1 About ZeniZeni
Zenizeni Sustainable Finance (Pty) Limited (“ZeniZeni”) is an advisory services firm focused on support clients in the finance and financing sectors address the critical sustainability issues that they face.
2 Purpose of this Policy
The South African Protection of Personal Information Act 4 of 2013 (“POPI”) gives effect to the constitutional right to privacy, regulates the manner in which personal information may be processed and provides rights and remedies to protect personal information.
2.1 As an employer as well as service provider, the collection and processing of personal information is directly aligned to the execution of ZeniZeni’s business purpose.
2.2 This Policy provides for what must and must not be done at ZeniZeni as regards personal information to which ZeniZeni becomes privy. The Policy in addition provides procedural guidelines, where appropriate, outlining how the Policy is to be implemented.
2.3 This POPI Policy must be adhered to by all key individuals including directors, employees and service providers.
3 Principles
3.1 The primary purpose of the POPI Act is to regulate the collection and processing of personal information in a manner that will safeguard such information against unauthorised access and usage.
3.2 The purpose of this POPI Policy is to establish the requirements and conditions for the collection, distribution and retention of personal information, in line with the prescripts of the POPI Act and the Promotion of Access to Information Act 2 of 2000 (“PAIA”).
3.3 This Policy articulates the parameters in the collection, processing, storage, distribution and destruction of personal information by ZeniZeni as aligned to the POPI Act. In addition, this Policy sets out how ZeniZeni deals with data subjects’ personal information as well as the purposes for which personal information will be used. This Policy is made
ZeniZeni: POPI and Privacy Policy Page 4 of 15
available on ZeniZeni’s website (www.zenizeni.com) and by request from our Information Officer, whose details are provided below.
4 Definitions
4.1 “consent” – any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
4.2 “data subject” – a person to whom the personal information relates. This will include directors, employees, consultants, and clients as well as prospective clients of ZeniZeni and persons and/or organisations who supply goods or services to ZeniZeni as well as any persons or organisations which communicate and/or conclude any agreement and business with ZeniZeni.
4.3 “person” – a natural or juristic person.
4.4 “personal information” – any information in any form (including electronic and paper-based files) relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person. This can include, but is not be limited to information relating to the race, sex, pregnancy, marital status, national, ethic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of a person. It also includes information relating to the education, medical, identifying and biometric information of an individual.
4.5 “processing” – any activity, automated or manual, concerning personal information. Such activity may include, but is not limited to, collection, receipt, recording, organisation, storage, collation, retrieval, alteration, updating, distribution, dissemination by means of transmission, erasure or destruction of personal information.
4.6 “special personal information” – this is very sensitive personal information that requires stringent protection. Special personal information includes, but is not limited to, religious beliefs, political affiliations, race and ethnic origin, health, sex life and biometric information;
4.7 “secondary personal information” – this is personal information relating to third parties provided to ZeniZeni by its clients or prospective clients for the purposes of the provision of advertising and marketing services, including but not limited to, competitions, direct marketing, newsletters, lead generation and digital marketing.
ZeniZeni: POPI and Privacy Policy Page 5 of 15
5 Collection of personal information
5.1 ZeniZeni collects and receives personal information directly and indirectly from data subjects through various sources.
5.2 Information is collected and processed by ZeniZeni as follows:
5.2.1 directly from the data subject;
5.2.2 from clients or prospective clients who may seek ZeniZeni’s assistance and/or services;
5.2.3 from ZeniZeni’s suppliers and service providers;
5.2.4 from ZeniZeni’s own records relating to its previous provision of assistance or responses to the data subject’s request for services.
5.3 ZeniZeni will not collect personal information regarding a child except when the consent of the child’s parent or guardian is given;
5.4 ZeniZeni will not collect personal information regarding an individual's religious or philosophical beliefs, trade union membership, political opinions, health or sexual life unless permitted by law or with consent from the data subject.
6 Purpose specification
6.1 POPI requires that the data subject be informed of the purpose or reason for the collection of her/his data so that they may either give consent or refuse it. The purpose for which personal information is collected should be specified at the time the information is being collected. In addition, any further use of the collected personal information should be compatible with the initial purpose of collection.
6.2 ZeniZeni needs to collect and process personal information for the following purposes:
6.2.1 assessing, processing and entering into employee agreements and consultant agreements. The terms of our employment contracts, independent contractor agreements, employment policies, job adverts and applications will contain further detail;
6.2.2 training and assessment purposes;
ZeniZeni: POPI and Privacy Policy Page 6 of 15
6.2.3 confirming and verifying a prospective client’s, employee’s or consultant’s credit worthiness, suitability, criminal record and identity;
6.2.4 assessing, entering into agreements with and payment of suppliers and service providers.
6.2.5 confirming and verifying a person’s identity;
6.2.6 arranging of travel for employees or contractors;
6.2.7 providing personalised communication;
6.2.8 providing services to clients, including analytics, strategy and such other services as ZeniZeni may offer from time to time.
6.2.9 audit and record-keeping purposes;
6.2.10 in connection with legal proceedings including debt collection;
6.2.11 in connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law; and/or
6.2.12 for a purpose that is ancillary to the above and for any other purpose for which consent is provided by the data subject.
6.3 This purpose will be explained to the data subject when the information is collected who may then decide whether to grant ZeniZeni consent to collect and process personal information or not.
6.4 In the event that ZeniZeni seeks to use the information for another purpose which is different to the purpose for which the information was collected initially, then ZeniZeni will contact the data subject to obtain the data subject’s consent for further processing.
7 Processing limitation and sharing of personal data
7.1 ZeniZeni will ensure that the personal information collected from data subjects will be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
ZeniZeni: POPI and Privacy Policy Page 7 of 15
7.2 Furthermore, information will be collected directly from the data subject by ZeniZeni or third parties authorised by ZeniZeni only after consent from the data subject concerned.
7.3 ZeniZeni will not process a data subject’s personal information without consent unless:
7.3.1 it is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
7.3.2 the processing complies with an obligation imposed on ZeniZeni by law;
7.3.3 the processing protects a legitimate interest of the data subject;
7.3.4 the processing is in the public interest;
7.3.5 the processing is necessary for pursuing ZeniZeni’s legitimate interests or the legitimate interests of a third party to whom the information is supplied.
7.4 ZeniZeni may act as a data processor on behalf of someone else. In that event, the data controller will have the responsibility to obtain consent for our processing of data. We will act only on the instructions of the data controller and do nothing else with the data outside of the consent.
8 Consent
8.1 Unless one of the additional conditions listed in paragraph 7.3 above applies, ZeniZeni will not collect or process personal information without the consent of the data subject. Consent is normally sought explicitly by ZeniZeni, however, there are also some actions and behaviour that may amount to consent. This includes signing an agreement or application or ticking a tick box on a form whether physical or online.
8.2 No person is compelled to consent to ZeniZeni’s collection or processing of their personal information, however, a refusal to consent may result in a restriction of that person’s participation in activities and opportunities coordinated by ZeniZeni. Data subjects will be advised of the consequences of not giving consent to ZeniZeni for the collection and processing of their personal information as required by law. Data subjects will be made aware that failure to give written consent will result in the data subject’s record being invalid and not subject to any performance on the part of ZeniZeni.
8.3 The procedure undertaken is that data subjects will be informed of the purpose for which information is being collected and thereafter prompted to give consent to having the information collected and processed. Once consent has been
ZeniZeni: POPI and Privacy Policy Page 8 of 15
granted to ZeniZeni the information will be collected and may only be used for the purpose for which the consent was obtained and purpose which are compatible with that initial purpose.
8.4 In the event that ZeniZeni seeks to process a data subject’s information for a different purpose to that which consent has been granted, additional consent will be sought for further processing.
8.5 The data subject may withdraw or revoke his/her consent at any time. This withdrawal of consent must be communicated to the Information Officer in writing with reasonable notice. The withdrawal of consent is subject to the terms and conditions of any contract that is in place. Should the withdrawal of consent result in the interference of legal obligations, then the withdrawal will only be effective if ZeniZeni agrees to same in writing. ZeniZeni will inform the data subject of the consequences of the withdrawal where it will result in ZeniZeni being unable to provide the requested information and/or services and/or financial or other benefits. The revocation of consent is not retroactive and will not affect disclosures of personal information that have already been made.
9 Disclosure and/or distribution of personal information
9.1 ZeniZeni will only use a data subject’s personal information for business purposes and in a manner, which is consistent with the purpose for which consent has been given.
9.2 In the case of personal information being collected indirectly or distributed to third parties, it will be used in line with the purpose for which the information was collected. No personal information will be disclosed or distributed to third parties unless the disclosure or distribution satisfies any of the conditions listed in paragraph 7.3 above, or prior consent or approval has been given by the data subject.
9.3 ZeniZeni may also identify personal information and use it for research, surveys and communication in order to improve ZeniZeni’s offering. This will work solely to improve ZeniZeni’s operations and broader reach and is not information which can be directly attributed to one person in particular.
9.4 ZeniZeni may nevertheless disclose data subjects’ personal information where it is required to do so in terms of applicable legislation, or where it may be necessary in order to protect ZeniZeni’s rights.
9.5 In the event that ZeniZeni does share personal information with a third party, it shall take all reasonable steps to ensure that the third party treats the information in a manner which is consistent with this Policy.
10 Retention of personal information
ZeniZeni: POPI and Privacy Policy Page 9 of 15
10.1 Where ZeniZeni collects personal information for a specific purpose, it will not keep it for longer than is necessary to fulfil that purpose, unless:
10.1.1 further retention is required by law;
10.1.2 ZeniZeni reasonably requires it taking into account the nature of the information and the purpose consented to;
10.1.3 retention is required by a contract between the parties; and/or
10.1.4 the data subject consents to further retention.
10.2 Once the purposes for collection have been fulfilled, the personal information may be destroyed in accordance with POPI.
10.3 In order to protect information from accidental or malicious destruction, when ZeniZeni deletes information from its servers it may not immediately delete residual copies from its servers or remove information from its backup systems. Copies of correspondence that may contain personal information is stored in archives for record-keeping and back-up purposes only.
10.4 Where the law requires ZeniZeni to keep personal information post its use for a specified period of time, all personal information will be kept securely for the duration specified by law.
11 Safeguards, security and incident management
11.1 ZeniZeni strives to ensure the security, integrity and privacy of personal information submitted.
11.2 While no data transmission over the Internet can be guaranteed to be totally secure, ZeniZeni will endeavour to take all reasonable steps to protect personal information submitted to it or via its online services.
11.3 The following methods of protection are in place to ensure that personal information disclosed to ZeniZeni is protected:
11.3.1 ZeniZeni stores client data on an external cloud service (Microsoft One Drive) which has in in transit and at rest encryption;
11.3.2 Password protection is active on computers and mobile phones that may contain personal information thereby limiting access to authorised ZeniZeni personnel only;
ZeniZeni: POPI and Privacy Policy Page 10 of 15
11.3.3 The hard drives on ZeniZeni’s laptops are protected using security and anti-virus software (McAfee);
11.3.4 Physical security measures are in place such as the limitation of access to the building and no-one is allowed to enter the premises without authorisation;
11.3.5 Each manager is responsible for ensuring that the employees under his or her authority take note of the policies on the implementation and maintenance of document management;
12 Third Parties
12.1 ZeniZeni makes use of Asana, a project management software service, developed and owned by Asana, Inc. located at 1550 Bryant Street, Suite 200, San Francisco, CA 94103.
12.1.1 If you are a client, supplier or employee you hereby consent to the following information being used on Asana for the purposes of project management, team engagement, communication and information sharing including research, project information (including client data) and reports.
12.1.2 Asana is the data processor, however, ZeniZeni remains the responsible person in respect of your personal information used on their service. Their services are in line with international data privacy laws. You can read their privacy policy here: https://asana.com/terms#privacy-policy.
12.2 ZeniZeni makes use of Microsoft Outlook, an email service, developed and owned by Microsoft Corporation located at One Microsoft Way, Redmond, WA 98052-7329, USA.
12.2.1 If you are a client, supplier or employee you hereby consent to the following information being used on Microsoft outlook for the purposes of communication and information sharing including research, project information (including client data) and reports.
12.2.2 Microsoft Outlook is the data processor, however, ZeniZeni remains the responsible person in respect of your personal information used on their service. Their services are in line with international data privacy laws. You can read their privacy policy here: https://www.microsoft.com/en-us/licensing/product-licensing/products?rtc=1.
12.3 ZeniZeni makes use of VAConnect, a virtual assistant service, located at 33 Syverwater Villas, Cape Town, South Africa.
12.3.1 If you are a client, supplier or employee you hereby consent to the following information being used through VAConnect for the purposes of ZeniZeni’s administrative processes including booking of travel and accommodation and client, supplier and employee liaisons.
ZeniZeni: POPI and Privacy Policy Page 11 of 15
12.3.2 VAConnect is the data processor, however, ZeniZeni remains the responsible person in respect of your personal information used on their service. Their services are in line with South African data laws. You can read their terms of use and data provisions here: https://vaconnect.co.za/tscs/.
12.4 ZeniZeni’s employees are obliged to respect the confidentiality of any personal information held by ZeniZeni;
12.5 Third parties who provide these services are obligated to respect the confidentiality of any personal information;
12.6 ZeniZeni’s Administrator, whose contact details are provided below, is responsible for the encouragement of compliance with POPI;
12.7 ZeniZeni will review and update its security measures in accordance with future legislation and technological advances.
13 Accountability
13.1 The management and Information Officer of ZeniZeni are responsible for administering and overseeing the implementation of this Policy and any applicable supporting guidelines and procedures.
13.2 ZeniZeni remains responsible for all personal information collected and stored. This includes all and any information collected directly from a data subject and from any other source or authorised third parties.
14 Data subject’s access to and correction of personal information
14.1 Data subjects have the right to be informed whether ZeniZeni holds their personal information and to view any such personal information that ZeniZeni may hold. Furthermore, data subjects have the right to be informed as to how that information was collected and to whom their personal information has been disclosed.
14.2 Data subjects may at any time, request disclosed information by contacting ZeniZeni’s Administrator.
14.3 Information requested will be provided to a data subject within a reasonable time.
14.4 Data subjects are entitled to, at any time, inform ZeniZeni of any changes to their personal information in the possession of ZeniZeni. Upon receipt of any changes to personal information, ZeniZeni will, within a reasonable period, update the personal information. ZeniZeni relies largely on data subjects to ensure that their personal information is correct.
ZeniZeni: POPI and Privacy Policy Page 12 of 15
14.5 Data subjects have the right to ask ZeniZeni to amend or delete their personal information on reasonable grounds.
14.6 Data subjects may be prompted periodically by a representative to update the personal information that ZeniZeni holds. Failure to reply to the prompts to update personal information will result in the assumption that all information that is on ZeniZeni’s systems is accurate.
15 Violations
Violations of this Policy and of POPI will be dealt with by the Information Regulator. A data subject who has a complaint against ZeniZeni either concerning its conduct or this Policy, may refer a complaint to the Information Regulator in terms of sections 63(3) and 74 of POPI.
16 Effective date
This Policy is effective as of 1st May 2020.
17 Queries and objections:
The details of ZeniZeni’s Administrator are as follows:
Name: Malango Mughogho
Telephone number: +27760258382
Email address: malango@zenizenicom
Physical address and Postal address: 7 Green Park, 445 Corlett Drive, Corlett Gardens, Johannesburg 2090, South Africa.
Website: www.zenizeni.com
All questions and queries relating to personal information must be directed to the Administration Officer using the contact information listed above. The Information Regulator has issued the following useful forms for applications for information and granting forms of consent which may be useful for you: http://www.justice.gov.za/inforeg/docs/InfoRegSA-RegulationsDraft-Aug2017.pdf
18 Amendments to this Policy
18.1 ZeniZeni will amend this policy periodically.
18.2 Data subjects are advised to check ZeniZeni’s website periodically to ascertain whether any changes have been made.
ZeniZeni: POPI and Privacy Policy Page 13 of 15
POPI consent form for ZeniZeni
CONSENT AND ACKNOWLEDGMENTS IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (POPI)
1 Introduction
1.1 The Protection of Personal Information Act (POPI) aims to give effect to the constitutional right to privacy by balancing the right to privacy against that of access to information. POPI requires that personal information pertaining to individuals be processed lawfully and in a reasonable manner that does not infringe on the right to privacy.
1.2 ZeniZeni’s POPI Policy and this consent form sets out how personal information will be collected, used and protected by ZeniZeni as required by POPI. The use of the words “the individual” for the purposes of this document shall be a reference to any individual communicating with ZeniZeni and/or concluding any agreement, registration or application, with the inclusion of each individual referred to or included in terms of such agreement, registration or application.
2 What is personal information?
2.1 The personal information that ZeniZeni requires relates to names and surnames, birth dates, identity numbers, passport numbers, demographic information, education information, occupation information, health information, addresses, memberships, and personal and work email and contact details.
2.2 In addition, the particular mandate and operations of ZeniZeni may result in the processing of special personal information, which may be highly sensitive information relating to religious beliefs, political affiliations, race and ethnic origin, health, sex life and biometric information. Where information constitutes such special personal information, or is reasonably likely to include special personal information, this will be drawn to the data subject’s attention and processing will occur in strict compliance with POPI.
3 What is the purpose of the collection, use and disclosure (the processing) of personal information?
3.1 ZeniZeni is legally permitted to collect, use and disclose personal information for the following purposes:
3.1.1 assessing, processing and entering into employee agreements;
3.1.2 training and assessment purposes;
3.1.3 confirming and verifying a prospective clients’ credit worthiness, suitability as a client and identity;
3.1.4 assessing, entering into agreements with and payment of suppliers and service providers;
3.1.5 confirming and verifying a person’s identity;
3.1.6 providing personalised communication;
3.1.7 providing advertising, marketing and media services to clients including customer relationship management, content creation, web development, production services, animation, competitions, direct marketing, lead generation, digital media, analytics, strategy and such other services as ZeniZeni may offer from time to time;
3.1.8 audit and record-keeping purposes;
3.1.9 in connection with legal proceedings including debt collection;
3.1.10 in connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law; and/or
3.1.11 for a purpose that is ancillary to the above and for any other purpose for which consent is provided by the data subject;
3.2 ZeniZeni will not process personal information for a purpose other than those which are identified above without obtaining consent to further processing beforehand.
4 What is ‘processing’?
POPI provides that the term “processing’’ covers any operation or activity, whether or not by automatic means, concerning personal information. Such activity may include, but is not limited to, collection, receipt, recording,
ZeniZeni: POPI and Privacy Policy Page 14 of 15
organisation, storage, collation, retrieval, alteration, updating, distribution, dissemination by means of transmission, erasure or destruction of personal information.
5 How will ZeniZeni process personal information?
5.1 ZeniZeni will only collect personal information for the purposes stated above. Information will be collected in the following manner:
5.1.1 directly from the data subject;
5.1.2 from clients or prospective clients’ who may seek ZeniZeni’s assistance and/or services;
5.1.3 from ZeniZeni’s own records relating to its previous provision of assistance or responses to the data subject’s request for services; and/or
5.1.4 from a relevant public or equivalent entity.
6 To whom will personal information be disclosed?
6.1 The personal information may be disclosed to service providers such as professional bodies who operate across the borders of this country (trans-border flow of information) where personal information must be sent in order to provide the information and/or services and/or benefits requested or applied for.
6.2 In addition, personal information may be disclosed in compliance with ZeniZeni’s legal obligations, or where it may be necessary in order to protect ZeniZeni’s rights.
6.3 In the event that ZeniZeni does disclose personal information, it shall take all reasonable steps to ensure that the information is protected by the recipient.
6.4 In the event of another party/other parties acquiring all of or a portion of ZeniZeni’s mandate or functions, personal information will be disclosed to that party, but they will be equally obliged to protect personal information in terms of POPI.
7 Consent and Permission to process personal information
7.1 I hereby provide authorisation to ZeniZeni to process the personal information provided for the purpose stated, which purpose has been fully explained to me.
7.2 I understand that withholding of or failure to disclose personal information will result in ZeniZeni’s records being incomplete and may negate any performance on the part of ZeniZeni.
7.3 Where I shared personal information of individuals other than myself with ZeniZeni I hereby provide consent on their behalf to the collection, use and disclosure of their personal information in accordance with this consent provided and I warrant that I am authorised to give this consent on their behalf.
7.4 To this end, I indemnify and hold ZeniZeni harmless in respect of any claims by any other person on whose behalf I have consented, against ZeniZeni should they claim that I was not so authorised.
7.5 I understand that in terms of POPI and other laws of the country, there are instances where my express consent is not necessary in order to permit the processing of personal information, which may be related to police investigations, litigation or where personal information is publicly available. I will not hold ZeniZeni responsible for any improper or unauthorised use of personal information that is beyond its reasonable control.
8 Rights regarding the processing of personal information
8.1 The individual may withdraw consent to the processing of personal information at any time, and should they wish to do so, must provide ZeniZeni’s Information Officer with reasonable written notice to this effect. Please note that withdrawal of consent is still subject to the terms and conditions of any contract that is in place. Should the withdrawal of consent result in the interference of legal obligations, then such withdrawal will only be effective if ZeniZeni agrees to same in writing. ZeniZeni specifically draws attention to the fact that the withdrawal of consent may result in it being unable to provide the requested information and/or services and/or financial or other benefits. Further, please note that the revocation of consent is not retroactive and will not affect disclosures of personal information that have already been made.
8.2 An individual has the right to ask ZeniZeni to amend or delete their personal information on reasonable grounds.
8.3 In order to withdraw consent, or otherwise request an amendment or deletion of personal information, please contact the Administrator at admin@zenizeni.com.
ZeniZeni: POPI and Privacy Policy Page 15 of 15
8.4 Where personal information has changed in any respect, the individual is encouraged to notify ZeniZeni so that our records may be updated. ZeniZeni will largely rely on the individual to ensure that personal information is correct and accurate.
8.5 The individual has the right to access any personal information that ZeniZeni may have in its possession and is entitled to request the identity of any third parties which have received and/or processed such personal information, as well as the details of how that information was collected. Requested information will be provided within a reasonable time but may be declined on reasonable and/or legal grounds.
9 Requesting access and lodging of complaints
9.1 Please submit any requests for access to personal information in writing to ZeniZeni’s Administrator at admin@zenizeni.com.
9.2 With any request for access to personal information, ZeniZeni will require the individual to provide personal information in order to verify identification and therefore the right to access the information.
9.3 There may be a reasonable charge for providing copies of the information requested.
9.4 If any request has not been addressed to satisfaction a complaint may be lodged at the office of the Information Regulator.