Protection of Personal Information (POPI) Policy

A General Processing of Personal Information

1. Preamble

Metacom (Pty) Ltd is an organisation that complies with the laws of South Africa and recognises that a person’s constitutional right to privacy is of the upmost importance, therefore the protection of personal information is vital for sustainability and growth of our business.

2. Purpose

The purpose of this policy is to incorporate the requirements of the Protection of Personal Information Act No.4 of 2013 (hereafter called “this Act”) into the everyday operations of Metacom (Pty) Ltd and to ensure that these requirements are documented and implemented in Metacom (Pty) Ltd.

3. Scope

This policy is applicable to all employees and independent contractors in Metacom (Pty) Ltd.

4. Objectives

Metacom (Pty) Ltd and its employees shall adhere to this policy in the handling of all personal information received from, but not limited to natural persons, employees, clients, suppliers, agents, representatives and business partners to ensure compliance with this Act, applicable regulations and other rules relating to the protection of personal information.

5. Management Declaration

Metacom (Pty) Ltd, represented by the Information Officer confirms that we have familiarised ourselves with the content of this Act, applicable regulations and other rules relating to the protection of personal information, and will strive to adhere to these requirements at all times.

6. Important Definitions

“automatic calling machine”: means a machine that is able to do automated calls without human intervention;

“binding corporate rules”: means personal information processing policies, within a group of undertakings, which are adhered to by Metacom (Pty) Ltd or operation within that group of undertakings when transferring personal information to a business or operator within that same group of undertakings in a foreign country;

“data subject”: means the person to whom personal information relates;

“direct marketing”: means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –

a) Promoting or offering to supply, in the ordinary course of business, any goods or service to the data subject; or

b) Requesting the data subject to make a donation of any kind for any reason.

“electronic communication”: means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

“filing system”: means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

“group undertakings”: means a controlling undertaking and its controlled undertakings;

“information officer”: of, or in relation to, a –

a) Public body means an information officer or deputy information officer as contemplated in terms of Section 1 or 17 of this Act; or

b) Private body means the head of a private body as contemplated in Section 1 of the Promotion of Access to Information Act.

“operator”: means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

“person”: means a natural person or a juristic person.

“personal information”: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –

a) Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

b) Information relating to the education or the medical, financial, criminal or employment history of the person;

c) Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;

d) The biometric information of the person;

e) The personal opinions, views or preferences of the person;

f) Correspondence sent by the person that would reveal the contents of the original correspondence if the message is of a personal or confidential nature;

g) The views or opinions of another individual about the person; and

h) The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

“private body”: means –

a) A natural person who carries or has carried on any business or profession, but only in such capacity;

b) A partnership which carries or has carried on any trade, business or profession; or

c) Any former or existing juristic person, but excludes a public body.  

“processing”: means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

a) The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

b) Dissemination by means of transmission, distribution or making available in any other form; or

c) Merging, linking, as well as restriction, degradation, erasure or destruction of information.

“Promotion of Access to Information Act”: means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).

“public body”: means –

a) Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or

b) Any other functionary or institution when –

I. Exercising a power or performing a duty in terms of the Constitution or provincial constitution; or
II. Exercising a public power or performing a public function in terms of any legislation.

“public record”: means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.

“record”: means any recorded information –

a) Regardless of form or medium, including any of the following:

I. Writing on any material;
II. Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
III. Label marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
IV. Book, map, plan, graph, or drawing;
V. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
b) In the possession or under the control of a responsible party; and
c) Regardless of when it came into existence.

“regulator”:  means the Information Regulator established in terms of Section 39.

“re-identify”: in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that –

a) Identifies the data subject;

b) Can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

c) Can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘re-identified” has a corresponding meaning.

“responsible party”: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

“restriction”: means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;

“special personal information”: means personal information as referred to in Section 26 of this Act.

“this Act”: means the Protection of Personal Information Act, No. 4 of 2013.

“unique identifier”: means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

7. Metacom (Pty) Ltd’s key principles in adhering to the requirements of the protection of personal information  

Metacom (Pty) Ltd’s and its employees are committed to the following principles:

  • To give effect to the constitutional right to privacy, by safeguarding personal information when processed by Metacom (Pty) Ltd, subject to justifiable limitations;
  • To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  • To be transparent in its standard operating procedures that govern the processing of personal information;
  • To comply with the applicable legal and regulatory requirements regarding the processing of personal information;
  • To collect personal information through lawful and fair means and to process personal information in a manner compatible with the purpose for which it was collected;
  • Where required by law and according to local requirements, to inform data subjects when personal information is collected about them;
  • Where required by law, regulations or guidelines, to obtain a data subject’s consent prior to processing his/her/its personal information;
  • To strive to keep personal information accurate, complete, up-to-date and reliable for its intended use;
  • To strive to develop reasonable security safeguards against risks, losses, unauthorised access, destruction, use, modification or disclosure of personal information;
  • To strive to provide data subjects with the opportunity to access the personal information relating to them and, where applicable, to comply with requests to correct, amend or rectify the personal information where incomplete, inaccurate or not compliant with the standard operating procedures;
  • To only share personal information, such as permitting access, transmission or publication, with third parties (either within or outside Metacom (Pty) Ltd), only if reasonable assurance can be provided that the recipient of such information will apply suitable privacy and security protection to the personal information;
  • To comply with any restrictions and requirements that applies to the trans-border information flow rules.

8. Procurement of Personal Information

8.1 Personal information collected by Metacom (Pty) Ltd and/or any of its representatives, will be collected directly from the data subject, unless –

a) The information is contained or derived from a public record or has deliberately been made public by the data subject;

b) The data subject or a competent person where the data subject is a child, has consented to the collection of the information from another source;

c) Collection of the information from another source would not prejudice a legitimate interest of the data subject;

d) Collection of the information from another source is necessary –

I. To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II. To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III. For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
IV. In the interest of national security; or
V. To maintain the legitimate interests of Metacom (Pty) Ltd or of a third party to whom the information is supplied;

e) Compliance would prejudice a lawful purpose of the collection; or

f) Compliance is not reasonably practicable in the circumstances of the particular case.

8.2 Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Metacom (Pty) Ltd.

8.3 Steps will be taken to ensure that the data subject is aware of the purpose of the collection of the information.

8.4 Metacom (Pty) Ltd will take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the personal information is collected and further processed.

8.5 Where personal information is collected form a data subject, Metacom (Pty) Ltd will take reasonably practicable steps to ensure that the data subject is aware of –

a) The information being collected and where the information is not collected from the data subject, the source from which it is collected;

b) The name and address of Metacom (Pty) Ltd;

c) The purpose for which the information is being collected;

d) Whether or not the supply of the information by the data subject is voluntary or mandatory;

e) The consequences of failure to provide the information;

f) Any particular law authorising or requiring the collection of the information;

g) The fact that, where applicable, Metacom (Pty) Ltd intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisations;

h) Any further information such as the –

I. Recipient or category of recipients of the information;
II. Nature or category of the information;
III. Existence of the right of access to and the right to rectify the information collected;
IV. Existence of the right to object to the processing of personal information ;
Which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

8.6 The steps referred to in clause 8.5 must be taken –

a) If the personal information is collected directly from the data subject, prior to the information being collected, unless the data subject is already aware of the information as referred to in clause 8.5;

b) In any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

8.7 It will not be necessary for Metacom (Pty) Ltd to comply with clause 8.5 if –

a) The data subject or a competent person if the data subject is a child has provided consent for the non-compliance;

b) Non-compliance would not prejudice the legitimate interests of the data subject;

c) Non-compliance is necessary –

I. To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II. To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III. For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
IV. In the interest of national security.

d) Compliance would prejudice a lawful purpose of the collection;

e) Compliance is not reasonably practicable in the circumstances of the particular case; or

f) The information will –

I. Not be used in a form in which the data subject may be identified; or
II. Be used for historical, statistical or research purposes.

9. Processing of Personal Information

9.1 Personal information will only be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.

9.2 Personal information may only be processed if –

a) given the purpose for which it was processed, it is adequate, relevant and not excessive;

b) the data subject or a competent person where the data subject is a child consents to the processing;

c) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;

d) processing complies with an obligation imposed by law on Metacom (Pty) Ltd;

e) processing protects a legitimate interest of the data subject;

f) processing is necessary for the proper performance of a public law duty by a public body; or

g) processing is necessary for pursuing the legitimate interest of Metacom (Pty) Ltd or of a third party to whom the information is supplied.

9.3 In the event that Metacom (Pty) Ltd appoints or authorises an operator to process any   personal information on its behalf or for any reason, it will implement necessary agreements to ensure that the operator or anyone processing personal information on behalf of Metacom (Pty) Ltd or an operator, must –

a) Process such information only with the knowledge or authorisation of Metacom (Pty) Ltd; and

b) Treat personal information which comes to his/her/its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of his/her/its duties.

9.4 Metacom (Pty) Ltd must maintain the documentation of all processing operations under its responsibility.

10. Further Processing of Personal Information

10.1 Metacom (Pty) Ltd must ensure that the further processing of personal information be compatible with the purpose for which it was collected.

10.2 To assess whether further processing is compatible with the purpose of collection,

Metacom (Pty) Ltd will take account of –

a) The relationship between the purpose of the intended further processing and the purpose for which the information was collected;

b) The nature of the information concerned;

c) The consequences of the intended further processing for the data subject;

d) The manner in which the information has been collected; and

e) Any contractual rights and obligations between the parties.

10.3 The further processing of personal information will not be incompatible with the purpose of collection if –

a) The data subject or competent person where the data subject is a child, has consented to the further processing of the information;

b) The information is available in or derived from a public record or has deliberately been made public by the data subject;

c) Further processing is necessary –

I. To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II. To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III. For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
IV. In the interest of national security;

d) The further processing of the information is necessary to prevent or mitigate a serious and imminent threat to –

I. Public health or public safety; or
II. The life or health of a data subject or other individual(s);

e) The information is used for historical, statistical or research purposes and Metacom (Pty) Ltd ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form.

11. Retention and Restriction of Records

11.1 Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless –

a) The retention of a record is required or authorised by law;

b) Metacom (Pty) Ltd reasonably requires a record for lawful purposes related to its functions or activities;

c) Retention of a record is required by a contract between the parties thereto; or

d) The data subject or a competent person where the data subject is a child has consented to the retention of a record.

11.2 Information collected or processed initially for the purposes of historical, statistical or research value, may be retained for a period longer than contemplated in clause 11.1, providing Metacom (Pty) Ltd has appropriate measures in place to safeguard these records against uses other than what it was intended for initially.

11.3 Metacom (Pty) Ltd will destroy or delete a record of personal information or de-identify it as soon as reasonably practicably after Metacom (Pty) Ltd is no longer authorised to retain a record.

11.4 The de-identifying or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible/understandable form.

11.5 In the event that Metacom (Pty) Ltd uses a record of personal information of a data subject to make a decision about the data subject, it must –

a) Retain the record for such period as may be required or prescribed by law or a code of conduct; or

b) If there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.

11.6 Metacom (Pty) Ltd will restrict the processing of personal information if –

a) Its accuracy is contested by the data subject, for a period enabling Metacom (Pty) Ltd to verify the accuracy of the information;

b) Metacom (Pty) Ltd no longer needs the personal information for achieving the purpose for which it was collected or subsequently processed, but it has to be maintained for purposes of proof;

c) The processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or

d) The data subject requests to transmit the personal data into another automated processing system.

11.7 Personal information that has been restricted may only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person where the data subject is a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.

11.8 Where personal information is restricted, Metacom (Pty) Ltd will inform the data subject before lifting the restriction.

12. Security Safeguards

12.1 Metacom (Pty) Ltd will secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent –

a) Loss of, damage to or unauthorised destruction of personal information; and

b) Unlawful access to or processing of personal information.

12.2 Metacom (Pty) Ltd will take responsible measures to –

a) Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

b) Establish and maintain appropriate safeguards against the risks identified;

c) Regularly verify that the safeguards are effectively implemented; and

d) Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

12.3 Metacom (Pty) Ltd will have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

12.4 Metacom (Pty) Ltd will, in terms of a written contract between Metacom (Pty) Ltd and the operator, ensure that the operator which processes personal information for Metacom (Pty) Ltd, establishes and maintain the security measures as referred to in clause 12.1 – 12.3.  

The operator will inform Metacom (Pty) Ltd immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

13. Security Compromises

13.1 Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Metacom (Pty) Ltd will notify –

a) The Information Regulator; and

b) The data subject, unless the identity of such data subject cannot be established.

13.2 The notification of a breach will be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of Metacom (Pty) Ltd’s information system.

13.3 Metacom (Pty) Ltd will only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.

13.4 The notification to a data subject will be in writing and communicated to the data subject in at least one of the following ways:

a) Posted to the data subject’s last known physical or postal address; or

b) Sent by e-mail to the data subject’s last known e-mail address; or

c) Placed in a prominent position on the website of Metacom (Pty) Ltd; or

d) Published in the news media.

13.5 The notification will provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including–

a) A description of the possible consequences of the security compromise;

b) A description of the measures that Metacom (Pty) Ltd intends to take or has taken to address the security compromise;

c) A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and

d) If known to Metacom (Pty) Ltd, the identity of the unauthorised person who may have accessed or acquired the personal information.

14. Rights of the Data Subject

14.1 The data subject or competent person where the data subject is a child, may withdraw his, her or its consent to procure and process his, her or its personal information, at any time, providing that the lawfulness of the processing of the personal information before such withdrawal or the processing of personal information.

14.2 A data subject may object, at any time, to the processing of personal information–

a) In writing, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or

b) For purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.

14.3 A data subject, having provided adequate proof of identity, has the right to –

a) Request Metacom (Pty) Ltd to confirm, free of charge, whether or not Metacom (Pty) Ltd holds personal information about the data subject; and

b) Request from Metacom (Pty) Ltd a record or a description of the personal information about the data subject held by Metacom (Pty) Ltd, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information –

I. Within a reasonable time;
II. At a prescribed fee as determined by the Information Officer;
III. In a reasonable manner and format; and
IV. In a form that is generally understandable.

14.4 A data subject may, in the prescribed manner, request Metacom (Pty) Ltd to –

a) Correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

b) Destroy or delete a record of personal information about the data subject that Metacom (Pty) Ltd is no longer authorised to retain.

14.5 Upon receipt of a request referred to in clause 14.4, Metacom (Pty) Ltd will, as soon as reasonably practicable –

a) Correct the information;

b) Destroy or delete the information;

c) Provide the data subject, to his, her or its satisfaction, with credible evidence in support of the information; or

d) Where an agreement cannot be reached between Metacom (Pty) Ltd and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

14.6 Metacom (Pty) Ltd will inform the data subject, who made a request as set out in clause 14.5, of the action taken as a result of the request.

15. Request for Disclosure

Metacom (Pty) Ltd will respond promptly when the data subjects request notification of purpose of use, disclosure, correction, addition or deletion of details, and suspension of use or elimination relating to personal information held by Metacom (Pty) Ltd.

16. Monitoring and Enforcement

Each employee of Metacom (Pty) Ltd will be responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedure, notices, consents and appropriate related documents and processes.  

Managers and responsible employees will be trained according to their functions in legal requirements, policies and guidelines that govern the protection of personal information in Metacom (Pty) Ltd.  Metacom (Pty) Ltd will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy law and its policies, this Act and any applicable regulations.  Employees who violate the guidelines and standard operating procedures of this policy may be subject to disciplinary action being taken against him/her.

17. Point of Contact

The point of contact for requests, disclosures, questions, complaints and any other inquiries relating to the handling, collection, processing or re-identifying of personal information shall be directed to the Information Officer or Deputy Information Officer.

Contact details of the Information Officer:

Zayaan Clarke
021 531 9900
zayaan.clarke@metacom.net

Contact details of the Deputy Information Officer:

Tarry Daniels
021 531 9900
tarryn.daniels@metacom.net

18. Standard Operating Procedures

Each department will establish appropriate privacy standard operating procedures that are consistent with this policy, local customs and practices as well as legal and regulatory requirements.

B Duties and Responsibilities of Information Officer & Deputy Information Officer

1. Appointment of Information Officer

The Information Officer in terms of Metacom (Pty) Ltd’s structure will be the HR Manager.

2. Registration as Information Officer

The Information Officer shall ensure that he/she is registered with the Regulator within the prescribed manner and timeframe, as being the Information Officer of Metacom (Pty) Ltd.

3. Duties and Responsibilities of the Information Officer

The Information Officer’s responsibilities include:

a) The encouragement of compliance with the conditions and stipulations of this Act for the lawful processing of personal information.

b) Dealing with requests made to Metacom (Pty) Ltd pursuant to this Act.

c) Working with the Regulator in relation to investigations conducted regarding the prior authorisation for processing, in relation to Metacom (Pty) Ltd.

d) Ensuring compliance by Metacom (Pty) Ltd with Metacom (Pty) Ltd’s policies regarding the protection of personal information and the provisions of this Act.

4. Designations and Delegation of Deputy Information Officer

4.1 The Information Officer may appoint any number of Deputy Information Officers as is necessary to perform the duties of the Information Officer as set out above. The Information Officer has control over every Deputy Information Officer(s) appointed.  

4.2 The Information Officer may delegate, in writing, his/her power of duty conferred or imposed by this Act, to a Deputy Information Officer(s).  In his/her decision to delegate power of duty, the Information Officer must give due consideration to the need to render Metacom (Pty) Ltd as accessible as reasonably possible for requests of its records.

4.3 The Deputy Information Officer’s duties must only be exercised or performed subject to any conditions set by the Information Officer.  The delegation of power does not prohibit the Information Officer from performing these duties himself/herself.  The Information Officer may at any time withdraw or amend, in writing, the delegation of power of duty.

4.4 Any right or privilege acquired, or any obligation or liability incurred as a result of the delegation of power, is not affected by any subsequent withdrawal or amendment of that delegation.

C Prohibition on the Processing of Special Personal Information

1. Prohibition on Processing of Special Personal Information

Metacom (Pty) Ltd will not process personal information, concerning –

a) The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

b) The criminal behaviour of a data subject to the extent that such information relates to –

I. The alleged commission by a data subject of any offence; or
II. Any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

2. General Authorisation Concerning Special Personal Information

The prohibition on processing of special personal information, as referred to in clause 1 of this policy, does not apply if -

a) Processing is carried out with the consent of the data subject; or  

b) Processing is necessary for the establishment, exercise or defence of a right or obligation in law; or

c) Processing is for historical, statistical or research purposes to the extent that –

I. The purpose serves a public interest and the processing is necessary for the purpose concerned; or
II. It appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent; or

d) Information has deliberately been made public by the data subject.

D Prohibition on the Processing of Special Personal Information Regarding Data Subject’s Criminal Behaviour or Biometric Information

1. Authorisation Concerning Data Subject’s Criminal Behaviour or Biometric Information

1.1 The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information,  does not apply if the processing is carried out by bodies charged by law with applying criminal law or where Metacom (Pty) Ltd obtained that information in accordance with the law.

1.2 The processing of information regarding personnel in the service of Metacom (Pty) Ltd must take place in accordance with the rules established in compliance with labour legislation.

E Processing Subject to Prior Authorisation

1. Processing Subject to Prior Authorisation

1.1 Metacom (Pty) Ltd must obtain prior authorisation from the Regulator, prior to any processing if Metacom (Pty) Ltd plans to –

a) Process unique identifiers of data subjects –

I. For a purpose other than the one for which the identifier was specifically intended at collection; and
II. With the aim of linking the information together with information processed by other responsible parties;

b) Process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;

c) Process information for the purpose of credit reporting; or

d) Transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

1.2 Metacom (Pty) Ltd will only have to obtain the prior authorisation once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised by the Regulator.

2. Metacom (Pty) Ltd to Notify the Regulator if Processing is Subject to Prior Authorisation

2.1 Metacom (Pty) Ltd must notify the Regulator when processing personal information referred to in clause 1.1 of this policy.

2.2 Metacom (Pty) Ltd may not carry out information processing that has been notified to the Regulator until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.