Data Privacy Policy

The purpose of this policy is to help us achieve our data protection and data security by:

  • Notifying our employees of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information.
  • Setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring Employees understand our rules and legal standards.
  • Clarifying the responsibilities and duties of Employees in respect of data protection and data security.

All Employees have a personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The responsible Data protection officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.

Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Employees or customer personal data without authorization or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.


1. Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force.

2. Data subject means the individual to whom the personal data relates to. Personal data means any information that related to an individual who can be identified from that information.

3. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.

4. Personal data refers to all types of:

  • Personal information
  • “any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”;

  • Sensitive personal information
  • “personal information about an individual’s race, ethnic origin, marital status, age, colour, religious/philosophical/political affiliations, health, education genetic or sexual life, legal proceedings, government issued identifiers and other information specifically established to be kept classified”;

  • Privileged information
  • “any and all forms of information which, under the Rules of Court and other pertinent laws, constitute privileged communication, such as, but not limited to, information which a person authorized to practice medicine, surgery or obstetrics may have acquired in attending to a patient in a professional capacity”.


The Company collects, uses, processes, stores and retains personal data when reasonable and necessary to perform its business processes effectively, safely and efficiently and in accordance with corporate policies.

In general, the Company may be using your data for any of the following purposes:

  • To comply with the Company’s obligations under local law and as required by government organizations and/or agencies.
  • To comply with legal and regulatory requirements or obligations; and,
  • To perform such other processing or disclosure that may be required under law or regulations.


  • To grant access to the Company premises for the performance of individual’s duties and obligations;
  • To manage security at the workplace;
  • To process employee salaries and benefits;
  • To execute employee development, communications, health and engagement programs and organizational planning and management;
  • To provide assistance in case of emergency, and to account for employees during emergencies and/or crises;
  • To grant access to the Company’s IT systems and infrastructure, consistent with IT policies and procedures;
  • To provide access to services, privileges or job opportunities offered by affiliates and subsidiaries of the Company;
  • To process requirements for work purposes, including travel, certification, appointments, and the like;
  • To conduct internal investigations in relation to security incidents, disciplinary proceedings and other analogous circumstances;
  • To conduct appropriate due diligence checks;
  • To evaluate your proposal including your manpower, technical and operational capacity;
  • To assess the practicability of your proposal and process your accreditation;
  • To communicate the result of your proposal and to execute a letter of award together with the contract;
  • To perform any other action as may be necessary to implement the terms and conditions of our contract; and,
  • To perform other processes related to or in connection with our business, including those processing or disclosure that may be required under law or regulations.


  • To respond to specific complaints, enquiries, requests or to provide requested information;
  • Allows us to personalize the site for the user and view how and when specific users visit the site, helping us to improve the site. The use of cookies is an industry standard. Cookies are stored on your computer and are used only to view information on your hard drive that was put there by a cookie from this site. If you do not wish to receive cookies you may set your web browser to prevent them;


The types of personal data that the Company will collect from you depends on the particular purpose and/or position for which you are submitting an application. The common type of data collected by the Company generally includes the following:

  • Basic personal information such as name, home address, contact details and contact details for your next of kin address, social media accounts (if any);
  • Recruitment (including your application or curriculum vitae, references received and details of your qualifications);
  • Sensitive personal information such as birth date, marital status, age, religion, nationality, gender, dependents, health information, education, employment history, pay records and government identification numbers, as well as biometric information such as full-face photographs, fingerprints, and other similar images; and
  • Privileged information such as medical records, court records (if applicable), performance and any disciplinary matters, grievances complaints or concerns in which you are involved.


The Company collects personal data when you:

  • accomplish company forms;
  • submit to the Company your resume and other employment requirements;
  • disclose personal data through phone calls, email, SMS or verbal communication with Company personnel;
  • The Company may also acquire personal data through third parties, such as:
  • Job-search platforms
  • Head-hunters
  • Universities and professional organizations
  • Accredited hospitals or clinics
  • Agencies and contractors
  • Other companies (such as former employers and affiliates)
  • Accept a job offer;
  • Avail of benefits; and
  • Participate in Company processes and activities.


1. Employees are primarily responsible for ensuring that all personal data submitted are accurate, complete and up-to-date. From time to time, the Company may request updated data from the employees.

2. The Company takes all reasonable steps to make sure that the personal data the Company collects, generates, uses or discloses are accurate, complete, and up-to-date, such as:

  • Periodic reviews and audits of systems, processes and data;
  • Verification with the concerned employees and third parties.


As a general rule, the Company is not allowed to share your data with any third party except in limited circumstances as noted below:

You authorize company to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

  • As necessary for the proper execution of processes related to the declared purpose;
  • The use or disclosure is reasonably necessary, required or authorized by or under law.


The Company strictly enforces its Policy. It has implemented technological, organizational and physical security measures to protect personal data from loss, misuse, unauthorized modification, unauthorized or accidental access or disclosure, alteration or destruction. The Company uses safeguards such as the following:

  • Use of secured servers and firewalls, encryption on computing devices.
  • Restricted access only for qualified and authorized personnel e.g. only people who are authorized to use the information can access it; where possible, personal data is pseudonymized or encrypted; information is accurate and suitable for the purpose for which it is processed; and authorized persons can access information if they need it for authorized purposes.
  • Strict implementation of information security policies e.g. Personal information must not be transferred to any person to process (e.g. while performing services for us on or our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist;
  • Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency Employees, trainees, homeworkers and fixed-term Employees and any volunteers.


The personal data is stored in both local and off-shore facilities, such as data centres (on premise and cloud) and document storage facilities. Data collected will be retained in accordance with the following retention standards, unless you request your data to be deleted in our database immediately. Once deleted, the data will be completely removed from all the storage location.

  • If the data subject has an existing contract and transaction with the Company, information will be retained all throughout the contract period and 15 years after its completion or termination.
  • If the data subject has no existing contract but has existing transaction with the Company, information will be retained during the transaction and 15 years after its fulfilment.
  • If the data subject has no existing contract and transaction with the Company, information will be retained for a retention period of 2 years.


From time to time, itFINSOL (Pty) Limited may be necessary for the Company to change this Policy. If we change our Policy, we will post the revised version here and will take effect immediately, so we suggest that you check here periodically for the most up-to-date version of our Privacy Policy. Rest assured, however, that any changes will not be retroactively applied and will not alter how we handle previously collected personal data without obtaining your consent, unless required by law.

As data subjects, you have the following rights:

  • Right to be informed;
  • Right to object;
  • Right to access;
  • Right to rectify or Correct erroneous data;
  • Right to erase or Block;
  • Right to secure Data Portability
  • Right to be indemnified for damages
  • Right to file a complaint

The Company’s decisions to provide such access or consider any request for correction, erasure and objection to process your personal data as it appears in our records are always subject to any exceptions under applicable and relevant laws.


Some of the processing that the Employer carries out may result in risks to privacy. Where processing would result in a high risk to Employees rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.


If we discover that there has been a breach of Employees personal data that poses a risk to the rights and freedoms of individuals, we will report it to the concerned department within 72 hours of discovery.

We will record all data breaches regardless of their effect.

If the breach is likely to result in an elevated risk to your rights and freedoms, we will tell the affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures to be taken.