Privacy policy
1. Introduction
Letsatsi Finance & Loan (Pty) Ltd (“Letsatsi”) is a financial service provider and national credit provider, whose primary business is that of a micro financier to personal clients. Letsatsi is committed to sound business practices in compliance with relevant legislation, which, for purposes of this Privacy Policy, includes the Protection of Personal Information Act 4 of 2013 (POPI) read with the Constitution of the Republic of South Africa.
2. Purpose, scope and objectives
2.1 This policy will set out the manner in which personal information of internal and external parties is collected, managed, stored, used and protected by Letsatsi. This policy applies to all employees of Letsatsi.
2.2 The objectives are to:
- process personal information lawfully in terms of legislation;
- provide a guideline as to the manner in which Letsatsi processes and protects personal information;
- adopt good practices in terms of processing of personal information;
- protect Letsatsi from the consequences of breaching its responsibilities;
- display the commitment of Letsatsi to uphold and respect information privacy.
3. Definitions
3.1 “personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
3.2 “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
4. Type of information processed
4.1 Letsatsi may collect and process the following types of information:
- Company details, including registration number, contact details, VAT numbers, directors’ details
- Bank statements
- Payslips
- Name and surname
- Identity number (date of birth)
- Gender
- Contact details, including email address, telephone numbers, address
- Credit reports
- Employment information
- Client payment reports
- Employee data, including salary, disciplinary records, banking details, medical information, account numbers, tax information
- Settlement letters/invoices from creditors or suppliers
5. Lawful processing
Letsatsi undertakes to comply with the 8 conditions for the lawful processing of personal information:
5.1 Accountability
Letsatsi takes responsibility and remains accountable for personal information in our possession and processed by us. Letsatsi will ensure that the conditions for lawful processing are given effect to and complied with.
5.2 Processing limitation
5.2.1 Letsatsi undertakes to process personal information-
- Lawfully;
- In a reasonable manner that does not infringe the privacy of the data subject;
- In a manner that is adequate, relevant and not excessive.
5.2.2 Personal information will only be processed if-
- the data subject or a competent person, where the data subject is a child, consents thereto;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
5.2.3 Personal information will be collected directly from the data subject, unless
- the information is contained in or derived from a public record or has deliberately been made public by the data subject;
- the data subject or a competent person, where the data subject is a child, has consented to the collection of the information from another source;
- collection of the information from another source would not prejudice a legitimate interest of the data subject;
- collection of the information from another source is necessary-
  - to avoid prejudice to the maintenance of the law by any public body;
  - to comply with an obligation imposed by law or to enforce legislation;
  - for the conduct of proceedings, in any court or tribunal, that have commenced or are reasonably contemplated;
  - in the interests of national security; or
  - to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
- compliance would prejudice a lawful purpose of the collection; or
- compliance is not reasonably practicable in the circumstances of the particular case.
5.3 Purpose specification
5.3.1 Letsatsi will collect personal information for the following and related purposes:
- Affordability check
- Fraud check
- Credit qualification and risk
- Delivering of Services
- Complying with contracts
- Confirmation of employment
- Debt collection, including tracing in the event of default on payment
- Invoice and Quoting purposes
- Compliance with legislation
- Vetting of employees
- Communication with clients and suppliers
5.3.2 Once personal information, processed and stored by Letsatsi, has reached its expiry date or becomes in any way redundant, Letsatsi will destroy or delete the record of personal information in a manner that prevents its reconstruction in an intelligible form.
5.4 Further processing limitation
Letsatsi undertakes to carry out any further processing of personal information in accordance with, or in a manner compatible with, the purpose for which it was originally collected.
5.5 Information quality
Letsatsi will take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
5.6 Openness
5.6.1 Letsatsi will maintain the documentation of all processing operations under its responsibility.
5.6.2 If personal information is collected, Letsatsi will take reasonably practicable steps to ensure that the data subject is aware of-
- the information being collected or the source from which it is collected;
- the name and address of the responsible party;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
- any further relevant information.
5.7 Security safeguards
5.7.1 Letsatsi undertakes to secure the integrity and confidentiality of personal information in its possession or under its control. This is done by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.
5.7.2 Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Letsatsi will notify, as soon as reasonably possible after the discovery of the compromise-
- the Regulator; and
- the data subject, unless the identity of such data subject cannot be established.
5.7.3 Letsatsi has put in place the following adequate safeguards to secure the integrity and confidentiality of personal information:
- Physical access security to the building
- Password protection on Loan Management systems
- Password protection on all computer logins
- Anti-virus on all computers
- Firewalls
5.8 Retention and destruction of data
5.8.1 Letsatsi undertakes to ensure that the retention, storage and destruction of data are in line with the requirements of the POPI Act as well as best practices – the specifics of which will be outlined in a separate Data Retention Policy.
5.8.2 The Data Retention Policy will address how employees may obtain, create (for example unique identifiers), store, transmit, protect and destroy or delete Personal Information.
5.8.3 Letsatsi will identify what Personal Information should be collected, where to store it and how to keep it secure. Retention periods, specifically those prescribed by FICA and FAIS legislation, will be assigned to the Personal Information when it is collected, together with how it will be destroyed.
5.8.4 Letsatsi will ensure that records that are captured, kept and maintained are only those which are relevant to the purpose and are kept only for the length of time for which they are required. These records will be kept up to date and only used for the purpose for which they were gathered.
5.8.5 Letsatsi will take adequate measures to secure the retention and destruction of physical Personal Information records. Storage and deletion of electronic records will be handled in terms of the procedures specified in the Data Retention Policy to reduce the chances of data breaches taking place.
5.8.6 Personal information will only be retained for as long as necessary for the purpose it was collected and in line with regulations governing the duration information should be kept.
5.8.7 Letsatsi will destroy Personal Information as soon as reasonably possible after any legal justification to retain it has lapsed, in compliance with Section 14.
5.8.8 Letsatsi will retain and store Personal Information where required or authorised to do so, by law. Letsatsi will also retain Personal Information where it reasonably needs to for lawful purposes related to its functions or activities, such as contracts with clients that specify the terms of service or product offering.
5.8.9 Where a contract between Letsatsi and other parties requires retaining a record, the contract must specify the retention requirement and applicable time periods.
5.8.10 If the data subject consents to the retention, consent must be voluntary, specific and informed; it must never be assumed. To be able to make an informed decision, the data subject will be informed why retention is required and for how long.
5.8.11 Letsatsi may reasonably retain records for historical, statistical or research purposes.
5.8.12 Safeguards will be put in place to prevent the records from being used for any other purpose. Where possible, Letsatsi will ‘de-identify’ the Personal Information. This entails destroying any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject.
5.8.13 Where Personal Information is used to make a decision about a data subject, such as whether the data subject qualifies for a particular product, this Personal Information must be retained for any period required or prescribed by law or a code of conduct. Where no period is prescribed, Letsatsi will retain it for a period that will afford the data subject a reasonable opportunity to request access to the record, taking into account the intended use of the Personal Information.
5.8.14 Physical records containing Personal Information will be destroyed by means of shredding via a 3rd Party service.
5.8.15 Digital or electronic records will be fully deleted and not accessible in a deleted items folder. Electronic Personal Information stored in a cloud or back-up will be deleted or de-identified when it is no longer required to be retained. Access to Personal Information on servers or back-ups will be conservatively and responsibly managed.
5.9 Data subject participation
If you have any questions or concerns regarding this policy, your personal information held by Letsatsi, the correction or deletion of personal information or updating your personal information held by Letsatsi, you should contact Letsatsi by sending an email to the information officer, Chantal, at chantal@smitcompliance.com or the compliance department at compliance@letsatsifinance.co.za.
6. Collection of information
Letsatsi collects personal information in the following manners:
- Voluntary disclosure via multiple sources
- Telephonically
- Website forms
- Credit bureau systems
- Agents and brokers
- Credit applications
- Supplier applications
7. Disclosure of information
Where applicable, we may disclose your personal information to our service providers and partners who are involved in the delivery of products or services to you. We will ensure that they have taken reasonably practicable steps to comply with and process personal information in accordance with POPI.