PRIVACY NOTICE

At Gijima (“Gijima”, “we”, or “us”), we are committed to protecting your privacy and handling your Personal Information with transparency and care. This Privacy Notice outlines how we collect, use, and protect your Personal Information when you engage with us, visit our website, or make use of our services.

We comply with applicable data protection regulations such as the Protection of Personal Information Act, 2013 (POPIA), and where relevant, the EU General Data Protection Regulation (GDPR). Our aim is to ensure that your Personal Information is processed lawfully, fairly, and transparently for clearly defined and legitimate purposes, while respecting your right to privacy.

We collect and process Personal Information for a variety of purposes, and the manner in which we collect, use, share, and retain that information will vary depending on the specific context.

If we request any Personal Information while you use our website (https://www.gijima.com/) or services, it will be managed in accordance with this Privacy Notice. By accessing our website, communicating with us, collaborating with us, or using our services, you agree to the practices described in this Notice.

Collection and Processing of Personal Information

Gijima is a South African Information and Communications Technology (ICT) services provider that provides a wide range of digital and IT solutions to clients across various sectors. In providing such services, we collect and Process Personal Information for several reasons but mostly to:

  • Deliver services to clients.
  • Manage relationships with partners, suppliers, and service providers.
  • Facilitate recruitment and hiring.
  • Support employee and contractor relationships.
  • Engage with other stakeholders.

Gijima’s Role in Processing Personal Information

Gijima Processes Personal Information both as a Responsible Party and an Operator, depending on the context.

As a Responsible Party, Gijima determines the purpose and means of Processing Personal Information for its own business operations. This includes managing employee information, supplier data, and information related to its internal systems and administration.

As an Operator, Gijima processes Personal Information on behalf of its clients in accordance with their instructions and contractual agreements. This applies when Gijima provides ICT services such as cloud hosting, managed IT support, cybersecurity, systems integration, and data analytics.

Personal Information We Process

The Personal Information we collect and/or Process may differ depending on our purpose of collecting and Processing your Personal Information. We may collect and/or Process your Personal Information subject to the purpose above, which may include, but is not limited to:

Contact and Identity

Name, email, phone number, ID/passport

Business Details

Company name, job title, service credentials (e.g., admin logins)

Technical Data

IP address, device type, browsing behaviour (via cookies)

Sensitive Data

Biometric access logs (for security), health data (employee records only)

Gijima collects Personal Information in various instances, including when you contact or engage with Gijima through the website, telephonically, email or any other process. This applies to any contact or engagements by clients, partners, subcontractors, staff members, visitors, candidates under recruitment or any other third parties.

We also may Process Personal Information automatically on our website and through cookies and other technologies. These technologies record information about you, including location, browser and device data and usage data. All temporary files generated during system operations or user sessions are configured to be automatically deleted upon session termination or after a predefined period in accordance with our data minimisation and storage limitation practices.

We only Process your Personal Information, if such:

Processing is necessary to carry out actions for the conclusion or performance of a contract, agreement or arrangement to which you are a party;

  • Processing is required to fulfil a legal obligation such as providing information to regulators, professional bodies, supervisory authorities, statutory bodies, law enforcement;
  • Processing protects your legitimate interest;
  • Processing is necessary for pursuing our or a third-party’s legitimate request; and/or
  • Processing was agreed to by you in the form of consent.

Where allowed under relevant national laws regulating the Processing of Personal Information, as a business we Process Personal Information about you. When we do so, we balance our legitimate interests against the interests and rights of the individuals whose Personal Information we Process. The following list sets out the business purposes that we have identified as legitimate:

  • To fulfil our contractual and statutory obligations to our:
    • clients as an ICT services provider;
    • members of staff;
    • subcontractors, partners or suppliers when commencing and concluding a business relationship,;
    • third-party service providers that provide services on our behalf;
    • Reporting to the relevant authorities and regulators;
    • Improving our systems and tools as well as developing new products or services;
    • Enable network and information security throughout Gijima;
    • Exercising or defending legal rights; and
    • Sharing Personal Information among our affiliates for administrative purposes.

Consequences of Your Refusal to Provide Personal Information

It could hinder our ability to perform our duties and responsibilities if you refuse to provide or allow us to collect your Personal Information, where our purpose for such collection is based on a contractual requirement, legal obligation and/or our legitimate interest.

Persons who will Access Your Personal Information

Our employees, independent contractors, staff members and/or third-party entities who are contracted by us as sub-Processors will have access to your Personal Information to administer and manage our inclusive services and our various stakeholder relationships. Your Personal Information will further be shared with third parties, subject to the purpose of us collecting and Processing your information, including but not limited to:

  • Third-party sub-Processors, who Process Personal Information for us in terms of a contract or mandate, without coming under our direct authority for example service providers etc. with whom we have contractual arrangements and security mechanisms in place to protect the Personal Information and to comply with our data protection, confidentiality and security standards. Such third-party contractors are our sub-Processors, and we maintain a list of sub-Processors with whom your information has been shared. This list can be requested by forwarding a query to our Information Officer, whose details are set out below.
  • Government agencies and law enforcement. if we are under a duty to disclose or share your Personal Information to comply with any legal obligation.

Disclosures of Your Personal Information and Transfers to Third-Party Countries

We may share the personal information described in section ‎3 (Collection and Processing of Personal Information) for the purposes set out in section ‎4 (We only Process your Personal Information, if such:) with the following service providers and third-parties:

  • Service providers who provide IT and system administration services.
  • Professional advisers who legitimately need to have access to the Personal Information for a business need.
  • Regulators and other authorities who require reporting of Processing activities in certain circumstances.
  • Third-parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Information in the same way as set out in this Policy.

Your Personal information may be shared with the companies within our group. We share information with them, so they can assist us in providing our services.

All Gijima companies have a legitimate business interest (that is to provide a complementary or related service for you or your business) in accessing the data and may do so for the purposes and in the way described in this Notice. When we transmit data between our group entities located inside and outside of South Africa, this sharing is governed by our intra-group data sharing and Processing agreement which is drafted in compliance with POPIA and the GDPR.

We require all third-parties to respect the security of your Personal Information and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Information for their own purposes and, unless otherwise notified to you, only permit them to Process your Personal Information for specified purposes and in accordance with our instructions.

Some of our external third-parties are based outside South Africa so their Processing of your Personal Information will involve a transfer of data outside South Africa.

Whenever we transfer your Personal Information out of South Africa, we will take reasonable steps to ensure that it adequately protected, including where relevant, by entering into appropriate contractual terms with the receiving party, or any other approved mechanisms that may become available to us in the future. We will also carry out a risk assessment of the laws and practices of the destination country to identify any technical and organisational measures that need to be put in place to ensure that your Personal Information is fully protected when transferred to that country.

Protection and Retention of Your Personal Information

We will take the necessary steps to secure the integrity and confidentiality of Personal Information in our possession and under our control by taking appropriate, reasonable technical and organisational measures to prevent loss of damage to or unauthorised destruction of your Personal Information and unlawful access to or Processing of Personal Information, regardless of the format in which it is held.

Data security is extremely important to us, and we have put in place appropriate security measures (such as encryption, confidentiality obligations of our personnel, log-in records, and vulnerability testing etc,) to prevent your Personal Information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Information to those employees, agents, contractors and other third-parties who have a business need to know.

We have put in place procedures and incident management policies to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We will retain your Personal Information for a period as required to achieve the purpose of which the Personal Information was collected initially or subsequently Processed, unless retention is required or authorised for legal reasons, or we reasonably require the records for lawful purposes related to our functions or activities or is required by a contract or you have consented to the retention of the record.

We may retain your Personal Information for periods longer than these periods for historical, statistical or research purposes based on us maintaining appropriate safeguards against the records being used for any other purposes.

In the event in which we used your Personal Information record to decide whether to act for you or not, we shall retain the record for such a period that may be required or prescribed by law or code of conduct or if there is no law of code of conduct, retain the record for a period sufficient to afford you a reasonable opportunity, taking all considerations relating to the use of the Personal Information into account, to request access to the record.

Marketing Activities

We may contact you periodically to provide information regarding our services and content that may be of interest to you. We will only send such communications after receiving your consent.

If you do not wish to receive further marketing communications from us, you can click on the unsubscribe link in the marketing communication to withdraw your consent. Note that all withdrawal of your consent will not affect the lawfulness of Processing based on the consent before its withdrawal. Upon withdrawal of your consent, we will no longer be able to inform you of our services, publishing topics etc.

Receipt of Your Information from a Third-Party

In some instances, we may receive your Personal Information (including your name and contact details) from a third-party and we will notify you of our collecting your Personal Information as soon as reasonably practicable after it has been collected.

Laws Authorising or Requiring the Collection of Personal Information

Under certain circumstances, we are authorised or required for legal reasons to collect your Personal Information. We will only collect such Personal Information as we are required to collect in terms of such legal reasons and such collection, Processing, storing, and destruction will be done in compliance with any relevant national laws regulating the Processing of Personal Information.

We further confirm that we use Personal Information to verify the identity of our counterparties to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as  Anti-Bribery and Corruption (ABC) obligations. We may be required to record and verify your identity for compliance with legislation intended to prevent money laundering and financial crimes. These obligations are imposed on us by the operation of law, industry standards, and by our financial partners, and may require us to report our compliance to third parties and to submit to third-party verification audits.

Automated Decision Making

We may sometimes use systems to make automated decisions about you or your business to provide you with a better and safer experience. You can object to automated decision-making and ask that a person review the decision.

Your Rights

You, as a Data Subject, have certain rights which you may exercise against us where applicable. You have the right to:

  • have your Personal Information Processed in-line with the conditions of lawful Processing;
  • be notified that your Personal Information is being collected;
  • be notified that your Personal Information has been accessed or acquired by an unauthorised person;
  • request confirmation of whether we hold Personal Information about you;
  • request the record or a description of the Personal Information we hold about you, including information about the identity of all the third parties or categories of third parties who have or have had access to your information (right of access);
  • request us to correct (right of rectification) or delete your Personal Information (right of erasure; ‘right to be forgotten’) in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or destroy or delete a record of your Personal Information we are no longer authorised to retain;
  • object to the Processing of your Personal Information (right to object), subject to the relevant lawful purpose of Processing, on reasonable grounds relating to your particular situation;
  • object to the Processing of Personal Information for direct marketing;
  • request that the Processing of your Personal Information is restricted under certain circumstances (right to restriction of Processing), subject to relevant national law regulating the Processing of Personal Information; and
  • request that Personal Information held by us be transferred to another Responsible Party (right to data portability).

Should you wish to exercise any of the above rights you may contact our Information Officer.

No fee is usually required to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if a Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with such request in these circumstances.

We may need specific information from you to help us confirm your identity and ensure you have the right to access the Personal Information (or to exercise any of rights).

The time limit to respond, in cases of legitimate requests, is one month. Occasionally it may take us longer than one month if the request is particularly complex or there are a multiple requests made by you. In this case, we will notify you and will keep you updated.

Information Officer

Information Officer:

Mr Maphum Nxumalo

Email address:

[email protected]

Personal Information Regulators

Should you believe that the Processing of your Personal Information is in contravention with applicable Gijima’s, you can lodge a formal complaint with the Information Regulator. Follow the link for contact details: https://inforegulator.org.za/contact-us/

Changes to Privacy Notice

We will review this Privacy Notice and may amend or supplement this Privacy Notice from time to time, following regulatory changes, business strategies and new technology introduced into our operations. We will publish an updated version of this Privacy Notice, as and when amendments or supplements have been made on our website

Third-party Website Links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third-parties to collect or share data about Data Subjects. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, you are encouraged to read the privacy notice of every website you visit.

Definitions

In this Privacy Notice, all capitalised terms have the meaning ascribed to them in terms of the POPIA.

Enquiries, Requests, Complaints and/or Concerns

To address any enquiries, requests, complaints and/or concerns regarding this Policy Notice, the Processing of your Personal Information, or to exercise the rights as stated in section ‎13 (Your Rights), please contact our Information Officer.

ACRONYMS AND ABBREVIATIONS

Abbreviation

Explanation

ABC

Anti-Bribery and Corruption

EU

European Union

GDPR

General Data Protection Regulation

ICT

Information and Communications Technology

ID

Identification

IP

Internet Protocol

IT

Information Technology

POPIA

Protection of Personal Information Act, 2013