PRIVACY PORTAL

PURPOSE AND OVERVIEW

As a business, Xpatweb Travel, a division of Xpatweb, is committed to the highest standards of professionalism, ethics and service delivery. We are committed to upholding every person’s constitutional right to privacy and ensuring that any personal information we process is processed in a lawful and transparent manner. We maintain a strict standard of confidentiality with our clients and never share personal information with third parties unless required by law or with the express consent of our clients.

Any personal information processed by Xpatweb is processed in accordance with the provisions of the Protection of Personal Information Act 4 of 2013 (“POPI”), and, where applicable, the General Data Protection Regulation 2016/679 (“GDPR”).

POPI

Xpatweb has taken comprehensive steps to ensure that its staff process any personal information in accordance with the provisions of POPI. Personal information is defined in section 1 of POPI to mean:

“information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
  (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  (b) information relating to the education or the medical, financial, criminal or employment history of the person;
  (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  (d) the biometric information of the person;
  (e) the personal opinions, views or preferences of the person;
  (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  (g) the views or opinions of another individual about the person; and
  (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”

Depending on who determines the purpose of and means for processing personal information in a particular instance, Xpatweb acknowledges that it may be acting in the capacity of either a “responsible party” or “operator” as defined in section 1 of POPI.

Where a client is also the “data subject” as defined in section 1 of POPI and has not mandated Xpatweb to process personal information on the client’s behalf, it is a determining factor which puts Xpatweb in the role of a responsible party. Where Xpatweb processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party, Xpatweb will be acting as an operator.

Whether acting as a responsible party or operator, Xpatweb will process personal information in accordance with the applicable provisions of POPI.

General Data Protection Regulation 2016/679

Xpatweb acknowledges that it offers its goods and/or services to persons domiciled in the European Union, which requires that data processing activities for such persons be carried out in accordance with GDPR.

Depending on who determines the purpose of and conditions for processing personal information in a particular instance, Xpatweb acknowledges it may be acting in the capacity of either a “controller” or “processor” as defined.

Where a client is also the “data subject” as defined in GDPR and has not mandated Xpatweb to process personal information on the client’s behalf, it is a determining factor which puts Xpatweb in the role of a controller. Where Xpatweb processes personal information for a controller in terms of a contract or mandate, Xpatweb will be acting as a processor.

Whether acting as a controller or processor, Xpatweb will process data in respect of persons in the European Union in accordance with the applicable provisions of GDPR.

PRIVACY AND DATA PROTECTION OBLIGATIONS

Xpatweb acknowledges its privacy and data protection obligations and adheres to the highest standards possible to ensure legal and safe processing of data, including personal information.

Xpatweb remains accountable to ensure compliance with POPI and/or GDPR, and that it has accordingly implemented measures and procedures which give effect to such compliance. In this regard, Xpatweb has registered its designated Information Officer with the Information Regulator established in terms of section 39 of POPI, as well as its Deputy Information Officers to whom the Information Officer has delegated its duties.

Xpatweb further regularly trains its staff as to their obligations arising from POPI and GDPR, and general best practice in respect of privacy and data protection. Xpatweb also maintains an expert Information Technology team, which maintains its information security systems. In addition to this Policy, Xpatweb has published various other policies which assist in the enforcement of privacy and data protection measures by its staff.

The measures and procedures implemented by Xpatweb extend to the fulfilment of the following obligations in respect of privacy and data protection. The client or person whose data/personal information is processed is referred to as the “data subject”.

Processing limitation
  • Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
  • Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
  • Personal information may only be processed if—
    • the data subject or a competent person where the data subject is a child consents to the processing;
    • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    • processing complies with an obligation imposed by law on Xpatweb;
    • processing protects a legitimate interest of the data subject;
    • processing is necessary for the proper performance of a public law duty by a public body; or
    • processing is necessary for pursuing the legitimate interests of Xpatweb or of a third party to whom the information is supplied.
  • The data subject or competent person may withdraw his, her or its consent, provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information will not be affected.
  • A data subject may object, at any time, to the processing of personal information—
    • on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    • for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
  • If a data subject has objected to the processing of personal information, Xpatweb may no longer process the personal information.
  • Personal information must be collected directly from the data subject, except if—
    • the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    • the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    • collection of the information from another source would not prejudice a legitimate interest of the data subject;
    • collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of Xpatweb or of a third party to whom the information is supplied;
    • compliance would prejudice a lawful purpose of the collection; or
    • compliance is not reasonably practicable in the circumstances of the particular case.
Purpose specification
  • Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Xpatweb.
  • Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
    • retention of the record is required or authorised by law;
    • Xpatweb reasonably requires the record for lawful purposes related to its functions or activities;
    • retention of the record is required by a contract between the parties thereto; or
    • the data subject or a competent person where the data subject is a child has consented to the retention of the record.
  • Records of personal information may be retained for historical, statistical or research purposes if Xpatweb has established appropriate safeguards against the records being used for any other purposes.
  • Xpatweb must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after Xpatweb is no longer authorised to retain the record.
Further processing
  • Further processing of personal information must be in accordance or compatible with the purpose for which it was collected.
Information quality
  • Xpatweb must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Openness
    • Xpatweb must maintain the documentation of all processing operations under its responsibility.
    • If personal information is collected, Xpatweb must take reasonably practicable steps to ensure that the data subject is aware of—
      • the information being collected and where the information is not collected from the data subject, the source from which it is collected;
      • the name and address of Xpatweb;
      • the purpose for which the information is being collected;
      • whether or not the supply of the information by that data subject is voluntary or mandatory;
      • the consequences of failure to provide the information;
      • any particular law authorising or requiring the collection of the information;
      • the fact that, where applicable, Xpatweb intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
      • any further information such as the—
        1. recipient or category of recipients of the information;
        2. nature or category of the information;
        3. existence of the right of access to and the right to rectify the information collected;
        4. existence of the right to object to the processing of personal information; and
        5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
        which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
    • It is not necessary for Xpatweb to make the data subject aware of its data processing if—
      • the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
      • non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
      • non-compliance is necessary—
        1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
        2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997;
        3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
        4. in the interests of national security;
      • compliance would prejudice a lawful purpose of the collection;
      • compliance is not reasonably practicable in the circumstances of the particular case; or
      • the information will—
Security safeguards
      • Xpatweb must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
        • loss of, damage to or unauthorised destruction of personal information; and
        • unlawful access to or processing of personal information.
      • Xpatweb must take reasonable measures to—
        • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
        • establish and maintain appropriate safeguards against the risks identified;
        • regularly verify that the safeguards are effectively implemented; and
        • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
      • The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Acting as operator
    • Where Xpatweb acts as an operator, it must—
      • process such information only with the knowledge or authorisation of the responsible party; and
      • treat personal information which comes to their knowledge as confidential and must not disclose it,
unless required by law or in the course of the proper performance of their duties.
    • A responsible party must, in terms of a written contract between the responsible party and Xpatweb (as the operator), ensure that Xpatweb establishes and maintains the security measures referred to in POPI.
    • Xpatweb (as operator) must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Security compromises
      • Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Xpatweb must notify—
        • the Regulator; and
        • the data subject, unless the identity of such data subject cannot be established.
      • The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
        • mailed to the data subject’s last known physical or postal address;
        • sent by e-mail to the data subject’s last known e-mail address;
        • placed in a prominent position on the website of Xpatweb;
        • published in the news media; or
        • as may be directed by the Regulator.
      • The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
        • a description of the possible consequences of the security compromise;
        • a description of the measures that Xpatweb intends to take or has taken to address the security compromise;
        • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
        • if known to Xpatweb, the identity of the unauthorised person who may have accessed or acquired the personal information.
Data subject participation 
      • A data subject, having provided adequate proof of identity, has the right to—
        • request Xpatweb to confirm, free of charge, whether or not Xpatweb holds personal information about the data subject; and
        • request from Xpatweb the record or a description of the personal information about the data subject held by Xpatweb, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
      • If, in response to a request, personal information is communicated to a data subject, the data subject must be advised of the right to request the correction of information.
      • Xpatweb may or must refuse, as the case may be, to disclose any information requested to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act
      • A data subject may, in the prescribed manner, request Xpatweb to—
        • correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
        • destroy or delete a record of personal information about the data subject that Xpatweb is no longer authorised to retain.
      • On receipt of a request, Xpatweb must, as soon as reasonably practicable
        • correct the information;
        • destroy or delete the information;
        • provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
        • where agreement cannot be reached between Xpatweb and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
      • If Xpatweb has taken steps that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, Xpatweb must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
      • Xpatweb must notify a data subject, who has made a request, of the action taken as a result of the request.
Special personal information
      • Xpatweb may not process personal information concerning—
        • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
        • the criminal behaviour of a data subject to the extent that such information relates to—
          1. the alleged commission by a data subject of any offence; or
          2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
      • The prohibition on processing personal information does not apply if the—
        • processing is carried out with the consent of a data subject;
        • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
        • processing is necessary to comply with an obligation of international public law;
        • processing is for historical, statistical or research purposes to the extent that—
          1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
          2. it appears to be impossible or would involve a disproportionate effort to ask for consent,
          and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
        • information has deliberately been made public by the data subject; or
        • provisions of sections 28 to 33 of POPI are, as the case may be, complied with.
      • The prohibition on processing personal information concerning a data subject’s race or ethnic origin does not apply if the processing is carried out to—
        • identify data subjects and only when this is essential for that purpose; and
        • comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
Personal information of children
      • Xpatweb may not process personal information concerning a child.
      • The prohibition on processing personal information of children does not apply if the processing is—
        • carried out with the prior consent of a competent person;
        • necessary for the establishment, exercise or defence of a right or obligation in law;
        • necessary to comply with an obligation of international public law;
        • for historical, statistical or research purposes to the extent that—
          1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
          2. it appears to be impossible or would involve a disproportionate effort to ask for consent,
          and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
        • of personal information which has deliberately been made public by the child with the consent of a competent person.
Direct marketing
      • The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
        • has given his, her or its consent to the processing; or
        • is a customer of Xpatweb.
      • Xpatweb may approach a data subject—
        • whose consent is required; and
        • who has not previously withheld such consent,
only once in order to request the consent of that data subject.
      • The data subject’s consent must be requested in the prescribed manner and form.
      • Xpatweb may only process the personal information of a data subject who is a customer of Xpatweb –
        • if Xpatweb has obtained the contact details of the data subject in the context of the sale of a product or service;
        • for the purpose of direct marketing of Xpatweb’s own similar products or services; and
        • if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
          1. at the time when the information was collected; and
          2. on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
      • Any communication for the purpose of direct marketing must contain—
        • details of the identity of the sender or the person on whose behalf the communication has been sent; and
        • an address or other contact details to which the recipient may send a request that such communications cease.
Transfers of personal information outside Republic
      • Xpatweb in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
        • the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
          1. effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
          2. includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
        • the data subject consents to the transfer;
        • the transfer is necessary for the performance of a contract between the data subject and Xpatweb, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
        • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Xpatweb and a third party; or
        • the transfer is for the benefit of the data subject, and—
          1. it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
          2. if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
      • For the purpose of this provision—
        • ‘‘binding corporate rules’’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
        • ‘‘group of undertakings’’ means a controlling undertaking and its controlled undertaking

CHANGES TO THIS NOTICE

This Policy was last updated on 21 June 2021. Please note that we may amend this Policy from time to time.

HOW TO CONTACT US

If any person has questions about this Policy or believes Xpatweb has not adhered to it, or needs further information about Xpatweb’s privacy practices or wishes to give or withdraw consent, exercise preferences or access or correct the person’s personal information, please feel free to contact Xpatweb at:

South Africa: 011 467 0810
International: +27 11 782 5289
Email: privacy@xpatweb.com

INFORMATION REGULATOR

Any person has the right to complain to the Information Regulator regarding any breach of the POPI provisions by Xpatweb, whose contact details are:

Information Regulator
Email: inforeg@justice.gov.za