Protection of personal information policy
PART 1: GENERAL PRINCIPLES FOR PROCESSING PERSONAL INFORMATION
1. INTRODUCTION
1.1. Von Seidels Intellectual Property Attorneys (“Von Seidels” / “we” / “us” / “our” / “the firm”) is a law firm providing legal services in the field of intellectual property to both local and foreign clients.
1.2. Our Head Office is located in Cape Town, South Africa at 4 East Park, Central Park on Park Lane, Century City, 7441, South Africa.
1.3. This Policy details the way in which we, as a Responsible Party, Process Personal Information of our clients and employees in compliance with the Protection of Personal Information Act No. 4 of 2013 (“the POPI Act”).
1.4. The objective of this Policy is to detail the measures that we have taken and provisions that we have made to align our practices with the requirements of the POPI Act.
2. DEFINITIONS (AS PER SECTION 1 OF THE POPI ACT)
2.1. “Data Subject” means any person to whom Personal Information relates and in this Policy, includes the legal guardian of a minor Data Subject;
2.2. “Filing System” means any structured set of Personal Information, whether centralised, decentralised or dispersed on a functional or geographic basis, which is accessible according to specific criteria;
2.3. “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including:
2.3.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
2.3.2. information relating to the education or the medical, financial, criminal or employment history of the person;
2.3.3. any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
2.3.4. the biometric information of the person;
2.3.5. the personal opinions, views or preferences of the person;
2.3.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
2.3.7. the view or opinions of another individual about the person;
2.3.8. the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
2.4. “Policy” means (this) Protection of Personal Information Policy and its annexures.
2.5. “Process” or “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
2.5.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2.5.2. dissemination by means of transmission, distribution or making available in any other form; or
2.5.3. merging, linking, as well as restriction, degradation, erasure or destruction of information.
2.6. “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information.
2.7. “Special Personal Information” is Personal Information concerning –
2.7.1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
2.7.2. the criminal behaviour of a Data Subject to the extent that such information relates to the alleged commission of any offence by a Data Subject; or any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
3. APPLICATION
3.1. The POPI Act applies to the Processing of Personal Information which is:
3.1.1. entered in a record by or for a Responsible Party by making use of automated or non-automated means (the latter requiring that the recorded Personal Information forms or is intended to form a part of a Filing System when Processed); and,
3.1.2. where the Responsible Party is either domiciled in South Africa or makes use of automated or non-automated means in South Africa (other than simply forwarding Personal Information through South Africa).
4. INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER
4.1. As managing partner of Von Seidels and in accordance with section 1 of the Act read with section 1 of the Promotion of Access to Information Act 2 of 2000, the firm’s Information Officer is:
Bastiaan Koster
4.2. In terms of the POPI Act, the Information Officer’s responsibilities include:
4.2.1. the encouragement of compliance, by Von Seidels, our partners and employees, with the conditions for the lawful Processing of Personal Information;
4.2.2. dealing with requests made to Von Seidels pursuant to the POPI Act;
4.2.3. working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of the POPI Act;
4.2.4. otherwise ensuring compliance by Von Seidels with the provisions of the POPI Act; and,
4.2.5. as may otherwise be prescribed.
4.3. The Information Officer’s duties will be taken up once registered as such with the Information Regulator.
4.4. The Information Officer hereby delegates all powers and duties conferred upon the Information Officer in terms of the POPI Act to the following Deputy Information Officer:
Erik van der Vyver (Partner and Head of IT)
4.5. This delegation does not prohibit the Information Officer from exercising the power concerned or performing the duty concerned himself and may at any time be withdrawn or amended in writing by the Information Officer.
5. PROCESSING OF PERSONAL INFORMATION
5.1. As Responsible Party, we Process the Personal Information of the following groups of Data Subjects: employees and clients.
5.2. We Process the Personal Information of clients as set out in our “Protection of Personal Information Policy for Clients”.
5.3. We Process the Personal Information of employees as set out in our “Protection of Personal Information Policy for Employees”.
5.4. We implement the security safeguards set out in our “Security Safeguards” document.
6. PURPOSE OF PROCESSING PERSONAL INFORMATION
6.1. Von Seidels collects, Processes and retains Personal Information of clients and employees for the sole purpose of performing its law firm and employment duties.
7. PRINCIPLES FOR PROCESSING OF PERSONAL INFORMATION
7.1. As a Responsible Party, we adhere to industry standards and the conditions for Processing Personal Information set out in the POPI Act. Accordingly, we Process Personal Information –
7.1.1. lawfully and in a reasonable manner that does not infringe the privacy of Data Subjects;
7.1.2. that is adequate, relevant and not excessive given the purpose for which it is being Processed;
7.1.3. acquired directly from the Data Subject or with the Data Subject’s consent;
7.1.4. as required to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party;
7.1.5. for pursuing and protecting the legitimate interests of the Responsible Party, the Data Subject or a third party to whom the information is supplied; and,
7.1.6. as required by law.
PART 2: PROTECTION OF PERSONAL INFORMATION OF CLIENTS
1. Introduction
1.1. This policy details the way in which we process personal information of our clients in compliance with the Protection of Personal Information Act No. 4 of 2013 (the “POPI Act”).
2. Notification
2.1. This policy serves as a notification to you, our client, relating to the processing of your personal information necessary to carry out actions for the conclusion or performance of a contract of service to which you are party as one of our clients or to comply with any obligations imposed on us by law.
2.2. We, Von Seidels Intellectual Property Attorneys, are the party responsible for the collection and processing of your personal information.
2.3. Our Head Office is located in Cape Town, South Africa at 4 East Park, Central Park on Park Lane, Century City, 7441, South Africa.
2.4. Our Information Officer is Bastiaan Koster and our Deputy Information Officer is Erik van der Vyver.
2.5. You can direct any enquiries regarding your personal information to us at privacy@vonseidels.com.
3. Processing of your personal information
3.1. Name, address and contact information
3.1.1. We collect, process and store your name, address and contact information, which we obtain directly from you, for the purpose of identifying and contacting you in the course of our representation of or work with you.
3.1.2. If we file applications for registered IP rights for you and need to list you as an applicant, inventor or designer in these applications, we might ask for your nationality so that we can advise you of any implications this might have on your applications.
3.1.2.1. In filing these applications, we may be required to share your name, address and nationality with the relevant IP offices of the countries in which you instruct us to file these applications.
3.1.2.2. If you instruct us to file such applications in foreign territories, this may require us to provide this personal information to trusted agents that we work with in the relevant foreign territories, who may then provide this personal information to their respective IP office.
3.1.2.3. Often, as a part of the application or registration process, this personal information will be published in local journals or registers for access by any interested member of the public in association with information relevant to the associated IP right.
3.1.2.4. We ask our trusted agents to process your personal information in a manner that is consistent with this policy. We are not always aware of, and cannot influence, how IP offices of foreign jurisdictions process this personal information.
3.1.3. We may be unable to represent or work with you if you do not provide us with this personal information.
3.2. For South African clients, we collect a VAT registration number if applicable.
3.2.1. We collect this personal information directly from you, only if you are VAT registered, so that we can include this number on our invoices to you.
3.3. If you pay money into our trust bank account, we are also required, in terms of the Financial Intelligence Centre Act No. 38, 2001, to request FICA documentation from you.
3.3.1. If you are a natural person, we require proof of physical address and a copy of an ID document.
3.3.2. If you represent a company, we require a copy of the Company Registration Certificate (CoR 14.3 or CK1) and copies of ID documents of each director of the company.
3.3.3. If you represent a trust, we require a copy of the Trust Deed Certificate and copies of the ID documents of each Trustee of the trust.
3.3.4. If you do not provide us with this personal information, we will not be able to accept payments into our trust account from you. In some cases, this means we will be unable to represent or work with you.
3.4. In some circumstances, we might have to refund money to you. In these circumstances we might ask you for your bank account details in order to effect the refund. If you do not provide us with this personal information, we will be unable to refund you.
3.5. In some cases, if your invoices go unpaid for more than 120 days, we might mark you as a ‘bad payer’ in our internal company databases. This might mean that we cease further work for you while your account remains unpaid or that we request upfront payment for any future work.
3.6. We do not process special personal information (as defined in the Act) relating to clients.
4. Personal information that we might collect from you for other entities
4.1. In some cases, our work with our clients requires us to collect and process personal information of other entities. For example, if we file patent or registered design applications for our clients, we may be required to collect and process personal information of inventors or designers, as the case may be. In other cases, we might act as a local agent for entities that our clients represent. In these circumstances we may be required to collect and process personal information of these entities and possibly personal information of associated inventors or designers.
4.2. Such personal information might include name, address, contact information and nationality, and the points set out above in clauses 3.1.1, 3.1.2 and 3.1.3 are applicable in these circumstances.
4.3. We will collect this personal information from you, our client, on the understanding that you have advised the relevant entity or entities of our need to collect and process this personal information. We ask that you inform the relevant entity or entities of the collection and processing of the personal information on our behalf.
5. Justification
5.1. The processing of your personal information as set out above is necessary to carry out actions for the conclusion or performance of a contract to which you are party as one of our clients. In some cases, the processing is necessary for us to comply with obligations imposed on us by law.
6. Storage and retention of this personal information
6.1. All of the above personal information is stored in our locally hosted databases, which are secured and accessible only by qualified staff members of Von Seidels.
6.2. We maintain this personal information indefinitely for purposes of proof, but restrict processing of the personal information by closing any relevant files when we no longer need the personal information for achieving the purpose for which it was collected.
7. Communications
7.1. Any communication by email between us, or between us and inventors or applicants, if any, is archived by our email management service and might be linked in our databases to the relevant case to which the communication relates.
7.2. Any communication by courier, post or facsimile is digitised and stored in our locally hosted databases and might be linked in our databases to the relevant case to which the communication relates. Originals are archived locally.
7.3. Communications relating to independent, confidential legal advice provided at our clients’ request by our professionals in their capacity as professional legal advisers are exempt from search and seizure by the Information Regulator in terms of the Act.
8. Direct marketing
8.1. Occasionally we might process your personal information for the purpose of direct marketing by means of electronic communication, such as email.
8.2. Our justification for doing so is that you are a client of ours, we have obtained your contact details in the course of providing our services to you and that the direct marketing will be for your benefit and for the purpose of marketing of our own similar services to you.
8.3. We will provide you with reasonable opportunity to object to such use of your contact information at the time of collecting the contact information and on the occasion of each such direct marketing communication with you (if you have not previously refused such use).
9. Security safeguards
9.1. We use industry standard safeguards to protect your personal information. Please refer to Part 3 of this Privacy Policy.
10. Transborder information flows
10.1. We might transfer your personal information to a third party who is in a foreign country for the reason set out in 3.1.2.2.
10.2. We will only initiate such transfers if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures taken in response to your request (e.g. for the purpose of obtaining cost estimates or conducting conflict checks).
11. Your right to participation
11.1. You, or any of the entities that you represent, can request us to confirm, free of charge, whether or not we hold personal information about you or the relevant entities.
11.2. You can also request from us the record or a description of the personal information about you or the relevant entities held by us, including information about the identity of any third parties, or categories of third parties, who have, or have had, access to the information.
11.2.1. This information will be provided to you within a reasonable time, at a prescribed fee (if any), in a reasonable manner and format and in a form that is generally understandable.
11.3. Such requests can be directed to the Information Officer, at privacy@vonseidels.com, and we might ask you to adequately prove your identity to us.
11.4. You may also request us to correct or delete personal information about you in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. Such a request should be made on Form 2 and sent to the Information Officer.
11.5. You may also request us to destroy or delete a record of personal information about you that we are no longer authorised to retain. Such a request should be made and sent to the Information Officer.
11.6. We ask that you direct any complaints regarding our processing of your personal information to us. However, you also have the right to lodge a complaint with the Information Regulator, whose contact details are as follows:
The Information Regulator (South Africa)
JD House
27 Stiemens Street
Braamfontein, Johannesburg
2001
Complaints email: complaints.IR@justice.gov.za
General enquiries email: inforeg@justice.gov.za.
PART 3: SECURITY SAFEGUARDS FOR THE PROTECTION OF PERSONAL INFORMATION
1. Introduction
1.1. This document sets out security measures aimed at preserving the quality, integrity and confidentiality of personal information that we, Von Seidels Intellectual Property Attorneys, have in place in compliance with the Protection of Personal Information Act No. 4 of 2013.
2. Security safeguards
2.1. In line with the reasonably foreseeable risks identified and described in the VS ISO Risk and Opportunities Register, various physical and technical safeguards have been implemented and are maintained against such risks, including the loss of, damage to, or unauthorised access to, destruction of or processing of personal information.
2.2. These safeguards, processes and systems include:
2.2.1. physical access control into the Von Seidels offices via a security access control system, alarm system and CCTV monitoring;
2.2.2. physical access control to the server room including locked doors and security gates and network security access required to access the servers electronically;
2.2.3. maintaining a clean desk policy;
2.2.4. securing physical files;
2.2.5. secure (file 13) disposal of hard copies of confidential information;
2.2.6. the use of identity and access management technologies to control access to computer systems on which information is processed and stored;
2.2.7. requiring all employees to comply with internal information security policies and keeping information secure and confidential;
2.2.8. requiring all employees to complete training about information security;
2.2.9. creating awareness and reminding employees of information security on a regular basis;
2.2.10. informing employees of any new possible threats/risks; and
2.2.11. monitoring and regularly reviewing our practice against our own policies and against industry best practice.
3. Information security
3.1. The following, more specific technical security processes and systems are in use:
3.1.1. Network password policy and general information security guidelines;
3.1.2. Data loss prevention and end-point protection system including anti-virus and malware protection and monitoring;
3.1.3. Network security and management of authorised access and monitoring incoming and outgoing traffic via industry standard firewall;
3.1.4. Private VPN tunnel connecting employees working remotely to the VS network via IPSec protocol (which includes network authentication and multiple security layers);
3.1.5. Two-factor authentication on the production system (Patricia);
3.1.6. Security policies enabled and applicable in respect of corporate data accessed via mobile devices;
3.1.7. Digital security certification and data encryption where appropriate including SSL email encryption;
3.1.8. Local and off-site network backup encryption;
3.1.9. Additional S/MIME encryption and signing certificates for email communication between VS employees and specific clients upon request;
3.1.10. Ongoing monitoring, logs and maintaining incident and/or error reports.
4. Procedures for when we detect a breach
4.1. Intervention. Notify the Information Officer and/or Deputy Information Officer of the breach. Interventions may include immediate password change, suspension of a user account, shutdown and/or isolation of a workstation/system and/or service, depending on the circumstances.
4.2. Assessment. Establish the extent of the breach and determine whether personal information was accessed or lost, which includes checking server, firewall and system security logs.
4.3. Remedy. Take the necessary measures to remedy the breach, which may vary significantly depending on the specific circumstances. Such remedy may also include the services of third party consultants. As an example, when a spam outbreak is detected, check and ensure that the SMTP firewall rule for Microsoft Exchange only allows specific traffic (e.g. Mimecast and Microsoft 365).
4.4. Notification. We will notify the Information Regulator where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
4.4.1. Such notification will be made as soon as reasonably possible after the discovery of the compromise.
4.4.2. We will also notify any data subjects deemed to be affected by such a compromise in writing, either by way of email to the data subject’s last known email address or by placing a notification in a prominent position on our website.
4.4.3. The notification to the data subject shall contain a description of the possible consequences of the compromise, a description of the measures that we have taken or intend to take to address the compromise and, if known, the identity of the unauthorised person who may have accessed or acquired the personal information.
4.5. Prevention. Create awareness and put additional measures (if applicable under the circumstances) in place to prevent similar breach/es. These preventative measures may also include the services of third party consultants.