WATU CREDIT LIMITED: DATA PROTECTION AND PRIVACY NOTICE
Subsidiary: K2024238427 (SOUTH AFRICA) PTY LTD T/A WATU SA
Privacy Policy
This Privacy Policy informs you about how and for which purposes Watu SA (also referred to here as “we” or “us”) will process your personal information and explain your rights under Protection of Personal Information Act 4 of 2013 (”POPIA”). We remain dedicated to handling your personal information responsibly, diligently and in compliance with all legal requirements to ensure the integrity and security of your personal information. For the purposes of this Privacy Policy, “personal information” means any information relating to an identified or identifiable individual as provided for in POPIA and in so far we process such information.
1. Introduction
1.1. Watu SA operates in a highly data-oriented environment which requires the processing and use of personal information for the primary purpose of providing credit.
1.2. At Watu SA, we respect the privacy of individuals and recognize the importance of the personal information entrusted to us by our customers, our employees and other parties. It is our responsibility to process and protect in a relevant and proper manner all personal information in compliance with the applicable data protection legislation.
1.3. This Privacy Policy explains the personal information we collect, how we process it and for what purpose and to whom your personal information may be disclosed by us in the context of our relationship. It also describes how Watu SA handles your information that is in its possession and the controls that Watu SA has established to safeguard your information. Further, this Privacy Policy includes information regarding your rights with respect to the processing of your personal information.
1.4. We may, from time to time, amend this Privacy Policy, in keeping with amended legislation or business practices. We will effect all changes on our website, mobile application, Agreements and Policies. The latest published version of our Privacy Policy will replace all earlier versions of it, unless otherwise stated. We will inform you of important changes to this policy via a notification on our website or via any other effective mode of communication.
1.5. The Privacy Policy applies to our visitors who either physically visit our premises or visit our website, customers (including those whose loan applications are under review or rejected), suppliers, agents, employees and all our stakeholders whose information we process.
2. Definition of terms
2.1. Data Collection means gathering of information that relates to you.
2.2. Information Officer is a person designated or appointed by Watu SA to monitor compliance with
the POPIA.
2.3. Personal data means information about you that identifies you directly or indirectly as a unique individual such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. The personal information that we collect will depend on the context of our relationship with you. We may collect, use, store and transfer different kinds of personal information about you or people connected to you.
2.4. Processing means any operation or sets of operations which is performed on your personal information whether by automated means, such as: collection, recording, organisation or structuring; Storage, adaptation or alteration; Retrieval, consultation or use; Disclosure by transmission, dissemination, or otherwise making available; Alignment or combination, restriction, erasure or destruction.
2.5. Special personal information is information revealing your racial or ethnic origin, political opinions, professional membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health.
2.6. Third Party or Operator means a natural or legal person, public or private authority, agency or body other than you and Watu, who under the direct authority of Watu are authorized to process your personal information.
2.7. You/ Your (s) means:
2.7.1. Any person who has downloaded and uses any of our mobile applications or websites.
2.7.2. Any person who has entered (or intends to enter) into an Agreement with Watu.
2.7.3. Any staff who has been employed by Watu.
2.7.4. Any agent, dealer and/or merchants who has signed an agreement with Watu and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
2.7.5. Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any Watu premises or electronic platforms.
2.7.6. Any supplier/ service provider who has been contracted by Watu.
2.7.7. Any external lawyer or professional advisor of Watu.
2.7.8. Any other service provider or financial entity who has signed an agreement with Watu.
2.7.9. Any other person whose Personal Information is legally processed by Watu in terms of
POPIA.
3. The general principles for protecting personal information within Watu SA are:
3.1. We are transparent on how we comply with applicable data protection legislation.
3.2. We limit the collection and processing of personal information as required by law. The information we collect about you will be for specified and legitimate purposes and will not be further processed in a manner incompatible with those purposes.
3.3. We process special personal information only if the processing has a clear and explained legal ground.
3.4. We register details about individuals limited to achieving the purpose of the processing.
3.5. We inform individuals which personal information we collect and how this data will be stored and used.
3.6. We treat personal information as strictly confidential and take appropriate technical and organisational security measures to protect personal information against loss or unlawful access and processing.
3.7. We keep personal information only for as long as necessary to fulfill the purposes for which it was collected, or local law may require.
3.8. If our processing of personal information is likely to pose a high risk to individuals’ rights and freedoms, we will perform a data protection impact assessment and, if necessary, take appropriate security measures as guided by the Information Regulator in South Africa.
3.9. Our systems and processes support personal information protection. We maintain documentation showing that our systems and processes work as intended.
3.10. Where we outsource the processing of personal information, we impose contractual obligations to protect this data by written contract.
4. Why do we collect and process your personal information? We collect your personal information for the following purposes:
4.1. For the performance of contractual obligations.
4.2. To assess whether you are eligible for our products and services and to process your application, including all steps until we conclude a contract or reject your application.
4.3. To comply with our obligation to collect information about you from credit bureaus and to report to credit bureaus, including your payment behaviour.
4.4. Where you consent to our use of your personal information.
4.5. Where we need to comply with or fulfill legal or regulatory obligations and protect ourselves and our customers against fraud or legislative non-compliance.
4.6. Where we need to protect your vital interests or the vital interests of third parties (for example when contacting your listed beneficiaries/guarantor under an Agreement.
4.7. Where it is necessary for our legitimate interests (or those of a third party) such as maintaining our records, developing, assessing, and improving our services, risk evaluation, improving our customer administration and engagement.
4.8. To comply with our Know Your Customers (KYC) requirements, including to collect information about you from public databases.
4.9. To establish, exercise or defend our legal rights such as when we are faced with any legal claim or where we want to pursue any legal claims.
4.10. To communicate new products and services (please note that if you do not want to receive our marketing information you may opt out anytime by contacting us).
4.11. To send you important notices such as changes to our terms, conditions and policies, any promotions, discounts, loan balances, or unusual activity with respect to your loan account or Agreement with us.
4.12. If you apply for an employment position at Watu SA or we note that you are a potential candidate for employment, we may use your personal information in evaluating your candidacy, including to do checks involving third parties, and to contact you about the employment opportunity.
4.13. When we receive your personal information from third parties, we may use it to validate the information you have provided to us or for fraud prevention purposes.
4.14. To enable us to register you for our services and verify your identity and authority to use our services.
4.15. To address fraud or safety concerns, or to investigate complaints or suspected fraud or illegality.
4.16. To process payments in terms of our contract or collect on any debt you may owe us.
4.17. To monitor and analyse our platforms for system administration, operation, testing and support purposes.
4.18. To cooperate with, respond to requests from, and to report transactions and/or other activity to government, tax or regulatory bodies, or other intermediaries or counterparties, courts or other third parties.
4.19. To do business development or product and services enhancements, quality assurance and for internal business operational purposes.
5. Whose personal information do we collect? We collect your personal information because you are our actual or potential customer, employee, supplier, business partner or other valued relation.
6. How do we collect your personal information? We mostly collect your personal information with your knowledge and consent. We may also collect
your personal information from public sources or third parties through any of the following ways: (please note that this list is not exhaustive):
6.1. Directly from you, such as when entering a contract with us as customer or contractor or employee,
6.2. Visiting our premises, website or applications,
6.3. Downloading our applications and registering,
6.4. Subscribing to our communications,
6.5. Registering for an event, applying for a job,
6.6. From other sources, such as business partners, suppliers or service providers with whom we have business relationships.
6.7. By interacting with our website. We collect this personal information by using cookies and similar technologies. You can find out more about this in our cookies and website policy,
6.8. From publicly available sources including government bodies.
6.9. Contact, financial and transaction data from databases such as credit bureaus, fraud prevention, public data bases, including the Department of Home Affairs, agencies and providers of technical, payment and delivery services.
6.10. Medical professionals and hospitals for human resource purposes.
6.11. Social media – If you are a potential candidate for employment with Watu, we may have received your personal information from third parties such as recruiters or external websites.
6.12. Directly from you as the individual.
6.13. Directly from a person who is making a claim or application, and they include information about you which is related to their claim or application.
6.14. From your family members if they are recorded as your next of kin, mostly for human resource purposes and collections purposes in respect of Watu SA lending customers.
6.15. Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations within Watu SA premises to provide a safe and secure environment. By choosing to interact with us in any way specified under clause 6.0 above, you will be doing so with full knowledge and consent that we will collect and process your personal information. By consenting, you allow Us to collect, process, store, disclose and transfer your data as provided for under the Protection of Personal Information Act and the regulations thereto.
7. What personal information do we collect? Personal data that we process will depend on the purpose for processing and may include:
7.1. Identification information such as name, date and place of birth, identity number, identity card or passport number and copies of these documents, tax identification number, photo, marital status, title, nationality, gender, and specimen signature.
7.2. Contact information such as email address, postal address, physical address, residential address, and telephone number.
7.3. Financial information such as bank account details, payment card details, mobile money statements, income, credit history, score and credit bureau data, credit worthiness, bank statements, details about payments to or from you and other details of products and services you have obtained through us.
7.4. Information on your involvement in the matter giving rise to a claim.
7.5. Information about the nature of your business and commercial assets.
7.6. Employment information such as the name of the employer, position in the organisation and office address.
7.7. Children’s personal information such as the name, date of birth and gender, mostly for human resource purposes.
7.8. Special personal information such as health information, mostly for human resource purposes and information about race for Broad Based Black Economic Empowerment purposes.
7.9. Marketing and communications information including your preferences in receiving marketing information from us and communication from us.
7.10. Online data whenever you access our website and mobile applications such as cookies, login data, IP address (your computer’s internet address), browser type and version, ISP or operating system, domain name, access time, page views and location data.
7.11. Geolocation Information – We may request access or permission to track location-based information from your mobile device, either continuously or while you are using our mobile application(s), to provide certain location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
7.12. Mobile Device Access – We may request access or permission to certain features from your mobile device, including your mobile device’s SMS messages, and other features. If you wish to change our access or permissions, you may do so in your device’s settings.
7.13. Mobile Device Data – We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware
model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed and information about the locking of the device (if applicable).
7.14. Push Notifications – We may request you to allow us to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings. If there is a justifiable need for information about other people connected to you, we may request you to provide the information in relation to those people. If you are providing information about another person, we expect you to ensure that they know that you are doing so and are content with their information being provided to us. It might be helpful to show them this Privacy Policy and if they have any concerns, please contact us to discuss.
8. With whom do we share your personal information?
8.1. We may share your personal information with other companies and subsidiaries within the Watu Group for processing your personal information in accordance with the business purposes of the Watu Group. Personal information may also be shared with Watu SA’s trusted partners, such as dealers, manufacturers and the specified third parties listed below, to achieve the purposes. We will ensure that appropriate contractual safeguards are implemented to ensure protection of
your personal information when disclosing it to a third party.
8.2. Subject to your rights and the applicable laws, we may share your personal information with the third parties set out below:
8.2.1. Public authorities or governments and regulatory bodies when required by law, public interest, national security, regulation, legal process or enforceable governmental request.
8.2.2. Persons or entities that you explicitly request us to transfer your personal information to them.
8.2.3. Your relatives, guardians or persons acting on your behalf where you are incapacitated or for the purposes of settling your beneficiaries.
8.2.4. Insurers, reinsurers, and brokers for insurance services.
8.2.5. Our professional advisers such as auditors, tax advisers, insurers, reinsurers, medical agencies, legal advisers who act on our or your behalf, or who represent another third party.
8.2.6. Medical institutions and professionals where we may require access to your health records and assessments for specific purposes.
8.2.7. Debt collection agencies, credit reference agencies, fraud detection agencies and other agencies that we will contract to provide services to us.
8.2.8. Service providers who process personal information on our behalf, to deliver a service to us.
8.3. In case personal information is being transferred cross border, appropriate measures will be taken to ensure protection of your personal information. You agree that we may transfer your personal information across border if our business interests require cross-border flow of information. This may typically happen where we have decided to store information with a trusted third party in another country or where a service provider makes use of systems or processes cross border or if we need to share information with other companies within the Watu Group for internal business purposes. We will only transfer Personal Information to third parties in countries with adequate data protection laws or do so in terms of a written agreement with the recipient which imposes data protection requirements on that party as required by POPIA.
9. How long do we store your personal information?
9.1. We will only retain your personal information for as long as may be reasonably necessary to fulfill the purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting information.
9.2. We may retain your personal information for a longer period if the retention is:
9.2.1. required or authorized by law.
9.2.2. reasonably necessary for a lawful purpose.
9.2.3. authorized or consented by you.
9.2.4. is necessary for the purpose of responding to a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
9.2.5. for historical, statistical, journalistic, literature and art or research purposes.
10. How do we protect your personal information?
10.1. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
10.2. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties on a need to know basis. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
10.3. When we share your personal information with third party service providers, we regulate their
limited use of the information by written agreement.
10.4. Our Website is protected through secure encryption in line with international standards, but the internet is an open and often vulnerable system and the transfer of information via the internet may not always be completely secure. Although we will implement all reasonable measures to protect personal information, we cannot guarantee the security of your personal information transferred to us using the internet. Therefore, you acknowledge and agree that any transfer of personal information via the internet is at your own risk and you are responsible for ensuring that any personal information that you send is sent securely.
11. What are your rights as a Data Subject and how can you exercise them? You have the right to:
11.1. information about and access to your personal information;
11.2. updating or rectification of your personal information;
11.3. erasure of your personal information (‘right to be forgotten’);
11.4. restriction of processing of your personal information;
11.5. objection to the processing of your personal information;
11.6. not be subject to automated decision-making – where a decision that has a legal or other significant effect is based solely on automated decision making, including profiling;
11.7. lodge a complaint with the Information Regulator. To exercise your rights, please send an email to: [email protected] There may be circumstances that restrict your rights, particularly if processing your personal information is required to meet our legal or regulatory obligations or to protect our legitimate
interests. In these circumstances, the law may allow us to retain your personal information and continue processing despite your objection. The law may also prohibit us for complying with a request for access to information in certain circumstances. An example will be where we have shared your personal information with regulatory bodies in terms of a legal requirement and you request a copy of such communications.
12. Do we collect personal information from minors?
12.1. We do not knowingly or intentionally collect information from or carry out marketing activities to persons under 18 years of age, also referred to as minors/ children.
12.2. We do not knowingly solicit information from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor/ dependent’s use of our Services. If we learn that personal information from users less than 18 years of age has been collected, we shall deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data, that we may have collected from children under age 18, please contact us at [email protected].
13. Personal use of emails and statement about checking on emails
13.1. Our communication and information systems are for business use. However, we realize that our employees occasionally use our systems for personal use.
13.2. Personal use includes sending or receiving personal emails within or outside Watu. Whilst our employees are bound by strict usage policies and security safeguards, we do not accept responsibility for the contents of personal emails sent by our employees using our systems.
13.3. Please note that we may intercept, check on and delete any communications created, stored, sent, or received using our systems, according to any law that applies.
14. Contact
We have appointed an information officer who is responsible for overseeing questions in relation to this Privacy Policy. If you have any concerns about the use of your personal information, questions about this policy, including any requests to exercise your legal rights under the law, please contact us using the details set out below:
Email address: [email protected].
Postal address: Watu SA, Atrium on 5th, 9th Floor, 5th Street Sandton, Johannesburg,
Gauteng, 2196, South Africa
Physical address: Atrium on 5th, 9th Floor, 5th Street Sandton, Johannesburg,
Gauteng, 2196, South Africa
Telephone number: 010 003 0800
15. Lodging A Complaint
15.1. If you want to raise any objection or have any queries about our privacy practices, you can
contact our information officer at : [email protected]
15.2. You also have the right to formally lodge a complaint to the Information Regulator in terms of
POPIA as follows:
Website: https://www.justice.gov.za/inforeg/
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address: P.O Box 31533, Braamfontein, Johannesburg, 2017
Complaints email: [email protected]
Privacy Policy Effective Date: 26 August 2024
