1. DEFINITIONS
All capitalised terms herein or in any Schedule or attachment will have the meanings ascribed to such terms in this clause 1 or as otherwise defined in this Agreement.
1.1 “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a Party.
1.2 “Agreement” means this Data Processing and Privacy Policy Agreement.
1.3 “Data Subject” means an individual or juristic entity which is the subject of Personal Data that may be Processed under this Agreement.
1.4 “Intellectual Property Rights” means:
1.4.1 all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights and these “intellectual property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models and rights in designs;
1.4.2 applications for registration, and the right to apply for registration, for any of these rights. and;
1.4.3 all other intellectual property rights and equivalent or similar forms of protection existing anywhere in the world.
1.5 “Papyrus Application” means the computer software and related documentation comprising the private labelled payroll processing service marketed by Operator as Papyrus, including but not limited to any modifications or additions provided by Operator during the term of this Agreement and made available by Operator at www.Papyrus.co.za.
1.6 “Personnel” means any person employed or contracted by the Parties or their approved sub-contractors relating to the provision of the Services.
1.7 “Operator” means a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party. With regards to this agreement, Operator's registered address is:
1.7.1 Where the Local Country of Residence is South Africa:
Parity Software CC
3 Torwood Heights
50 Stella Road
La Sandra
7310 Somerset West
Western Cape
South Africa
1.8 “Personal Information” means all information relating to an identifiable, living natural person, including that which Operator (or any of its Affiliates or Personnel) processes in connection with its relationship with Responsible Party (including employees of Responsible Party Affiliates and of its sub-contractors) but excluding information that Operator processes as the Responsible Party.
1.9 “Process or Processing” means the collection, use, disclosure, transfer, storage, deletion, combination, or other use of Personal Information.
1.10 “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
1.11 “Previous Agreement/s” means any agreement/s previously concluded between the Parties or Responsible Party’s acceptance of Operator’s Terms and Conditions of Use at www.papyrus.co.za.
1.12 “POPI” means the minimum standard as gazetted by the Republic of South Africa and set out in the Protection of Personal Information Act 4 of 2013 of (as amended). This may be references at POPIA
1.13 “Services” mean Operator’s services and Deliverables, as described in Previous Agreements or Operator’s Terms and Conditions of Use.
1.14 “Sub-Processor” means a third-party contractor to whom the Processing of Personal Data is subcontracted or outsourced by the Operator in accordance with the any agreements between the Parties.
1.15 “Supervisory Authority” means the Information Regulator as established in RSA, pursuant to the POPI Act.
1.16 “Territory” means any country where the Operator processes information on behalf of the Responsible Party.
1.17 “User or Users” means any Responsible Person and / or its Personnel and / or organisation and / or individual that utilises Operator’s Services.
2. GENERAL PRIVACY TERMS
2.1 Registration. To create an account on the Papyrus Application, User’s must provide Operator with at least its email address and a password and agree to Operator’s Terms and Conditions of Use and this Agreement, which governs how Operator treats User’s information. User will provide additional information during the registration flow (for example, User’s company addresses and contacts, pay structures, journal codes, employee biographical information and salary information) to help User build User’s company and employee profiles and to provide User with Services. User understands that, by creating an account, Operator a will be able to identify User by User’s profile on the Papyrus Application. Operator may also ask for User’s credit card or bank details to retrieve applicable service fees.
2.2 Customer Service. When a User contacts Operator’s customer support services telephonically or through Operator’s online Help Center, Operator will have to access Users’ profile, company information, employee information and other contributions to Operator’s Services and collect the information Operator needs to categorize a User’s question, respond to it, and, if applicable, investigate any breach of Operator’s Terms and Conditions of Use and or this agreement. Operator also use this information to track potential problems and trends and customize Operator’s support responses to better serve Users. Operator does not use this information for advertising.
2.3 Cookies. Operator uses cookies to store a session identifier in order to correctly serve a User its data as well as improve a User’s experience, increase security, measure use and effectiveness of Operator’s Services. A User can control cookies through browser settings and other tools. By visiting Operator’s Services, a User consents to the placement of cookies in User’s browser in accordance with this agreement.
2.4 Information About Users Computer and Mobile Device. When Users visit or leave Operator’s Services (whether as a Member or Visitor) by clicking a hyperlink Operator automatically receives the URL of the site from which a User came or the one to which a User is directed. Also, advertisers receive the URL of the page that a User is on when a User clicks an ad on or through Operator’s Services. Operator also receives the internet protocol (“IP”) address of a User’s computer or the proxy server that a User uses to access the web, a User’s computer operating system details, a User’s type of web browser, a User’s mobile device (including a User’s mobile device identifier provided by User’s mobile device operating system), User’s mobile operating system (if a User is accessing the Papyrus Application using a mobile device), and the name of User’s ISP or User’s mobile carrier. Operator may also receive location data passed to Operator from third-party services or GPS-enabled devices that User have set up, which Operator use to show User’s relevant information.
2.5 Papyrus Communications. Operator communicates with Users through email, notices posted on Operator’s websites or apps and other means available through the Services, including mobile text messages and push notifications. Examples of these communications include:
2.5.1 welcome and engagement communications – informing Users about how to best use Operator’s Services, new features and updates about legislation;
2.5.2 service communications – these will cover service availability, security, and other issues about the functioning of Operator’s Services. and;
2.5.3 promotional communications – these include email and may contain promotional information directly or on behalf of Operator’s partners. These messages will be sent to Users based on User’s profile information and messaging preferences. User’s may change User’s email and contact preferences at any time by signing into User’s account and opting out of receiving emails.
Users cannot opt out of receiving service messages from Operator. User agrees that Operator may provide notices to Users in the following ways:
2.5.4 a banner notice on the Service. or;
2.5.5 an email sent to an address User provided. or;
2.5.6 through other means including mobile number, telephone, or mail. User agrees to keep User’s contact information up to date.
2.6 Testimonials and Advertisements. If User provides any testimonials about Operator’s goods or services or place advertisements, Operator may post those testimonials and examples of advertisements User placed in connection with Operator’s promotion of these services to third parties. Testimonials and advertisements may include User’s name and other personal information that User has provided.
2.7 External Links. The Papyrus Application is an information portal, it contains links to other Web sites. These sites however do not fall under any control of Operator and therefore Operator cannot be held responsible for the privacy practices or the contents of such other web sites.
2.8 Rights to Access, Correct, or Delete User Information, and Closing User Account. User can change User’s information on the Papyrus Application at any time by editing User’s profile, deleting information that User has posted, or by giving Operator notice of termination. User has a right to:
2.8.1 access, modify, correct, or delete User’s personal information controlled by Operator regarding User’s profile;
2.8.2 change User’s information. and;
2.8.3 close User’s account.
3. PROCESSING OF INFORMATION
3.1 Responsible Party hereby grants to Operator a non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Personal Information to the extent reasonably required for the performance of Operator’s obligations and the exercise of Operator’s rights under this Agreement.
3.2 Responsible Party also grants to Operator the right to sub-license these rights to its hosting, connectivity and telecommunications organisations, subject to any express restrictions elsewhere in this Agreement.
3.3 Responsible Party warrants to Operator that the Personal Information when used by Operator in accordance with this Agreement will not infringe the Intellectual Property Rights or other legal rights of any person.
3.4 Responsible Party hereby confirms that as the Responsible Party they have an appropriate lawful basis to process personal information including transferring same to Operator for purposes of Processing the payroll and other legislative related services on behalf of Responsible Party.
3.5 Operator will comply with POPI and the Data Protection Standards of ISO 27001 in countries without data privacy legislation. If the law related to data protection in the territory conflicts and/or is more onerous than these provisions, Responsible Party shall in writing advise of such conflict and the Service Provider shall revert on the feasibility, if any, to comply with the Data Protection Legislation.
3.6 Without prejudice to the obligations set out in this clause 3, the Parties acknowledge and agree that each Party will remain solely responsible for complying with their respective obligations under POPI with regards to privacy and protection of personal information laws governing Responsible Party’s data in the Territory.
4. SAFEGUARDING MEASURES
4.1 It is recorded that Service Provider has an ISO/IEC 27001:2013 certification and as such Operator has implemented appropriate safeguards against the unauthorized access to, and destruction, loss, or alteration of, Responsible Party’s Confidential Information and Personal Information which at any time is in Operator’s possession or to which Operator may have access.
4.2 Operator warrants to Responsible Party that it shall maintain such safeguards for so long as it has any of Responsible Party’s Confidential Information in its possession or has access to such information.
5. COMPLIANCE: SUB-PROCESSORS AND AFFILIATES
5.1 Operator shall procure that each of its Sub-processors and/or Affiliates contractually agree in writing that they will:
5.1.1 comply with this clause 5 and POPI;
5.1.2 not access, use or process Responsible Party’s data and/or personal information except to the extent reasonably necessary in performance of its obligations under this Agreement;
5.1.3 not perform any act that puts Responsible Party at risk of Responsible Party’s data and/or personal information being disclosed;
5.1.4 implement appropriate technical and organisational security measures to preserve the integrity of Responsible Party’s data and/or Personal Information. and;
5.1.5 prevent any unauthorised or unlawful access, accidental or unauthorised destruction, corruption, loss, alteration or disclosure or other prohibited processing of Responsible Party’s data and/or Personal Information.
6. AUDIT
6.1 Operator has a robust information security management system (ISMS). An ISMS is a systematic approach to managing sensitive information so that it remains secure.
6.2 Audits are performed by external auditors on a regular basis.
6.4 Operator will make available, on request, the details of the approach to keeping sensitive information secure.
7. BREACHES AND NOTIFICATIONS
7.1 Operator will notify the Responsible Party, within a reasonable timeframe, after becoming aware of any Personal Information Breach and provide reasonable information in its possession to assist the Responsible Party to meet the Responsible Party‘s obligations to report a Personal Information Breach as required under POPI.
7.2 Operator may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Operator.
8. STORAGE OF HISTORY DATA
8.1 Subject to clause 8.2 below, legal jurisdictions will dictate how long Responsible Party’s data is retained within the Territory (each respective country), if there is no standard, a default period of 5 (five) years will be used to determine whether data should be destroyed.
8.2 On notice of termination of Responsible Party account, Responsible Party will have 30 days to download or export the data using one of many mechanisms such as reports, web services and business intelligence tools. After that 30-day period, Operator will have no obligation to maintain or provide Responsible Party the data and will thereafter delete or destroy all copies of Responsible Party’s data in Operator’s systems or otherwise in Operator’s possession or control, unless legally prohibited.
9. LAW ENFORMENT REQUESTS AND DISCLOSURES
9.1 If the Operator or Sub-Processor receives any demand for disclosure of Personal Data by law, the Operator or Sub-Processor will promptly notify the Responsible Party, in writing, of the Legal Request (unless legally prohibited from doing so).
10. CROSS BORDER DATA REPLICATION
10.1 It is specifically recorded that:
10.1.1 the Operator will perform replication of personal information to a data center in the United Kingdom for the purposes of implementing adequate disaster recovery processes and other legitimate processing activities;
10.1.2 Section 72 of POPI allows the transfer of personal information to a Sub-processor in a foreign country in circumstances where amongst others:
10.1.2.1 the Sub-processor is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection that are substantially similar to POPI and effectively uphold the principles as set out in POPI. or;
10.1.2.2 data subject consents to the transfer. or;
10.1.2.3 the transfer is necessary for the performance of a contract between the data subject and the Responsible Party or for the performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party. or;
10.1.2.4 the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer.
10.1.3 The data center to be used by the Operator in the United Kingdom will be subject to adequate laws that are substantially similar to POPI and effectively uphold the principles of lawful processing as set out in POPI. Accordingly, the Operator would comply with section 72 of POPI on the basis that the third-party recipient of the information (namely the data centre in the United Kingdom is subject to a law which provides an adequate protection level of protection. It will thus not be necessary for the Operator and/or the Responsible Party to obtain the consent of the data subject to transfer the personal information to the data center.
10.2 Having regard to the above, the parties agree that Operator has taken steps to ensure compliance with its obligations as set out in POPI.
11. CONFLICT
11.1 In the event that there is conflict between any Previous Agreement/s and this Agreement, the conditions of this agreement will apply.
12. TERM
12.1 This Agreement will commence on the effective date and will continue until the termination in accordance with any Previous Agreement/s or specifications as per Operator’s Terms and Conditions of Use.
13. COOPERATION WITH SUPERVISORY AUTHORITY
13.1 The Operator and the Responsible Party as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
14. INFORMATION OFFICER
14.1 Service Provider contact for any issues in relation to this Agreement:
14.1.1 Risk Officer – Ken Fargher.
14.2 Any questions or comments about this Agreement can be directed to Operator by contacting Operator by email on Papyrus Support.