Confluence South Africa Privacy Statement

Confluence Privacy Statement (South Africa)

 

Version dated August 25, 2020

Confluence Technologies Inc. and its subsidiaries (collectively “Confluence”, “we”, “us” and “our”) is committed to safeguarding the privacy of our clients (“you” and “your”).

Confluence is a “Processor” of your personal data. This is a legal term – it means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The concept of a “processor” does not change under the POPIA (defined below). You should read this notice, so that you know what we are doing with your personal data. Our use of your personal data is governed by the Licence Agreement with each data controller (i.e. your employer or the custodian of your personal data). Please refer to the privacy notice of your data controller on details of how data processors are permitted to use your data.

1.3 “Personal data” (hereafter referred to as “PI”) means any information that relates to an identifiable natural person and where applicable, an identifiable existing juristic person. Your name, address, any identifying number, contact details, IP address and job title are all examples of your personal data, if they identify you.

1.4 “PAPIA” means the Promotion of Access to Information Act, a South African data access to information law.

1.5 “POPIA” means the Protection of Personal Information Act, a South African data protection law.

1.6 The term “process” means any activity relating to PI, including, by way of example, collection, storage, use, consultation and transmission.

1.7 Security of PI – Confluence will take all reasonable steps or measures to keep your PI secure. To this end, Confluence has implemented appropriate and reasonable technology, policies and processes aimed at protecting the confidentiality and integrity of your PI. This includes but not limited to adequate secure access controls to all our systems and files.

2. WHAT TYPES OF PI WE COLLECT, WHERE WE GET IT FROM, THE PURPOSES FOR WHICH WE USE IT AND THE LEGAL BASIS WE RELY ON

2.1 In this Section 2 we have set out:
(a) the general categories of PI that we may process;
(b) the source of the PI that we may process;
(c) the purposes for which we may process PI; and
(d) the legal bases or reasons we rely on in order to process PI lawfully.

2.3 We may process PI within your account data. The account data may include your name and email address. The source of the account data is you or your employer. The account data may be processed for the purposes of providing our services and communicating with you. The legal basis for this processing is our legitimate interests, namely the proper administration of our services and business.

2.4 We may process information that you provide to us for the purpose of subscribing to our email blog and product notifications and/or newsletters (“notification data“). The notification data may be processed for the purposes of sending you requested relevant notifications and/or newsletters. The legal basis for this processing is consent. Please do not supply any other person’s PI to us, unless we prompt you to do so.

3. WHO WE SHARE YOUR PI WITH AND WHY?

3.1 We may disclose your PI to organizations in the same group as us for purposes of data processing or storage we may share your personal information with our affiliated or subsidiary companies (“Affiliated Companies”), including:

  • Confluence International Ltd (United Kingdom)
  • Confluence Vietnam Company Ltd (Vietnam)
  • StatPro Group Limited (United Kingdom)
    • StatPro Ltd. (United Kingdom)
    • Freedom Index Ltd (United Kingdom)
    • Delve Ltd. (United Kingdom)
    • StatPro Inc. (United States)
    • StatPro Canada Inc. (Canada)
    • StatPro France SARL (France)
    • StatPro Italia srl (Italy)
    • ECPI srl (Italy)
    • StatPro S.A. (Luxembourg)
    • StatPro (Deutschland)GmbH (Germany)
    • StatPro South Africa (Pty) Ltd (South Africa)
    • InfoVest Consulting (Pty) Ltd (South Africa)
    • StatPro Australia Pty Ltd (Australia)

3.2 We may disclose extracts of your PI to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

3.3 You authorise Confluence to engage its own affiliated companies, for the purposes of providing the Confluence service. In addition, you agree that Confluence may use sub-processors to fulfill its contractual obligations with the you or to provide certain services on its behalf.

3.4 In addition to the specific disclosures of PI set out in this Section 3, we may disclose your PI where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to seek to protect your vital interests or the vital interests of another natural person. We may also disclose your PI where we determine that such disclosure may be reasonably necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

4. INTERNATIONAL TRANSFERS OF YOUR PI

4.1 In this Section 4, we provide information about the circumstances in which your PI may be transferred to countries outside of South Africa.

4.2 The POPIA controls the transfer of PI from South Africa to foreign countries and prohibits this unless: (POPIA, section 71)

  • the person receiving the information is subject to similar laws;
  • subject has agreed to the transfer of information;
  • such transfer is part of the performance of a contract which the subject is a party; or
  • transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (POPIA, section 72)

We may process PI in other countries to support ongoing business delivery. Some countries may not have similar privacy requirements; in which case we will seek to ensure that the receiving parties agree to adequate privacy principles before we share such information and at the very least one of the following will be ensured when transferring South African PI:

  • The country to which the PI will be sent affords an adequate or level of PI protection;
  • Recipients in the receiving country agree to treat information in accordance with the POPIA provisions;
  • Data subjects’ consent to the transfer of their PI
  • Transfer is necessary for performance of a contract between the person whose PI is being transferred and the responsible party.

Confluence will take measures to protect your PI no matter where we process or store it, following this privacy statement. By submitting your PI to Confluence, you hereby consent to this transfer and processing of your PI.

5. RETAINING AND DELETING PI

5.1 This Section 5 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of PI.

5.2 PI that we process for any purpose or purposes shall not be kept for longer than we determine is reasonably necessary for that purpose or those purposes.

5.3 We will retain your PI as follows: Confluence service account data will be retained while you are a client and user of Confluence services. Confluence account data will be removed from production systems within 30 days of service termination, as defined in the most current version of the Confluence License Agreement and Confluence Terms of Use. Offline backup copies of Confluence account data will be retained with restricted access and in encrypted format for a minimum of seven years.

5.4 Notwithstanding the other provisions of this Section 5, we may retain your PI where we determine such retention may be reasonably necessary for compliance with a legal obligation to which we may be subject, or in order to protect your vital interests or the vital interests of another natural person.

DIRECT MARKETING

For direct marketing purposes, we may share your personal information with our Affiliated Companies.

From time to time, we may contact you by email, post or SMS with information about products or services we believe you may be interested in.

You can then let us know at any time that you do not wish to receive marketing messages by sending an email to us at email confluence privacy. You can also unsubscribe from our marketing by clicking on the unsubscribe link in any marketing messages we send to you.

7. AMENDMENTS TO THIS POLICY

  • 7.1 We may update or amend this policy from time to time by publishing a new version on our website. This policy is available at Confluence privacy policy.

7.2 You should check this page occasionally to ensure you are happy with any changes to this policy.

7.3 We may notify you of changes to this policy by email or through a notification pop up message when you visit the website.

8 .YOUR PI RIGHTS

8.1 In this Section 8, we have summarised the rights that you have under the POPIA. Not all of the rights listed in this Section are engaged in all circumstances. On receipt of a rights request, we will assess whether the right you are seeking to exercise is engaged.

8.2 Everyone has the right to be informed if someone is collecting their PI, or if their PI has been accessed by an unauthorized person. In addition, they have the right of access to their PI and to require that PI be corrected or destroyed, or they may object to their PI being processed.

8.3 The POPIA does not apply to PI processed

  • in the course of a personal or household activity,
  • or where the processing authority is a public body involved in national security,
  • defence, public safety, anti-money laundering,
  • or the Cabinet or Executive Council of the Province
  • or as part of a judicial function.

8.4 PI can only be processed: (POPIA, Section 11)

  • with the consent of the “data subject”; or
  • if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
  • if it is required by law; or
  • if it protects a legitimate interest of the “data subject”; or
  • if it is necessary to pursue your legitimate interests or the interest of a third party to whom the PI is supplied.

8.5 Everyone has the right to object to having their PI processed. They have the right to withdraw their consent, or object if they can show legitimate grounds for their objection.

8.6 Confluence will only collect PI directly from the “data subject”, unless:

  • -this PI is contained in some public record or has been deliberately published by the data subject;
  • collecting the PI from another source does not prejudice the subject;
  • it is necessary for some public purpose; or to protect their own interests;
  • obtaining the PI directly from the subject would prejudice a lawful purpose or is not reasonably possible.

PI may only be collected for a specific, explicitly defined and lawful purpose and the data subject must be aware of the purpose for which the information is being collected. (POPIA, Section 13)

Once the PI is no longer needed for the specific purpose for which it was gathered, it must be disposed of (or the data subject must be “de-identified”).

PI may only be kept if it is allowed by law, or the information is needed to keep the record for lawful purpose or in accordance with the contract between Confluence and the data subject, or the data subject has consented to the data processor keeping the records. (section 14)

Confluence is entitled to keep records of PI for historical, statistical or research purposes if it has been “de-identified” and safeguards have been established to prevent the records being used for any other purposes.

Records must be destroyed in a way that prevents them from being reconstructed.
PI may only be used for the purpose which the data was collected. (POPIA, Section 15)
Documentation relating to PI and how it has been processed must be maintained as referred to in PAPIA section 14 or 51.

8.7 When PI is being collected, data subjects must be made aware of: (POPIA, Section 18)

  • the information that is being collected and if the PI is not being collected from the subject, the subject must be made aware of the source from which the PI is being collected;
  • the name and address of the person/organisation collecting the PI;
  • the purpose of the collection of the PI;
  • what period the PI will be retained for and assurance given that it will be destroyed by given date;
  • whether the supply of the PI by the subject is voluntary or mandatory;
  • the consequences of failure to provide the PI;
  • whether the PI is being collected in accordance with any law;
  • if it is intended for the PI to leave South Africa and what level of protection will be afforded to the PI after it has left South Africa.
  • who will be receiving the PI;
  • that the data subject has access to the PI and the right to rectify any details;
  • that the data subject has the right to object to the PI being processed (if such right exists);
  • that the data subject has the right to lodge a complaint to the Information Regulator (defined below). The contact details of the Information Regulator can be found here (POPIA, Section 18)

8.8 These requirements have to be met before the PI is collected directly from the subject, or soon as reasonably practicable. If additional information is collected from a subject for a different purpose, the same process must be followed.

This Section 8 must be read in conjunction with the POPIA which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

8.9 You have the right to ask us to confirm whether or not we process your PI and, where we do, access to the PI, together with certain additional information. That additional PI includes details of the purposes of the processing, the categories of PI concerned and the recipients of the PI. Providing rights and freedoms of others are not affected, we will supply to you a copy of your PI. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. Please email Confluence subject access request with your request. For further details, please refer to our PAIA Manual which can be found here.

8.10 To the extent that the legal basis for our processing of your PI is:

(a) consent; or

(b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your PI from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

8.11 If you consider that our processing of your PI infringes data protection laws or has resulted in a breach of your PI, you have a legal right to:

  • To contact us at the details outlined in Section 9, where we will instigate an urgent enquiry into your claim or
  • lodge a complaint with a supervisory authority responsible for data protection. You may do so with the Information Regulator

8.12 You may exercise any of your rights in relation to your PI by email or written notice to us.

9. How to Contact

If you have any questions regarding Confluence’s privacy practices, the use of your personal information, or about this Statement, please contact us at:

Confluence Technologies, Inc.
Nova Tower One
One Allegheny Square, Suite 800
Pittsburgh, PA 15222
Email: Confluence privacy
Phone: 412-802-8632

StaPro South Africa Pty Ltd.
2nd Floor,
Liesbeek House,
River Park,
Gloucester Road,
Mowbray,
Cape Town 7700
South Africa
Email: Confluence privacy
Phone: +27 21 443 2140