Privacy & Security Policy

POPIA AND PAIA COMPLIANCE POLICY

1. INTRODUCTION

1.1 This policy is intended to give you a holistic understanding of how to comply with legislation so as not to infringe the rights of private or public entities, and of the correct procedures to follow to respect and strengthen these rights.

1.2     In terms of Section 32 of the Constitution, every person is guaranteed the right to access information.

1.3 The purpose of the Protection of Personal Information Act 4 of 2013 (POPIA) is to protect the right to privacy in terms of section 14 of the Constitution, which includes protection against the unlawful processing of personal information by public and private bodies. In this context, the word "processing" means handling personal information belonging to a person, including collection, usage, storage, dissemination, modification, or destruction. Accordingly, POPIA sets out requirements and strict guidelines for the processing of personal information. This applies to every natural or juristic person processing records and data of any kind that constitute personal information of an identifiable, living natural person or juristic person.

1.4 The purpose of the Promotion of Access to Information Act 2 of 2000 (PAIA) is to enhance and strengthen the right of every individual, whether a natural or juristic person, to access information held by the state or any other person in order to assist him or her to exercise or protect his or her rights.

2. DEFINITIONS

"Data Subject" means the person to whom the personal information relates;

"Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;

b) dissemination by means of transmission, distribution or making available in any other form; or

c) merging, linking, as well as restriction, degradation, erasure, or destruction of information.

"Personal Information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –

a)        information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and the birth of the person;

b)       information relating to the education or the medical, financial, criminal, or employment history of the person;

c)        identifying number, symbol, e-mail address, physical address, telephone number, or another particular assignment to the person;

d)       the blood type or any other biometric information of the person;

e)        the personal opinions, views, or preferences of the person;

f)          correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

g)        the views or opinions of another individual about the person; and

h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

"Responsible Party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means of processing personal information, the agent/agency;

3. GENERAL

In general, a Responsible Party processes its clients' personal information, but may only process a Data Subject's personal information after obtaining consent from the Data Subject to do so.

Every public and private entity processes personal information and therefore needs to comply with the POPI Act.

The PAIA refers to a request to access information, such as records, decisions, and information held by a private or public entity, that can strengthen the requester's right to information.

4. CONDITIONS FOR PROCESSING DATA POLICY

NFM INSIGHTS (PTY) LTD must:

4.1 Ensure that the conditions set out in the Act, and all the measures that give effect to such conditions, are complied with at the time of processing, during the processing, and after the processing of data.

4.2 Process personal information lawfully and in a reasonable manner that does not infringe the Data Subject's privacy. Personal information may only be processed if, given the reason for processing, it is reasonable, relevant, and not excessive.

4.3 Collect personal information only for a specific, explicitly defined lawful purpose related to a function or activity of the Responsible Party, and not retain it longer than is necessary to achieve that specific purpose unless the Responsible Party has authorisation to do so.

4.4 Process the information in a manner compatible with the initial purpose for which it was collected.

4.5 Take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading, and updated where necessary.

4.6 Maintain documentation of all processing operations and ensure that the Data Subject is aware of the purpose for data processing, the contact details of the Responsible Party, whether providing data is voluntary or mandatory, the consequences of failing to provide the data, the possibility of data being transferred to a third party, and applicable legislation.

4.7   Secure the integrity and confidentiality of personal information.

4.8 Correct or delete the information when requested to do so by the Data Subject.

5. RIGHTS OF A DATA SUBJECT

Before personal data is processed, the Data Subject must provide consent that the personal data may be processed for a specific purpose. The Data Subject is not obliged to consent to personal data being processed, and the Data Subject has the following rights:

5.1 To be notified that personal information is being collected and/or that an authorised person is accessing personal information.

5.2  To establish if a responsible party holds access to personal information and request access thereto.

5.3  To request correction, destruction, or deletion of personal information.

5.4  To object to the processing of personal information.

5.5  Not to be subject to a decision that is based on automated processing.

5.6 To submit a complaint to the Regulator if and when they feel their rights are being infringed.

5.7  To institute civil proceedings regarding an alleged interference with the protection of personal information.

6. CONSEQUENCES OF NON-COMPLIANCE

As a Responsible Party, we have to adhere to the POPIA requirements. Should we not comply, and a Data Subject feels that their rights have been infringed or that personal data has been unlawfully processed, a complaint can be lodged with the Regulator. If the Regulator feels that personal data was unlawfully processed, that the Responsible Party did not reasonably protect the Data Subject's personal data, or that the Responsible Party did not fully comply with the POPIA requirements, this may result in prosecution, with possible imprisonment or a fine of up to 10 million Rand for the Responsible Party.

7. RESPONSIBILITIES AND CONSEQUENCES

Any person who obtains personal data on behalf of NFM INSIGHTS (PTY) LTD shall be responsible for ensuring that they obtain the necessary consent from the Data Subject to process the data for a specific reason and for a specific time. Should this information be shared with a third party, the person responsible for sharing this information must convey this to the Data Subject. The responsible party must provide the Data Subject with the third party's contact details, the reason for sharing the personal data, and the time in which the data will be processed. If the Data Subject requests that the data be deleted, amended, or updated, the person receiving this request will be responsible for adhering to this request after first obtaining the correct identification of the Data Subject. Employees who fail to adhere to this policy will be subject to disciplinary proceedings in terms of the grievance and disciplinary procedure of NFM INSIGHTS (PTY) LTD.

8. POLICY AMENDMENTS

NFM INSIGHTS (PTY) LTD’s management team may, from time to time, amend, supplement, modify or alter this policy.  This policy was last updated on 10/12/2025.