DATA RETENTION POLICY

Definitions:

“Data subject” (you, our client)
“Responsible party” (we, Black Pay (Pty) Ltd)
In terms of POPIA, records of personal information must not be retained any longer than is necessary for achieving the purpose (for as long as you are our client) for which the Information was collected or subsequently processed by Black Pay (Pty) Ltd

Unless:

• Retention of the record is required or authorised by law or
• Black Pay (Pty) Ltd reasonably requires the record for lawful purposes related to its functions or activities; or
• Retention of the record is required by a contract between the parties thereto; or
• The data subject or a competent person, where the data subject is a child, has
consented to the retention of the record.

Section 23 of the Financial Intelligence Centre Act 38 Of 2001 states that

An accountable institution must keep the records referred to in section 22 which relate to—

(a) The establishment of a business relationship, for at least five years from the date on which the business relationship is terminated;

(b) A transaction which is concluded, for at least five years from the date on which that transaction is concluded.

Notwithstanding these exceptions, records of personal information may be retained for periods in excess of these mentioned for historical, statistical, or research purposes if Black Pay (Pty) Ltd has established appropriate safeguards against the records being used for any other purposes.

If Black Pay (Pty) Ltd has used a record of personal information of a data subject to make a decision about the data subject, we must—

1. Retain the record for such period as may be required or prescribed by law (as according to the Legal Practitioners Act 22 of 2019 and the Financial Intelligence
Centre Act 38 of 2001)

When must Black Pay (Pty) Ltd destroy or delete a record of personal information or deidentify it:

As soon as reasonably practicable after we are no longer authorised to retain the record in terms of the above. The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.

Black Pay (Pty) Ltd must restrict processing of personal information if —

1. Its accuracy is contested by the data subject, for a period enabling us to verify the accuracy of the information;
2. We no longer need the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
3. The processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
4. The data subject requests to transmit the personal data into another automated processing system.

The above personal information may, with the exception of storage, only be processed for:

• purposes of proof; or
• with the data subject’s consent; or
• with the consent of a competent person in respect of a child; or
• for the protection of the rights of another natural or legal person or if such
processing is in the public interest.

Where processing of personal information is restricted in accordance with the above, we must inform the data subject before lifting the restriction on processing.