Privacy Policy in terms of the Protection of Personal information Act 

For 

Halfway Group

Incorporating the operating entities as per Annexure A of the Policy 

1. Introduction 

The right to privacy is a basic human right entrenched in the South African Constitution. The importance of the right to privacy is further entrenched with the enactment of the Protection of Personal Information Act 4 of 2013 (“POPIA”). 

POPIA is a comprehensive set of data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests.  POPIA further seeks to regulate every step of the processing of personal information from how personal information must be handled when it is collected until the time it is destroyed.

Given the importance of privacy, the Halfway Group is fully committed to protecting your privacy to ensure that your personal information is collected and processed properly, lawfully, and transparently.

2. Definitions

• Biometrics 

Means a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.

• Child

A natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.

• Competent person

any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.

• Consent 

Any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.

• Data Subject

This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies the organisation with products or other goods.

• De-Identify

This means to delete any information that identifies a data subject, or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the Data Subject.

• Direct marketing

to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –

1. promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or

2. requesting the Data Subject to make a donation of any kind for any reason.

• Electronic communication

Any text, voice, sound, or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

• Information Officer 

The Information Officer is responsible for ensuring the organisation’s compliance with POPIA. Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.

• Operator

A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

• Personal Information

Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to —

1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;

2. information relating to the education or the medical, financial, criminal or employment history of the person;

3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;

4. the biometric information of the person;

5. the personal opinions, views, or preferences of the person;

6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

7. the views or opinions of another individual about the person; and

8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

• Processing

Any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:

1. Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

2. dissemination by means of transmission, distribution or making available in any other form;

3. merging, linking, as well as restriction, degradation, erasure, or destruction of information.

• Responsible Party

A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

• Record 

Means any recorded information, regardless of form or medium, including:

1. Writing on any material;

2. Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

3. Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

4. Book, map, plan, graph or drawing;

5. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.

3. Purpose

This Policy explains how the Halfway Group obtain, use, and disclose personal information, in accordance with the requirements of the Protection of Personal Information Act (“POPIA”).

The Halfway Group aims to ensure that the most updated version of this policy is always made available and assessable to you. To do this, we will ensure that the latest version of this policy is available for download on our website and/or made available on request. 

4. Contact Details 

General information:

Name of Body:    Halfway Group Holdings (PTY) LTD

Registration number:   2015/274007/07

Physical Address:   31 Stevens Road, Park Rynie, 4182

Telephone number:   039 978 7500

Website:    www.halfwaygroup.co.za 

The Information Regulator South Africa

Physical Address:  SALU Building, 316 Thabo Sehume Street, Pretoria 4180

Email Address:    inforreg@justice.gov.za 

Website:   www.justice.gov.za/inforeg/index.html 

5. Scope 

The Scope of this policy include entities in the Halfway Group as provided for in Annexure A. Refer to Annexure A for specific contact details for entities and Information Officers within the Halfway Group. The following entities are expressly excluded from the ambit of this policy: 

• Entities which the Halfway Group holds a minority interest; and

• Entities which are dormant    

6. Why we process your information? 

We collect and process your personal information mainly to provide you with our products and services, and as required by, tax and other legislation. 

We use your personal information to do the following:  

• Identify you or to verify that you are an authorised user for security purposes. 

• Process your requests or instructions. 

• To be able to sell you our products and services.

• Manage the goods and services you purchased from us. 

• Comply with the laws of South Africa. 

• Detect and prevent fraud, money laundering and other malpractice.

• For audit and record keeping purposes 

• Offer other products and services to you. 

7. What Personal Information we process? 

1. Specific Personal Information processed 

We will use your personal information only for the purposes for which it was collected and agreed with you. We will ensure that your personal information is adequate, relevant, and not excessive.  In most instances we collect information directly from you. If information is obtained from a third-party source, we will obtain your express consent to do so.  Where possible, we will inform you what information you are required to provide to us and what information is optional. 

The Halfway Group processes information about the following categories of Data Subjects, including but not limited to: 

2. Information is automatically collected.

When you use any of our digital channels like websites and apps, we receive, and store information generated by your activities (usage data gathered by Cookies) and other information that is automatically collected from your browser or mobile device. Most of this data is generally not personally identifiable. However, some of this data, either alone or when linked with other information, may allow your identity to be discovered. We treat this combined data as personal information, and we protect it accordingly. 

• Cookies are small text files that are created when you view a website. They gather usage data which includes information about the sites you visited, the number of times you visit, the date, time and length of your visit, which products or services you viewed and which areas of the site you visited. We may assign you one or more unique identifiers to help keep track of your future visits.  

• Other information automatically collected may include your IP (Internet protocol) address, browser type and version, preferred language, geographic location, wireless or Bluetooth technology on your device, operating system, and computer platform.

3. Information collected through online advertising.

We use internal and external service providers to help us deliver our banner advertisements and other online communications. 

To understand which types of offers, promotions and advertising are most appealing to our customers, these service providers may collect and use some of your personal information. This information is aggregated and cannot be linked to you. 

• Data aggregation is any process in which information is gathered and expressed in a summary form using specific variables such as age, profession, income and interests.   

• These service providers show our ads on sites on the Internet, and they use the information stored in Cookies based on your prior visits to our website. If you don’t want your personal information to be used in this way, you can opt out of the use of Cookies, by visiting any of the following sites: 

• Google at http://www.google.com/policies/privacy/ads/  

• Network Advertising Initiative at http://www.networkadvertising.org/managing/opt_out.asp  

8. Who do we share your personal information with?

In order to provide our products and services to you, we may share your personal information with: 

• Service providers who are involved in the delivery of products or services to you. We have agreements in place to ensure that they comply with the privacy requirements as required by the Protection of Personal Information Act.

• Entities within the Group. We only do this, in instances where we have received your express consent to do so.

• Insurers, intermediaries, administrators, and Underwriting Managers. 

• Provident Funds and their Trustees and Principal Officers.

• Medical aid companies.

• Recruitment organisations that may collect information on our behalf. 

• Regulators and Law Enforcement Agencies.

• Motor Licencing Bureau.

• Original Equipment Manufacturers (OEMs).

• Banks and other financing Institutions.

• The South African Revenue Service (SARS).

We will also disclose your personal information to fulfil legal obligations that we may have.

9. Information security 

We take every reasonable precaution to protect your personal information (including information about your activities) from theft, unauthorised access and disruption of services. 

Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, and availability. We regularly test our website, data centres, systems, and other assets for security vulnerabilities.

Our security policies and procedures cover:

• Physical and environmental security controls.

• Network security.

• Protection from viruses and other malware.

• Restricted access and password control to personal information.

• Secure communications (email encryption).

• Secure remote working (VPN access only to the networks).

• Acceptable usage of IT equipment and mobile devices (Exit and entry procedures for staff).

• Clean Desk Policy.

• Lockable cabinets for physical storage of records with restricted access.

• IT disaster recovery and backup procedures.

• Training and awareness initiatives.

• Retention and disposal of information (Shred it).

• Cyber Security Incident Response.

• Active monitoring and review of the IT and business environment.

When we contract with third parties, we impose appropriate security, privacy, and confidentiality obligations on them to ensure that personal information that we remain responsible for, is kept secure. We will ensure that anyone to whom we pass your personal information agrees to treat your information with the same level of protection as we are obliged to.

10. Planned transborder flows of information.

The Halfway Group make use of hosted services provided by third parties. These operations may be hosted in various countries resulting in the transfer of personal information. 

In general, we try as far as possible to ensure that these service providers are located in jurisdictions with strong data protection legislation, such as the European Union or the United Kingdom. Where this is not possible, data protection requirements are enforced by means of contractual agreement. 

11. Duration for which personal information will be kept.

We will only retain your personal information for a period necessary to achieve the intended purpose unless – 

• Retention is required or authorised by law.

• Retention is required by the Halfway Group for lawful purposes related to its function or activities.

• Retention is required by a contract between the parties.

• You have consented to the retention of the record.

• Retention is required for historical, statistical and research purposes.

We will ensure in the aforementioned scenarios that appropriate safeguards against the records being used for any other are purpose are in place. 

12. Deletion or destruction of personal information

We will ensure that personal information is deleted, destroyed and de-identified as soon as reasonably practicable after the Halfway Group is no longer authorised to retain the personal information. 

We will ensure that the destruction or deletion of the personal information is done in a manner that prevents its reconstruction in an intelligible form.  

13. Notification of Data Breaches

Every attempt has been made to ensure that your personal information is safe and secure. In the event of a data or security breach which affects you, we are under a legal obligation to notify you as well as any impacted entity of this breach together with the measures we will be taking to mitigate any losses or damages. 

Depending on the nature and severity of the breach, we will use the following communication channels to notify you of the breach: 

• Telephone call.

• Email. 

• SMS.

• Media release. 

Notification of breach (1st notification) will be issued within 24 hours of detection of the breach.

14. Information Quality

We take all reasonable steps to ensure that your personal information is complete, accurate, not misleading and updated where necessary. Please make sure that we always have your latest contact details.

15. Rights of Data Subjects 

Where appropriate, the Halfway Group will ensure that its customers, directors, employees, and service providers are made aware of the rights conferred upon them as data subjects.

Where you are required to fill or complete any forms in relation to a request for access, amendment, objection, and deletion of record of your personal information, the Halfway Group will render such reasonable assistance as necessary free of charge to enable you to complete the required forms. 

1. The Right to access Personal Information.

The Halfway Group recognises that you have a right to establish whether the Halfway Group holds personal information related to you including the right to request access to that personal information.

If you wish to request access to your personal information, you must submit a request to the Information Officer or Deputy Information Officer of Entity within the Halfway Group to which the request pertains by completing Annexure B, the “Personal Information Request Form”. 

2. The Right to Object to the Processing of Personal Information

You have a right, on reasonable grounds, to object to the processing of your personal information.

If you wish to object to processing of your personal information, you must submit a request to the Information Officer or Deputy Information Officer of the entity within the Halfway Group to which the request pertains by completing Annexure C.

In such circumstances, the Information Officer or Deputy Information Officer of the entity within the Halfway Group will give due consideration to the request and the requirements of POPIA. The Entity may cease to use or disclose your personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of your personal information.

3. The Right to have Personal Information Corrected or Deleted

You have the right to request, where necessary, that your personal information must be corrected or deleted where the Halfway Group is no longer authorised to retain the personal information.

If you wish to request a correction or deletion of your personal information or the destruction or deletion of a record of your personal information, you must submit a request to the Information Officer or Deputy Information Officer of the entity within the Halfway Group to which the request pertains by completing Annexure D. 

4. The Right to change your marketing preferences. 

We like to keep our customers informed of the latest products and services offered by us and our service providers. When you buy a new product or service from us, we will ask you what your marketing preferences are. 

If you do not want to receive marketing from us, you can change your preference by using the “opt out” function or the “unsubscribe option”, alternatively you can contact the Information Officer of the Entity within the Halfway Group. Contact details for the relevant Information Officer can be found on Annexure A of this policy. 

Remember that even if you choose not to receive marketing from us, we will still send you communications about your current (product/vehicle etc.).

16. Request access to personal information procedure

You may ask us to access, change or remove your personal information from our records. Where legislation allows, we may charge an administrative fee, but we will always inform you of any cost before performing your request.

Any of the aforementioned requests, can be made via email, on the applicable form mentioned above. The email must be addressed to the Information Officer of the Entity within the Halfway Group to which your request pertains to.  Contact details for the relevant Information Officer can be found on Annexure A of this document. 

Once the completed form has been received, the Information Officer will verify the identity of the Data Subject prior to handing over any personal information.

The Information Officer will endeavour to process all requests within a reasonable time.

17. Complaints

You may submit a complaint to the Entity within the Halfway Group to which your complaint pertains to. You may address your complaint via email using the requisite Annexure E. Your complaint must be addressed to the Information Officer of the Entity within the Halfway Group. Contact details for the relevant Information Officer can be found on Annexure A of this policy.

You have the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of your personal information.

In addition, where we are unable to resolve your complaint, to your satisfaction you also have the right to lodge a complaint with the Information Regulator. You may do so, by submitting the completed Annexure F to the Information Regulator. The details for the Information Regulator can be found in Section 4 of this document. 

18. Duties of Information Officers

This policy refers to the term Information Officer and Deputy Information Officer interchangeably. The Information Officer or Deputy Information Officer is a person/s appointed by the entity to ensure compliance with the POPI Act within the entity. A high-level summary of their duties are as follows: 

• Development of internal measures to process a request for access to information.

• Monitoring of data security & safeguards.

• Implementation of POPIA requirements within the entity.

• Training and awareness.

• Responding to and action of requests from Data Subjects. 

• Work with the Information Regulator on investigations.

• Reporting and notification of security breaches.

• Make available copies of the Promotion of Access to Information Manual to customers.

For the purposes of this policy, the Information Officer/Deputy Information Officer is only responsible for the duties listed above in relation to the entity for which s/he has been appointed and therefore only assumes responsibility for the personal information within that Entity.  

In addition, it is specifically recorded that the Information Officer for Halfway Group Holdings (PTY) LTD is only responsible for personal information held in relation to the company secretarial function for this company.

19. Conclusion 

We reserve the right to amend this Policy from time to time, and you agree that you will review the terms of this Policy whenever you visit our website for any such amendments. 

This Policy will be governed by and construed and interpreted in accordance with the laws of the Republic of South Africa. 

Please ensure that you have read and understood the terms and conditions of this Policy before you provide us with your personal information.

20. Policy Review 

The Policy will undergo a full review on, at least, an annual basis. 

If during the ordinary course of business, the Halfway Group acquires and/or incorporates another business, Annexure A will be updated separately by the Company Secretary, with amendment ratified by the Board at the next appropriate meeting or at least on an annual basis. 

Annexure A