Privacy & Data Protection

Data Protection Policy

At Numata, we are big supporters of data privacy and protection. This page explains our compliance with GDPR and POPIA legislation.

What Personal Information Do We Collect?

Personal Information is normally collected directly from our job applicants, potential employees and employees, a CLIENT or a potential CLIENT. We may also use other sources, subject to restrictions under applicable law, to assist in obtaining relevant Personal Information about you, including – Identification data – such as your name, surname, gender, photograph, date of birth, identification number, languages.

Contact details – such as home address, telephone, email addresses, and emergency contact details.

Employment details – such as employment history, performance and disciplinary records, grievance procedures, sickness/holiday records.

Educational and professional background – such as academic/professional qualifications, education, CV/resumé, reference letters and interview notes.

Spouse, beneficiary & dependents information, marital status.

Financial information – such as banking details, tax information, payroll information, salary, benefits, expenses, company allowances.

IT information – information required to provide access to our IT systems and networks such as IP addresses, log files, login information, software/hardware inventories.

Automatic Data Collection: We may also have access / collect Personal information that we collect automatically when you visit our website.

Third Party Data Collection: We may also collect information about you through our trusted third-party sources to assist us in providing product and service offerings to you, including

Recruitment information (including references and other information included in a CV or cover letter or as part of the application process).

Employment records (including job titles, work history, working hours, training records and professional memberships).

Purpose For Which The Information Is Being Collected.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract, we have entered with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Is The Supply Of The Information Voluntary Or Mandatory?

Supplying of certain types of information is mandatory in terms of legislation and regulations.

Any Particular Law Authorising Or Requiring The Collection Of The Information.

If your Personal Information is collected in terms of a particular law authorising or requiring the collection of the information, we will take steps to ensure that you are aware of that.

CLIENT Personal Data: any personal data comprised within CLIENT Data.
Data Controller: has the meaning given to that term in the Data Protection Legislation.
Data Processor: has the meaning given to that term in the Data Protection Legislation.
Data Retention: We will keep your personal information for as long as is needed to carry out the purposes we’ve described, or as otherwise required by law.
Data Protection Legislation: (Respective to Local Applicable Law)

The Data Protection Act 2018 and thereafter unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then any successor legislation to the GDPR or the Data Protection Act 2018.

and,

The Protection of Personal Information Act, 4 of 2013 (known as POPI) section 14 of the South African Constitution also Section 32(1), as it provides that national legislation must be enacted to give effect to the right of access to information in reference to the Promotion of Access to Information Act, 2 of 2000 (PAIA).

As a Data Subject You Do Have The Following Rights:

RIGHT TO BE NOTIFIED:
The right to be notified that – Personal Information about you is being collected – And your Personal Information has been accessed or acquired by an unauthorised person.

RIGHT OF ACCESS:
The right to establish whether we hold Personal Information of you and to request access to your Personal Information.

Right To Correction, Destruction Or Deletion:

The right to request, where necessary, the correction, destruction or deletion of your Personal Information.

Right To Objection:

The right to object – on reasonable grounds relating to your particular situation to the processing of your Personal Information; to the processing of your Personal Information – at any time for purposes of direct marketing; or for purposes of direct marketing by means of unsolicited electronic communications.

Right With Regards To Automated Processing:

The right not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of your Personal Information intended to provide a profile of you.

Right To Complain:

The right to –submit a complaint to the Regulator regarding the alleged interference with the protection of the Personal Information of any Data Subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as; and to institute civil proceedings regarding the alleged interference with the protection of your Personal Information.

Complaint’s Process:

If you believe that this office has not replied to your access request or has not handled your Personal Information in a reasonable manner, please address your concerns first with our Information Officer. You may also choose to make a complaint to the Information Regulator.

  • Objection To The Process Of Personal Information

    REQUEST

  • Request For Correction Of Deletion Of Personal Information Or Destroying Of Record Of Personal Information

    REQUEST

Our Contact Particulars

Tel No: +27 87 231 0311 | +44 20 3890 5455 | +353 6 1548017
Email: compliance.info@numata.co

GDPR

Numata Business IT complies with all applicable requirements of the Data Protection Legislation and thus acknowledge that:

If NUMATA processes any personal data on a CLIENT's behalf when performing its obligations under any agreement, The CLIENT shall be deemed the data controller and NUMATA the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).

Personal data may be transferred or stored outside the EEA or where applicable the country where a CLIENT is located in order for NUMATA to carry out the Services and NUMATA's obligations under any agreement.

The CLIENT ensures that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to NUMATA for the duration and purposes of this agreement so that NUMATA may lawfully use, process and transfer the Personal Data in accordance with any agreement on CLIENT's behalf.

NUMATA shall, in relation to any Personal Data processed in connection with the performance of its obligations under any agreement:

  • Process Personal Data only on the written instructions from a CLIENT unless NUMATA is required by the laws of any member of the European Union or by the laws of the European Union applicable to NUMATA to process Personal Data (Applicable Laws). Where NUMATA is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, NUMATA shall promptly notify the CLIENT of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit NUMATA from so notifying the CLIENT;
  • Ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
  • Not to transfer any Personal Data outside of the EEA unless the following conditions are fulfilled:
    • The CLIENT or NUMATA has provided appropriate safeguards in relation to the transfer;
    • The data subject has enforceable rights and effective legal remedies;
    • NUMATA complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
    • NUMATA complies with reasonable instructions notified to it in advance by the CLIENT with respect to the processing of the Personal Data;
  • Notify the CLIENT without undue delay on becoming aware of a Personal Data breach;
    • At the written direction of the CLIENT, delete or return Personal Data and copies thereof to the CLIENT on termination of all agreement unless required by Applicable Law to store the Personal Data; and
    • Maintain complete and accurate records and information to demonstrate its compliance with legislation.

Should the CLIENT agree to NUMATA entering into an agreement with a third-party then NUMATA will enter into an agreement with the third-party processor incorporating terms which are substantially like those set out here. As between the CLIENT and NUMATA.

POPI and PAIA

In terms of section 18 of the POPIA Act, Data Subjects must be aware of certain information and rights in terms of the POPIA Act.

In terms of the POPIA Act we must have accurate and up to date information about you.
We typically collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.

We typically collect personal information of a CLIENT or a potential CLIENT through an application process

  • We may sometimes collect additional information from third parties.
  • We may also use your personal information in the following situations:
    • Where we need to protect your interests (or someone else’s interests).
    • Where it is needed in the public interest or for official purposes.
    • If your Personal Information is transferred outside the Republic of South Africa to third party service providers, we will take steps to ensure that your Personal Information receives the same level of protection as if it remained within the Republic.

Your Personal Information will be treated as prescribed by the 8 Conditions for the Lawful Processing of Personal Information in the POPIA Act. We may have to share your Personal Information with:

  • Service Providers - We may disclose the information we collect from you to third party vendors, technology and other service providers, contractors or agents who perform functions on our behalf, or are engaged with us. These service providers are allowed to access and use the information we make available to them only as needed to perform their functions and for no other purposes, subject to appropriate contractual restrictions and security measures.
  • In Response to Legal Process - We may disclose the information we collect from you in order to comply with the law, a legal proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
  • To Protect Us and Others - We also may disclose the information we collect from you where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notification, or as evidence in litigation in which we are involved.
  • Legal Obligation - To carry out our obligation arising from current legislation and legal processes.