Protection of Personal Information

EXTERNAL PRIVACY POLICY

HOW TO CONTACT US

For any questions or requests regarding this Privacy Policy or if a Data Subject would like to exercise his/her rights including contacting the Information Officer, please use the following contact details of the Information Officer:

Information Officer: Cisca Nieuwoudt

Email: cisca@cederbergwine.com

Telephone: +27 (0) 27 482 2827

IMPORTANT NOTICE:

Please do not submit any Personal Information to Cederberg if you do not agree to any of the provisions of this Privacy Policy.

If you do not consent to the provisions of this Privacy Policy, or parts of the Privacy Policy, Cederberg may not be able to communicate with you or provide its products and/or services to you.

  1. INTRODUCTION

    1.1. Cederberg is engaged in the following business activities:
    1.1.1. the production, marketing, sale and distribution of liquors products in the South African and international markets;
    1.1.2. the provision of accommodation.
    1.2. As part of managing Cederberg’s business and creating value for all its stakeholders, Cederberg is required, in certain instances, to process Personal Information. Accordingly, Cederberg is required to protect such Personal Information as set out in the Protection of Personal Information Act and declares its commitment to comply with the Act.
    1.3. Cederberg shall ensure that all Personal Information is processed within the parameters of the law.
    1.4. This Privacy Policy sets out how Personal Information of a Data Subject will be used by Cederberg and applies to any information, including Personal and Special Personal Information, the Data Subject gives to Cederberg or which Cederberg may collect from third parties.
    1.5. It is important that the Data Subject reads this Privacy Policy carefully before submitting any Personal Information to Cederberg because by accessing Cederberg’s website and/or interacting/corresponding with Cederberg and/or submitting any Personal Information to Cederberg, the Data Subject consents to the Processing of the Data Subject’s Personal Information as set out in this Privacy Policy and this includes Processing of Personal Information which was in Cederberg possession prior to the commencement of the Act.
    1.6. The provisions of this Privacy Policy are subject to mandatory, unalterable provisions of the Act and must be read in conjunction with the Act and its regulations, where applicable

  2. OBJECTIVE

    2.1. The objective of this Privacy Policy is to give effect to the Act and to explain the following: 2.1.1. The way in which Cederberg uses and protects the Personal Information of a Data Subject; 2.1.2. The period for which Cederberg keeps the Personal Information of a Data Subject; 2.1.3. The rights of a Data Subject regarding his/hers/its Personal Information; and 2.1.4. The action a Data Subject should take if he/she/it does not want to provide Cederberg with his/her/its Personal Information.

  3. INTERPRETATION AND DEFINITIONS

    In this Privacy Policy:

    3.1. Clause headings are for convenience and reference purposes only and shall not be used in the interpretation thereof; 3.2. Any gender includes all other genders and a natural person includes a juristic person and vice versa; 3.3. All the annexures (if any) hereto are incorporated herein and shall have the same force and effect as if they were set out in the body of this Privacy Policy; 3.4. The following words and/or expressions shall, unless the context indicates otherwise, bear the meaning assigned to them below and in the Act: 3.4.1. “the Act” means the Protection of Personal Information Act, Act 4 of 2013, and any regulations thereto, as amended from time to time; 3.4.2. “Cederberg” means Cederberg Wines (Pty) Ltd and Gebroeders Nieuwoudt (Pty) Ltd and all other companies, close corporations or entities that form part of the Cederberg group of entities, including but not limited to its holding companies, subsidiaries and affiliates, irrespective of the nature of the relationship between the members of the group; 3.4.3. “Cookie/s” (also called web cookie, internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing to inter alia remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity; 3.4.4. “Data Subject” means the Person to whom the Personal Information relates; 3.4.5. “Employee” means a permanent, fixed-term or temporary employee of Cederberg; 3.4.6. “Information Officer” means the person appointed by Cederberg, from time to time, who is responsible for the monitoring of compliance, by Cederberg, with the conditions for the lawful Processing of Personal Information; dealing with requests made to Cederberg in terms of the Act; working with the Regulator in relation to investigations conducted in relation to prior authorisation by the Data Subject and ensuring compliance by Cederberg with the provisions of the Act; 3.4.7. “Operator” means a third party that processes Personal Information in terms of a mandate or contract with Cederberg, without coming under the direct authority of Cederberg; 3.4.8. “Person” means any person, company, close corporation, trust, partnership or other entity; 3.4.9. “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: 3.4.9.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the Person; 3.4.9.2. information relating to the educational, medical, financial, criminal or employment history of the Person; 3.4.9.3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the Person; 3.4.9.4. the biometric information of the Person; 3.4.9.5. the personal opinions, views or preferences of the Person; 3.4.9.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; 3.4.9.7. the views or opinions of another individual about the person; and 3.4.9.8. the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the Person; 3.4.10. “Privacy Policy” means this Privacy Policy as amended from time to time; 3.4.11. “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including: 3.4.11.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; 3.4.11.2. dissemination by means of transmission, distribution or making available in any other form; or 3.4.11.3. merging, linking, as well as restriction, degradation, erasure or destruction of information. 3.4.12. “Special Personal Information” means religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject or the criminal behaviour of the Person to the extent that such information relates to: 3.4.12.1. the alleged commission by the Person of any offence; or 3.4.12.2. any proceedings in respect of any offence allegedly committed by the Person or the disposal of such proceedings.

  4. PROCESSING OF PERSONAL INFORMATION

    4.1. Data Subject Personal Information collected by Cederberg and the basis thereof.
    The Personal Information Cederberg collects in the ordinary course of business includes:
    4.1.1. only information that is adequate, necessary, and relevant to enable it to effectively supply products or render services or assist in any manner required, such as the Data Subject’s name, identity number or registration number (where applicable), Data Subject’s employees or its directors’ Personal Information, contact information etc.; 4.1.2. electronic or other communications sent to Cederberg by the Data Subject and by Cederberg to the Data Subject; 4.1.3. information submitted to Cederberg by the Data Subject or on behalf of the Data Subject, including Personal Information submitted as part of Cederberg’s online shopping platform; 4.1.4. technical information, for instance through the use of cookies (such as activity data) when the Data Subject completes a form on Cederberg website, subscribes to a newsletter, alerts or other services from Cederberg or taking part in a competition, prize draw or survey; 4.1.5. information from the Data Subject’s visits to Cederberg website, including the type of browsers and operating system that the Data Subject uses, access times, pages viewed, URLs clicked on, the Data Subject’s IP address and the pages visited before and after navigating Cederberg’s website; 4.1.6. social media tracking pixels that allow platforms such as Facebook and Twitter to interact with Cederberg and its website and give feedback on the Data Subject’s actions; 4.1.7. device information, including the unique device identifier, hardware model, operating system and version and mobile network information; 4.1.8. Personal Information that Cederberg collects when it monitors other websites and may include the Data Subject’s public Personal Information, for example when Cederberg monitors digital conversations on public platforms to understand what people are saying about it or Cederberg’s industry in general. Cederberg may combine information that it has about a Data Subject from various sources; 4.1.9. Cederberg website uses various technologies including "cookies" which allow the website to recognise and respond to the Data Subject as an individual. The Data Subject can elect to accept or decline cookies. If a Data Subject elects to decline cookies, not all elements of the website may function as intended, so the Data Subject’s website experience may be affected; and 4.1.10. Personal Information that is provided to Cederberg by its clients in the conducting of Cederberg’s business. 4.2. Protection of Data Subject’s Personal Information 4.2.1. Cederberg uses a variety of security measures and technologies to help protect Personal information of a Data Subject from unauthorised access, use, disclosure, alteration or destruction in line with applicable Personal Information protection and privacy laws. For example, when Cederberg shares the Personal Information of a Data Subject with external suppliers, it shall put in place a written agreement which commits the suppliers to keep the Data Subject’s Personal Information confidential and to put in place appropriate security measures to keep it secure. 4.2.2. The transmission to Cederberg of information via the internet or a mobile phone network connection may not be completely secure and any transmission in this manner, is at the Data Subject’s risk. 4.2.3. From time to time Cederberg may provide links to websites or mobile applications that it does not own or control. This Privacy Policy does not apply to those websites. If a Data Subject chooses to use those websites, he/she/it must check the legal and privacy policies or statements posted on each website or mobile application he/she/it accesses to understand their privacy practices. 4.2.4. Despite the security measures that Cederberg has in place to protect Personal Information of a Data Subject (firewalls, password access control, SFTP transfers and encryption methods), the Data Subject acknowledges that it may be accessed by an unauthorised third party, e.g. as a result of an illegal activity, and indemnifies Cederberg against any damages or loss suffered as a result of such activity. 4.3. How does Cederberg use the Personal Information of a Data Subject
    Cederberg may use the Personal Information of a Data Subject to provide the Data Subject with information, products and services including, but not limited to:
    4.3.1. online or physical events, such as webcast events; 4.3.2. press releases; 4.3.3. promotions and competitions; 4.3.4. job postings; 4.3.5. financial results; 4.3.6. marketing communications about Cederberg products and services. Cederberg will obtain consent for marketing to the extent required by law; 4.3.7. contact and interact with the Data Subject, including to: 4.3.7.1. receive information from the Data Subject; 4.3.7.2. request the Data Subject to update it information, including Personal Information on Cederberg website, online shopping platform and other records; 4.3.7.3. respond to requests from the Data Subject (including in circumstances where a Data Subject applied for employment); and 4.3.7.4. provide important notices and updates, such as changes to terms, standard operating procedures (SOPs), policies, security alerts and administrative messages. 4.3.8. operate Cederberg’s business, including: 4.3.8.1. screening visitors through CCV footage, conducting searches for dangerous weapons and completing the attendance register for security purposes to ensure that only authorised persons enter the premises of Cederberg; 4.3.8.2. complying with applicable laws, regulations and guidance; and 4.3.8.3. complying with demands or requests made by regulators, governments, courts and law enforcement authorities. 4.3.9. improve Cederberg’s day-to-day operations, including: 4.3.9.1. for internal purposes such as auditing, data analysis and research to help Cederberg deliver and improve its digital platforms, content and services; 4.3.9.2. to monitor and analyse trends, usage and activities in connection with Cederberg products and services to understand which parts of Cederberg digital platforms and services are of the most interest and to improve the design and content of those platforms; 4.3.9.3. to improve Cederberg products and services and communications to the Data Subject; and 4.3.9.4. to ensure that Cederberg has up-to-date contact information for the Data Subject, where applicable. 4.4. Retention period by Company of Personal information of a Data Subject Cederberg will always keep the Personal Information of a Data Subject for the period required by law and where it needs to do so in connection with legal action or an investigation in which it is involved or to mitigate risks which Cederberg is exposed to in the normal course of its business. Otherwise, Cederberg will keep Personal Information of a Data Subject: 4.4.1. for as long as needed to provide the Data Subject with access to products and services he/she/it has requested; 4.4.2. where the Data Subject has contacted Cederberg with a question or request, for as long as necessary to allow Cederberg to respond to the question or request and as required by law. 4.5. Permitted sharing by Company of Personal Information of a Data Subject 4.5.1. Cederberg may share Personal Information of a Data Subject with the following third parties and/or Operators: 4.5.1.1. The entities in the Cederberg group and including but not limited to any holding company/ies or subsidiary/ies as defined in the Companies Act, Act 71 of 2008 or affiliates, irrespective of the legal nature of how the entities comprise the group; 4.5.1.2. Cederberg directors, officials, Employees, agents, Operators and suppliers, including those who provide it with technology services such as data analytics, hosting and technical support; 4.5.1.3. Cederberg’s professional advisors, auditors and business partners; 4.5.1.4. regulators, governments and law enforcement authorities; and 4.5.1.5. other third parties in connection with re-organising all or any part of Cederberg’s business. 4.5.2. Personal Information of a Data Subject may be processed by Cederberg and/or Cederberg’s Operators outside of the Republic of South Africa. The Data Subject acknowledges that Personal Information laws in the countries to which the Personal Information of a Data Subject is transferred, may not always be equivalent to, or as protective as, the laws in the Republic of South Africa and agrees and consents to its Personal Information being transferred as such. 4.5.3. Cederberg will implement appropriate and reasonable measures to ensure that the Personal Information of a Data Subject remains protected and secure when it is transferred outside of the Republic of South Africa, in accordance with applicable Personal Information protection and privacy laws. These measures include data transfer agreements implementing standard data protection clauses. 4.6. Data Subject’s rights regarding his Personal Information The Data Subject is entitled, subject to Cederberg’s rights as set out in the Act, to: 4.6.1. request Cederberg for access to Personal Information Cederberg holds about him/her/it; 4.6.2. request a correction and/or deletion of his/her/its Personal Information; 4.6.3. request the restriction of the Processing of his Personal Information, or object to that Processing; 4.6.4. withdraw his/her/its consent to the Processing of his/her/its Personal Information (where Cederberg is Processing his/her/its Personal Information based on his/her/its consent); 4.6.5. withdraw his/her/its consent to receive marketing messages; 4.6.6. request for the receipt or the transfer to another organisation, in a machine-readable form, of the Personal Information, that he/she/it has provided to Cederberg; and 4.6.7. complain to his local data protection authority if his/her/its privacy rights are violated, or if he/she/it has suffered as a result of unlawful Processing of his Personal Information. 4.7. What the Data Subject should do if he/she/it does not want to provide Cederberg with his Personal Information 4.7.1. Where a Data Subject is given the option to share his/her/its Personal Information with Cederberg, he/she/it can always elect not to do so. 4.7.2. If a Data Subject objects to the Processing of his/her/its Personal Information, or if he/she/it has provided his/her/its consent to Processing and he/she/it later chooses to withdraw it, Cederberg will comply with the request in accordance with its legal obligations. Cederberg’s legal obligations in respect of the withdrawn Personal Information shall therefore cease to exist. 4.7.3. The rights of the Data Subject are subject to Cederberg’s rights as set out in the Act.
  5. IMPORTANT NOTICE TO DATA SUBJECTS

    5.1. By visiting Cederberg’s website and communicating electronically or otherwise with Cederberg, the Data Subject consents to the Processing of his/hers/its Personal Information, including the processing and transfer of his/her/its Personal Information as set out in this Privacy Policy. 5.2. Cederberg is continually improving its methods of communication and adding new functionality and features to its website. Due to these ongoing changes, changes in the law and the changing nature of technology, Cederberg’s data protection practices will change from time to time as set out in clause 6 below. If and when its protection practices change, Cederberg will update this Privacy Policy to describe its new practices. The Data Subject is encouraged to check it regularly. 5.3. The Data Subject indemnifies and holds Cederberg, including all its directors, officials, members, Employees and agents harmless against any claim (including legal costs on an attorney-and-own client scale) which may be made against Cederberg pursuant to a Data Subject with Personal Information of a Person which has not been lawfully obtained and/or Processed by the Data Subject

  6. AMENDMENTS TO PRIVACY POLICY

    6.1. Cederberg may amend this Privacy Policy from time to time for any of the following reasons: 6.1.1. to provide for the introduction of new systems, methods of operation, services, products or facilities; 6.1.2. to comply with changes to any legal or regulatory requirements. 6.1.3. to ensure that this Privacy Policy is clearer; 6.1.4. to rectify any mistake that may be discovered from time to time; and/or 6.1.5. for any other reason which Cederberg, in its sole discretion, may deem reasonable or necessary. 6.2. Any such amendment will come into effect and become part of any agreement the Data Subject has with Cederberg when notice is given to the Data Subject of the change by publication of the amended Privacy Policy on Cederberg’s website.

  7. COMPLAINTS

    7.1. Should the Data Subject believe that Cederberg has utilised Personal Information contrary to the Act, the Data Subject undertakes to first attempt to resolve any concerns with Cederberg. 7.2. If the Data Subject is not satisfied with such process, the Data Subject may have the right to lodge a complaint with the Information Regulator, using the contact details listed below: Tel: 012 406 4818 Fax: 086 500 3351 E-mail: inforeg@justice.gov.za