MERIDIAN FINANCE DATA PROTECTION POLICY
INTRODUCTION AND PURPOSE
Meridian Finance is committed to processing personal data in accordance with its responsibilities under the Protection of Personal Information Act (POPIA) and may be subject to similar information protection dispensations in other jurisdictions. These data protection laws impose strict guidelines to secure an employee’s right to privacy with regard to their personal information.
Under these data protection principles, organizations are accountable for and must be able to demonstrate that any personal data they handle is:
Processed lawfully and transparently, and accessible to the data subject
Collected for specified, explicit, and legitimate purposes
Adequate, relevant, and limited to what is necessary
Accurate and kept up-to-date
Kept for no longer than is necessary where data subjects are identifiable
Processed securely and protected against unauthorized or accidental loss, destruction, or damage
Meridian Finance, as a property finance origination broker (sole proprietorship), lawfully requires certain personal information about its employees, members, and member firms, training delegates and trainers, and needs to process personal information relating to such individuals and legal entities.
Meridian Finance is committed to protecting and safeguarding all personal information in its possession or under its control and to taking appropriate and reasonable measures (technological as well as organizational) to ensure the integrity and confidentiality thereof in respect of all its business activities in accordance with the law as well as ongoing risk assessments.
This Data Protection Policy is intended to:
Ensure that Meridian Finance complies with legal standards for the receipt, processing, and storing of personal data of individuals and legal entities and explain how this should be achieved
Ensure that Meridian Finance protects the rights of data subjects with respect to the privacy of personal information
Ensure that Meridian Finance provides a transparent system of personal information protection
Protect Meridian Finance against the risks and consequences of data breaches.
DEFINITIONS
Meridian Finance means L Vilonel T/A Meridian Finance as a sole proprietorship.
Information Officer means Lizette Vilonel as the person responsible for data protection within the Organisation.
Data Subject means the person (individual or legal entity) to whom the data relates
Responsible party means the person/entity (either alone or jointly with others) who determines the purpose and manner in which the personal information of a data subject is to be processed
Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party
Personal information (which, for the purpose of this policy, includes ‘special personal information’ as described hereunder) means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
(b) information relating to the education or the medical, financial, criminal, or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views, or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Special personal information means—
(a) the religious or philosophical beliefs, race or ethnic origin, political persuasion, health or sex life or biometric information of a data subject; or
(b) the criminal behavior of a data subject to the extent that such information relates to—
(i) the alleged commission by a data subject of any offense; or
(ii) any proceedings in respect of any offense allegedly committed by a data subject or the disposal of such proceedings.
Processing means any operation or activity or any set of operations, whether by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
(b) dissemination by means of transmission, distribution, or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure, or destruction of information.
De-identify means to delete any information that: identifies, or can be used/manipulated to identify, the data subject; or that can be linked to other information that identifies the data subject by a reasonably foreseeable method.
SCOPE
This policy applies to all personal information processed by Meridian Finance – whether by employees or by third-party Operators on its behalf. It will also apply to ancillary workers such as contractors, consultants, freelancers, etc. who may from time to time provide services to Meridian Finance and be exposed to personal information in its possession or under its control.
This policy shall be reviewed at least once annually.
GENERAL DATA PROTECTION PRINCIPLES
All personal data relating to data subjects and/or to Meridian Finance, shall be deemed confidential information and be handled as such.
The processing conditions for the lawful processing of personal information as required in terms of POPIA will be complied with (see paragraph 6 below).
The only person/s entitled to access data covered by this policy will be those who need to access it for the execution of their direct work services or required outputs.
Under no circumstances will personal information be shared outside the scope of required work outputs, or informally. In the event of any doubt, an employee or Operator must first obtain authorization from a senior manager or the Information Officer before accessing confidential information where any work output requiring access is unusual or out of the ordinary.
Employees (when applicable) will receive induction and on-the-job training in relation to all security standards applicable to such employees’ service delivery and work outputs involving personal information of data subjects.
Employees shall keep all personal data secure by taking sensible practical precautions and complying with all rules, practices, and protocols. This pertains to both physical and digital security including the use of passwords, communications, device security, remote access, physical access control, authorization protocols, etc.
Meridian Finance will develop and implement an Incident Response Plan in case of a data breach or a security compromise. This must be communicated to relevant employees and Operators and must be strictly complied with.
THE RIGHTS OF DATA SUBJECTS
Data subjects have the right to know what personal information is held by Meridian Finance and for what purpose(s) it is processed.
Data subjects may request access to their personal information. They may also request amendments to or deletion of the information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, and/or no longer authorized to be kept.
Data subjects may further object in the prescribed manner to the processing of their personal information (except where processing is based on an obligation in terms of the law, or to perform in terms of a contract to which the data subject is a party) or may withdraw consent previously given to process the information.
Data Subject Access requests must be referred to the Information Officer / Deputy Information Officer via email, who will be responsible for attending to the request timeously and to communicate with the data subject in this regard. The identity of the data subject must always be verified before granting access to the information.
Meridian Finance may in certain circumstances be legally obliged to disclose personal information to law enforcement or similar institutions, without the consent of the data subject. This will however only be done after verifying that the request is lawful and legitimate. Only the Information Officer will be authorized to furnish such information.
Data subjects may lodge a complaint with the Information Regulator if they are concerned about the security of their personal information or its processing by Meridian Finance. Data subjects are however encouraged to first contact the Information Officer to report their concerns to the organization directly, in terms of its relevant complaints procedure.
JUSTIFIED AND TRANSPARENT DATA PROCESSING
All processing of personal information by Meridian Finance and/or its Operators must be done in accordance with the processing principles and conditions as set out in the relevant privacy legislation, specifically POPIA in South Africa.
All processing of personal information by Meridian Finance must be done on one of the following lawful bases: consent of the data subject, contractual obligation, legal obligation, performance of a public task, or to protect the legitimate interests of the Organisation and/or the data subject. It must be clearly recorded on what basis any and all personal information is being processed, and the Information Officer must implement and coordinate an appropriate system to facilitate this and must ensure that it is regularly reviewed and updated.
Meridian Finance's legitimate business interests must always be balanced against the data subject’s privacy rights.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal information. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and such revocation must be clearly and accurately reflected in the systems of Meridian Finance.
The lawful processing of personal information must also be done in accordance with eight specific processing conditions:
Accountability
Meridian Finance as the Responsible Party determines the purpose, means, and processing of the personal information and must put measures in place to ensure that all the processing conditions are complied with at the time of determining the purpose and means of processing and during the processing itself.
All employees (and Operators) shall continually be responsible for ensuring the safeguarding, protection, and avoidance of any unauthorized disclosure or breach of personal information in the execution of employment duties and services to Meridian Finance, or otherwise in the course of rendering services or being associated with Meridian Finance. Instructions and guidance in this regard may include this policy, departmental policies and procedures, instructions from management or from the Information Officer, training, and general communications.
Persons with particular responsibilities connected to data protection with Meridian Finance, are:
The Information Officer, who is responsible for assessing, overseeing, coordinating, and ensuring data security and compliance with POPIA; for arranging data protection training for employees; for reviewing and approving agreements with third-party Operators; for reporting to executive management about compliance with all technological and operational data protection standards and protocols; for advising of any risk of breach at the earliest opportunity; and for putting measures in place to respond to any data breach or security compromise. The Information Officer may also initiate disciplinary proceedings against employees for breaches of rules and standards in this regard and must attend to all requests (internal or external) for access to personal information.
Minimality / Processing Limitation
Processing of personal information must be limited to lawful and justified processing (on one of the bases as set out above) in a reasonable manner that does not unnecessarily infringe on the privacy of the data subject. Only the minimum amount of personal information that is necessary for the stated purpose must be collected and processed.
There are also further specific limitations that apply to particular types of personal information/activities, such as cross-border transfer of information, direct marketing, automated decision-making, directories, special personal information, and information relating to children.
To comply with this condition, Meridian Finance will only collect and store information that is relevant and current. Unnecessary or outdated information will be destroyed.
Purpose Specification
Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a legitimate function/activity of Meridian Finance and this purpose should generally be disclosed to the data subject.
Personal information should also not be retained for longer than is necessary for achieving the purpose for which the information was collected and processed unless certain exceptions apply. A retention, archiving, and destruction policy, including a register, will be kept by Meridian Finance to ensure that information is not kept longer than is necessary. This policy sets out what data must be retained, for how long, and why.
All records containing personal information must be securely destroyed at the end of the retention period, or the information must be de-identified. Meridian Finance has implemented the following measures/protocols to comply with this condition:
A Retention, Archiving and Destruction Policy (RADP) is in place
A Retention, Archiving, and Destruction Register (RADR) is kept current
Employees (if any) will have access to their individual folders which will contain the RAD registers as well as details of all the personal information collected, archived, and destroyed by Meridian Finance.
Specific consent forms will be stored together with the individual employee folders (if applicable) which will be stored on Google Drive, and password protected.
Further processing limitation
Personal information that has been collected for a specific purpose may not be processed further unless it is for a reason compatible with the original purpose, or if the data subject consents, or if specific circumstances exist that permit such further processing in terms of the law.
Information quality
Meridian Finance must take reasonable steps to ensure that the personal information processed by it is complete, accurate, not misleading, and updated where necessary.
Personal information should therefore as far as possible be collected directly from the data subject unless certain exceptions apply for collecting it from a different source. Procedures to ensure that personal information is regularly reviewed and updated, should also be put in place, communicated to the relevant employees and Operators, and complied with.
Particular care should be taken that personal information is not unnecessarily duplicated and stored in different places, and that any updates are applied to all sets of the same information.
The measures implemented by Meridian Finance in respect of this condition include:
Personal password-protected folders have been opened.
All personal information will be stored in these folders, and only the Information Officer will have access to individual folders.
Hard copy information will be stored under lock and key.
Third-party Operators requiring personal information to execute their mandates, such as the Payroll Administrators and Provident Fund Administrators, are required to sign the Operators Agreement of Meridian Finance.
Openness / Transparency
Whenever Meridian Finance collects personal information (except if one or more of the exclusions in s18 of POPIA apply), it must take reasonable steps to notify the data subject of certain details relating to the processing of this information:
The information collected and the source of the information (if not from the data subject directly)
The name and address of the Organisation
The purpose for which it is collected
Whether the data subject is obliged to supply the information or if it is voluntary (e.g. what law if any prescribes, authorizes, or requires the collection of the information)
The consequences of failure to provide the information
If applicable, whether the responsible party intends to transfer the information trans-border and the level of protection afforded by the recipient
Any further information, such as the recipients of the information, its nature and category, and the right of the data subject to access and rectify the information collected, to object to the processing of the information, or to complain to the Regulator.
Meridian Finance complies with this condition by issuing specific and relevant Privacy Notices to data subjects when personal information is collected – such as job applicants, employees, members, training delegates, and trainers.
Provision must also be made in respect of handling requests for access to information by data subjects and/or third parties – internally or externally. The Information Officer handles all such requests under POPIA as well as PAIA (the Promotion of Access to Information Act) and may implement procedures, policies, and processes in this regard.
Security safeguards
Meridian Finance is legally obliged to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of or damage to or unauthorized destruction, unlawful access to or processing of such personal information.
In order to do this, Meridian Finance will regularly conduct risk assessments to identify foreseeable internal/external risks and vulnerabilities to such personal information and will establish and maintain appropriate safeguards against these risks. Such safeguards include technological as well as organizational and physical measures and must have due regard to international best practices, specific industry standards, or applicable professional rules or regulations. These will be reviewed and updated on a regular basis and where applicable, communicated to relevant employees.
Meridian Finance will also ensure that any third-party Operators that process personal information on its behalf, subscribe to and comply with the same level of security and that these obligations are set out in a mandatory written agreement with each Operator.
Some of the pertinent security measures include:
Data classification, authorization, and access
Meridian Finance will design a data classification system to determine who may have access to various types of personal information and implement appropriate security measures to ensure that access to unauthorized persons is restricted and to avoid sharing of the information.
Paper or other physical records are kept in a secure place where only authorized persons can view or access them.
Secure processing and storage
Security measures include using up-to-date software, secure (off-premises) storage, and having appropriate backup and recovery solutions in place for electronic data. They also include cyber security measures pertaining to password protocols, removable media use, data portability, device use and sharing, remote access, authorizations, encryption, email systems, and protecting against cyber-attacks of any kind.
Employees who work remotely must (where applicable) ensure that records are used and stored securely in a locked cabinet or drawer.
Transferring personal information and communications
Personal information may not be transferred or sent to any person or entity not directly authorized to receive it. Employees (when applicable) must ensure that emails are not accidentally sent to non-authorized recipients, and that long email threads do not inadvertently disclose confidential or personal information.
IT protocols will also be developed and implemented to ensure the proper encryption so that personal information is sent in protected form to authorized recipients.
Sharing personal information
The sharing of personal information with another employee or company representative will depend on whether that person has a job-related need to know the information, and provided that aspects such as cross-border restrictions (where applicable) are adhered to. It must also comply with the Privacy Notice provided to the data subject and, if required, the consent of the data subject must have been obtained.
Personal information may generally only be shared with third parties when certain safeguards and/or contractual arrangements have been put in place, in particular also containing provisions relating to data protection, and subject to the same restrictions as set out above.
Device security and acceptable use of personal information
When working with personal information, employees must ensure that their computer or device screens are always locked when left unattended. Employees (when applicable) are also prohibited from saving personal information on their own computers/devices. Personal information may not be shared informally, and paper records should not be left lying around on desks and printers, or anywhere else.
Disposal of personal information
When personal information is deleted or de-identified, it must be done so that the data is not recoverable or re-identifiable. Office equipment must be professionally wiped when disposed of or no longer in use. Paper records must be shredded when no longer needed.
All information that is destroyed must be recorded on the RAD Register.
Data subject participation
Data subjects have the right to be involved in the processing of their personal information and have certain rights in this regard, as outlined in paragraph 5 above.
Account numbers
Failure by the organization to appropriately protect account numbers of data subjects could constitute a criminal offense if it ought to have known/foreseen risks in this regard, but failed to take reasonable steps to address those risks.
Someone who knowingly or recklessly obtains, discloses, or procures the disclosure of an account number in an unauthorized manner, or who sells such a number, may also be guilty of a criminal offense.
Direct marketing
Marketing by electronic means to potential or existing customers is subject to strict privacy rules in terms of POPIA.
Prior consent from potential recipients must be explicitly obtained (in the prescribed manner) before marketing material (including emails, newsletters, and texts) may be sent to them and they may only be approached once for such consent. The option to withdraw consent, opt-out, or unsubscribe must also be very clearly indicated in each subsequent communication.
The limited exception for existing customers allows organizations to send marketing texts or emails if they obtained the contact details in the course of a sale to that person, are marketing similar products or services, and gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
Automated decision-making and profiling
Automated decision-making relates to automated decisions being taken without human oversight or intervention, such as adverse credit decisions being taken automatically, or other adverse decisions and activities based on algorithmic processing of information and its resulting outputs.
This type of processing is prohibited under POPIA, but with some exceptions – such as when automated decision-making is governed by law or a code of conduct with suitable protections; or has been done in connection with a contract according to the data subject’s request and appropriate protective measures have been taken.
These protective measures include an opportunity for the data subject to make representations after the organization has provided him/her/it with sufficient information about the underlying logic of the automated processing.
TRANSFERRING PERSONAL INFORMATION TO A COUNTRY OUTSIDE OF SOUTH AFRICA
Meridian Finance will as far as possible ensure that the transfer of personal information to a recipient in a foreign country only takes place if there are adequate/similar levels of data protection in place – either by way of laws applicable to that country or in terms of Binding Corporate Rules or a binding Transborder data processing agreement.
The data subject may however nevertheless consent to the cross-border transfer of their personal information, or such a transfer may take place if it is necessary in connection with a contract between the organization and the data subject, or a contract concluded in the data subject’s interest or to their benefit.
The cross-border transfer of special personal information or personal information relating to children may however be subject to prior authorisation from the Information Regulator if the foreign country does not provide an adequate level of protection as required in terms of POPIA.
DATA BREACHES / SECURITY COMPROMISES
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, Meridian Finance must notify the Regulator; and the affected data subject(s) (unless the identity of such data subject cannot be established, or it will impede a criminal investigation).
This notification and the response of Meridian Finance to a data breach will be dealt with in terms of the Incident Response Plan developed by the Information Officer.
The Information Officer is responsible for ensuring that all relevant employees (where applicable) and Operators are made aware of the contents of the Incident Response Plan.
DATA PROTECTION IMPACT ASSESSMENTS AND PRIVACY BY DESIGN
Meridian Finance is committed to making data protection and privacy of data subjects a priority in all aspects of its business activities. To this end, Meridian Finance's privacy strategy provides for continuous privacy- and data protection impact assessments as may be appropriate and for privacy considerations to form part of the development and implementation of all new projects, tools, programs, equipment, etc.
IMPLEMENTATION OF POLICY IN RESPECT OF EMPLOYEES
This data protection policy governs every employee of Meridian Finance during the course of his/her services to it, and to the extent applicable, after termination of employment. It is the responsibility of every employee to familiarise him/herself with the content of this policy and to remain up to date as to any changes issued to it.
To the extent that this policy sets out workplace rules and standards governing the employee in the course of his/her work and services to the company, these shall form part of the company’s Disciplinary Code and Procedure and are hereby incorporated into it.
A breach of any rule in relation to the protection of personal data set out in this policy that constitutes misconduct shall be subject to disciplinary action and may lead to dismissal in appropriate circumstances.
The imposition of any disciplinary sanction or dismissal shall not preclude the Organisation from instituting civil proceedings against an employee who acted in breach of this policy where such breach has resulted in liability, loss, reputational damage, and/or other damages to the Organisation in the course of pursuing its commercial operations.
RELATED DOCUMENTS
This policy may be read together with other organizational policies and standards that deal with specific areas of the business, including:
Incident Response Plan
Privacy Notices to customers, clients, vendors, suppliers, applicants, members, etc.
Operator Agreements