Revision Date: 23 June 2021
1.1. We at ViveTeen Wellness (Pty) Ltd (“Vive Teen” / “we” / “us”) respect the privacy of data subjects and are committed to keeping Personal Information secure and confidential.
- RESPONSIBLE PARTY
2.1. The legal entity that collects the relevant Personal Information or that determined the purpose for the processing of the Personal Information (alone or in conjunction with others) will be the responsible party for the Personal Information. We are responsible for ensuring that Personal Information is processed in compliance with the conditions for lawful processing set out in POPIA.
Cortex Logic (Pty) Ltd, together with its subsidiaries
REGISTRATION NUMBER: 2014/102467/07
Vive Teen Wellness (Pty) Ltd
REGISTRATION NUMBER: 2021/421791/07
2.3. If the data subject has any questions or wishes to complain about the processing of Personal Information, or if the data subject wishes to exercise any rights as a data subject, the data subject can contact the Information Commissioner at firstname.lastname@example.org.
- WHAT PERSONAL INFORMATION DO WE COLLECT
3.1. “Personal Information” is defined in POPIA and means information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person. We “process” Personal Information if we collect, use, store, make available, destroy, update, disclose, receive or otherwise deal with the data subject’s Personal Information.
3.2. “Sensitive Personal Information” is defined in POPIA and means Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.
3.3. Depending on the type of business we conduct with the data subject or the relationship the data subject has with us, we may process the Personal Information and/or sensitive Personal Information, which may include inter alia:
- marital status
- physical / mental health
- medical history
- political opinions
- religious or philosophical beliefs
- sexual orientation
- language preference
- date of birth
- information relating to education, financial or employment history of a person
- identifying numbers such as identity or passport number, tax identification numbers or tax reference numbers
- e-mail address
- physical address
- telephone number
3.4. Where we need to process Sensitive Personal Information, we will do so in the ordinary course of our business, to offer or enhance our services, products and/or applications, for a legitimate purpose, and in accordance with applicable law.
3.5. Where we need to process the Personal Information of minors we will do so only to the extent that the law permits this. In the normal course of our business, a competent person such as a parent or guardian will consent to the processing of the Personal Information of the minor.
- FOR WHAT PURPOSE DO WE COLLECT PERSONAL INFORMATION
4.1. In order for us to provide clients with products, services and/or applications they have requested and to notify them of important changes to such products, services and/or applications, we may need to collect, use and disclose the Personal Information of application users and subscribers (and if applicable minors and/or the parents or guardians of such minors), of clients, their representatives, controlling persons of entities, business contacts, staff of clients and service providers. We collect and use Personal Information in order to conclude a contract with clients and to carry out the obligations in terms of that contract (including managing the account and complying with instructions and requests) and to provide or enhance the services we provide. We also process contact information so that we can report to clients and keep clients informed of the status of any instruction.
4.2. We may use Personal Information to pursue our legitimate interests such as to provide our products and services, to compile reports, to comply with requests for information from any internal or external auditor, or any regulatory or supervisory body, or to correspond with the data subject. If we require funding from an investor, bank or other financing institution or if a third party is investing in or considers investing in us or any of our affiliated entities then we may, in our legitimate interest, provide information to such investor, bank or other financing institution, to the extent permitted by law.
4.3. A data subject may refuse to provide us with Personal Information, in which case it is likely that we will not be able to provide our relevant product, service and/or applications, or the functionality/deliverability of such product, service and/or application may be impacted, and/or we would have to terminate our business relationship. The supply of certain items of Personal Information, especially those collected to comply with regulation, is legally mandatory.
4.4. We may further process Personal Information if it is compatible with the purpose for which it was collected, for instance to:
4.4.1. evaluate an application or subscription for products, services and/or applications;
4.4.2. evaluate a current and future need and to suggest further products, services and/or applications to the data subject;
4.4.3. evaluate and improve the effectiveness of our business and products, services, applications and other offerings;
4.4.4. conduct market research and provide the data subject with information about our products, services, applications and other offerings from time to time via email, telephone or other means (for example invites to events);
4.4.5. process the data subject’s marketing preferences (where the data subject unsubscribed from certain direct marketing communications, keeping a record of the data subject’s information and request to ensure that we do not send such direct marketing to the data subject again);
4.4.6. for operational and further development purposes;
4.4.7. verify the data subject’s identity for security purposes;
4.4.8. meet legal and regulatory requirements or industry codes to which we may be subject, for example comply with a lawful request for information received from a local or foreign law enforcement agency, court, government or tax collection agency;
4.4.9. use in connection with legal proceedings;
4.4.10. conduct our internal audit (including security) functions which allow us to monitor our systems and processes. This protects us and the data subject from fraud, identity theft and unauthorised access;
4.4.11. conduct statistical and any operational, marketing, auditing, legal and record-keeping requirements;
4.4.12. detect and prevent any fraud and money laundering and/or in the interest of security and crime prevention (which includes ongoing due diligence and sanction screening against any sanction list we may determine in our sole discretion);
4.4.13. assess and resolve any complaint;
4.4.14. perform any risk analysis or for purposes of risk management to the data subject or our business in general;
4.4.15. record and/or monitor and have access to the data subject’s telephone calls (i.e. voice recordings), correspondence and electronic communications to/with us (or any of our employees, agents or contractors) in order to accurately carry out instructions and requests, to use as evidence and in the interests of crime prevention;
4.4.16. trace the data subject’s contact information through a tracing agent if uncontactable and/or to comply with any regulation or conduct standard relating to unclaimed assets;
4.4.17. provide the data subject access to any of our products, services, applications and other offerings; and
4.4.18. prevent or control the spread of any disease (e.g. Covid-19).
- HOW DO WE COLLECT PERSONAL INFORMATION
5.1. Directly from the data subject: We will not collect Personal Information without the data subject’s consent, except where it is required or permitted by law. We collect most of the Personal Information we process directly from the data subject or an authorised representative of the data subject, for example when an application form or client take-on form is completed or access to products, services, applications and other offerings is granted.
5.2. From third party sources: We also collect or process Personal Information we obtain from third party sources or sources in the public domain. This may include, but is not limited to:
5.2.1. affiliates or subsidiaries of Vive Teen;
5.2.2. client due diligence tools, and through identity verification and bank verification processes;
5.2.3. sanction screening tools (which may include any sanction list we may determine in our sole discretion);
5.2.4. collection of Personal Information by requesting information on source of funds or source of wealth;
5.2.5. credit and fraud checks;
5.2.6. consumer credit information as defined in the National Credit Act, Act No. 34 of 2005 from registered credit bureaux;
5.2.7. tracing agents;
5.2.8. Personal Information as required for the purposes of forensic investigations of whatsoever nature;
5.2.9. in the ordinary course of business of providing access to and functionality of our products, services, applications and other offerings to the data subject.
5.3. During the course of our business relationship with a data subject and in the course of delivering a product, service, application and other offering to that data subject, we may obtain Personal Information from product providers on behalf of that data subject.
- WHO RECEIVES THE DATA SUBJECT’S PERSONAL INFORMATION
6.2. We may, depending on the type of service, transfer Personal Information to: an auditor, a local or foreign regulator (including but not limited to the Financial Sector Conduct Authority, Reserve Bank, South African Revenue Services, the Financial Intelligence Centre), a tax administrator, a legal advisor, a financial intermediary appointed by the data subject, a forensic investigation service (internal or external), a service provider providing administrative support services or accounting services to the data subject or us or other third party service providers. We will ensure that such third parties are restricted by obligations of confidentiality to only use the Personal Information for the required purpose and that they will apply strict security measures to the Personal Information we share with them.
6.3. We will also share Personal Information for the purpose of client due diligence undertaken in compliance with relevant laws and regulations. We may share Personal Information within the Vive Teen group of companies for purposes of enhanced products, services, applications and other offerings, including business intelligence.
- HOW WE SAFEGUARD THE DATA SUBJECT’S INFORMATION
We are legally obliged to provide adequate protection for the Personal Information we hold and to stop unauthorised access and use of Personal Information. We will, on an ongoing basis, continue to review our security controls and related processes to ensure that Personal Information is secure.
Our security policies and procedures cover:
- physical security;
- computer and network security;
- access to personal information;
- secure communications;
- security in contracting out activities or functions;
- retention and disposal of Personal Information;
- acceptable usage of Personal Information;
- governance and regulatory issues;
- monitoring access and usage of Personal Information;
- investigating and reacting to security incidents.
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure the security of Personal Information that we remain responsible for.
- THIRD PARTY COUNTRY TRANSFER
8.2. We may enter Personal Information into our systems and the systems of our service providers and operators that may use technology or services outside South Africa. Personal Information may also, for cloud storage purposes or through the use of any of our websites, be transferred or processed outside of the Republic of South Africa.
8.3. We may also, in the course of providing products, services, applications and other offerings to the data subject, engage with third party service providers outside the Republic of South Africa and then transfer Personal Information to them for purposes of providing the data subject with products, services, applications and other offerings or to comply with applicable law.
8.4. Recipients of Personal Information may be situated in countries which do not have data protection laws similar to the Republic of South Africa. We will, however, use all reasonable endeavours to ensure that the contracts entered into with such third parties contain the necessary appropriate safeguards if Personal Information is processed outside the Republic of South Africa or rely on other legally permitted safeguards.
9.1. We may contact the data subject from time to time to inform the data subject of similar products, services, applications and other offerings to the ones the data subject contracted for and that we think the data subject may be interested in. We may also provide the data subject with newsletters and market insights as part of our value-added client experience.
9.2. We share Personal Information with affiliates in the Vive Teen group of Companies (subject to applicable law and indicated marketing preferences) so that they may offer the data subject their products, services, applications and other offerings.
9.3. The data subject may object to us processing the data subject’s Personal Information for marketing purposes. The data subject can unsubscribe from direct marketing by following the steps set out in the direct marketing received or contacting Vive Teen, as the case may be for the particular products, services, applications and other offerings.
- RIGHTS AS A DATA SUBJECT
10.1. The data subject has the right to have Personal Information processed in accordance with the conditions for the lawful processing of Personal Information as set out in POPIA. The data subject also has the rights as set out below which we need to make the data subject aware of.
Right of Access
10.2. In terms of section 23 of POPIA, data subjects are entitled to request us to:
10.2.1. confirm, free of charge, whether or not we hold Personal Information about the data subject; and
10.2.2. provide a record or a description of the Personal Information we hold, including information about the identity of all the third parties, or categories of third parties who have, or have had, access to the Personal Information.
10.3. The data subject will need to provide us with adequate proof of identity before we respond to a request. If the data subject requests a record, we will respond within a reasonable time. We may charge the fee under applicable law for providing copies of records to the data subject.
Right to request correction or deletion
10.4. The data subject may request us, in terms of section 24 of POPIA, to correct or delete Personal Information in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. The data subject may also request us to destroy or delete a record of Personal Information about the data subject that we are no longer authorised to retain.
10.5. We will, as soon as reasonably practicable, correct, destroy or delete the Personal Information, as the case may be, unless we are required or entitled under applicable laws to keep it, and we will inform the data subject that we have done so.
10.6. If we do not believe that the Personal Information requires correction, we will provide the data subject with credible evidence in support of the Personal Information. If we cannot reach agreement with the data subject, the data subject may request us to attach to the Personal Information we hold the request for correction so that it can be read together.
Right to object to processing
10.7. Where we process Personal Information to protect the legitimate interest of the data subject or to pursue the legitimate interest of a third party to whom the Personal Information is supplied or our own legitimate interest, the data subject may object at any time to the processing of the Personal Information for these purposes, on reasonable grounds relating to the situation, unless applicable law provides for such processing.
10.8. The data subject may also object at any time to the processing of Personal Information for purposes of direct marketing or the receipt of direct marketing through unsolicited electronic communication.
Remedies for data subjects
10.9. The data subject has the right to complain to the Information Regulator (see below).
- HOW LONG DO WE RETAIN PERSONAL INFORMATION
11.1. We generally only keep Personal Information on our records for as long as we need it to provide the data subject with products, services, applications and other offerings and to meet legal requirements related to record-keeping.
11.2. We will keep Personal Information for as long as:
11.2.1. the law requires us to keep it;
11.2.2. a contract we have with the data subject requires us to keep it;
11.2.3. the data subject consented to us keeping it;
11.2.5. we require it for our lawful business purposes; and
11.2.6. we require it for the development of products, services, applications and other offerings.
11.3. We may also keep Personal Information for historical, statistical or research purposes if appropriate safeguards are in place. We may keep Personal Information for longer if there is litigation or an investigation, or any legal or regulatory query.
11.4. If we have to keep Personal Information for longer periods than set out above (for example if it cannot be safely destroyed), we will only process it for purposes of storage or for purposes of proof. We will also restrict access and processing of such Personal Information.
- SECURITY BREACHES
In the event of a security compromise where Personal Information has been accessed or acquired by an unauthorised person, we will notify the data subject directly as soon as possible as provided for in POPIA.
- AUTOMATED DECISION MAKING
13.1. An automated decision is when Personal Information is analysed to form a profile of a person or category of persons to make a decision without human intervention. We do make automated decisions in the ordinary course of our business and in the provision of our products, services, applications and other offerings.
13.2. Where we make any automated decisions about the data subject, the data subject will have the right to query any decisions made and we will provide reasons for the decisions as far as reasonably possible.
- THE INFORMATION REGULATOR
14.1. The data subject may complain to the Information Regulator. Any person may submit a complaint to the Information Regulator in the prescribed manner and form alleging interference with the protection of the Personal Information of a data subject. A data subject may also submit a complaint in respect of a determination of an adjudicator.
14.2. The address of the Information Regulator is as follows:
Attn: The Information Regulator (South Africa)
JD House, 27 Stiemens Street
P.O. Box 31533
Complaints e-mail: complaints.IR@justice.gov.za
General enquiries e-mail: email@example.com