- Introduction
- Astus together with its affiliates and subsidiaries (together, “Astus“, “we“, or “us” or “Astus Group“) have issued this External Data Privacy Policy (this “Policy“) to set out the personal information that we collect and process about you, the purposes of the processing, and the rights that you have in connection with such personal information and its collection and proce
- Our approach is to ensures that Astus has implemented this board-approved Policy for the Group and that each company within the Astus Group agrees to and adopts the principles herein.
- We respect the privacy rights of our staff and are committed to handling personal information responsibly and in accordance with applicable law.
- If you have any questions regarding this Policy, the applicable law, or have any comments or questions about this Policy, please contact us at the contact details in section 11
- Who does this policy apply to?
- This Policy applies to our clients, service providers and suppliers (collectively referred to as “you“, “your“).
- This Policy does not apply to Astus employees and staff. Please refer to the Internal Data Privacy Policy.
- This Policy applies where we process your personal information in any form – whether oral, electronic or written.
- what type of Personal Information do We Process?
- Most of the personal information we process is information that you knowingly provide to us i.e. we collect personal information directly from you. However, in some instances, we process personal information that we are able to infer about you based on other information you provide to us or on our interactions with you, or personal information about you that we receive from a third party using a process that we have told you about. For example, we may contract with third parties to support us to do credit and background and reference checks.
- A list of our service providers can be obtained on request from our information officer.
- We process the following personal information of yours for the following purposes:
| Categories of personal information processed by us | Purpose of processing |
| Clients | |
| Identity Information: Company name, registration number, registered address | To enter into the contract with the client and to provide the services to the client |
| Contact Information: Contact information of a representative of the client and records of correspondence with the representative of the client | To send notices and information regarding the contract or legal proceedings; To follow up as part of our customer service; and To send direct marketing |
| CCTV: Information captured on security systems, including CCTV and key card entry systems | To prevent and detect crime; To protect the health and safety of our clients and staff; and To manage and protect our property and the property of our staff, clients and other visitors. |
| Biometric Personal Information: your biometrics | To provide access to the property |
| Information from Screenings: Where permitted by law the personal information from screening including COVID-19 screenings | To protect the health and safety of our clients and staff; and To comply with applicable health and safety laws. |
| Service providers or suppliers | |
| Identity Information: Company name, registration number, registered address | To enter into the contract with the supplier or service provider |
| Contact Information: Contact information of a representative of the service provider or supplier and records of correspondence with the representative of the service provider or supplier | To send notices and information regarding the contract or legal proceedings; To send direct marketing |
| Financial Information: Bank account details; taxpayer information | To perform under the contract and make payment to the service provider or supplier |
| Criminal Record (where permissible and in accordance with applicable law) | To decide on your suitability for employment |
| CCTV: Information captured on security systems, including CCTV and key card entry systems | To prevent and detect crime; To protect the health and safety of our clients and staff; and To manage and protect our property and the property of our staff, clients and other visitors. |
| Biometric Personal Information: your biometrics | To provide access to the property |
| Information from Screenings: Where permitted by law the results of drug and alcohol testing, screening, health certifications; COVID-19 screenings; | To protect the health and safety of our clients and staff; and To comply with applicable health and safety laws. |
- Unless otherwise stated, all information we request from you is obligatory. If you do not provide and/or allow us to process all the obligatory information as requested, we will not be able to keep complete information about you, thus affecting our ability to accomplish the above stated purposes.
- Special Personal Information
- There may be limited instances in which the personal information that you provide to us or we collect is considered “Special Personal Information” under applicable data protection legislation
- Special Personal Information includes, among other things, any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, information about your health, gender and sexual orientation, as well as criminal behaviour related to the alleged commission by you of any offence; or (ii) any proceedings in respect of any offence allegedly committed by you or the disposal of such proceedings.
- As a general rule, we make every attempt to limit the collection and processing of Special Personal Information about you, unless authorized by law or where necessary to comply with applicable law
- However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, Special Personal Information for legitimate business-related purposes including: to comply with B-BBEE legislation, and for government reporting obligations; or information about your health to provide work-related accommoda
- lawful basis for processing
- There are 6 available legal (lawful) basis for using your personal information. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect
- Personal Information
- The basis on which we rely for the purposes above are –
- Legitimate Interests: In most cases, we process your personal information in line with our legitimate business interests, which interest is not overridden by your data protection interests or fundamental rights and free
- Contract: We will also process your personal information to the extent it is necessary to conclude or perform under the contract we have with you.
- Legal Obligation: We have certain legal obligations which require us to process your personal information. This includes processing for tax purposes and ‘KYC’ purposes.
- Consent: In certain limited instance, we will only process your personal information with your prior consent.
- Special Personal Information
- We may process your special personal information on the following basis:
- Consent: In certain instance, we will only process your special personal information with your prior consent.
- Legal Obligation: We have certain legal obligations which requires us to process your special personal information. We will do so in line with this policy and for government reporting.
- If you have questions about, or need further information concerning, the legal basis on which we collect and process your personal information, please contact us using the contact details provided in section 11
- We may process your special personal information on the following basis:
- The basis on which we rely for the purposes above are –
- automated decision making
- An automated decision takes place when an electronic system uses personal information to make a decision without human intervention.
- We do not envisage that any decisions will be taken about you using automated means, and we will notify you by updating this notice if this position changes.
- Any use of automated decision making will not have a significant impact on you and will only be used if we have a lawful basis for doing so in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
- data retention
- We keep records of your personal information no longer than necessary for the purpose for which we obtained them and for any other permitted compatible purposes, including compliance with legal obligations in the field of employment law.
- The Data Retention, Storage and Disposal Policy sets out the applicable minimum retention periods required by local laws. We use this policy to establish the retention time periods for various categories of records that contain your personal information.
- If you wish to understand more about the retention periods applicable to your personal information, contacting our Information Officer (see section 11 below).
- sharing or transferring your Personal Information
- General
In order to carry out the purposes outlined above, information about you will be disclosed for the purposes set out above to other third parties. When we share your personal information, we require that all third-party recipients treat your personal information as confidential and in conformity with this Policy.
- Centralized Data Processing Activities
- Like most businesses, we have centralized certain aspects of our data processing and administration in accordance with applicable data protection laws and any other applicable laws in order to allow us to better manage our business. That centralization may result in the transfer of personal information from one country to another or from one entity in the Group to another entity in the Group.
- If one entity in the Astus Group disclose the personal information it holds about you to any other entity in the Astus Group, those entities must first have agreed to be bound by this Policy with respect to their processing of your personal information as well as be bound by the Astus Binding Corporate Rules.
- Third Party Service Providers
- Like many businesses, from time to time, we outsource the processing of certain functions and/or information to third parties.
- When we do outsource the processing of your personal information to third parties or provide your personal information to third party service providers, we oblige those third parties to:
- enter into a written contract with us;
- protect your personal information in accordance with the terms and conditions of this Policy;
- treat the personal information and confidential and not share or transfer your personal information to any other entity without our express written permission;
- adopt appropriate security measures; and
- only use your personal information for the purposes of fulfilling their obligations to us.
- A full list of our current service providers is available on request from our Information Officer.
- Business Transfers
As we continue to develop our business, we may buy or sell the business or certain assets. In such transactions, contracts with you is generally one of the transferred business assets. We may share your personal information with any prospective or actual third-party buyers (and their advisors) in respect of such business transfers.
- Legal Requirements
- We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law or requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with the law or to protect our legitimate interests in accordance with applicable laws.
- We also reserve the right to retain personal information collected and to process such personal information to comply with accounting, tax rules, regulations and any specific record retention laws.
- Transfers outside of the applicable jurisdiction
- Should your personal information move outside of South Africa, the European Economic Area or another jurisdiction that restricts the international transfer of personal information, we use GDPR and locally-compliant mechanisms to require that the same level of data protection be applied in the jurisdiction where the data is being processed.
- We also ensure that model data protection clauses are in force in any relevant legal contracts and agreements (including agreements between Group companies) to ensure that your personal information is treated by third parties in a way that is consistent with and which respects all applicable local and national laws.
- what are your rights and duties?
- As a data subject, you have a number of rights including –
- Access Rights: You have the right to access your personal information in many circumstances. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Right to Rectification: You can require us to have inaccurate personal information corrected.
- Right to Erasure: You can require us to erase personal information in certain circumstances where there is no lawful basis for us to retain such personal information. Please note, however, that in some instances we must retain your personal information for certain periods of time as required by law. We will do so in accordance with our Data Retention, Storage and Disposal Policy. You can request a copy of this policy from our Information Officer.
- Right to Restrict: You can require us to restrict our processing of your personal information in certain circumstances.
- Right to Portability: You can require us to port (or transfer) your personal information to a third party.
- Right to Withdraw Consent: You can withdraw any consents to processing that you have given us and prevent further processing if there is no other legitimate ground upon which we can process your personal data
- Right to Complain: You can raise a complaint about our processing with the data protection regulator in your jurisdiction, or with our Information Officer.
- Your Duty
- Duty to inform us of changes to your personal information: It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
- As a data subject, you have a number of rights including –
- data security
- The personal information we collect from you is stored by us and/or our service providers on databases protected through a combination of physical and electronic access controls, firewall technology and other appropriate administrative, technical, personnel and physical security measures.
- Nevertheless, such security measures cannot prevent all loss, misuse or alteration of personal information and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by applicable law and other applicable laws.
- Where required under law, we will notify you of any such loss, misuse or alteration of personal information that may affect you, so that you can take the appropriate actions for the due protection of your rights.
- We expect you to contribute to the security culture of our Group by following appropriate security policies and procedures, completing assigned trainings and reporting suspected incidents to relevant incident response contacts promptly.
- Changes to this Policy
At our discretion and as necessary, we may amend this Policy from time to time. To assist you, this Policy has an effective date set out at the beginning of this document. We will notify you when updates are made to this Policy.
- Request for Access to Personal Information/Questions or Complaints
- If you have any questions about this Policy, or any concerns or complaints with regard to the administration of the Policy, or if you would like to submit a request for access to the personal information that we maintain about you, please contact our Information Officer by any of the following means –
- [email protected]
- +27 83 792 9172
- You have the right to complain to the Regulator in your jurisdiction, in particular in the state of your usual place of residence, place of work or the place of alleged infringement, if you believe that the processing of your personal data is in breach of the applicable Data Privacy Laws. We have provided a list below of some regulatory authorities which may be applicable to the majority of our clients and suppliers:
- If you have any questions about this Policy, or any concerns or complaints with regard to the administration of the Policy, or if you would like to submit a request for access to the personal information that we maintain about you, please contact our Information Officer by any of the following means –
| Regulatory Authority | Contact information | |
| South Africa | Information Regulator | www.justice.gov.za/inforeg/contact.html |
