Oceana has a long and proud tradition of conducting business with the highest level of integrity, in accordance with the highest ethical standards and in full compliance with all applicable laws, including the law known as the Protection of Personal Information Act, 4 of 2013, (POPIA), which regulates the Processing of Personal Information.
The Protection of Personal Information Policy has been developed at the direction of Oceana’s Board of Directors in order to provide clear guidance to all directors, employees and those who Process Personal Information on behalf of Oceana on how they are to Process Personal Information, thereby ensuring that all Personal Information Processed by Oceana is done in a lawful, transparent and consistent manner and in full compliance with all and any applicable data protection laws which may from time to time apply to its operations, including POPIA and the General Data Protection Regulation 2016/679 (GDPR) applicable in the EU (hereinafter referred to collectively as the “Data protection laws”).
Oceana has adopted a zero-tolerance stance in relation to any non-compliance with its policies, including this Policy, and any violation of this Policy will result in swift corrective action, including possible termination of employment, and criminal and civil action.
| Term | Definition |
|---|---|
| Consent | means in relation to POPIA, any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Information about them; and Explicit Consent means in relation to the GDPR, a higher standard of Consent that requires a very clear and specific statement rather than an action which is suggestive of Consent. |
| Data Privacy laws | means, for the purposes of this Policy, the European Union’s General Data Protection Regulation (“GDPR”) which applies in the EU, and the Protection of Personal Information Act, 14 of 2013 (POPIA) which applies in South Africa. |
| Data Subject | means, in relation to POPIA, any individual or legal entity, and means in relation to the GDPR, an individual. (Note - the GDPR does not apply to legal entities.) |
| Information Officer (IO) | means in relation to POPIA, a person who has been appointed as the organization’s Information Officer, being the organisation’s main representative on data protection and Processing matters, and Data Protection Officer (DPO) (GDPR) means in relation to the GDPR, a person who has been appointed as the organization’s Data Protection Officer, being the organisation’s main representative on data protection and Processing matters. |
| Operator | means, in relation to POPIA, any person who Processes Personal Information on behalf of a Responsible Party as a contractor or sub-contractor, in terms of a contract or mandate, without coming under the direct authority of the Responsible Party and Processor means, in relation to the GDPR, any person who Processes Personal Information on behalf of a Controller as a contractor or sub-contractor, in terms of a contract or mandate, without coming under the direct authority of the Controller. |
| Processing Notices | means a notice setting out the prescribed information that must be provided to Data Subjects before collecting his, her or its Personal Information, (also known as “section 18 notices”, “privacy notices” or “data protection notices”). |
| Personal Information | means Personal Information relating to any identifiable, living, natural person, in the case of POPIA and the GDPR and an identifiable, existing juristic person, in the case of POPIA, including, but not limited to: |
| Personnel | means Oceana directors, employees and any other person who may Process Personal Information on behalf of Oceana. |
| Processing, Process, Processed | means in relation to Personal Information, the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; merging, linking, as well as restriction, degradation, erasure or destruction of information; or sharing with, transfer and further Processing, including physical, manual and automatic means. |
| Purpose | means the underlying reason why a Responsible Party or Controller needs to Process a Data Subject’s Personal Information. |
| Responsible Party | means, in relation to POPIA, the person or legal entity who is Processing a Data Subject’s Personal Information; and Controller means, in relation to the GDPR, the person or legal entity who is Processing the Data Subject’s Personal Information. |
| Record | means any recorded information housing Personal Information Processed by Oceana, or its Personnel, regardless of form or medium, including any of the following: Writing on any material; information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means; book, map, plan, graph or drawing; photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced, in the possession or under the control of Oceana; whether or not it was created by Oceana and regardless of when it came into existence, and “Folder” for the purpose of this Policy includes any Folder, in paper or electronic format, that stores, houses or holds specific Records allocated thereto. |
THE PROTECTION OF PERSONAL INFORMATION ACT, 114 OF 2013 (POPIA), CAME INTO OPERATION ON 1 JULY 2020.
POPIA governs the Processing of Personal Information with the central aim of upholding a person’s right to privacy as provided for in the South African Constitution. POPIA achieves this by placing obligations on persons who request, collect, store, process and otherwise use Personal Information relating to another person, in order to protect such person from suffering potential damage or harm. More importantly, POPIA seeks to achieve this by introducing penalties which will cater for instances of a breach of privacy of a person’s Personal Information.
GDPR – UK AND EU
The General Data Protection Regulation (“GDPR”) governs the processing of personal data belonging to individuals. The regulation was put into effect on May 25, 2018. The GDPR applies to any person or entity who Processes the personal data of EU citizens or residents, or who offers goods or services to EU citizens or residents, regardless of whether the entity is situated in the EU.
PERSONAL INFORMATION PROCESSING PRINCIPLES AND CONDITIONS
The GDPR and POPIA embrace and adopt a core set of universal Processing principles, (known as conditions under POPIA) which have to be met by any person who Processes another’s Personal Information, which principles have informed Oceana’s approach to Processing Personal Information.
These principles are as follows:
- Lawfulness, fairness and transparency: Personal Information must be Processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Personal Information must be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
- Data minimization: The Processing of Personal Information must be limited to what is needed for the purpose, and to this end must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
- Accuracy: Personal Information Processed must be accurate and, where necessary, kept up to date; and every reasonable step must be taken to ensure that inaccurate Personal Information, having regard to the purposes for which it is Processed, is erased or rectified without delay.
- Storage limitation: Personal Information must be kept for no longer than is necessary for the purposes for which the Personal Information was Processed and may not be stored for longer periods unless there are reasons for such longer storage.
- Integrity and confidentiality and security: Personal Information must be Processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Furthermore, Personal Information shall not be transferred to another country unless the person transferring the Personal Information ensures that the Data Subject is provided with the same rights and level of protection in relation to the Processing of its Personal Information in the receiving country as provided for and received under POPIA or the GDPR.
- Accountability: The person who is Processing the Personal Information, known as the Responsible Party (POPIA) or Controller (GDPR), is responsible for compliance with the Data Processing laws and the principles and conditions for Processing, and such Responsible Party or Controller must be able to demonstrate compliance with the Data Processing laws including POPIA or the GDPR and these principles.
AREAS WHERE OCEANA PROCESSES PERSONAL INFORMATION
- Oceana is a fishing and commercial cold storage company which, inter alia, harvests and distributes a diverse range of marine resources in South Africa and overseas.
- Oceana, in order to carry out its business and realise its objectives, does and will continue to make use of Personal Information which belongs to individuals and public and private entities, including employees and directors, service providers, customers and other third parties.
- The Processing of this Personal Information mostly takes place in South Africa.
- There will however be occasions where certain Oceana Processing activities take place in countries situated in the US and EU.
- In light of these Processing activities, Oceana, as a law-abiding entity, is obligated and will ensure that it and its Personnel comply with POPIA, and where applicable with the GDPR, and the applicable Processing principles and conditions when carrying out its business.
In order to meet its POPIA obligations, Oceana has developed and placed on its websites the following informed and specific Processing notices which apply to the different Data Subject categories who it deals with:
- an HR Processing Notice, which applies to all employees, prospective and actual, and all bursary or learnership beneficiaries, prospective or actual;
- a Procurement Processing Notice, which applies to all participants in the Oceana supply chain, including persons who provide goods and services to Oceana (service providers), persons or entities who purchase goods or services from Oceana (Customers), and / or other parties who Oceana may engage with and who make up the Oceana Procurement and supply chain, including Regulators;
- a Corporate Social Investment (CSI) Processing Notice, which applies to CSI beneficiaries, prospective or actual, who Oceana may engage with;
- a Company Secretarial Processing Notice, which applies to directors, trustees, executives, committee members, shareholders and stakeholders who Oceana may engage with;
- an OET Processing Notice, which applies to all Oceana Empowerment Trust Beneficiaries who Oceana may engage with;
- a Security Processing Notice, which applies to any persons who come onto the Oceana sites, facilities and offices who Oceana may engage with;