be able to charge a fee for responding to your request and shall advise you of this and any applicable amount prior to responding.
You have the right to lodge a complaint with the Information Regulator, the details of which are set out below (although we urge you to contact us to bring it to our attention first, using the details above, so that we can attempt to assist you and/or resolve any issue before it is escalated) –
Complaints email: POPIAComplaints@inforegulator.co.za
General enquiries email: enquiries@inforegulator.org.za
AMENDMENTS TO THIS POLICY
The company reserves the right to amend or update this policy from time to time.
COMPLIANCE WITH THIS POLICY
Compliance with this policy will be monitored on an ongoing basis. Any breach of or non-compliance with this policy must be communicated to either the information officer or deputy information officer.