POPIA, PRIVACY AND DATA PROTECTION POLICY
1. Introduction
The FAIS Act provides for the protection of personal information of clients, and the Protection of Personal Information Act, 2013 (POPIA) provides for 8 data protection information principles to comply with to ensure the protection of all data that relates to companies, employees and clients. The Promotion of Access to Information Act, 2 of 2000 (PAIA) provides for access to such information and the instances in which it may be refused.
2. Purpose
Data privacy and data protection are important to The Spirit Group of Companies (“the Group”), and this Policy sets out the POPIA principles in line with existing FAIS requirements to ensure the safekeeping of all data by the Group. This Policy applies to all data obtained via products, services, websites and events offered and operated by The Group or by any other means.
3. Definitions
Information: Means any Data relating to the Data Subject and includes reference to personal information.
Data Subject: Means the person to whom the personal information relates and can include clients, staff, providers/suppliers and/or company information.
Processing: Any use by any means of a Data Subject’s information.
4. The 8 POPIA Principles
Principle 1: Accountability: The Group must appoint an Information Officer (IO) who will be responsible for ensuring that the 8 POPIA information principles are implemented and enforced in the Group. A Deputy Information Officer (DIO) will be appointed to assist the IO with the implementation and enforcement.
Principle 2: Processing Limitation: Only necessary information should be collected, directly from the person to whom the Personal Information relates and with their consent and the processing should be for a lawful purpose.
Principle 3: Purpose specification: Personal Information should be collected for a specific purpose and the Data Subject must be made aware of the purpose for which it was collected.
Principle 4: Further processing limitation: Further processing of Personal Information must be compatible with the purpose for which the information was collected (Principle 3).
Principle 5: Information quality: Reasonable steps must be taken to ensure that all information collected is accurate, complete, not misleading and up to date in accordance with the purpose for which it was collected (Principle 3).
Principle 6: Openness: The Party collecting the information must be transparent and inform the applicable regulator if it is going to process the information and ensure that the Data Subject has been made aware that his/her information is going to be collected.
Principle 7: Security Safeguards: The integrity of the information under the control of a party must be secured through technical and operational measures.
Principle 8: Data Subject Participation: Data Subjects have the right (free of charge) to request confirmation from the party that holds their information on the details they hold and may request for it to be amended/deleted.
5. Practical Implications of the POPIA Data Protection Principles
5.1. Appointment of the Information Officer
The Group has appointed an IO, namely Ryan Magee, the Group Director of Operations. He will be responsible for ensuring that the Group has been properly informed and trained on ensuring the safekeeping and protection of information and that the required processes are implemented to ensure compliance with the POPIA act. The IO can be contacted at: +21 21 657 8370 or emailed at: ryan.magee@spiritinvest.com.
5.2. Information purpose
The type of information the Group collects will depend on the purpose for which the Data is collected and used. The Group will collect the necessary information from Data Subjects for various purposes, including the following:
5.2.1. rendering suitable services, e.g. financial services (including the rendering of advice and intermediary services) and administrative services, to Data Subjects;
5.2.2. improving services and product offerings to Data Subjects;
5.2.3. providing information and resources most relevant and helpful to Data Subjects;
5.2.4. appointing suitable individuals/ companies to provide financial services/ products to Data Subjects;
5.2.5. ensuring compliance with legislation that requires specific information to be collected.
5.3. Access to Information
Data Subjects have the right to request a copy of the information that the Group holds on them or their business. Should a Data Subject wish to obtain any such information, the Data Subject may request it by contacting the IO on the details provided above.
The Group will not disclose or share information relating to any Data Subject, unless: it is specifically agreed with the Data Subject; it is already publicly available or in the interests of the public; required in terms of Law or if the Group believes in good faith that the Law requires disclosure thereof.
This Policy (in terms of the Promotion of Access to Information Act, 2 of 2000) sets out below the process for access by third parties to a Data Subject’s information kept by the Group, and the instances in which it may be refused.
5.4. Collection of Information
General: The Group collects information in various ways, such as directly from individuals (for example when signing an agreement/mandate/application form for a financial product, registering an account, or signing up for an electronic letter or communication), from employers, from publicly available information, and through cookies and/or similar technology. Where possible, The Group must inform Data Subjects which information they are legally required to provide, and which information is optional. With the Data Subject’s consent, The Group may supplement the information with other information received from other companies and/or organizations such as the South African Revenue Services (SARS) in order to enable The Group to render suitable and proper services to Data Subjects.
Client Supplied Information: The Data Subject may be required to provide some personal information such as their name, address, phone number, email address, and/or certain additional categories of information as a result of using/ receiving financial services, purchasing financial products, and using websites and related services. The Group will keep this information in a contact database for future reference, as needed.
Marketing: The Group may use certain information provided by Data Subjects to offer them further services that The Group believes may be of interest to them or for market research purposes. These services are subject to prior consent being obtained from Data Subjects. If a Data Subject no longer wishes to receive further services or offers from the company, it may unsubscribe from the services or contact the Information Officer at the contact details provided above.
Usage and Web Server Logs: The Group’s websites may track information about a Data Subject’s usage and visits on the website. This information may be stored in usage or web server logs, which are records of the activities on The Group’s services, products and/or sites. The Group’s servers automatically capture and save such information electronically. Some examples of the information that may be collected include: the Data Subject’s unique Internet protocol address; the name of the Data Subject’s Internet Service Provider; the city, province/state, and country from which a Data Subject accesses the Group’s website(s); the browser application or computer used; the number of links clicked within the site; the date and time of visits to the site; the web page from which the Data Subject arrived on the company site; the pages viewed on the site; and certain searches/queries conducted on the site via the company’s services, products and/or websites. The information collected in usage or web server logs helps The Group to administer the services, products and sites, analyse their usage, protect the product and/or website and content from inappropriate use and improve the user's experience.
Cookies: In order to offer and provide a customised and personal service through The Group’s products and websites, the company may use cookies to store and help track information about the Data Subject. A cookie is a small text file sent to the Data Subject’s device that the company uses to store limited information about the Data Subject’s use of the services, products or website. The company uses cookies to provide the Data Subject with certain functionality (such as to enable access to secure log-in areas and to save the Data Subject having to re-enter information into product, services or website forms) and to personalize the company’s services, products or website content. Without cookies, this functionality would be unavailable.
5.5. Retaining of Information
The Group may retain personal information for purposes of reporting, administration, monitoring its website or to communicate with Data Subjects. Information may be retained only to serve the purpose of collecting the information and is to be deleted/destroyed once the purpose has been fulfilled, subject to other regulatory requirements where information is to be kept for a specific prescribed period. Information and records of a personal nature of Clients and/or Employees will be stored for a period of 5 years before being destroyed.
5.6. Correcting/ Amending/ Updating/ Deletion of Information
Data Subjects are required to inform The Group should there be any changes to the information kept by the company. A Data Subject may request The Group to correct, amend, update or delete its information at any time when applying or making use of any financial products or services of the company, by contacting the IO at the contact details provided above. The FSP will take all reasonable steps to confirm the Data Subject’s identity before making changes to information.
5.7. Information Security
The Group shall apply the following measures to ensure the security of Personal Information:
5.7.1. The Group will take all reasonable precautions to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
5.7.2. The Group will not sell, rent, or lease mailing lists with information to third parties and will not make a Data Subject’s information available to any unaffiliated parties, except for approved agents, suppliers and contractors, or as otherwise specifically provided for, as agreed with the Data Subject in writing or as required in terms of any Law.
5.7.3. The Group may disclose information of a Data Subject or information about a Data Subject’s usage of the company’s financial services, financial products, websites or mobile applications to unaffiliated third parties as necessary to enhance services and financial product experience, to meet the obligations to content and technology providers, or as required by law, subject to agreements in place that provide for the protection of information of Data Subjects.
5.7.4. The Group has implemented appropriate security measures to help protect information against accidental loss and from unauthorised access, use, or disclosure. The Group stores information about Data Subjects in a restricted cloud server with appropriate monitoring and uses a variety of technical security measures to secure information, including intrusion detection and virus protection software. The Group may also store and process information in systems located outside the company’s premises or the Data Subject’s home country. However, regardless of where storage and processing may occur, The Group takes appropriate steps to ensure that information is protected as required under relevant Data Protection/Privacy laws.
5.7.5. The Data Subject’s access to some of The Group’s services and content may be password protected, and non-disclosure of such usernames and passwords is required to ensure the safekeeping of the Data Subject’s information. It is recommended that the Data Subject sign out of the account or service and close the browser at the end of each session.
5.7.6. The Group is legally obliged to provide adequate protection of information held and to prevent unauthorised access and use of information. The company is therefore committed to ensuring that all information of the Data Subject (Entity, Clients and/or Employees) will be kept safe and secure and not be disclosed to any unauthorized third parties without the consent of the relevant Data Subject.
5.7.7. The Group may from time to time transfer information within and between various worldwide locations in compliance with the country of origin’s regulations and this Policy.
5.7.8. Persons/ Employees/ Parties (as applicable) are not allowed to disclose any information to any unauthorized third party as it may lead to a breach, disciplinary action and possible dismissal.
5.7.9. The Group takes reasonable steps to protect Personal Information, which is held in a secure cloud or physical servers. The Group cannot, however, guarantee the security of information transmitted to it electronically from Data Subjects and they do so at their own risk. The company maintains administrative, technical and physical safeguards to ensure protection of information against loss, misuse or unauthorized access, disclosure, alteration or destruction of the information provided to the company by the Data Subject or the Data Subject’s employer. The Group seeks to ensure compliance with Data Protection/ Privacy regulations, laws and industry best practices in respect of the security of a Data Subject’s Personal Information. Where the Data Subject is located in another country with other data protection/privacy laws, the company may transfer Personal Information to such other countries, but they may not always guarantee the same level of protection for Personal Information as the one in which the Data Subject resides (despite the company’s best endeavors to ensure protection of Information). By providing information to The Group, the Data Subject consents to these transfers.