Privacy Policy
INTRODUCTION
The information, content, services, and/or materials offered by NGA on, or through its website www.nga.co.za (“the Website”), are made available subject to the provisions contained below.
Please read this Privacy Policy carefully to understand how your personal information will be treated when you use the Website. All queries and/or requests relating to this Privacy Policy should be sent to info@nga.co.za.
NGA endeavors to comply with all laws and regulations providing for privacy including, but not limited to, the Constitution of the Republic of South Africa, 108 of 1996, and the Protection of Personal Information Act, 4 of 2013 (“the Act”).
For purposes of this Privacy Policy, the person accessing the Website, or on whose behalf the Website is accessed, is referred to as “the User” and the term “Personal Information” bears the meaning as ascribed to it in the Act.
NGA seeks to ensure the quality, accuracy, and confidentiality of all Personal Information in its possession and recognizes the importance of protecting the User’s privacy in respect of the User’s Personal Information collected by NGA when the User visits the Website. NGA is committed to protecting and preserving the Personal Information of all visitors to the Website.
By accessing the Website, the User agrees to the processing of the User’s Personal Information for the purposes stated in this Privacy Policy. This Privacy Policy includes various consents and permissions provided by the User to NGA in respect of the User’s Personal Information.
The User should not use this Website if the User does not agree with NGA’s processing activities described in this Privacy Policy. NGA undertakes that the processing of the User’s Personal Information shall be carried out by it solely in accordance with the provisions of this Privacy Policy.
The User will be subject to the Privacy Policy in force at the time that the User accesses the Website. This Privacy Policy should not be viewed in isolation and must be read together with the applicable terms of use of the Website (which are available on the Website) and any further agreement/s entered into between the User and NGA (such as an agreement in terms of which the User elects to subscribe for any of the services rendered by NGA).
SECTION 1 – WHAT DO WE DO WITH YOUR INFORMATION?
When you browse our site, we automatically receive your computer’s internet protocol (IP) address and information about your browser and operating system. This data is required to provide the service, but we do not permanently store it or use it in any other way.
SECTION 2 – CONSENT
You can contact us by email or other channels using the information provided on our website. The information you provide to us when contacting us (e.g., your email address) will only be used for the purpose of answering your communication, such as providing you with information that you may require.
How do I withdraw my consent? You may withdraw your consent for us to contact you at any time, by contacting us at info@nga.co.za.
SECTION 3 – DISCLOSURE
We may disclose your personal information if we are required by law to do so.
SECTION 4 – THIRD-PARTY SERVICES
In general, the third-party providers used by us (e.g., for hosting the website) will only collect, use, and disclose your information to the extent necessary to allow them to perform the services they provide to us.
When you click on links on our website, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
SECTION 5 – SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed. NGA will not sell your data or personal information.
SECTION 6 – AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence.
SECTION 7 – CHANGES TO THIS PRIVACY POLICY
We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
If our site is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to provide services to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend, or delete any personal information we have about you, register a complaint, or simply want more information, contact us at info@nga.co.za.
INFORMATION COLLECTION AND USE
NGA strives to collect only that Personal Information which is necessary for the intended purpose of the collection. NGA and/or its authorized agents shall collect certain Personal Information from the User in connection with the User’s use of the Website. The information collected is used for the following purposes:
- To make the User’s visit to the Website more efficient;
- To enable efficient use of the Website;
- To process electronic communications and transactions;
- To administer any promotion, survey, or similar interactive activity conducted by NGA; and
- To provide the User with newsletters or other periodic emails and/or promotional materials as requested by the User.
When the User accesses the Website, the User’s Personal Information will be automatically collected in relation to the User’s visit to the Website. This information includes but is not limited to:
- The User’s browser type and version;
- The User’s operating system and information about the User’s use of the Website including details of the User’s visits to the Website (such as pages viewed and the resources that the User accessed on the Website).
The Website also uses different types of cookies, such as cookies which provide web analytics services, flash cookies, and other types of cookies. NGA’s hosting agents and/or service providers may automatically log the User’s “IP address” (the unique identifier for the User’s computer and/or other access device). The aforesaid information collected by NGA is for aggregate purposes only and cannot be used to identify the User personally.
Should the User subscribe to receive any newsletter, periodic email, or promotional material or information distributed by NGA, the User’s Personal Information (including but not limited to the User’s email address) will be processed by NGA. NGA may also track whether the User has read the material supplied by NGA and/or whether the User has clicked on any of the links so provided. All NGA communications shall contain an unsubscribe link and by following the unsubscribe process, the User shall be removed from the relevant distribution list and NGA shall no longer send the User the subscription content or contact the User.
CONSENT TO PROCESS PERSONAL INFORMATION
By accessing the Website, the User agrees and consents that NGA may process the User’s Personal Information for the purposes set out in this Privacy Policy including providing the User with access to the Website and its contents.
By providing NGA with his/her/its Personal Information, the User expressly consents to having his/her/its Personal Information processed in accordance with this Privacy Policy, which processing is necessary to enable NGA to carry out the actions required of it in relation to the User when the User accesses the Website.
Processing shall include the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as blocking, degradation, erasure, or destruction of information.
This consent is effective immediately and will endure until the User’s relationship with NGA has been terminated, or until such time as the User expressly notifies NGA that such consent is retracted.
RETAINING PERSONAL INFORMATION
The User expressly consents to NGA retaining the Personal Information once the User’s relationship with NGA has been terminated for the following purposes:
- Aggregate, statistical, and reporting purposes and for only so long as is necessary to enable NGA to achieve the purpose for which the Personal Information was collected or subsequently processed, subject to the further provisions of section 14 of the Act;
- In order to ensure that the User’s Personal Information is treated in accordance with the User’s prior instructions, for example ensuring that the User remains unsubscribed from NGA’s mailing list; and
- NGA’s operational purposes and/or for production as evidence by NGA in legal proceedings in which event records relating to the User’s use of the Website and the Personal Information submitted by the User may be required to be retained in terms of legislated records retention requirements.
HANDLING OF THE USER’S PERSONAL INFORMATION
NGA shall secure the integrity and confidentiality of the User’s Personal Information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to, or unauthorized destruction of the User’s Personal Information and the unlawful access to or processing of such Personal Information.
NGA will not sell, exchange, or transfer the User’s Personal Information to any third party without the User’s consent and save as provided for in this Privacy Policy.
DISCLOSURE OF PERSONAL INFORMATION
NGA may disclose the User’s Personal Information to its third-party service providers, where necessary. NGA requires that its service providers take appropriate, reasonable, technical, and organizational measures to keep the User’s Personal Information secure and such third parties may not use or disclose the User’s Personal Information for any purpose other than providing the services required by the User on NGA’s behalf.
NGA may disclose the User’s Personal Information under the following circumstances:
- to comply with the law or with legal process;
- to protect and defend NGA’s legitimate interests (safety, property, or other rights);
- to protect NGA against misuse or unauthorized use of the Website and/or of the services offered by NGA; and
- to protect other customers, Website users, or third parties affected negatively by the User’s actions in his/her/its use of the Website.
ACCESSING AND UPDATING PERSONAL INFORMATION BY THE USER
NGA will take reasonable steps to keep the User’s Personal Information accurate and complete. NGA suggests that the User regularly updates his/her/its Personal Information.
The User can request access to any of his/her/its Personal Information held by NGA at any time and for any purpose, including to request NGA to correct any portion of the Personal Information held by NGA which is inaccurate, or to delete the Personal Information which NGA is no longer entitled to retain by law or for a legitimate purpose.
The User also has the right to revoke his/her/its consent to the processing of his/its Personal Information by NGA.
DATA PRIVACY COMPLIANCE (POPIA & GDPR)
- Introduction
NGA provides its services to Accountable Institutions to assist them in meeting their compliance obligations in terms of the Financial Intelligence Act (FICA). These services are provided using software licensed from NGA. The integrity and confidentiality of the personal information of our customers and their clients is of critical importance for NGA.
- Data Privacy Laws and Regulations
The flow of our customer data originates in South Africa and is stored within South Africa, hosted via our own data storage facilities. NGA therefore complies with local (Protection of Personal Information Act) (POPIA) and global (General Data Protection Regulation) (GDPR) data privacy laws and regulations.
Personal information is processed by NGA, as well as our third-party service providers, for the specific, lawful purpose for which it is gathered, which is the customers’ FICA compliance obligations.
Section 72 of the POPIA allows for the transfer of data across international borders. However, as NGA’s data storage facilities are located within South Africa, the need for trans-border data flow is minimized.
As a responsible data controller and processor, NGA ensures that all data handling, storage, and processing activities comply with the highest standards of data protection and security as outlined by POPIA and GDPR.
The storage of our customers’ data within South Africa meets the stringent requirements set forth by section 72 of POPIA. This includes ensuring that adequate protections are in place for the secure handling and storage of personal information.
In summary, while the data remains within South Africa under the stringent security measures implemented by NGA, our compliance with local and international data protection laws remains a priority to safeguard the privacy and integrity of our customers’ information.
- Compliance and Data Protection Measures
NGA takes the security of our customer data very seriously and therefore has implemented the following data privacy compliance and security controls to mitigate the risk of data breaches. These controls are monitored regularly to ensure their operating effectiveness.
3.1 Data Privacy Policy
NGA has a privacy policy, and our policy approach is consistent with the core principles of POPIA, which is to protect the privacy rights of individuals and juristic entities and to ensure the secure handling of personal data. NGA is registered with the Information Regulator in South Africa, and any privacy-related concerns or complaints can be directed via info@nga.co.za.
3.2 Service Level Agreements (SLAs)
NGA has an SLA in place with every customer, where it is incumbent on the customer to obtain the necessary consent of their data subjects. The SLA confirms that NGA will only collect, store, and process data which is necessary to deliver agreed services. In addition, we have SLAs in place with our subcontractors, which state that data is not permitted for onward transmission.
Clauses in the SLA also address a vital part of POPIA, which is the destruction or de-identification of personal information when NGA no longer has the legal right to retain such information. For example, when an SLA with a customer is cancelled or is not renewed.
3.3 Data Access Control
Customer data is only examined directly if it is absolutely necessary for technical reasons. Furthermore, only the core development and support team have access privileges that allow for the direct modification of production data. Such modification is to be done in only the most critical of cases and/or at the documented request of a customer.
3.4 Data Encryption & Recovery Processes
Technical security measures are also monitored by NGA, this includes all customer data being encrypted during transmission and at rest. All data is backed up on a regular basis, and disaster recovery tests are run annually per company policy.
Users of the web interface must authenticate themselves with a username, password, and multi-factor authentication. NGA uses various software, infrastructure, and architecture to restrict logical access, including a defense-in-depth approach with gateway and perimeter defenses, encryption, secure operations policies and procedures, secured endpoints, and backups.
4.Conclusion
NGA’s security and risk management procedures have been audited by an independent audit firm, that has tested our controls as per the SOC 2 (Security and Organizational Controls) reporting standards. We trust that this provides your organization with assurance with regard to our commitment to data privacy and security standards. Should you have any further questions, please feel free to contact us at info@nga.co.za.