PRIVACY POLICY
CAUTION
Please note that this addendum is not intended to supplant any existing privacy policy that may be in place; rather, it supplements it.
PURPOSE
As explained in the original communication distributed by SATSA on my behalf, vetting the policies that members may have would have been too time-consuming and expensive, hence the concept of the four (4) addendums, i.e. to supplement in each case the existing policies and contracts that members may have in place.
The addendums are not intended to be used as an alternative to the policy or contract to which each is envisaged and intended to be an addendum; each supplements an existing document.
However, any member that does not have such an existing document is free to approach me about such a template, the prices of which have been reduced (as is the case with these addendums) due to Covid-19 and the depressed state of tourism.
The content is aimed at (succinctly) addressing the privacy issues (vis-à-vis clients/the public) introduced by the Protection of Personal Information Act (4/2013) (‘POPI’).
CONTENT
LEGISLATION
There are many statutes addressing privacy, including the following: the Electronic Communications and Transactions Act, Act 25 of 2002 (‘ECTA’); the Promotion of Access to Information Act, Act 2 of 2000 (‘PAIA’); the Consumer Protection Act, Act 68 of 2008 (‘CPA’); the Protection of Personal Information Act, Act 4 of 2013 (‘POPIA’); and, in the case of residents of the European Community (‘the EC’), the General Data Protection Regulations of 2018 (‘the GDPR’). However, this addendum will focus in the main on the privacy aspects of the CPA, POPIA and GDPR, which are collectively referred to herein as ‘the Privacy Legislation’.
DEFINITIONS
Words and phrases used in this document are intended to have, and must be interpreted to have, the meanings ascribed to them in the Privacy Legislation.
CONSENT & PROCESSING
You are, by using our Website, deemed to grant us your ‘express voluntary specific and informed’ consent to ‘process’ and ‘further process’ your ‘personal information’ (such as your name, surname, address) and, where applicable, your ‘special personal information’ (such as religious beliefs, race, political persuasion, health and biometric information) (collectively referred to herein as ‘your Information’) for the purposes of any business you may now or in future transact with us, and to disclose your Information to any of the parties we engage to provide products and services to you (‘the Third Parties’).
PROCESSING
The primary reason we collect and share your Information is so that we can provide you with the services and/or products you have requested.
The secondary reason is so that we can (1) improve our service to you; (2) customize our service where requested, required or where it is appropriate to do so; (3) advise you of any changes (e.g. in your itinerary) or specials from time to time; (4) carry out analytics (profiling): we do this ourselves or by utilizing the services of third parties. This entails using your Information to ascertain trading patterns. For example, we may determine which websites you have come from/are going to, the browser you may be using, the identity of your device and your IP address. However, identifying elements will be removed (or, as provided for in the POPIA, ‘de-identified’) and encryption will be implemented to protect your Information (see also ‘Cookies’ below).
When we engage Third Parties in the service delivery process, we have to share your Information with them but it will only be to such Third Parties as have been disclosed to you and pertaining to the services and/or products you have requested. We will also ensure that such Third Parties are compliant with the Privacy Legislation or the equivalent in their country.
RIGHTS afforded you in the Privacy Legislation – We respect and will honour these rights – these RIGHTS are:
- Subject to certain exceptions (see ‘Exceptions’ below) we always have to obtain your Information from you personally
- We are not allowed to process your Information unless we have your ‘informed, specific and voluntary consent’
- We are obliged to advise you of the purpose for which we will be processing your Information and of the Third Parties with whom we will be sharing it.
- You can call upon us at any time to do one or more of the following regarding your Information: amend; update; delete. We are obliged in the case of the latter to provide you with proof that we have done so.
- Direct marketing (see below): we are obliged to obtain your consent and to advise you each time of your right to ‘opt out’/‘unsubscribe’
- You are entitled to enquire at any time about the steps we’ve taken to ensure that our safeguards pertaining to the protection of your Information meet the requirements of the Privacy Legislation.
- You may require of us to restrict the processing of your Information
- You can lodge complaints: (1) via the relevant section of our website; (2) with our Information Officer (see our website) and/or (3) with the POPIA Information Regulator.
- You are entitled to be informed, and we are obliged to inform you, when our security has been breached (POPIA: ‘as soon as reasonably possible’ and GDPR: within 72 hours)
EXCEPTIONS, i.e. when we do not require your consent for ‘processing’:
- You (the ‘data subject’) have made your Information public;
- Your Information is a matter of public record, i.e. it is ‘in the public domain and under the control of a public body;’
- We are complying with an obligation imposed by law;
- It involves compliance with court proceedings
- It involves national security
- It is being used for historic, statistical or research purposes provided it is in the public interest or obtaining your consent is difficult
- It is for use in any form of journalism, provided such activity is governed by a code of conduct that has adequate safeguards – a balance must be struck between your right to privacy and the freedom of expression
- Your Information has been ‘de-identified’, i.e. so that the identities of the parties cannot be determined (also sometimes referred to as ‘pseudonymisation’)
- We are doing so in pursuit of a legitimate interest of ours or the Third Party to whom it is being disclosed
STORAGE
- Your Information will not be stored longer than is reasonably required for us to complete the purposes for which it is being processed
- However, we may retain your Information for longer periods if required, e.g. for taxation purposes, or if you have requested us to do so and have provided us with the requisite consent. The latter may be the case when you are a repeat customer and retaining some of your personal preferences, such as twin/double bed and meal preferences, will assist us in providing you with a more efficient service for future bookings.
DIRECT MARKETING (‘DM’)
- DM is defined as ‘approach(ing) a person, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the person’
- ‘Electronic communication’ is defined as ‘communication by means of electronic transmission, including by telephone, fax, sms, wireless computer access, email or any similar technology or device’
- DM may only be addressed to you if you are our customer, we’ve obtained your ‘consent’ specifically or it was obtained in the process of a sale of goods and/or services and at the time of the sale*
- The DM must pertain to goods and/or services that originate from us and are similar to those in the previous sale*
- Each DM must provide you with the opportunity to opt out/unsubscribe and doing so must be at our expense.
- The purpose is not only to keep you informed but to link it to preferences
- Note that DM does not mean or relate to your existing booking
- We are furthermore required to only approach you with DM within the timeframes specified in the CPA.
COOKIES
- Cookies are used to achieve two goals. The first is to provide us with the capability to personalize information for certain segments of our customer base. Secondly, in some instances, cookies are used to allow us the opportunity to associate individual customers with their information profiles.
- A cookie is a series of data characters that, when programmed into a website, is placed by the web server into the browser’s application folder on your computer. Once placed onto your machine, the cookie will allow the website to “recognize” you as a unique individual.
- ‘Yes’, cookies can be removed from your hard drive. Also, depending on what type of web browser and what browser version you are using, you may be able to change the properties on your cookie file so that cookies are not used or saved. Please check with your browser provider for more information on removing cookies.
- You can also prevent your browser from accepting new cookies.
- As with ‘processing’ we require your ‘consent’ prior to implementing Cookies on our website, unless doing so is strictly necessary for carrying out our basic functions in complying with the services we’ve undertaken to provide you with. You will be deemed to have given such ‘consent’ by using our website but we will always provide you with an ‘Opt out’ option.
SECURITY
- We have carried out a data protection impact assessment which entailed a ‘systematic and extensive evaluation of our processes and current safeguards’
- This assessment addressed, amongst others, how and when we process your Information and when such processing may present (internal and external) security risks, including the origin, nature, likelihood (foreseeability) and severity (extent) of such risk.
- Based on the report by the experts who carried out this assessment, we have implemented ‘appropriate, reasonable and organizational measures’ to (1) ‘ensure the integrity and confidentiality’ of the Information; (2) ‘prevent the loss of, damage to or unauthorized destruction or access to or processing’ of your Information; (3) anticipate and identify the aforesaid risks; (4) maintain, monitor and update these safeguards on an ongoing basis
- These measures will meet the most stringent of ‘generally accepted information security practices’ and/or ‘specific industry or professional rules and regulations’
- These measures include amongst others encryption; controlling privileges of users; destroying your Information when no longer required; regular audits; back-ups; emergency incident strategies.
- We will carry out regular data protection impact assessments on an ongoing basis.