The Protection of Personal Information Act No. 4 of 2013
(“POPIA”/ “POPI”)

CARPE DIEM MEDIA PRIVACY POLICY

  1. Organisation
    1. Organisation – Carpe Diem Media 2002/002907/07
    2. Scope of policy – This policy applies to the business of the organisation wherever it is conducted, but based at the registered office. It applies to directors, paid staff, customers and suppliers. This policy describes the types of personal information that we may collect about you, the purposes for which we use the information, the circumstances in which we may share the information and the steps that we take to safeguard the information to protect your privacy.
    3. Policy operational date –
    4. Date approved by Information Officer-
    5. Next policy review date –
  2. Introduction
    1. Purpose of policy – The purpose of this policy is to enable the organisation to:
      • comply with the law in respect of the data it holds about individuals;
      • follow good practice;
      • protect the organisation’ staff and other individuals
      • protect the organisation from the consequences of a breach of its responsibilities.
    2. Personal information – This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).
    3. Policy statement – The organisation will:
      • comply with both the law and good practice
      • respect individuals’ rights
      • be open and honest with individuals whose data is held
      • provide training and support for staff who handle personal data, so that they can act confidently and consistently
    4. The organisation recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
      • keeping information securely in the right hands, and
      • retention of good quality information.
    5. Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the organisation will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
    6. Key risks – The organisation has identified the following potential key risks, which this policy is designed to address:
      • Breach of confidentiality (information being given out inappropriately)
      • Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
      • Failure to offer choice about data use when appropriate
      • Breach of security by allowing unauthorised access
      • Harm to individuals if personal data is not up to date
      • Data Operator contracts
  3. Information Officer Responsibilities
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.
    2. Information Officer Responsibilities – The Information Officer has the following responsibilities:
      • Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
      • Reviewing the POPI Act and periodic updates as published
      • Ensuring that POPI Act induction training takes place for all staff
      • Ensuring that periodic communication awareness on POPI Act responsibilities takes place
      • Ensuring that Privacy Notices for internal and external purposes are developed and published
      • Handling data subject access requests
      • Approving unusual or controversial disclosures of personal data
      • Approving contracts with Data Operators
      • Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
      • Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
      • Handling all aspects of relationship with the Regulator as foreseen in the POPI Act
      • Provide direction to any Deputy Information Officer if and when appointed
    3. Appointment – The appointment of the organisation Information Officer will be authorised by the Designated Head. Consideration will be given an annual basis of the re-appointment or replacement of the Information Officer; the need for any Deputy to assist the Information Officer.
  4. Processing Limitation
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
    2. Processing Limitation – The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
    3. Forms of consent – The organisation undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.
    4. Nature of Personal Information – The organisation has used the Data Inventory to identify all instances of personal information in the organisation.
  5. Purpose specification
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.
    2. Purpose specification – The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).
    3. Retention periods – The organisation will establish retention periods for at least the following categories of data:
      • Directors
      • Staff
      • Customers
      • Suppliers
    4. Use of Cookies where applicable – Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser to enable our systems to recognise your browser and to automatically collect information from your computer such as your IP address and other details about your computer which are automatically collected by our web server, operating system and browser type, for system administration and to report aggregate information to us. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. The “Help” menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. Additionally, you can disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on’s settings or visiting the website of its manufacturer. However, because cookies allow you to take advantage of some of the Company’s essential features, we recommend that you leave them turned on. If you do leave cookies turned on, be sure to sign off when you finish using a shared computer.
  6. Further processing limitation
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
    2. Further processing limitation – The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, section 15.
  7. Information quality
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5. The organisation will comply with all of the aspects of Condition 5, section 16.
    2. Accuracy – The organisation will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
      • Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
      • Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
      • Staff who keeps more detailed information about individuals will be given additional guidance on accuracy in record keeping.
    3. Updating – The organisation will review all personal information on an annual. Should your personal information change, please inform us and provide us with updates to your personal information as soon as reasonably possible to enable us to update your personal information.
    4. Archiving – All Personal Information which you provide to the Company will be held and/ or stored securely for the purpose of collection. Your Personal Information will be stored electronically in a database. Where appropriate, some information may be retained in hard copy. In either event, storage will be secure and audited regularly regarding the safety and the security of the information.
    5. Where data is stored electronically outside the borders of South Africa, such is done only in countries that have similar privacy laws to our own or where such facilities are bound contractually to no lesser regulations than those imposed by POPI.
    6. Once this information is no longer required, due to the fact that the purpose has been served, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008, or longer, should this be required by any other law applicable in South Africa. Thereafter, all your Personal Information will be permanently destroyed. Information about our members is an important part of our business and we do not sell it to others. The Company shares customer information only as described below.
    7. Third Party Service Providers: We employ other companies and individuals to perform functions on our behalf. Examples include sending postal mail and e-mail, removing repetitive information from customer lists, analysing data, and providing marketing services. Third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process the personal information in accordance with this privacy policy and as permitted by South African data protection legislation.
    8. Business Transfers: As we continue to develop our business, we might sell or buy or subsidiaries or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing privacy policy (unless, of course, the customer consents otherwise). Also, in the unlikely event that the Company or substantially all of its assets are acquired, personal information will of course be one of the transferred assets.
    9. Protection of the Company and others: We release account and other personal information when we believe that such a release is appropriate to comply with the law; enforce or apply our customer or other agreements; or protect the rights, property or safety of the Company, our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this privacy policy. With your consent, other than as set out above, you will receive notice when information about you might go to third parties and you will have an opportunity to choose not to share the information.
  8. Openness
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.
    2. Openness – In line with Conditions 6 and 8 of the Act, the organisation is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
      • for what purpose it is being processed;
      • what types of disclosure are likely; and
      • How to exercise their rights in relation to the data.
    3. Procedure – Data Subjects will generally be informed in the following ways:
      • Policies
      • Privacy Notice
      • Consent Forms
    4. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
  9. Security Safeguards
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, and section 19 to 22. This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.
    2. Specific risks – The organisation has identified the following risks:
      • Staff with access to personal information could misuse it.
      • Staff may be tricked into giving away information, either about customers / member or colleagues, especially over the phone, through “social engineering”.
    3. Setting security levels – Access to information on the main the organisation computer system will be controlled by function.
    4. Security measures – The organisation will ensure that all necessary controls are in place in terms of access to personal information.
    5. Business continuity – The organisation will ensure that adequate steps are taken to provide business continuity in the event of an emergency.
  10. Data Subject participation
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.
    2. Responsibility – Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.
    3. Procedure for making request – Subject access requests must be in writing. All staff is required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay.
    4. Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the organisation PAIA Manual.
    5. Provision for verifying identity – Where the individual making a subject access request is not personally known to the POPI Act Information Officer their identity will be verified before handing over any information.
    6. Charging – Fees for access to personal information will be handled in compliance with the PAIA Act.
    7. Procedure for granting access – Procedures for access to personal information will be handled in compliance with the PAIA Act, as defined in the organisation PAIA Manual.
    8. Data Subject’s rights – You have the right to request a copy of the personal information we hold about you or to object to the processing of personal information held about you. To do this, contact us at the numbers/addresses listed earlier and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information. We make use of a variety of mediums for marketing purposes, which include, but is not limited to text messages, phone calls and E-mail communication, to the numbers and addressed provided by you, with you consent.
    9. You can always choose not to provide information. If you do not want to receive e-mail or other electronic communications and mail from us, unsubscribe in your terms and conditions or let us know in writing if you don’t want to receive these offers. However, please note, if you do not want to receive legal notices from us, such as this privacy policy, those notices will still govern your use of the Company services and products and it is your responsibility to review them for changes.
    10. You have the right to ask us to update, correct or delete your personal information. You may do this by contacting us at the numbers/addresses provided earlier. We will take all reasonable steps to confirm your identity before making changes to personal information we may hold about you. We would appreciate it if you would keep your personal information accurate. Please update your information by contacting us at the numbers/addresses provided earlier whenever your details change.
  11. Processing of Special Personal Information
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.
    2. Processing of Special Personal Information – The organisation has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
    3. Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences.
    4. Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information applies, a responsible party is prohibited from processing special personal information.
  12. Processing of Personal Information of Children
    1. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.
    2. Processing of Personal Information of Children – The organisation has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records.
    3. General authorisation concerning personal information of children only applies where under-18 are involved.
  13. Information Security
    1. You input your credit/debit card information directly on the payment gateway portal and the organisation does not receive any credit/debit card information during order processing.
    2. It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off and log off when finished using a shared computer.
  14. Subscriptions and newsletters
    1. By subscribing to any of our Newsletter, you give the organisation permission to send marketing emails, which includes special offers and new product information, from us and our partnering businesses, to the email address that you have provided and registered with. Please note that you are at liberty to unsubscribe at any time.
  15. eBooks
    1. Our eReader is based on Verrso digital reader, which can be downloaded on Google Play. When you use the Verrso eReader, you agree that your data may be collected by and transmitted to Verrso via the eReader.
    2. Verrso / Google Play may collect, receive, use and share this data, but only in accordance with Verrso and Google Play’s Privacy Policies contained in the Privacy Policy on the Verrso App and at https://policies.google.com/privacy as amended from time to time.
    3. Data, in this clause 15.1, means any information relating to a registered user including all information that could be used to identify, locate, or contact an individual, and data relating to a registered user’s use of the relevant Reader Application, which Google Play / Verrso indicates it may collect in accordance with its Privacy Policy identified above.
  16. Trips and functions
    1. When you book a function or trip with us you consent to some of your personal information to be provided on a need-to-know basis to our third party service providers and associates. As functions and trips are sometimes organised with assistance from third party service providers who assist us to interact with you via our website, email or any other method, for the arranging, booking and paying of trips or functions, and thus need to know your personal information in order to assist us to communicate with you properly and efficiently.
    2. Our function and trip associates may collect, receive, use and share this data, but only in accordance with their Privacy Policies as amended from time to time.
    3. Our Boat Cruises which include but are not limited to #NetGirls, #NetMatrieks and #NetStudente is organised and booked through MSC. MSC may collect, receive, use and share this data, but only in accordance with their Privacy Policies contained in the Privacy Policy on their websites at https://www.msccruises.co.za/privacy as amended from time to time.
    4. Whilst we will do all things reasonably necessary to protect your rights of privacy, we cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of your personal information, whilst in our possession, made by third parties who are not subject to our control, unless such disclosure is as a result of our gross negligence.
  17. Prior Authorisation
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
    2. Direct Marketing, Directories and Automated Decision Making – The organisation undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
    3. Opting in – Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
    4. Electronic contact – Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
  18. Trans-border information flows
    1. Scope – The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.
    2. Trans border information flows – The organisation will ensure that the POPI Act Chapter 9, section 72 is fully complied with.
    3. Compliance with section 72 will be achieved through the use of the necessary contractual commitments from the relevant third parties.
  19. Staff training & acceptance of responsibilities
    1. Scope – The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
    2. Documentation – Information for staff is contained in this policy document and other materials made available by the Information Officer.
    3. Induction – The Information Officer will ensure that all staff that has access to any kind of personal information will have their responsibilities outlined during their induction procedures.
    4. Continuing training – The organisation will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.
    5. Procedure for staff signifying acceptance of policy – The organisation will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.
  20. Protection Of Personal Information
    1. We strive to keep the personal information of our customers confidential and have taken steps to comply with the Protection of Personal Information Act. If you have any questions or concerns relating to your privacy or our use of your personal information, please contact us via email on [email protected]
  21. Policy review
    1. Responsibility – The Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.
    2. Procedure – The Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.