AutoCity Privacy Policy:
1. OBJECTIVE OF THIS DOCUMENT
1.1. AutoCity is devoted to the safeguarding and protection of your personal data.
1.2. This privacy policy details our collection and usage of your personal data during and after your engagement with us, in line with the mandates of section 18 of the Protection of Personal Information Act, 2013 (“POPIA”).
1.3. AutoCity functions as a “responsible party”, meaning we decide how and where to store and use your personal data. We are obliged under data protection laws to ensure you are aware of the information mentioned in this privacy notice.
1.4. This policy applies to current and former clients, present and past employees, present directors, and independent contractors of AutoCity (“Data Subjects”). We may update this policy whenever required, providing you with an updated copy as quickly as reasonably possible.
1.5. Please read and keep a copy of this notice, and any other privacy notices we may provide on specific occasions when we are collecting or processing your personal data. This is to ensure that you understand our data practices and your rights under POPIA.
1.6. This policy should be read alongside our PAIA manual and any other contract(s) we may have with you periodically. Our PAIA manual can be found on our website or is available upon request from our Information Officers.
2. DATA PROTECTION PRINCIPLES
2.1. AutoCity adheres to the mandates of POPIA. This implies that your personal data in our custody will be: handled lawfully, fairly, and transparently;collected for valid, explicitly stated purposes and not used contrary to those purposes;restricted to the purposes we’ve disclosed to you;accurate and updated as required;stored only as long as needed for the disclosed purposes; andsecured adequately.
3. TYPES OF DATA WE COLLECT ABOUT YOU
3.1. Personal data refers to any data relating to an individual or an entity that enables identification. It does not include data where identification elements have been removed (anonymous data).
3.2. There are categories of personal data that are more sensitive and demand higher levels of protection, such as data related to health or sexual orientation, or data about criminal convictions.
3.3. Depending on how you interact with our websites, we may gather: log data;data inferred from your interactions with our products and services;device data (for instance, the device type, your access method, browser or operating system, and your IP address); andgeographical data.
3.4. We might combine any additional information about you that is publicly or commercially available with the data we’ve collected or received from you in other ways.
3.5. For a comprehensive list of personal data that we might collect, store, and use about you, please refer to our PAIA manual.
4. HOW DO WE COLLECT YOUR PERSONAL DATA?
4.1. We collect personal data about Data Subjects directly from the subjects themselves. We might also gather additional data from third parties, which may include previous employers, credit reference agencies, or other background check agencies.
4.2. We might also collect personal data from trustees or administrators of pension arrangements.
4.3. We might use cookies, web beacons, and other technologies to gather data when you use our websites.
5. HOW WILL WE UTILIZE YOUR DATA?
5.1. We’ll only use your personal data when the law permits us to. Most commonly, we use your personal data in the following situations: when we need to fulfil the contract we have with you;when we must comply with a legal requirement;when it’s necessary for legitimate interests pursued by us or a third party, and your interests and fundamental rights do not override those interests; andwe might also use your personal data in the following situations, which are likely to be rare:when we need to protect your legitimate interests (or someone else’s interests); andwhen it’s needed for the proper performance of a public law duty.
5.2. Situations in which we will use your personal data: We require all the categories of information listed above primarily to execute our contract with you and comply with legal obligations. In some cases, we might use your personal data to pursue legitimate interests, as long as your interests and fundamental rights do not override these interests. Specific situations where we will process your personal data are as follows: to deliver a service you’ve requested from AutoCity;communication with Data Subjects;improving our services;conducting research and preparing research reports;providing support services to Data Subjects;preparing aggregated and anonymised reports;managing accounts, receiving services, and processing payments;assessing the suitability of job applicants for employment;meeting legal obligations concerning employment equity and complying with other applicable laws;sourcing, securing, and managing group insurance schemes for the benefit of Data Subjects and their families;coordinating with trustees or administrators of retirement and/or medical aid arrangements and any other benefit providers;administering the contract we have with you;business management and planning, including accounting and auditing;dealing with legal disputes involving you, other data subjects, directors, and independent contractors;preventing fraud;monitoring your use of our information and communication systems to ensure compliance with our IT policies;ensuring network and information security, preventing unauthorized access to our computer and electronic communication systems, and preventing malicious software distribution;conducting data analytics studies to review and better understand customer retention and attrition rates;employment equity monitoring (directors and independent contractors). Some of the grounds for processing above may overlap, and there might be several grounds justifying our use of your personal data.
5.3 If you fail to provide personal data: If you do not provide certain data when asked, we might not be able to fulfil our contract with you (such as providing you with a benefit), or we might be prevented from complying with our legal obligations.
5.4 Change of purpose: We’ll only use your personal data for the purposes for which we collected it, unless we reasonably think that we need to use it for a different reason and that reason is compatible with the initial purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
5.5 Please note that we might process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. HOW WE HANDLE SPECIFICALLY SENSITIVE PERSONAL DATA?
6.1 “Special categories” of particularly sensitive personal data, such as information about health, racial or ethnic origin, sexual orientation or trade union membership, necessitate heightened protection. We need additional justification to collect, store, and use this type of personal data. We may process special categories of personal data under the following conditions: in exceptional cases, with your explicit written consent; where we need to fulfil our legal obligations or exercise rights related to the services we provide you; and where it’s required for the establishment, exercise, or defence of a legal right or obligation.
6.2 In fewer instances, we may process this type of data when you have made it publicly available.
6.3 Circumstances in which we will use your special personal data: We will generally avoid processing highly sensitive personal data about you unless necessary for performing or exercising obligations or rights concerning the law or our contract with you.
6.4 Do we need your consent? We do not require your consent if we use special categories of your personal data according to our written policy to fulfil our legal obligations or exercise specific legal rights. In rare cases, we may ask for your written consent to process certain particularly sensitive data. If so, we will provide full details about the requested information and why we need it, so you can make an informed decision about whether you wish to consent. It’s important to note that agreeing to any request for consent from us is not a condition of your contract with us.
6.5 Information about criminal convictions: We may only use information relating to criminal convictions where allowed by law. Typically, this would be where such processing is needed to fulfil our obligations, provided it aligns with our internal privacy policy.
6.6 We will only gather information about criminal convictions if it is relevant to the role and where we are legally permitted to do so.
7. DATA SHARING
7.1 We may need to share your data with third parties, including third-party service providers and other entities within our group. If we do, we ensure a similar level of protection for your personal data.
7.2 We require third parties to respect your data’s security and treat it according to the law.
7.3 Why might we share your personal data with third parties? We will share your personal data with third parties when required by law, necessary to manage our relationship with you, or where we have a legitimate interest in doing so.
7.4 Which third-party service providers process my personal data?
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. Depending on the nature of the personal data, we may supply information or records to the following categories of recipients: companies within our group; business partners; statutory oversight bodies, regulators or judicial commissions of inquiry requesting data; any court, administrative or judicial forum, arbitration requesting data or discovery according to the applicable rules, and anyone making a successful application for access according to the law; companies providing services to us or acting on our behalf may have access to your data; and third parties where you provide consent.
7.5 How secure is my information with third-party service providers and other entities in our group? We share your personal data with other entities in our group for regular reporting activities on company performance, business reorganisation or group restructuring exercises, system maintenance support, and data hosting.
7.6 Transferring information outside the country: We may transfer your personal data to places outside our country and store it there, where our suppliers might process it. If that happens, your personal data will only be transferred to locations where adequate protection measures are in place to secure your data and rights, in compliance with relevant data protection laws and regulations.
7.7 When we transfer your personal data to other countries, we will protect it as described in this privacy policy and comply with applicable legal requirements providing adequate protection for the transfer of personal data to countries outside of the EEA (European Economic Area) or the country where you are located.
7.8 The legal mechanisms that provide for the secure transfer of your personal data to countries outside the EEA or your country include: entering into data transfer agreements with recipients which contain standard contractual clauses approved by the European Commission or the relevant data protection authority; certifying that the recipient is subject to a legal framework deemed to provide an adequate level of protection by the European Commission or the relevant data protection authority; or ensuring that the recipient has adopted Binding Corporate Rules for data protection.
8. DATA SECURITY
8.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know.
8.2 They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
8.3 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
9. DATA RETENTION
9.1 We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
9.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
9.3 In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
10. YOUR RIGHTS IN CONNECTION WITH PERSONAL DATA
10.1 Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to access, correct, update, or request deletion of your personal data.
10.2 You also have the right to object to the processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. If we have collected and processed your personal data with your consent, you can withdraw your consent at any time.
10.3 You have the right to complain to a data protection authority about our collection and use of your personal data.
10.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
10.5 We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10.6 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
11. THIRD-PARTY LINKS
11.1 This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
12. COOKIES
12.1 You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.
13. CHANGES TO OUR PRIVACY POLICY
13.1 Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.
14. CONTACT US
14.1 Should you have any questions, concerns or complaints about this Privacy Policy, or if you would like to exercise any of your rights in relation to your personal data, please feel free to contact us.
14.2 We appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance. The date of the last update to this privacy policy is 9 June 2023. Please note that this sample privacy policy may not suit every business model. It is meant as a general guide and may not cover all possible legal obligations. We recommend consulting with a lawyer or a professional privacy consultant to ensure your privacy policy is compliant with all applicable laws and regulations.
