TERMS AND CONDITIONS EFFECTIVE 1 JULY 2021
PLEASE READ OUR WEBSITE(S) TERMS AND CONDITIONS OF USE BEFORE CONTINUING TO BROWSE OR ORDER / USE SERVICES ON OUR WEBSITE(S).
THE USE OF OUR WEBSITE(S) IS GOVERNED BY THE TERMS AND CONDITIONS STIPULATED BELOW. BY USING ANY OF OUR WEBSITE(S) YOU AGREE TO BE BOUND BY ALL TERMS AND CONDITIONS, INCLUDING ANY PRIVACY STATEMENTS (WHICH ARE DEEMED TO BE INCORPORATED IN THE TERMS AND CONDITIONS) THAT APPEAR ON THIS AND/OR OUR WEBSITE(S) INCLUDING ANY AMENDMENTS THERETO.
IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS YOU MUST IMMEDIATELY CEASE BROWSING OUR WEBSITE(S).
This Agreement (“Terms”) sets out the terms and conditions that govern your use of Ace Digihub (Pty) Ltd products and services (such as website services), as well as any other services and/or goods offered by Ace Digihub (Pty) Ltd. We hope that you find this information helpful.
By agreeing to these Terms, you also consent to the following policies applicable to, and accessible on, our websites:
and such other URLs that we may indicate from time to time (“Website(s)”), which are incorporated by reference into these Terms: Privacy Policy, POPI Website Policy, Website Terms of Use, and any other policy as is made available on our Website(s) from time to time (“Policies”). If your service and/or product is being paid for by a third party (such as a subsidiary/related company), then you will be bound by all provisions in these Terms (including payment provisions), however, we may enter into a separate agreement with the aforesaid to govern payment for the services and/or goods on your behalf, as well as to govern the receipt of certain information in relation to your completion of the services and/or goods.
1. Introduction
1.1 Our website(s) can be accessed at www.acemec.market (the “Website”) and is owned and operated by Ace Digihub (Pty) Ltd (“Acemec Marketplace”, “we”, “us” and “our”).
1.2 These Website Terms and Conditions (“Terms and Conditions”) govern the ordering, sale, and delivery of services and/or goods and the use of our Website(s).
1.3 These Terms and Conditions are binding and enforceable against every person that accesses or uses our Website(s) (“you”, “your” or “user”), including without limitation each user who registers as contemplated below (“registered user”). By using our Website(s) and by clicking on the “Register Now/Sign Up” button on our Websites, as may be applicable, you acknowledge that you have read and agree to be bound by these Terms and Conditions.
1.4 ACEMEC MARKETPLACE allows approved third-party service providers to list and sell their services on our Website(s) (each a “Third Party Seller”). Certain terms in these Terms and Conditions only apply to purchases from Third Party Sellers, and others only apply to purchases from ACEMEC MARKETPLACE. This will be made clear in the relevant clause(s).
2. Important Notice
2.1 These Terms and Conditions apply to users who are consumers for purposes of the Consumer Protection Act, 68 of 2008 (the “CPA”).
2.2 Further, these Terms and Conditions set out the Protection of Personal Information Act, 4 of 2013 compliance measures (“POPI”).
2.3 These Terms and Conditions contain provisions that appear in similar text and style to this clause and which –
1. may limit the risk or liability of ACEMEC MARKETPLACE or a third party; and/or
2. may create risk or liability for the user; and/or
3. may compel the user to indemnify ACEMEC MARKETPLACE or a third party; and/or
4. serve as an acknowledgement, by the user, of a fact.
2.4 Your attention is drawn to these Terms and Conditions because they are important and should be carefully noted.
2.5 If there is any provision in these Terms and Conditions that you do not understand, it is your responsibility to ask ACEMEC MARKETPLACE to explain it to you before you accept the Terms and Conditions or continue using our Website(s).
2.6 Nothing in these Terms and Conditions is intended or must be understood to unlawfully restrict, limit, or avoid any right or obligation, as the case may be, created for either you or ACEMEC MARKETPLACE in terms of the law.
2.7 ACEMEC MARKETPLACE permits the use of our Website(s) subject to the Terms and Conditions. BY USING OUR WEBSITE(S) IN ANY WAY, YOU SHALL BE DEEMED TO HAVE ACCEPTED ALL THE TERMS AND CONDITIONS UNCONDITIONALLY. You must not use our Website(s) if you do not agree to the Terms and Conditions.
3 Refunds
3.1 This policy applies to the return of goods and/or services, bought from us, ACEMEC MARKETPLACE (“ACEMEC MARKETPLACE”) by you (“the consumer”).
3.2 ACEMEC MARKETPLACE does not provide refunds unless in accordance with the applicable legal provisions and/or instead offers the consumer credit on his/her account to be used on any future service requirements as provided for by ACEMEC MARKETPLACE.
3.3 All refunds are subject to internal Anti-money laundering protocols.
3.4 All refunds may be subject to incidental costs (e.g., bank charges etc), which will be withheld from the refund amount.
3.5 ACEMEC MARKETPLACE reserves the right to determine the value of such credit.
3.6 You must ensure that you present your original tax invoice or other proof of purchase when returning services and/or goods.
3.7 Where the services and/or goods in question are not defective or where you do not have a statutory right to return goods, ACEMEC MARKETPLACE may, in its sole and absolute discretion, elect to accept returns and replace the services and/or goods in question or refund the consumer. Where ACEMEC MARKETPLACE does so, this is done so in good faith. It is not an admission of liability, nor should it be taken as an acknowledgement that the ACEMEC MARKETPLACE will accept similar returns on the same basis in the future.
3.8 ACEMEC MARKETPLACE is only bound to accept the return of services and/or goods when it is required to do so in terms of the relevant law, including in terms of the Consumer Protection Act 68 of 2008. In any other case,
3.9 ACEMEC MARKETPLACE:
3.9.1 does so in its sole and absolute discretion in each instance; and
3.9.2 may, in its sole and absolute discretion, elect whether to replace the services and/or goods or refund the consumer.
3.10. Collection or acceptance of refunded/returned services and/or goods by ACEMEC MARKETPLACE, even where the consumer believes it has a statutory right to return goods, does not constitute acceptance of liability by the ACEMEC MARKETPLACE.
4 Returns for unsafe or defective goods.
4.1 If within 6 months of the delivery of goods to you, you find that the goods are faulty, not commercially acceptable, or unsuitable for the purpose generally intended, you may contact us to arrange for the goods to be collected to ascertain if they are in fact unsafe and/or defective.
4.1.1 If:
4.1.1.1. the goods are unsafe and/or defective then, without paying a penalty fee and at the expense of ACEMEC MARKETPLACE, you may request, at your choice, that the goods be repaired or replaced or that you be given a refund;
4.1.1.2. the goods are not found to be unsafe and/or defective then you will be liable for the costs associated with collecting and inspecting the goods.
4.2 ACEMEC MARKETPLACE reserves the right to send the returned goods for technical assessment prior to repairing, replacing, or refunding them.
4.3 If you choose to repair the goods in question during the 6-month period contemplated above, such repairs will carry a further warranty of 3 months from the date of repair.
4.4 In the event of the goods being unsatisfactorily repaired or if any further failure or defect is discovered within 3 months from the date of repair, you will be entitled to request the ACEMEC MARKETPLACE to either replace the goods or refund you the money paid for the goods.
4.5 In relation to the quality or durability of goods, please note that they will not be considered defective if:
4.5.1 the consumer has been expressly informed that particular goods were offered in a specific condition; and
4.5.2 the consumer has expressly agreed to accept the goods in that condition, or knowingly acted in a manner consistent with accepting the goods in that condition.
4.6 Returns for goods and/or services purchased as a result of direct marketing
4.6.1 ACEMEC MARKETPLACE will accept returns of services and/or goods purchased as a result of direct marketing by ACEMEC MARKETPLACE, provided that you notify the ACEMEC MARKETPLACE of your intention to return the services and/or goods within 5 business days after the services and/or goods were delivered to you and you return the services and/or goods, at your risk and expense, to us within 10 business days from the date on which the goods were delivered to you.
4.7 ACEMEC MARKETPLACE will accept returns:
4.7.1 where you were not given a reasonable opportunity to examine or inspect goods and/or services prior to delivery and you reject the goods and/or services on the basis that they are not of the type or quality reasonably contemplated or do not conform with the agreed specifications in the case of custom-made or special-order goods;
4.7.2 where goods and/or services that you ordered have been mixed with goods and/or services that you did not order (and in this case you may return all of the goods or only those that differ from what you ordered);
4.7.3 where the goods and/or services ordered are not suitable for their intended specified purpose (provided that the specified purpose was communicated to us and we agreed to supply the goods and/or services on that basis); and
4.7.4 provided that in all cases the goods are returned to us within 10 business days after delivery.
4.8 In all instances relating to the return of goods and/or services, ACEMEC MARKETPLACE may impose a reasonable charge if:
4.8.1 the goods and/or services, are not in their original condition – i.e., damaged packaging, partially consumed and/or that are not in a saleable condition;
4.8.2 the goods and/or services, returned in boxes or packaging that have been re-marked, damaged, or defaced in any way, including price stickers; or
4.8.3 documentation was received, or work started on a specific service;
4.8.4 the goods and/or services, have been depleted or consumed in excess of the amount reasonably necessary to determine that the goods were unacceptable.
4.9 Notwithstanding the provisions above, no returns will be accepted if:
4.9.1 the return is prohibited for public health reasons;
4.9.2 where the consumer had a change of heart;
4.9.3 the product and/or service was specifically created for the consumer;
4.9.4 any other public regulation prohibits the return of the goods for whatever reason;
4.9.5 the goods and/or services, have been altered contrary to ACEMEC MARKETPLACE’s or the manufacturer’s instructions after leaving our control;
4.9.6 the goods and/or services, have been partially or entirely disassembled; or
4.9.7 the goods and/or services, have been permanently installed, affixed, attached, joined, or added to, blended, or combined with, or embedded within, other goods.
Notwithstanding the above, kindly note that all refunds will be processed within 30 days from receiving the required documentation from the Client.
5 Conclusion of sales and availability of stock
5.1 Registered users may place orders for services and/or goods, which ACEMEC MARKETPLACE or the Third-Party Seller may accept or reject. Whether or not ACEMEC MARKETPLACE or the Third-Party Seller accepts an order depends on the availability of services and/or goods, correctness of the information relating to the services and/or goods (including without limitation the price) and receipt of payment or payment authorisation by ACEMEC MARKETPLACE for the services and/or goods.
5.2 NOTE: ACEMEC MARKETPLACE or the Third-Party Seller will indicate the acceptance of your order by delivering the services and/or goods by electronic means to you or allowing you to collect them by electronic means, and only at that point will an agreement of sale between you and ACEMEC MARKETPLACE or the Third-Party Seller come into effect (the “Sale”). This is regardless of any communication from ACEMEC MARKETPLACE stating that your order or payment has been confirmed. ACEMEC MARKETPLACE will indicate the rejection of your order (by ACEMEC MARKETPLACE itself or the Third-Party Seller) by cancelling it and, as soon as possible thereafter, crediting the amount to your profile or refunding you for any amount already paid, where applicable.
5.3 Prior to delivery or your collection of the services and/or goods, you may cancel an order at any time provided you do so before receiving a dispatch or delivery notice. After delivery or your collection of the services and/or Goods, you may return the services and/or Goods only in accordance with the Returns Policy.
5.4 You acknowledge that stock of all services and/or goods on offer is limited and that pricing may change at any time without notice to you. In the case of services and/or goods for sale by ACEMEC MARKETPLACE, ACEMEC MARKETPLACE will take all reasonable efforts to monitor stock levels and ensure that when stock is no longer available, offers thereof are discontinued on our Website(s). However, we cannot guarantee the availability of stock. When services and/or goods are no longer available after you have placed an order, ACEMEC MARKETPLACE will notify you and you will be entitled to a credit, or a refund of any amount already paid by you for such services and/or Goods.
5.5 In the case of services and/or Goods for sale by a Third-Party Seller, ACEMEC MARKETPLACE relies on inventory information supplied by the relevant Third-Party Seller and ACEMEC MARKETPLACE accordingly bears no liability for any inaccuracies in the information supplied to it. Consequently, should you order any services and/or Goods from a Third-Party Seller which are in fact sold-out, any resulting dispute should be resolved as set out in these Terms and Conditions.
5.6 Certain services and/or Goods may not be purchased for resale. Should we suspect that any such services and/or Goods are being purchased for sale, we are entitled to cancel your order immediately on notice to you. If you would like to resell our services and/or products, feel free to contact us.
6 Errors
6.1 The information contained on our website(s) and the services provided by any employee, subcontractor, agent and/or representative of ACEMEC MARKETPLACE is presented “as is” and may include technical or legislative inaccuracies, typographical errors or errors pertaining to any applicable industry related requirements. ACEMEC MARKETPLACE reserves the right to make additions, deletions, or modifications to the information or to the services provided at any time without any prior notification.
6.2 We shall take all reasonable efforts to accurately reflect the description, availability, purchase price and delivery charges of services and/or Goods on our Website(s). However, should there be any errors of whatsoever nature on our Website(s) (which are not due to our gross negligence), we shall not be liable for any loss, claim or expense relating to a transaction based on any error, save – in the case of any incorrect price – to the extent of refunding you for any amount already paid, or otherwise as set out in the Returns Policy.
6.3 ACEMEC MARKETPLACE shall not be bound by any incorrect information regarding our services and/or Goods displayed on any third-party websites.
7 Privacy policy
7.1 We respect your privacy and will take reasonable measures to protect it in accordance with POPI.
7.2 All calls made to an ACEMEC MARKETPLACE designated telephone number are recorded for security and quality reasons. The aforesaid remains subject to our Privacy and POPI policies.
7.3 Should you decide to register as a user on our Website(s), we may require you to provide us with personal information which includes but is not limited to –
7.3.1 Your full name and surname;
7.3.2 Company details;
7.3.3 your email address;
7.3.4 your physical address;
7.3.5 your mobile number; and
7.3.6 your Identification and/or Passport number, etc.
7.4 Should your personal information change, please inform us and provide us with updates to your personal information as soon as reasonably possible to enable us to update your personal information.
7.5 You may choose to provide additional personal information to us, in which event you agree to provide accurate and current information, and not to impersonate or misrepresent any person or entity or falsely state or otherwise misrepresent your affiliation with anyone or anything.
7.6 Subject to the below and your consent, the purpose of gathering/processing and storing your personal information is as follows:
7.6.1. Complete the requisite registration forms in relation to the services on offer;
7.6.2. Complete searches on government databases to confirm and/or complete services on offer;
7.6.3. To maintain a database of all client provided information to allow for access during service delivery and to meet our legal obligations with regards to information retention.
7.6.4. in relation to the ordering, the sale and delivery of services and/or Goods;
7.6.5. to contact you regarding current or new service and/or Goods or any other service and/or Goods offered by us or any of our divisions, affiliates and/or partners (if you have Opted In to receive such communication);
7.6.6. to inform you of new features, special offers and promotional competitions offered by us or any of our divisions, affiliates and/or partners (if you have Opted In to receive such communication); and
7.6.7. to improve our service and/or Goods selection and your experience on our Website(s) by, for example, monitoring your browsing habits or tracking your sales on our Website(s); or
7.6.8. disclose your personal information to any third party other than as set out below:
7.6.9. to our employees and/or third-party service providers who assist us to interact with you via our Website(s), email, or any other method, for the ordering of service and/or Goods or when delivering service and/or Goods to you, and thus need to know your personal information in order to assist us to communicate with you properly and efficiently;
7.6.10. to our divisions, affiliates and/or partners (including their employees and/or third-party service providers) in order for them to interact directly with you via email or any other method for purposes of sending you marketing material regarding any current or new service and/or goods, new features, special offers or promotional items offered by them (if you have Opted In to receive such communication);
7.6.11. to law enforcement, government officials, fraud detection agencies or other third parties when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report or support the investigation into suspected illegal activity, or to investigate violations of these Terms and Conditions;
7.6.12. to our service providers (under contract with us) who help with parts of our business operations (fraud prevention, marketing, specialised services, technology services etc). However, our contracts dictate that these service providers may only use your information in connection with the services they perform for us and not for their own benefit;
7.6.13. to our suppliers in order for them to liaise directly with you regarding any defective service and/or Goods you have purchased which requires their involvement; and
7.6.14. to any Third-Party Seller for purposes of sending you an invoice for any service and/or Goods purchased from such Third-Party Seller.
7.7 We are entitled to use or disclose your personal information if such use or disclosure is required in order to comply with any applicable law, subpoena, an order of the court or legal process served on us, or to protect and defend our rights or property. In the event of fraudulent online payment, ACEMEC MARKETPLACE is entitled to disclose relevant personal information for criminal investigation purposes or in line with any other legal obligation for disclosure of the personal information which may be required of it.
7.8 We will ensure that all our employees, third-party service providers, divisions, affiliates, and partners (including their employees and third-party service providers) having access to your personal information are bound by appropriate and legally binding confidentiality obligations in relation to your personal information.
7.9 Ratings and Reviews: When you provide a rating, testimonial, or review of a service and/or Goods, you consent to us using the rating, testimonial, or review as we deem fit, including without limitation on our Website(s), in newsletters or other marketing material. The details that will appear next to that rating or review are your First Name and Last Name, your Service / Goods, and Date of rating / review / testimonial. If you do not agree to this, please inform us immediately or alternatively kindly do not put any ratings or reviews on our Website(s). Notwithstanding, we encourage all clients to submit their reviews and ratings regarding our services as without feedback we will not be able to meet the constantly changing client needs. Kindly note that we will not display any of your contact details with a rating or review.
7.10 We will –
7.10.1 treat your personal information as strictly confidential, save where we are entitled to share it as set out in this policy;
7.10.2 take appropriate technical and organisational measures to ensure that your personal information is kept secure and is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access;
7.10.3 provide you with access to your personal information to view and/or update personal details;
7.10.4 promptly notify you if we become aware of any unauthorised use, disclosure, or processing of your personal information;
7.10.5 provide you with reasonable evidence of our compliance with our obligations under this policy on reasonable notice and request; and
7.10.6 upon your request, promptly return or destroy any and all of your personal information in our possession or control, save for that which we are legally obliged to retain.
7.11 We will not retain your personal information longer than the period for which it was originally needed, unless we are required by law to do so, or you consent to us retaining such information for a longer period.
7.12 ACEMEC MARKETPLACE undertakes never to sell or make your personal information available to any third party other than as provided for in this policy.
7.13 Whilst we will do all things reasonably necessary to protect your rights of privacy, we cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of your personal information, whilst in our possession, made by third parties who are not subject to our control, unless such disclosure is as a result of our gross negligence.
7.14 If you disclose your personal information to a third party, such as an entity which operates a website or service linked to our Website(s) or anyone other than ACEMEC MARKETPLACE, ACEMEC MARKETPLACE SHALL NOT BE LIABLE FOR ANY LOSS OR DAMAGE, HOWSOEVER ARISING, SUFFERED BY YOU AS A RESULT OF THE DISCLOSURE OF SUCH INFORMATION TO THE THIRD PARTY. This is because we do not regulate or control how that third party uses your personal information. You should always ensure that you read the privacy policy of any third party.
8 Changes to these Terms and Conditions
8.1 ACEMEC MARKETPLACE may, in its sole discretion, change any of these Terms and Conditions at any time. It is your responsibility to regularly check these Terms and Conditions and make sure that you are satisfied with the changes. Should you not be satisfied, you must not place any further orders on, or in any other way use, our Website(s).
8.2 Any such change will only apply to your use of our Website(s) AFTER the change is displayed on our Website(s). If you use our Website(s) after such amended Terms and Conditions have been displayed on our Website(s), you will be deemed to have read and accepted such changes.
9 Electronic communications
9.1 When you visit our Website(s) or send emails to us, you will be requested to provide consent to receive communications from us or any of our divisions, affiliates, or partners electronically in accordance with our privacy policy.
9.2 Consent can be revoked at any time by providing us with written notice, further;
9.3 The “unsubscribe” feature on our communication can be utilised.
10 Ownership and copyright
10.1 The contents of the Website(s) and/or, including any material, information, data, software, icons, text, graphics, layouts, images, sound clips, advertisements, video clips, trade names, logos, trademarks, designs, and service marks which are displayed on or incorporated in our Website(s) and/or (“Website Content”) are protected by law, including but not limited to copyright and trademark law. Our Website(s) Content is the property of ACEMEC MARKETPLACE, its advertisers and/or sponsors and/or is licensed to ACEMEC MARKETPLACE.
10.2 You will not acquire any right, title, or interest in or to our Website(s) or our Website(s) Content.
10.3 Any use, distribution or reproduction of our Website(s) Content is prohibited unless expressly authorised in terms of these Terms and Conditions or otherwise provided for in law.
10.4 Where any of our Website(s) Content has been licensed to ACEMEC MARKETPLACE or belongs to any third party, your rights of use will also be subject to any terms and conditions which that licensor or third party imposes from time to time, and you agree to comply with such third-party terms and conditions.
11 Disclaimer
11.1 The use of our Website(s) is entirely at your own risk and you assume full responsibility for any risk or loss resulting from use of our Website(s) or reliance on any information on our Website(s).
11.2 Whilst ACEMEC MARKETPLACE takes reasonable measures to ensure that the content of our Website(s) is accurate and complete, ACEMEC MARKETPLACE makes no representations or warranties, whether express or implied, as to the quality, timeliness, operation, integrity, availability, or functionality of our Website(s) or as to the accuracy, completeness, or reliability of any information on our Website(s). If any such representations or warranties are made by ACEMEC MARKETPLACE representatives, ACEMEC MARKETPLACE shall not be bound thereby.
11.3 ACEMEC MARKETPLACE rejects liability for any damage, loss, or expenses, whether direct, indirect, or consequential in nature, arising out of or in connection with your access to or use of our Website(s) and/or any content therein unless otherwise provided by law.
11.4 Any views or statements made or expressed on our Website(s) are not necessarily the views of ACEMEC MARKETPLACE, its directors, employees and/or agents.
11.5 The views, opinions, discussions, recommendations, comments, teachings, findings, advice, criticism and/or any actions taken relating to the purchase, transfer of any of the above related services and/or products are those of ACEMEC MARKETPLACE only and do not reflect nor do they represent that any official legislation, regulations, policies, or positions are fully complied with.
11.6 Although ACEMEC MARKETPLACE, its employees, subcontractors, agents and/or representatives always strive to provide information on the background, procedures, advantages, and the responsibilities of the various parties involved relating to this service, we do not warrant the accuracy, effectiveness, and regulatory compliance of any service and/or product ACEMEC MARKETPLACE has provided, is in the process of providing or will provide in the future.
11.7 In addition to the disclaimers contained elsewhere in these Terms and Conditions, ACEMEC MARKETPLACE also makes no warranty or representation, whether express or implied, that the information or files available on our Website(s) are free of viruses, spyware, malware, trojans, destructive materials or any other data or code which is able to corrupt, destroy, compromise, disrupt, disable, harm, jeopardise or otherwise impede in any manner the operation, stability, security, functionality or content of your computer system, computer network, hardware or software in any way. You accept all risk associated with the existence of such viruses, destructive materials or any other data or code which is able to corrupt, compromise, jeopardise, disrupt, disable, harm, or otherwise impede in any manner the operation or content of a computer system, computer network, any handset or mobile device, or your hardware or software, save where such risks arise due to the gross negligence or wilful misconduct of ACEMEC MARKETPLACE, its employees, agents, or authorised representatives. ACEMEC MARKETPLACE thus disclaims all liability for any damage, loss or liability of any nature whatsoever arising out of or in connection with your access to or use of our Website(s).
12 Linking to third party websites
12.1 Our Website(s) may contain links or references to other websites (“Third Party Websites”) which are outside of our control, including those of advertisers. These Terms and Conditions do not apply to those Third-Party Websites and ACEMEC MARKETPLACE is not responsible for the practices and/or privacy policies of those Third-Party Websites or the “cookies” that those sites may use.
12.2 Notwithstanding the fact that our Website(s) may refer to or provide links to Third Party Websites, your use of such Third-Party Websites is entirely at your own risk and we are not responsible for any loss, expense, claim or damage, whether direct, indirect, or consequential, arising from your use of such Third-Party Websites or your reliance on any information contained therein.
13 Limitation of liability
13.1 ACEMEC MARKETPLACE cannot be held liable for any inaccurate information published on our Website(s) and/or any incorrect prices displayed on our Website(s), save where such liability arises from the gross negligence or wilful misconduct of ACEMEC MARKETPLACE, its employees, agents, or authorised representatives. You are encouraged to contact us to report any possible malfunctions or errors.
13.2 ACEMEC MARKETPLACE SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL LOSS OR DAMAGES WHICH MIGHT ARISE FROM YOUR USE OF, OR RELIANCE UPON, OUR WEBSITE(S) OR THE CONTENT CONTAINED IN OUR WEBSITE(S); OR YOUR INABILITY TO USE OUR WEBSITE(S), AND/OR UNLAWFUL ACTIVITY ON OUR WEBSITE(S) AND/OR ANY LINKED THIRD-PARTY WEBSITE.
13.3 YOU HEREBY INDEMNIFY ACEMEC MARKETPLACE AGAINST ANY LOSS, CLAIM OR DAMAGE WHICH MAY BE SUFFERED BY YOURSELF OR ANY THIRD PARTY ARISING IN ANY WAY FROM YOUR USE OF OUR WEBSITE(S) AND/OR ANY LINKED THIRD-PARTY WEBSITE.
13.4 YOU HEREBY INDEMNIFY ACEMEC MARKETPLACE AGAINST ANY LOSS, CLAIM OR DAMAGE WHICH MAY BE SUFFERED BY YOURSELF OR ANY THIRD PARTY ARISING IN ANY WAY FROM YOUR USE OF CONSULTATIONS OFFERED BY ACEMEC MARKETPLACE BEING IT TELEPHONIC, FACE TO FACE OR PER ELECTRONIC COMMUNICATION.
14 Availability and termination
14.1 We will use reasonable endeavours to maintain the availability of our Website(s), except during scheduled maintenance periods, and are entitled to discontinue providing our Website(s) or any part thereof with or without notice to you.
14.2 ACEMEC MARKETPLACE may in its sole discretion terminate, suspend, and modify our Website(s), with or without notice to you. You agree that ACEMEC MARKETPLACE will not be liable to you in the event that it chooses to suspend, modify, or terminate our Website(s) other than for processing any orders made by you prior to such time, to the extent possible.
14.3 If you fail to comply with your obligations under these Terms and Conditions, including any incident involving payment of the price of an order for any Goods and/or Services, this may (in our sole discretion with or without notice to you) lead to a suspension and/or termination of your access to our Website(s) without any prejudice to any claims for damages or otherwise that we may have against you.
14.4 ACEMEC MARKETPLACE is entitled, for purposes of preventing suspected fraud and/or where it suspects that you are abusing our Website(s), to blacklist you on its database (including suspending or terminating your access to our Website(s)), refuse to accept or process payment on any order, and/or to cancel any order concluded between you and ACEMEC MARKETPLACE, in whole or in part, on notice to you. ACEMEC MARKETPLACE shall only be liable to refund monies already paid by you (see ACEMEC MARKETPLACE Returns Policy in this regard) and accepts no other liability which may arise as a result of such blacklisting and/or refusal to process any order.
14.5 At any time, you can choose to stop using our Website(s), with notice to ACEMEC MARKETPLACE.
15 Governing law and jurisdiction
15.1 These Terms and Conditions and our relationship and/or any dispute arising from or in connection with these Terms and Conditions shall be governed and interpreted in accordance with the laws of the Republic of South Africa. Your continued use of our Website(s) will constitute your consent and submission to the jurisdiction of the South African courts regarding all proceedings, transactions, applications, or the like instituted by either party against the other, arising from any of these Terms and Conditions.
15.2 IN THE EVENT OF ANY DISPUTE ARISING BETWEEN YOU AND ACEMEC MARKETPLACE, BY YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS YOU CONSENT TO THE EXCLUSIVE JURISDICTION OF THE REGIONAL COURT, BELLVILLE, CAPE TOWN OF THE REPUBLIC OF SOUTH AFRICA NOTWITHSTANDING THAT THE QUANTUM IN THE ACTION OR PROCEEDINGS MAY OTHERWISE FALL BELOW THE MONETARY JURISDICTION OF THAT COURT.
15.3 Nothing in this clause or the Terms and Conditions limits your right to approach any court, tribunal, or forum of competent jurisdiction.
16 Notices
16.1 ACEMEC MARKETPLACE hereby selects:
Randburg
as its address for the service of all formal notices and legal processes in connection with these Terms and Conditions (“legal address”). ACEMEC MARKETPLACE may change this address from time to time by updating these Terms and Conditions.
16.2 You hereby select the delivery address specified with your order as your legal address, but you may change it to any other physical address by giving ACEMEC MARKETPLACE not less than 7 days’ notice in writing.
16.3 Notices must be sent either by hand, prepaid registered post, or email and must be in English. All notices sent –
16.3.1 by hand will be deemed to have been received on the date of delivery;
16.3.2 by prepaid registered post will be deemed to have been received when we sign acknowledgement of such registered delivery notice;
16.3.3 by email will be deemed to have been received on the date indicated in the “Read Receipt” notification. ALL EMAIL COMMUNICATIONS BETWEEN YOU AND US MUST MAKE USE OF THE “READ RECEIPT” FUNCTION to serve as proof that an email has been received.
17 Information
17.1 For the purposes of the ECT Act, ACEMEC MARKETPLACE’s information is as follows, which should be read in conjunction with its product descriptions and other terms and conditions contained on our Website(s):
17.1.1 Full name: ACEMEC MARKETPLACE, a private company registered in South Africa with registration number 2026/077451/07.
17.1.2 Main business: Online Marketplace
17.1.3 The physical address for receipt of legal service (also postal):
17.1.4 Office bearers: Patrick Kgaswe
17.1.5 Phone number: 014 523 3677
17.1.6 Email address: info@acemec.market
17.1.7 PAIA: The manual published in terms of section 51 of the Promotion of Access to Information Act 2000 may be downloaded from our website.
18 General
18.1 ACEMEC MARKETPLACE may, in its sole discretion, at any time and for any reason and without prior written notice, suspend or terminate the operation of our Website(s) or the user’s right to use our Website(s) or any of its contents subject to us processing any orders then already made by you.
18.1.1 You may not cede, assign, or otherwise transfer your rights and obligations in terms of these Terms and Conditions to any third party.
18.1.2 Any failure on the part of you or ACEMEC MARKETPLACE to enforce any right in terms hereof shall not constitute a waiver of that right.
18.1.3 If any term or condition contained herein is declared invalid, the remaining terms and conditions will remain in full force and effect.
18.1.4 No variation, addition, deletion, or agreed cancellation of the Terms and Conditions will be of any force or effect unless in writing and accepted by or on behalf of the parties hereto.
18.1.5 No indulgence, extension of time, relaxation, or latitude which any party may show, grant or allow to the other shall constitute a waiver by the grantor of any of the grantor’s rights and the grantor shall not thereby be prejudiced or stopped from exercising any of its rights against the grantee which may have arisen in the past or which might arise in the future.
18.1.6 These Terms and Conditions contain the whole agreement between you and ACEMEC MARKETPLACE, and no other warranty or undertaking is valid unless contained in this document between the parties.
18.1.7 In the event that you need to contact ACEMEC MARKETPLACE for purposes related to these Terms and Conditions, please use the following: Email: info@acemec.market
— END —
Website Privacy Terms & Protection of Personal Information (“POPI”) Policy
Our Website: www.acemec.market
Our Email Address: info@acemec.market
Last updated: 1 July 2021
The Company respects the privacy of all personal data and private information collected, processed, and stored. As such, we undertake to handle all personal information received and processed with due care and provide the necessary security to safeguard all information held by us. Our internal system similarly allows us to proactively react should there be a breach of any kind; alternatively, our privacy practices and POPI policy dictate that we report any material breach to the Regulator.
Cookies:
The Company uses cookies, pixels, and other technologies (collectively referred to as “cookies”) to recognize your browser or device, learn more about your company or industry, and provide you with essential features and services, as well as for additional purposes, including:
i. Recognizing you when you sign-up to use our services. This allows us to provide each user or data subject with customized features and services, if applicable.
ii. Conducting research and diagnostics to improve the Company’s website content, products, and services.
iii. Preventing fraudulent activity.
iv. Improving security.
v. Delivering content, including ads, relevant to your interests.
vi. Reporting. This allows us to measure and analyse the performance of our services.
You can manage browser cookies through your browser settings. The “Help” feature on most browsers will tell you how to prevent your browser from accepting new cookies; how to have the browser notify you when you receive a new cookie; how to disable cookies; and when cookies will expire. If you disable all cookies on your browser, neither the Company nor any of its third parties will transfer cookies to your browser. If you do this, however, you may have to manually adjust some preferences every time you visit a site, and some features and services may not work.
Website Privacy & POPI:
Your privacy is important to the Company. This policy explains the Company’s privacy practices and the choices you have about the way your personal information will be dealt with. All practices are in line with the Company’s SOP and the provisions of POPI.
vii. Personal information is collected only when knowingly and voluntarily submitted.
viii. Personal information is only used for the purpose for which it was collected and/or submitted or such secondary purposes that are related to the primary purpose.
ix. In addition to where you have consented to the disclosure of your personal information, personal information may be disclosed in special situations where the Company has reason to believe that doing so is necessary to identify or act against anyone damaging or interfering with our rights or property, users, or anyone else that could be harmed by such activities.
x. The Company may engage third parties to provide you with goods or services on our behalf and in such circumstances may disclose your personal information to such parties in order to provide such goods and services.
Information security on our website:
xi. Any information that you upload on our website will be stored on a secure server and be used for limited purposes such as future communications (from which you are always entitled to unsubscribe).
xii. The Company will not disclose, sell, rent, or disseminate your personal information to third parties without your consent unless the Company is compelled to do so by law. The Company may do so if you have granted consent thereto.
xiii. While all reasonable efforts are taken to ensure that your personal information is protected as it travels over the internet, the Company cannot guarantee the absolute security of any information you exchange with us due to reasons beyond our control.
xiv. The Company may use cookies and web beacons to facilitate improvement of our website. However, neither cookies nor web beacons collect personal information such as the user’s name or email address. You may reject cookies, as most browsers permit individuals to decline same.
PROTECTION OF PERSONAL INFORMATION & BREACH PROTOCOL
1. INTRODUCTION:
The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPI Act”).
The POPI Act aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner. Through the provision of quality goods and services, the organization is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees, and other stakeholders.
A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions. Given the importance of privacy, the organisation is committed to effectively managing personal information in accordance with the POPI Act’s provisions.
2. DEFINITIONS:
2.1. Personal Information: personal information is any information that can be used to reveal a person’s identity. Personal Information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including but not limited to information concerning:
2.1.1. Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, and birth of person;
2.1.2. Information relating to the education or medical, financial, criminal or employment history of the person;
2.1.3. Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
2.1.4. Biometric information of the person;
2.1.5. The personal opinions, views, or preferences of the person;
2.1.6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
2.1.7. The views or opinions of another individual about the person;
2.1.8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
2.2. Data Subject: this refers to the natural or juristic person to whom personal information relates, such as an individual client, customer, or a company that supplies the organization with products or other goods.
2.3. Responsible Party: the responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the organization is the responsible party.
2.4. Operator: means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with the organization to shred documents containing personal information. When dealing with an operator, it is considered good practice for a responsible party to include an indemnity clause.
2.5. Information Officer: the information officer is responsible for ensuring the organization’s compliance with the POPI Act. Where no information officer is appointed, the head of the organization will be responsible for fulfilling the information officer’s duties. Once appointed, the information officer must be registered with the South African Information Regulator established under the POPI Act prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.
2.6. Processing: the act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes:
2.6.1. The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2.6.2. Dissemination by means of transmission, distribution or making available in any other form; or
2.6.3. Merging, linking, as well as any restriction, degradation, erasure, or destruction of information.
2.7. Record: means any recorded information, regardless of form or medium, including:
2.7.1. Writing on any material;
2.7.2. Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
2.7.3. Label, marking or other writing which identifies or describes anything of which it forms part, or to which it is attached by any means;
2.7.4. Book, map, plan, graph or drawing;
2.7.5. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
2.8. Filing System: means any structured set of personal information, whether centralized, decentralized or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
2.9. Unique Identifier: means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of the responsible party and that uniquely identifies that data subject in relation to that responsible party.
2.10. De-Identify: means to delete any information that identifies a data subject, or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.
2.11. Re-Identity: means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
2.12. Direct Marketing: means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
2.12.1. Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
2.12.2. Requesting the data subject to make a donation of any kind for any reason.
2.13. Biometrics: means a technique of personal identification that is based on physical, physiological, or behavioural characterization, including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.
3. POLICY PURPOSE:
3.1. The purpose of this policy is to protect the organization from the compliance risks associated with the POPI Act, which include:
3.1.1. Breaches of confidentiality. For instance, the organization could suffer loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately.
3.1.2. Failing to offer choice. For instance, all data subjects should be free to choose how and for what purpose the organization uses information relating to them.
3.1.3. Reputational damage. For instance, the organization could suffer a decline in shareholder value following an adverse event such as a computer hacker deleting the personal information held by an organization.
3.2. This policy demonstrates the organization’s commitment to protecting the privacy rights of data subjects in the following manner:
3.2.1. Through stating desired behaviour and directing compliance with the provisions of the POPI Act and best practice.
3.2.2. By cultivating an organizational culture that recognizes privacy as a valuable human right.
3.2.3. By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.
3.2.4. By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organization.
3.2.5. By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary, Deputy Information Officers, to protect the interests of the organization and data subjects.
4. POLICY APPLICATION
4.1. This policy and its guiding principles apply to:
4.1.1. The organization’s governing body;
4.1.2. All branches, business units and divisions of the organization;
4.1.3. All employees and volunteers;
4.1.4. All contractors, suppliers and other persons acting on behalf of the organization.
4.2. The policy’s guiding principles find application in all situations and must be read in conjunction with the POPI Act, as well as any other applicable documentation (PAIA Manual).
4.3. The legal duty to comply with the POPI Act is activated in any situation where there is a processing of personal information entered into a record by or for a responsible party who is domiciled in South Africa.
4.4. The POPI Act does not apply in situations where the processing of personal information:
4.4.1. Is concluded in the course of purely personal or household activities; or
4.4.2. Where the personal information has been de-identified.
5. RIGHTS OF DATA SUBJECTS
Where appropriate, the organization will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects. The organization will ensure that it gives effect to the following rights:
5.1. The right to access of personal information
5.1.1. The organization recognizes that a data subject has the right to establish whether the organization holds personal information related to him, her, or it, including the right to request access to that personal information.
5.2. The Right to have Personal Information Corrected or Deleted
The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where the organisation is no longer authorised to retain the personal information.
5.3. The Right to Object to the Processing of Personal Information
The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. In such circumstances, the organization will give due consideration to the request and the requirements of POPIA. The organization may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.
5.4. The Right to Object to Direct Marketing
The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.
5.5. The Right to Complain to the Information Regulator
The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.
5.6. The Right to be Informed
The data subject has the right to be notified that his, her or its personal information is being collected by the organisation. The data subject also has the right to be notified in any situation where the organization has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.
6. GENERAL GUIDING PRINCIPLES
All employees and persons acting on behalf of the organisation will at all times be subject to, and act in accordance with, the following guiding principles:
6.1. Accountability
Failing to comply with the POPI Act could potentially damage the organisation’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility. The organisation will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, the organisation will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
6.2. Processing Limitation
The organisation will ensure that personal information under its control is processed:
▪ in a fair, lawful, and non-excessive manner;
▪ only with the informed consent of the data subject; and
▪ only for a specifically defined purpose.
The organisation will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information. Alternatively, where services or transactions are concluded over the telephone or electronic video feed, the organisation will maintain a voice recording of the stated purpose for collecting the personal information followed by the data subject’s subsequent consent.
The organisation will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected. Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of the organisation’s business and be provided with the reasons for doing so.
6.3. Purpose Specification
All the organisation’s business units and operations must be informed by the principle of transparency. The organisation will process personal information only for specific, explicitly defined, and legitimate reasons. The organisation will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.
6.4. Further Processing Limitation
Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where the organisation seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.
6.5. Information Quality
The organisation will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading. The more important it is that the personal information be accurate (for example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the effort the organisation will put into ensuring its accuracy. Where personal information is collected or received from third parties, the organisation will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent sources.
6.6. Open Communication
The organisation will take reasonable steps to ensure that data subjects are notified (are at all times aware) that their personal information is being collected including the purpose for which it is being collected and processed. The organisation will ensure that it establishes and maintains a “contact us” facility, for instance via its website or through an electronic helpdesk, for data subjects who want to:
▪ Enquire whether the organisation holds related personal information;
▪ Request access to related personal information;
▪ Request the organisation to update or correct related personal information; or
▪ Make a complaint concerning the processing of personal information.
6.7. Security Safeguards
6.7.1. The organisation will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented to minimise the risk of loss, unauthorised access, disclosure, interference, modification, or destruction. Security measures also need to be applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.
6.7.2. The organisation will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the organisation’s IT network. The organisation will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals.
6.7.3. All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which the organisation is responsible. All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.
6.7.4. The organisation’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
6.8. Data Subject Participation
A data subject may request the correction or deletion of his, her or its personal information held by the organisation. The organisation will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information. Where applicable, the organisation will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.
7. INFORMATION OFFICER
7.1. The organisation will appoint an Information Officer and where necessary, a Deputy Information Officer to assist the Information Officer. The organisation’s Information Officer is responsible for ensuring compliance with POPIA.
7.2. Where no Information Officer is appointed, the head of the organisation will assume the role of the Information Officer. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officers.
7.3. Once appointed, the organisation will register the Information Officer with the South African Information Regulator established under POPIA prior to performing his or her duties.
8. SPECIFIC DUTIES AND RESPONSIBILITIES
8.1. Governing Body/Board of Directors
The organisation’s governing body cannot delegate its accountability and is ultimately answerable for ensuring that the organisation meets its legal obligations in terms of POPIA. The governing body may however delegate some of its responsibilities in terms of POPIA to management or other capable individuals.
The governing body is responsible for ensuring that:
8.1.1. The organisation appoints an Information Officer, and where necessary, a Deputy Information Officer.
8.1.2. All persons responsible for the processing of personal information on behalf of the organisation:
8.1.2.1. are appropriately trained and supervised to do so;
8.1.2.2. understand that they are contractually obligated to protect the personal information they come into contact with; and
8.1.2.3. are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.
8.1.3. Data subjects who want to make enquiries about their personal information are made aware of the procedure that needs to be followed should they wish to do so.
8.1.4. The scheduling of a periodic POPI Audit in order to accurately assess and review the ways in which the organisation collects, holds, uses, shares, discloses, destroys, and processes personal information.
8.2. Information officer
The organisation’s Information Officer is responsible for:
8.2.1. Taking steps to ensure the organisation’s reasonable compliance with the provisions of POPIA.
8.2.2. Keeping the governing body updated about the organisation’s information protection responsibilities under POPIA. For instance, in the case of a security breach, the Information Officer must inform and advise the governing body of their obligations pursuant to POPIA.
8.2.3. Continually analysing privacy regulations and aligning them with the organisation’s personal information processing procedures. This will include reviewing the organisation’s information protection procedures and related policies.
8.2.4. Ensuring that POPI Audits are scheduled and conducted on a regular basis.
8.2.5. Ensuring that the organisation makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to the organisation. For instance, maintaining a “contact us” facility on the organisation’s website.
8.2.6. Approving any contracts entered with operators, employees and other third parties which may have an impact on the personal information held by the organisation. This will include overseeing the amendment of the organisation’s employment contracts and other service level agreements.
8.2.7. Encouraging compliance with the conditions required for the lawful processing of personal information.
8.2.8. Ensuring that employees and other persons acting on behalf of the organisation are fully aware of the risks associated with the processing of personal information and that they remain informed about the organisation’s security controls.
8.2.9. Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the organisation.
8.2.10. Addressing employees’ POPIA related questions.
8.2.11. Addressing all POPIA related requests and complaints made by the organisation’s data subjects.
8.2.12. Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, regarding any other matter.
The Deputy Information Officer will assist the Information Officer in performing his or her duties.
8.3. IT Manager / IT Support
The organisation’s IT Manager or IT Support is responsible for:
8.3.1. Ensuring that the organisation’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.
8.3.2. Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.
8.3.3. Ensuring that servers containing personal information are sited in a secure location, away from the general office space.
8.3.4. Ensuring that all electronically stored personal information is backed-up and tested on a regular basis.
8.3.5. Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion, and malicious hacking attempts.
8.3.6. Ensuring that personal information being transferred electronically is encrypted.
8.3.7. Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software.
8.3.8. Performing regular IT audits to ensure that the security of the organisation’s hardware and software systems is functioning properly.
8.3.9. Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.
8.3.10. Performing a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on the organisation’s behalf. For instance, cloud computing services.
8.4. Marketing & Communications Manager / Team
The organisation’s Marketing & Communication Manager / Team is responsible for:
8.4.1. Approving and maintaining the protection of personal information statements and disclaimers that are displayed on the organisation’s website, including those attached to communications such as emails and electronic newsletters.
8.4.2. Addressing any personal information protection queries from journalists or media outlets such as newspapers.
8.4.3. Where necessary, working with persons acting on behalf of the organisation to ensure that any outsourced marketing initiatives comply with POPIA.
8.5. Employees and other persons acting on behalf of the Organisation
8.5.1. Employees and other persons acting on behalf of the organisation will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain clients, suppliers, and other employees.
8.5.2. Employees and other persons acting on behalf of the organisation are required to treat personal information as a confidential business asset and to respect the privacy of data subjects.
8.5.3. Employees and other persons acting on behalf of the organisation may not directly or indirectly, utilise, disclose, or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known, or the disclosure is necessary in order for the employee or person to perform his or her duties.
8.5.4. Employees and other persons acting on behalf of the organisation must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.
8.5.5. Employees and other persons acting on behalf of the organisation will only process personal information where:
8.5.5.1. The data subject, or a competent person where the data subject is a child, consents to the processing; or
8.5.5.2. The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or
8.5.5.3. The processing complies with an obligation imposed by law on the responsible party; or
8.5.5.4. The processing protects a legitimate interest of the data subject; or
8.5.5.5. The processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied.
8.5.6. Furthermore, personal information will only be processed where the data subject:
8.5.6.1. Clearly understands why and for what purpose his, her or its personal information is being collected; and
8.5.6.2. Has granted the organisation explicit written or verbally recorded consent to process his, her or its personal information.
8.5.7. Employees and other persons acting on behalf of the organisation will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information.
8.5.8. Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.
8.5.9. Consent can be obtained in written form which includes any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, the organisation will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.
8.5.10. Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:
8.5.10.1. the personal information has been made public;
8.5.10.2. valid consent has been given to a third party; or
8.5.10.3. the information is necessary for effective law enforcement.
8.5.11. Employees and other persons acting on behalf of the organisation will under no circumstances:
8.5.11.1. Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.
8.5.11.2. Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from the organisation’s central database or a dedicated server.
8.5.11.3. Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.
8.5.11.4. Transfer personal information outside of South Africa without the express permission of the Information Officer.
8.5.12. Employees and other persons acting on behalf of the organisation are responsible for:
8.5.12.1. Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.
8.5.12.2. Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.
8.5.12.3. Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of the organisation, with the sending or sharing of personal information to or with authorised external persons.
8.5.12.4. Ensuring that all computers, laptops, and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons.
8.5.12.5. Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.
8.5.12.6. Ensuring that where personal information is stored on removable storage media such as external drives, CDs, or DVDs that these are kept locked away securely when not being used.
8.5.12.7. Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.
8.5.12.8. Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer.
8.5.12.9. Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the client or customer phones or communicates via email. Where a data subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly.
8.5.12.10. Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner.
8.5.12.11. Undergoing POPI Awareness training from time to time.
8.5.13. Where an employee, or a person acting on behalf of the organisation, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction, or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.
9. POPI AUDIT
9.1. The organisation’s Information Officer will schedule periodic POPI Audits.
9.2. The purpose of the POPI Audit is to:
9.2.1. Identify the processes used to collect, record, store, disseminate and destroy personal information.
9.2.2. Determine the flow of personal information throughout the organisation. For instance, the organisation’s various business units, divisions, branches, and other associated organisations.
9.2.3. Redefine the purpose for gathering and processing personal information.
9.2.4. Ensure that the processing parameters are still adequately limited.
9.2.5. Ensure that new data subjects are made aware of the processing of their personal information.
9.2.6. Re-establish the rationale for any further processing where information is received via a third party.
9.2.7. Verify the quality and security of personal information.
9.2.8. Monitor the extent of compliance with POPIA and this policy.
9.2.9. Monitor the effectiveness of internal controls established to manage the organisation’s POPI related compliance risk.
9.3. In performing the POPI Audit, Information Officers will liaise with line managers in order to identify areas within the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of personal information. Information Officers will be permitted direct access to and have demonstrable support from line managers and the organisation’s governing body in performing their duties.
10. REQUEST TO ACCESS PERSONAL INFORMATION
10.1. Data subjects have the right to:
10.1.1. Request what personal information the organisation holds about them and why.
10.1.2. Request access to their personal information.
10.1.3. Be informed how to keep their personal information up to date.
10.2. Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.
10.3. Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.
10.4. The Information Officer will process all requests within a reasonable time.
11. POPI COMPLAINTS PROCEDURE
11.1. Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. The organisation takes all complaints very seriously and will address all POPI related complaints in accordance with the following procedure:
11.1.1. POPI complaints must be submitted to the organisation in writing. Where so required, the Information Officer will provide the data subject with a “POPI Complaint Form”.
11.1.2. Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.
11.1.3. The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days.
11.1.4. The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.
11.1.5. The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the organisation’s data subjects.
11.1.6. Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with the organisation’s governing body, whereafter the affected data subjects and the Information Regulator will be informed of this breach.
11.1.7. The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the organisation’s governing body within 7 working days of receipt of the complaint. In all instances, the organisation will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
11.1.8. The Information Officer’s response to the data subject may comprise any of the following:
11.1.8.1. A suggested remedy for the complaint,
11.1.8.2. A dismissal of the complaint and the reasons as to why it was dismissed, or
11.1.8.3. An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
11.1.9. Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.
11.1.10. The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints.
12. PERSONAL DATA BREACH PROTOCOL
12.1. For the purposes of this section, a personal data breach is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification, or destruction of personal and/or sensitive data as described in this policy. The breach protocol is meant to address security incidents involving any and all personal data held, collected, processed and/or stored by the Organisation, including personal data under the control or responsibility of an affiliated business or third party.
12.2. The Organisation shall ensure that, inter alia, all personal data breaches are reported to the Regulator, investigated, and contained within the Organisation or by the Organisation and in terms of this policy.
12.3. The following is an indication of the timelines necessary herein and to be followed by the Organisation and/or its Information Officer when responding to, investigating, and reporting on any personal data breach within the Organisation:
12.3.1. Initial response to discovering personal data breach, or potential breach:
12.3.1.1. Identifying personal data breach or potential breach;
12.3.1.2. Involvement of Information Officer, IT/Server Department and any necessary and/or applicable parties;
12.3.1.3. Involvement of compliance department, legal department or similar (if applicable to the Organisation).
12.3.2. Immediate Response (0–1 Business Day):
12.3.2.1. Containment;
12.3.2.2. Opening of Incident Report or POPI Breach report;
12.3.2.3. Escalation to the relevant individuals or authoritative body(ies);
12.3.2.4. Activation of initial response plan and/or containment plan.
12.3.3. Continuing Response (0–15+ days):
12.3.3.1. Analysis and Planning (both in terms of closure of the pending breach and initiation of any plans regarding prospective breaches or the avoidance thereof);
12.3.3.2. Investigation;
12.3.3.3. Mitigation and Correction;
12.3.3.4. Notification;
12.3.3.5. Closing of Incident Report or POPI Breach report;
12.3.3.6. Final reporting (Information Officer, Regulator and Data Subjects).
12.4. Initial Response: the Organisation must take proactive steps to ensure that any personal data breach or potential breach is identified as soon as reasonably possible. Once identified, the Organisation, through its IT department and Information Officer, must bring the personal data breach or potential breach to the attention of the necessary parties who will be responsible for containing the personal data breach or potential breach.
12.5. Immediate Response: the Organisation, its IT department and the Information Officer must, when a breach is discovered, conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons whom personal information may reach. The Organisation may, over its areas of responsibility or collaboratively, take steps to attempt having lost/stolen/inappropriately disclosed information returned or destroyed. For instance, area managers may attempt to contain and control an incident by suspending certain activities or locking and securing areas of record storage; Human Resources may suspend employees as appropriate to prevent compromising behaviour; and the Information IT Department may shut down particular applications or third-party connections, reconfigure firewalls, change computer access codes, or change physical access codes.
12.6. If applicable, staff members closest to the incident will determine the extent of the breach or potential breach by identifying all information (and systems) affected and take action to stop the exposure. This may include:
12.6.1. Securing or disconnecting affected systems;
12.6.2. Securing affected records or documentation;
12.6.3. Halting affected business processes;
12.6.4. Pausing any processes that may rely on exposed information or that may have given rise to the incident (as necessary to prevent further use/exposure/etc.).
This would most typically occur in instances of electronic system intrusion, exposed physical (e.g., medical) files or records or similar situations.
12.7. If an active cyber-insurance policy exists or the need is otherwise determined, the Organisation or its Information Officer may contact contracted third parties (cyber-insurance vendors or affiliates) for breach response services and resources to include forensics, investigation and response consulting, notification, and call center services. Though recommended to occur as soon as possible after discovery, this can occur at any point as more information is obtained or the need is otherwise determined.
12.8. All documentation, investigation and initial and/or containment reports must be kept throughout the personal data breach protocol procedure and included in any report from the Information Officer to the Regulator in terms of section 22 of the POPI Act.
12.9. As more information is gathered, responsible staff will assess each personal data breach or potential breach to determine appropriate handling. This may involve the development and use of internal procedures by individual departments. For instance, while a minor and low risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the Organisation. The manager, in turn, may escalate the incident to the director, VP, or other level (subject to the Organisation’s internal structure and/or organogram).
12.10. This may also involve activating alternate plans – for instance, Data Recovery Plans and/or any applicable alternative.
12.11. Additionally, responsible departments will assess each personal data breach to determine which parties should be included in communications and/or the further reporting of the personal data breach incident. For instance, the Organisation or Information Officer may grant certain access and permissions pertaining to cases to include area managers, directors, and vice-presidents unless circumstances exist that would preclude sharing information – for instance, if a conflict of interest exists; if sharing the information could compromise an investigation; or if the responsible manager (or a friend or family member of the responsible manager) is involved as an affected party, as a subject, or in other ways.
12.12. Continued response and reporting to the Regulator: all efforts, including but not limited to the initial reporting; the containment and any containment plans; any further planning and proposed corrections; and/or record of any correspondence or notice sent to any of the Organisation’s affected data subjects must be kept and form a material part of the final incident report submitted to the Regulator in terms of section 22 of the POPI Act.
12.13. After containment of the personal data breach and implementation of any necessary containment plan; interim plan or relief; correction plan; data recovery plan; and/or similar plan implemented in response to the personal data breach, the Organisation’s Information Officer must prepare a written report to submit to the Regulator.
12.14. The aforementioned written report must contain all necessary and material information pertaining to the personal data breach, including but not limited to, any supporting documentation, investigation outcomes and/or improvement plans. The report must indicate whether the breach was low, moderate, or high risk and the extent of the personal data breach, including but not limited to any actual damages suffered; any damage or injury to affected data subjects; and any potential or further threat created by the personal data breach.
12.15. The Information Officer must further notify all affected data subjects of the personal data breach as soon as reasonably possible after discovery of the personal data breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the breach and to restore the integrity of the Organisation’s information system. The notification must be done in writing and communicated to the data subject in one of the following ways:
12.15.1. Mailed to the data subject’s last known physical or postal address;
12.15.2. Sent by email to the data subject’s last known email address;
12.15.3. Placed in a prominent position on the website of the Organisation;
12.15.4. Published in the news or media; or
12.15.5. As may be directed by the Regulator.
12.16. The notification must provide the affected data subjects with sufficient information to allow the data subject to take protective measures against the personal data breach, including –
12.16.1. A description of the possible consequences of the breach;
12.16.2. A description of the measures that the Organisation intends to take or has taken to address the personal data breach and/or security compromise;
12.16.3. A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the personal data breach; and
12.16.4. The identity of the unauthorised person or entity who may have accessed or acquired personal information, if known to the Organisation.
12.17. The Regulator may direct an Organisation to publicise, in any manner specified, the fact of any personal data breach or compromise to the integrity of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the breach.
13. DISCIPLINARY ACTION
13.1. Where a POPI complaint or a POPI infringement investigation has been finalised, the organisation may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
13.2. In the case of ignorance or minor negligence, the organisation will undertake to provide further awareness training to the employee.
13.3. Any gross negligence or the wilful mismanagement of personal information will be considered a serious form of misconduct for which the organisation may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.
13.4. Examples of immediate actions that may be taken subsequent to an investigation include:
13.4.1. A recommendation to commence with disciplinary action.
13.4.2. A referral to appropriate law enforcement agencies for criminal investigation.
13.4.3. Recovery of funds and assets in order to limit any prejudice or damages caused.