POPI Policy / Privacy Statement

POPI POLICY / PRIVACY STATEMENT

You, as the Disclosing Party, hereby consent to and are bound by this POPI
Policy / Privacy Statement (“Privacy Statement”) of Suki Suki Naturals (Pty)
Ltd, 661 Willowgrove Road, Dainfern, Johannesburg, 2191 2014/009893/07
(“Recipient”) in relation to the processing by the Recipient of the personal
information of the Disclosing Party. This Privacy Statement is effective as of
the date of consent hereto or the effective date of any main agreement
incorporating the terms of this Privacy Statement by reference
(“Agreement”), whichever is earlier.

By using our website, you (the visitor) agree to allow third parties to process your IP address, in order to determine your location for the purpose of currency conversion. You also agree to have that currency stored in a session cookie in your browser (a temporary cookie which gets automatically removed when you close your browser). We do this in order for the selected currency to remain selected and consistent when browsing our website so that the prices can convert to your (the visitor) local currency.

 
DEFINITIONS
 
“Affiliate” means, with respect to any entity, any other entity Controlling,
Controlled by or under common Control with such entity, for only so long as
such Control exists;
 
“Associated Personnel” means any staff member, independent contractor,
agent or the like of the Recipient;
 
“Control” means the direct or indirect ownership of more than 50% of the
voting capital or similar right of ownership of an entity, or the legal power to
direct or cause the direction of the general management and policies of that
entity, whether through the ownership of voting capital, by contract or
otherwise. Controlled and Controlling shall be construed accordingly;
 
“Data Protection Laws and Regulations” means all mandatory laws and
regulations, including laws and regulations of RSA, applicable to the
Processing of Personal Information, including but not limited to, the POPI Act
and any amendment or replacement thereof;
 
“Data Subject” means the individual to whom Personal Information relates
as defined in section 1 of the POPI Act;
 

“Disclosing Party” means the natural or juristic person who consents to the
terms of this Privacy Statement or agrees to an Agreement incorporating the
terms of this Privacy Statement by reference, and for the purposes of this
Privacy Statement, is the Data Subject;
 
“Operator” means a person as defined in section 1 of the POPI Act;
 
“Personal Information” means information relating to an identifiable, living,
natural person, and where it is applicable, an identifiable, existing juristic
person, as defined in section 1 of the POPI Act;
 
“POPI Act” means the Protection of Personal Information Act 4 of 2013 as
may be amended from time to time;
 
“Processing” means processing as defined in section 1 of the POPI Act;
 
“Recipient” means the person which Processes Personal Information of the
Disclosing Party, as defined in the preamble above. For the purposes of this
Privacy Statement, the Recipient and/or Affiliates are the Responsible
Parties;
 
“RSA” means the Republic of South Africa;
 
“Responsible Party” means the person which determines the purpose and
means for which Personal Information is Processed, as defined in section 1 of
the POPI Act; and
 
“Supervisory Authority” means the Information Regulator as established in
RSA, pursuant to the POPI Act.
 
PROCESSING OF PERSONAL INFORMATION
 
• The Disclosing Party hereby consents to the Processing of their
Personal Information in accordance with this Privacy Statement.
 
• The Recipient shall comply with Data Protection Laws and Regulations.
 

• For the avoidance of doubt, Disclosing Party’s instructions to the
Recipient for the Processing of Personal Information must comply with
Data Protection Laws and Regulations. In addition, Disclosing Party
shall have sole responsibility for the accuracy, reliability, integrity,
quality, and legality of Personal Information, and the means by which
Disclosing Party acquired Personal Information, including providing any
required notices to, and obtaining any necessary consent from, its
employees, agents or third parties, if applicable.
 
• The Recipient will not sell, share, or rent Disclosing Party’s Personal
Information to any third party or use Disclosing Party’s phone number
for unsolicited messages, without the express consent of the Disclosing
Party. Any messages sent by the Recipient will only be pursuant to this
Agreement.
 
• It is expressly stated that the Recipient agrees and warrants:
 
• that the Processing of Personal Information shall be carried out in
accordance with the relevant provisions of the Data Protection Laws
and Regulations and does not violate the relevant provisions of the
POPI Act;
 
• that it shall throughout the duration of the Processing process the
Personal Information only on the Disclosing Party's behalf and in
accordance with the Data Protection Laws and Regulations; and
 
• that after assessment of the requirements of the Data Protection Laws
and Regulations, the security measures are appropriate to protect
Personal Information against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access to the
Personal Information, in particular where the Processing involves the
transmission of data over a network, and against all other unlawful
forms of processing, and that these measures ensure a level of security
appropriate to the risks presented by the Processing and the nature of
the Personal Information to be protected having regard to the state of
the art and the cost of their implementation.
 
• The Recipient shall keep the Personal Information of the Disclosing
Party confidential and shall only Process Personal Information on
behalf of and in accordance with Disclosing Party’s documented and
lawful instructions to:

 
• fulfil the purpose set out in the table at the end of this Privacy
Statement; and
 
• comply with other documented, reasonable instructions provided by
Disclosing Party (for example, via email) where such instructions are
consistent with the terms of the Privacy Statement. The Recipient will
not process Personal Information outside of RSA without first having
obtained Disclosing Party’s consent. Provided the Recipient has
sufficient legal framework under the Data Protection Laws and
Regulations to process Personal Information outside of the RSA, the
Disclosing Party’s consent shall not be unreasonably withheld in
respect of the Processing outside of the above two jurisdictions.
Disclosing Party takes full responsibility to keep the amount of Personal
Information provided to the Recipient to the minimum necessary for the
fulfilment of the purpose or otherwise as required by the Recipient. The
Recipient shall not be required to comply with or observe Disclosing
Party’s instructions if such instructions would violate Data Protection
Laws and Regulations.
 
SCOPE OF PROCESSING
 
The nature and purpose of Processing of Personal Information by the
Recipient is as set out in the table at the end of this Privacy Statement.
 
RIGHTS OF DATA SUBJECTS
 
• The Disclosing Party shall have the right to:
 
• access and rectify their Personal Information collected by the Recipient.
On the request of the Disclosing Party, the Recipient will provide such
access as is reasonably practicable and either allow the Disclosing
Party to rectify such information themselves or implement any
rectifications on behalf of the Disclosing Party;
 
• object to the Processing of their Personal Information if Processing is
not:
 
• with the Disclosing Party’s consent;

 
• protecting their legitimate interests;
 
• necessary for the proper performance of a public law duty by a public
body; or
 
• necessary for pursuing the legitimate interests of the Recipient or its
Affiliates,
 
unless Processing is otherwise permissible under the Data Protection Laws
and Regulations or this Privacy Statement;
 
• object to the Processing of their Personal Information for the purposes
of direct marketing other than as allowed by the Data Protection Laws
and Regulations; and
 
• lodge a complaint with the Supervisory Authority at IR@justice.gov.za .
 
ASSOCIATED PERSONNEL
 
Confidentiality
 
The Recipient shall ensure that its Associated Personnel engaged in the
Processing of Personal Information are informed of the confidential nature of
the Personal Information, have received appropriate training on their
responsibilities and have executed written confidentiality agreements or are
under general obligations of confidentiality towards the Recipient.
 
Reliability
 
The Recipient shall take commercially reasonable steps to ensure the
reliability of the Associated Personnel engaged in the Processing of Personal
Information.
 
Limitation of Access
 

The Recipient shall ensure that access to Personal Information is limited to
those Associated Personnel of the Recipient directly involved in the fulfilling
of the purpose.
 
OPERATORS
 
Appointment of Operators
 
Disclosing Party acknowledges and agrees that:
 
• the Recipient is entitled to retain its Affiliates as Operators; and
 
• subject to clause 6.2 below, the Recipient or any such Affiliate may
engage any third parties from time to time to process Personal
Information on their behalf and in connection with the fulfilment of the
purpose envisaged in Attachment 1 to this Privacy Statement.
 
Approval of Operators
 
Except as otherwise provided in this Privacy Statement, the Recipient shall
not provide any third party with access to Disclosing Party Personal
Information without the prior express approval of Disclosing Party. The
Recipient shall provide advanced written notice to the Disclosing Party should
it desire to provide a third-party access to Disclosing Party’s Personal
Information. Where approval has been granted by Disclosing Party in
accordance this section, the Recipient shall:
 
• undertake due diligence on the Operator; and
 
• enter into a written agreement with the Operator that ensures that the
Operator Processes the Personal Information in line with this Privacy
Statement and Data Protection Laws and Regulations; and
 
• Provide Disclosing Party with such information regarding the Operator
as Disclosing Party may reasonably require.
 

SECURITY MEASURES, NOTIFICATIONS REGARDING PERSONAL
INFORMATION, CERTIFICATIONS AND AUDITS, RECORDS
 
Security Measures
 
Taking into account the state of art, the costs of implementation and the
nature, scope, context and purposes of Processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons,
the Recipient shall implement appropriate organisational and technical
measures towards a level of security, appropriate to the risk (including risks
that are presented by Processing, in particular from accidental or unlawful
destruction, loss alteration, unauthorised disclosure of, or access to Personal
Information transmitted, stored or otherwise Processed), including but not
limited to:
 
• the encryption of Personal Information in transit;
 
• the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
 
• the ability to restore the availability and access to Personal Information
in a timely manner in the event of a physical and technical incident; and
 
• a process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures for ensuring the
security of the Processing.
 
Notifications Regarding Personal Information Breach
 
• The Recipient will ensure that it and its Operators have in place
reasonable and appropriate security incident management policies and
procedures as required by the POPI Act, and shall notify Disclosing
Party without undue delay (but in any event within 24 hours) where
there are reasonable grounds to believe that there has been, or after
becoming aware of, the unlawful or accidental destruction, alteration or
damage or loss, unauthorized disclosure of, or access to Personal
Information, transmitted, stored or otherwise Processed by the
Recipient or Operators of which the Recipient becomes aware

(hereinafter, a “Personal Information Breach”), as required to assist
the Disclosing Party in ensuring compliance with its:
 
• obligations to notify the Supervisory Authority;
 
• obligations to communicate the Personal Information Breach to the
Recipient involved; and
 
• documentation obligation regarding the facts relating to the Personal
Information Breach, its effects, and the remedial action taken.
 
• The Recipient shall make reasonable efforts to identify the cause of
such Personal Information Breach and take those steps as it deems
necessary and reasonable in order to remediate the cause of such a
Personal Information Breach, to the extent that the remediation is within
the Recipient’s reasonable control.
 
Records
 
The Recipient shall maintain complete and accurate written records of the
Processing it undertakes on behalf of Disclosing Party in accordance with
Data Protection Laws and Regulations.
 
RETURN OF PERSONAL INFORMATION, COMMUNICATION
 
Return of Personal Information
 
Unless otherwise required by law, the Recipient and Operators, shall if
required in terms of Data Protection Laws and Regulations, upon termination
or expiry of the Agreement for whatever reason, either securely delete or
return all the Disclosing Party Personal Information to Disclosing Party in
accordance with the Agreement, or in the absence of a specific destruction
provision, the Recipient will ensure it follows its standard Personal
Information destruction practices. If the Recipient or its Affiliates are required
to retain a copy of the Personal Information by law, it shall retain that which is
required by applicable Data Protection Laws and Regulations for not longer
than is reasonably necessary.
 

COOPERATION WITH SUPERVISORY AUTHORITY
 
The Disclosing Party and the Recipient as applicable, shall cooperate, on
request, with the Supervisory Authority in the performance of its tasks.
 
CONFLICT
 
If this Privacy Statement is incorporated into and forms part of any other
Agreement, for matters not addressed under this Privacy Statement, the
terms of the Agreement apply to the extent of any inconsistency. With respect
to the rights and obligation of the parties to each other insofar as it pertains to
the Processing of Personal Information, in the event of a conflict between the
terms of the Agreement and this Privacy Statement, the terms of this Privacy
Statement will prevail to the extent of such inconsistency.

This table includes certain details of the Processing of Personal
Information as required by section 18 of the POPI Act.