This Privacy Notice applies to personal information that Just Brands Africa (PTY) Ltd, Reg. 2013/228381/07, may process in regard to any or all of the services contemplated by this policy directly, or through its subsidiary SOCOTECH (PTY) Ltd, Reg. 2020/724125/07, or contracted third party affiliates which will be collected through this website: https://lms.topic.co.za ('website').
The Just Brands Africa (PTY) is committed to deal responsibly with your personal information. Just Brands Africa (PTY) provide you with this privacy notice in order for you to make an informed decision about whether you want to use our website or not and/ or provide your personal information. The use of the website is of your own volition and the provision of any personal information.
Please note that by using our website you implicitly consent to this privacy notice and should you provide any personal information then you will be asked to make your consent explicit.

If you do not consent to this privacy notice you must stop using our website.

1. Purpose
This Privacy Policy applies to personal information that Just Brands Africa (PTY) Ltd, Reg. 2013/228381/07, (‘Just Brands Africa’ or ‘Company’) may process in regard to any or all of the services contemplated by this notice directly, through and to the benefit of the platform TOPIC, or contracted third party affiliates which will be collected.
This policy also serves to protect the Company from compliance risks associated with the protection of personal information which includes:

1. Breaches of confidentiality;
2. Failing to offer choice to Data subjects to choose how and for what purpose their information is used for;
3. Reputational damage;

The policy also demonstrates the Company’s commitment to protecting the privacy rights of Data subjects.

2. Scope
This document applies to the Company’s Board of Directors, all employees, contractors, suppliers, clients, persons acting on behalf of the company and all potential and existing Data subjects.

3. Introduction
The Protection of Personal Information Act, 4 of 2013 (‘POPIA’) requires the Company to inform Data subjects as to how their personal information is used, collected, disclosed and destroyed.

The Company is committed to compliance with POPIA and other applicable legislation, protecting the privacy of Data subjects and ensuring that their personal information is used appropriately, transparently and securely.

This policy is made available on the Company’s website topic.co.za and should be read in conjunction with the Company’s Website Privacy Notice.

4. Definitions
4.1 Personal Information
Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an existing, identifiable juristic person and may include but is not limited to:

1. information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic- or social- origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; ;
2. information relating to the education or the medical, financial, criminal or employment history of the person;
3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
4. the biometric information of the person;
5. the personal opinions, views or preferences of the person;
6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
7. information regarded as confidential business information;
8. the views or opinions of another individual about the person; and
9. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

4.2. Data subject

This refers to the natural or juristic person to whom personal information relates, such as employees, clients, delegates, sub-contractors or a company that supplies the Company with goods or services.

4.3. Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4.4. Processing

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1. the collection, receipt, capturing, collation, storage, updating, retrieval, alteration or use;
2. dissemination by means of transmission, distribution or making available in any other form; or
3. merging, linking, erasure or destruction of information.

4.5. Processing of children's personal information

A child will be understand stood as a natural person under the age of 18 years of age. A competent person would be someone who is either the child's parent, adoptive or biological, or legal guardian who can act on behalf of the child.
The Company will process data of children is only if:

1. it is carried out with the prior consent of a competent person;
2. it is necessary for the establishment, exercise or defence of a right or obligation in law;
3. it is necessary to comply with an obligation of international public law;
4. it is for historical, statistical or research purposes; or
5. it is of personal information which has deliberately been made public by the child with the consent of a competent person.

5. Rights of data subjects
The Company will ensure that it makes Data subjects aware of their rights as appropriate and specifically with regards to the following:
5.1. The right to access personal information

Data subjects have the right to establish whether the Company holds personal information related to them, including the right to request access to that personal information.

5.2. The right to have personal information corrected or deleted

Data subjects also have the right to ask the Company to update, correct or delete their personal information on reasonable grounds.

5.3. The right to object to the processing of personal information

Data subjects have the right on reasonable grounds, to object to the processing of their personal information.
The Company will consider such requests and the requirements of POPIA and may cease to process such personal information and may, subject to statutory and contractual record keeping requirements, also destroy the personal information.

5.4. The right to object to direct marketing

Data subjects have the right to object to their personal information being used for the purposes of direct marketing by means of unsolicited electronic communications.

5.5. The right to complain to the Information Regulator

Data subjects have the right to submit a complaint to the Information Regulator regarding infringements of any of their rights protected under POPIA and to institute civil proceedings against alleged non-compliance with the protection of their personal information.

5.6. The right to be informed

Data subjects have the right to be informed that their personal information is being collected by the Company and should also be notified in any situation where the Company reasonably believe that the personal information of data subjects has been accessed by unauthorised person/s.

6. General principles
All employees and persons acting on behalf of the Company will be subject to the following guiding principles:
6.1. Accountability

Compliance failure could damage the reputation of the company and its shareholder, the Company. The Company could also be exposed to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.

The Company will take appropriate steps including disciplinary action against individuals who through intentional or negligent actions and/or omissions fail to comply with this policy.

6.2. Processing limitation

The Company collects personal information directly from Data subjects only as pertains to business requirements. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Just Brands Africa (PTY) Ltd will inform Data subjects as to what information is mandatory or deemed optional, as far as possible.

Personal information will only be used for the purpose for which it was collected, intended and as agreed. This may include:

1. Registering delegates on training courses;
2. Issuing certificates to delegates upon successful completion of training courses;
3. Issuing tax certificates to subcontractors;
4. Recruitment activities of students and employees;
5. Record keeping and payment of employees;
6. Administration of employment benefits;
7. Recording and payment of suppliers;
8. Confirming, verifying and updating client information;
9. For registration purposes with statutory bodies (CIPC, SARS) and institutions (banks);
10. Contractual obligations;
11. In connection with legal proceedings;
12. In connection with and to comply with legal and regulatory requirements or when allowed by law;
13. For audit and reporting purposes; and
14. Marketing activities as provided in POPIA and the Consumer Protection Act 68 of 2008 ('CPA').

According to Section 10 of POPIA, personal information may only be processed if the purpose for which it is processed, is adequate, relevant and not excessive. Certain conditions must be met for the Company to process personal information as in Section 11 of POPIA. These are listed below:

1. Data subjects consent to the processing – consent is obtained during early stages of the relationship.
2. Processing is necessary – personal information is required to facilitate the provision of services to the Data subject or for the conclusion of a contract to which the Data subject is a party.
3. The Company is under obligation by law.
4. The legitimate interest of the Data subject is protected – it is in their best interest to provide the personal information.
5. Processing is in the best interest of the Company – in order to provide our services to the Data subject.

6.3. Further processing limitation

Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Where the secondary purpose is not compatible with the original purpose, the Company will first obtain additional consent from the Data subject.

6.4. Information quality

The Company will take reasonable steps to ensure that all personal information is complete, accurate and not misleading. Where personal information is collected from third parties, the Company will take reasonable steps to ensure that the information is correct by verifying the accuracy of the information directly with the Data subject or by way of independent sources.

6.5. Security safeguards

Section 19 of POPIA requires the adequate protection of personal information that is held by the Company. The Company will continuously review security controls and processes to prevent unauthorised access and use of personal information.
The following procedures are in place to ensure that personal information are secure:

1. This policy is available from the Company’s website and Intranet;
2. Employees will be trained on this policy and POPIA;
3. All product marketing activities using email addresses derived from leads capturing or enrolment data, unsolicited proposals and letter campaigns must be distributed through the ClickDimensions marketing platform to ensure subscription consent compliance. Marketing mail mergers from personal individual inboxes are not allowed.
4. Reputable Just Brands Africa (PTY) Ltds must be used for the purchase or acquisition of databases for marketing purposes. In addition, databases may only be acquired if the provider can provide certification of assurances that they have obtained permission from prospects/customers to on-sell their information and that they accept legal liability for any misrepresentation thereof.
5. Redundant hardcopies of personal information are stored in locked bins until it is securely destroyed by our Just Brands Africa (PTY) Ltd;
6. Archived personal information are destroyed according to legislative retention periods;
7. The Company’s internal server hard drives are protected by firewalls; and
8. The backup of electronic files and data are managed and regulated through a service
9. level agreement entered into with a reputable service provider.

7. Specific duties and responsibilities
7.1. Board of Directors

The Company’s Board of Directors is ultimately accountable for ensuring that the Company meets its obligations under POPIA. The Board of Directors may however delegate some of its responsibilities to management or other capable individuals.

7.2. Chief Executive Officer

The Chief Executive Officer is by virtue of the position, appointed automatically as Information Officer in terms of the Promotion of Access to Information Act and POPIA and may authorise any person in the Company to act as the Information Officer of the Company. The CEO however retains the responsibility and accountability for any powers or the functions authorised to that person and has the right to amend and/or withdraw any of these powers, duties and responsibilities.

7.3. The Company’s Information Officer is responsible for the following:

1. Taking steps to ensure the Company’s reasonable compliance to POPIA;
2. Reviewing the Company’s information protection procedures and policies;
3. Ensuring that the Company makes it convenient for Data subjects to communicate with the Company regarding their personal information;
4. Encourage compliance with the lawful processing of personal information;
5. Ensure that employees and persons acting on behalf of the Company are aware of the risks associated with the processing of personal information;
6. Ensure that employees are trained in the processing of personal information;
7. Address employees’ POPIA related questions;
8. Address POPIA related requests and complaints made by the Company’s Data subjects; and
9. Act as contact point for the Information Regulator on issues pertaining to the processing of personal information.

7.4. The Company’s Executive Manager in charge of Information Technology is responsible for:

1. Ensuring that the Company’s IT infrastructure and any other devices used for processing personal information meet acceptable security standards;
2. Ensuring that servers containing personal information are sited in a secure location;
3. Ensuring that all electronically stored information is backed-up and tested on a regular basis;
4. Ensuring that all back-ups are protected from unauthorised access, accidental deletion and malicious hacking attempts;
5. Ensuring that information being transferred electronically is encrypted;
6. Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software;
7. Performing regular IT audits to ensure that the security of the Company’s hardware and software systems are functioning properly;
8. Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by unauthorised persons; and
9. Performing a proper due diligence review prior to contracting with third party providers to process personal information on the Company’s behalf.

7.5. Employees and other persons acting on behalf of the Company are responsible for:

1. Keeping all personal information that they come into contact with secure by taking precautions and complying with this policy;
2. Ensuring that personal information is kept in as few places as is necessary;
3. Ensuring that personal information is encrypted prior to sharing the information electronically;
4. Ensuring that all devices such as computers, flash drives, etc. are password protected and never left unattended (refer to the Company’s Electronic Communications policy);
5. Ensure that computer screens and other devices are switched off when not in use;
6. Ensure that removable storage devices such as external drives that contain personal information are locked away securely when not being used;
7. Ensure that where personal information is stored on paper, that such hard copies are kept in a secure place where unauthorised persons are not able to access it;
8. Ensure that where personal information has been printed out, that the printouts are not left unattended where unauthorised individuals could see them;
9. Take reasonable steps to ensure that personal information is stored only for as long as it is needed or required;
10. Undergo POPIA awareness training from time to time.
11. Employees and other persons acting on behalf of the company will under not circumstances:
12. Process personal information where it is not a requirement to perform their workrelated duties;
13. Save copies of personal information directly to their own private computers or mobile devices; and
14. Share personal information informally.

8. Data breach procedure
8.1. Reporting a possible breach

Any employee who becomes aware of a possible breach of Personal Information must immediately inform their line manager and the Information Officer and/or the Deputy Information Officers.

The employee must ensure to retain any evidence they have in relation to the breach and provide a written statement setting out any relevant information relating to the suspected data breach using the Data Breach Record.

The employee must ensure to retain any evidence they have in relation to the breach and provide a written statement setting out any relevant information relating to the suspected data breach using the Data Breach Record.

8.2. Response plan

The Company’s CEO,the Information Officer, or designated deputy Information Officer will assemble a team to investigate, manage and respond to the data breach.

The breach team will then:

1. Make an urgent preliminary assessment of what data have been lost, why and how.
2. Take immediate steps to contain the breach and recover any lost data.
3. Undertake a full and detailed assessment of the breach.
4. Record the breach in the company’s data breach register.
5. Notify the Information Regulator, if necessary.
6. Notify affected data subjects, if necessary.
7. Put in place any measures to address it and to mitigate its possible adverse effects and to prevent further breaches.

9. Data breach register

The company will maintain a register of all personal data breaches regardless of whether or not it is notifiable to the Information Regulator. The register will include a record of:

1. The facts relating to the breach including the cause, what happened and what personal data were effected;
2. the effects of the breach; and
3. the remedial actions Just Brands Africa (PTY) Ltd have taken.

10. Notification to the Information Regulator

Not all personal data breaches have to be notified to the Information Regulator. The breach will only have to be notified if it is likely to result in a risk to the rights and freedoms of data subjects and this will be assessed by the company on a case-by-case basis.

11. Notifications to data subjects

The data breach team will consider several factors in determining the notifications to individuals affected by the data breach including but not limited to:

1. Contractual obligations;
2. Risk of identity theft or fraud because of the type of information lost such as contact details, bank information or identity numbers;
3. Risk of physical harm;
4. Risk of hurt, humiliation or damage to reputation if the information includes medical or disciplinary records; and
5. Number of data subjects affected.

Affected individuals must be notified without unreasonable delay, unless such notification will impair a criminal investigation. Notices must be in plain language and include basic information such as what happened, type of information involved, steps being taken, steps individuals should take and contact information.

12. Disciplinary action

The Company may recommend appropriate legal or disciplinary action to be taken against any employee found to be implicated in any non-compliant activity outlined within this policy.

Any gross negligence or intentional mismanagement of personal information will be considered a serious form of misconduct under the Company’s Disciplinary code and may lead to dismissal.

Examples of actions that may be taken subsequent to an investigation include:

1. A recommendation to commence with disciplinary action
2. A referral to law enforcement agencies for criminal investigation
3. Risk of physical harm;
4. Risk of hurt, humiliation or damage to reputation if the information includes medical or disciplinary records; and
5. Recovery of funds in order to limit any damages caused.

How to contact us
Information Officer:

Francois van Louw

E: francois@jbafrica.com

T: +27 73 102 4961

Deputy Information Officers:

Nicholas Manuel

E: nick@jbafrica.com

T: +27 76 546 7153

E: info@topic.co.za

T: 021-879-5803