Privacy policy
Introduction
The Pasta Factory (Pty) Ltd ("the Pasta Factory") is committed to processing data in accordance with its responsibilities under The Protection of Personal Information Act (“POPIA”) and needs to gather and use certain information about data subjects.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be processed (in other words collected, handled, stored or destroyed) to meet legal obligations.
This data protection policy ensures that the Pasta Factory:
- Identifies, manages and mitigates against risks through a POPIA compliant risk management framework;
- Protects the rights of staff, customers and partners;
- Is open about how it stores and processes data subjects’ personal information;
- Protects the Pasta Factory from breaches of confidentiality and reputational damage if unauthorised access to personal information is obtained.
POPIA requires all companies that process personal information, including the Pasta Factory, to implement and ensure appropriate safeguards and measures.
The provisions contained within POPIA apply regardless of whether data is stored electronically, on paper or on other materials.
POPIA sets out 8 conditions of lawful processing to be complied with. The conditions are as follows:
Accountability
The Pasta Factory must ensure all conditions of lawful processing are complied with at the time the personal information is first processed.
Processing Limitation
The Pasta Factory can only process data if necessary, lawful, by consent (where appropriate), adequate, relevant, not excessive and obtained directly from the data subject.
Purpose Specification
The Pasta Factory can only process data collected for a specific purpose and retain it only for as long as is necessary.
Further Processing
The Pasta Factory can only process a data subject’s personal information for activities other than the original purpose if this is in accordance or compatible with the original purpose for which it was collected.
Information Quality
The Pasta Factory must ensure the personal information it has access to is kept up to date, accurate and not misleading.
Openness
The Pasta Factory must have accurate recording practices of all processing activities. This includes documenting processing notifications and consent obtained from data subjects.
Security Safeguards
The Pasta Factory must implement the necessary controls and measures to prevent loss, damage, unauthorised and unlawful access to any personal information it is processing.
Data Subject Participation
The Pasta Factory must ensure measures are implemented to allow data subjects to correct, amend and understand the extent to which their personal information is being processed.
Scope and Application
This policy applies to all employees, directors and officers. All of these people must implement the requirements of this policy.
Roles and Responsibilities
Each employee who processes personal information must ensure the personal information is handled appropriately and in accordance with the procedures set out hereunder and the 8 conditions of lawful processing.
Information Officer
The Information Officer and appointed deputies (if any) are accountable for the implementation of various policy provisions and controls within the company. The Pasta Factory must ensure its Information Officer is registered with the Information Regulator.
The Information Officer is responsible for:
- Regularly measuring, reviewing and monitoring the Pasta Factory’s policy compliance;
- Assisting the Information Regulator with any investigations and data access requests in relation to the Pasta Factory’s processing activities;
- Determining and managing awareness, permissions and preferences in relation to processing activities such as marketing communications, special personal information etc;
- Ensuring lawful, fair and transparent processing and complying with any other associated data privacy legislation or regulation;
- Providing basic privacy training on the requirements and processes under this policy to all new and existing employees and non-employees.
Data Processing and Management
The Pasta Factory recognises the importance of safeguarding personal information as a business asset and integral to the Pasta Factory's economic activity.
This means that personal information of data subjects must be collected, stored, accessed, used, archived and disposed of in accordance with this policy and any other local regulations. To this extent, the Pasta Factory will ensure that:
- Personal information is processed on one of the following lawful bases: consent, contract, public interest or legitimate interest.
- When consent is specifically required, the Pasta Factory will ensure that the data subject is provided with the necessary information to give informed consent to the processing activities that the Pasta Factory performs. Consent shall be recorded and stored.
- Any special information or information relating to a minor will only be processed by the Pasta Factory subject to consent being obtained from the data subject.
- Where communications are sent to individuals based on their consent, the option for the data subject to revoke their consent will be made clearly available and systems should be in place to ensure such revocation is reflected accurately.
- No more data will be collected or processed than is necessary for the identified processing activities.
- The Pasta Factory will ensure records are created in a limited way and to the extent necessary to support the functions and activities of the Pasta Factory’s business or comply with the company’s legal obligations.
- Personal information is kept for no longer than necessary; the Pasta Factory will implement processes for each area in which personal data is processed and review this process annually.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
- The Pasta Factory shall take reasonable steps to ensure personal data is accurate and kept up to date.
- Appropriate documentation and inventories of personal data processing are maintained, and the accuracy and quality of personal data are maintained across the data lifecycle.
- Ensure the necessary processes are implemented to include security safeguards aimed at ensuring protection of personal data against unauthorised access, disclosure, modification or deletion or loss.
- Ensure confidentiality, integrity, availability and resilience of the systems and processes where personal data are processed during the data lifecycle. Measures that are developed will be tested regularly to ensure the effectiveness thereof.
- Establish and implement appropriate incident management procedures for privacy incidents, including breach of confidential personal data.
- In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Pasta Factory shall promptly assess the risk and possible infringement to data subjects’ rights and freedoms and if appropriate report this breach to the Information Regulator.
- If the Pasta Factory requires the services of an operator, it will ensure that the appropriate thresholds of compliance are abided by within the operator’s systems by way of agreement, such as (but not limited to) implementing standard data privacy protection clauses in supplier and vendor agreements where the supplier or vendor may need to process data subjects’ personal information on our behalf.