CAVALEROS GROUP PRIVACY NOTICE
WHO WE ARE
We are the Cavaleros Group, consisting of Cavaleros Group Holdings Proprietary Limited (Registration Number: 1999/018061/07) and its Associated Companies and Subsidiaries (“Cavaleros”, “we”, or “us”). We are a Real Estate Investment Group that primarily invests, develops and manages commercial, industrial, hotel and retail assets in South Africa and the United Kingdom. Our offices are situated at Block B, Eastgate Office Park, South Boulevard, Bruma, Johannesburg, 2198, South Africa.
This Privacy Notice applies for all entities within the Cavaleros Group of Companies.
WHO THIS PRIVACY NOTICE APPLIES TO
This Privacy Notice applies to all persons (both natural and juristic) that Cavaleros collects and process personal information from or about (“you”), including but not limited to:
- Clients, consumers, tenants and prospective tenants;
- Property brokers (current or potential) and property sellers and purchasers (current or potential);
- Suppliers, service providers, contractors, consultants;
- Employees and recruitment candidates; and
- Other third parties.
Cavaleros is committed to protecting the confidentiality and privacy of the personal information it processes. This Privacy Notice explains how we process and protect your personal information. As a South African group of companies, all our data processing activities are primarily regulated by the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”), as amended from time to time. For the purposes of this Privacy Notice, the terms “personal information” and “process”, are as defined in POPIA.
POPIA defines personal information as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
WHAT PERSONAL INFORMATION WE MAY COLLECT AND PROCESS
While using our website, or engaging with us for any reason, you may be required to provide us with your personal information. This may happen when, for example, you send through an enquiry on a contact form on our website, you submit a job application to us, you become employed by us, it is necessary for the provision of any services provided by us or you, or when concluding a contract with us.
In certain instances, you may also be required to provide us with sensitive information that is classified by POPIA as special personal information. The collection of this information from you, when required, will be necessary in order to achieve the purpose that we are collecting and processing it for.
Some of the personal information that we may collect from you, could include:
- Personal identification details such as name, surname, ID/Passport Number;
- Corporate identification details, such as name, registration number, CIPC registrations and details, banking details, SARS and VAT registration information;
- Contact details, such as phone numbers, email addresses, physical and postal addresses;
- Demographic details, such as race, gender, language, marital status and age groups (primarily in relation to employees and recruitment applicants) and corporate demographic details (in relation to tenants and/or prospective tenants);
- Biometric information (in relation to employees, contractors, tenants and security personnel);
- Personal details, such as names, family information, next of kin details, employee benefit information and dependant details (primarily in relation to employees);
- Financial information, for example bank account details and tax information (primarily in relation to service providers, suppliers, contractors, employees and tenants/prospective tenants), assets, liabilities, income and expenses, audited financial statements (primarily in relation to tenants and prospective tenants);
- Credit information (primarily in relation to tenants and prospective tenants);
- Background information and checks, and criminal checks (primarily in relation to employees, contractors, security personnel and recruitment candidates);
- Qualification information, CV’s and other personal information that may be requested throughout the recruitment process to assess and consider your job application (in relation to employees and recruitment applicants);
- Personal opinions and correspondence of a private and confidential nature (primarily in relation to employees, tenants, contractors, suppliers, service providers and consultants);
- When you use one of our contact forms on our website, personal information may be requested and once submitted will be stored in the database of our website.
WHO WE COLLECT YOUR PERSONAL INFORMATION FROM
Generally, we collect your personal information directly from you. However, in certain circumstances we may also collect your personal information from other sources, where this is necessary to achieve the purpose that such information is being collected for.
Generally, the collection of personal information from you and the other sources referred to above is mandatory in order to achieve the purpose for which it is being collected by us (as set out below). We will notify you where the collection of certain personal information is voluntary and not mandatory. The refusal to provide us with the mandatory personal information that we may require, may have an impact on our ability to provide you with our services or to achieve the purpose that we require the personal information for.
THE PURPOSES THAT WE MAY USE PERSONAL INFORMATION FOR
We may collect, use, share and/or generally process your personal information (including, where applicable your special personal information) for the following purposes (“Permitted Purposes”):
- To provide you with products and services;
- To conclude or perform a contract with you, or to take any take steps linked to or necessary for the conclusion or performance of a contract with you;
- To perform general administrative, operational, management and performance functions and activities relating to the operation and running of our business and of our website, and for the purposes of managing our legal and operational affairs;
- Where you are applying for a vacancy with us, to process your application throughout our recruitment process;
- Where you an employee or consultant of Cavaleros, for the purposes of managing your employment or consultancy with us, to enable you to carry out your employment or consultancy with us, and for the purposes of performing under the employment contract or consultancy agreement concluded with us;
- Where you are a tenant, contractor, consultant, service provider or supplier, to enable us to perform our financial and procurements processes, such as vetting, invoicing, purchase orders and payments and to conduct general day to day business with you;
- Where you are a contractor, employee, tenant, or security personnel, biometric information is processed to enable access to the applicable Cavaleros property that is secured with biometric access control and, where applicable to conduct criminal checks in screening for access into sensitive areas;
- Where you are a tenant or prospective tenant, for the purposes of tenant vetting, concluding an offer to lease document and lease agreement, including the vetting of named sureties and conclusion of suretyship agreements, and to generally manage the leasing relationship and payment of rental between us;
- To improve our services and to manage our relationship with you, for example by asking for your feedback on the services you received from us or through the completion of a satisfaction survey or questionnaire;
- Where applicable, for general marketing and communication purposes, where you are a previous or existing client of Cavaleros or where you have signed up to receive marketing communications from us. This will include where you have signed up and consented to receiving marketing communications from any of our shopping centres through the use of our public Wi-Fi that is made available at the centre. In instances where you sign up to receive marketing communications from us, the contact details and/or email address that you provide us with for the purposes of these marketing communications is solely used for the purposes of our marketing database. All general marketing and communications will be in compliance with the provisions of POPIA. You will be given the opportunity to unsubscribe from any marketing communications, general communications and/or newsletters at any time, and with each communication received;
- For credit checking or credit reporting purposes (though a credit bureau or tenant profiling organisation), in order to assist Cavaleros’ decision to provide services to you or to report on any slow or non-payment of your accounts with Cavaleros;
- Where necessary, for any purposes which are in our, your, or a third party’s legitimate interest;
- To comply with all legislative and legal requirements placed on us, which may include, but not be limited to, legislative reporting and document retention periods and where the law requires that information be notified to third parties (such as government institutions or statutory bodies);
- For any purposes which are required or authorised by law;
- To respond to requests by government, statutory bodies, a court of law, or law enforcement authorities conducting an investigation;
- For reporting, statistical, analytical, research and historical purposes;
- In relation to the use of our website, to identify, investigate and attend to any technical issues, support and user queries;
- To detect, prevent or deal with any actual or alleged fraud, security breach, or the abuse, misuse or unauthorised use of the website and/or contravention of this Privacy Notice.
We may also collect, use, share and/or generally process personal information or data that has been de-identified and/or aggregated, for example statistical or demographic data, for any purpose. Aggregated or de-identified data is not considered personal information in terms of POPIA, as this information is de-identified and does not, directly or indirectly, reveal your identity.
DISCLOSURE OF YOUR PERSONAL INFORMATION
We value and respect the confidentiality and privacy of the personal information that you entrust us with. We are not in the business of selling your personal information and we will not share or disclose your personal information to anyone except as provided in this Privacy Notice and/or any contracts or terms and conditions of service concluded with us.
By using our website and/or engaging with us for the provision of products or services, you acknowledge and agree that we may share your personal information (including, where applicable your special personal information) in the following instances:
- If it is necessary in order to provide you with a service that you have requested or contracted us to provide or source on your behalf;
- If it is in your legitimate interest;
- If it is necessary for the proper performance of a public law duty by a public body;
- If it is required or authorised by law;
- If you have provided us with your consent;
- With our service providers (including our suppliers, subcontractors, affiliates, partners, agents, consultants and professional advisors), in order to provide you with our services, for reporting purposes or generally as required for the administration and management of our business. In these instances, we will ensure that the necessary security safeguards and confidentiality undertakings are in place to secure your personal information. We will only allow third parties to process your personal information for a specific purpose, in accordance with our instructions and in accordance with the requirements of POPIA and any other applicable data privacy laws;
- With our employees and contractors, who may require that information to do their jobs;
- In respect of our tenants, with the Tenant Profile Network (TPN) or any similar tenant profiling organisation, with our billing and administration service providers, with any leasing agents or leasing managers contracted by us, with our appointed security services providers to set up and manage you access to and security at the leased premises, and with Credit Bureaus (where required);
- In respect of our employees, with companies that have been contracted to provide you with employee benefits that are offered to you as an employee, including medical schemes and administrators, pension and provident funds, and any other applicable employee benefit companies;
- In relation to our direct marketing activities, with our marketing services providers who may be contracted to manage or administer our direct marketing activities on our behalf. In these instances, we will ensure that the necessary security safeguards and confidentiality undertakings are in place to secure your personal information. We will only allow your personal information to be processed for a specific purpose, in accordance with our instructions and in accordance with the requirements of POPIA and any other applicable data privacy laws;
- With regulators, government authorities and statutory bodies in connection with our compliance procedures and legal obligations;
- With a purchaser or prospective purchaser of all or part of any of our assets, business, or the shares of our company (or of any subsidiary company), and their professional advisers, in connection with the purchase;
- With a third party, in order to enforce or defend our rights, or to address financial or reputational risks.
SECURING YOUR PERSONAL INFORMATION
Securing the personal information you give us, or that we receive about you, is a priority for Cavaleros.
We have appropriate and reasonable physical, technical and organisational security measures in place to protect the personal information that we process, in accordance with the requirements of POPIA.
HOW LONG WE RETAIN PERSONAL INFORMATION FOR
We will not retain your personal information longer than necessary. We will retain the personal information you provide to us or that we receive about you for as long as is needed to achieve the purpose that it was collected for, or for an extended period of time, even after the personal information is no longer needed to achieve the purpose that it was collected for, if the retention of your personal information records is:
- Required by law or any code of conduct;
- Required to meet regulatory requirements;
- Needed for evidentiary purposes, to resolve disputes, to prevent or investigate fraud and abuse, or to enforce any contract concluded with you;
- Reasonably required for lawful purposes that are related to Cavaleros’ functions, operations or activities;
- Determined necessary in accordance with our internal document retention and destruction policies;
- Required for historical, research or statistical purposes. In these circumstances we will take measures to de-identify this personal information as far as reasonably possible and ensure that such retention is in compliance with the provisions of POPIA, where not de-identified.
Where applicable, personal information that has been included on customer or client database and that is used for marketing and communication purposes will be retained by us. When you request to unsubscribe from these communications, your contact information contained in this database will be placed into an unsubscribe list, to enable us to manage and honour your unsubscribe request. Should you require us to delete your information completely from our marketing and communications database, you understand that we will no longer be able to manage your unsubscribe request (as we will no longer have a record of your unsubscribe request available in our database).
Cavaleros does engage in certain direct marketing activities. Any electronic communications sent out by Cavaleros for the purposes of direct marketing will however be done in compliance with the requirements of POPIA.
STORAGE AND TRANSFER OF YOUR PERSONAL INFORMATION
We may store both hard copy and electronic records containing personal information.
While Cavaleros endeavours, as far as reasonably possible, to store your personal information locally in South Africa, we may be required to transfer to and/or store your personal information on servers located outside of South Africa. Cavaleros may also have third party service providers that are located outside of South Africa, which may result in your personal information being transferred and processed outside of South Africa. Some of this personal information may be special personal information.
Cavaleros will take reasonable and appropriate measures to ensure that any personal information, including special personal information, that is transferred outside of the borders of South Africa is transferred in compliance with the requirements of POPIA and that an adequate level of privacy protection is in place between us and these third-party service providers.
PROCESSING OF SPECIAL PERSONAL INFORMATION AND CHILDREN’S PERSONAL INFORMATION
In certain limited instances, Cavaleros may be required to collect and process special personal information and/or children’s personal information, particularly in relation to our employees and the management of their employment with us.
Any special personal information and children’s personal information that is required to be collected and processed by Cavaleros will be done in compliance with the provisions of POPIA.
WHAT ARE YOUR PRIVACY RIGHTS
As a data subject, POPIA provides you with a number of rights in relation to how your personal information is used and processed. In terms of POPIA, you are entitled, in the prescribed manner and form, to:
- Request a copy of the personal information that we hold about you (subject to and in accordance with the provisions of the Promotion of Access to Information Act);
- Update the personal information you have given to us, in the event that the personal information is inaccurate or outdated;
- Request the correction, destruction or deletion of personal information we hold about you (where legally permissible and subject to our right not to correct or delete the personal information record in certain circumstances);
- Object to your personal information being processed by us (on reasonable and lawful grounds), in instances where you have a legitimate reason to believe that we are not processing your personal information in accordance with the provisions of POPIA; and to
- Object to any processing of your personal information for the purpose of direct marketing by electronic communication, in the prescribed manner and form, or to unsubscribe from receiving any marketing or communication emails received from us by clicking the “unsubscribe” link at the bottom of any email.
We will make commercially reasonable efforts to provide you reasonable access to any of your personal or other account information that we process and/or retain. In certain circumstances, such as when we are required retain or withhold the disclosure of certain personal information by law, we may not be able to provide you with access to all your personal information or we may not be able to change, rectify or delete your personal information at your request. In these circumstances, we will provide you with reasons as to why your request cannot be complied with.
Generally, all personal information records will only be made available in accordance with the Promotion of Access to Information Act, 2 of 2002 (“PAIA”), and such requests are required to be made in terms of PAIA, through the completion and submission of the prescribed PAIA Form C . These requests will be addressed and dealt with in accordance with the provisions of PAIA and in accordance with the processes and timelines that have been put in place by Cavaleros to address data subject access requests and complaints.
If you have a complaint about how we are processing your personal information, or if you wish to object to us processing your personal information or request the correction, deletion or destruction of any of the personal information records we hold about you please contact our Information Officer at email@example.com (Attention: Information Officer), in the first instance, so that we can resolve the complaint or attend to your request.
All requests need to be submitted on the prescribed forms, as set out in the POPIA Regulations.All requests for access to personal information records must be done through the completion and submission of the prescribed PAIA Form C, as prescribed in terms of PAIA. The prescribed form for reporting complaints regarding the use or processing of your personal information by us, must be addressed on Form 1-Objection to Processing of Personal Information.pdf
The prescribed form for requesting the correction, deletion or destruction of your personal information records by us, must be addressed on Form 2 – Request for Correction or Deletion of Personal Information.pdf. You acknowledge that in some instances Cavaleros may not be able to comply with your request to correct or delete your personal information, where this request conflicts with any applicable laws.
In terms of POPIA, you are also entitled to direct a compliant to the Office of the Information Regulator, South Africa, if you feel that your complaint has not been adequately addressed directly with us. Complaints to be addressed to the Information Regulator must be completed in the prescribed manner and form (on prescribed Form 5 Part II, as set out in the POPIA Regulations). The Office of the Information Regulator may be contacted at firstname.lastname@example.org (general enquiries) or complaints.IR@justice.gov.za (complaints). Their website is: http://www.justice.gov.za/inforeg/.
CHANGES TO THIS PRIVACY NOTICE
Changes may need to be made to this Privacy Notice, from time to time. We will endeavour to only make changes to this Privacy Notice where they are material, necessary and/or required as a result of legislative or regulatory changes or guidance, or any code of conducts published that may be relevant to the industry in which our business operates. Any changes made to this Privacy Notice will be posted through an updated Privacy Notice that is loaded onto this website page. Please check this page to keep informed of any updated or revised Privacy Notice that may be posted.
LAWS APPLICABLE TO THIS PRIVACY NOTICE
This Privacy Notice is governed by the laws of the Republic of South Africa, and you hereby consent to the jurisdiction of the South African courts in respect of any dispute which may arise out of or in connection with the formation, interpretation, substance or application of this Privacy Notice.