A new word on everyone’s lips is POPIA, short for the Protection of Public Information Act. Its original deadline was a year ago, and it has been extended to 30 June 2021.
Working with restaurant clients, which collect public information when recording Covid-compliant diner temperatures, names, email addresses, and cell phone numbers, it became clear to me that restaurants need to comply with the Act by 1 July, failing which they can face a fine of up to R10 million.
It is hard to find any information about the Act as it pertains to restaurants specifically, most entries I found on Google being legal firms selling their services to guide businesses in general in becoming POPIA compliant.
What I have learnt about the POPIA so far is the following:
- All personal information about clients, suppliers, and employees is covered
- An Information Officer needs to be appointed
- Persons about whom information is already held or is collected regularly must give permission to supply the information and for it to be held
- Persons from whom data is collected must agree to receive marketing communication from the business sender
- The personal information collected must be kept in a safe space, and must be destroyed when it is no longer needed
- Employee contracts must be amended to give consent to the personal information being kept, and to not disclose personal information he/she has access to of other employees, suppliers, and clients
- Websites should have a Cookie notice and policy
- A POPIA Manual should be prepared.
- A Privacy Policy should be prepared, and communicated to all employees
I deal with Dineplan on behalf of those restaurant clients that subscribe to this very useful diner reservation system. The company collects diner information such as cellphone numbers and email addresses, and offers an SMS marketing service to its restaurant clients, whereby short messages are sent to their clients, the clients having given permission to receive such messages.
Dineplan has prepared its detailed Privacy Policy in accordance with the Act. It is written in heavy legalese, but gives one a good idea of what such a Privacy Policy should contain. It follows below:
Dineplan Privacy Policy
Last revised on 27 May 2021
PROTECTION OF PERSONAL INFORMATION POLICY OF DINEPLAN (PTY) LTD IN COMPLIANCE WITH THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 AND THE EUROPEAN GENERAL DATA PROTECTION REGULATIONS
1. INTRODUCTION
The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”).
The new General Data Protection Regulation (“GDPR”) exists for the purpose of the protection of data privacy for all EU (European Union) members. Simply put, this new law equates to South Africa’s Protection of Personal Information legislation.
A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions. Given the importance of privacy, Dineplan is committed to effectively managing personal information in accordance with POPIA’s and the GDPR’s provisions.
2. APPLICATION
The Policy applies to all Dineplan’s electronic platforms, any Data Subjects, who access and make use of the aforementioned electronic platforms and all the Personal information collected by Dineplan and owned by the Responsible party. The contents of this policy are also, where necessary, applicable to the Responsible party.
- Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that makes use of Dineplan’s services.
- Operator
An operator means an independent contractor who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. Dineplan acts as an operator for various responsible parties.
- Responsible Party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the Company to which Dineplan renders services is the responsible party.
Dineplan collects and stores personal information on behalf of the Responsible party and processes same on their behalf. Dineplan is in compliance with the provisions of POPIA and the GDPR.
3. ACCOUNTABILITY
Dineplan will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, Dineplan will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
4. COLLECTION OF PERSONAL INFORMATION
Dineplan collects the following personal information on behalf of the Responsible Party:
- Name;
- Telephone number;
- Email address;
- Booking history;
- Custom tags and notes.
Dineplan may require additional personal information in the future and will notify the data subject should they do so and amend the policy accordingly.
5. PROCESSING OF PERSONAL INFORMATION
Dineplan will ensure that personal information under its control is processed:
- in a fair, lawful and non-excessive manner, and
- only with the informed consent of the data subject, and
- only for a specifically defined purpose.
Dineplan processes personal information on behalf of the Responsible party for the purpose of online reservations; the online ordering platforms, ticketing, vouchers and for marketing purposes as determined by the Responsible party.
The Responsible party will be responsible for the processing of personal data where the data subjects contact them telephonically to make reservations.
Dineplan will under no circumstances distribute or share personal information between separate legal entities, associated organisations or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected. Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of Dineplan’s business and be provided with the reasons for doing so.
6. RIGHTS OF DATA SUBJECTS
Dineplan will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects. In addition to being recorded herein, the data subjects will be notified of their rights in Dineplan’s terms and conditions contained online.
Dineplan will ensure that it gives effect to the following seven rights.
- The Right to Access Personal Information
Dineplan recognises that a data subject has the right to establish whether the company holds personal information related to him, her or it including the right to request access to that personal information. An example of a “Personal Information Request Form” can be found here.
- The Right to have Personal Information Corrected or Deleted
The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where Dineplan is no longer authorised to retain the personal information.
- The Right to Object to the Processing of Personal Information
The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. In such circumstances, Dineplan will give due consideration to the request and the requirements of POPIA. Dineplan may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.
- The Right to Object to Direct Marketing
The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.
- The Right to Complain
The data subject has the right to submit a complaint regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information. Dineplan will assist with the complaint procedure against the responsible party. A complaint form can be found here and Dineplan will use its best endeavours to assist in resolving the dispute as speedily as possible.
- The Right to be Informed
The data subject has the right to be notified that his, her or its personal information is being collected by Dineplan. The data subject also has the right to be notified in any situation where Dineplan has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person. As an operator, Dineplan will notify the responsible party immediately should they suspect a breach and/or unauthorised access to personal information.
7. RECORD
Dineplan keeps an appropriate record of all personal information.
Record means any recorded information, regardless of form or medium, including any of the following:
- writing of any material;
- information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- book, map, plan, graph or drawing;
- photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
8. AGREEMENT TO BE BOUND AND CONSENT TO PROCESS
By making use of Dineplan’s services and accessing Dineplan’s electronic platforms, the Data Subject and Responsible parties:
- acknowledge that they have read and understood the policy and related provisions;
- agree to be bound by this policy; and
- give Dineplan consent to process and further process the required Personal Information for the required purpose, in accordance with this policy.
9. SECURITY OF PERSONAL INFORMATION
- Dineplan is committed to protecting personal information from misuse, loss, theft, unauthorized access, modification, or disclosure by using electronic and physical defenses.
- Dineplan will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.
- Dineplan’s server is managed and stored with a third party, who is compliant with the provisions for storing and processing personal information. Third-party service providers will be required to enter into service level agreements with the Dineplan where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
- Dineplan ensures that all electronic records comprising of personal information are securely stored and made accessible only to authorised individuals.
- All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information.
- All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.
- A data subject may request the correction or deletion of his, her or its personal information held by Dineplan. Dineplan will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information.
- Employees and other persons acting on behalf of the organisation will under no circumstances:
  - Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.
  - Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from Dineplan’s central database or a dedicated server.
  - Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.
  - Transfer personal information outside of South Africa without the express permission.
- Employees and other persons acting on behalf of Dineplan are responsible for:
  - Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.
  - Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.
  - Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and, where required, other persons acting on behalf of Dineplan, with the sending or sharing of personal information to or with authorised external persons.
  - Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons.
  - Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.
  - Ensuring that where personal information is stored on removable storage media such as external drives, CDs or DVDs, these are kept locked away securely when not being used.
  - Ensuring that where personal information is stored on paper, such hard copy records are kept in a secure place where unauthorised people cannot access them, for instance in a locked drawer of a filing cabinet.
  - Ensuring that where personal information has been printed out, the paper printouts are not left unattended where unauthorised individuals could see or copy them, for instance close to the printer.
  - Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected.
Where an employee, or a person acting on behalf of Dineplan, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report it to the appropriate person.
10. THIRD PARTY PROCESSING
Dineplan uses many third party services for the management and storage of data, for email and SMS communication and other tasks involving personal information. We have conducted due diligence and these third party processors are all fully compliant with the relevant provisions of POPIA and GDPR. Procedures and safeguarding measures are in place to secure, encrypt and maintain the integrity of the data.
11. RETENTION OF PERSONAL INFORMATION
Dineplan shall retain personal information for as long as it is necessary to fulfil the purpose for which it was collected, whereafter it shall be deleted. The criteria Dineplan uses to determine retention periods include whether:
- Dineplan is under contractual or other obligations to retain personal data;
- Personal information is needed to maintain business records.
12. DIRECT MARKETING
One can choose whether to receive marketing communications from Dineplan in respect of the Responsible party and for Dineplan.
Dineplan shall not avail your personal information to unaffiliated third parties for direct marketing purposes or otherwise make personal information commercially available to any third party, unless one has provided consent to it.
Should one wish to opt out of receiving such marketing, they will be given the option to do so, alternatively they can contact Dineplan.
Where Dineplan uses personal data for the purposes of their own marketing and not that of the Responsible party, they warrant that they are compliant with all appropriate provisions of the POPIA and the GDPR.
13. DISCIPLINARY ACTION
Where a POPI complaint or a POPI infringement investigation has been finalised, Dineplan may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy. In the case of ignorance or minor negligence, Dineplan will undertake to provide further awareness training to the employee. Any gross negligence or the wilful mismanagement of personal information will be considered a serious form of misconduct for which Dineplan may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence. Examples of immediate actions that may be taken subsequent to an investigation include:
- A recommendation to commence with disciplinary action.
- A referral to appropriate law enforcement agencies for criminal investigation.
- Recovery of funds and assets in order to limit any prejudice or damages caused.
14. CHANGES TO POLICY
Dineplan may update this policy from time to time. In the event of an update, Dineplan shall post the revised version, with an updated revision date.
I will investigate the impact of the POPI Act on restaurants specifically when I find more information.
Chris von Ulmenstein, WhaleTales Blog: www.whaletalesblog.com www.chrisvonulmenstein.com/blog Tel +27 082 55 11 323 Twitter:@Ulmenstein Facebook: Chris von Ulmenstein, My Cape Town Guide/Mein Kapstadt Guide Instagram: @Chrissy_Ulmenstein @MyCapeTownGuide