Data Protection Policy

  1. INTRODUCTION

1.1 Berndt and La Vita Incorporated (“BLV”) is a law practice registered at the Legal Practice Council under practice number 13300. During its engagement with its clients and suppliers, BLV will process personal information. This policy sets out how such personal information is processed and stored in accordance with the conditions set down in the Protection of Personal Information Act 2 of 2013 (“POPI” or “POPIA”).

1.2 This Data Protection Policy explains how BLV complies with and implements the 8 conditions laid down in POPI. It also elaborates on the duties of the Information Officer, on how BLV adopted a POPI legal framework, why BLV collects and processes personal information and to whom it may disclose personal information. It is an integral part of our Privacy Terms and must be read together with our Data Protection Policy and our POPI Declaration.

 

  2. General rules relating to Personal Information

2.1 Personal Information shall at all times be:

  1. processed fairly and lawfully;
  2. obtained only for specific lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate, and kept up to date;
  5. held for no longer than necessary for the purpose it was obtained for;
  6. processed in accordance with the rights of data subjects;
  7. protected in appropriate ways, methodologies and procedures and according to suitable methods, both organisationally and technologically;
  8. not disclosed, transferred or exported illegally.

  3. BLV and the 8 POPI Conditions

3.1 Condition 1: Accountability

BLV has appointed an Information Officer who is responsible for ensuring that the information protection principles within POPI and the controls that are in place to enforce them are complied with.

3.2 Condition 2: Processing Limitation

BLV provides a strict context for processing personal information. It undertakes to ensure that the information that it processes abides by the principles of:

3.2.1     being proportionate to the purpose of delivering the services;

3.2.2     lawfulness;

3.2.3     minimality of information collected;

3.2.4     consent;

3.2.5     justification; and

3.2.6     objection.

3.3 Condition 3: Purpose Specification

BLV only collects personal information for a lawful and specific purpose. Record retention is no longer than 7 years after the purpose for which the personal information was collected is complete, unless required otherwise by law. The personal information is thereafter destroyed, deleted or de-identified as soon as reasonably practical.

3.4 Condition 4: Further processing limitation

BLV does not further process personal information unless such processing is compatible with the purpose for which the information was collected in principle 3 or by consent from the data subject, or the responsible party has warranted that it obtained adequate consent.

3.5 Condition 5: Information quality

BLV takes reasonable practical steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date, where necessary.

3.6 Condition 6: Openness

BLV is transparent about the collection of personal information and takes reasonably practicable steps to ensure that the data subject has been made aware that his or her or its personal information is going to be collected.

3.7 Condition 7: Security Safeguards

BLV ensures that the integrity of the personal information in its control is secured through technical and organisational measures.

3.8 Condition 8: Data Subject Participation

BLV, as a responsible party, has implemented a system whereby data subjects may produce a report confirming whether it holds personal information about the data subject, and he or she may also request a description of such information.

  4. The Information Officer

The Information Officer of BLV is:

Audrey Berndt

Email: audrey@blvlaw.co.za 

The Information Officer shall:

  1. be registered at the Information Regulator’s office;
  2. be responsible for compliance with all technological and operational data protection standards and protocols, and advise of any risk of breach at the earliest opportunity with a view to avoiding any risk or breach, or limiting any damage resulting from it;
  3. ensure that all operational and technological data protection standards are complied with;
  4. arrange data protection training and provide advice and guidance to all employees;
  5. be entitled and authorised to initiate disciplinary proceedings against any employee who at any time breaches any technological and/or organisational and/or operational data protection standard, rule, custom, instruction, policy, practice and/or protocol (verbal, in writing or otherwise) (“Rules”);
  6. review and approve any contracts or agreements with third parties to the extent that they may handle or process data subject information;
  7. attend to requests from individuals and entities to access data BLV holds about them (“data subject requests”).

  5. BLV Employees and Data Subject Personal Information

5.1 All personal information shall be deemed confidential information and shall be handled as such.

5.2 The only persons entitled to access personal information will be those who need to access it for the execution of their direct work services or required outputs.

5.3 Under no circumstances will personal information be shared outside the scope of required work outputs. In the event of any doubt, an employee shall be entitled to access confidential information only after obtaining authorisation from the Information Officer.

5.4 Employees received induction and training on all security standards applicable to such employee’s duties involving personal information of data subjects.

5.5 Employees shall keep all data secure by taking sensible practical precautions and complying with all the Rules.

  6. BLV Data Storage and Security Safeguards

6.1 Paper

6.1.1 Where data is stored on paper, it will always be kept in a secure place where an unauthorised person cannot access or see it. This also applies to data stored electronically which has been printed out for a specific reason.

6.1.2 Hard copies of documents containing personal information are kept in a locked drawer, safe or cabinet.

6.1.3 Employees ensure that paper and printouts are not left in places where unauthorised persons can see them, e.g. on a printer, and all unwanted paper is shredded.

6.2 Electronic data

6.2.1 Where data is stored electronically, it is protected from unauthorised access, accidental deletion or any risk of exposure to malicious hacking attempts:

6.2.1.1 All emails, attachments and metadata are stored in BitLocker-encrypted Azure storage;

6.2.1.2 BLV uses Office 365 and benefits from Microsoft’s highest levels of security.

6.2.2 Data is protected by strong passwords that are changed regularly and never shared between employees.

6.2.3 Data is backed up frequently in accordance with backup protocols. Such backups are tested regularly in line with BLV’s standard backup procedures and protocols under the direction of the Information Officer.

6.3 BLV takes reasonable measures to ensure the security and integrity of information submitted to or collected from a data subject, but cannot under any circumstances be held liable for any loss or other damage sustained by you as a result of unlawful access to or dissemination of any personal information by a third party.

6.4 BLV ensures that all systems, services and equipment used for processing and/or storing data adhere to internationally acceptable standards of security and data safeguarding, and are regularly updated to continue to comply with such standards.

6.5 BLV implements password protocols, data access protocols, data sign-on procedures, password safeguarding protocols, sign-on and sign-off procedures, and log-on and log-off procedures, as well as a description of the accessories, applications and equipment that may be used under any circumstance.

  7. Cross-Border Data Transfers

7.1 In order to be able to fulfil its obligations to you or in the operation of its legitimate business, it may be necessary for BLV to transfer Personal Information to a third party outside of South Africa. In the event of such cross-border transfer, BLV undertakes to ensure that such country has adequate privacy laws in place and that binding corporate rules, or a binding agreement that provides an adequate level of protection, are in place.

  8. Data Subject Access Requests

8.1 Individuals and entities who are the subject of personal information held by BLV are entitled to:

8.1.1 enquire about what information is held about them and the purpose for holding it;

8.1.2 enquire how to gain access to their own personal information;

8.1.3 be informed of any special measures BLV uses to keep such data up to date.

8.2 Data subject requests shall be addressed to the Information Officer and sent electronically.

8.3 The identity of a person making a data subject request will always be verified before handing over any information requested.

  9. Contact

Please contact the Information Officer with any questions or concerns about the operation of this Data Protection Policy.