PRIVACY POLICY RELATING TO –
· CUSTOMERS
· EMPLOYEES
· JOB APPLICANTS; AND
· THIRD-PARTY SERVICE PROVIDERS
1. Definitions
1.1 "Authorised Third Parties” means all third parties who Process the Personal Information of the Data Subjects on behalf of Mama Money or as part of any functions or duties which they carry out (whether contractual or otherwise) for Mama Money;
1.2 “Customer” means a customer of Mama Money that makes use of the Services in accordance with the terms and conditions that are accepted by the Customer when registering;
1.3 "Customer Data" means the data inputted and supporting documents provided by the Customer for the purpose of using the Services, which may include Personal Information;
1.4 “Data Subjects” means, for purposes of this policy, Customers, Employees, job applicants (successful or unsuccessful) and third-party service providers;
1.5 “Electronic Communication” means any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until collected by the recipient;
1.6 “Employees” means former and current indefinite and fixed term employees of Mama Money and includes interns;
1.7 “Operator” means a person who Processes Personal Information for the Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party;
1.8 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
1.8.1 information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
1.8.2 information relating to the education or the medical, financial, criminal or employment history of the person;
1.8.3 any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
1.8.4 the biometric information of the person;
1.8.5 the personal opinions, views or preferences of the person;
1.8.6 correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
1.8.7 the views or opinions of another individual about the person; and
1.8.8 the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
1.9 “POPIA” means the Protection of Personal Information Act, 4 of 2013;
1.10 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including—
1.10.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, system testing or use;
1.10.2 dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or
1.10.3 merging, linking, blocking, degradation, erasure or destruction;
and “Process” or “Processes” has a corresponding meaning;
1.11 “Regulator” means the Information Regulator as defined in POPIA;
1.12 “Responsible Party” means the person who, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;
1.13 “Services” means low value money transfer services.
2. Introduction
2.1 This policy relates to the Processing of Personal Information of the Data Subjects.
2.2 In respect of Customers and if Mama Money Processes any Personal Information on the Customer's behalf when performing the Services, it is recorded that the Customer shall be the Responsible Party, as provided for by POPIA.
2.3 In respect of Employees, job applicants (successful or unsuccessful) and third-party service provider Data Subjects, Mama Money is a Responsible Party for purposes of the Processing of Personal Information, as provided for by POPIA.
2.4 Mama Money conforms to POPIA in terms of the collection, use and retention of Personal Information of the Data Subjects and this document sets out Mama Money’s policy in this regard.
3. Personal Information of the Data Subjects
3.1 Mama Money collects Personal Information directly from the Data Subjects when the Data Subjects voluntarily provide such information in the course and scope of the Data Subjects’ engagement with Mama Money.
3.2 By voluntarily providing the Personal Information, the Data Subjects give consent to Mama Money to Process the Personal Information for the purpose for which it is provided.
3.3 It should be noted that Mama Money collects the following Personal Information from the relevant Data Subjects:
Data Subject
Personal Information
Customers
Name, surname, date of birth, identity number/proof of identity number, gender, country of birth, residential address/proof of address, financial information (payslip / bank statements) and image.
Employees
Name, surname, date of birth, identity number, passport number, race, gender, disabilities, physical address, contact details, previous employment details, academic record, salary information, banking and tax details, next of kin information, biometrics, pre-employment screening records, disciplinary, training, health and safety, and performance information.
Third Party Service Providers
Company name, registration number, physical address, contact details, insurance information, banking and tax details.
Job applicants
Name, surname, race, gender, physical address, contact details, previous employment details, academic records, identity number, passport number, salary information, pre-employment screening records.
3.4 Should Mama Money collect and request Personal Information that is not listed in 3.3 above for the same purpose for which the listed Personal Information was provided, the Data Subject consents to the Processing of the additional Personal Information by Mama Money by providing the additional Personal Information to Mama Money
4. Lawful Processing of Personal Information by Mama Money
4.1 Personal Information may only be Processed by Mama Money for specific, explicitly defined and legitimate reasons, where after it must be destroyed or deleted. In this instance, it should be noted that Mama Money processes the Personal Information of the Data Subjects for the purposes as set out below:
4.1.1 Customers – to provide the Services in accordance with the the terms and conditions that are accepted by the Customer when registering for the Services and any lawful instructions reasonably given by the Customer from time to time;
4.1.2 Employees – for the following purposes:
4.1.2.1 onboarding;
4.1.2.2 payment of remuneration, recording bank account details, payslips and tax records;
4.1.2.3 receiving and storing of leave applications and records, sick leave and medical records, records and communications relating to injuries on duty and otherwise;
4.1.2.4 monitoring performance, conducting written performance assessments, dealing with promotions and demotions and the records of disciplinary processes;
4.1.2.5 obtaining, distributing and storing information relating to medical aid membership, medical aid claims, payment of medical aid subscriptions, membership of retirement funds, contributions to retirement funds and their administrators and retirement benefits;
4.1.2.6 arranging and facilitating training;
4.1.2.7 offboarding; and
4.1.2.8 the exchange of information of Employees in a business transfer or outsourcing transaction.
4.1.3 Third Party Service Providers – for purposes of vetting and onboarding; and
4.1.4 Job Applicants – to process a job application, to conduct interviews, to contact references, and to perform pre-employment screening.
4.2 Personal information may not be Processed for a secondary purpose unless that Processing is compatible with the original purpose. Should Mama Money want to use existing Personal Information for any other purpose other than what the information was gathered for, confirmation will again be requested from the Data Subject.
4.3 Mama Money will take reasonable steps to ensure that the Personal Information collected is complete, accurate, not misleading and updated where necessary. It should be noted that by obtaining Personal Information directly from the Data Subject, accuracy is more probable.
4.4 Should Mama Money Process the Personal Information of a person that does not fall within the definition of a Data Subject for purposes of this policy, the Deputy Information Officer will be obligated to ensure that the relevant person be advised of the specific Personal Information that will be collected, be advised of the purpose of the collection and Processing of his/her Personal Information and that the relevant person provides the required consent to Mama Money to process the Personal Information as advised.
4.5 Data Subjects should be aware that Mama Money makes use of Authorised Third Parties who may have access to their Personal Information and that such Authorised Third Parties are required to comply with the obligations relating to the collection, use and retention of Personal Information of the Data Subjects as set out in this policy.
5. The rights of Data Subjects
5.1 At the time of collecting the Personal Information, the Data Subject should be given access to this policy, which -
5.1.1 informs the Data Subject of how his/her Personal Information will be used;
5.1.2 sets out the contact details of the Deputy Information Officer, who is the responsible person at Mama Money for this purpose as gertkruger@mamamoney.co.za; and
5.1.3 be advised that should the Deputy Information Officer not be able to resolve an issue, or should the issue be of a serious nature, he/she will have the right to complain to the Information Regulator if misuse is suspected, as well as be provided with the contact details of the Information Regulator.
5.2 The Data Subject has the right to access his/her Personal Information held by Mama Money and to be advised for what purpose it was gathered. To do this, the Data Subject should contact Mama Money at the contact details provided in the PAIA Manual on the Mama Money website, provide Mama Money with a copy of his/her identity document to confirm his/her identity and specify what information is required
5.3 The Data Subject has the right to ask Mama Money to update, correct or delete his/her Personal Information. Mama Money will require a copy of the Data Subjects’ identity document to confirm his/her identity before making changes to Personal Information held in respect of the relevant Data Subject.
5.4 Mama Money shall under instruction and authority of the Customer, provide it with all assistance required for the Customer to discharge its duties as Responsible Party relating to a requirement by the Regulator (a) for the Customer as Responsible Party to submit an independent auditor’s report or other information relating to interference by the Responsible Party with the Personal Information of a Data Subject, (b) that the Customer is processing Personal Information in accordance with legislation, or (c) that the Customer is otherwise compliant with any other relevant legislation.
6. Security
6.1 Mama Money shall take appropriate technical and organisational measures to ensure that all Personal Information communicated, including, without limitation, any digital communication or any Personal Information stored in digital form shall be secured against being accessed or read by unauthorised parties, using appropriate security safeguards, having due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
6.2 In particular, Mama Money ensures that all Personal Information is stored in a secure location, as follows:
6.2.1 electronic documents containing Personal Information are stored securely within the Mama Money secure cloud infrastructure;
6.2.2 Security controls, such as encryption, firewalls, intrusion detection, vulnerability management, multi factor authentication and anti-malware software is used; and
6.2.3 All personal information is managed with restricted access, degrees of power, and separation of functions.
7. Notification of a Personal Information Security Breach
7.1 Mama Money shall notify the Data Subject in writing, immediately, if possible, but no later than 5 (five) days of Mama Money becoming aware of or suspecting any unauthorised or unlawful use, disclosure or processing of Personal Information and comply with the following –
7.1.1 take all necessary steps to mitigate the extent of the loss or compromise of Personal Information and to restore the integrity of the affected information systems as quickly as possible;
7.1.2 furnish the Data Subject with details of the nature and extent of the compromise, and if known, include details of the identity of the unauthorised person who may have accessed or acquired the Personal Information;
7.1.3 provide the Data Subject with a report on its progress in resolving the compromise at reasonable intervals but at least once per business day following the initial notification to the Data Subject, until such time as the compromise is resolved to the Data Subject's satisfaction;
7.1.4 in consultation with the Data Subject and where required by law notify the South African Police Service; and/or the National Intelligence Agency; and
7.1.5 only upon request by the Data Subject, or otherwise if required by law, notify the Regulator. Any such notification shall be in a form prescribed by the Regulator, as the case may be, if applicable, and contain such information as is specified by the Customer and or the Regulator.
8. Disclosure required by law
8.1 In the event that Mama Money is required to disclose or Process any Personal Information required by law, regulation or court order, Mama Money –
8.1.1 will advise the Data Subject thereof prior to disclosure, if possible. If prior disclosure is not possible, Mama Money shall advise the Data Subject immediately after such disclosure;
8.1.2 will take such steps to limit the extent of the disclosure or Processing insofar as it reasonably practically and legally can;
8.1.3 will afford the Data Subject a reasonable opportunity, if possible and permitted, to intervene in the proceedings; and
8.1.4 will comply with the Data Subject’s requests as to the manner and terms of any such disclosure or Processing, if possible and permitted.
8.2 In this regard, it should be noted that in the course of providing the Services, Mama Money is required to disclose Customer Data in accordance with the following:
8.2.1 Financial Intelligence Centre Act (“FICA”) – this act requires the collection and storage by Mama Money of specified documents (as listed in 3.3 above) that contains Personal Information of Data Subjects and the Financial Intelligence Centre may at any time request these documents from Mama Money with regard to a FICA audit or on any other grounds. By submitting the required Personal Information to Mama Money, the Customer agrees to the disclosure by Mama Money of the Customer Data for this purpose; and
8.2.2 South African Reserve Bank (“SARB”) – due to the fact that Mama Money is licensed as a category four authorised dealer in foreign exchange with limited authority with SARB, Mama Money is required to issue SARB with a report for every successfully completed money order and corresponding pay-out. This report includes Customer Data and by submitting the required Personal Information to Mama Money, the Customer agrees to the use by Mama Money of the Customer Data for SARB reporting as prescribed by law.
9. Transfer of Personal Information
9.1 Mama Money shall ensure that no Personal Information is transferred outside of the Republic of South Africa unless –
9.1.1 the Data Subject provides its prior written consent to the transfer;
9.1.2 the recipient is subject to a law, code of conduct or contract which provides comparable protection for the Personal Information as the protections contained in this policy, including similar provisions relating to the further transfer of the Personal Information;
9.1.3 the transfer is necessary for the performance of a contract between the Data Subject and Mama Money; or
9.1.4 the transfer is for the benefit of the Data Subject and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.
10. Retention and Destruction requirements
10.1 Mama Money shall ensure that all Personal Information is destroyed or deleted in a secure manner when the purpose specification has expired. The Personal Information shall, however, be retained for longer if:
10.1.1 the retention of the Personal Information is required or authorised by law. If there is no law or code of conduct prescribing the retention period, the Personal Information must be retained for a reasonable period to allow the Data Subject to request access to the Personal Information;
10.1.2 retention of the Personal Information is required by a contract between the parties thereto;
10.1.3 the Data Subject consented to the retention of the Personal Information; and
10.1.4 for historical, statistical or research purposes if appropriate safeguards are in place to prevent its use for any other purpose.
11. Direct marketing
11.1 All Data Subjects have the right to object to their Personal Information being Processed for the purposes of direct marketing by Electronic Communication.
11.2 Direct marketing is only permitted if:
11.2.1 the Data Subject has given consent for his or her Personal Information to be Processed for direct marketing purposes; or
11.2.2 the Data Subject is an existing Customer of Mama Money and Mama Money has obtained his or her details through the sale of a service or where the marketing communication is for the purpose of directly marketing similar products or services of Mama Money and the Data Subject has been given the opportunity to object, free of charge and unnecessary formality, to the use of his or her Personal Information at the time of collection and on each occasion of direct marketing (unless consent has already been refused).
11.3 Mama Money is only allowed to approach a Data Subject for consent to receive direct marketing communications once, and as long as the Data Subject has not previously withheld consent.
11.4 The Data Subject’s consent to receive direct marketing communications must be requested by Mama Money in the manner and form prescribed by the regulations to POPIA.