Privacy Policy

PRIVACY AND CONSENT NOTICE

Consent to Process Personal Information in terms of the Protection of Information Act, 2013 (POPIA) (EMAIL, WEBSITE AND SOCIAL MEDIA PRIVACY NOTICE)

1.INTRODUCTION

The Protection of Personal Information Act, 2013 (POPIA) gives effect to the constitutional right to data privacy in terms of Section 14 of the Bill of Rights of the Constitution.

The responsible use of the HARMONY website and related resources in respect of data privacy is important to HARMONY.

1. POPIA regulates and controls the processing, including the collection, use, and transfer of a person’s personal information.
2. In terms of POPIA, a person (Responsible Party) has a legal duty to process (collect, use, transfer and destroy) another’s (Data Subject) personal information (Personal Information) in a lawful, legitimate and responsible manner and in accordance with the provisions and the 8 processing conditions set out under POPIA.
3. Unless the processing is –
   1. necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or
   2. required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or
   3. necessary to protect the legitimate interest(s) of the Data Subject or the Responsible Party; or
   4. necessary for the proper performance of a public law duty by a public body; or
   5. necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied
   6. all processing of a Data Subject’s Personal Information must be done with the Data Subject’s permission– i.e. the Data Subject has to consent to the processing of its Personal Information
4. Harmony does and will from time to time process Personal Information which belongs or is held by a Data Subject
5. Following this, in order to comply with POPIA, HARMONY in its capacity as the Responsible Party, requires the Data Subject’s permission to process the Data Subject’s Personal Information

2. POPIA DEFINITIONS AND INTERPRETATION

1. This Informed Consent Notice explains and sets out
   1. what Personal Information belonging to the Data Subject will be processed by HARMONY
   2. why HARMONY needs the Data Subject’s Personal Information
   3. what HARMONY will be doing with the Data Subject’s Personal Information
   4. who HARMONY will share the Data Subject’s Personal Information with
   5. what HARMONY will do with the Data Subject’s Personal Information once the purpose for the processing comes to an end
2. In order to understand the implications of this document and the objectives of POPIA, the reader is to take note of the following explanatory notes and POPIA definitions which will be used throughout this Informed Consent Notice and which may be used in the interpretation of this document
   1. “biometrics” means a technique of personal identification that is based on physical, physiological or behavioural characterisation including fingerprinting, blood typing, DNA analysis, retinal scanning and voice recognition; HARMONY may from time to time make use of the Data Subject’s Biometrics for security access control and related identification procedures
   2. “child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him-or herself
      
      Harmony will from time to time have to process Personal Information of a child who may belong to a Data Subject, for amongst other reasons employment and benefit related purposes, which use will require the competent person’s consent as defined below.
   3. “competent person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child
   4. “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information
      
      All Personal Information which the Data Subject provides to Harmony will be subject to this Informed Consent Notice and when by providing Harmony with the Data Subject’s Personal Information, the Data Subject gives, Harmony the Data Subject’s implied consent to use the Data Subject’s Personal Information in accordance with this Informed Consent Notice.
   5. “Data Subject” means the person who will provide Harmony or its Operator(s) with Personal Information and who consents when providing such Personal Information, to Harmony’s use thereof in accordance with this Informed Consent Notice
      
      A Data Subject will include the reader of this notice who will be providing Harmony with Business’ or Personal Information and which the Data Subject by virtue of providing such Personal Information to Harmony , give Harmony the required consent to use the Personal Information, in accordance with this Informed Consent Notice.
   6. “Operator” means a natural person or a juristic person who processes a Data Subject’s Personal Information on behalf of Harmony in terms of a contract or mandate, without coming under the direct authority of Harmony; Harmony will, in order to pursue and protect its legitimate interests and in many cases to protect the Data Subject, under a written contract, ask Operators to process certain categories of the Data Subject’s Personal Information on its behalf including but not limited to
      • Relevant Industry Associations (e.g. South African Minerals Council)
      • Organised Employee Representatives (e.g. NUM, AMCU Solidarity and UASA)
      • Payroll service providers
      • Core Benefits Providers
      • Medical Cover providers
      • Retirement Funding Providers
      • Auditors, Legal Practitioners
      • Government and Provincial Departments (e.g. Department of Labour, SARS, Department of Health and Department of Minerals and Energy)
   7. “person” means a natural person or a juristic person
   8. “Personal Information” means information relating to any identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, namely the Data Subject, including, but not limited to:
      1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
         
         Harmony will need to process race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birthdates of all potential and actual employees for security, employment and benefit related purposes.
         
         Harmony will need to process race, gender, pregnancy, marital status, national, ethnic or social origin, colour, age, physical or mental health, well-being, disability, language and birthdates of all potential and actual sole proprietors and individual service providers who intend or do provide products and services to Harmony for security, business and contractual, related purposes.
         
         Harmony will need to process race, gender, marital status, national, ethnic or social origin, colour, age, language and birthdates of persons who ask Harmony for information or in order for Harmony to reply to any query or request made by such person.
         
      2. information relating to the education or the medical, financial, criminal or employment history of the person
         
         Harmony will need to process information relating to the education, medical, financial, criminal and employment history of all potential and actual employees for security, employment and benefit related purposes.
         
         Harmony will need to process information relating to the financial, criminal and employment history of all potential and actual sole proprietors and individual service providers who intend or do provide products and services to Harmony for security, business and contractual related purposes or who apply for any form of funding or assistance.
         
         Harmony will need to process information relating to the financial and criminal history of all potential and actual service providers who are legal entities, who intend or do provide products and services to Harmony for security, business and contractual related purposes.
         
      3. any identifying number, symbol, e- mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; Harmony will need to process all Data Subjects’ identity or registration numbers, e-mail address, physical and postal address, telephone and contact numbers, location information, and other required identifiers pertaining to a Data Subject from time to time for security, employment, business, marketing, promotional and contractual related purposes or in order for Harmony to attend to a person’s request, or enquiry for information, including any person or Data subject who applies for funding or assistance of any kind
         
      4. the biometric information of the person; Harmony may from time to time make use of a Data Subject’s Biometrics for security access control, employment, contractual and related identification procedures
         
      5. the personal opinions, views or preferences of the person; Harmony may from time to time make use of personal opinions, views or preferences of a Data Subject for business, sponsorship, funding, marketing, and promotional, security, employment, and / or contractual purposes
         
      6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
         
         Harmony may from time to time make use of private or confidential correspondence received from a Data Subject for business, investigative and / or security purposes as well as for employment, or contractual purposes.
         
      7. the views or opinions of another individual about the person; and Harmony may from time to time make use of views or opinions of another individual about the Data Subject for business, marketing, promotional, security, employment, or contractual purposes
         
      8. the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person
   9. “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
      1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
      2. dissemination by means of transmission, distribution or making available in any other form; or
      3. merging, linking, as well as restriction, degradation, erasure or destruction of information
      4. sharing with, transfer and further processing, to and with such information
   10. “record” means any recorded information
       1. Regardless of form or medium, including any of the following
          1. Writing on any material
          2. information produced, recorded or stored by means of any tape- recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored
          3. label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means
          4. book, map, plan, graph or drawing
          5. photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced
       2. in the possession or under the control of a responsible party
       3. whether or not it was created by a responsible party; and
       4. regardless of when it came into existence
          
          All Personal Information processed by HARMONY and its Operators will be housed under a record.
   11. “responsible party” means HARMONY including, executives, management, HR practitioners, ER practitioner, payroll department, IS department, health department, safety department, internal auditors, legal practitioner and compliance and risk officers, company secretary, and all other employees and Operators who need to process a Data Subject’s personal Information for HARMONY business purposes
   12. “Special Personal information” includes any information relating to an individual’s: Ethnicity, Gender, Religious or other beliefs, Political opinions, Membership of a trade union, Sexual orientation, Medical history, Offences committed or alleged to have been committed by that individual, Biometric details, and Children’s details

Harmony and its Operators will from time to time process Special Personal Information pertaining to a Data Subject for business, security, employment, and contractual purposes

3. APPLICATION OF THIS INFORMED CONSENT NOTICE

This Informed Consent Notice will apply to Harmony, and to the Data Subject, and / or the Data Subject’s Personal Information which is processed or may be processed by Harmony including any processing of the Data Subject’s Personal Information by any Operators duly appointed by Harmony

4. PURPOSE FOR THE COLLECTION

1. In order for Harmony to pursue its business objectives and strategies, Harmony needs to process Personal Information for which such Personal Information will be used for a number of legitimate purposes, including, inter alia, the following:
   1. for the purposes of complying with a variety of lawful obligations, including but not limited to:
      • Administrative laws
      • Company laws
      • Corporate governance codes
      • Communication laws
      • Environmental laws
      • Financial and Tax laws
      • Health and Safety laws
      • Labour and Employment laws
      • Medical Aid laws
      • Pension fund laws
   2. for the purposes of carrying out actions for the conclusion and performance of a contract as between Harmony and the Data Subject;
   3. for the purposes of protecting you/the Data Subject’s and/or Harmony’s legitimate interest (s) including the performance of risk assessments and risk profiles;
   4. where required by law or company policy receiving from or providing to any credit bureau or credit provider or credit association information about the Data Subject’s credit record, including personal information about any judgement or default history;
   5. for the purposes of any proposed or actual merger, acquisition or any form of sale of some or all Harmony’s assets, providing the Data Subject’s Personal Information to third parties in connection with the evaluation of the transaction and related due diligence procedures;
   6. for the purposes of making contact with the Data Subject and attending to the Data Subject’s enquiries and requests;
   7. for academic research and statistical analysis purposes, including data analysis, testing, research;
   8. for the purposes of pursuing the Data Subject’s and / or Harmony’s legitimate interests, or that of a third party to whom the Personal Information is supplied;
   9. for the purposes of performing internal operations, including management of employees, employee wellness programmes, the performance of all required HR and ER functions, call centres and enquiries, attending to all financial matters including budgeting, planning, invoicing, facilitating and making payments, and generally providing commercial support, where needed, requested or required;
   10. for the purpose of preventing fraud and abuse of Harmony processes, systems, procedures and operations, including conducting internal and external investigations and disciplinary enquiries and hearings.
2. the Data Subject agrees that Harmony may use all the Personal Information provided to Harmony which is required by Harmony for the purposes of pursuing its business objectives and strategies.
3. Harmony in turn undertakes that it will only use the Data Subject’s Personal Information for the aforementioned purposes and for no other, unless with the Data Subject’s prior permission.

5. CONSEQUENCES OF WITHHOLDING CONSENT OR PERSONAL INFORMATION

Should the Data Subject refuse to provide Harmony with the Personal Information required by Harmony for the purposes indicated above, and do not provide the required consent to process the aforementioned Personal Information, Harmony will be unable to engage with the Data Subject or enter into any agreement or relationship with the Data Subject.

6. STORAGE, RETENTION AND DESTRUCTION OF PERSONAL INFORMATION

1. The Data Subject’s electronic Personal Information will be stored in a centralised data base, which, for operational reasons, will be accessible to all within Harmony on a need to know and business basis, save that where appropriate, some of the Data Subject’s Personal Information may be retained in hard copy.
   
2. All Personal Information which the Data Subject provide to Harmony will be held and / or stored securely.
   
   In this regard Harmony undertakes to conduct regular audits regarding the safety and the security of the Data Subject’s Personal Information.
   
3. Once the Data Subject’s Personal Information is no longer required due to the fact that the purpose for which the Personal Information was held has come to an end and expired, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 2008 or longer should this be required by any other law applicable in South Africa (e.g. health records are to be retained for 40 years as per the Mine Health and Safety Act, 1996). Harmony thereafter will ensure that such Personal Information is permanently destroyed in a secure manner.

7. ACCESS BY OTHERS AND CROSS BORDER TRANSFER

1. Harmony may from time to time have to disclose the Data Subject’s Personal Information to other parties, including its group companies or subsidiaries, joint venture companies, or third party service providers, regulators and or governmental officials, overseas service providers and related companies or agents. Such disclosure will always be subject to an agreement which will be concluded as between Harmony and the party to whom it is disclosing the Data Subject’s Personal Information to, which contractually obliges the recipient of your Personal Information to comply with strict confidentiality and data security conditions.
2. Where Personal Information and related data is transferred to a country which is situated outside the borders of South Africa, the Data Subject’s Personal Information will only be transferred to those countries which have similar data privacy laws in place or where the recipient of the Personal Information is bound contractually to a no lesser set of obligations that those imposed by POPIA.

8. RIGHT TO OBJECT AND COMPLAIN

The Data Subject is encouraged to make immediate contact with the Harmony Information Officer at any time if not comfortable or satisfied with the manner in which Harmony is processing the Data Subject’s Personal Information. On receipt of the Data Subject’s objection, Harmony will place a hold on any further processing until the cause of the objection has been resolved.

If the Data Subject is not satisfied with such process, the Data Subject has the right to lodge a complaint with the South African Information Regulator:

33 Hoofd Street, Forum III, 3rd Floor Braampark South Africa
e-mail: inforeg@justice.gov.za

9. ACCURACY OF INFORMATION AND RESPONSIBILITY POPIA

requires that all the Data Subject’s Personal Information and related details as supplied, are complete, accurate and up- to-date.

Whilst Harmony will always use its best endeavours to ensure that the Data Subject’s Personal Information is reliable, it will be the Data Subject’s responsibility to advise Harmony of any changes to the Data Subject’s Personal Information, as and when these may occur.

10. BREACH OF PERSONAL INFORMATION

An information security compromise (data breach) involving personal information, could lead to the accidental or unlawful use, destruction, loss, alteration or disclosure of that data.

Where data subjects or any other Harmony stakeholder becomes aware of a data breach or potential data breach, such incident must immediately be reported to the Harmony Information Officer (as per the details provided) or an e-mail must be sent to popia@harmony.co.za.

Harmony will inform the Regulator as soon as reasonably possible after becoming aware of a security compromise. Harmony will also communicate such compromise with Data Subjects, especially where the exposure presents a high-risk to them.

In accordance with the Harmony Incident Response Plan, an investigation will be conducted to establish the cause of such breach and ensure that remedial action is effected to prevent similar future incidents.

11. ACCESS TO INFORMATION BY THE DATA SUBJECT

The Data Subject has the right at any time to ask HARMONY to provide the Data Subject with details of the Personal Information which Harmony holds on the Data Subject’s behalf; and/or the purpose for which it has been used provided.

Such request must be made using the standard Section 51 Harmony PAIA process, which procedure can be accessed by downloading and completing the standard request for information form, housed under the Harmony Section 51 PAIA Manual which can be found on the Harmony website at: www.harmony. co.za

12. AMENDMENTS

1. HARMONY reserves the right to amend this Informed Consent Notice from time to time.
2. The Data Subject is requested to please check the Harmony website periodically to be informed of any changes.
3. The rights and obligations of the parties under this Informed Consent Notice will be binding on, and will be of benefit to, each of the parties’ successors in title and / or assigns where applicable, i.e. in the case of a sale or transfer of business by the Data Subject to another.

13.DECLARATION AND INFORMED CONSENT

1. I/ the Data Subject confirm that my / the Data Subject’s Personal Information, provided is accurate, up-to-date, not misleading and is complete in all respects, save where same may change and then in such an event, I/ the Data Subject undertake to advise Harmony or its Operator (s) of these changes.
2. I, / the Data Subject, in providing the required Personal Information to Harmony and / or to its Operator, consent and give Harmony permission to process and further process my /the Data Subject’s Personal Information as and where required and acknowledge that I/ the Data Subject understand the purposes for which the Personal Information is required and for which it will be used.
3. Furthermore, should any of the Personal Information which has been provided by myself concern or pertain to a legal entity whom I represent, I confirm that I have the necessary authority to act on behalf of such legal entity/ Data Subject and that I have the right to provide the Personal Information and / or the required consent to use said Personal Information, on behalf of the aforementioned legal entity.
4. Should any of the Personal Information belong to any of my dependants and/or beneficiaries who are under age, I in my capacity as their legal guardian and competent person give Harmony the appropriate permission to process their Personal Information for the purposes for which these details were given.