POPI
Data Privacy Policy
1. Subject Matter and Scope
The data privacy policy and security standards set forth below (“DPP”) are incorporated into the Services Agreement (“the Agreement”) for the purpose of ensuring any PI (as defined below) collected or utilized by the Breakpoint group of companies (“Breakpoint”) is handled in a manner that is secure and otherwise in accordance with the terms contained herein and applicable laws and regulations, specifically the Protection of Personal Information Act, 4 of 2013 (as amended) (“POPI”).
2. Personal Information
2.1 “PI” or “Personal Information,” means “personal information” as defined in POPI and shall include but not be limited to any medium or form of any kind pertaining to an identified or identifiable natural person or household; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, or other identification number, e-mail address, telephone number, financial profile, credit card information, driver’s license number, or other information that can be reasonably linked to a particular person, computer, or device (e.g., information collected via tracking technologies, such as an IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
2.2 Processing for the purposes of this DPP shall include collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, combining, restricting, erasing or destroying PI.
2.3 The client discloses PI to Breakpoint solely and exclusively for its performance of the Services on the client’s behalf and Breakpoint shall only process the PI for the limited and specific purpose(s) described in the DPP and at the client’s written instructions, and for no other purpose, unless required to do so by statutory provisions or a court order (in which case Breakpoint shall immediately notify the client before doing so, unless prohibited from informing the client by law).
2.4 Breakpoint is prohibited from: (i) selling PI; (ii) retaining, using, or disclosing PI for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the PI outside of the Agreement between the client and Breakpoint.
2.5 Breakpoint acknowledges and confirms that PI is not disclosed as consideration for any Services that are provided to the client under the Agreement. Breakpoint must not sell any PI, and certifies that it understands the rules, requirements, and definitions of POPI, and all restrictions in this DPP. Breakpoint agrees to refrain from taking any action that would cause any transfers of PI to or from Breakpoint to qualify as a sale of personal information under POPI.
2.6 Breakpoint shall immediately notify the client if, in Breakpoint’s opinion, the client’s instruction infringes any applicable data protection laws and regulations.
2.7 Breakpoint shall treat all PI as strictly confidential and it shall inform all its employees, agents and/or approved subcontractors engaged in processing the PI of the confidential nature of the PI, and ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the PI.
2.8 To the extent that Breakpoint receives, maintains, processes or otherwise has access to PI in connection with the services provided to the client under the Agreement, Breakpoint acknowledges and agrees that it is responsible for maintaining appropriate organizational and security measures to protect such PI. Breakpoint shall protect and secure such PI in accordance with all applicable privacy and data protection laws, including but not limited to POPI.
2.9 In the event that Breakpoint becomes aware that it has received the client’s Confidential Information or PI that was not intended for receipt by Breakpoint or authorized to be received by Breakpoint under the Agreement, Breakpoint shall (i) promptly notify the client, and (ii) unless otherwise instructed in writing, retain the information until Breakpoint is contacted by the client with instructions on what to do with such information.
3. Confidentiality
3.1 The client hereby authorizes the collection, use, storage and processing of PI by Breakpoint where the need arises.
3.2 Each Party shall only provide, collect, use, store or process PI:
3.2.1 in compliance with POPI;
3.2.2 as is necessary for the purposes of the Agreement; and
3.2.3 in accordance with the lawful and reasonable instructions of the party providing the PI.
3.3 The client and Breakpoint shall both comply with the security and information protection obligations equivalent to those imposed on them in terms of POPI and other applicable data protection legislation, and failing such legislation, they shall take, implement and maintain all such technical and organizational security procedures and measures necessary or appropriate to preserve the security and confidentiality of the PI in its possession and to protect such PI against unauthorised or unlawful disclosure, access or processing, accidental loss, destruction or damage.
3.4 If Breakpoint processes any personal data on the client’s behalf when performing its obligations under the Agreement, the parties record their intention that the client shall be the data controller and Breakpoint shall be a data processor and in any such case:
3.4.1 The client shall ensure that it is entitled to transfer the relevant PI to Breakpoint so that Breakpoint may lawfully use, process and transfer the PI in accordance with this DPP on the client’s behalf;
3.4.2 The client shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;
3.4.3 Breakpoint shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the client from time to time; and
3.4.4 each party shall take appropriate technical and organizational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.
4. Security Incident Response
4.1 Notification Timing: Breakpoint will communicate any security incident related to Breakpoint services and/or PI to the client immediately after discovery thereof and will provide immediate feedback about any impact this incident may/will have on the client or PI. Breakpoint will give its best effort to notify the client of the security incident immediately after detecting such incident. An incident for the purposes of this DPP shall also include:
4.1.1 Any temporary or permanent, accidental or unlawful, unavailability, loss, destruction, unauthorized disclosure of or access to, theft, or compromise of PI; and
4.1.2 Any breach of the security and/or confidentiality obligations set out in this DPP.
5. Processing PI
5.1 Compliance with Law: To the extent applicable, Breakpoint shall assist the client in its obligations to respond to requests of an individual whose PI is being processed under the Agreement and who wishes to exercise any of their rights under POPI, including (but not limited to): (i) right of access; (ii) right to data portability; (iii) right to erasure; (iv) right to rectification; (v) right to object to automated decision-making; or (vi) right to object to processing.
5.2 Delete/Destroy: Breakpoint shall securely delete/destroy or return all PI and overwrite physical drives used for its storage at any time upon the client’s request or, in the absence of the client’s request, after it has fulfilled the purpose of the Agreement and destroy or return any existing copies of the same to the client.
6. Cookies
6.1 Breakpoint may store or retrieve information on the client’s browser, in the form of cookies, in order to provide a more personalized web experience, including Strictly Necessary cookies, Analytics cookies, Functional cookies and Targeting cookies.
7. Backup
7.1 Breakpoint shall implement such measures that it deems necessary to restore the integrity of its computer systems in the event of a hardware/software failure or physical disaster; and provide a measure of protection against human error or the inadvertent deletion of important files.
8. Liability
8.1 Breakpoint will not be responsible for any direct, indirect, special, incidental or consequential damage or any other damages whatsoever and howsoever caused, arising out of or in connection with the use of Breakpoint’s services, website or web portals or in reliance on the information available on the website or web portals, including but not limited to, any loss of use, lost data, lost business profits, business interruption, personal injury, or any other pecuniary loss, whether the action is in contract, delict (including negligence) or other delictual action.
8.2 Breakpoint shall follow its archiving procedures for PI as may be notified to the client from time to time, as such document may be amended by the client in its sole discretion from time to time. In the event of any loss or damage to PI, the client’s sole and exclusive remedy shall be for Breakpoint to use reasonable commercial endeavors to restore the lost or damaged data from the latest back-up of such data maintained by Breakpoint. Breakpoint shall not be responsible for any loss, destruction, alteration or disclosure of data caused by any third party.