TERMS OF SUPPLY CHAIN PARTNER GROUP PROTECTION OF PERSONAL INFORMATION POLICY SUMMARY

MARCH 2021

 

GENERAL

The Supply Chain Partner group of companies and its associates deliver services in several territories on three continents, with a constantly expanding network of customers and business partners throughout the world. As a general rule, SCP companies and associates keep customer and business partner information confidential. SCP companies and associates use restrictive employee policies and technical systems to protect personal information and confidential data. SCP companies and associates will only use business partner information to conclude business relationships (refer also to the SCP business code). SCP companies and associates will only use customer information to process a request from a customer, initiate or deliver services, for statistical or research purposes, and for reporting required by the laws of a relevant territory. SCP retains all rights to non-personal and non-confidential information owned by SCP companies and associates, as well as its own intellectual property.

 

1          SOUTH AFRICA

1.1       Personal Information is protected by the right to privacy. Chapter 2 of the South African Constitution (Act 108 of 1996) enshrines the right to privacy, which ranks together with such rights as the right to life, equality, and freedom of religion, belief and opinion.  

Supplychain Services (Proprietary) Limited, trading as Supply Chain Partner (“SCP”), is a South African company which processes personal information within the territory and is therefore required to comply with the Protection of Personal Information Act 4 of 2013 (Popi) and other applicable laws dealing with data protection or privacy of personal information. The date for implementation of Popi is 30 June 2021, but it has already been adopted by major companies in the territory. SCP is a “responsible party” under Popi – any person, alone or in conjunction with others, that determines the purpose and means for processing personal information.

1.2       Personal information is defined as information relating to a living person or existing legal entity, including but not limited to:–

1.2.1    information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; 

1.2.2    information relating to the education or the medical, financial, criminal or employment history of the person; 

1.2.3    any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;

1.2.4    the biometric information of the person[1];

1.2.5    the personal opinions, views or preferences of the person;

1.2.6    correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

1.2.7    the views or opinions of another individual about the person; and

1.2.8    the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

1.3       SCP will:

1.3.1    only process personal information for the purposes of performing its obligations under a contractual agreement or as authorised by the customer in writing;

1.3.2    take all reasonable steps to ensure that personal information is stored or recorded accurately and not altered or amended except as directed by the customer; and

1.3.3    not disclose personal information except:

1.3.3.1 to SCP’s employees to the extent necessary to perform its contractual obligations to the customer under an agreement;

1.3.3.2 as required by law; or

1.3.3.3 with the customer’s prior written consent (consent must be voluntary, specific and informed). The customer will agree that by using SCP’s website, registering, or applying online for any SCP marketing information or services, or contacting SCP electronically, the customer provides SCP with express written permission to share personal information within the SCP group of companies, in the ordinary course of SCP’s business, including for purposes of providing the customer with relevant services. However, the customer has the right to revoke this consent in writing at any time. The customer should confirm that personal information provided is complete, accurate, true, and relevant.

1.4       Notice and Customer Rights

The customer has the right to know what personal information SCP holds about the customer. The customer may send a request for personal information to SCP’s website…… SCP will take all reasonable steps to confirm the customer’s identity before providing details of personal information to that customer. The customer has the right to ask SCP to update, correct or delete personal information. Where SCP cannot delete personal information, SCP will take steps to make it anonymous. The customer agrees that SCP may keep personal information until the customer asks SCP to delete or destroy it.

 When collecting personal information from data subjects (if applicable), SCP will:-

1.4.1    inform the data subject that their personal information is being collected for or on behalf of SCP;

1.4.2    direct the data subject to SCP’s privacy policy.

If a complaint by the customer is not reasonably resolved by SCP, the customer has the right to lodge a complaint with the Information Regulator (South Africa).

1.5       Cross-border transfers 

SCP will not transfer personal information to, or allow access or retrieval of personal information by, any recipient located outside of South Africa without the customer’s prior written authorisation. A transfer of personal information will comply with Popi and other relevant laws dealing with data protection or privacy and will be dependent on the territory of transfer having the same level of protection of personal information as South Africa.

The information request form in electronic format to be submitted by the customer will request that the customer agree that SCP may transfer personal information outside South Africa for storage, hosting or processing purposes.

1.6        Security of personal information

SCP will take reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised destruction and unlawful access or processing through the identification and safeguarding against reasonably foreseeable internal and external risks to personal information. 

Where there are reasonable grounds to believe that personal information has been lost, damaged, accessed or acquired by any unauthorised person or that there has been a compromise of SCP’s security measures, i.e. a data breach, SCP will:-

1.6.1       immediately notify the customer and promptly provide full details of the data breach;

1.6.2       investigate and remedy the data breach; and

1.6.3       notify the Information Regulator or data subjects.

1.7       Retention and destruction 

SCP has implemented retention and destruction policies and procedures for personal information that are required under Popi and other applicable data protection laws. Except as required by law or agreement between the Parties, SCP will return or destroy personal information:-

1.7.1    when it is no longer required for purposes of a contractual agreement;

1.7.2    on termination of a contractual agreement for any reason;

1.7.3    if required by law; or

1.7.4    at the customer’s request at any time. 

1.8       Indemnity

The customer indemnifies SCP companies against any loss or damage, direct or indirect, that the customer may suffer because of any unauthorised use of the customer’s personal information. The customer will not hold the SCP group of companies, SCP, its directors, employees or agents responsible for any breach of security unless this is due to the negligence or willful intention of such company, directors, employees, or agents.

Information on SCP’s website is intended for information purposes and provided “as is” without any warranty, representation, condition, undertaking, or terms of any kind, express or implied, statutory or otherwise, including, without limitation, the warranties of merchantability, non-infringement of intellectual property, professional advice, fitness for a particular purpose or suitability of the information, software or services;

The accuracy or completeness of the information, text, graphics, links or other items contained in the SCP website are not warranted in any way; and SCP shall not be liable for any indirect or consequential losses, expenses, or damages incurred by the customer, including but not limited to loss of business opportunities or loss of data, whether within the contemplation of the parties or not.

 

2          EUROPEAN UNION

2.1       The SCP group of companies and associates are required to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data of European Union subjects.

An SCP company or associate may be a data processor or a data controller of personal data. If a data controller or processor of personal information is based outside the EU, the GDPR will apply if the controller or processor handles the personal information of a data subject in the EU.

2.2       “Personal Information” generally has the same meaning as personal data or personal identifiable information (PII). Personal Information includes any information relating to an identified or identifiable natural person. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Popi’s definitions for personal information and data subject are broader than the GDPR, which applies to natural persons only. Popi applies to natural and juristic persons).

2.3       The SCP or associate company will:

2.3.1    only process personal information for the purposes of performing its obligations under a contractual agreement or as authorised by the customer in writing;

2.3.2    take all reasonable steps to ensure that personal information is stored or recorded accurately and not altered or amended except as directed by the customer; and

2.3.3    not disclose personal information except:

2.3.3.1 to SCP company or associate employees to the extent necessary to perform its obligations to the customer under a contractual agreement;

2.3.3.2 as required by law; or

2.3.3.3 with the customer’s prior written consent (consent must be voluntary, specific and informed). The customer will agree that by using SCP’s website, registering, or applying online for any SCP marketing information or services, or contacting SCP electronically, the customer provides SCP with express written permission to share personal information within the SCP group of companies, in the ordinary course of SCP’s business, including for purposes of providing the customer with relevant services. However, the customer has the right to revoke this consent in writing at any time. When submitting the information request electronic form in the contacts section of the website, the customer authorises SCP to obtain and use personal information in order to respond to the request for information.

The customer should confirm that personal information provided is complete, accurate, true, and relevant. 

2.4       Notice and Customer Rights

The customer has the right to ask the SCP associate to update, correct or delete personal information. Where the SCP associate cannot delete personal information, the SCP associate will take steps to make it anonymous. The customer agrees that the SCP associate may keep personal information until the customer asks the SCP associate to delete or destroy it.

When collecting personal information from data subjects (if applicable), the SCP associate will:-

2.4.1    inform the data subject that their personal information is being collected for or on behalf of the SCP associate;

2.4.2    direct the data subject to SCP’s privacy policy.

2.5       Security of Personal Information

The SCP company or associate will take reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised destruction and unlawful access or processing through the identification and safeguarding against reasonably foreseeable internal and external risks to personal information.

The SCP company or associate will implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, the SCP company or associate shall take account in particular of the risks from a personal data breach.

2.6       Cross-border transfers 

The SCP company or associate may not transfer or authorise the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the customer. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the SCP company or associate shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

The information request electronic form submitted by the customer will request the customer to agree that SCP may transfer personal information outside the EU and/or EEA for storage, hosting or processing purposes.

2.7       Retention and Destruction

SCP has implemented retention and destruction policies and procedures for personal information that are required under Popi and other applicable data protection laws. Except as required by law or agreement between the Parties, SCP will return or destroy personal information:-

2.7.1    when it is no longer required for purposes of a contractual agreement;

2.7.2    on termination of a contractual agreement for any reason;

2.7.3    if required by law; or

2.7.4    at the customer’s request at any time.

2.8       Indemnity

The liability of the SCP associate will be limited to the specific losses defined in the GDPR to the maximum equivalent monetary value of the direct loss sustained by a data subject. Liability for any indirect losses, loss of profit, loss of revenue, loss of business, contracts or anticipated savings; and any special, indirect or consequential loss or damages of any nature.

[1] Biometric information includes physical, physiological or behavioral characterization, DNA, retinal scanning and voice recognition.