PAIA and POPIA Manual

Yotta Information Systems (Pty) Ltd

Registration Number: 2020/769355/07

(“Yotta" or the "company")

PAIA AND POPIA MANUAL

Prepared and published in accordance with Section 51 of the he Promotion of Access to Information Act 2 of 2000 (“PAIA”) and to address the requirements of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

Introduction and purpose of manual

The purpose of this manual is:

  1. To facilitate the requests for access to records of the company as provided for in PAIA;
  2. To serve as a manual for the company, as required in terms of Section 51 of PAIA, to promote the access to information;
  3. To set out the responsibilities of the Information Officer whose responsibility it will be to ensure compliance with PAIA and POPIA; and
  4. To provide and outline of the type of records and the personal information the company holds and explains how to submit requests for access to these records in terms of PAIA.

PAIA provides that a person may only request information in terms of the Act, if the information is required for the exercise or the protection of a right.

PAIA gives effect to Section 32 of the Constitution, which provides that everyone has the right to access information held by a private body or public body, if the record or personal information held is required to exercise of protect a right.

PAIA, provides that a person requesting information must be given access to any record of a private body, if that record is required for the exercise or the protection of a right. However, such request has to comply with the procedural requirements and PAIA makes provision for the refusal of access to records.

INDEX

  1. The Company and company details [Section 51(1)(a)]
  2. Availability of this PAIA Manual
  3. The Act [Section 51(1)(b)]
  4. Availability of guides to PAIA and POPIA
  5. Applicable legislation [Section 51(1)(c)]
  6. Schedule of records [Section 51(1)(d)]
  7. Request for access to records
  8. Prescribed fees [Section 51(1)(f)]
  9. Grounds for refusal
  10. Remedies & Appeal
  11. Records that cannot be found or do not exist
  12. Appeal
  13. Protection of Personal Information Act (“POPIA”)
  14. Annexures

1. The Company and company details [Section 51(1)(a)]

  1. Yotta Information Systems (the "Company") is an ITC(Information, Telecommunications and Computing) provider and conducts business as an online retailer.
  2. Details:
    Registration Number 2020/769355/07
    Registered Address 414 Henry Crescent
    Sinoville
    Pretoria
    0182
    Postal Address 414 Henry Crescent
    Sinoville
    Pretoria
    0182
    Principal Address of Business Activities 414 Henry Crescent
    Sinoville
    Pretoria
    0182
    Telephone Number None
    Fax Number None
    Director Armand van der Walt
    Designated Information Officer Armand van der Walt
    Email Address of Information Officer sales@yotta.co.za
    Website https://www.yotta.co.za
  3. Requests shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in paragraph 5 hereto.

2. Availability of this Manual

  1. This manual is published on the Company’s website ,or alternatively, a copy can be requested from the Company by sending a request for a copy to the Information Officer by email (see contact details above).
  2. This manual will also be available at the Company’s registered office situated at 414 Henry Crescent, Sinoville, Pretoria, 0182.

3. PAIA [Section 51(1)(b)]

  1. The Act grants a requester access to records of a private body, if the record is required for the exercise or protection of any rights. If a public body lodges a request, the public body must be acting in the public interest.
  2. Requests in terms of PAIA shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in paragraphs 6 and 7 of the Act.
  3. Requesters are referred to the Guide in terms of Section 10 of PAIA which has been compiled by the South African Human Rights Commission, which will contain information for the purposes of exercising Constitutional Rights. The Guide is available from the SAHRC.
  4. The PAIA guide is available in all official South African languages at no cost, and any person may request a copy of the guide. A copy of the guide may be obtained by contacting the South African Human Rights Commission at:

The South African Human Rights Commission
PAIA Unit - The Research and Documentation Department
Private Bag X2700
Houghton
2041
Telephone: +27 (0) 11 877 3600
Facsimile: +27 (0) 11 403 0625
Website: www.sahrc.org.za

4. Availability of guides to the PAIA and POPI Acts

  1. In addition to the above, guides to PAIA and POPIA can be obtained from and queries directed to:

The Information Regulator (South Africa)
33 Hoofd Street, Forum III, 3rd Floor Braampark
P.O Box 31533, Braamfontein, Johannesburg, 2017
Mr Marks Thibela
Chief Executive Officer
Tel No. +27 (0) 10 023 5200, Cell No. +27 (0) 82 746 4173
Complaints email: complaints.IR@justice.gov.za
General enquiries email: inforeg@justice.gov.za
Website: https://www.justice.gov.za/inforeg/

5. Applicable legislation [PAIA Section 51(1)(c)]

  1. Where applicable to the Company’s business and operations, information is also available in terms of certain provisions of applicable legislation, which include but not limited to:
    • Basic Conditions of Employment Act 75 of 1997;
    • Broad Based Black Economic Empowerment Act 53 of 2003;
    • Companies Act 71 of 2008;
    • Compensation for Occupational Injuries and Health Diseases Act 130 of 1993;
    • Consumer Protection Act 68 of 2008;
    • Electronic Communication and Transactions Act 25 of 2002;
    • Income Tax Act 58 of 1962;
    • Labour Relations Act 66 of 1995;
    • National Credit Act 34 of 2005;
    • Occupational Health & Safety Act 85 of 1993;
    • Promotion of Access of Information Act 2 of 2000;
    • Protection of Personal Information Act 4 of 2013;
    • Skills Development Act 97 of 1998;
    • Skills Development Levies Act 9 of 1999;
    • Unemployment Insurance Act 4 of 2002;
    • Value Added Tax Act 89 of 1991;

6. Schedule of records [Section 51(1)(d)]

  1. The Company maintains certain records, which includes but are not limited to the categories listed below.
  2. Recording a category or document and/or record in this Manual does not imply that a request for access to such records would be successful. The accessibility of the documents and/or records may be subject to the grounds of refusal.

    Employees and personnel:

    • Any personal records provided to the Company employees
    • Employment contracts
    • Employment policies and procedures
    • Internal evaluation and disciplinary records
    • Occupational Health and Safety
    • Training schedules and material
    • Personnel files

    Company Secretarial:

    • Documents of Incorporation
    • Share registers and other statutory reports
    • Board meeting minutes

    Customer, prospective customer and user related records:

    • Customer contact details
    • Records generated by or within the Company pertaining to the customer, including transactional records
    • Information collected in terms of website cookie policy

    Financial & Banking and Tax Records

    • Accounting records, books and documents
    • Interim and annual financial reports
    • Details of auditors
    • Bank facilities and account details
    • Bank statements
    • Tax return
    • PAYE records
    • Skills Development Levies records

    Other records (Company related records):

    • Marketing records;
    • Insurance records;
    • Operational records;
    • Databases;
    • Information Technology;
    • Internal correspondence;
    • Product records;
    • Statutory records;
    • Internal Policies and Procedures;
    • Supplier information and records
  3. The Company does make certain information freely available by publication on its website which is available without a person having to request access.

7. Request for access to records

  1. In terms of Section 50 of PAIA, any person, who requires information for the exercise or protection of any rights, may request information from a private body.
  2. The categories of records and/or information which are held by the Company are listed above. A requester will not automatically be allowed access to these records and access to records may be refused in accordance with the Act. Form of request [PAIA Section 51(1)(e)]:
  3. The requester must comply with all the procedural requirements contained in PAIA and the request must be made on the correct form (Form C for private bodies can be found on www.justice.gov.za and/or www.sahrc.org.za).
  4. The completed prescribed request form must be addressed to the Head of the Company and/or the Information Officer of the Company and delivered (hand-delivered, posted or sent via email), together with the proof of payment of a request fee and a deposit, if applicable.

    A requester needs to provide sufficient details, and the prescribed form needs to contain sufficient information, to enable the Company to identify:
    • The record(s) requested;
    • The identity of the requester (and if an agent is lodging the request, proof of capacity);
    • Which form of access is required, if the request is granted;
    • The postal address or fax number of the requester within South Africa;
    • If the requester wishes to be informed of the decision relating to the request for access in any manner (in addition to written) the manner and particulars thereof;
    • The right which the requester is seeking to exercise or protect with an explanation of the reason the record is required to exercise or protect the right.
  5. The Company will not consider a request unless it is contained in the correct and prescribed Form C.
    Procedure:
  6. The Company will, within 30 days of receipt of the request, decide whether to grant or decline the request. Whatever decision is taken, the requester will be given notice of the decision in writing. If a request is refused, the notification will include the reasons for the refusal.
  7. The 30 day notice period may be extended if the request is for a large number of information, it is necessary due to the nature of the request and the amount of time required to gather the requested information. The requester will however be given notice of the extension prior to the 30 day period’s expiry.
  8. The Company will not process a request until the prescribed fees have been paid. Where a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.

8. Prescribed fees [PAIA Section 51(1)(f)]

  1. Request Fee (not applicable to a personal requester)
    The requester needs to pay the request fee as prescribed by the Minister for Justice and Constitutional Development, before the request will be processed.
    This non-refundable fee is payable on submission of any request for access to any record. No fee is payable if the request is for personal records of the person requesting it.
  2. Deposit (not applicable to a personal requester)
    If the preparation of the record requested requires more than the prescribed hours (six), a deposit shall be paid (of not more than one third of the access fee which would be payable if the request were granted).
  3. Access Fee
    The requester needs to pay an access fee as prescribed by the Minister for Justice and Constitutional Development fee to enable the company to recover the cost of processing a request and giving access to records in terms of the Act. The access fee is payable prior to being granted access to the records.
  4. A request will not be processed until the prescribed fees have been paid and where a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.
  5. A requestor may lodge an application with a court against the tender and/or payment of the request fee and/or deposit.

9. Grounds for refusal of request

The request may be declined in accordance with one of the prescribed grounds in terms of the Act, namely:

  1. Section 63 of PAIA stipulates that a request for access to a record must be refused if its disclosure would involve the unreasonable disclosure of personal information about a third party, including a deceased individual. However, Section 63(2) does provide exceptions to this.
  2. Section 64 of PAIA states that a request must be refused if it relates to records containing third party information pertaining to:
    1. Trade secrets;
    2. Financial, commercial, scientific or technical information where disclosure would be likely to cause harm to the commercial or financial interests of that third party; or
    3. Information, supplied in confidence by the third party, the disclosure of which could reasonably be expected to put the third party at a disadvantage in contractual or other negotiations, or prejudice the third party in commercial competition.
  3. Section 65 of PAIA prohibits disclosure of information if such disclosure would constitute a breach of any duty of confidentiality owed to a third party in terms of an agreement.
  4. In terms of Section 66 of PAIA, the Company must refuse disclosure of the record could reasonably be expected to compromise the safety of an individual or property.
  5. Section 67 of PAIA mandates the refusal of a request if the record is privileged from production in legal proceedings, unless the person entitled to the privilege has waived the privilege.
  6. Section 68 of PAIA pertains to records containing information about the Company itself and may refuse access to a record if the record:
    1. Contains trade secrets of the Company;
    2. Contains financial, commercial, scientific or technical information, the disclosure of which would be likely to cause harm to the commercial or financial interests of the Company;
    3. Contains information which, if disclosed, could reasonably be expected to put the Company at a disadvantage in contractual or other negotiations, or prejudicethe Company in commercial competition; or
    4. Consists of a computer program owned by the Company.
  7. Section 69 of PAIA prohibits the disclosure of information about research where disclosure is likely to expose the third party, the person conducting the research on behalf of the third party, or the subject matter of the research to serious disadvantage. Disclosure is discretionary if such research pertains to the Company itself.
  8. Notwithstanding any of the above-mentioned provisions, Section 70 of PAIA provides that a record must be disclosed if its disclosure would:
    1. Reveal evidence of a substantial contravention of or failure to comply with the law, imminent and serious public safety or environmental risk; and
    2. If the public interest in the disclosure clearly outweighs the harm.

10. Remedies & Appeal

The Company does not have internal appeal procedures regarding PAIA requests. As such, the decision made by the duly authorised persons is final. If a request is denied, the requestor is entitled to apply to a court with appropriate jurisdiction, or the Information Regulator, for relief.

11. Records that cannot be found or do not exist

If the Company has searched for a record and it is believed that the record either does not exist or cannot be found, the requester will be notified accordingly, which notification will include an explanation of the steps that were taken to attempt to locate the record. by way of an affidavit or affirmation. This will include the steps that were taken to try and locate the record.

12. Records and information relating to a third party

  1. If access is requested to a record that contains information about a third party, the Company must first contact such third party to inform him/her/it of the request to access the record and / or information and enquire if the third party consents to the Company providing the requester access to the record and / or information, as provided in Chapter 5 (Sections 71 to 73) - third party notification and intervention – of PAIA.
  2. If the third party does not consent, the Company will request the third party to provide the Company with reasons why he/she/it does not consent to provide the requester access.
  3. Upon receipt of the reasons for the support or denial of access, the Company’s Information Officer will consider these in determining whether access should be granted, or not.

13. POPIA

  1. Purpose of processing personal information
    The Company processes personal information for the following purposes:
    • Complying with legal and statutory obligations in terms of applicable legislation;
    • Staff administration, including management of employees;
    • Human resources purposes such as job applications and interviews with potential or prospective employees;
    • Keeping of accounts and records
    • Obtaining information necessary to provide the contractually agreed services and / or products to a customer;
    • Obtaining information necessary to provide customers with the purchased product(s);
    • Marketing and advertising purposes;
    • Monitoring, maintaining and managing the company’s contractual obligations with and to customers, clients, suppliers, service providers, employees, directors and other third parties;
    • Responding to enquiries and resolving complaints;
    • To fulfil obligations (contractual or in terms of legislation) to clients and / or customers; and
    • To comply with the Company’s delivery and return policy.
  2. Categories of Data Subjects
    The Company may possess records relating to personal information of the following data subjscts:
    • Clients / customers (natural persons and/or juristic persons);
    • Service providers;
    • Employees;
    • Directors;
    • Shareholders;
    • Visitors to the Company’s premises; and/or
    • Individuals who have indicated and interest in the Company’s products or services and / or who have completed the “contact us” fill in form on the Company’s website.
  3. Types of personal information being processed by the Company may include:
    • Client and / or customer’s (individual) details (such as name and surname; physical address; billing address; postal address; ID number; Tax related information; email address, telephone number, etc.);
    • Client and / or customer’s (juristic) details (such as name of entity, registration number, physical address, billing address, postal address, telephone number, email address, information of authorised representatives, etc.)
    • Employee and / or director’s details (such as name and surname, gender, age, national origin, email address, telephone number, education and qualification information, employment history, ID number, tax number, medical history, etc.)
    • Service providers’ details (such as name of entity, registration number, physical address, billing address, postal address, telephone number, email address, information of authorised representatives, tax related information, etc.)
  4. The Company may provide personal information to other recipients
    It is sometimes necessary for the Company to share personal information with other organisations and / or recipients. Where necessary or required, the Company shares personal information with:
    • Employees and / or directors and / or shareholders of the Company;
    • Regulatory and statutory bodies and government;
    • Service providers and suppliers;
    • Representatives of the Company;
    • Employment and recruitment agencies;
    • Banks or other financial institutions;
    • SARS;
    • Auditors;
    • CIPC.
  5. Cross border flow of personal information
    The Company may from time to time need to share personal information with third parties (suppliers and / or service providers) in other countries and transmit personal information transborder, which personal information may be stored in data servers hosted outside South Africa.
    The Company will endeavour to ensure that these third parties make all reasonable efforts to secure the personal information.
  6. General Description of Information Security Measures
    The Company makes use of technology and safeguarding measures to ensure the protection of personal information, such as:
    1. Organisational privacy policy;
    2. Firewalls and Anti-Virus software;
    3. Physical access control;
    4. Information Systems access control;
    5. Physical security of devices;
    6. Passwords
  7. Data subject’s rights
    In terms of Section 11(3) the data subject has the right to objection to the processing of personal information in accordance with Form 1 of the Regulations.
    In terms of Section 23(1) & (2) the data subject has the right to establish whether a responsible party holds personal information of data subject and to request access to his/her/its personal information, subject to the provisions of Section 23.
    In terms of Section 24 the data subject has the right to request, where necessary, the correction, destruction or deletion of his/her/its personal information in accordance with Form 2 of the Regulations.

14. Annexures

PAIA Form C: Request for Access to Record of Private Body

PAIA Prescribed fees

POPIA Form 1: Objection to the Processing of Personal Information

POPIA Form 2: Request for Correction or Deletion of Personal Information