This policy forms part of the policy owner’s internal business processes and procedures.
Any reference to the “organisation” shall be interpreted to include the “policy owner”.
The organisation’s governing body, its employees, volunteers, contractors, suppliers and any other persons acting on behalf of the organisation are required to familiarise themselves with the policy’s requirements and undertake to comply with the stated processes and procedures.
Risk owners and control owners are responsible for overseeing and maintaining control procedures and activities.
The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”).
POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.
Through the provision of quality goods and services, the organisation is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees and other stakeholders.
A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.
Given the importance of privacy, the organisation is committed to effectively managing personal information in accordance with POPIA’s provisions.
Commercially, Red Rabbit is a provider of property inspection software to rental agents. Under the definition of POPI, these rental agents will be the responsible parties, as they determine the purpose for and means by which personal information will be collected from the data subject (a tenant). As such, Red Rabbit is responsible for processing personal information received as part of its property management software service in compliance with the POPI Act.
Red Rabbit is a responsible party when it is processing personal information of its staff, contractors and other stakeholders and will meet all processing requirements in respect of such information.
The aim of the Protection of personal information policy is to establish a framework and set out the guiding principles and the efforts of Red Rabbit to process personal information of our clients, employees and any other stakeholder in a lawful manner and ensure that the rights of the data subject are protected in accordance with the POPI Act.
The policy is applicable to all employees of Red Rabbit and staff members shall receive training with regard to the Protection of personal information policy. Failure to adhere to the policy will result in disciplinary action.
3.1) Personal information
Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:
race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
information relating to the education or the medical, financial, criminal or employment history of the person;
any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignments to the person;
the biometric information of the person;
the personal opinions, views or preferences of the person;
correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
the views or opinions of another individual about the person;
the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
3.2) Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies the organisation with products or other goods.
3.3) Responsible Party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the organisation is the responsible party.
3.4) Operator
An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with the organisation to shred documents containing personal information. When dealing with an operator, it is considered good practice for a responsible party to include an indemnity clause.
3.5) Information Officer
The Information Officer is responsible for ensuring the organisation’s compliance with POPIA.
Where no Information Officer is appointed, the head of the organisation will be responsible for performing the Information Officer’s duties.
Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.
3.6) Processing
The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes:
the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
dissemination by means of transmission, distribution, or making available in any other form; or
merging, linking, as well as any restriction, degradation, erasure, or destruction of information.
3.7) Record
Means any recorded information, regardless of form or medium, including:
Writing on any material;
Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or another device, and any material subsequently derived from information so produced, recorded, or stored;
Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
Book, map, plan, graph, or drawing;
Photograph, film, negative, tape, or other devices in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
3.8) Filing System
This means any structured set of personal information, whether centralised, decentralised, or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
3.9) Unique Identifier
This means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
3.10) De-identify
This means to delete any information that identifies a data subject or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.
3.11) Re-identify
In relation to personal information of a data subject, means to resurrect any information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.
3.12) Consent
Means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
3.13) Direct marketing
Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
Requesting the data subject to make a donation of any kind for any reason.
3.14) Biometrics
Means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
4. Policy Purpose
The purpose of this policy is to protect the organisation from the compliance risks associated with the protection of personal information which includes:
Breaches of confidentiality. For instance, the organisation could suffer a loss in revenue when it is found that the personal information of data subjects has been shared or disclosed inappropriately.
Failing to offer choice. For instance, all data subjects should be free to choose how and for what purpose the organisation uses information relating to them.
Reputational damage. For instance, the organisation could suffer a decline in shareholder value following an adverse event such as a computer hacker deleting the personal information held by the organisation.
This policy demonstrates the organisation’s commitment to protecting the privacy rights of data subjects in the following manner:
Through stating desired behavior and directing compliance with the provisions of POPIA and best practices.
By cultivating an organisational culture that recognises privacy as a valuable human right.
By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.
By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation.
By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary, Deputy Information Officers in order to protect the interests of the organisation and data subjects.
By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.
5. Policy Application
This policy and its guiding principles apply to:
The organisation’s governing body
All branches, business units, and divisions of the organisation
All employees and volunteers
All contractors, suppliers, and other persons acting on behalf of the organisation
The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).
The legal duty to comply with POPIA’s provisions is activated in any situation where there is:
Processing of personal information entered into a record by or for a responsible person who is domiciled in South Africa.
POPIA does not apply in situations where the processing of personal information:
is concluded in the course of purely personal or household activities, or
where the personal information has been de-identified.
6. General Provisions applicable to RedRabbit website and software
6.1) User-Provided Information
The Application obtains the information you provide when you sign up and register to use the Application. Your company has to register as a RedRabbit client to be able to use any of the software features. The registered company can create users for its profile on RedRabbit and will be required to enter the information of these users.
When you register with us and use the Application, you generally provide (a) your name, email address, user name, password, and other registration information; (b) transaction-related information, such as when you make purchases, respond to any offers, or download or use applications from us; (c) information you provide us when you contact us for help; (d) banking information for purchase and use of the Application that we will use to set up the debit order, and; (e) information you enter into our system when using the Application, such as contact information and project management information.
We may also use the information you provided us to contact you from time to time to provide you with important information, required notices, and marketing promotions.
6.2) User Data
Any information entered into the system during normal use is owned by you the customer and you are free to remove any of this information at any time. Our backup procedures may cause your data to remain in the logs for up to 60 days after deletion.
We will never share or distribute any of the information you enter into the system with any third parties without your consent.
The data you enter into the system can be accessed by certain authorized personnel to be able to support you better. An example would be when you create a data backup of the inspections on your mobile device using the ‘backup’ feature which can help the development team to support and debug the Application.
Automatically Collected Information
In addition, the Application may collect certain information automatically, including, but not limited to, the type of device you use, your device’s unique device ID, the IP address of your device, your operating system, the type of Internet browsers you use, and information about the way you use the Application.
Does the Application collect precise real time location information of the device?
This Application does not collect precise information about the location of your device.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to help us improve the Application and our service. We will not share your information with third parties without your consent.
We may disclose User Provided and Automatically Collected Information:
as required by law, such as to comply with a subpoena, or similar legal process;
when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.
if RedRabbit Solutions (Pty) Ltd is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of this information, as well as any choices you may have regarding this information.
What are my opt-out rights?
You can stop all collection of information by removing all your data and then uninstalling the Application from any mobile devices. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network. To terminate your subscription with us for the desktop portal, simply email us and request a termination.
Data Retention Policy, Managing Your Information
We will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. We will retain Automatically Collected information for up to 24 months and thereafter may store it in aggregate. If you would like us to delete User Provided Data that you have provided via the Application, please contact us at firstname.lastname@example.org and we will respond in a reasonable time. Please note that some or all of the User Provided Data may be required in order for the Application to function properly.
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Application. Please be aware that, although we endeavor to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.
7. Rights of data subjects
7.1) The Right to Access Personal Information
The organisation recognises that a data subject has the right to establish whether the organisation holds personal information related to him, her or it including the right to request access to that personal information.
7.2) The Right to have Personal information Corrected or Deleted
The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where the organisation is no longer authorised to retain the personal information. Please contact Red Rabbit directly for assistance with this process.
7.3) The Right to Object to the Processing of Personal Information
The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information.
In such circumstances, the organisation will give due consideration to the request and the requirements of POPIA. The organisation may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.
Please contact RedRabbit directly for assistance with this process.
7.4) The Right to Object to Direct Marketing
The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.
Please contact Red Rabbit directly for assistance with this process.
7.5) The Right to Complain to the Information Regulator
The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.
To lodge a complaint with Red Rabbit, please complete the “POPI Complaint Form” that can be found under Annexure B and submit it to our offices.
7.6) The Right to be Informed
The data subject has the right to be notified that his, her or its personal information is being collected by the organisation.
The data subject also has the right to be notified in any situation where the organisation has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.
Please contact Red Rabbit directly for assistance with this process.
8. General Guiding Principles
All employees and persons acting on behalf of the organisation will at all times be subject to, and act in accordance with, the following guiding principles:
Failing to comply with POPIA could potentially damage the organisation’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.
The organisation will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, the organisation will impose appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
8.2) Processing Limitation
The organisation will ensure that personal information under its control is processed:
in a fair, lawful and non-excessive manner, and
only for a specifically defined purpose.
The organisation will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.
8.3) Purpose Specification
All of the organisation’s business units and operations must be informed by the principle of transparency.
The organisation will process personal information only for specific, explicitly defined and legitimate reasons.
8.4) Further Processing Limitation
Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where the organisation seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.
8.5) Information Quality
The organisation will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading.
The more important it is that the personal information be accurate (for example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the effort the organisation will put into ensuring its accuracy.
8.6) Open Communication
The organisation will take reasonable steps to notify data subjects that their personal information is being collected including the purpose for which it is being collected and processed.
The organisation will ensure that it establishes and maintains a “contact us” facility, for instance via its website or through an electronic helpdesk, for data subjects who want to:
Enquire whether the organisation holds related personal information, or
Request access to related personal information, or
Request the organisation to update or correct related personal information, or
Make a complaint concerning the processing of personal information.
8.7) Security Safeguards
The organisation will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.
Security measures also need to be applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.
The organisation will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the organisation’s IT network.
The organisation will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals.
All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which the organisation is responsible.
All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.
The organisation’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
8.8) Data Subject Participation
A data subject may request the correction or deletion of his, her or its personal information held by the organisation.
The organisation will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information.
Where applicable, the organisation will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.
9. Request to access personal information procedure
Data subjects have the right to:
Request what personal information the organisation holds about them and why.
Request access to their personal information.
Be informed how to keep their personal information up to date.
Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.
Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.
The Information Officer will process all requests within a reasonable time.
10. POPI Complaints Procedure
Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. The organisation takes all complaints very seriously and will address all POPI related complaints in accordance with the following procedure:
POPI complaints must be submitted to the organisation in writing. Where so required, the Information Officer will provide the data subject with a “POPI Complaint Form”.
Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.
The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days.
The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.
The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the organisation’s data subjects.
Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with the organisation’s governing body, whereafter the affected data subjects and the Information Regulator will be informed of this breach.
The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the organisation’s governing body within 7 working days of receipt of the complaint. In all instances, the organisation will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
The Information Officer’s response to the data subject may comprise any of the following:
A suggested remedy for the complaint,
A dismissal of the complaint and the reasons as to why it was dismissed,
An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.
The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints.
11. Information Officers
The Information Officer appointed to RedRabbit is Hein Hanekom.
If you have any questions regarding privacy while using the Application, or have questions about our practices, please contact us via email at email@example.com.