1. Definitions

In this Policy, unless the context indicates a contrary intention, the following words and expressions bear the meanings assigned to them and cognate expressions bear ,brcorresponding meanings –


  • Act” means the Protection of Personal Information Act, Act No. 4 of 2013 (as amended);
  • "Company" means MHH Olivier T/A Royal Game Guest House with registration number 501015005084, a sole proprietorship in the Republic of South Africa;
  • data subject” means the person to whom personal information relates;
  • "Directors" means directors of the Company appointed to the Board;
  • Employee/s/ Contractor/s” means any person, including a contractor, who works for the Company and who receives, or is entitled to receive, any remuneration; and any other person who in any manner assists in carrying on or conducting the business of the Company;
  • Information Officer” means the designated compliance officer appointed by the Company to address compliance with the Act, from time to time;
  • "this Policy" means this Protection of Personal Information (“POPI”) policy and any addendum thereto as may be amended by the Company and signed by the parties from time to time;
  • “Responsible Party/Employee” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal


2. Introduction

This policy describes the Company's guidelines with regard to:-


  • Use personal information in the office;
  • Access to and disclosure of personal information sent or received by employees or contractors of the Company with use of the Company email system;
  • The processing of personal information; and
  • How to protect the Company from the risks of breach of security and/or unauthorized access to personal


3. Applicability

This policy applies to all Employees and/or Contractors of the Company.


4. Information Officer

  • The Company duly appoints Andrew Allen Young as its Information Officer from 19/06/2021
  • All Employees and/or Contractors may refer any queries, concerns or information of potential or actual breaches of personal information to the Information


5. Information Officer Responsibilities

  • To encouragement compliance, by the Company and employees alike, with the conditions for the lawful processing of personal information;
  • To handle requests made to the Company pursuant to this Act;
  • To work with the Regulator (established in terms of the Act) in relation to investigations conducted pursuant to Chapter 6 of the Act in relation to the Company; and
  • To ensure compliance by the Company with the provisions of POPI; and as may be prescribed.


6. Understanding What Is Meant By The Term “Personal Information”

  • Personal information refers to a wide array of data belonging to a natural or juristic person, including but not limited to:


  • Identity and/or passport number;
  • Date of birth and age;
  • Phone number/s (including cellular phone number);
  • Email address/es;
  • Physical address;
  • Postal address;
  • Age, Gender, Race and Ethnicity;
  • Photos, voice recordings, video footage (also CCTV), biometric data;
  • Marital/Relationship status and Family relations;
  • Criminal record;
  • Private correspondence;
  • Religious or philosophical beliefs including personal and political opinions;
  • Employment history and salary information;
  • Financial information;
  • Education information;
  • Medical history including, blood type, and
  • Membership to organisations/unions.


  • The scope of the Act seems narrowed by the definition of personal information, but this is not the One must remember that the types of personal information listed by the Act as set out in the list above is not a closed list of personal information to which the Act will apply. Information not listed above may still be deemed personal information.


7. Processing of Personal Information

  • The Company is fully compliant with the Act and has invested a lot of resources to ensure that the Employees and/or Contractors understand how to handle a client’s personal All Employees and/or Contractors must follow the following guidelines when dealing with data subject’s personal information:
  • The personal information requested must only be used for lawful purposes;
  • The personal information must be processed for a purpose which is adequate, relevant and not excessive
  • The personal information may only be collected with the data subject’s consent. The burden of proof rests with the Employees and/or Contractors, to prove that the information was obtained with the data subject’s
  • The Company and Employees and/or Contractors may only collect personal information that is necessary for a specific purpose;
  • Personal information must not be retained longer than necessary, except if it is required by law or is for a lawful purpose related to the Company’s functions or activities or it is agreed upon in terms of contractual agreement; and
  • The personal information in the Company’s records should be updated as and when the data subject provides new or updated personal


8. Processing Limitations

  • No Employees and/or Contractors may use the data subject’s personal information in any way that may be seen as revealing special information deemed to be insulting, disruptive, or offensive by other persons, or harmful to
  • The scope of processing special personal information is further limited by the Act and thereby the Company forbidding any of the following actions:


  • Collection of personal information of minors;
  • Collection of personal information regarding the data subject’s religious or philosophical beliefs;
  • Collection of personal information identifying the data subject’s trade union membership or political opinions;
  • Collection of personal information related to the data subject’s sexual life, health, or biometric details;
  • Collection of personal information revealing race or ethnic origin;
  • Collection of personal information revealing criminal record
  • Unless processing is carried out with the consent of the data subject referred to in clause 2:
  • processing must be necessary for the establishment, exercise or defence of a right or obligation in law;
  • processing must be necessary to comply with an obligation of international public law;
  • processing must be for historical, statistical or research purposes to the extent that:
  • the purpose serves a public interest and the processing is necessary for the purpose concerned;
  • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
  • the information must have deliberately been made public by the data subject; or
  • prior authorisation must have been


9. De-Identifing Personal Information

  • The Company has a responsibility to ensure that information that is outdated or no longer needed, is discarded in manner that will no longer identify the data The process will be called de-identifying information.
  • De-identifying means to delete any information that identifies the data subject’s personal information which can be used or manipulated by a reasonably foreseeable method to identify the data subject or can be linked by a reasonably foreseeable method to other information that identifies the data subject.
  • Archived information records are stored securely on or offsite and a certificate of destruction will be obtained for each archived file/ batch of personal information
  • It is imperative that each and every Employee and/or Contractor takes all the necessary precautions to ensure the abovementioned protocols are adhered to. Should the Company receive any complaints of failure to protect the data subject’s information, the claim must be disproved before the Information The consequence thereof is that the Employees and/or Contractors tasked with handling the specific information will be found guilty of contravening this policy, the penalty thereof could lead to a written warning.
  • The Company’s complaints policy that should be followed in the event of a compliant is as follows:
  • The complaint must be reported to the Information Officer immediately;
  • The Information Officer must report the complaint to the Director(s);
  • The Employees and/or Contractors implicated must furnish the Information Officer with written representations of the Employees and/or Contractors) statement under oath;
  • The Information Officer will liaise with the Regulator for any further developments regarding the


10.     The Data Subject’s Right To Access To Personal Information

  • The owner of personal information can request that the Company provide them with the record, or a description of the personal information, the identity of any third party who may have access or had access to their personal
  • The Company has created a request form which must be completed by the data subject requesting the abovementioned access to information. The request form is marked annexure B.



11.     Forbidden Uses Of Data Subject’s Personal Information

  • The Employee or Contractor may not use the Company’s access to any data subject’s personal information for personal gain on any such purposes as soliciting or proselytizing for commercial ventures, religious or personal causes or outside organizations or other similar, non-job-related solicitations. If the Company discovers that any Employee or Contractor misusing the information available in the Company’s systems, that particular Employee and/or Contractor will be subject to disciplinary action, which may include
  • Should and Employee or Contractor be suspected of contravening this policy, the Company may at its sole discretion access any device which the Employee or Contractor uses to conduct business to investigate the matter furth


12. Company’s Right To Access Information

  • The Company respects the individual privacy of its Employees and/or Contractors. However, Employee and/or Contractor privacy does not extend to the Employee’s and/or Contractor’s work-related conduct or to the use of Company provided equipment or
  • The electronic mail system has been installed by the Company to facilitate business communications. Although each Employee and/or Contractor has an individual password to access this system, it belongs to the Company and the contents of e-mail communications are accessible at all times by the Company management for any business purpose. These systems may be subject to periodic unannounced inspections and should be treated like other shared filing systems. All system passwords and encryption keys must be available to the Company management and the designated IT personnel, and the Employee and/or Contractor may not use passwords that are unknown to their supervisor or the designated IT personnel or install encryption programs without turning over encryption keys to their supervisor your designated IT personnel. All e-mail messages are Company records. The contents of e-mail, properly obtained for legitimate business purposes, may be disclosed within the Company without the Employee’s and/or Contractor’s permission.
  • Therefore, the Employee and/or Contractor should not assume that messages or telephone calls are confidential. Back-up copies of e-mail may be maintained and referenced for business and legal reasons.


13. Breach Of Security/Unauthorised Access To Information

  • Should the Company experience any security breach, it is required, by law, to notify the Regulator; and the data subject(s) whose information have been affected by the breach, unless the identity of such data subject(s) cannot be 
  • Therefore, the Employee and/or Contractor should report any known or suspected breach of information to the appointed Information Officer. 
  • Failure to report the aforementioned breach will subject the Employee and/or Contractor in transgression to disciplinary action, which may include 
  • The Company has established a complaints process to deal with allegations of leaked information. This will be addressed by the Compliance


14. Corporate Policy Guideline


  • The Company provides access to its server and e-mail access is intended to be for business reasons only. The Company encourages the use of the server and e-mail because they make communication more efficient and effective. However, the server and e-mail are Company property, and their purpose is to facilitate Company Every Employee and/or Contractor has a responsibility to maintain and enhance the Company's public image and to use Company e-mail and access to the server in a productive manner. To ensure that all Employees and/or Contractors are responsible, the following guidelines have been established for using e-mail and the server. Any improper use of the server or e-mail is not acceptable and will not be permitted.
  • The Employee and/or Contractor acknowledges that:-
  • The Company may be held vicariously liable for the acts of its Employees and/or Contractors, even where the Company is not at fault, for any damages caused by the Employee’s and/or Contractor’s conduct;
  • Employees and/or Contractors may not make representations to third parties or the public beyond the scope of their normal responsibilities or actual authority;
  • Methods other than email must be used to communicate special personal information.



  • The Company acknowledges that Employees and/or Contractors need reasonable access to data subjects’ personal information in order to fulfill their
  • The Employees and/or Contractors may not process the Employee’s and/or Contractors’s personal without obtaining the requisite consent, following the protocols discussed in this policy and in the Act.



  • Where an employee is uncertain as to the content of this policy or requests further clarification of issues which are addressed in this policy they are required to contact the Compliance Officer for


15. Possible Offences

  • The Employee and/or Contractor must note that should they fail to adhere to this policy, they may be disclipined and/or dismissed and may face action bought by the Information Regulator which mat see them liable to face a fine or