- Our PoPI Principles
- Our Approach to PoPI
- Data Breaches
- Data Subject Rights
- What We Have Done
- Contact Person/s
- Changes to this Statement
- Document Classification
The Protection of Personal Information Act (PoPI) is South Africa’s equivalent of the EU GDPR, and officially commenced on 1 July 2021. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons).
The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making such personal information available. The Act will also relate to records which you already have in your possession.
The purpose of this public corporate statement is to highlight and demonstrate to our customers the measures we have put in place to ensure compliance with PoPI where we hold or process personal data on your behalf.
2. Our PoPI Principles
- We will process personal data fairly and lawfully.
- We will only process personal data for the lawful reasons we say we do.
- We will ensure we hold relevant and accurate data and keep it up to date wherever possible.
- We will not store or hold personal data for longer than is necessary to fulfil our contractual obligations with our customers.
- We will keep all personal data secure using modern, best practice techniques and technologies.
- We will ensure personal data is not transferred to countries outside of South Africa without adequate safeguards in place.
- We do not conduct business with children and do not knowingly hold or process children’s personal data.
3. Our Approach to PoPI
Personal information can only be processed:
- with the consent of the “data subject”; or
- if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
- it is required by law; or
- it protects a legitimate interest of the “data subject”; or
- it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
You have the right to object to having your personal information processed. You can withdraw your consent, or you can object if you can show legitimate grounds for your objection.
A Responsible Party has to collect personal information directly from the “data subject”, unless:
- This information is contained in some public record or has been deliberately published by the data subject.
- collecting the information from another source does not prejudice the subject;
- it is necessary for some public purpose; or to protect your own interests;
- obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.
- A data processor for our customers (the data controller).
- A data controller of our customer and supplier contact information which we hold and process to fulfil our contracts, manage customer requests and help people who come to our website.
- A data controller for our employees, holding and processing their personal information.
As part of our preparation process for PoPI, we continue to review and update all of our internal processes, procedures, policies, documentation and systems. We will be complying with PoPI as a data processor and controller and we have been working with our suppliers and third party vendors to ensure that collectively we can meet our obligations and your requirements.
Throughout our journey to PoPI compliance we have been working closely with independent experts and advisors to ensure we have the expertise needed to comply with the regulation. We view PoPI as a continual project which will require monitoring, improvement and management over time.
At Lumi we treat information security with the utmost importance and we are already aligned with a number of industry best practice standards that concentrate on cyber security such as ISO/IEC 27001 and PCI-DSS.
With regards to our customers, third party suppliers or vendors and any sub-processors - We have been working closely with all parties to ensure their compliance too. Contracts and agreements have been reviewed and we ensure that the necessary organisational and technical controls, policies and procedures are in place so that we are satisfied with the confidentiality, integrity and availability of your data.
4. Data Breaches
A ‘data breach’ is not defined in PoPI, but it generally refers to the access or acquisition of personal information by an unauthorised person. Where a data breach occurs, there exists an obligation on the responsible party to report the breach to (i) the Information Regulator; and (ii) the affected data subject (subject to certain limitations).
The notification must be made in writing as soon as reasonably possible after the discovery of the data breach. The notification must provide the data subject with sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach.
Non-compliance with the obligation to notify is a breach of PoPI and may, upon conviction of certain offences, lead to imprisonment, a fine, or both. To the extent that there are notification or other obligation in contract, an organisation must ensure adherence thereto to avoid a contractual breach.
In the event of a data breach, we would aim to provide our customer with the following;
- A description of the nature of the breach.
- Contact information for the person responsible for data protection.
- Any likely consequences or risks of the breach.
- Measures taken and proposed to limit any harmful effects or risks to individuals.
5. Data Subject Rights
Everyone has the right to be informed if someone is collecting their personal information, or if their personal information has been accessed by an unauthorised person. In addition, they have the right of access to their personal information and to require that personal information be corrected or destroyed, or they may object to their personal information being processed.. Lumi is committed to working closely with its customers on whose behalf we hold and process data. Through this collaboration we can best determine how to manage;
- Handling data access requests
- Retention periods
- Rectifying data
- Secure erasure/destruction of data
- Data portability requests
6. What We Have Done
As mentioned above, we now treat PoPI as an everyday part of Lumi life. In this section we’ve included some of the measures we have already taken or continue to take and the work we have completed on our road to compliance.
- We have reviewed and amended contracts in place with customers, suppliers, any sub-processors and third party vendors. As mentioned above, we work closely with these bodies to ensure they meet their PoPI obligations too.
- We have assessed our legal bases for holding and processing data to ensure it is processed lawfully, fairly and transparently.
- We continue to regularly review and update our processes, procedures and policies.
- Our staff are briefed, trained and awareness continues to grow. All of our employees are increasingly aware of their corporate responsibilities and new employees are trained as part of the induction process.
- We have completed, and continue to receive, data privacy impact assessments and welcome any customer to contact us with their own.
- The technology we use to carry out our business evolves continually, and we regularly review and analyse our platforms to ensure they meet required standards we commit to.
- We have appointed an Information Officer and a Deputy Information Officer, as required by PoPI.
- As systems change and update all the time, we continue to audit the information which flows through Lumi and map the data to identify what personally identifiable information we hold and process, and where.
- We are improving our cyber security and are implementing an ISMS to accredited ISO/IEC 27001 certification.
- We are much clearer about getting consent with those who can visit our website or those who request help through channels such as our support function or live chat team.
- As a business-to-business organisation, we were not required to re-permission our marketing base, however we have looked at those who had not been active for over a year and asked for them to re-consent.
7. Contact Person/s
Information Officer, South Africa:
Deputy Information Officer, South Africa:
9. Changes to this Statement
To keep you updated on how we comply with legislation, we may update this statement from time to time, which will always be published here on our website.
10. Document Classification
This Lumi document has been classified as ‘Public’. This means that Lumi has deemed that the information contained herein is freely available outside of the business or is intended for public use.