1. Policy Statement
WR360 processes personal information of employees, clients and other data subjects. The company must comply with the Protection of Personal Information Act No. 4 of 2013 (POPIA) and the Promotion of Access to Information Act No. 2 of 2000 (PAIA).
WR360 commits to protecting privacy and ensuring personal information is used appropriately, transparently, securely and lawfully. This policy clarifies how WR360 handles personal information and the rights of data subjects.
2. Objectives
- Ensure legislative compliance with POPIA and PAIA regarding all collected personal information
- Inform employees and clients about information usage, disclosure and destruction
- Ensure personal information is used only for the purpose for which it was collected
- Prevent unauthorised access and use of personal information
3. Definitions
Processing means collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, merging, linking, erasure or destruction.
PAIA — Promotion of Access to Information Act No. 2 of 2000
POPIA — Protection of Personal Information Act No. 4 of 2013
Regulator — The Information Regulator established under POPIA
4. Collection of Personal Information
WR360 collects information based on need and processes it for that purpose only. Parties are informed which information is mandatory versus optional, and the consequences of non-disclosure.
Information is processed lawfully and reasonably without infringing privacy. Consent is obtained when required. Processing occurs for:
- Contract conclusion or performance
- Legal obligation compliance
- Data subject legitimate interest protection
- Company or authorised third-party legitimate interests
Examples of collected personal information include:
- Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, birth
- Education, medical, financial, criminal or employment history
- Banking and account information
- Contact information
- Identifying numbers, symbols, email address, telephone number, location and online identifiers
- Personal opinions, views, preferences, performance appraisals and correspondence
WR360 does not process special personal information without complying with POPIA provisions. Special information concerns religious or philosophical beliefs, race, ethnic origin, political persuasion, health, sex life or criminal behaviour.
Collection of employee information
Employees include potential, past and existing staff. Independent contractors receive equal treatment. New employee and contractor information is required for system processing, record-keeping and position suitability assessment.
Employee information is used for:
- Department of Labour submissions
- Receiver of Revenue submissions
- Audit and record-keeping
- Legal proceedings
- Legal and regulatory compliance
- Administrative functions
- Disciplinary action or conduct and capacity issues
- Employment benefits administration
- Pre- and post-employment checks and screening
- Other notified relevant purposes
Collection of client and supplier information
Clients include potential, past and existing clients. Suppliers are vendors contracting for products or services, once-off or recurring.
Collected client and supplier information includes:
- Identity number, name, surname, address and postal code
- Business and postal address
- Contact information
- Banking details
- Company registration number
- Full legal entity name
- Tax and VAT number
- Account-responsible person details
WR360 collects client information for marketing purposes to ensure product and service relevance.
Use of client and supplier information: Information is used only for its collection purpose and as agreed, including product and service provision, accounts and service communication, supplier payment and service communication, details confirmation, verification and updating, audit and record-keeping, legal proceedings, and legal and regulatory compliance.
Disclosure of personal information: WR360 may share employee and client or supplier information with authorised third parties, or obtain information from them, for the stated purposes. Disclosure occurs where there is a duty or right under legislation or law, or when necessary to protect organisational rights or data subject interests.
5. Safeguarding of Personal Information and Consent
WR360 regularly reviews security controls and processes to ensure information security. The company takes appropriate technical and organisational measures preventing loss, damage, unauthorised destruction, unlawful access or processing through:
- Internal and external risk identification
- Appropriate safeguard establishment and maintenance
- Regular safeguard verification and implementation review
- Safeguard updates
- Implementation of generally accepted information security practices
Information Officer
Name: Andre Rossouw
Telephone: 041 581 0435
Postal address: WR360, First Floor, 254 Walmer Boulevard, South End, Gqeberha, 6070
Physical address: WR360, First Floor, 254 Walmer Boulevard, South End, Gqeberha, 6070
Information Officer responsibilities include:
- Compliance framework development, implementation, monitoring and maintenance
- Manual development, monitoring, maintenance and availability per PAIA Section 51
- Internal measures and systems development for information requests and access
- Staff awareness sessions regarding Act provisions, regulations, codes of conduct and Regulator information
Employment contracts contain relevant consent clauses for employee information use and storage. Suppliers and third-party service providers sign service level agreements guaranteeing POPIA commitment. Client and supplier consent is obtained at sign-on, appointment or contracting.
6. Direct Marketing
The company ensures:
- No personal information is processed for direct marketing via electronic communication without data subject consent or existing customer status
- Unconsenting data subjects are approached once in the prescribed manner requesting consent
- Direct marketing concerns only WR360’s similar products and services, with data subjects given reasonable objection opportunity at information collection time
- Direct marketing communications contain sender identity details and contact information for communication cessation requests
7. Transfer of Information Outside of South Africa
WR360 will not transfer personal information to foreign third parties unless:
- The third party is subject to law, binding corporate rules or agreement providing adequate personal information protection and effective reasonable processing principles
- The data subject consents to the transfer
- Transfer is necessary for contract performance between the data subject and the company
- Transfer is necessary for contract conclusion or performance in the data subject’s interest between the company and a third party
- Transfer benefits the data subject and obtaining consent is impractical, though the data subject would likely consent if practical
8. Security Breaches
WR360 assesses the nature and extent of any breach detected on systems containing personal information to determine if information has been compromised. Affected parties are notified if information is compromised, provided organisational identification of the data subject is possible. Website publication or Information Regulator-prescribed methods are considered otherwise.
Notification is provided via email, registered mail or the organisational website, and includes:
- A description of the possible breach consequences
- The measures taken to address the breach
- Recommendations for data subjects to mitigate adverse effects
- Identification of the party responsible for the breach
WR360 notifies the Regulator of any breach or personal information compromise and cooperates with Regulator recommendations.
Breach procedures:
- The Information Officer oversees the investigation
- The Information Officer reports to the Information Regulator within 3 working days of the breach
- The Information Officer reports to the affected data subject within 3 working days, reasonably and practically, of the breach
- Timeframes are guidelines; the merits may require earlier or later reporting
9. Access and Correction of Personal Information
Employees and clients may request access to personal information held by WR360. They may request information updating, correction or deletion on reasonable grounds by contacting the Information Officer or registered office.
Objecting employees or clients may prevent WR360 from processing their personal information. Processing failure consequences must be outlined before objection confirmation. Objection reasons must be provided.
Registered Office
Name: WR360 (Pty) Ltd.
Telephone: 041 581 0435
Postal address: First Floor, 254 Walmer Boulevard, South End, Gqeberha, 6000
Physical address: First Floor, 254 Walmer Boulevard, South End, Gqeberha, 6000
Email: engage@wr360.co.za
10. Information Disclosure to Third Parties
The WR360 website discloses personal information when legally required or when necessary to:
- Conform to law or comply with legal process
- Protect and defend WR360 or website visitor rights or property
- Identify violators of law, legal notices or third-party rights
- Cooperate in investigations of unlawful activity
WR360 may share personal information with affiliates and business partners to improve products, services and offers, requiring them to honour this policy and POPIA provisions. Explicit consent is obtained before sharing, with opt-out availability.
WR360 maintains a strict policy of not selling or renting email addresses or personal information.
11. Retention of Records
WR360 retains information as legally prescribed, including:
- Companies Act No. 71 of 2008 and Companies Amendment Act No. 3 of 2011: hard copies of certain documents retained for 5 years — including company-required documents, accounts, books, writings, records and information; notices and minutes of all meetings including adopted resolutions; copies of reports presented at annual general meetings; and copies of annual financial statements and accounting records required by the Act
- Basic Conditions of Employment Act No. 75 of 1997: staff records retained for no less than 3 years
12. Amendments to this Policy
Policy amendments occur subject to WR360 discretion and legislative changes. Such changes are brought to the attention of employees and clients where applicable.
13. Requests for Information
Under POPIA
Objection to processing: Data subjects wishing to object to personal information processing per POPIA Section 11(3)(a) must submit a written objection to the responsible party.
Correction or deletion request: Data subjects requesting personal information correction or deletion, or record destruction or deletion, per POPIA Section 24(1) must submit a written request.
Processing consent request: Responsible parties processing personal information for direct marketing via electronic communication must obtain written data subject consent.
Complaint submission: Complaints per POPIA Section 74(1), or complaints by responsible parties or data subjects per POPIA Section 72(2), must be submitted to the Information Regulator.
Under PAIA
Access request: PAIA Section 18(1) or Section 53(1) record access requests must use prescribed Form 2 from Annexure A to the 2021 Promotion of Access to Information Regulations. Outdated forms such as Form A are non-compliant and may result in regulatory action. Download prescribed Form 2
PAIA Section 51 Manual: All requests must comply with the organisation’s PAIA Section 51 Manual provisions.