How BLYDEX collects, uses, and protects your personal information in line with POPIA.
Version: 5
Document date: 01/04/2026
Compiled by:
Data Privacy Policy
Policy Owner
The “Owner” of this Policy is the Company Information Officer.
Definition - Data Privacy
As referred to under the Protection of Personal Information Act 4 of 2013, hereinafter referred to as “the Act”:- “Data Privacy is the Constitutional rights and obligations of Data Subjects (individuals and judicial persons) under the Act, with respect to the fair and lawful processing (collection, use, retention, and disclosure) of Personal Information”.
Definition - External Instructing Parties
External Instructing Parties (hereinafter referred to as External Parties) will refer to any External Party that enters into a relationship with the Company where the Company will have to process Personal Information on behalf of any external Responsible Party or an operator in terms of a contract or mandate without being under the direct control of such Responsible Party in terms of Section 20 of POPIA. (i.e. Banks, Correspondents, etc.)
Preamble
BLYDEX (Pty) Ltd. (hereinafter referred to as “the Company”) recognises the Constitutional Privacy Rights of all Data Subjects, subject to any applicable legal requirements regarding the processing of personal information.
The Company’s underwriting of the general governing principles of Data Privacy will also be contained in an official Company Data Privacy Statement that will be made visible to all interested parties at its operational premises and website as may be appropriate.
The Company also recognises the importance of client privacy and the sensitivity of the personal information concerning any individual or judicial person that may be contained on the Company information systems.
The Company is therefore committed to safeguarding the privacy of all personal information in its possession or under its control concerning any individual or judicial person as may be required under all current and applicable legislation and to subscribe to all individual Privacy Rights as will be set out according to this Data Privacy Policy.
Scope of the policy
The policy will be effective to cover all permanent and temporary employees, associates, correspondents, third-party contractors and operators, consultants and any other external entities of the Company that may have access to or gain access to any personal information of Data Subjects contained on the information systems of the Company.
Management subscription
The management of the Company subscribes to the goals and principles of Data Privacy in line with relevant legislation and its business strategy and objectives.
The relationship of the Company with its personnel, clients and associates is based on mutual integrity and trust and it is therefore committed to maintaining this trust by protecting the privacy and security of personal information and data disclosed and received from any Data Subject or Data Owner at all times and to the best of its ability.
As part of this commitment, the Company will subscribe in all relevant respects to the following:-
Protection of Personal Information Act No.4 of 2013.
Promotion of Access to Information Act 2000.
Applicable guidelines and controls as per the SA National Standard (ISO/SANS 27001/2 & 22301).
Generally Accepted Privacy Principles (G.A.P.P), consisting of the following:-
Management - the Company defines, documents, communicates, and assigns accountability for its privacy policies and procedures;
Notice - the Company provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
Choice and Consent - the Company describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information;
Collection - the Company collects personal information only for the purposes identified in the notice.
Use and Retention - the Company limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent and retains the information for only as long as necessary to fulfil the stated purposes;
Access - the Company provides individuals with convenient access to their personal information for review and updates;
Disclosure (to third parties) - the Company discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual;
Security (for privacy) - the Company protects personal information against unauthorised access (both physical and logical);
Quality - the Company maintains accurate, complete and relevant personal information for the purposes identified in the notice;
Monitoring and Enforcement - the Company monitors compliance with its Data Privacy policy and procedures and has procedures to address privacy-related complaints, disputes and transgressions.
Objectives
In order to create effective and visible guidelines for the Company, its employees and any associated third-party alliances or subcontractors, this policy has been specifically designed to meet the required compliance standards regarding the following aspects:-
Management of Data Privacy within the structure of the Company;
To manage and maintain data processing facilities that are accessed, processed, communicated to, or managed by external parties;
To ensure that all data and personal information receives an appropriate level of protection that will be addressed in a separate, supporting Information and Cyber Security Policy;
To ensure that employees, contractors, and third-party users of the Company information facilities understand their responsibilities and are suitable for the roles they perform or are considered for, in order to reduce the risk of theft, fraud or misuse of facilities;
To ensure that employees, contractors, and third-party users of the Company information facilities are aware of personal information and data security, security threats and concerns, their responsibilities and liabilities and are equipped to support the organisational Data Privacy Policy of the Company in the course of their normal work and to reduce the risk of human error;
To ensure that employees, contractors and third-party users of the Company exit the employment or change employment in accordance with applicable policies;
To prevent unauthorised physical access and/or damage to, or interference with the premises, data or personal information related to the Company, which could lead to a data breach that will be addressed in a separate, supporting Access Control Policy;
To ensure the correct and secure operation of all data and information processing facilities within the Company;
To implement and maintain the appropriate level of data and information security and service delivery agreements;
To minimise the risk of system failures;
To protect the integrity of software data and personal information;
To maintain the integrity and availability of back-up of data, information, and related processing facilities;
To ensure the protection of data and personal information in any networks related to the Company, as well as protection of the supporting infrastructure;
To prevent unauthorised disclosure, modification, removal or destruction of any removable assets and media under the control of the Company, containing personal information;
To ensure the security of electronic commerce services (where/when applicable) and their secure use within the Company;
To detect unauthorised data and information processing activities within the Company;
To ensure proper, authorised user access and to prevent unauthorised access and the compromise or theft of data and information of the Company;
To prevent unauthorised user access and the compromise or theft of personal information or data from data / information processing facilities related to the operations and functions of the Company;
To prevent unauthorised access to networked services when applicable;
To prevent unauthorised access to the Company operating systems;
To prevent unauthorised access to data and personal information held in any application systems within the Company;
To ensure data and information security if mobile computing and teleworking facilities are employed by the Company that will be addressed in a supporting, separate Mobile Device Policy;
To ensure that security is an integral part of all relevant data and information systems in use by the Company;
To prevent errors, loss, unauthorised modification or misuse of data and personal information in applications within the Company;
To protect the confidentiality, authenticity or integrity of data and personal information within the Company by effective cryptographic means when required.
To ensure the security of system files.
To maintain the security of application software, data, and information within the Company.
To reduce risks resulting from exploitation of published technical vulnerabilities that will be addressed in a separate, supporting Technological Risk Policy.
To ensure that any breach in information and data security events and weaknesses associated with information systems within the Company are communicated in a manner allowing timely corrective action to be taken and that will be addressed in a separate, supporting Information Security Breach Policy and Report procedures;
To counteract interruptions to business activities and to protect critical business processes within the Company from the effects of major failures of data and information systems or disasters and to ensure their timely resumption by way of a properly implemented Business Continuity and Disaster Recovery Plan;
To avoid violations of any law, statutory, regulatory or contractual obligations and of any security requirements;
To ensure compliance of systems used by the Company within its organisational security policies and standards; and
To maximise the effectiveness of, and to minimise interference to or from any information and data systems audit processes.
Management control and enforcement
Information Officer and Deputy Information Officers
In order to comply with legislation and to facilitate and manage the outcomes of the declared intent of the management of the Company regarding this policy, the Information Officer for the Company will be the Chief Executive Officer or a duly authorised person of the Company according to the requirements as defined under Sec. 1 of the Protection of Personal Information Act No.4 of 2013 and read together with the prescriptions of Sec.1 of the Promotion of Access to Information Act 2000.
The Information Officer will be duly registered with the Information Regulator as is required by the applicable legislation and will report to the Senior Management, or Board of Directors of the Company as may be applicable.
The Company will also designate where necessary, an appropriate number of Deputy Information Officers as described under Sec. 56 of the Protection of Personal Information Act No.4 of 2013, read together with the prescriptions of Sec. 17 of the Promotion of Access to Information Act 2000.
The Deputy Information Officers will also be duly registered with the Information Regulator as is required, reporting directly to the Information Officer of the Company and will in conjunction with the Information Officer and any other designated individuals constitute the official Information Management Committee (hereafter also referred to as the “IMC”) of the Company, which will be communicated as such to all Company employees and other relevant parties.
The role and responsibilities of the Information Officer and by delegation also the Deputy Information Officer/(s) will be included in a formalised and documented job description for assessment and regulatory purposes and also to facilitate compliance to Sec. 55 of the Protection of Personal Information Act No.4 of 2013.
The officers will perform in their respective capacities immediately after appointment and will officially take up their duties in terms of this Act after their subsequent registration with the Information Regulator.
Compliance Operational Structure
An appropriate structure for the effective management of compliance of the Company has been signed off by Senior Management and attached to this policy.
H/R Security (“Joiners / Movers & Leavers”)
The Company acknowledges the importance of regulating the movement of personnel in the Company organisational structure and will apply the related ISO 27001 control framework in the H/R Department Policies and Procedures to maintain the security of information processing, control of access to processing premises and information systems and dealing with any violations of the related policies and S.O.P’s requirements.
Individual Privacy Rights
The Company will manage personal information in compliance with the Act and will also comply in all relevant circumstances with any other Acts that may have reference and application.
All Data Subjects engaging the services of the Company must be properly advised of their privacy rights before any processing of their personal information is initiated.
Individual Privacy Rights, subject to certain provisions under the Act, are summarised as follows:-
a) Data Subjects are to be notified that:-
Individual personal information is being collected, or
Individual personal information has been accessed or acquired by an unauthorised person.
b) Data Subjects will have the right to:-
1) Establish whether the Company is holding any of a subject’s personal information and to request access to this information.
2) Request, where necessary, the correction, destruction, or deletion of this information.
3) Object, on reasonable grounds related to a subject’s personal situation, to the processing of such subject’s personal information.
4) Object to the processing of personal information at any time for purposes of direct marketing.
5) Not have personal information processed for purposes of direct marketing by means of unsolicited electronic communication, subject to certain exceptions.
6) Not be subject, under certain circumstances, to decisions based solely on the automated processing of personal information intended to provide a profile of the data subject (also referred to as “profiling”).
7) Submit a complaint to the Regulator regarding any alleged interference with the protection of personal information, or the determination of an adjudicator.
8) Institute civil proceedings regarding the alleged interference with the protection of the data subject’s personal information.
Collection of Personal Information
Personal information will be collected for the purposes of serving the business and related needs of Data Subjects as set out in a written processing notification, to: -
Understand, advise and assist the Data Subject/s with specific or ongoing business needs.
Ensure the recorded information is kept accurate and up to date.
Comply with any legal requirements that may be applicable.
Types of Personal Information that may be collected
All Personal information as defined under the Act.
The Company will follow reasonable and prudent business practices to legally collect, use and disclose a Data Subject’s personal information only for the purpose of providing the Data Subject with any required business services and will not collect any personal information without the Data Subject’s consent, or that may be excessive to the purpose that it is required for.
Collection process when processing Personal Information
The Company’s collection procedures will be guided by the following:-
Collection of personal information will only be by lawful and fair means.
Directed individual requests for a Data Subject’s relevant sensitive personal information from a particular organisation or business, such as medical professionals or financial institutions, will only be made after obtaining the written consent thereto from the Data Subject.
Wherever possible, personal information will only be collected directly from a Data Subject.
Data Subject consent will be required at the start of mandates or during representation procedures if prior consent was not already obtained.
Consent will primarily be required in writing, but verbal or implied consent may be accepted as may be necessary to further a Data Subject’s business needs.
A Company Privacy Statement will be published on the Company website and will also serve as a supportive notice of the purposes for which the Company collects, uses, or discloses a Data Subject’s personal information or business contact information.
Dependent on the business services provided, with a Data Subject’s consent, the Company may obtain this relevant information from whatever resource necessary and applicable, including, but not limited to: -
The Data Subject personally;
Medical professionals;
Public registries such as the Deeds Office, Department of Internal Affairs, Receiver of Revenue, or whichever registry may be of essence;
Financial institutions (for example to verify financial information);
Credit bureaux;
Data Subject’s employer (for example, employment evidence for confirmation of income, etc.);
Motor vehicle and driver licensing authorities;
Law enforcement, if relevant;
Investigators.
Consent
The Company’s guidelines with regard to consent will be as follows:-
The Company’s general practice will be to primarily request a Data Subject’s written or alternatively express oral consent, which may be given in person or over the telephone if the Data Subject’s identity can be properly authenticated.
If a Data Subject volunteers to provide relevant personal information verbally, in writing, or via the Company website, it may be assumed that the Data Subject is also consenting to the collection, use and disclosure of personal information as described in the Company Privacy Statement.
When a Data Subject initiates contact with the Company, it may be determined that consent has been implied for the Company to collect, use and disclose personal information in a reasonable and lawful manner.
In some situations, the Company will require express consent in writing, by the provision of a letter, application form, electronic signature, or other document authorising certain activities.
As a basic rule, the Company will handle all personal information confidentially and will substantiate the legal authority to collect, use and disclose personal information in these circumstances when required.
Note must, however, be taken that there are certain circumstances where the Company is required or permitted by law, to collect, use and disclose personal information without Data Subject consent.
Personal information of a Data Subject may only be disclosed without the Data Subject’s consent under written authorisation from the Company CIO, or other mandated members of the IMC under certain circumstances, when: -
the Company is required or authorised by law to do so, for example if a court issues a subpoena;
the use of the information is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public;
it is necessary to establish or collect any fees owed to the Company; or
if the information is already publicly known.
Use or application of Data Subject Personal Information
The Company’s accepted practice will subscribe to the following:-
Personal information will only be used or applied for the purposes intended, to provide business advice and services to a Data Subject and to administer the Company’s core business incidental to providing business services, such as client billing;
With Data Subject permission, the Company may send further information about the Company’s other extended business services, or about new developments in the business environment, to a Data Subject – (NB: The Data Subject may at any time withdraw any prior consent by notifying the Company accordingly, and the Company will be committed to terminate any further transmission of information immediately);
The Company will not disclose or sell any Data Subject personal information or business contact information to any third party to enable them to market their products and services without express prior written consent from any Data Subject.
Release of Data Subject Personal Information
The Company will only release personal information of a Data Subject to serve specific needs of the Data Subject, while providing required business services.
With Data Subject consent, the Company may provide information to:-
Company staff and agents who use the information for the reasonable business purpose of providing the Data Subject with required business services;
A third-party contracted to provide administrative services to the Company (like Correspondents, computer back-up services or archival file storage) on condition that the third-party has agreed to comply with the Company’s Data Privacy and Information Security policy requirements and any other applicable privacy laws;
Professionals employed by the Company, such as consultants and subject-matter experts.
Interaction with External Instructing Parties (External Party)
In the event where the Company will have to process Personal Information of any Data Subject on behalf of any External Party in any foreign jurisdiction outside of the South African border jurisdiction in an on-going execution of the original instruction(s) received from the External Party for the processing of the relevant information, the Company will revert to the External Party in order to obtain specific further authorisation from the External Party prior to proceeding with the processing of the information in the related foreign jurisdiction(s), subject to any regulatory requirement in that jurisdiction.
Due cognisance will also be retained in terms of the requirements under POPIA Section 72 with regards to processing of Personal Information outside of the South African border jurisdiction.
Regulatory requests for access to External Instructing Party related Personal Information (External Party)
In the event where the Company receives a request from any Regulatory Authority for access to Personal Information of Data Subjects related to any External Party, the Company will also share the request for approval as due notification to the External Party prior to granting the required access.
It is accepted that the Company as a defined operator under POPIA for the External Party will ultimately be obliged to grant access to the related Personal Information in terms of the Regulatory request, but as a result of the relationship between the Company and the External Party as intended under Section 20 of POPIA, the Company will have to notify the External Party of such request(s).
The relevant protocols under PAIA Section 51 will also be adhered to, unless a related Court Order from a competent jurisdiction is served on the Company to grant access.
Accuracy of information
The Company will always endeavour to ensure the accuracy and relevance of any personal information on its information systems, while a Data Subject will have the right to request access and any necessary correction of own personal information that is held on the Company information systems.
It will be a basic requirement that a Data Subject must provide the Company with accurate and up-to-date personal and business contact information for the purposes of providing the Data Subject with required business services and to maintain contact with the Data Subject.
If during the course of the professional relationship between the Company and a Data Subject, any of the Data Subject’s information should change, it will be required from the Data Subject to inform the Company as soon as possible, in order to enable the Company to make any necessary changes as soon as reasonably possible.
The above requirements must be clearly conveyed to all Data Subjects entering into a relationship with the Company at the start of the relationship and put into writing as far as possible to avoid any possible dispute thereof in future.
Protection of Personal Information
To protect all Data Subject personal information under control of the Company, the Company will: -
Endorse the principles for the processing of personal information as described under the Act;
Include all the necessary controls and protocols to mitigate all known and reasonably foreseeable threats to personal information in Company possession or under Company control;
Introduce properly monitored applicable screening and awareness training interventions for Company employees and where necessary any third-party service providers or operators, to maximise the safety levels for processing of personal information and minimising the threats of data breaches and loss of personal information;
Maintain strong management and control protocols over any third-party service providers or contractors with regards to the proper protection and processing of personal information;
Implement and maintain an effective Information Security Management System (ISMS) with due regard to generally accepted Standards and Principles;
Not collect, use, or disclose personal information for any purpose other than those specified as per prior consent, or which are reasonably evident.
Only disclose personal information to those persons who have a need to access personal information for the purposes stated in the Company Privacy Statement or any subsequent notice to process and which will also be specified in the Data Subject consent to process personal information.
Keep Data Subject personal information only for as long as it is needed to fulfil the stated purpose or as may be required by any other applicable or related legislation;
Securely and effectively dispose of redundant personal information of Data Subjects on the Company’s information systems as soon as possible after the fulfilment of the originally stated purposes, unless prohibited by the requirements of any other applicable legislation;
Maintain Data Subject personal information in as accurate, complete, and up-to-date format as possible;
Keep all personal information physically secure, (for example, in locked or secure offices, rooms and/or filing cabinets as may be applicable);
Implement and maintain any reasonably expected and applicable technological safeguards such as passwords or encryption for sensitive personal information on information systems, in storage, in transit, or located on any mobile devices.
Data Security Breaches
Data Security Breaches will be managed by way of the prescribed Company protocols according to requirements under POPIA Section 22.
Access to Personal Information
A Data Subject may, at any reasonable time, request access to own personal information that the Company may have or control.
The request must be in writing and directed to the Company Chief Information Officer (CIO), or other dedicated Deputy Information Officer (DIO) that will be properly identified and communicated to all interested parties from time to time.
NOTE: It will be an absolute pre-condition that the identity of any Data Subject requesting access to personal information will be established properly and beyond any reasonable doubt before any access to any personal information will be allowed. (Also refer to the Company PAIA Sec.51 Manual for the prescribed process in instances where there are reasonable grounds to refuse access to personal information).
The Company may also charge a reasonable fee for retrieval and copying of personal information and if the retrieval or copying or the request from the Data Subject is extensive, prior notice of such fee must be provided to the Data Subject prior to retrieval and copying.
Grounds for denial of access to Personal Information
There are exceptions to the Data Subject right to access of personal information: -
a) By law, the Company must deny access when: -
A Data Subject’s file contains personal information on a third-party and the information cannot be severed to maintain the privacy of the third-party information.
Required or authorised by law (for example, when a record containing personal information about a Data Subject is subject to a claim of legal professional privilege by one of the Company’s clients).
b) The Company has the right to deny access to personal information and may deny access when a Data Subject’s information relates to existing or anticipated legal proceedings against the Data Subject, including unpaid bills to the Company.
In instances where the Company denies a Data Subject’s request for access to, or refuses a request to correct, information, the Company will issue an explanation and the reason/s for the refusal.
The Company will, however, attempt in all cases to mediate a resolution if possible, but failing this, the Data Subject must also be advised of the alternative option to revert to the processes as provided for under the Promotion of Access to Information Act (PAIA) and reflected in the Company Sec.51 PAIA Manual that can be accessed on the Company website or obtained at the Company’s physical business premises.
Communications by E-mail
The Company’s view of this communication medium is that e-mails cannot be regarded as a secure, confidential method of communicating with the Company with regard to confidential and personal information.
NB: The Company will investigate viable and more secure alternatives to the use of e-mail to convey personal or confidential information and will in the interim also endeavour to obtain, as far as may be reasonably possible, the Data Subject’s expressed authorisation for this form of communication, thereby accepting all the inherent risks associated with this type of communication.
The Company will draft and implement a specific E-mail policy to also address and manage this aspect properly, the prescriptions of which will have to be followed scrupulously in all respects, even where the Data Subject consents to this format of communication.
Third Party Management
All third-party agreements with the Company will make provision for the clauses and conditions necessary for these parties to comply with POPIA Section 21 information security requirements in terms of this Policy and the remedial procedures to enforce these requirements.
The strict compliance of third parties to the conditions contained in the relevant agreements will be monitored by the Information Officer or delegated Deputy Information Officer/(s) of the Company as part of their job description and any violations reported to the Information Management Committee for assessment and remedial actions where appropriate.
Dealing with the public media
Only Senior Management or designated representatives of the Company will be authorised to make any presentation, comment, statement, or direct contact with the public media regarding any matter whatsoever regarding any Information Security incident, client information or any business issues directly related to the organisation and/or its operations.
Any employee, contractor, or associated third party that is found in violation of this ruling will be subjected to the applicable sanctions in accordance with the Company Disciplinary Code and/or any other related policy governance as may be applicable.
Non-adherence to the policy requirements
The Company will enforce adherence to the requirements of this policy in a very strict manner to comply with the requirements of the Act and to maximise the protection of the privacy and personal information of data subjects.
Any Company employee found to be in breach of the policy requirements will be subject to the relevant Disciplinary procedures of the Company and if any activities related to such breach may be uncovered during these procedures that are also in violation of any other legislation, (i.e. Anti-Corruption legislation), the Company will also proceed with criminal charges or other legal processes that may become relevant.
In any instances where third-parties or operators under contract to the Company are found to be involved, or implicated, any further interaction with the affected parties will be suspended immediately pending an investigation into the matter and the contractual conditions contained in the relevant contracts may be invoked and where necessary or applicable, any legal or criminal processes must be initiated as soon as may be reasonably possible.
Supporting Data Privacy Policies, Procedures and Guidance
Supporting Data Privacy related policies and other procedural guidance documentation for the principles listed above can be referenced and will be made available in the Company Policies library.
Internal References
The following contains a list regarding the above, but is not limited to:-
Protection of Personal Information Act 4 of 2013;
Promotion of Access to Information Act 2000;
Company POPIA/PAIA Section 51 Manual;
Prevention and Combating of Corrupt Activities Act 2004 (Act No. 12 of 2004);
Companies Act No 7 of 2008;
King III/IV Code of Governance Principles;
Generally Accepted Privacy Principles (G.A.P.P);
Company Business Continuation and Disaster Recovery Plan;
Company Personnel Policy and Disciplinary Code;
Company E-mail Policy and procedures;
Company Acceptable Use Policy and procedures;
Company Remote working facilities Policy;
Company Media Policy;
Company Password Policy;
Company Confidentiality agreements: Employees, Third Parties and Contractors;
Company Protection of Personal Information Agreements: Employees, Third Parties and Contractors;
Company Non-Disclosure agreements;
Company Third Party Service- and Service Level Agreements;
Company Records Management Policy & S.O.P’s;
Company Records Retention Schedule;
Company Records Destruction Policy & Procedures;
Company Access Control Policy;
Company Information Security Breach Policy & Reporting;
Company H/R Legal Compliance Awareness Training Policy;
Company Information and Cyber Security Policy;
Company Technological Risk Policy;
Company Mobile Device Policy;
Company Prevention of Fraud and Corruption Policy;
Company Video Surveillance Policy;
Company Privacy Statement.
Review of the policy
This policy will be reviewed at least once every financial year and appropriate changes will be made should these be required because of any changes in legislation or when prompted by changes in the operational environment of the Company, anytime during the financial year.
The Company will have the responsibility to inform all employees and stakeholders of the Company immediately of any such changes that may be applicable.
The Revision History and Version Control of this policy will be appropriately recorded for auditing and compliance purposes.
The Company Privacy Statement as published on the Company website will also be altered accordingly to reflect any changes to the policy where applicable.
Effective Date
The policy shall take effect on the date of acceptance and sign-off by Company Senior Management.
Management Acceptance
The Senior Management of BLYDEX (Pty) Ltd. hereby accepts this Data Privacy Policy for integration and implementation into the Company’s Data Privacy Management structure.
_________________
Soren Burkal Nielsen
Managing Director/Information Officer
09/04/2026
Revision History
Version Control