PROTECTION OF PERSONAL INFORMATION POLICY OF DINEPLAN (PTY) LTD IN COMPLIANCE WITH THE PROTECTION OF PERSONAL INFORMATTION ACT 4 OF 2013 AND THE EUROPEAN GENERAL DATA PROTECTION REGULATIONS
The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”).
The new General Data Protection Regulation (“GDPR”) exists for the purpose of the protection of data privacy for all EU (European Union) members. Simply put, this new law equates to South Africa’s Protection of Personal Information legislation.
A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions. Given the importance of privacy, Dineplan is committed to effectively managing personal information in accordance with POPIA’s and the GDPR’s provisions.
Dineplan collects and stores personal information on behalf of the Responsible party and processes same on their behalf. Dineplan is in compliance with the provisions of POPIA and the GDPR.
Dineplan will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, Dineplan will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
Dineplan collects the following personal information on behalf of the Responsible Party:
Dineplan may require additional personal information in the future and will notify the data subject should they do so and amend the policy accordingly.
Dineplan will ensure that personal information under its control is processed:
Dineplan processes personal information on behalf of the Responsible party for the purpose of online reservations; the online ordering platforms, ticketing, vouchers and for marketing purposes as determined by the Responsible party.
The Responsible party will be responsible for the processing of personal data where the data subjects contact them telephonically to make reservations.
Dineplan will not distribute or share personal information between separate legal entities, associated organisations or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected. Personal information may be shared in the following situations:
Where applicable, the data subject will be informed of the possibility that their personal information will be shared with other aspects of Dineplan’s business and be provided with the reasons for doing so.
Dineplan will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects. In addition of being recorded herein the data subjects will be notified of their rights in the Dineplan’s terms and conditions contained online.
Dineplan will ensure that it gives effect to the following seven rights.
Dineplan recognises that a data subject has the right to establish whether the company holds personal information related to him, her or it including the right to request access to that personal information. An example of a “Personal Information Request Form” can be found here.
The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where Dineplan is no longer authorised to retain the personal information.
The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. In such circumstances, Dineplan will give due consideration to the request and the requirements of POPIA.
Dineplan may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.
The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.
The data subject has the right to submit a complaint regarding an alleged infringement of any of the rights protected under POPIA AND GDPR and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information. A complaint should be directed to the Responsible party directly, alternatively Dineplan will assist with the complaint procedure against the responsible party. A complaint form can be found here and Dineplan will use its best endeavours to assist in resolving the dispute as speedily as possible.
The data subject has the right to be notified that his, her or its personal information is being collected by Dineplan. The data subject also has the right to be notified in any situation where Dineplan has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person. As an operator Dineplan will notify the responsible party immediately should they suspect a breach and / or unauthorised access to personal information.
The data subject shall have the right to request a restriction of processing, instead of erasing the information, but will only be allowed in certain instances. Personal information will still be stored but cannot be processed.
Dineplan keeps an appropriate record of all personal information.
Record means any recorded information, regardless of form or medium, including any of the following:
By making use of Dineplan’s services and accessing Dineplan’s electronic platforms, the Data Subject and Responsible parties:
gives Dineplan consent to process and further process the required Personal Information for the required purpose, in accordance with this policy.
Dineplan uses many third party services for the management and storage of data, for email and SMS communication and other tasks involving personal information. Dineplan has conducted due diligence and these third party processors are all fully compliant with the relevant provisions of POPIA and GDPR. Procedures and safeguarding measures are in place to secure, encrypt and maintain the integrity of the data. All personal information is transferred to third parties via API (Application Programming Interface) using HTTPS (Hypertext Transfer Protocol Secure).
Dineplan shall retain personal information for as long as it is necessary to fulfil the purpose for which it was collected where after it shall be deleted. The criteria Dineplan uses to determine retention periods includes whether:
One can choose whether to receive marketing communications from Dineplan in respect of the Responsible party, where applicable, and for Dineplan.
Dineplan shall not avail your personal information to unaffiliated third parties for direct marketing purposes or otherwise make personal information commercially available to any third party, unless one has provided consent to it.
Should one wish to opt out of receiving such marketing, they will be given the option to do so, alternatively they can contact Dineplan directly at email@example.com.
Where Dineplan uses personal data for the purposes of their own marketing and not that of the Responsible party, they warrant that they are compliant with all appropriate provisions of the POPIA and the GDPR.
Where a POPI complaint or a POPI infringement investigation has been finalised, the Dineplan may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy. In the case of ignorance or minor negligence, the Dineplan will undertake to provide further awareness training to the employee. Any gross negligence or the wilful mismanagement of personal information, will be considered a serious form of misconduct for which Dineplan may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence. Examples of immediate actions that may be taken subsequent to an investigation include: A recommendation to commence with disciplinary action. A referral to appropriate law enforcement agencies for criminal investigation. Recovery of funds and assets in order to limit any prejudice or damages caused.
Dineplan may update this policy from time to time. In the event of an update, Dineplan shall post the revised version, with an updated revision date.