Privacy Policy

This Privacy Policy explains how we obtain, use and disclose your personal information, in accordance with the requirements of the Protection of Personal Information Act No 4 of 2013.

At Herold Gie and Broadhead Inc., we are committed to protecting your privacy and to ensure that your personal information is collected and used properly, lawfully and transparently.

1. DEFINITIONS

In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings–

1.1 “Child” means any natural person under the age of 18 (eighteen) years;

1.2 “Company” means Herold Gie and Broadhead Inc., with registration number: 1985/000891/21, and having its registered address at Wembley 3, 80 McKenzie Street, Cape Town, Western Cape, 8001;

1.3 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of the Company;

1.4 “Data Subject” has the meaning ascribed thereto under POPIA;

1.5 “Employee(s)” means any employee of the Company;

1.6 “Government” means the Government of the Republic of South Africa;

1.7 “Operator” means a person or entity who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;

1.8 “PAIA” means the Promotion of Access to Information Act, No 2 of 2000;

1.9 “Personal Information” has the meaning ascribed thereto under POPIA and specifically includes any form of information that can be used to identify a Data Subject;

1.10 “Policy” means this Website Privacy Policy;

1.11 “POPIA” means the Protection of Personal Information Act No. 4 of 2013;

1.12 “Processing” has the meaning ascribed thereto under POPIA. “Process” has a corresponding meaning;

1.13 “Regulator” means the Information Regulator established in terms of POPIA;

1.14 “Responsible Party” means a public or private body or any other person which alone or in conjunction with others determines the purpose of and means for Processing Personal Information;

1.15 “Special Personal Information” means Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour; and

1.16 “Third Party” means any independent contractor, agent, consultant, sub-contractor or other representative of the Company.

2. PURPOSE OF THIS POLICY

2.1 The purpose of this Policy is to inform Data Subjects about how the Company Processes their Personal Information.

2.2 The Company in its capacity as Responsible Party and/or Operator where applicable shall observe and comply with its obligations under POPIA as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

2.3 This Policy applies to Personal Information collected by the Company in connection with the services which the Company provides. This includes information collected directly from you as a Data Subject as well as information the Company collects indirectly through its service providers who collect your information on its behalf.

2.4 This Privacy Policy does not apply to the information practices of Third Party companies with whom the Company may engage in relation to its business operations (including, without limitation, their websites platforms and/or applications) that the Company does not own or control; or individuals that the Company does not manage or employ. These Third Party sites may have their own privacy policies and terms and conditions and the Company encourages you, as the Data Subject, to read them before using them.

3. PROCESS OF COLLECTING PERSONAL INFORMATION

3.1 The Company collects Personal Information directly from Data Subjects as and when required for a defined purpose, unless an exception is applicable (such as, for example, where the Data Subject has made the Personal Information public, or the Personal Information is contained in or derived from a public record).

3.2 The Company will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

3.3 The Company often collects Personal Information directly from the Data Subject and/or in some cases from Third Parties. Where the Company obtains Personal Information from Third Parties the Company will ensure that it obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject’s consent where the Company is permitted to do so in terms of clause 3.1 above or the applicable law.

4. LAWFUL PROCESSING OF PERSONAL INFORMATION

4.1 Where the Company is the Responsible Party, it will only Process a Data Subject’s Personal Information (other than for Special Personal Information) where –

4.1.1 consent of the Data Subject (or a competent person, where the Data Subject is a Child) is obtained;

4.1.2 Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;

4.1.3 Processing complies with an obligation imposed by law on the Company;

4.1.4 Processing protects a legitimate interest of the Data Subject;

4.1.5 Processing is necessary to pursue the legitimate interests of the Company or of a Third Party to whom the information is supplied.

4.2 The Company will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above are present.

4.3 The Company will make clear to the Data Subject the manner and reason for which the Personal Information will be Processed.

4.4 Where the Company is relying on the consent of the Data Subject as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to the Company Processing of the Personal Information at any time. Such withdrawal or objection by the Data Subject shall not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or objections, nor any Processing justified by any other legal ground provided under POPIA.

4.5 If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, the Company will ensure that the Personal Information is no longer Processed.

5. RIGHTS OF DATA SUBJECTS

5.1 Data Subjects have the right to know what Personal Information the Company has about the Data Subject, to correct it and to opt out of any marketing, as detailed below.

5.2 Data Subjects have the right to:

5.2.1 enquire with the Company as to what Personal Information is held by the Company about the Data Subject;

5.2.2 enquire with the Company what Personal Information was sent to the Company’s suppliers, service providers or any other Third Party;

5.2.3 request the Company to update, correct or delete any out-of-date or incorrect Personal Information held by the Company about the Data Subject;

5.2.4 unsubscribe from any direct marketing communications that the Company may send to the Data Subject; and

5.2.5 object to the processing of the Data Subject’s Personal Information.

5.3 Should the Data Subject require the Company to delete all Personal Information held by the Company about the Data Subject, the Company reserves the right to terminate all agreements that the Data Subject has with the Company, as the Company cannot maintain its relationship with the Data Subject without having some of the Data Subject’s Personal Information.

5.4 The Company also reserves the right to refuse to delete a Data Subject’s Personal Information if the Company is required by law to keep it or if the Company requires it to protect its rights.

6. STORAGE AND PROCESSING OF PERSONAL INFORMATION BY THE COMPANY AND THIRD PARTY SERVICE PROVIDERS

6.1 The Company may store the Data Subject’s Personal Information in hardcopy format and/or in electronic format using the Company’s own secure on-site servers or other internally hosted technology. The Data Subject’s Personal Information may also be stored by Third Parties, via cloud services or other technology, with whom the Company has contracted with, to support the Company’s operations

6.2 The Company’s Third Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

6.3 The Company will ensure that such Third Party service providers will Process the Personal Information in accordance with the provisions of this Policy and all other relevant internal policies and procedures and POPIA.

6.4 The Company will ensure that such Third Party service providers do not use or have access to the Personal Information of the Data Subject except for the purposes specified by the Company, and the Company requires such parties to employ at least the same level of security that the Company uses to protect the personal data of the Data Subject.

6.5 Personal Information may be Processed in South Africa or another country where the Company, its affiliates and their Third Party service providers maintain servers and facilities and the Company will take steps including by way of contracts to ensure that Personal Information continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law, including POPIA.

7. RETENTION OF PERSONAL INFORMATION

7.1 The Company may keep records of the Personal Information, correspondence, or comments it has collected in an electronic or hardcopy file format.

7.2 In terms of POPIA, the Company may not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or Processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as it is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –

7.2.1 where the retention of the record is required or authorised by law or by any Government authority;

7.2.2 the Company requires the record to fulfil its lawful functions or activities;

7.2.3 retention of the record is required by a contract between the parties thereto;

7.2.4 the Data Subject (or competent person, where the Data Subject is a Child) has consented to such longer retention; or

7.2.5 the record is retained for historical, research, archival or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, the Company will, subject to the exceptions noted in this Policy, retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by applicable law.

7.3 Where the Company retains Personal Information for longer periods for statistical, historical, archival or research purposes, the Company will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and applicable laws.

7.4 Once the purpose for which the Personal Information was initially collected and Processed no longer applies or becomes obsolete, the Company will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information. In instances where the Company de-identify the Data Subject’s Personal Information, the Company may use such de-identified information indefinitely.

8. SAFE-KEEPING OF PERSONAL INFORMATION

8.1 The Company shall preserve the security of Personal Information and prevent its alteration, loss and damage, or access by non-authorised third parties.

8.2 The Company will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of Personal Information.

8.3 The Company has implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry specific requirements or professional rules) to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification. Further, THE COMPANY maintains and regularly verifies that the security measures are effective and regularly updates same in response to new risks.

9. INFORMATION DISCLOSURE

9.1 Notwithstanding anything to the contrary in this Policy, the Company reserves the right to disclose any Personal Information about a Data Subject if the Company is required to do so by law, and/or if the Company believe that such action is necessary to:

9.1.1 fulfil a Government request;

9.1.2 conform with the requirements of the law or legal process;

9.1.3 protect or defend the Company’s legal rights or property, its website, or other users; or

9.1.4 in an emergency to protect the health and safety of its website’s users or the general public.

10. BREACHES OF PERSONAL INFORMATION

10.1 A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

10.2 A Data Breach can happen for many reasons, which include: (a) loss or theft of data or equipment on which Personal Information is stored; (b) inappropriate access controls allowing unauthorised use; (c) equipment failure; (d) human error; (e) unforeseen circumstances, such as a fire or flood; (f) deliberate attacks on systems, such as hacking, viruses or phishing scams; or (g) alteration of Personal Information without permission and loss of availability of Personal Information.

10.3 The Company will address any Data Breach in accordance with the terms of POPIA.

10.4 The Company will notify the Regulator and the affected Data Subject (unless the applicable law or a Government authority requires that the Company delays notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of the Personal Information of the Data Subject.

10.5 The Company will provide such notification as soon as reasonably possible after it has become aware of any Data Breach in respect of the Personal Information of the Data Subject.

10.6 Where the Company acts as an ‘Operator’ for purposes of POPIA and where any Data Breach affects the data of the Data Subject whose information the Company Processes as an Operator, the Company shall (in terms of POPIA) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of the relevant Data Subject has been accessed or acquired by any unauthorised person.

11. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS

11.1 The Company may disclose Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process Personal Information in accordance with the provisions of this Policy and POPIA.

11.2 The Company notes that such Third Parties may assist the Company with the purposes listed in paragraph 5.3 above – for example, Third Parties may be used, inter alia,

11.2.1 for data storage;

11.2.2 to assist the Company with auditing processes (external auditors);

11.2.3 for providing outsourced services to the Company, including in respect of its (i) legal, (ii) data storage requirements and (iii) upskilling of its Employees;

11.2.4 to notify the Data Subjects of any pertinent information concerning THE COMPANY.

11.3 The Company will disclose Personal Information with the consent of the Data Subject or if the Company is permitted to do so without such consent in accordance with applicable laws.

11.4 The Company may send Personal Information to a foreign jurisdiction outside of the Republic of South Africa including for Processing and storage by Third Parties.

11.5 When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa including to any cloud, data centre or server located outside of the South Africa, the Company will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information where the Company is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under POPIA.

11.6 Processing of Personal Information in a foreign jurisdiction and to the extent such Processing does occur, may be subject to the laws of the country in which the Personal Information is held and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

12. USE OF TECHNOLOGIES

12.1 Various technologies may be used on the Company’s website in order to make it more user-friendly, effective and secure. Such technologies may lead to data being collected automatically by the Company. Examples of such technologies are as follows:

12.1.1 The Company’s website uses cookies, which are small text files sent by a web server to store on a web browser. They are used to ensure websites function properly, store user preferences when needed and collect anonymous statistics on website usage.

12.1.2 The Company’s website may also contain electronic image requests (called a single-pixel gif or web beacon requests) that allows the Company to count page views and to access cookies. Any electronic image viewed as part of a web page can act as a web beacon. The Company’s web beacons do not collect, gather, monitor or share any of the Data Subject’s Personal Information. The Company merely uses them to compile anonymous information about its website.

12.1.3 A visit to the Company’s website results in data that is transmitted from the Data Subject’s browser to the Company’s server being automatically collected and stored by the Company or by third parties on behalf of the Company. This data can include, in particular, the following:

• the visitor’s IP address
• the date and time of the visit
• the referral URL (the site from which the visitor has come)
• the pages visited on our website
• information about the browser used (browser type and version, operating system, etc).

12.1.4 The Company’s website also uses a special form of cookie that is the so-called flash cookie. In contrast to normal cookies, these cookies are not created and saved by the browser but are governed by the Adobe Flash plug-in. These can contain more information than normal cookies and cannot be deleted or disabled via the web browser; this is only possible using tools such as the Adobe Flash Player website.

12.1.5 Web analytics is the term given to a method for collecting and assessing the behaviour of visitors to websites and (mobile) applications. This includes the analysis of traffic patterns in order, for example, to determine the frequency of visits to certain parts of a website or (mobile) application, or to find out what information and services our visitors are most interested in. For these purposes, the Company primarily makes use of click-stream data and the other techniques listed above. Web analytics are carried out by the Company and/or other selected parties.

12.1.6 When a Data Subject visits the Company’s website, the Company may collect information, such as the Data Subject’s IP address, the name of the Data Subject’s ISP (Internet Service Provider), the Data Subject’s browser, the website from which the Data Subject visits the Company, the pages on the Company’s website that the Data Subject visits and in what sequence, the date and length of the Data Subject’s visit, and other information concerning the Data Subject’s computer’s operating system, language settings, and broad demographic information. This information is aggregated and anonymous data and does not identify the Data Subject specifically. However, the Data Subject acknowledges that this data may be able to be used to identify the Data Subject if it is aggregated with other Personal Information that the Data Subject supplies to the Company. This information is not shared with third parties and is used only within the Company on a need-to-know basis. Any individually identifiable information related to this data will never be used in any way different to that stated above, without the Data Subject’s explicit permission.

12.2 The Data Subject may also provide additional information to the Company on a voluntary basis (optional information). This includes content or products that the Data Subject decides to upload or download from the Company’s website or when the Data Subject enters competitions, takes advantage of promotions, responds to surveys, orders certain additional goods or services, or otherwise uses the optional features and functionality of the Company’s website.

12.3 The Data Subject may refuse to accept cookies by activating the setting on its browser which allows it to refuse the setting of cookies. However, if selected this setting may prevent the Data Subject from accessing certain parts of the website. Unless a browser setting is adjusted so that it will refuse cookies, the system will issue cookies when one logs on to the website. If a “cookie” is accepted or there is a failure to deny the use of “cookies”, the Data Subject agrees that it is the Data Subject’s Personal Information collected using “cookies” and may be used (subject to the provisions of this Policy). Where the Data Subject either rejects or declines cookies, the Data Subject may not be able to fully experience the interactive features of the website.

13. CHANGES TO THIS POLICY

13.1 The Company reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify the Data Subject of such amendments.

13.2 The current version of this Policy will govern the respective rights and obligations between the Data Subject and the Company each time that the Data Subject accesses and uses the Company’s site.

14. DATA SUBJECT ACCESS REQUESTS

14.1 All Data Subjects are entitled to request information from the Company pertaining to the Data Subject’s Personal Information that is held by the Company.

14.2 All requests for information should be made in writing by the Data Subject to the Company. the Company will furnish the Data Subject with the requested information within 21 (twenty-one) days from the date of receipt of the written request by the Company.

14.3 Prior to furnishing the Data Subject with the requested information, the Company will first have to verify the identity of the Data Subject.

15. POLICY REVIEW

The Company has pledged to adhere to the fundamental principles of Data Protection and considers the privacy policy as being binding in nature. These procedures will be reviewed annually and may also be reviewed in the light of new legislation or incident that may occur related to this policy. The Company will not restrict your rights granted in accordance with this privacy policy without your explicit consent.

16. CONTACT DETAILS

16.1 If you have any queries about this notice; you need further information about our privacy practices; wish to withdraw consent; exercise preferences or access or correct your personal information, please contact us at the numbers/addresses listed on our website.

16.2 Our Information Officer contact details are:

Name: Tanya Roodman

Address: 3 Wembley, 80 McKenzie Street, Cape Town, 8001, South Africa

Tel: 021-464 4700

Email: troodman@heroldgie.co.za