This privacy notice is part of your agreement with Compliance Online
1. Your privacy is important to us
At the core of our business practices we are committed to being transparent about the data we collect about you, how it is used and with whom it is shared.
This Privacy Notice applies when you use any of our Services (described below). We offer you choices about the data we collect, use and share in terms of this Privacy Notice.
During the course of our interactions, you share personal information with Compliance Online.
This notice tells you what to expect when we collect and use your information. It is part of our agreement with you, and we may need to update it periodically, but we will inform you when we do. You should read this notice along with the terms and conditions that apply to the products and services you use.
If you have any questions, please contact us at +27 21 863 0073 or via firstname.lastname@example.org.
Deputy Information Officer: email@example.com
2. To which services does this notice apply?
This Privacy Notice applies to services supplied on complianceonline.co.za, policypassport.com, and your communications with us, but excluding services that state they are offered under a different Privacy notice or Policy.
3. What personal information do we collect?
- Company and financial information of our clients in order to conclude a contract with them
- The personal information of users of our services - this includes their:
  - name and surname (so that we know who you are)
  - identity or employee number (so that we can avoid duplications on our system)
  - employment information (who your employer is and your position)
  - e-mail addresses and telephone number (so that we can communicate with you)
  - gender and race (we collect this in order to assist your employer to comply with B-BBEE legislation)
  - training and test results
4. When and how do we process your personal information?
4.1 We process your personal information to fulfil aspects of our contract with you
4.2 We may process your personal information if it is in your legitimate interest or our legitimate interest
4.3 We may process your personal information when you give us your consent to do so
5. What about children’s information?
We do not knowingly collect personal information of children without the consent of a parent or guardian.
If you are younger than 18 years old, we will always ask for consent to process your personal information from your parents or guardian.
6. Do we share your information with others?
We only share your information with others we trust. This includes the following infrastructure providers and sub-processors:
- Amazon Web Services, Inc.
- Heroku, a Salesforce, Inc company
- Google, Inc.
- Twilio, Inc. (Sendgrid)
- Freshworks Inc.
- Microsoft Corporation
We never sell or share your information for marketing purposes with anyone.
7. Do we send your information to other countries?
Some of the service providers that we use are located in other countries; for example, our cloud storage service providers are located in the European Union. If we send information to anyone who is located in a country that does not have the same level of protection of personal information as South Africa or the European Union, we require that they undertake to protect the personal information of our customers to the same level that we do.
We provide for appropriate safeguards by means of contracts between us and our foreign service providers. You can ask us for a copy of these safeguards at firstname.lastname@example.org.
8. How long do we keep your information?
We only keep your information for as long as we need to. We retain your information for record-keeping purposes. This ensures that you and your employer have continued access to the results. If you ever change employment and your new employer is also one of our clients, you may not have to repeat training that you have completed as we will have access to your full training history.
You can request to have your information deleted. However, we may not be able to comply with your request if we are under a legal obligation to retain the information. In some cases we may choose to retain certain information in anonymised or aggregated form.
If you choose to terminate your use of our services we may retain your personal data even after we have closed your account if reasonably necessary to comply with our legal obligations, meet regulatory requirements, maintain security, or fulfill your request to “unsubscribe” from further messages from us. We will retain depersonalised information after your account has been closed such as how you used our services or your financial information.
9. What do we do to protect your information against a breach?
We have taken reasonable steps to minimise the impact of a breach
We have implemented reasonable security measures based on the sensitivity of the information we hold, such as using HTTPS. These measures are in place to protect the information from being disclosed, from loss, misuse and unauthorised access, and from being altered or destroyed.
We regularly monitor our systems for possible vulnerabilities and security breaches, but no system is perfect and we cannot guarantee that we will never experience a breach of any of our physical, technical or managerial safeguards. If something should happen, we have taken steps to minimise the threat to your privacy. We will let you know of any breaches which affect your personal information and inform you how you can help minimise the impact.
You also have a role to play in keeping your information secure. For example, you should never share personal information with us in an email, because while our servers are protected, it is still possible that email can be intercepted. Instead, send your information using an encrypted communication method or phone us on +27 21 863 0073.
10. What are your rights when it comes to your personal information?
You have the right to be informed about the personal information we have, and what we do with it.
You have the right to:
- ask us what we know about you
- ask what information was sent to our suppliers, service providers or any other third party
- ask us to update, correct or delete any out-of-date or incorrect personal information we hold about you if it is no longer necessary to provide services to you
- receive all of the information we have about you and to transfer it to another service provider in machine readable form
- unsubscribe from any direct marketing communications we may send you
- object to the processing of your personal information.
You can request access to the information we hold about you or correct your personal information by contacting us at email@example.com.
It can take us up to 21 business days to respond to your request, because there are procedures that we need to follow. In certain cases, we may require proof of your identity, and sometimes changes to your information may be subject to additional requirements such as valid proof of residence.
11. Your rights in terms of the GDPR
If you are in the European Union, you have these rights in terms of the GDPR:
- The right to be informed about the collection and use of your personal information.
- The right to access your personal information. We may take one month to respond to your request and may charge a fee in some circumstances. We will let you know if this is the case.
- You have the right to have inaccurate personal information corrected or completed if it is incomplete. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to have your personal information erased, also known as the ‘right to be forgotten’. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to request that we restrict or suppress your personal information. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to reuse your personal information for your own purposes across different services, also known as the right to data portability.
- You have the right to object to us processing your personal information in certain circumstances. We may take one month to respond to your request. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
- You have the right to complain to the Information Regulator.
- You have the right to object to automated decision-making and profiling.
- You may ask that a human review any automated decisions that we make about you, express your point of view about it and obtain an explanation of the decision. We may take one month to respond to your request.
If you want to exercise any of these rights, please contact us via firstname.lastname@example.org.