Virgin Active South Africa (Pty) Ltd and/or Virgin Active Botswana (Pty) Ltd, as the case may be (“we”, “our”, “us”, “the company”, "Virgin Active") collects, receives and uses the Personal Information of customers, employees, workers and other third parties in the course of our business. We are committed to being transparent about how we collect and use Personal Information, and to meeting our data protection obligations.
Regardless of whose data we collect or where it is stored, we recognise the importance of managing Personal Information in a responsible and sensitive manner, with appropriate safeguards, and in accordance with the laws relating to data protection and privacy.
We all have a responsibility for data protection, as set out under the Protection of Personal Information Act (POPIA). This policy outlines our commitment to data protection and your obligations in relation to Personal Information. It outlines what we expect from you in order that we comply with the law and do the right thing in relation to data protection.
We have appointed Phila Zulu, Legal Director, as our Information Officer (IO). The IO’s role is to inform and advise us on our data protection obligations. If you are unable to find answers to any questions you have relating to this Data Protection Policy from the POPI Guide or from your line manager, or if you have any concerns that this Data Protection Policy is not being or has not been followed, please contact the IO.
- Responsible Party: the person or Company that determines when, why and how to process Personal Information. It is responsible for establishing practices and policies in line with the POPIA. Virgin Active is the Responsible Party of all Personal Information relating to customers, employees, workers, suppliers and others used in our business.
- Data Subject: a living, identified or identifiable individual or juristic person (i.e. a legal person like a company) about whom we hold Personal Information.
- Information Officer (IO): a person required to be appointed under the POPIA. They have responsibility for overseeing data protection compliance in an organisation.
- Protection of Personal Information Act (POPIA): the Protection of Personal Information Act 4 of 2013. Personal Information is subject to the legal safeguards specified in the POPIA.
- IR: the Information Regulator - South Africa’s supervisory authority in relation to Personal Information.
- Personal Information: any information that relates to a person who can be identified from that information. Personal Information includes Pseudonymised Personal Information but excludes de-identified data, i.e. data from which the identity of the individual or juristic person has been permanently removed. Personal Information can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
- Personal Information Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Information or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Information is a Personal Information Breach.
- Processing or Process: any activity that involves the use of Personal Information. It includes obtaining, recording or holding the data, or carrying out any actions in relation to the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Information to third parties.
- Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
What are the key principles we have to follow?
We will process Personal Information in accordance with the following data protection principles:
- we process Personal Information lawfully, fairly and in a transparent manner;
- we collect Personal Information only for specified, explicit and legitimate purposes;
- we process Personal Information only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
- we keep accurate Personal Information and take all reasonable steps to ensure that inaccurate Personal Information is rectified or deleted without delay;
- we keep Personal Information only for as long as is necessary for the purpose for which we process it;
- we adopt appropriate measures to make sure that Personal Information is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
How do we use Personal Information?
We will only collect and use Personal Information fairly and lawfully and for specified permitted purposes.
The key permitted purposes most relevant to our business are:
- where the Processing is necessary for the performance of a contract with the Data Subject;
- where the Data Subject has consented to Processing;
- pursuing our legitimate business interests, except where those interests are overridden because the Processing prejudices the interests or fundamental rights and freedoms of the Data Subject;
- meeting our legal compliance obligations.
We cannot use Personal Information for new, different or incompatible purposes from those disclosed when the Personal Information was obtained unless we have informed the Data Subject of the new purpose and, where necessary, they have consented to that new purpose.
You may only Process Personal Information when necessary to perform your job duties. You cannot Process Personal Information for any reason unrelated to your job duties.
What rights do customers have in relation to their Personal Information?
Our members and others whose Personal Information we collect and use have a number of rights when it comes to how we handle their Personal Information.
These include rights to:
- receive certain information about our processing activities;
- request access to their Personal Information that we hold;
- prevent our use of their Personal Information for direct marketing purposes;
- ask us to erase Personal Information if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
- challenge processing which has been justified on the basis of our legitimate interests;
- prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Information Breach;
- make a complaint to the IR.
Requests must be made in the prescribed form, which is included in our POPI Guide. It is important that we verify the identity of an individual requesting data under any of the rights listed above. Do not allow third parties to persuade you to disclose Personal Information to them without being sure that they are the person to whom the Personal Information relates or, if they are making the request on behalf of someone else, without checking that the person to whom the Personal Information relates has consented to the disclosure.
If you receive any Data Subject request from a customer, please forward it immediately to your Customer Experience Manager. When dealing with Data Subject requests, the steps set out in our POPI Guide must be followed.
If you receive any Data Subject request from an employee or tenant, please contact the People Team (Regional or NHO) for further advice.
What are your rights in relation to Personal Information?
As an employee, tenant or independent contractor, you have various rights in relation to the Personal Information that we collect, receive and use about you.
How do we look after data?
Personal Information must be protected using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. As a business, we maintain safeguards to protect Personal Information appropriate to our size and scope of business and the level of risk to the data.
We are all responsible for protecting the Personal Information we hold and use. You must follow all procedures and technologies we put in place to maintain the security of all Personal Information from the point of collection to the point of destruction.
You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Information, defined as follows:
- confidentiality means that only people who have a need to know and are authorised to use the Personal Information can access it;
- integrity means that Personal Information is accurate and suitable for the purpose for which it is processed;
- availability means that authorised users are able to access the Personal Information when they need it for authorised purposes.
You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the POPIA and relevant standards to protect Personal Information.
Can we share Personal Information with third parties?
Generally no, we are not allowed to share Personal Information with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Information we hold with another employee, agent or representative of Virgin Active if they have a job-related need to know the information.
You may only share the Personal Information we hold with third parties, such as our approved third party service providers, if:
- they have a need to know the information for the purposes of providing contracted services to us;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- a fully executed written contract that contains POPIA approved third party clauses has been obtained.
There are additional stringent requirements that must be met before Personal Information can be transferred to a country outside South Africa, or viewed or accessed from a country outside South Africa. Do not transfer Personal Information to any third party outside South Africa without the prior approval of the IO.
How long should we keep data, and where should it be stored?
The general guideline we apply for the business is to retain Personal Information for a period of 3 (three) years after a person has left us.
There is some data we need to keep for longer in order to comply with legal obligations or for other legitimate reasons.
What happens if there is a breach of the Personal Information?
POPIA requires Responsible Parties to notify the IR of a Personal Information Breach and, in certain circumstances, the Data Subject.
We have put in place procedures to deal with any suspected Personal Information Breach and will notify the IR and any affected Data Subjects where we are legally required to do so.
If you know or suspect that a Personal Information Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact your line manager, the IT team (if relevant) and the legal department who will be able to advise on next steps. It is very important that you do this without delay, so that steps can be taken to stop the situation worsening and deal with any adverse consequences. You should keep all evidence relating to the potential Personal Information Breach.
What support will you give me in relation to POPIA?
We will provide you with training in POPIA and how we expect you to look after our customers' data. This will be through line manager briefings, the continuation of awareness messages sent via the Weekly Business Update, and in due course we hope to implement a mandatory e-learning course.
We will also regularly test and audit our systems and processes to make sure they remain compliant.
You will also find the POPI Guide on the Intranet.
What about direct marketing to our customers?
We are subject to certain rules and privacy laws when marketing to our customers. For example, a Data Subject's prior consent in the prescribed manner and form in terms of POPIA is required for electronic direct marketing (including marketing by email or text). There is a limited exception for existing customers (known as "soft opt in") which allows us to send marketing texts or emails if we have obtained contact details in the context of a sale to that person, we are marketing similar products or services, and we gave the person an opportunity to opt out of marketing when we first collected their details and continue to give that option in every subsequent message.
We use this “soft opt in” to enable us to send marketing communications to our customers, and filter those communications through a centrally managed “suppression list” that stops them going to people who have asked not to receive them. All electronic marketing communications include an “opt out” or “unsubscribe” link enabling a customer to opt out of future marketing communications.
A Data Subject's objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
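The following is an added illustration, not part of the policy or of Virgin Active's systems, of what "retaining just enough information" for a suppression list can mean in practice, and of the Pseudonymisation definition given earlier: the list stores a keyed hash (HMAC) of each normalised email address rather than the address itself, and the key is assumed to be held separately from the list. The key value, the normalisation rules and the recipient addresses below are constructed for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed example key. In a real deployment this would be held in a secrets
# store, separately from the suppression list, so that the list alone does not
# identify anyone (that separation is what makes the tokens pseudonymised).
SUPPRESSION_KEY = b"example-key-not-for-production"


def normalise_email(address: str) -> str:
    """Canonicalise an address so trivially different spellings match.

    Unicode is normalised (NFKC), surrounding whitespace removed and both the
    local part and the domain lower-cased. Lower-casing the local part is an
    assumption: RFC 5321 allows it to be case-sensitive, but large mail
    providers treat it as case-insensitive, and an opt-out must not be missed
    because of capitalisation.
    """
    addr = unicodedata.normalize("NFKC", address).strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"{local.lower()}@{domain.lower()}"


def suppression_token(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalised address.

    Enough to recognise the same address when it appears in a future send,
    not enough to recover the address without the separately held key. An
    unkeyed hash would not do: anyone holding the list could test guessed
    addresses against it.
    """
    msg = normalise_email(address).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SuppressionList:
    """Centrally managed list of people who have opted out of marketing."""

    def __init__(self, key: bytes = SUPPRESSION_KEY) -> None:
        self._key = key
        self._tokens = set()  # holds tokens only, never addresses

    def suppress(self, address: str) -> None:
        """Record an opt-out; the address itself is not stored."""
        self._tokens.add(suppression_token(address, self._key))

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address, self._key) in self._tokens

    def filter_recipients(self, recipients: list) -> list:
        """Return only recipients who have not opted out, preserving order."""
        return [r for r in recipients if not self.is_suppressed(r)]


def run_example() -> list:
    """Constructed scenario: one customer opts out, then a campaign is filtered."""
    suppression = SuppressionList()
    # The opt-out arrives with different capitalisation and stray whitespace
    # from how the address appears in the campaign list.
    suppression.suppress(" Jane.Doe@Example.com ")
    campaign = ["jane.doe@example.com", "sam@example.org", "lee@example.net"]
    return suppression.filter_recipients(campaign)


if __name__ == "__main__":
    print(run_example())  # sam@example.org and lee@example.net remain
```

Two properties are worth checking when adopting something like this: the list must match an opt-out however the address is later spelled (hence normalisation before hashing), and a copy of the list on its own must not let anyone confirm whether a given person is on it (hence the key, kept elsewhere, rather than a plain SHA-256).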