Privacy Policy

1. Definitions

1.1. “applicable law” means the common law and statutory law applicable in the Republic of South Africa including any present or future constitution, decree, judgment, legislation, measure, requirement, order, ordinance, regulation, statute, treaty, directive, rule, guideline, practice, concession or request issued by any relevant authority, government body, agency, or department or any central bank or other fiscal, monetary, regulatory, self-regulatory or other authority or agency which is applicable to this policy;

1.2. “company” or “we” or “us” or “our” means Sourcefin (Pty) Ltd with registration number 2020/547484/07, a company duly incorporated in accordance with the laws of the Republic of South Africa;

1.3. “data subject” means the natural or juristic person to whom the personal information relates;

1.4. “information officer” means the company’s information officer or any deputy information officer appointed in terms of the POPI Act, as identified in the “contact us” section of this policy;

1.5. “information regulator” means the information regulator established in terms of section 39 of the POPI Act;

1.6. “personal information” means the information as set out in section 1 of the POPI Act;

1.7. “policy” means this privacy policy, as amended from time to time;

1.8. “POPI Act” means the Protection of Personal Information Act, 4 of 2013;

1.9. “process” or “processing” means any operation or activity, whether automated or not, concerning personal information, including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination, distribution, merging, linking, restriction, degradation, erasure or destruction of personal information, as defined in section 1 of the POPI Act.

2. Purpose

2.1. The company takes its data protection and information security responsibilities very seriously. The company recognises the importance of your privacy and understands your concerns regarding security of your personal information. We are committed to the effective management of all personal information that is provided to us or collected by us during the course of our business operations.

2.2. The purpose of this policy is to set out the generally accepted principles that apply to the collection, processing, retention, destruction and sharing of personal information by the company in respect of its clients, potential clients, employees, consultants, suppliers and potential suppliers.

3. Personal information collected by the company

3.1. The company may collect personal information from a variety of sources which includes, but is not limited to –

3.1.1. information we collect directly from you;

3.1.1.1. personal details such as name inclusive of first name, middle name and surname, date of birth, gender, identity number, passport number, company name and company registration number;

3.1.1.2. contact details such as phone number, email address, physical address and postal address;

3.1.1.3. financial information such as bank confirmation letter, bank statements, financial statements, management accounts, VAT certificate, income tax certificate and a letter of good standing;

3.1.1.4. survey responses such as feedback, preferences and any other personal information provided through surveys. This may include information related to your satisfaction with our products or services;

3.1.2. information we collect from the way in which you interact with our website;

3.1.3. information we collect from third party sources.

3.2. The company will not process the following categories of personal information, unless legally required to do so –

3.2.1. race or ethnic origin;

3.2.2. political opinions;

3.2.3. religious or philosophical beliefs;

3.2.4. trade union memberships;

3.2.5. genetic or biometric data; and

3.2.6. sexual orientation.

4. Policy principles

The personal information processed by the company is underpinned by the following 8 principles, which form the foundation of the company’s approach to privacy –

4.1. Accountability

the company is responsible for complying with measures to give effect to the principles below, and to data protection legislation;

4.2. Processing limitation

personal information should not be disclosed, made available or otherwise used for purposes other than those for which it was collected, without the consent of the data subject or as required by law;

4.3. Purpose specification

the purpose for which personal information is collected should be specified;

4.4. Further processing limitation

further processing of personal information must be compatible with the purpose for which the information was collected under the purpose specification principle above;

4.5. Information quality

personal information should be relevant for the purpose(s) for which it is used, and should be accurate, complete and kept up-to-date;

4.6. Transparency and openness

there should be a general policy of openness about developments, practices and policies with respect to personal information. A data subject should readily be able to establish the existence and type of personal information, the main purpose(s) of use of the personal information and the identity of the person responsible for its processing;

4.7. Security safeguards

personal information should be protected by reasonable security safeguards against risks such as unauthorised access, destruction, use or disclosure of data;

4.8. Data subject rights

data subjects, at a minimum, and where required by applicable data protection legislation, have the right to –

4.8.1. obtain confirmation of whether or not the company has personal information relating to them;

4.8.2. object to the company processing their personal information, however, the company may object if it has a compelling and lawful reason to continue processing the personal information;

4.8.3. receive copies of personal information relating to them;

4.8.4. have their personal information deleted or corrected;

4.8.5. withdraw any consent previously given for the processing of their personal information, where such processing is based on consent (subject to legal or contractual restrictions and reasonable notice);

4.8.6. be informed, on request and where reasonably practicable, of the identity of all third parties who have, or have had, access to their personal information;

4.8.7. complain to a regulatory authority or the company’s information officer or deputy information officer (set out in the “contact us” section of this policy) should they be of the view that their personal information has been compromised.

5. The company’s approach

The company’s approach is linked to the data life cycle as illustrated below. The policy principles are mapped to the phases of the data cycle below –

Data Lifecycle

5.1. Collection

5.1.1. the volume of personal information collected should be limited to the personal information required for the purpose for which it was collected;

5.1.2. the company should only collect personal information from the data subject if it has a lawful basis for processing the personal information, such as –

5.1.2.1. the express, voluntary and informed consent of the data subject;

5.1.2.2. an agreement between the company and the data subject which requires personal information to be processed;

5.1.2.3. a legal obligation; or

5.1.2.4. the processing protects a legitimate interest of the company.

5.1.3. the company must take reasonable steps to ensure that personal information that has been collected is complete, accurate and not misleading;

5.2. Processing

5.2.1. personal information must only be processed for the purpose that was stated at the time of the collection of the personal information;

5.2.2. in the event that the company uses the personal information for any other purpose, then the further processing must be aligned with the original purpose, or the consent of the data subject must be obtained before any further processing takes place;

5.3. Sharing

5.3.1. personal information held by the company may be processed by third parties. These relationships shall be governed by a written data protection agreement, which provides for adequate protection of the personal information processed by the third party;

5.3.2. in circumstances where a third party has access to or processes the personal information of the company’s clients, employees, consultants or suppliers, the company must determine the associated risks before entering into any agreement or sharing any personal information, by conducting a due diligence on the third party;

5.3.3. the company may not disclose personal information to third parties, for purposes other than for processing on behalf of the company, unless –

5.3.3.1. consent of the data subject has been obtained;

5.3.3.2. the company is under a legal obligation to disclose the information;

5.3.4. by submitting an application or otherwise engaging with the company, the data subject expressly authorises the company to obtain, verify and share the data subject’s and, where applicable, the data subject’s company’s personal and credit-related information with registered credit bureaus and relevant third parties for the purposes of credit checks, affordability assessments and identity verification, in compliance with applicable laws;

5.3.5. by engaging with the company, the data subject consents to the recording and storage of all communications and interactions with the company’s representatives for quality assurance, training and record-keeping purposes;

5.4. Retention

5.4.1. the company will not retain a data subject’s personal information for longer than the period for which it is needed and in compliance with applicable law;

5.4.2. retention periods are determined based on –

5.4.2.1. legal obligations relating to minimum periods to retain information;

5.4.2.2. the purposes for which the company processes the information;

5.4.2.3. whether the company can achieve those purposes;

5.4.2.4. the amount, nature and sensitivity of the information;

5.4.2.5. the potential risk of harm from unauthorised use or disclosure of the information;

5.4.3. where minimum retention periods are imposed by law, the company shall retain the relevant personal information for at least the period required by the applicable law;

5.5. Destruction

the company must securely destroy or de-identify personal information that has reached the end of its retention period, where there is no longer a lawful basis, including a legitimate interest, to retain the information.

6. Direct marketing

6.1. The company will not process the personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail, unless the data subject has given their consent to the processing or is, subject to the requirements of section 69(3) of the POPI Act, an existing customer of the company.

6.2. Every electronic direct marketing communication sent by the company will identify the company as the sender and contain a clear, simple and free mechanism by which the data subject can opt out of receiving further direct marketing communications.

7. Transfer of personal information

The data subject acknowledges and consents to the company transferring its/his/her personal information outside the Republic of South Africa. Any such transfer will only take place where one or more of the conditions set out in section 72 of the POPI Act are met.

8. Security safeguards

8.1. The company shall take reasonable technical, physical and organisational measures to ensure the integrity and confidentiality of personal information held by the company.

8.2. These measures serve to prevent –

8.2.1. loss of, damage to or unauthorised destruction of personal information; and

8.2.2. unlawful access to or processing of personal information.

8.3. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the company shall, in accordance with section 22 of the POPI Act, notify the information regulator and the affected data subject as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the company’s information systems.

8.4. The notification to the affected data subject shall be in writing and shall provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, in the manner contemplated by section 22 of the POPI Act.

9. Training

9.1. All persons who are exposed to and process personal information are obliged to be trained appropriately in respect of their obligations in terms of this policy.

9.2. All new employees will be required to complete data privacy training, and all current employees will be required to complete refresher training annually.

10. Contact us

10.1. Should you have any queries regarding this policy or would like to enforce any rights you may have under data protection laws, please contact us at –

Physical address: 105 Corlett Drive, Birnam, Johannesburg, 2196
Email address: informationofficer@sourcefin.co.za
Attention: Marom Mishan (Information Officer) or Joshua Kadish (Deputy Information Officer)
Telephone number: 010 500 3753

10.2. We will endeavour to respond to any such requests as soon as is reasonably practicable. In some instances, Sourcefin may be able to charge a fee for responding to your request and shall advise you of this and any applicable amount prior to responding.

10.3. You have the right to lodge a complaint with the information regulator, the details of which are set out below (although we urge you to contact us to bring it to our attention first, using the details above, so that we can attempt to assist you and/or resolve any issue before it is escalated) –

Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address: PO Box 31533, Braamfontein, Johannesburg, 2017
Telephone number: 010 023 5200
Complaints email: POPIAComplaints@inforegulator.co.za
General enquiries email: enquiries@inforegulator.org.za

11. Amendments to this policy

The company reserves the right to amend or update this policy from time to time.

12. Compliance with this policy

Compliance with this policy will be monitored on an ongoing basis. Any breach of or non-compliance with this policy must be communicated to either the information officer or deputy information officer.