Intecon Data Privacy Policy and Security Arrangements Implemented

1. DEFINITIONS

1.1 In this Policy, the following terms shall bear the following meanings:

1.2 “Access to the NPS” means, firstly, access to the NPS granted by Intecon to an Intecon User who has concluded a User Agreement with Intecon. Access includes access to payment streams and NPS non-regulated services such as Account Verification Services. Secondly, access to the NPS is granted to Intecon once debits against the bank account nominated by the Intecon User are processed to recoup fees due and payable to Intecon. Thirdly, access to the NPS is granted to Intecon once payment instructions of Clients of Banks as Data Subjects are processed;

1.3 “Applicable Law” means: (i) any statute, directive, order, enactment, regulation, by-law, ordinance, or subordinate legislation in force from time to time; (ii) any binding court order or judgement; (iii) any applicable industry code, guidance, policy, or standard enforceable by law; and (iv) any applicable direction, statement of practice, guidance, policy, rule, or order that is set out by a regulator (including the Regulator) that is binding on Intecon in the NPS;

1.4 “Data Subject” means any natural persons in respect of whom Personal Information relates and/or in respect of whom Personal Information is obtained, Processed, and stored on the Intecon centralised environment and ALLPS-i as part of the Services rendered as an authorised System Operator in the NPS;

1.5 “Intecon” means Information Technology Consultants (Pty) Ltd, Registration Number 1997/001713/07;

1.6 “Intecon Personnel” means all employees appointed by Intecon as employer in terms of an Intecon Employment Agreement and where each Intecon Employment Agreement contains and specifies all requirements to be met by both Intecon and the Intecon Personnel to comply with Applicable Law;

1.7 “Intecon Qualified Security Assessor” means the contractually-appointed entity who, on an annual basis, assists Intecon in obtaining the required compliance certification with the Payment Card Industry Data Security Standard (PCI DSS) as mandated by Visa, Mastercard, American Express, and other Card Associations;

1.8 “Intecon User Agreement” means the Agreement concluded between Intecon and an Intecon User;

1.9 “Intecon User” means an individual or entity who has concluded an Intecon User Agreement with Intecon and through which Agreement the Intecon User as a client of Intecon is granted access to the NPS using Intecon as System Operator or using Intecon as an Independent Sales Organisation (“ISO”) to render such Service as described and set out in this Policy;

1.10 “Maker of a Promissory Note” means any Client of a Bank who is a Data Subject and who has concluded an Agreement with Intecon and who has issued a Promissory Note payment instruction in favour of an Intecon User and Intecon;

1.11 “NPS” means the South African National Payment System within the geographical borders of the Republic of South Africa;

1.12 “Operator” means Intecon as Operator described in section 20 of POPIA;

1.13 “PASA” means the Payment Association of South Africa;

1.14 “Personal Information” shall have the meaning ascribed thereto in Chapter 1 of POPIA;

1.15 “Processing” or “Processed” shall have the meaning ascribed to it in Chapter 1 of POPIA;

1.16 “POPIA” means the Protection of Personal Information Act 4 of 2013, as amended;

1.17 “Policy” means this document reflecting and containing the Intecon Data Privacy Policy and associated Security Standards and other arrangements implemented. This Policy amplifies any Agreement where Intecon is a Contracting Party to such Intecon User Agreement;

1.18 “Regulator” means the appropriate Information Regulator as defined under POPIA or in the context of the NPS, the South African Reserve Bank (“SARB”) and PASA. PASA is the recognised Payment System Management Body as set out in the NPS Act, Act No. 78 of 1998 as amended;

1.19 “Responsible Person” means the applicable Responsible Person as set out in section 20 of POPIA and in terms of this Policy, either the Intecon User or Intecon, as the case may be;

1.20 “Security Standards” means, due to the requirements of the Regulator or the NPS Regulator, the changes to generally accepted information security practices, or specific threats identified by the Intecon Qualified Security Assessor;

1.21 “Services” means the Access to the NPS as set out in this Policy.

2. INTECON USER CLIENT AS RESPONSIBLE PERSON

2.1 The Intecon business operation is that of a PASA authorised System Operator in the NPS.

2.2 Intecon is further classified by the Card Associations as an ISO and Third-Party Processor for Card purchase transactions, registered as such with the Card Associations by Mercantile Bank, a division of Capitec Bank Limited and where Mercantile Bank is the Acquiring Bank of Intecon.

2.3 Intecon and First National Bank, a Division of FirstRand Bank Ltd, concluded an Agreement with regard to the issuing of FEZA VISA branded cards and the opening of eWallet bank accounts.

2.4 As such, Intecon renders Services to a Client of a Bank and to an Intecon User.

2.5 Where Intecon renders Services to an Intecon User, there is no direct interaction between Intecon and the Data Subject as a client of the Intecon User. As such, the Intecon User is the Responsible Person with regard to the Personal Information as set out in POPIA and the Intecon User must meet and comply with all requirements set out in POPIA.

2.6 Where clause 2.3 of this Policy applies, Intecon acts as Operator as described in section 20 of POPIA.

3. INTECON AS RESPONSIBLE PERSON

3.1 During the conclusion of the Intecon User Agreement, Intecon obtains Personal Information of the Intecon User through the supply, signing of, and the consent and authority supplied by the Intecon User to Intecon to debit the bank account specified by the Intecon User, allowing and mandating Intecon to recoup fees and charges payable to Intecon.

3.2 During the conclusion of the Intecon Agreement between Intecon and the Maker of a Promissory Note, Intecon obtains Personal Information of the Maker of the Promissory Note as Data Subject. The Personal Information is obtained through the Agreement, the issue and the supply of the Promissory Note payment instruction, and the consent and authority supplied by the Data Subject to Intecon to execute the Maker’s payment instruction, allowing Intecon to request a debit against the bank account specified by the Maker of the Promissory Note.

3.3 Where clauses 3.1 and 3.2 of this Policy apply, Intecon acts as the Responsible Person as described in section 20 of POPIA.

4. OBLIGATIONS OF INTECON WITH RESPECT TO PROCESSING OF PERSONAL INFORMATION

4.1 treat the Personal Information as strictly confidential in accordance with the provisions of this Policy;

4.2 only Process Personal Information in accordance with Applicable Laws, in terms of this Policy and in accordance with any reasonable instructions, requirements, or specific directions of the Intecon User or Data Subject; subject thereto that the Intecon User’s instructions or the Data Subject’s requirements or specific directions will not compromise the Intecon annual PCI-DSS certification, taking cognisance of the fact that Intecon processes authenticated card and PIN based payment instructions;

4.3 not disclose or otherwise make available the Personal Information to any third party other than NPS regulators who require access to such Personal Information strictly for Intecon to carry out its obligations under this Policy and as System Operator, and where no permission is required from the Intecon User or Data Subject to part with information to a NPS Regulator, a Paying Bank who hosts the bank account of a Data Subject, or the Intecon Acquiring Bank.

4.4 ensure that all Intecon Personnel having access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information on substantially the same terms and conditions as set forth in this Policy;

4.5 take appropriate, reasonable, technical, and organisational measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and that such Personal Information is protected against unauthorised or unlawful Processing, accidental loss, destruction or damage, alteration, disclosure, or access by having regard to:

4.5.1 any requirement set forth in Applicable Law; stipulated in industry rules or in codes of conduct or by a professional body; and/or

4.5.2 generally accepted information security practices and procedures which apply to: (i) Intecon’s business; and (ii) to the Intecon User, as may be appropriate to discharge its obligations in terms of this Policy;

4.6 take appropriate, reasonable, technical, and organisational measures to ensure that the Personal Information in its possession or under its control remains immediately available to the Intecon User as and when it may be required;

4.7 comply with the specific requirements with regard to Personal Information as may be set forth in an instruction relating to the Services or any other specific directions or requirements of the Intecon User with regard to Personal Information;

4.8 conduct PCI-DSS audits as required to do so as a System Operator and conduct a PCI-DSS certification annually. Intecon will provide PASA and the Intecon Acquiring Bank with the results of its annual PCI-DSS certification;

4.9 take all necessary steps to:

4.9.1 implement and maintain appropriate safeguards against the risks identified by Intecon and/or the Intecon Qualified Security Assessor;

4.9.2 regularly verify that the safeguards that Intecon has in place have been effectively implemented or updated as required for PCI-DSS certification or as requested by the Intecon Qualified Security Assessor. The supply of Intecon’s annual PCI-DSS certification to PASA and the Intecon Acquiring Bank will constitute the required written report annually of having completed each such verification exercise; and

4.9.3 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards as required for PCI-DSS certification or as requested by the Intecon Qualified Security Assessor.

4.10 agree to reasonable amendments to this clause from time to time, to the extent that data protection legislation or Applicable Laws generally require such amendments for the benefit of Data Subjects.

5. NOTIFICATION OF PERSONAL INFORMATION SECURITY BREACH

5.1 Intecon shall:

5.1.1 immediately notify the NPS Regulator and the Intecon Paying and Acquiring Banks in writing of Intecon becoming aware of or having reasonable grounds to believe that the Personal Information of a Data Subject stored on the Intecon centralised environment has been accessed or acquired by an unauthorised person and take all appropriate steps to limit the compromise of Personal Information and to restore the integrity of the affected information systems as quickly as possible;

5.1.2 as soon as reasonably possible thereafter, Intecon shall be required to engage with the NPS Regulator and the Intecon Paying and Acquiring Banks to discuss the security breach, to report all relevant facts relating to the compromise, and to communicate to the NPS Regulator and the Intecon Paying and Acquiring Banks on the steps to be taken to mitigate the extent of the compromise and loss experienced by the compromise;

5.1.3 provide the NPS Regulator and the Intecon Paying and Acquiring Banks with details of the Personal Information affected by the compromise, including but not limited to the identity of Data Subjects, the nature and extent of the compromise, and, where possible, details of the identity of the unauthorised person(s) who are known to, or who may reasonably be suspected of, having accessed or acquired the Personal Information;

5.1.4 immediately upon notifying the NPS Regulator and the Intecon Paying and Acquiring Banks as set forth in clause 5.1.1:

5.1.4.1 at its own cost, take all necessary steps as well as steps directed by the Intecon Paying and Acquiring Banks, PASA, or the SARB, to prevent and/or mitigate the continuation of the compromise, the repetition of a similar compromise, and mitigate the extent of the loss occasioned by the compromise of Personal Information;

5.1.4.2 implement all measures reasonably necessary to restore the integrity of Intecon’s information system(s);

5.1.4.3 provide the Intecon Paying and Acquiring Banks, PASA, or the SARB with a report on its progress in resolving the compromise at the intervals required by the Intecon Paying and Acquiring Banks, PASA, or the SARB following the initial notification, until such time as the compromise is resolved to the Intecon Paying and Acquiring Banks’, PASA’s, or the SARB’s satisfaction.

5.2 If required by law, notify the South African Police Service and/or the National Intelligence Agency and co-operate with the South African Police Service and/or the National Intelligence Agency in the investigation of the cause of the compromise and the prosecution of person(s) who may have gained or attempted to gain unauthorised access to, or acquired Personal Information from, Intecon.

5.3 Notify the Regulator and/or the Intecon User and/or the affected Data Subjects. Any such notification shall be in a form prescribed by the Regulator.

6. CO-OPERATION WITH THE INTECON USER AND A DATA SUBJECT

6.1 Intecon shall:

6.1.1 assist the Intecon User in complying with any requests for access to Personal Information received from the Intecon User or from a Data Subject whose Personal Information was obtained through this Policy;

6.1.2 under instruction and authority of the Intecon User, and at no extra cost to the Intecon User, provide the Intecon User with all assistance required for the Intecon User to discharge its duties relating to a requirement by the Regulator in instances where unauthorised access was gained to the Intecon centralised environment. It is, however, recorded that all Personal Information received from the Intecon User relating to Data Subjects is displayed in the ALLPS software and is accessible by the Intecon User’s Personnel. The requirement for Intecon to assist the Intecon User to discharge a requirement by the Regulator at no extra cost is not applicable when the compromise occurred due to the Intecon User’s Personnel;

6.1.3 Upon request from the Intecon User or a Data Subject, promptly return or destroy all Personal Information in the possession or control of Intecon, subject to any specific retention, destruction, and purging requirements on financial transactions processed as may be prescribed by the NPS Regulators on Intecon as System Operator; and

6.1.4 not Process the Personal Information other than in accordance with this Policy.

7. LAWFUL PROCESSING OF PERSONAL INFORMATION

7.1 In addition to, and without limiting any other provision of this Policy, Intecon agrees that it:

7.1.1 shall only Process the Personal Information of Data Subjects provided to it by the Intecon User, provided to it by the Intecon User’s Personnel, or provided to it by a Data Subject to allow Intecon to perform its obligations as set out in this Policy and to provide the Services;

7.1.2 shall not carry out any related or further Processing activities for any other reason whatsoever without the expressed written consent of the Intecon User or the Data Subject.

7.2 In addition to, and without limiting any other provision of this Policy, the Intecon User agrees that it and the Intecon User’s Personnel:

7.2.1 shall only Process the Personal Information of Data Subjects provided to it to allow for the products and services offered by the Intecon User to the Data Subject; and

7.2.2 if required to collect information from Data Subjects in terms of the Policy, to do so in a manner that does not infringe the privacy of the Data Subject, in accordance with any Applicable Law governing the collection of Personal Information from the Data Subject; and

7.2.3 shall immediately notify Intecon in writing of the Intecon User becoming aware of or having reasonable grounds to believe that the Personal Information of a Data Subject stored on the Intecon Centralised Environment has been accessed or acquired by an unauthorised person using their assigned log-on credentials for ALLPS-i allocated to the Intecon User and Intecon User’s Personnel, and to take all appropriate steps to cancel such access to ALLPS-i in order to limit Personal Information being compromised; and

7.2.4 ensure that all Intecon User’s Personnel who have access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information on substantially the same Terms and Conditions as set forth in this Policy.

8. DISCLOSURE REQUIRED BY LAW, REGULATION OR COURT ORDER

8.1 If Intecon is required to disclose any Personal Information pursuant to a requirement under Applicable Law, or if the supply of such Personal Information is required to enable a public body to properly perform a public law duty, Intecon:

8.1.1 will advise the Intecon User thereof prior to disclosure, if possible. If it is not possible to advise the Intecon User prior to disclosure, Intecon shall advise the Intecon User immediately after such disclosure;

8.1.2 will take such steps to limit the extent of the disclosure to the extent that it lawfully, reasonably, and practically can;

8.1.3 will afford the Intecon User a reasonable opportunity, if possible and permitted, to intervene in the proceedings; and

8.1.4 will comply with the Intecon User’s requests as to the manner and terms of any such disclosure, if possible and permitted.

9. SEPARATION, COMBINING OR MERGING OF PERSONAL INFORMATION

9.1 Unless otherwise specifically recorded in this Policy or any contract documents, Intecon shall not as itself, or via Intecon Personnel, Process, combine, or merge Personal Information provided by the Intecon User with any information (whether Personal Information or not) of another party.

9.2 It is, however, recorded that Intecon is obliged to supply statistical information to the NPS Regulators and to the Intecon Paying and Acquiring Banks on payment instructions processed either of a specific Intecon User or from Intecon Users as a collective.

10. TRANSFER OF PERSONAL INFORMATION OUTSIDE OF NPS

10.1 Intecon shall not transfer Personal Information provided to it by the Intecon User or Data Subject outside of the Republic of South Africa unless expressly authorised in writing by the Intecon User or Data Subject to do so.

10.2 Intecon agrees to comply strictly with the Intecon User’s instructions for cross-border transfers of any Personal Information, including as may be stipulated in this Policy.

11. RETENTION AND DESTRUCTION REQUIREMENTS

Intecon shall be required to comply with the retention and destruction policies of processing of financial transactions applicable to Intecon as a System Operator in the NPS. Intecon shall store all Personal Information that it Processes for the minimum time periods as are stipulated by the NPS Regulators and shall be required to destroy all Personal Information relating to the Data Subjects in compliance with the destruction time periods stipulated by the NPS Regulators.

12. TRANSMISSION OF DATA

Intecon shall ensure that all Personal Information communicated (including any digital communication or any Personal Information stored in digital form) shall be secured against being accessed or read by unauthorised parties by: (i) using appropriate security safeguards; and (ii) having due regard of generally accepted information security practices and procedures which may apply to it generally, or which may be required in terms of specific industry or professional rules and regulations.

13. INDEMNITY

Through publication of this Policy on www.intecon.co.za, www.allps.co.za and through the publication of this Policy in the ALLPS-i software solution made available to all Intecon Users, from the date of publication, the Parties as described in any Intecon User Agreement concluded, hereby fully indemnify and hold each other harmless from all losses, liabilities, costs, expenses, fines, penalties, and damages arising from or attributable to a Party’s breach of its obligations set out in this Policy.

14. COUNTER SIGNED EXECUTION OF THIS POLICY

Any Parties to an Intecon Agreement may request, in writing, for this Policy to be recorded as a further Annexure to the existing Intecon Agreement, counter-signed and dated by both Parties.

15. APPOINTED SECURITY OFFICER

The Intecon appointed Security Officer is A de Swardt in his capacity as Managing Director.

16. CONTACT DETAILS

PO Box 101889, Moreleta Plaza, 0167
Tel: (012) 998 7979
Email: info@allps.co.za
