We are currently unpacking this space.
Our site is currently being built. It won’t take long, we promise. Thank you for your patience!
THE PROTECTION OF PERSONAL INFORMATION ACT NO.4 of 2013 (“POPIA”)
PKG Group Policy on the Protection and Processing of Information
1. Definitions
1.1. “Business” means the business of the Company, which involves groups manufacturing
companies, and which PKG Group provides centralised service to, which includes all matters
reasonably connected thereto, including matters relating to legal and corporate governance;
1.2. “the Company” means PKG Group a company registered in the Republic of South Africa with
registration number: 2011/103845/07;
1.3. “Information” means “personal information” and “special personal information” as defined
in POPIA.
1.4. “Information Officer” means the person described in clause 13;
1.5. “Information Regulator” means the information regulator as that term is defined in Section
39 of POPIA;
1.6. “Operator” means a Person who Processes Information on behalf of the Company in terms
of a contract or mandate, without coming under the direct authority of the Company and
may include, without limitation, the Company’s attorneys, auditors and its related and/or
inter-related companies as that term is defined in Section 2 of the Companies Act No. 71 of
2008;
1.7. “Person” means a person defined in POPIA, and “Persons” will have a corresponding
meaning;
1.8. “Policy” means this policy and any amendments made to it from time to time;
1.9. “POPIA” means the Protection of Personal Information Act No. 4 of 2013;
1.10. “Process” and “Processing” means anything that is done by the Company in relation to its
Stakeholder’s Information, whether or not by automated means, including the collection,
receipt, recording, organisation, collation, storage, updating or modification, retrieval,
alteration, consultation, use, dissemination, distribution, merging, linking, restriction,
degradation, erasure and/or destruction of Information;
1.11. “Stakeholder” means any Person whose Information the Company Processes, and this may
include Information pertaining to the Company’s employees, candidates for employment,
customers, suppliers, officers, business associates, partners, and the like.
2. Background to POPIA
2.1. POPIA is South Africa’s primary data protection law.
2.2. The purpose of POPIA is to promote the protection of Information that is Processed by any
Person, by prescribing certain minimum requirements for the Processing of Information.
2.3. These minimum requirements must be met in order for a Person to Process Information and
include those requirements set forth in clause 4 of this Policy.
2.4. It is the policy of the Company that it will comply with the minimum requirements set forth
in clause 4 of this Policy at all times.
3. Purpose of this Policy
3.1. From time to time in the conduct of its Business, the Company will come into possession of
and will concomitantly Process the Information of its Stakeholders.
3.2. The purpose of this Policy is to record how the Company will Process the Information of its
Stakeholders and, in doing so, comply with the minimum requirements set forth in clause 4
of this Policy.
4. Minimum Requirements for Processing Information
In order for the Company to Process Information in a manner which is consistent with POPIA,
the Company must:
4.1. Process the Information lawfully and in a reasonable manner that does not infringe the right
to privacy of the Person whose Information is being Processed;
4.2. Process the Information for a specific, explicitly defined and lawful purpose related to a
function or activity of the Company;
4.3. Process the Information only if, given the purpose for which it is Processed, it is adequate,
relevant and not excessive and if:
4.3.1. the Person whose Information will be Processed has consented to its Information being
Processed;
4.3.2. it is necessary to Process the Information to carry out actions for the conclusion or
performance of a contract to which the Person whose Information will be Processed is a party;
or
4.3.3. it is necessary to Process the Information to comply with an obligation imposed by law on
the Company or to protect a legitimate interest of the Company and/or the Person whose
Information will be Processed;
4.4. take reasonable steps to ensure that the Person whose Information will be Processed is aware
of the Information that will be Processed, the source from which that Information will be
collected and the purpose for which that Information will be Processed;
4.5. take reasonable steps to ensure that the Information that is Processed is complete, accurate,
not misleading and updated where necessary;
4.6. take reasonable technical and organisational measures to secure the integrity and
confidentiality of Information that is Processed so as to prevent the loss, damage or
unauthorised destruction of Information and the unlawful access to or Processing of
Information; and
4.7. take reasonable steps to ensure that the Person whose Information will be Processed is aware
of its rights in and to their Information.
5. The Purpose for Processing
5.1 The Company will Process Information for the purpose for which it is received by the
Company, save that the Company will by means of the awareness and consent measures
contemplated in this Policy, where appropriate and permissible, seek and obtain from its Stakeholders consent to a particular qualitatively and quantitatively circumscribed purpose
which will facilitate the Processing by the Company of the Information.
5.2 Pursuant to clause 5.1, the Company will seek and obtain from its Stakeholders consent for
the Company collecting Information from its Stakeholders and where necessary from any
other source for the purpose of the Company conducting and furthering its business interests
in general, and including, without limitation, for the purpose of executing any rights and
obligations that it may have in relation to a Stakeholder or any matter in respect of which a
Stakeholder and/or the Information applies, and the maintenance of reasonable, accurate and
complete historical record keeping.
6. Source of Information
6.1. The Company will only Process Information that it receives directly from a Stakeholder, save
where:
6.1.1. the Information is public record or has deliberately been made public by the Stakeholder;
6.1.2. the Stakeholder has consented to the collection by the Company of the Information from
another source;
6.1.3. the collection of Information from a source other than the Stakeholder would not prejudice
a legitimate interest of the Stakeholder, is necessary to maintain or comply with an obligation
imposed on the Company by law or to maintain the legitimate interests of the Company or
the Information will be used for legal proceedings;
6.1.4. it is not reasonably practicable in the circumstances of the particular case to collect the
Information directly from a Stakeholder, or to do so would prejudice a lawful purpose of the
collection, or
6.1.5. it has received the consent of a Stakeholder to Process Information about that Stakeholder
that it receives from another source,
in which event it may Process Information about a Stakeholder that it receives from another
source.
7. Awareness and Consent
7.1 The Company is required to ensure that its Stakeholders are aware of the purpose for which
their Information is being Processed, the manner in which it will be Processed and their rights
in respect thereof. The Company will do this by:
7.1.1 publishing a copy of this Policy on its website.
7.1.2 making a copy of this Policy available for inspection at its principal place of business at
1 Lanner Road New Germany Kwazulu-Natal;
7.1.3 using bona fide endeavours to communicate the existence of this Policy to those of its
Stakeholders whose Information the Company has Processed prior to the date referred to in
Section 114(1) of POPIA;
7.1.4 referring to this Policy in its recruitment and/or job advertisements;
7.1.5 incorporating this Policy by reference into, inter alia, the following documents:
7.1.5.1 employment agreements;
7.1.5.2 standard terms and conditions of trading;
7.1.5.3 credit applications;
7.1.5.4 quotations; and
7.1.5.5 any other contracts or agreements that the Company may enter into with its Stakeholders.
7.2 The Company will, where it is necessary or appropriate to do so, obtain the written consent
of its Stakeholders to Process their Information in accordance with POPIA, inter alia, by:
7.2.1 requesting its Stakeholders to consent to the Processing by the Company of their Information;
7.2.2 requiring applicable Stakeholders to sign any one or more of the documents contemplated
in clause 7.1.5 of this Policy.
7.3 The Company will, by the measure set forth in this policy, and such other reasonable aligned
measures as are appropriate, pursue a policy of acquiring positive consent from its
Stakeholders in terms of which they approve of the use of their information for a widened
reasonable purpose, use and processing, and further processing.
7.4 In addition to the other measures contemplated in this policy, the Company will transmit to
its Stakeholders appropriate communications by which means it will inform its Stakeholders
of the provisions of this Policy and other related policies and by which means Stakeholders
will be requested to provide affirmative consent, and where appropriate and permissible,
implied and/or tacit consent to the said widened reasonable purpose, use and processing,
and further processing referred to in this policy.
7.5 The Company will in addition to the measures contemplated above, cause to be displayed
upon its stationery (where practicable and appropriate) and upon its website, an assortment
of appropriate communications in terms of which it informs Stakeholders of the existence of
this policy and the fact that the Company will process personal information in accordance
with the tenets contained in this policy.
7.6 The Company will catalogue and store the record of consents that it obtains from its
Stakeholders.
8 Retention and safeguarding of Information
8.1 The Company is required to store, retain and secure the integrity and confidentiality of its
Stakeholders’ Information by taking appropriate, reasonable technical and organisational
measures to prevent the loss, damage or unauthorised destruction of their Information and
to prevent any person from unlawfully accessing their Information.
8.2 The Company will accordingly secure the integrity and confidentiality of its Stakeholders’
Information, inter alia, by ensuring that:
8.2.1 Information that is in printed form is dealt with only by those representatives of the Company
who need to deal with that Information;
8.2.2 Information that is in printed form is stored in a secure cabinet or facility when it is not being
Processed;
8.2.3 all employees and officers of the Company who have access to or Process Information keep
their workstations tidy and free of Information which is not then being Processed to ensure
that any Information that is visible at workstations, and is not being Processed, is not
disseminated other than in accordance with the provisions of this Policy;
8.2.4 all Information in electronic form is stored in a database that is protected from unauthorised
access by appropriate hardware and software;
8.2.5 any hardware on which Information is stored is secure and password protected;
8.2.6 employees and officers of the Company will ensure that Information is not displayed upon
their computer hardware when they are not themselves Processing that Information on such
hardware;
8.2.7 where any device on which Information is stored is lost or stolen, the Information Officer is
immediately notified and will use reasonable endeavours to attempt to recover and/or delete
any Information stored upon that device.
8.3 The Company will review the Information that it Processes and stores from time to time and
will destroy and/or delete any Information of its Stakeholders that is no longer required for
the purpose in clause 5 of this Policy, or that it is no longer authorised or obliged to retain.
8.4 In the event that it comes to the attention of the Company that its Stakeholders’ Information
has been accessed, acquired, or Processed by any unauthorised person:
8.4.1 the Information Officer will notify the applicable Stakeholder or Stakeholders and the
Information Regulator as soon as reasonably possible; and
8.4.2 the Company will comply with such directions as the Information Regulator may prescribe.
9 Disclosure of Information
9.1 The Company will not hold its Stakeholders’ Information as its own and will make no claim to
ownership thereof, unless a Stakeholder agrees otherwise.
9.2 The Company will only disclose its Stakeholders’ Information to those of its employees and
officers who need to know for the purpose described in clause 5 above and will not disclose
Information to any third party unless the consent of the applicable Stakeholder to do so has
been obtained.
9.3 Notwithstanding the provisions of clause 9.2 of this Policy, the Company may disclose its
Stakeholders’ Information without first obtaining consent:
9.3.1 if the Company deems it appropriate to disclose that Information to an Operator for the
purpose in clause 5 of this Policy; and/or
9.3.2 if the Company is required by any applicable law or any applicable regulator to disclose that
Information.
9.4 The Company will not transfer the Information of any of its Stakeholders to any third party in
any country in which the Company operates, other than South Africa, unless:
9.4.1 the Company has obtained the consent of the affected Stakeholder to do so;
9.4.2 the third party has agreed to Process that Information on substantially the same terms as
those recorded in this Policy and/or in any agreement entered into between the Company
and the Stakeholder;
9.4.3 the transfer is necessary for the conclusion or performance of a contract between the
Stakeholder and the Company;
9.4.4 the transfer is necessary for the conclusion or performance of a contract concluded in the
interest of the Stakeholder between the Company and a third party; or
9.4.5 the transfer is for the benefit of the Stakeholder, and it is not reasonably practicable to obtain
the consent of the Stakeholder to that transfer or, if it were reasonably practicable to obtain
such consent, the Stakeholder would, in the Company’s view, likely give it.
10 Information Quality
10.1 The Company is required to take reasonably practicable steps to ensure that the Information
of its Stakeholders that it Processes is complete, accurate, not misleading and updated where
necessary.
10.2 The Company will accordingly ask its Stakeholders to verify the completeness and accuracy
of the Information provided by them from time to time.
11 Unsolicited Information
In the event that a Stakeholder makes Information available to the Company which is
gratuitous and/or not required for the purpose referred to in clause 5, this Policy (save in
respect of this clause 11) will not apply, and the Company will use its bona fide efforts to
secure that Information, and proceed to delete, erase or destroy that Information as soon as
practicable after its receipt.
12 Stakeholder Participation and Rights in and to its Information
12.1 Each Stakeholder, after having provided adequate proof of identity to the Company, has the
right to:
12.1.1 request that the Company confirms, free of charge, whether or not it holds Information
about that Stakeholder.
12.1.2 request the record of or a description of the Information that the Company holds about
that Stakeholder;
12.1.3 request that the Company correct or delete any Information in its possession or under its
control about the Stakeholder that is inaccurate, irrelevant, excessive, out of date, incomplete
or misleading, or to destroy or delete a record of any Information about it that the Company
is no longer authorised to retain;
12.1.4 withdraw its consent for the Company to Process its Information at any time, but the
withdrawal of consent will not affect:
12.1.4.1 the Processing of its Information before the withdrawal of consent;
12.1.4.2 the Processing of any of its Information that is required by the Company to comply with law
and/or finalise the performance of any agreement that it has entered into with the
Stakeholder concerned.
12.2 Should any Stakeholder wish to exercise any of the rights referred to above, it can do so by
contacting the Information Officer who can be contacted in the manner described in clause
13 of this Policy, and the Information Officer will give effect to the Stakeholder’s request or
withdrawal.
13 Information Officer
13.1 The Company will appoint an Information Officer.
13.2 The name and contact details of the Information Officer can be obtained by visiting the
Company’s website, or by sending an email to the following email address:
informationofficer@pkg.co.za
13.3 The Information Officer will be responsible for, inter alia:
13.3.1 ensuring that the Company Processes the Information of its Stakeholders in a lawful and
reasonable manner that does not unreasonably infringe its Stakeholders’ right to privacy;
13.3.2 providing regular training and support to the employees and officers of the Company who
have access to or Process Information, so that they can do so lawfully and in terms of this
Policy;
13.3.3 creating awareness about the provisions of this Policy, including by way of the mechanisms
contemplated in clause 7 of this Policy; and
13.3.4 ensuring that it applies due diligence in the monitoring of developments in relation to the
law pertaining to protection of Information, and in amending and/or updating the Company’s
approach to such protection, including by way of updating and/or amending this Policy.
13.4 The Information Officer will be trained appropriately to give effect to this Policy, and will
address any reasonable queries or concerns that any Stakeholders may have regarding this
Policy or the Processing of their Information as contemplated in it.
14 Information Regulator
In the event that any of the Company’s Stakeholders has any queries or concerns that cannot
be addressed by the Information Officer, the Stakeholder has the right to contact the
Information Regulator. The Information Regulator’s details are as follows:
• Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Postal address: P.O Box 31533, Braamfontein, Johannesburg, 2017
• Email address: complaints.IR@justice.gov.za and inforeg@justice.gov.za.
15 Status of Policy
This Policy has been adopted by and will apply to the Company.
16 Amendments
The Company may alter or amend this Policy or any part thereof at any time. The Company
will use reasonable endeavours not to change this Policy too often, and to bring to its
Stakeholders’ attention any material changes to it, but its Stakeholders will be required to
ensure that they keep up to date with the latest version of the Policy that is available on the
Company’s website and at the Company’s principal place of business.