1.1 “Child” means any natural person under the age of 18 (eighteen) years (where the child is in the Republic of South Africa or Mauritius), or any natural person under the age of 16 (sixteen) years (where the child is in the European Union);
1.2 “Cresco” means Cresco Holdings (Pty) Ltd (Registration Number: 2004/034974/07)
1.3 “Cresco Associated Entities” means: Cresco Advisory (Pty) ltd (Registration Number: 2003/016269/07); Cresco Project Finance (Pty) Ltd (Registration Number: 2005/036543/07);
Cresco Global Limited (Registration Number: 129062 C1/GBL); and Cresco Property Advisory (Pty) Ltd (Registration Number: 2008/004899/07)
1.4 “DPA” means the Data Protection Act 2017 (Mauritius);
1.5 “Data Subject” means the person to whom Personal Information relates;
1.6 “Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply services, in the ordinary course of business, to the Data Subject;
1.7 “Employees” means any employee of the Cresco;
1.8 “GDPR” means General Data Protection Regulation (EU GDPR) –Regulation (EU) 2016/679 Regulation (EU) 2016/679 on data protection and privacy in the European Union and the European Economic Area;
1.9 “Operator” means a person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party;
1.10 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: –
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The biometric information of the person;
- The personal opinions, views or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person; and
- The name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person. (for purposes of the DPA and GDPR, this is specifically limited to natural persons only);
1.12 “POPIA” means the Protection of Personal Information Act 4 of 2013;
1.13 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including: –
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, as well as restriction, degradation, erasure, or destruction of information;
1.14 “Regulator” means either the South African Information Regulator established in terms of POPIA; or the relevant supervisory authority under the DPA or GDPR;
1.15 “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;
1.16 “Special Personal Information” means the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or the criminal behaviour of a Data Subject to the extent that such information relates to the alleged commission of any offence; or any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
1.17 “Third Party” means any independent contractor, agent, consultant, sub-contractor, or other representative of Cresco; and
1.18 “Website” means the Cresco website currently located at https://www.crescogroup.africa/
2 PURPOSE OF POLICY
The purpose of this Policy is to inform Data Subjects about how Cresco Processes their Personal Information.
3 PROCESS OF PROCESSING PERSONAL INFORMATION
3.1 Cresco will ensure that the Data Subject’s Personal Information is processed in a lawful and reasonable manner that does not infringe the Data Subjects’ right to Privacy.
3.2 When Processing Personal Information Cresco will ensure that all of the POPIA Processing conditions, and all measure that give effect to such conditions are adhered to. The 8 (eight) POPIA conditions for lawful Processing of Personal Information are set out below: –
3.2.2 Processing Limitation
3.2.3 Purpose specification
3.2.4 Further processing limitation
3.2.5 Information quality
3.2.7 Security Safeguards
3.2.8 Data subject participation
3.3 Cresco will collect the Personal Information directly from the Data Subject unless: –
- The information is contained in or derived from a public record or has deliberately been made public by the Data Subject;
- The Data Subject has consented to the collection of Personal Information from another source;
- Collection of the Personal Information from another source would not prejudice the legitimate interests of the Data Subject;
- Collection of the Personal Information from another source is necessary to comply with an obligation imposed by law, to avoid prejudice to the maintenance of law, for the conduct of proceedings in any court or tribunal, in the interest of national security, or to maintain the legitimate interests of the Responsible Party or a Third Party;
- Compliance would prejudice lawful purpose of collection;
- Consent is not reasonably practicable in the circumstances;
3.4 Personal Information will be processed by Cresco if, given the purpose for which it is processed, it is adequate, relevant, and not excessive;
3.5 In accordance with POPIA, Cresco will only Process Personal Information if: –
3.5.1 Consent is obtained from the Data Subject;
3.5.2 Processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party;
3.5.3 Processing complies with an obligation imposed by law on the Responsible Party;
3.5.4 Processing protects a legitimate interest of the Data Subject;
3.5.5 Processing is necessary for the proper performance of a public law duty by a public body; or
3.5.6 Processing is necessary for pursuing the legitimate interests of the Responsible Party or of a Third Party to whom the Personal Information is supplied.
3.6 Should a Data Subject object to Cresco Processing his/her/its Personal Information in which case Cresco will no longer Process such personal Information.
4 PURPOSE OF PROCESSING PERSONAL INFORMATION
4.1 Cresco will only Process a Data Subject’s Personal Information for a specific, explicitly defined, and lawful purpose and will ensure that the Data Subject is made aware of such purpose as far as possible.
4.2 Cresco will generally use Personal Information for purposes required to operate and manage its normal business operations. Some of these purposes include, without limitation, the following: –
4.2.1 Providing its services to the Data Subject from time to time;
4.2.2 Processed as part of the “Know Your Customer” (“KYC”) process as per the requirements of the Financial Intelligence Centre Act 38 of 2001;
4.2.3 To conduct due diligence processes on Cresco Clients;
4.2.4 Performing general information technology-related functions for all business functions within the Cresco
4.2.5 Internal audit purposes (i.e., ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);
4.2.6 Employment-related purposes such as administering payroll, assessing credit and criminal history, and determining Employment Equity Act 55 of 1998 statistics;
4.2.7 To respond to any correspondence that the Data Subject may send to Cresco, including via email, Cresco’s site(s) or by telephone;
4.2.8 In connection with the execution of payment processing functions, including payment of Cresco’s suppliers’ invoices;
4.2.9 To contact the Data Subject for direct marketing purposes subject to the provisions of section 69 of POPIA;
4.2.10 For such other purposes to which the Data Subject may consent from time to time; and
4.2.11 For such other purposes as authorised in terms of applicable law.
4.3 A Data Subject’s Personal Information may be Processed in South Africa or another country where Cresco, its affiliates and their Third-Party service providers maintain servers and facilities, however, Cresco will ensure that Personal Information is protected in accordance with this Policy and with the applicable law.
5 SPECIAL PERSONAL INFORMATION & PERSONAL INFORMATION OF CHILDREN
5.1 Cresco will not Process Special Personal Information unless: –
- A Data Subjects’ consent is obtained;
- Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- Processing is necessary to comply with an obligation of international public law;
- Processing is for historical, statistical or research purposes to the extent provided for in POPIA;
- Information has deliberately been made public by the Data Subject; or
- Provisions of sections 28 to 33 of POPIA are complied with.
5.2 Cresco does not intend to Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.
6 ACCURACY OF PERSONAL INFORMATION
6.1 Cresco will take reasonable steps to ensure that all Personal Information is kept as accurate, complete, and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further processed.
6.2 It is expected that the Data Subject will notify Cresco of any updates regarding his/her/its Personal Information.
7 STORAGE OF PERSONAL INFORMATION
7.1 Cresco may store your Personal Information in hardcopy format and/or in electronic format using Cresco’s own secure on-site servers or other internally hosted technology.
7.2 A Data Subject’s Personal Information may also be stored by Third Parties, with whom Cresco has contracted with to support Cresco’s business operations.
7.3 Cresco’s Third-Party service providers may have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected. Cresco will ensure that such Third-Party service providers will only use or have access to Data Subject’s Personal Information for purposes specified by us and Cresco will further ensure that such Third-Party service providers will process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies, and procedures and POPIA and DPA and GDPR, where applicable.
7.4 Cresco requires Third Parties to, at the very least, to have the same level of security in place that Cresco uses to protect a Data Subject’s Personal Information.
8 RETENTION OF PERSONAL INFORMATION
8.1 Cresco will not retain Personal Information for any period longer than necessary and Cresco will only retain Personal Information for the purpose for which it was initially collected or subsequently processed and will, unless required by law or contract, delete, destroy or de-identify the information as soon as is reasonably practicable once the purpose has been achieved.
8.2 Where Cresco retains Personal Information for longer periods for statistical, historical or research purposes, Cresco will ensure that appropriate safeguards have been put in place to ensure that the Personal Information is not used for any other purposes.
8.3 Cresco will restrict Processing of Personal information if: –
- The accuracy of the Personal Information is contested;
- Cresco no longer needs the Personal Information for achieving the purpose for which it was collected or processed but it has to be maintained for purposes of proof;
- Processing is unlawful and the Data Subject opposes its destruction or deletion and requests restriction of its use instead;
- A Data Subject requests to transfer the Personal Information into another automated processing system.
8.4 Restricted Personal Information, with the exception of storage, will only be Processed by Cresco for purposes of proof or with the Data Subjects consent.
8.5 Cresco will inform a Data Subject if it intends lifting any restriction imposed on the Processing of that Data Subject’s Personal Information.
9 SECURITY SAFEGUARDS
9.1 In order to secure the integrity and confidentiality of Personal Information in its possession or under its control it will ensure that the appropriate reasonable technical and organisational measures are in place to prevent loss of, damage, or unauthorised destruction of Personal Information.
9.2 Cresco’s technical and organisational measures will include: –
- Identifying all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
- Establish and maintain safeguards against the risks identified;
- Ensure that the safeguards are effectively implemented and continually updated in response to new risks or deficiencies in previously implemented safeguards.
9.3 Should an Operator process Personal Information with the knowledge and authorisation of Cresco, the Operator will be required to treat such Personal Information as confidential and may not disclose such Personal Information unless required by law or in the course of proper performance of its duties. In the event that the Operator has reasonable grounds to believe that Personal Information of the Data Subject has been accessed or acquired by any unauthorised person, the Operator must inform Cresco immediately. Cresco will, as soon as reasonably possible after the compromise, inform the Regulator and the Data Subject unless the identity of such Data Subject cannot be established or unless notification will impede a criminal investigation.
10 PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS
10.1 Should Cresco disclose Personal information to Third Parties, Cresco will enter into written agreements with such Third Parties to ensure that the Third Parties Process Personal Information in accordance with the provisions of this Policy, and POPIA and, where applicable, the DPA and the GDPR.
10.2 Cresco may transfer Personal Information to a foreign jurisdiction and will ensure that the necessary consent is obtained unless consent is not required in accordance with applicable laws.
10.3 The Data Subject should note that Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement, or regulatory agencies of such other country, pursuant to the laws of such country.
11 ACCESS TO PERSONAL INFORMATION
11.1 A Data Subject, upon furnishing adequate proof of identity, has the right to request Cresco to confirm, free of charge, whether or not Cresco holds Personal Information about the Data Subject, and a Data Subject also has the right to sight of the record or a description of the Personal Information, including information about the identity of all Third Parties, or categories of Third Parties, who have, or have had, access to the Personal Information.
11.2 A Data Subject has a right to request Cresco to correct or delete any Personal Information held by Cresco correction of information. On receipt of such request, Cresco will correct the information, or delete or destroy the information and will thereafter, provide the Data Subject with evidence in support of the information.
11.3 In the event that Cresco requires a fee to be paid for services provided to the Data Subject, Cresco will give the Data Subject applicant a written estimate of the fee before providing the services.
11.4 The Provisions of section 18 and 53 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) apply to request for access to information.
11.5 The provisions of sections 30 and 61 of the PAIA are applicable in respect of access to health or other records.
12 USE OF WEBSITE COOKIES
12.3 If you accept a “cookie” or fail to deny the use of “cookies”, you agree that Cresco may use your Personal Information collected using “cookies” and Cresco’s system will issue cookies when you log on to the Cresco website.
Should you have an issue with Cresco processing your personal information or would like to lodge a complaint in relation to the Personal Information held and processed by Cresco you may contact the Information Officer, Deputy Information Officer or the Data Protection Officer. Alternatively, you may contact the Information Regulator.
T: +27 (0)12 406 4818
14 CHANGES TO THIS POLICY
Cresco reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify Data Subjects of such amendments. The current version of this Policy will govern the respective rights and obligations between Data Subjects and Cresco each time that you access and use Cresco’s website.
15 CRESCO CONTACT DETAILS
South African Office
Physical Address: 1st Floor | 267 West Building | 267 West Avenue, Centurion | South Africa
1 Protea Place Sandown Sandton 2146
PO Box 67550 | Highveld | 0169 | South Africa
T: +27 (0)12 663 3660
Deputy Information Officer
Ms Corinne Berg
T: +27 (0)12 663 3660
Suite No 6 | Perrieri Office Suites | Level 4 | Office
Block C | La Croisette | Grand Baie | Mauritius
3rd Floor | Labama House | Sir William Newton Street | Port Louis | Mauritius
Data Protection Officer
Helgaard Muller (Cresco Global Limited)
T: +230 5497 4583