This Notice explains how we obtain, use and disclose your personal information, as is required by the Protection of Personal Information Act (“POPIA”).
This Statement is not intended to reproduce laws or regulations but rather to set out guidelines for our conduct in any operations which involve the Processing of your Personal Information when you use our website.
Group1 Auto (“Group1”), including its holding company, subsidiaries and associate companies.
Scope of policy:
This policy applies to the business of Group1 Auto wherever it is conducted, but based at the registered office. It applies to all staff.
Policy operational date:
01 July 2021
Policy prepared by:
Policy Review Date:
Annual and/or as determined by legislation
As per Section 14 of the Constitution of the Republic of South Africa, 1996, everyone has the right to privacy which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. At Group1 Auto, we are committed to protecting the privacy of our clients, suppliers, and staff members and ensuring that their personal information is collected and used properly, lawfully, and transparently. We have therefore developed and adopted a governance policy which relates specifically to the collecting, recording, use and removal of the personal information collected from our clients as well as the distribution or sharing of any such information.
Purpose of policy:
The objective of this document is to formally document the company’s commitment to the POPIA and ensure that our employees fully understand what is expected of them in terms of our governance framework as it applies to the protection of our employees, our customers’, and policyholders’ personal information as defined in the POPIA.
The purpose of this policy is to enable Group1 Auto to:
- Comply with the law in respect of the data it holds about individuals
- Follow good practice
- Protect Group1 Auto’s staff, our clients and other individuals
- Protect the organisation from the consequences of a breach of its responsibilities
This policy applies to information relating to identifiable living individuals, and where applicable an identifiable, existing juristic person.
In terms of Group1 Auto, the responsible party, represents its customers, employees and suppliers that have personal information (PI) to protect.
Personal information includes pieces of information like names and telephone numbers.
Ordinary personal information (PI) includes:
- Information about gender, marital status, age, language;
- ID numbers, any identifying number (like a passport number or employee number);
- Email addresses, physical addresses, telephone numbers, social media handles (e.g. a Facebook account name);
- Information about where a person is (e.g., GPS co-ordinates tracked by a cell phone);
- Private communications;
- Personal opinions (which includes one’s opinion about someone else);
- Preferences or idiosyncrasies; and
- Information that one may say something about a person noted for example on a sanctions list.
Group1 Auto will:
- Comply with both the law and good practice
- Respect individuals’ rights
- Be open and honest with individuals whose data is held
- Provide training and support for staff who handle personal data, so that they can act confidently and consistently
Group1 Auto recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
- Keeping information securely in the right hands, and
- Retention of good quality information
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Group1 Auto will seek to give individuals as much choice as possible and reasonable over what data is held and how it is used.
Group1 Auto has identified the following potential key risks, which this policy is designed to address:
- Breach of confidentiality (information being given out inappropriately)
- Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
- Failure to offer choice about data use when appropriate
- Breach of security by allowing unauthorised access
- Harm to individuals if personal data is not up to date
- Data Operator contracts
Information Officer Responsibilities:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.
Responsible party to ensure conditions of lawful processing
Marlene Hamiltonis the Information Officer of our company, and it is his/ her responsibility to ensure that the conditions and requirements detailed in this policy are complied with.
- All instructions given by the Information Officer must be obeyed.
- The Information Officer has the authority to call for disciplinary action where necessary.
- The requirements in this document are added to and become part of the conditions of employment of every employee. Any non-compliance with this policy by any employee will result in disciplinary action.
- All Employees, clients and suppliers may refer any queries, concerns, or information of potential or actual breaches of personal information to the Information Officer.
The Information Officer has the following responsibilities:
Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
- Reviewing the POPI Act and periodic updates as published
- Ensuring that POPI Act induction training takes place for all staff
- Ensuring that periodic communication awareness on POPI Act responsibilities takes place
- Ensuring that Privacy Notices for internal and external purposes are developed and published
- Handling data subject access requests
- Approving unusual or controversial disclosures of personal data
- Approving contracts with Data Operators
- Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
- Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
- Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act
- Provide direction to any Deputy Information Officer if and when appointed
- Dealing with requests made to Group1 for access to Personal Information held by us and liaising with local regulators
- Providing training to our employees
The appointment of the Group1 Auto Information Officer was authorised by the Designated Head.
Consideration will be given on an annual basis of the re-appointment or replacement of the Information Officer and the need for any Deputy to assist the Information Officer.
Should you wish to raise any questions, concerns, possible violations, and reportable conditions, please contact our Information Officer at:
Address: 1 Jan Celliers Road, Stellenbosch Central, Stellenbocsh, 7600
Contact number: 021 887 6900
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
This condition restricts the scope of processing of personal information by requiring compliance with these conditions:
- lawfulness of the processing of all personal information;
- the requirement relating to consent, justification, and the lodging of objections; and
- The collection of personal information directly from the data subject.
We will only obtain personal information (PI) that is adequate, relevant, and not excessive taking the purpose for which it will be processed into account. In addition, the personal information should be accurate, complete, and kept up to date.
Group1 Auto undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
We cannot process personal information if:
- its accuracy is contested by our employees, clients, customers, or policyholders. In this event, we have to first verify the accuracy of the information and have confirmed its accuracy and if still contested, our information officer must be informed who will give instructions.
- we no longer need the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof.
- the processing is unlawful, and our employees, customers, or policyholders oppose its destruction or deletion and requests the restriction of its use instead, or
- our employees, customers or policyholders request to transmit the personal data into another automated processing system.
- The personal information referred to in clause (b) may, with the exception of storage, only be processed for purposes of proof, or with that person’s consent, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
Where the processing of personal information is restricted pursuant to clause (b), we must inform that person before lifting the restriction on processing.
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive. In this sense, in respect of:
- Policyholders – it must only relate directly to the information required to finance a vehicle, purchase a vehicle, or enter into an insurance contract for which we are licensed.
- Our employees – it must only relate to the information legally and commercially necessary to enter into an appropriate contract.
- Our customers – it must only relate to the information legally and commercially necessary to receive payment and to provide a certificate of competence as required by the Financial Services Conduct Authority.
Forms of consent, justification and objection:
Group1 Auto undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.
- Personal information may only be processed if the processing:
- is necessary to carry out actions for the conclusion or performance of a contract to which our employees, customers or policyholders are party,
- complies with an obligation imposed by law on us,
- protects a legitimate interest of our employees, customers, or policyholders, is necessary for pursuing our legitimate interests or of a third party to whom we supply the information and that we have on file proof of our employees, customers, or policyholders’ consent.
- Our employees, customers or policyholders may withdraw that consent at any time provided that such withdrawal does not impact on our compliance with any regulation or law.
- Our employees, customers or policyholders may object, at any time, to the processing of personal information on reasonable grounds unless legislation provides for such processing. Nevertheless, we have to point out to our employees, customers, or policyholders that it could affect the contract for which the personal information was collected.
- If our employees, customers, or policyholders object to the processing of personal information we may no longer process the personal information. In this respect, our Information Officer must be informed who will provide the employee with instructions.
- Under no circumstances may the information be collected or processed unless a specific instruction is obtained from our Information Officer where the information pertains to:
- a child,
- the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, sexual orientation or biometric information of a person; or
- the criminal behaviour of a person to the extent that such information relates to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed unless necessary for the purpose of entering into a contract with that person and where that person has given explicit permission to collect that information.
Collection directly from our employees, customers, or policyholders
- We have to collect personal information directly from our employees, customers, or policyholders unless:
- the information is contained in or derived from a public record or has deliberately been made public by our employees, customers, or policyholders,
- the collection of the information from another source would not prejudice the legitimate interest of our employees, customers, or policyholders,
- the collection of the information from another source is necessary to avoid prejudice to the maintenance of the law by the prevention, detection, investigation, prosecution, and punishment of offences,
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of income tax,
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated,
- in the interests of national security; or
- to maintain our legitimate interests or of a third party to whom the information is supplied; or
- compliance would prejudice a lawful purpose of the collection; or
- compliance is not reasonably practicable in the circumstances of the particular case.
Group1 Auto undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 13 and 14, subject to legislative stipulation.
Specific Purpose collection
Personal information can only be collected for a specific, explicitly defined, and lawful purpose in respect of employees, customers, or policyholders as noted under the heading MINIMALITY above.
Record retention and restriction
- Subject otherwise to clauses (ii) and (iii) below, we cannot retain records of personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless
- retention of the record is required or authorised by law,
- we reasonably require the record for lawful purposes related to our functions or activities, or
- retention of the record is required by a contract between us.
- We are allowed to retain records of personal information for periods in excess of those contemplated in clause (a) under the MINIMALITY heading for historical, statistical or research purposes if we have established appropriate safeguards against the records being used for any other purposes. In this respect, our Information Officer must be consulted prior to the continued storage being effected.
- If we have used a record of personal information of employees, customers, or policyholders to make a decision about that person, we must:
- retain the record for such period as may be required or prescribed by law or a code of conduct; or
- if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford that person a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
- All employees are hereby instructed to destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after we are no longer authorised to retain the record in terms of the clauses noted under the MINIMALITY heading above.
- The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
Further Processing Limitation:
Group1 Auto undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, section 15.
- Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of clause 5.
- To assess whether further processing is compatible with the purpose of collection, we must take account of:
- the relationship between the purpose of the intended further processing and the purpose for which the information has been collected,
- the nature of the information concerned,
- the consequences of the intended further processing for our employees, customers, or policyholders,
- the manner in which the information has been collected, and
- any contractual rights and obligations between us.
- The further processing of personal information is not incompatible with the purpose of collection if:
- our employees, customers or policyholders have consented to the further processing of the information,
- the information is available in or derived from a public record or has deliberately been made public by that person,
- further processing is necessary.
- to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution, and punishment of offences,
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in the South African Revenue Service Act,
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
- in the interests of national security.
- further processing of the information is necessary to prevent or mitigate a serious and imminent threat to
- public health or public safety; or
- the life or health of our employee, customer, policyholder, or another individual; or
- the information is used for historical, statistical or research purposes and we ensure that further processing is carried out solely for such purposes and will not be published in an identifiable form.
- the further processing of the information is in accordance with an exemption granted in terms of POPIA.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5.
Group1 Auto will comply with all of the aspects of Condition 5, section 16.
Group1 Auto will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
- Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
- Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
- Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Group1 Auto will review all personal information on an annual basis or as required by legislation.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.
In line with Conditions 6 and 8 of the Act, Group1 Auto is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
- for what purpose it is being processed;
- what types of disclosure are likely; and
- how to exercise their rights in relation to the data.
Data subjects will generally be informed in the following ways:
- Staff: through this policy
- Customer and other interested parties: through the Group1 Auto privacy notice.
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
- When we collect personal information, we must take reasonably practical steps to ensure that our employee, customer, or policyholder is aware of:
- the information being collected and where the information is not collected from that person, the source from which it is collected,
- our name and address,
- the purpose for which the information is being collected,
- whether or not the supply of the information by that person is voluntary or mandatory,
- the consequences of failure to provide the information,
- any particular law authorising or requiring the collection of the information,
- the existence of the right to object to the processing of personal information as referred to in clause (c) under the MINIMALITY heading,
- the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of that person to be reasonable. The Information Regulator’s contact details are:
Tel: 012 406 4818
Fax: 086 500 3351
- The steps referred to in clause (i) above must be taken:
- if the personal information is collected directly from our employee, customer or policyholder before the information is collected, unless that person is already aware of the information referred to in that clause; or
- in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
- It is not necessary for us to comply with clause (i) above if:
- that person has provided consent for the non-compliance,
- non-compliance would not prejudice the legitimate interests of that person,
- non-compliance is necessary:
- to avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution, and punishment of offences,
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in the South African Revenue Service Act, 1997,
- for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
- in the interests of national security.
- compliance would prejudice a lawful purpose of the collection,
- compliance is not reasonably practicable in the circumstances of the particular case,
- the information will not be used in a form in which that person may be identified; or
- the information is to be used for historical, statistical or research purposes.
- Group1 Auto reserves the right to exercise any appropriate form of legal action against any party which may cause us harm and/or damages by way of non-compliance with this Statement. Parties also risk statutory penalties.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, section 19 to 22.
This section of the policy only addresses security issues relating to personal information. It does not cover the security of the building, business continuity or any other aspect of security.
Group1 Auto has identified the following risks:
- Staff with access to personal information could misuse it.
- Staff may be tricked into giving away information, either about customers/member or colleagues, especially over the phone, through “social engineering”.
Access to information on the main Group1 Auto computer system will be controlled by function.
Group1 Auto has identified security levels required for each record held which contains Personal Information.
- We secure the integrity and confidentiality of personal information in our possession or under our control by taking appropriate, reasonable technical and organisational measures to prevent loss of damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.
- to give effect to the responsibilities in the clause wherein we must maintain the documentation of all processing operations under our responsibility, our Information officer in conjunction with our IT specialists continually assess all reasonably foreseeable internal and external risks to personal information in our possession or under our control which includes:
- establishing and maintaining appropriate safeguards against the risks identified,
- regularly verifying that the safeguards are effectively implemented; and
- ensuring that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
- It is the responsibility of every employee to warn our Information Officer when the safeguards in place may not be appropriate in given circumstances.
- Each and every employee must have due regard to the generally accepted information security practices and procedures which may apply to us generally or be required in terms of our specific industry or professional rules and regulations.
Group1 Auto will ensure that adequate steps are taken to provide business continuity in the event of an emergency.
Data Subject Participation:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23-25.
Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.
Procedure for making requests:
Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay.
Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA).
Provision for verifying identity:Where the individual making a subject access request is not personally known to the POPI Act Information Officer their identity will be verified before handing over any information.
Procedure for granting access:
Procedures for access to personal information will be handled in compliance with the Promotion of Access to Information Act (PAIA).
Processing of Special Personal Information:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.
Processing of Special Personal Information:
Group1 Auto has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences.
Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information applies, a responsible party is prohibited from processing special personal information.
Processing of Personal Information of Children:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.
Processing of Personal Information of Children:
Group1 Auto has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records.
General authorisation concerning the personal information of children only applies where under-18s are involved.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 6.
Group1 Auto has the policy of adhering to the process of Prior Authorisation in terms of sections 57 to 59.
Direct Marketing, Directories and Automated Decision Making:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
Direct Marketing, Directories and Automated Decision Making:
Group1 Auto undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt-in.
Group1 Auto has the policy of sharing lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly-controlled basis. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with an option to opt-out, and has not exercised this option.
Group1 Auto undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt-out.
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
Trans-border Information Flows:
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.
Trans-border Information Flows:
Group1 Auto will ensure that the POPI Act Chapter 9, section 72 is fully complied with.
Compliance with section 72 will be achieved through the use of the necessary contractual commitments from the relevant third parties.
Further information on these rights can be found at the Information Regulator’s website at https://www.justice.gov.za/inforeg.
Staff training and acceptance of responsibilities:
The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
Information for staff is contained in this policy document and other materials made available by the Information Officer.
The Group1 Auto Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.
Group1 Auto will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervision.
Procedure for staff signifying acceptance of policy:
Group1 Auto will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.
The Group1 Auto Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.
The Group1 Auto Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.
APPENDIX A: Group1 AUTO CUSTOMER PRIVACY NOTICE CONTENTS
We respect the privacy of everyone who visits this website. As a result, we would like to inform you regarding the way we would use your Personal Information. We recommend you to read this Customer Privacy Notice and Consent so that you understand our approach towards the use of your Personal Information.
By submitting your Personal Information to us, you will be treated as having given your permission – where necessary and appropriate – for disclosures referred to in this policy.
By using this website, you acknowledge that you have reviewed the terms of this Customer Privacy Notice and Consent to Use of Personal Information (the “Customer Privacy Notice and Consent”) and agree that we may collect, use and transfer your Personal Information in accordance therewith.
If you do not agree with these terms, you may choose not to use our site, and please do not provide any Personal Information through this site. This Customer Privacy Notice and Consent forms part of our Site Terms and Conditions of Use and such shall be governed by and construed in accordance with the laws of South Africa.
This Notice explains how we obtain, use and disclose your personal information, as is required by the Protection of Personal Information Act No 4 of 2013 (POPI Act). At Group1 Auto we are committed to protecting your privacy and to ensure that your Personal Information is collected and used properly, lawfully and openly.
The information we collect:
Collection of Personal Information:
We collect and process your Personal Information mainly to provide you with access to our services and products, to help us improve our offerings to you and for certain other purposes explained below. The type of information we collect will depend on the purpose for which it is collected and used. We will only collect information that we need for that purpose. We collect information directly from you where you provide us with your personal details, for example when you purchase a product or services from us or when you submit enquiries to us or contact us. Where possible, we will inform you what information you are required to provide to us and what information is optional.
Examples of information we collect from you are:
- email address
- telephone/ cell number
- user-generated content, posts and other content you submit to our website
We also collect information about you from other sources as explained below.
With your consent, we may also supplement the information that you provide to us with information we receive from other companies in our industry in order to offer you a more consistent and personalized experience in your interactions with Group1 Auto.
Collection of Non-Personal Information:
We may automatically collect non-Personal Information about you such as the type of internet browsers you use or the website from which you linked to our website. We may also aggregate details that you have submitted to the site (for example, the products or services you are interested in). You cannot be identified from this information and it is only used to assist us in providing an effective service on this website. We may from time-to-time supply third parties with this non-personal or aggregated data for uses in connection with this website.
We use the term “cookies” to refer to cookies and other similar technologies covered by the POPI Act on privacy in electronic communications.
What is a cookie?
Cookies are small data files that your browser places on your computer or device. Cookies help your browser navigate a website and the cookies themselves cannot collect any information stored on your computer or your files. When a server uses a web browser to read cookies, they can help a website deliver a more user-friendly service. To protect your privacy, your browser only gives a website access to the cookies it has already sent to you.
How are third-party cookies used?
How do I reject and delete cookies?
How we use your information:
We will use your Personal and Non-Personal Information only for the purposes for which it was collected or agreed with you, for example:
- Analyse the effectiveness of our advertisements, competitions and promotions
- Collect information about the device you are using to view the site, such as your IP address or the type of Internet browser or operating system you are using and link this to your Personal Information so as to ensure that the site presents the best web experience for you
- Evaluate the use of the site, products and services
- For audit and record-keeping purposes
- For market research purposes
- For monitoring and auditing site usage
- Help speed up your future activities and experience on the site. For example, a site can recognise that you have provided your Personal Information and will not request the same information a second time.
- In connection with legal proceedings
- Make the site easier to use and to better tailor the site and our products to your interests and needs
- Offer you the opportunity to take part in competitions or promotions
- Personalise your website experience, as well as evaluate (anonymously and in the aggregate) statistics on website activity, such as what time you visited it, whether you’ve visited it before and what site referred you to it
- Suggest products or services (including those of relevant third parties) which we think may be of interest to you
- To assist with business development
- To carry out our obligations arising from any contracts entered into between you and us
- To conduct market or customer satisfaction research or for statistical analysis
- To confirm and verify your identity or to verify that you are an authorised customer for security purposes
- To contact you regarding products and services which may be of interest to you, provided you have given us consent to do so or you have previously requested a product or service from us and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
- To notify you about changes to our service
- To respond to your queries or comments
- We will also use your Personal Information to comply with legal and regulatory requirements or industry codes to which we subscribe or which apply to us, or when it is otherwise allowed by law.
- Where we collect Personal Information for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we have to keep it for legitimate business or legal reasons. In order to protect information from accidental or malicious destruction, when we delete information from our services we may not immediately delete residual copies from our servers or remove information from our backup systems.
- You can opt-out of receiving communications from us at any time. Any direct marketing communications that we send to you will provide you with the information and means necessary to opt-out.
Disclosure of Personal Information:
We may disclose your Personal Information to our business partners who are involved in the delivery of products or services to you. We have agreements in place to ensure that they comply with these privacy terms.
We may share your Personal Information with, and obtain information about you from:
- Third parties for the purposes listed above;
- Other companies in our industry when we believe it will enhance the services and products we can offer to you, but only where you have not objected to such sharing;
- Other third parties from whom you have chosen to receive marketing information.
We may also disclose your information:
- Where we have a duty or a right to disclose in terms of law or industry codes;
- Where we believe it is necessary to protect our rights.
Personal Information Security:
We are legally obliged to provide adequate protection for the Personal Information we hold and to stop unauthorised access and use of personal information. We will, on an ongoing basis, continue to review our security controls and related processes to ensure that your Personal Information is secure.
Our security policies and procedures cover:
- Acceptable usage of personal information;
- Access to personal information;
- Computer and network security;
- Governance and regulatory issues;
- Investigating and reacting to security incidents.
- Monitoring access and usage of personal information;
- Physical security;
- Retention and disposal of information;
- Secure communications;
- Security in contracting out activities or functions;
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that Personal Information that we remain responsible for, is kept secure. We will ensure that anyone to whom we pass your Personal Information agrees to treat your information with the same level of protection as we are obliged to.
Access to your Personal Information:
You have the right to request a copy of the Personal Information we hold about you. To do this, simply contact us at the numbers/ addresses listed on our home page and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information.
Correction of your Personal Information:
You have the right to ask us to update, correct or delete your personal information. We will take all reasonable steps to confirm your identity before making changes to Personal Information we may hold about you. We would appreciate it if you would take the necessary steps to keep your Personal Information accurate and up-to-date by notifying us of any changes we need to be aware of.
For the purposes of this Statement, the following definitions apply –
- “Consent” means an informed, unconditional, specific and voluntary expression of will in terms of which permission is given for the Processing of Personal Information;
- “Contractual Performance” – means we must Process your Personal Information in order to be able to provide you with one of our products or services;
- “Data Subject” means the natural or juristic person to whom Personal Information relates;
- “Dealerships” means a juristic entity duly operating as a Group1 Auto dealership in South Africa.;
- “Employee” means any such person as defined in the Labour Relations Act 66 of 1995, under the employ of Group1 Auto, and any other such person who may conduct work for or on behalf of Group1 Auto on a once off or ongoing basis, as the case may be;
- “Information Officer” means the person/s designated by Group1 Auto to direct compliance with POPI within Group1 Auto;
- “Information Regulator” means the body established in terms of section 39 of POPI;
- “IS/IT Systems” means collectively and individually –
- Group1 Auto’s IS/IT infrastructures, telecommunications systems and all its components; and
- Devices as well as the applications running on and services provided via such Devices, including e-mail, voicemail, internet and intranet;
- “Legal Obligation” – means we are required by law to Process your Personal Information;
- “Legitimate Interests” – means where Processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights;
- “Operator” means any person who Processes Personal Information for or on behalf of Group1 Auto in terms of a contract or mandate concluded between Group1 Auto and such person;
- “Personal Information” means information relating to an identifiable, living, natural person, and where applicable, an identi, an identifiable, existing juristic person, and includes the meaning given to it in the POPI;
- “POPI” means the Protection of Personal Information Act, 4 of 2013
Changes to this notice:
Please note that we may amend this notice from time to time. Please check our website periodically to inform yourself of any changes.
How to contact us:
If you have any queries about this notice or believe we have not adhered to it, or need further information about our privacy practices or wish to give or withdraw consent, exercise preferences or access or correct your personal information, please contact us at the numbers/ addresses listed on our website.