The purpose of this policy is to promote the protection of personal information that is processed by Priority Performance Projects, in compliance with the Protection of Personal Information Act of 2013.
Priority Performance Projects ("the Company"), and by extension all of its subsidiaries and brands, including but not limited to BuildRSA, OWL and the OWL Mobile Application, is committed to protecting the privacy and security of all data subjects’ personal information in accordance with relevant legislation and international best practice. This Data Privacy Policy outlines how the Company collects, uses, discloses, and safeguards the personal information of our clients, employees, and partners in compliance with South African law, specifically the Protection of Personal Information Act, 2013 (POPIA) and the Promotion of Access to Information Act, 2000 (PAIA). Our goal is to handle personal information transparently, responsibly and securely.
Personal Information: Any information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person. This includes details such as names, contact information, identification numbers, financial data and more.
Data Subject: The person to whom personal information relates. This could be clients, employees, or any individual whose personal data we process.
Processing: Any operation or activity concerning personal information, including collection, storage, use, dissemination and destruction. This means anything we do with personal data, from gathering it to deleting it.
Responsible Party: The Company, which determines the purpose and means of processing personal information. This means we are accountable for how and why personal data is processed.
The Company collects personal information to provide and improve our services, comply with relevant South African legislation and or for various other legitimate purposes. The types of personal information we collect may include the following, depending on the intended purpose, as well as whether the data subject is an employee or stakeholder, and only after consent has been granted either by opting in, or capturing by the data subject on any medium:
I. Identification details: Such as name, ID number, passport number.
II. Contact information: Including email address, phone number, and physical addressIII. Employment or Academic details: Such as job title, academic record or institution information and work history.
IV. Financial information: Including bank details and payment information.
We may collect personal information directly from data subjects or through third parties with the necessary consent.
We process personal information based on the following legal grounds:
I. Consent: The data subject has given clear permission for us to process their personal information for a specific purpose.
II. Contractual Necessity: Processing is necessary to fulfil a contract we have with the data subject, or because they have asked us to take specific steps before entering into a contract.
III. Legal Obligation: Processing is necessary for us to comply with the law (not including contractual obligations).
IV. Legitimate Interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided these are not overridden by the data subject’s own rights and interests.
We use personal information for the following purposes:
I. Service Provision: To provide and manage our services effectively.
II. Communication: To communicate with clients, employees, and partners regarding our services, updates, and other relevant information.
III. Legal Compliance: To comply with legal and regulatory requirements.
IV. Service Improvement: To improve our services and develop new offerings.
We ensure that personal information is used only for the purpose for which it was collected and any compatible purposes.
We may share personal information with the following persons or entities, depending on the purpose:
I. Service Providers: Who perform services on our behalf, such as ISP’s, auditors, and attorneys and other legal advisors.
II. Government Agencies: Law enforcement (including SAPS, the Hawks, Interpol and or the SSA) or other government bodies when required by law or by way of court order.
III. Third Parties: Other parties when we have the data subject's consent or when it is necessary for the purposes mentioned above.
We take reasonable and accepted measures that the third parties handle the personal information with the same level of protection we commit to but cannot fully guarantee the integrity and safety of personal information once it has been disseminated.
The Company implements appropriate technical and organizational measures to protect the data subject’s personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
I. Data Encryption: Encrypting data both in transit and at rest to prevent unauthorised access by third parties and malicious attacks.
II.Access Controls: Restricting access to personal information to authorized personnel only, based on their role.
III. Regular Security Assessments: Conducting regular security assessments and audits to identify and address vulnerabilities.
IV. Employee Training: Providing regular training to employees on data protection and security practices.
Data subjects that engage with the Company and or any of its brands, including AGA or Build RSA, have the following rights under POPIA:
I. ACCESS: The right to request access to personal information held by the Company. Data subjects can ask us what personal information we hold about them and receive a copy of it.
II. CORRECTION: The right to request correction of inaccurate or incomplete personal information. If the information we have is incorrect or outdated, data subjects can ask us to correct it.
III. DELETION: The right to request deletion of personal information under certain circumstances, such as when the information is no longer needed for the purpose it was collected.
IV. OBJECTION: The right to object to the processing of personal information based on legitimate interests. If data subjects believe their rights outweigh our legitimate interests, they can object.
V. PORTABILITY: The right to request the transfer of personal information to another party in a structured, commonly used, and machine-readable format.
To exercise these rights, data subjects can contact our Information Officer at the contact details provided below and will be required to complete the requisite forms in order for the Company to execute their request(s).
In compliance with PAIA, we have developed a PAIA Manual that outlines the procedure for requesting access to information. The PAIA Manual includes:
I. REQUEST PROCEDURE: How to make a formal request for information.
II. FEES: Any fees associated with making a request.
III. ACCESS TO INFORMATION: Types of information available and how it can be accessed.
The PAIA Manual is available on our website or can be requested from our Information Officer.
I. UPDATES: This Data Privacy Policy may be updated periodically to reflect changes in our practices or legal requirements. We will notify data subjects of significant changes through our website or direct communication where necessary.
II. COMPLAINTS AND ENQUIRIES: If you have any questions or complaints about our data privacy practices or this policy, please contact our Information Officer. If you are not satisfied with the response, you have the right to lodge a complaint with the Information Regulator of South Africa.