At Axnosis Group (“Axnosis”/ “we”/ “us” / “our”) [including our United Kingdom (“UK”) and South African subsidiaries], we understand and appreciate that your personal information is important to you and that you may be concerned about disclosing it. Your privacy is just as important to us and we are committed to protecting and managing your information in a lawful manner. It is important that you understand how and for what purpose we process your information. If for any reason you think that your information is not processed in a legal or lawful way, or that your information is being used for a purpose other than originally intended, you can contact our Information Officer / Data Protection Officer.
Axnosis is committed to full compliance with the following Acts:
- In the UK: The Data Protection Act 2018, enforcing the UK’s implementation of the General Data Protection Regulation (“GDPR”). This is to ensure that all information is used fairly, lawfully, and transparently
- In South Africa:
  - The Promotion of Access to Information Act 2 of 2000 (“PAIA”), which gives effect to section 32 of the Constitution, which provides that everyone has the right to access information held by the State, as well as information held by another person (such as a private company).
  - The Protection of Personal Information Act 4 of 2013 (“POPIA”), which sets certain conditions for responsible parties (such as a private company) to lawfully process the personal information of data subjects (both natural and juristic persons).
- On the one end, PAIA is an “access” law, all about freedom of Information. It allows individuals and organisations to ask for records that already exist, such as documents, pictures, and audio files. POPIA on the other end, is about privacy, i.e., the prevention of exposure of information.
These Acts are applicable to the collection, use, storage, and processing of personal information (or “data”) in respect of customers, employees, sub-contractors, and business partners (collectively referred to as “data subjects”).
- To ensure personal information (of a person or entity) is collected, processed, stored, and shared in a responsible manner.
- To prevent the negligent disclosure of personal information.
- To ensure the collection and processing of personal information is done for a specific, explicitly defined, and lawful purpose related to the function or activity of the responsible party.
- To legislate that personal information may generally only be captured, used, and stored with express and informed consent of the data subject.
What Constitutes Personal Information?
Personal information has a wide meaning and includes information that identifies and relates to organisations and legal persons (e.g., company contact details, directors’ details, correspondence of a confidential nature, etc.).
Personal information includes:
- Full names and surname.
- Date of birth.
- Identity number.
- Tax number.
- Phone numbers (Mobile / Landline).
- E-mail address.
- Physical address.
- Marital / Relationship status.
- Educational information.
- Financial – and banking details.
- Employment history.
- Gender / sex.
- Medical Aid details.
- Pension details.
Special Personal Information (“SPI”):
- Children information (under 18 years of age).
- Ethnic origin.
- Trade union affiliations.
- Political affiliations.
- Religious affiliations.
- Health status.
- Criminal record.
- ITC / TransUnion credit check / status
- Curriculum Vitae (“CV”).
- Biometric information.
- Sexual orientation.
- Physical or mental health.
- Personal opinions, views, or preferences.
- Correspondence sent by a person / entity that is implicitly or explicitly of a private or confidential nature and/or any further correspondence that would reveal the contents of the original correspondence.
- The views or opinions of another individual / entity about the person.
It is recognized that the stated Acts place a general prohibition on the processing of SPI, except in a few exceptional cases as defined in the law, e.g., parent or guardian consent is required to process personal information of a child.
This Privacy Statement applies to all Axnosis websites, domains, products, and services and those of our wholly owned subsidiaries. Personal information (i.e. “data”) concerning Axnosis and its customers, including outsourcing, business partners, employees, former employees (i.e. “data subject/s”) – collected and processed – is also governed by this Privacy Statement, except where the contract with a data subject defines different requirements which will take precedence over this Privacy Statement.
This privacy statement explains:
- Who we are and what we do?
- From where and what data is sourced?
- What are the purposes of the sourced data?
- How is data processed?
- Who has access to the data?
- Where is data stored and how is it protected / monitored?
- How is data transferred to a third party (if any)?
- How long is data retained and when deleted?
- What are the rights of data subjects?
- Data breach notification.
- Risk management.
- Complaints, objections, and data requests.
- Enquiries and contact details.
Who We Are and What We Do?
Axnosis consists of Information Technology companies in the UK and South Africa.
Our key focus is: The sale of Microsoft software products, as well as our in-house software, which functions as add-ons to the Microsoft products.
These constitute a wide range of products to help local and foreign enterprises to operate more efficiently and successfully. We sell the said products, complemented by installation and implementation thereof, as well as training therein.
From Where and What Data are Sourced?
Data is sourced from customers, being private companies (local and foreign) as well as South African State-Owned Enterprises (“SOE’s”). The data is sourced in the execution of signed contracts – or the submission of an online request / application. Note that a contract mandates that processing is necessary to perform actions for the conclusion or performance of a contract to which the data subject is a party.
Where data is not sourced by way of signed contracts, specific, customer or data subject consents are obtained in writing, in which explicit permission is granted to use his/her/its personal information. It is specifically noted that some meetings with customers, in the execution of contracts, are recorded (e.g., voice recordings, Zoom meetings, and/or MS Teams meetings). However, we provide participants with advance notice when any meeting is recorded.
Data varies per customer – and contract requirements, but includes inter alia:
- Policy documents, their financial information (financial statements, management accounts, budgets, cash flow forecasts, ledgers, debtors’ lists, creditors lists), statutory information; and
- Details of key board members of customers; and
- Employee information of customers (such as human resources information, pension information, medical aid information, salary information).
- Service Level Agreements (“SLA”), which contain information about suppliers or service providers.
Axnosis also sources data from its own employees and external sub-contractors, which includes personal information such as: Full names, identity numbers, race, gender, sex, age, details of driving licences, marital status, details of spouse (if married), physical and postal addresses, cell phone numbers, e-mail addresses, medical aid, and pension information, and banking details. The only SPI-type information sourced by Axnosis is CV’s, which is provided to us by the relevant data subject with his/her consent.
When we gather personal information of our own employees (or employment applicants, consultants, and sub-contractors), we realize that we may not make free and unlimited use thereof, being cognizant of our responsibility to have procedures in place with respect to such data which comply with relevant data protection and surveillance laws.
What Are the Purposes of the Sourced Data?
We source data for the following specific purposes:
- Data from private companies and SOE’s are used to set up, configure, and execute new software systems for these customers in execution of contracts.
- Data from employees and external sub-contractors are obtained in writing (by way of employment contracts and/or sub-contractor agreements) to use toward correct salary and pension payments, salary deductions, medical aid payments, PAYE deductions, etc.
In general, we source (and process) data for a variety of purposes, including, but not limited to, the following:
- To provide or manage any information, products, and/or services requested by customers, suppliers, or employees or any other relevant data subjects.
- Maintain customer, supplier, and employee records.
- For recruitment purposes.
- For employment purposes
- For general administration, financial, and tax purposes.
- For legal purposes.
- For contractual purposes
- For health and safety purposes.
- To monitor access, secure, and manage our premises and facilities
- To help us improve the quality of our products and services.
- To help us detect and prevent fraud.
- To identify other products and services which might be of interest to data subjects and to inform them about our products and services.
How is Data Processed?
Processing is defined as any operation, or activity, or any set of operations, concerning personal information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use.
- dissemination by means of transmission, distribution, or making available in any other form.
- merging, linking, as well as restriction, degradation, erasure, or destruction of information.
All processing of personal information must be done in accordance with the following eight key principles as outlined in the stated Acts:
- Accountability: The responsible party is accountable for the processing of personal information according to the principles below.
- Processing Limitation: Personal information must be processed in accordance with the relevant laws, so as not to intrude on the privacy of the person / entity whose information is being processed.
- Purpose Specification: All data must be collected for a specific purpose, which is properly defined, and for legitimate reasons. It may not be kept for longer than is necessary.
- Further Processing Limitation: No data may be processed beyond its initial purposes.
- Information Quality: Proper safeguards and steps must be in place to ensure that the data is complete, accurate, current, and not misleading in any way.
- Openness: Data may only be collected by a person or authorized representative who has given notice and disclosed the requirements, the purposes, and the reasons – to the person / entity concerned, having obtained their consent.
- Security Safeguards: Ensure appropriate technical and organisational measures have been taken to safeguard the integrity of the data and to safeguard it from unauthorized access.
- Data Subject Participation: Details of what data / information is collected must be made available to the data subject, free of charge. They must understand what data is being collected, why, and that they have the right to request that it gets discarded after using the data for the initial purpose/s (within reason).
Specific to Axnosis:
It is important that you understand how and for what purpose we process your information. If for any reason you think that your information is not processed in a legal or lawful way, or that your information is being used for a purpose other than originally intended, you may contact our IO / DPO (see “Introduction” above). In the unlikely event that we want to use your personal information in a manner different from that stated at the time of collection, we shall notify you, and you will have, subject to legal and/or contractual provisions, a choice as to whether we can use your personal information in such a way, by providing written consent / refusal.
Data provided by private companies and SOE’s is uploaded into their own Microsoft Dynamics databases. This requires that the data be converted into a different and specific format/s to be uploaded. Data is never changed, but only repackaged / reformatted. SLA’s concluded by Axnosis shall forthwith have provisions in place to ensure that consent is provided to collect, store, and disseminate this information.
The uploaded data is employed to populate the newly configured software system (and data base) of our customers, as required by them in terms of their contracts with us. Data in respect of employees and sub-contractors are housed in our HR and Payroll software, to facilitate salary payments, PAYE deductions, pension – and medical aid payments, and reimbursing of all business-related expenses.
It is important to note that all data processing is done in compliance with applicable laws (refer “Legislation” above), including appropriate notice and consent, along with required filings with data protection authorities (where required). We neither use any of the data for marketing – or recruitment purposes, nor would we ever sell, rent, or lease your personal information to other parties. However, we reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights, or the rights of others, or to comply with a judicial proceeding, court order, law enforcement or legal process. We also reserve our right to use or share your information to protect the rights or property of Axnosis, our customers, business partners, sub-contractors, or other affected parties, when we have reasonable grounds to believe that such rights or property have been or could be negatively affected.
Who Has Access to the Data?
Only the implementation team working on developing and configuring the new software system of a customer has access to the data provided by the customer. The relevant Project Manager is the one who monitors and ensures that only his/her team members have access rights to customer data provided under a specific contract.
Employee – and sub-contractors’ related data are only accessed by our HR Department and our directors.
Our commitment: Axnosis will always secure the integrity and confidentiality of personal information in our possession or under our control by taking appropriate, reasonable, technical, and organizational measures to prevent the: loss of, damage to, unauthorized destruction, and unlawful access to or processing of all personal information.
Where is Data Stored and How is it Protected / Monitored?
Data is received from customers in three ways:
(1) Via e-mails sent to the implementation team members.
(2) Customers transferring data directly via our Sharepoint site into a client-specific designated folder.
(3) Recorded meetings as indicated above.
All this data is then stored on Sharepoint and on the laptops and cell phones of our staff and sub-contractors. Sharepoint folders / files and all customer folders on laptops and cell phones are password protected, with password changes required once every quarter. Only implementation team members may have access to the Sharepoint folders / files of the customer/s applicable to them.
All data (on Sharepoint and laptops) are duplicated and stored in the cloud, which is also password protected, with quarterly changes in passwords being required. Our employees and external sub-contractors have all signed POPIA-related confidentiality agreements that are on file and included as appendixes to their employment – and sub-contractor agreements respectively.
Employee – and sub-contractors’ related data are stored in arch-lever files and kept in secure, lock-up metal cabinets under control of our HR department. All this data is scanned in and softcopies thereof are stored in the cloud as back-up, where all folders are password protected, requiring quarterly changes.
Note that all passwords are monitored by HR and implementation Project Managers and no third parties have any knowledge of passwords except the relevant individuals using their own unique passwords. On top of this, we employ antivirus and antispyware on our internal systems as well as employees’ and sub-contractors’ laptops, to monitor any attempts to illegally access data.
How is Data Transferred to a Third Party (if any)?
We do not transfer personal information about a data subject to a third party (e.g., a sub-contractor, business partner, auditors, regulatory or governmental authorities, etc.) domiciled locally or in a foreign jurisdiction unless:
(1) the data subject has granted written consent where there is no formal contract in place; and/or
(2) the transfer is necessary for the performance of a contract between the data subject and us; and/or
(3) the transfer is for the benefit of the data subject.
We recognize and respect the varying national laws and obligations and their impact on cross-border data transfers. When transferring personal information outside of the country of collection for the purposes identified above, Axnosis will do so in compliance with the applicable law.
How Long is Data Retained and When is it Deleted?
In respect of a software implementation project: The data is retained until at least the completion of the project, and for the duration of the maintenance contract, after which all data is deleted as stated below.
If there is no maintenance contract, all data is kept until at least the expiry of the customer satisfaction period, which is normally 3 (three) months post implementation, after the customer signs a “Satisfied / In Order” confirmation form (also called the “Cut-Over Document”) that the newly implemented software is according to the required specifications, that sufficient training has been completed, and all data has been correctly uploaded in the new system. When the customer signs said form, all data is deleted from Sharepoint, the cloud back-up, the laptops and cell phones of employees and sub-contractors. Where the customer does not sign, data is retained indefinitely, to safeguard us in the event of legal claims brought against us by a customer.
Where data is sourced from a customer apart from a signed contract, such data is obtained with the consent of the customer. The customer (or data subject) may request in writing that we delete all his/her data or personal information. Refer to next section.
Data of employees and sub-contractors are deleted upon the resignation of employees and the expiry of the sub-contractors’ agreements, respectively. This includes hardcopies and softcopies of the data.
Generally, we shall retain personal information only for as long as legally required or permitted and in accordance with our records and information management policies. Note that a deletion request cannot be honoured when Axnosis is required by law to keep that information. We respect your right to privacy and upon your request Axnosis will no longer use your personal information unless required to provide you services or as necessary to comply with our legal obligations, resolve complaints and disputes, and enforce our contractual agreements.
What are the Rights of Data Subjects?
- You have the right to remain private.
- You have the right to have your personal information / data remain private.
- You have the right to consult and engage privacy settings to ensure your personal information is protected by adequate safeguards.
- You have the right to be protected by privacy settings configured by you for your online accounts and digital information.
- You have the right to opt out of the sale of your personal information to third parties without your knowledge and consent.
- You have the right to have your personal information deleted at your request.
- You have the right to be notified where, when, and how your data is being used, and for what purposes.
- Your personal data is yours and yours alone.
- You have the right to classify your data, e.g., Confidential; Restricted; Secret, or Public Information.
Specific: You have the right to have your personal information processed in accordance with the conditions for the lawful processing as prescribed by the relevant Acts, including the right:
- To be notified that: 1) personal information about him/her/it is being collected as provided for in terms of the Acts; or
2) his/her/its personal information has been accessed or acquired by an unauthorised person.
- To establish whether a responsible party holds personal information of the data subject and to request access to his/her/its personal information.
- To request, where necessary, the correction, destruction, or deletion of his/her/its personal information.
- To object, on reasonable grounds relating to his/her/its particular situation, to the processing of his/her/its personal information.
- To object to the processing of his/her/its personal information at any time for purposes of direct marketing or reasons listed in the Acts, e.g., direct marketing by means of unsolicited electronic communications except where consent is held or the data subject is a customer of the responsible party.
- Not to be subject, under certain circumstances, to a decision which is made solely on the basis of the automated processing of his/her/its personal information intended to provide a profile of such person.
- To submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator.
- To institute civil proceedings regarding the alleged interference with the protection of his/her/its personal information.
Data Breach Notification
There is a general obligation to notify the data subject of any data breach. Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorised person, the responsible party (or any third party processing personal information under the authority of the responsible party) must notify the Information Regulator and the data subject of such breach, unless the identity of the data subject cannot be established. Notification to the data subject must be:
- Made as soon as reasonably possible after the discovery of the breach. In terms of GDPR (UK), breaches must be specifically reported to the supervisory authorities within seventy-two (72) hours of the discovery of the breach;
- Sufficiently detailed; and
- In writing and communicated to the data subject by mail, email, and placement in a prominent position on the website of the responsible party, publication in the news media, or as may be directed by the Information Regulator.
We have set in place employee and sub-contractor training to ensure they are privacy aware employees throughout their employment – and sub-contractor agreements’ tenors respectively. All new employees hired, or new sub-contractors – and business partner agreements concluded, require that they are trained in respect of GDPR and POPIA. This is supplemented by annual awareness briefings, targeted training for high-risk populations, and periodic awareness messaging to all affected parties.
With regular privacy risk assessments, and in consultation with our auditors, we monitor emerging risk items and mitigate all identified weaknesses to constantly enhance our compliance capabilities.
Complaints, Objections, and Data Requests
Data may be requested by data subjects (customers, employees, sub-contractors, and business partners) for purposes of confirmation, amendments, and/or deletion at any time. As a data subject, with cognizance of the exception clause under “Scope” above, you have the right to:
- Request that we provide you with a description of the personal information we hold about you, and to explain why and how it is being processed (please complete Annexure A – hardcopy included below).
- Request that we consider your objections to the processing of your personal information (please complete Annexure B – hardcopy included below).
- Lodge a complaint with the Information Regulator / Commissioner (please complete Annexure B above, which reflects their contact details).
- Procedure to request copies of personal information in terms of PAIA:
- Section 53 of the said Act prescribes that the requester must use the prescribed form (in our PAIA Manual) to make the request for access to a record.
- The request must be submitted in terms of the said Manual, which is available upon request from the Human Rights Commission or from Axnosis directly.
- The requester must pay the relevant fees as per #10 of the Manual.
- Note that there may be grounds for refusing access to information, i.e.:
- Protection of privacy of a third party who is a natural person.
- Protection of confidential information.
- Protection of safety of individuals, and protection of property
- Protection of information in legal proceedings. This includes requests after start of legal proceedings.
- Protection of commercial information (company and/or third party).
- Protection of research information (company and/or third party).
- The IO must respond to a PAIA request within thirty (30) days after receiving the request. The IO may request an extension for a period of no more than thirty (30) additional days for specific reasons, which include the request involving: 1) A large volume of documents; and / or 2) Consultation with other public or private entities required. Only one extension is allowed per PAIA request.
Axnosis is committed to resolve any complaints / objections / disputes you may have in relation to your privacy and our collection and use of your personal information. Where applicable, affected parties may also reach out to their national privacy authorities and ask for their support. We are committed to coordinate and collaborate with foreign regulators, such as EU, USA, and Australian privacy authorities.
We will treat your requests / complaints / objections / disputes confidentially. Our representative will contact you within a reasonable time after receipt of your completed form and e-mail to address your concerns and outline options regarding how they may be resolved. We shall aim to ensure that your complaint is resolved in a timely and appropriate manner.
Annexure A Personal Information Request Form
Annexure B Complaint Form
Access to our websites and Sharepoint data folders:
When you access our websites or data folders (when provided), you are responsible for complying with our terms and conditions in use on our websites and Sharepoint.
Liabilities and Warranties:
Everything on our websites and Sharepoint folders is provided to you “as is” without warranty of any kind, either express or implied. You use our websites and Sharepoint folders (when provided) entirely at your own risk. Axnosis does not warrant that our data sites, or any material downloaded from our site, will be error-free, or free of viruses, or other harmful components. We also provide no warranties or representations as to the accuracy of the content on our websites. We assume no liability or responsibility for any errors or omissions in the content of our site, even though we have made reasonable effort to ensure the accuracy and veracity of the content on our site. We also reserve our right to change, in our sole discretion, our site in any way or at any time, as we deem fit, without notice. We shall not be liable for any damages of any kind arising from your use of our site and any content therein.
Enquiries and Contact Details