1 INTRODUCTION
1.1 This Privacy Policy (“Policy”) describes how the Cash-In-Transit Association of South Africa (“CITASA”, “we” or “us”) collects, uses, and shares your personal information when you –
1.1.1 become a member of CITASA (“Member”);
1.1.2 visit the CITASA website at www.citasa-sa.co.za);
1.1.3 engage with us as a supplier or stakeholder; and
1.1.4 are employed as an employee or appointed as a contractor to CITASA or apply for a position at CITASA.
(together “you” or “data subject”).
1.2 This Policy must, as is appropriate, be read together with any other documents or agreements between CITASA and you (the “Agreements”).
2 WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL INFORMATION?
2.1 CITASA is the ‘responsible party’ (i.e., the organisation responsible) for the personal information that is collected from you and used for the purposes of data privacy laws, principles and regulations which may apply to you, including the Protection of Personal Information Act (“POPIA”) and any other data protection laws (collectively, “Data Privacy Law”).
2.2 In certain instances, CITASA and a Member may be “joint responsible parties” of certain personal information which is shared by the Member(s) with CITASA in order to achieve the objectives set out in the CITASA Constitution.
2.3 This Policy does not apply to the processing of personal information by other third parties (including Members) relating to or by means of other parties’ websites, products, or services, such as websites linked to, from or advertised on our website or through our products and services, or sites which link to or advertise our website or our products and services. We are not responsible for the privacy practices of such third parties (including Members) or third-party websites, or for any claims, loss or damage arising from these.
3 WHAT PERSONAL INFORMATION DO WE COLLECT?
We collect the following personal information from you –
3.1 Members
3.1.1 Identification information: Organisation/entity name, registration number, registered address.
3.1.2 Contact information: Organisation/entity representative’s name, email address, cell phone number.
3.1.3 Financial information: Tax information.
3.1.4 Incidents: Information relating to heist incidents affecting the Member which at times includes information pertaining to the criminal behaviour and a record of those persons involved in the incident.
3.1.5 Correspondence: All correspondence between Member and CITASA.
3.1.6 Other: Any personal information which Member voluntarily discloses or submits to CITASA.
3.2 CITASA website visitors or users
3.2.1 When you visit CITASA website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. We refer to this automatically-collected information as “Device Information”.
3.2.2 We collect Device Information using the following technologies –
3.2.2.1 “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
3.2.2.2 “Log files” track actions occurring on the website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
3.2.2.3 “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the website.
3.2.2.4 Your geographic location information based on your mobile network operator’s tower details, GPS (Global Positioning System) and/or WIFI communications network location.
3.2.2.5 Information that you provide to us and/or allow the website to access.
3.3 Suppliers and Stakeholders
3.3.1 Identification information: Organisation/entity name, registration number, registered address.
3.3.2 Contact information: organisation/entity representative’s name, email address, cell phone number.
3.3.3 Correspondence: All correspondence between you and CITASA.
3.3.4 Other: Any personal information, with particular reference to information relating to incidents, which you voluntarily disclose or submit to CITASA and which may include tax and banking information.
3.4 Employees and prospective employees
3.4.1 Biographic information: Your full name, gender, date of birth, identity number or passport number (as applicable), photograph, nationality, marital status.
3.4.2 Contact information: Your home and postal address, telephone number, email address.
3.4.3 Employment history and information: Your current job title, details of your employment history including employer’s names and details, your performance information (including management metrics, appraisals, feedback), any disciplinary records, salary expectations.
3.4.4 Education records: Your academic records, proof of qualification.
3.4.5 Criminal record (where permissible and in accordance with applicable law).
3.4.6 CCTV: Information captured on security systems, including CCTV and key token entry systems.
3.4.7 Third party personal information: Your emergency contact’s personal information (including full name, telephone number, email address), your employer’s contact details (if listed as a contactable reference).
3.4.8 Financial information: Your bank account details, taxpayer information.
3.4.9 Health, medical and biometric personal information: Information about any critical medical health issues and medication (if applicable to such conditions), any information about your special needs and physical limitations.
3.4.10 Information from screenings: Where permitted by law the results of drug and alcohol testing, screening, health certifications, COVID-19 screenings.
3.4.11 Policy information: Your acknowledgements regarding our policies, including this Policy.
3.4.12 Access information and security passes: Key token entry systems.
3.4.13 IT information and correspondence: Information required to provide access to our IT systems and networks such as IP addresses, log files and login information, voicemails, emails, correspondence and other work product and communications created, stored or transmitted by an employee using our computer or communications equipment.
3.4.14 Other personal information: This may include information you provide through internal surveys, choose to include on your intranet profile or post on our notice boards or intranet, such as photographs, birthdays or biographical details.
3.4.15 Exit information: Date of resignation or termination, reason for resignation or termination, and information relating to administering termination of employment (e.g., references).
3.5 There may be instances in which the personal information that you provide to us or which we collect constitutes personal information of someone other than yourself. Where you provide a third party’s personal information to us, you warrant that the information is accurate and that you have the necessary consent to share the personal information with us, unless you have another lawful basis for sharing the personal information with us.
3.6 When we talk about “personal information” in this Policy, we are talking both about all the above listed personal information.
4 HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
4.1 Most of the personal information we process about you is information that you knowingly provide to us (i.e., personal information that you provide directly to us). However, in some instances, we process personal information that we are able to infer about you based on other information you provide to us (such as supporting documents) or on our interactions with you, or personal information about you that we receive from a third party using a process that we have told you about.
4.2 Unless otherwise stated, all of the information we request from you is obligatory. If you do not provide and/or allow us to process all the obligatory information as requested, we will not be able to keep complete information about you, thus affecting our ability to accomplish the stated purposes.
5 HOW WE USE YOUR PERSONAL INFORMATION (PURPOSE AND LAWFUL BASIS)?
We process the above listed personal information for the following reasons –
5.1 Members
5.1.1 We use the Member personal information for the following purposes –
5.1.1.1 onboard you as a member and communicate with you regarding this process;
5.1.1.2 to enter into and perform in terms of any Agreement we have with you;
5.1.1.3 to comply with our legal obligations;
5.1.1.4 process membership fees; and
5.1.1.5 communicate with you and other members regarding incidents and any of the objectives set out in the CITASA Constitution.
5.1.2 Our lawful basis for processing Member information is –
5.1.2.1 Contract: We process your personal information to the extent it is necessary to conclude or perform under the agreement we have with you.
5.1.2.2 Legal obligation: We have certain legal obligations which require us to process your personal information.
5.2 CITASA website visitors or users
5.2.1 We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimise our website.
5.2.2 Our lawful basis for processing your Device Information is –
5.2.2.1 Consent: When we use cookies, we will process your Device Information with your prior consent.
5.2.2.2 Our legitimate interests: We process your Device Information in line with our legitimate business interests, which interests are not overridden by your data protection interests or fundamental rights and freedoms.
5.3 Suppliers and Stakeholders
5.3.1 We use the supplier and stakeholder personal information for the following purposes –
5.3.1.1 to enter into and perform in terms of any Agreement we have with you
5.3.1.2 to communicate with you; and
5.3.1.3 to comply with our legal obligations.
5.3.2 Our lawful basis for processing your personal information is –
5.3.2.1 Contract: We process your personal information to the extent it is necessary to conclude or perform under the agreement we have with you.
5.3.2.2 Legal obligation: We have certain legal obligations which require us to process your personal information.
5.4 Employees and prospective employees
5.4.1 In respect of your biographic information, contact information, employment history, educational records: To evaluate applications for employment and to decide on your suitability for employment; to manage all aspects of the employment relationship (including, but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes and other general administrative and human resource-related processes)
5.4.2 In respect of your criminal record and CCTV: To assess your suitability for employment, to prevent and detect crime, to protect the health and safety of our customers and employees, to manage and protect our property and the property of our employees, clients and other visitors.
5.4.3 In respect of third party personal information: To notifying your emergency contact in the event of an emergency; to contact beneficiaries in the event in respect of benefits; to contact your references as part of the recruitment process
5.4.4 In respect of your financial information: To manage payroll and facilitate payment to you and to comply with applicable tax and employment laws.
5.4.5 In respect of your health and biometric information (including facial recognition): To monitor the period of time worked, attendance at the office, maintain sickness records and occupational health programs.
5.4.6 In respect of information from screenings: To protect the health and safety of our clients and employees and to comply with applicable health and safety laws.
5.4.7 In respect of policy information: To ensure that you read and understand the policies applicable to the workplace.
5.4.8 In respect of access information and security passes: To provide you access to the premises and to monitor which employees are on premises for the purpose of safety and security.
5.4.9 In respect of IT information and correspondence: To protect the safety and security of CITASA, its members, employees and property; to assess work performance and whether facilities are being used in accordance with acceptable use policies in effect.
5.4.10 In respect of any other personal information: To conduct employee opinion surveys and to promote your profile within CITASA.
5.4.11 In respect of exit information: To administer termination of employment and provide and maintain references.
5.4.12 If you are a staff member, we may need to collect information about your race, ethnic origins, gender, and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws, or we may process information about your health to provide work-related accommodations, health and insurance benefits to you and your dependents, or to manage absences from work.
5.5 Our lawful basis for processing personal information is –
5.5.1 Contract: We will also process your personal information to the extent that it is necessary to conclude or perform under the contract we have with you.
5.5.2 Legal obligation: As an employer, we have certain legal obligations which require us to process your personal information. This includes processing for tax purposes and employment equity legislation.
5.5.3 Consent: In certain instances, we will only process your personal information with your consent.
5.5.4 Legitimate interests: In all other instances, we process your personal information in line with our legitimate business interests in employing you as an employee, which interest is not overridden by your data protection interests or fundamental rights and freedoms.
6 SHARING YOUR PERSONAL INFORMATION
6.1 We share your personal information –
6.1.1 with third party service providers that help us use your personal information for the purposes as described above. Service providers include: our professional advisors (e.g., legal, financial, risk management and others); bankers; auditors; our insurers and insurance brokers; our payroll provider; and our IT service providers.
6.1.2 in respect of Members, suppliers, or stakeholders’ personal information, we may share your personal information with other members of CITASA and law enforcement if such sharing is aligned with our objectives or in terms of laws.
6.1.3 to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
6.1.4 In respect of CITASA website users, with Google Analytics to help us understand how our visitors use the website — you can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
7 INTERNATIONAL DATA TRANSFERS
7.1 CITASA may transfer your personal information to countries other than South Africa, among other things for the purposes of storing that information. The country in which the information is stored may not have data protection laws similar to those of South Africa.
8 SECURITY SAFEGUARDS
8.1 Our website is scanned from time to time for security weaknesses and known vulnerabilities in order to make your visit to our website as safe as possible. We also use regular malware scanning. Your personal information is held on secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential.
8.2 Our computer systems and network are protected by firewalls with geo-location blocking which enables us to restrict access only to users with the requisite authorisation. Additionally, the use of multi-factor authenticated virtual private network connections enable us to monitor and control remote access requests.
8.3 Nevertheless, such security measures cannot prevent all loss, misuse or alteration of personal information and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by applicable law and other applicable laws. Where required under law, we will notify you of any such loss, misuse or alteration of personal information that may affect you, so that you can take the appropriate actions for the due protection of your rights.
9 DIRECT MARKETING
9.1 We may process your personal information for the purpose of direct marketing if (i) you have specifically consented (or “opted in”) to receive such communication; or (ii) you are a Member of CITASA. You can, at any time, opt-out or reject such communication.
10 YOUR RIGHTS
10.1 In terms of Data Privacy Laws, you have certain rights including, without limitation –
10.1.1 Access rights: You have the right to request a copy of any record (or in the absence of a record) a description of your personal information held by us.
10.1.2 Right to rectification: You can require us to have inaccurate personal information corrected.
10.1.3 Right to object: You have the right to object to the processing of your personal information at any time, on reasonable grounds relating to your particular situation, unless the processing is required by law.
10.1.4 Right to erasure: You can require us to erase personal information in certain circumstances where there is no lawful basis for us to retain such personal information.
Please note, however, that in some instances we must retain your personal information for certain periods of time as required by law.
10.1.5 Right to restrict: You can require us to restrict our processing of your personal information in certain circumstances.
10.1.6 Right to withdraw consent: You can withdraw any consents to processing that you have given us and prevent further processing if there is no other legitimate ground upon which we can process your personal information.
10.1.7 Right to complain: You can raise a complaint about our processing with the data protection regulator in your jurisdiction, or with our Information Officer.
10.1.8 Reject cookies: You can reject the use of cookies by changing your browser settings or clicking “reject” when you first enter our website.
10.2 You also have a duty to inform us of changes to your personal information: It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
11 DATA RETENTION
11.1 We keep records of your personal information no longer than is necessary for the purpose for which we obtained them and for any other permitted compatible purposes.
11.2 The prohibition listed above will not apply in the following circumstances –
11.2.1 where the retention of the record is required or authorised by law;
11.2.2 CITASA requires the record to fulfil its lawful functions or activities;
11.2.3 retention of the record is required by a contract between the parties thereto;
11.2.4 you (or competent person, where you are a child) has consented to such longer retention; or
11.2.5 the record is retained for historical, research or statistical purposes provided safeguards are put in place to prevent use for any other purpose.
12 CHANGES
12.1 We may update this Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. To assist you, this Policy has an effective date set out at the end of this document. The latest version of this Policy will be stored on the CITASA website.
13 MINORS
13.1 The website and CITASA’s services are not intended for individuals under the age of 18. We will not knowingly process the personal information of people under the age of 18 without express consent from a parent or guardian to do so.
14 CONTACT US
14.1 For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us –
14.1.1 Responsible party: Cash-In-Transit Association of South Africa
14.1.2 Registered address: 2 Bruton Road, Block A, Nicol on Main Office Park, Bryanston, Johannesburg, 2191
14.1.3 Information Officer: Grant Clark
14.1.4 Information Officer’s contact information: 010 300 0991
15 RIGHT TO COMPLAIN
15.1 You have the right to complain to the relevant regulator, if you believe that the processing of your personal information by us is in breach of applicable Data Privacy Laws, with the contact information of the South African Information Regulator being provided below:
15.1.1 JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
15.1.2 www.justice.gov.za/inforeg/contact.html
15.1.3 POPIAComplaints.IR@justice.gov.za
This Policy is effective as of 1 April 2022.