Privacy Notice & Consent to Use of Personal Information
This Club Metropolitan Golf Club (“the Club”), is firmly committed to protecting the privacy of our Members and associates. The Club is the sole owner of the information collected on this website. We will not share, sell, or otherwise distribute the financial or personal information of our Members, or those who otherwise provide personal information to us, to any other persons or organisations in any way other than what is disclosed in this Notice.
This Club is aware of its personal data obligations towards its Members, GolfRSA and all affiliates and associates of GolfRSA and hence this Notice and the Club’s personal data protection policy and practical implementation will always be compliant with South African law and international best practice.
We respect the privacy of everyone who visits this website. As a result, we would like to inform you regarding the way we would use your Personal Information. We recommend you read this Privacy Notice & Consent to Use of Personal Information (“Notice”) so that you understand our approach towards the use of your Personal Information. By submitting your Personal Information to this Club, you will be treated as having given your permission – where necessary and appropriate – for disclosures referred to in this Notice.
By using this website, you acknowledge that you have reviewed the terms of this Notice and agree that we may collect, use and transfer your Personal Information in accordance therewith. If you do not agree with these terms, you may choose not to use our website and please do not provide any Personal Information through this website. This Notice forms part of our Website Terms and Conditions of Use (where relevant or standalone if not displayed) and such shall be governed by and construed in accordance with the laws of South Africa. This Notice explains how we obtain, use and disclose your personal information, as is required by the Protection of Personal Information Act, No 4. Of 2013 (“POPIA”). This Club is committed to protecting your privacy and to ensure that your Personal Information is collected and used properly, lawfully and safely.
We collect and process your Personal Information mainly to provide you with access to our services and to interface with other Clubs, GolfRSA and the handicaps network provider. The type of information we collect will depend on the purpose for which it is collected and used. We will only collect information that we need for that purpose. We collect information directly from you where you provide us with your personal details, for example when you join this Club, or enter a competition associated with this Club. This Club collects Personal Information from when you register with us as a Member or to enter a competition played on our course. We will only use this information to carry out the processes for the purpose for which you registered with us. We will protect your Personal Information in accordance with this Notice and POPIA. If you agree, we will use your information to send marketing information to you (it will always have an “opt-out” element). This Club will not share your Personal Information with external third parties, save for the GolfRSA appointed handicaps network operator.
The Club will only collect Personal Information from you when the purpose for collection has been explicitly defined and agreed. We undertake to ensure that as the data subject, you are aware of the purpose for collecting your Personal Information. Where reasons for processing for further purposes arise, these will be explicitly defined and agreed. The Club will take reasonable steps to ensure that information is complete, accurate, not misleading and where necessary, updated. The Club will ensure that appropriate information security measures are established to ensure that Personal Information is protected in line with industry practices and standards. If the data has not been collected directly from the data subject, the source of collection will be provided together with name and address of the party.
- According to POPIA ‘‘Personal Information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The POPIA, which has more specific examples if you need them, can be found at the following link: https://popia.co.za/section-1-definitions/. Examples of information we collect from you are (“Personal Information”):
- residential address
- email address
- telephone/cell number
- possibly details of prior club
- banking details (where debit orders are implemented)
We also collect information about you from other sources as explained below. With your consent, we may also supplement the information that you provide to us with information we receive from other associates under the auspices of GolfRSA, in order to offer you a more consistent and personalised experience in your interactions with Club.
We may automatically collect non-personal information about you, such as the type of internet browsers you use, or the website from which you linked to our website. We may also aggregate details which you have submitted to the website (for example, the products or services you are interested in). You cannot be identified from this information and it is only used to assist us in providing an effective service on this website. We may from time-to-time supply third parties with this non-personal or aggregated data for uses in connection with this website.
We will use your Personal and non-personal information only for the purposes for which it was collected or agreed with you, for example:
- Analyse the effectiveness of our advertisements, competitions and promotions
- Collect information about the device you are using to view the website, such as your IP address or the type of Internet browser or operating system you are using and link this to your Personal Information so as to ensure that the website presents the best web experience for you
- Evaluate the use of the website, products and services
- For audit and record keeping purposes
- For market research purposes
- For monitoring and auditing website usage
- Help speed up your future activities and experience on the website. For example, a website can recognise that you have provided your Personal Information and will not request the same information a second time.
- In connection with legal proceedings
- Make the website easier to use and to better tailor the website and our products to your interests and needs
- Offer you the opportunity to take part in competitions or promotions
- Personalise your website experience, as well as to evaluate (anonymously and in the aggregate) statistics on website activity, such as what time you website it, whether you have website it before and what website referred you to it
- To assist with business development
- To carry out our obligations arising from any contracts entered into between you and us
- To conduct market or Member satisfaction research or for statistical analysis
- To confirm and verify your identity or to verify that you are an authorised Member for security purposes
- To contact you regarding products and services which may be of interest to you (including the Club’s newsletter), provided you have given us consent to do so or you have previously requested a product or service from us and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
- To notify you about changes to our service
- To respond to your queries or comments
- We will also use your Personal Information to comply with legal and regulatory requirements or industry codes to which we subscribe, or which apply to us, or when it is otherwise allowed by law
- Where we collect Personal Information for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we have to keep it for legitimate business or legal reasons. In order to protect information from accidental or malicious destruction, when we delete information from our services, we may not immediately delete residual copies from our servers or remove information from our backup systems
- You can opt out of receiving communications from us at any time. Any direct marketing communications that we send to you will provide you with the information and means necessary to opt out.
We may disclose your Personal Information to our business partners who are involved in the delivery of GolfRSA’s handicap system. We may thus share your Personal Information with and obtain information about you from:
- Third parties for the purposes listed above
- Other third parties from whom you have chosen to receive marketing information.
We may also disclose your information where we have a duty or a right to disclose in terms of law or industry codes.
We are legally obliged to provide adequate protection for the Personal Information we hold and to stop unauthorised access and use of personal information. We will, on an on-going basis, continue to renew security controls and related processes to ensure that your Personal Information is secure. Our security policies and procedures cover:
- Acceptable usage of personal information
- Access to personal information
- Computer and network security
- Governance and regulatory issues
- Investigating and reacting to security incidents
- Monitoring access and usage of personal information
- Physical security
- Retention and disposal of information
- Secure communications
- Security in contracting out activities or functions (these details are in the Club’s PAIA & POPI Policy and as a Member of this Club you may request a copy thereof).
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that Personal Information that we remain responsible for, is kept secure. We will ensure that anyone to whom we pass your Personal Information agrees to treat your information with the same level of protection as we are obliged to.
In terms of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA Act”) you have the right to request a copy of the Personal Information we hold about you. To do this, simply contact us at the numbers/addresses listed on our home page and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information. Please note that any such access request may be subject to a payment of a legally allowable fee, as laid down in our PAIA & POPIA Policy.
You have the right to ask us to update, correct or delete your Personal Information. We will take all reasonable steps to confirm your identity before making changes to Personal Information we may hold about you. We would appreciate it if you would take the necessary steps to keep your Personal Information accurate and up-to-date by notifying us of any changes we need to be aware of.
Should you have any concerns with the way in which we are processing your Personal Information, please contact your Club’s Information Officer, the details of whom are held at the Pro Shop, alternatively you are entitled to lodge a complaint with the Information Regulator, whose contact details are:
33 Hoofd Street
Forum III, 3rd Floor Braampark
P.O Box 31533
Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za
General enquiries email: firstname.lastname@example.org.
We pledge that our processing of your Personal Information will be handled in a way that complies with all the relevant laws and that your rights to privacy will be protected as required by law.
Please note that we may amend this Notice from time to time. Please check our website periodically to inform yourself of any changes. If you have any queries about this Notice or believe we have not adhered to it or need further information about our privacy practices or wish to give or withdraw consent, exercise preferences or access or correct your Personal Information, please contact us at the numbers/addresses listed on our website.
Privacy PAIA & POPI POLICY
This is the Metropolitan Golf Club’s (“the Club”) policy in terms of the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) and the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA“) (“the Policy”)
This Policy applies to the business of the Club wherever it is conducted, it applies to its Members, paid staff, guests, volunteers and associates of the Club upon the premises of the Club and towards the Club’s general business, golf and Member management conduct.
A: PAIA Policy
- PAIA is an act that was passed to give effect to the constitutional right, held by everyone in South African, of access to information which is held by the State or by another person (including the Club) and which is required for the exercise or protection of any right. Where a request is made in terms of PAIA, the body to which the request is made is obliged to give access to the requested information, except where the Act expressly provides that the information may or must not be released. It is important to note that PAIA recognises certain limitations to the right of access to information, including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient, and good governance and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.
- One of the main requirements specified in PAIA is the compilation of an information manual that provides information on both the types and categories of records held by a private body. This Policy serves as the Club’s Information Manual. This Policy is compiled in accordance with Section 51 of PAIA and the Schedule to POPIA. It is intended to give a description of the records held by and on behalf of the Club, to outline the procedure to be followed and the fees payable when requesting access to any of these records in the exercise of the right of access to information, with a view of enabling requesters to obtain records which they are entitled to in a quick, easy, and accessible manner. This Policy is available for public inspection at the physical address of the Club, free of charge.
- The Club only keeps the Personal Information of the Member as defined in the POPIA Policy below. Members shall at all reasonable times have access to such data and retrieve it in full via:
- personal presentation of his/her RSA ID at the Club’s Pro Shop; or
- via email to the Club Secretary, assuming that is the email held by the Club on record.
- The Club shall within a reasonable time provide a Member with that Personal Information and shall charge no fee to provide it.
B: POPIA Policy
Note: POPIA compliance is still in its infancy. The procedures and guidelines in this Policy are drafted using the best available guidance from the Information Regulator as of 1 July, 2021 and hence this Policy is Version 1.0. The Club notes that it will amend this document should practices and procedures change in due course (amendments as provided for and approved by GolfRSA).
- POPIA is intended to balance two competing interests. These are:
- our individual constitutional rights to privacy (which requires our Personal Information to be protected); and
- the needs of our society to have access to and to process (work with) our Personal Information for legitimate purposes, including the purpose of doing business.
- This Policy sets out the framework for our Clubs compliance with POPIA. Where reference is made to the “processing” of Personal Information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
- The purpose of this policy is to enable Club to:
- comply with the law in respect of the data it holds about individuals (known as Data Subjects in the POPIA);
- follow good reasonable commercial practice; &
- protect the Club’s staff and other individuals.
- The Club will always:
- comply with both the law and good practice;
- respect individuals’ rights;
- be open and honest with individuals whose data is held; &
- provide training and support for staff who handle personal data, so that they can act confidently and consistently with regards to PAIA and POPIA.
- POPIA aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are considered. In addition to being open and transparent, the Club will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
- The Club undertakes to follow POPIA at all relevant times and to process Personal Information lawfully and reasonably, so as not to infringe unnecessarily on the privacy of our Members and the Club recognises that its first priority under the POPIA is to avoid causing harm to individuals. In the main this means:
- the Club undertakes to process information only for the purpose for which it is intended, to enable us to do our work, as agreed with our Members;
- keeping information securely in the right hands;
- retention of good quality information;
- whenever necessary, the Club shall obtain consent to process Personal Information;
- where the Club does not seek consent, the processing of our Members Personal Information will be following a legal obligation placed upon us, or to protect a legitimate interest that requires protection;
- the Club shall stop processing Personal Information if the required consent is withdrawn, or if a legitimate objection is raised;
- the Club shall retain records of the Personal Information the Club has collected for the minimum period as required by law unless the Member has furnished their consent or instructed us to retain the records for a longer period;
- the Club shall destroy or delete records of the Personal Information (so as to de-identify the Member) as soon as reasonably possible after the time period for which the Club uses said data (please note that GolfRSA keeps Member’s information after they have left the Club in case they should re-join or move to another club, this is kept on the national handicaps system to which the Club is affiliated and as approved by GolfRSA and is fully POPIA compliant, for a maximum of 3 years);
- the Club undertakes to ensure that the Personal Information which the Club collects and processes is complete, accurate and not misleading and up to date;
- the Club undertakes to retain the physical file and the electronic data related to the processing of the Personal Information; &
- the Club undertakes to take special care with our Member’s bank account details and the Club is not entitled disclose or procure the disclosure of such banking details to any third party, save for the Club’s bank and the Member’s bank, purely for purposes of executing a debit order.
- The Club shall collect Personal Information directly from the Member whose information the Club require, unless:
- the information is of public record;
- the Member has consented to the collection of their Personal Information from another source;
- the collection of the information from another source does not prejudice the Member;
- the information to be collected is necessary for the maintenance of law and order or national security;
- the information is being collected to comply with a legal obligation, including an obligation to SARS;
- the information collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated;
- the information is required to maintain our legitimate interests; or
- where requesting consent is not reasonably practical in the circumstances.
- The Club shall restrict the processing of Personal Information:
- where the accuracy of the information is contested, for a period sufficient to enable us to verify the accuracy of the information;
- where the purpose for which the Personal Information was collected has been achieved and where the Personal Information is being retained only for the purposes of proof; or
- where the Member requests that the Personal Information be transmitted to another automated data processing system.
- According to POPIA ‘‘Personal Information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The POPIA, which has more specific examples if you need them, can be found at the following link: https://popia.co.za/section-1-definitions/
The Club collects the following information from its Members (Personal Information):
- residential address
- email address
- telephone/cell number
- possibly details of prior club
- banking details (where debit orders are implemented)
- The Club may automatically collect non-Personal Information about a Member such as the type of internet browsers a Member may use. The Club may also aggregate details which a Member has submitted to our website (for example, the products or services they are interested in). They cannot be identified from this information and it is only used to assist the Club in providing an effective service by the Club.
- The Club has identified the following potential key risks, which this Policy is designed to address:
- breach of confidentiality (information being given out inappropriately);
- insufficient clarity about the range of uses to which data will be put — leading to Data Subjects (our Members) being insufficiently informed;
- failure to offer choice about data use when appropriate;
- breach of security by allowing unauthorised access;
- harm to individuals if personal data is not up to date; &
- third party data operator contracts.
- The Members of the Club hold the following specific rights:
- in cases where the Member’s consent is required to process their Personal Information, this consent may be withdrawn.
- in cases where the Club processes Personal Information without consent to protect a legitimate interest, to comply with the law or to pursue or protect our legitimate interests, the Member has the right to object to such processing; &
- all Members are entitled to lodge a complaint regarding our application of POPIA with the Information Regulator.
- In order to secure the integrity and confidentiality of the Personal Information in our possession, and to protect it against loss or damage or unauthorised access, the Club must continue to implement the following security safeguards:
- our business premises where records are kept must remain protected by access control, burglar alarms and if possible, armed response;
- archived files must be stored behind locked doors and access control to these storage facilities must be implemented;
- all the user terminals on our internal computer network and our servers / PC’s / laptops must be protected by passwords which must be changed on a regular basis. This also applies to all cloud data storage modalities;
- our email infrastructure must comply with industry standard security safeguards (clubs shall deal directly with their service provider in this regard);
- if necessary, vulnerability assessments shall be carried out on our digital infrastructure to identify weaknesses in our systems and to ensure the Club has adequate security in place;
- the Club must use an internationally recognised firewall to protect the data on its local servers, and the Club must run antivirus protection at least every week to ensure its systems are kept updated with the latest patches;
- Club staff must be trained to carry out their duties in compliance with POPIA, and this training must be ongoing;
- it must be a term of the contract with every staff member that they must maintain full confidentiality in respect of all of our Members’ affairs, including our Members’ Personal Information;
- employment contracts for staff whose duty it is to process a Member’s Personal Information, must include an obligation on the staff member: (1) to maintain the Club’s security measures, and (2) to notify their manager/supervisor immediately if there are reasonable grounds to believe that the Personal Information of a Member has been accessed or acquired by any unauthorised person;
- the processing of the Personal Information of our staff members must take place in accordance with the rules contained in the relevant labour legislation; &
- the digital work profiles and privileges of staff who have left our employ must be properly terminated.
These security safeguards must be verified on a regular basis to ensure effective implementation, and these safeguards must be continually updated in response to new risks or deficiencies.
- Should it appear that the Personal Information of a Member has been accessed or acquired by an unauthorised person, the Club must notify the Information Regulator and the relevant Member/s, unless the Club is no longer able to identify the Member/s. This notification must take place as soon as reasonably possible.
- Such notification must be given to the Information Regulator first as it is possible that they, or another public body, might require the notification to the Member/s be delayed.
- The notification to the Member must be communicated in writing in one of the following ways, with a view to ensuring that the notification reaches the Member:
- by email to the Member’s last known email address;
- by publication on the Club’s website, or in the news media; or
- as directed by the Information Regulator
- This notification to the Member must give sufficient information to enable the Member to protect themselves against the potential consequences of the security breach, and must include:
- a description of the possible consequences of the breach;
- details of the measures that the Club intends to take or have taken to address the breach;
- the recommendation of what the Member could do to mitigate the adverse effects of the breach; &
- if known, the identity of the person who may have accessed, or acquired the Personal Information.
Correction of Personal Information
- A Member is entitled to require the Club to correct or delete Personal Information that the Club has, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
- A Member is also entitled to require the Club to destroy or delete records of Personal Information about the Member that the Club is no longer authorised to retain.
- Upon receipt of such a lawful request, the Club must comply as soon as reasonably practicable:
- in the event that a dispute arises regarding the Member’s rights to have information corrected, and in the event that the Member so requires, the Club must attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made; &
- the Club must notify the Member who has made a request for their Personal Information to be corrected or deleted what action the Club have taken as a result of such a request.
Special Personal Information
- Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
- The Club shall not process any of this special Personal Information without the Member’s consent, or where this is necessary for the establishment, exercise or defense of a right or an obligation in law.
- Having regard to the nature of the Club’s work, it is unlikely that the Club will ever have to process special Personal Information (save for that of minors), but should it be necessary the guidance of the Information Officer must be sought.
- The Club may only process the Personal Information of a minor if the Club have the consent of the child’s parent or legal guardian.
- Our Information Officer is our General Manager or is in a senior management position nominated and authorised by said General Manager in writing. Our Information Officer’s responsibilities include:
- encourage and ensure overall compliance with POPIA;
- encourage compliance with conditions for the lawful processing of Personal Information;
- deal with requests made by the Information Regulator or data subjects (individuals);
- work with the Regulator in relation to investigations conducted in accordance with the relevant provisions of POPIA;
- develop, implement and monitor a compliance framework;
- ensure that a personal information impact/risk assessment is performed to guarantee that adequate measures and standards exist within the entity;
- develop, monitor, maintain and make available a PAIA manual;
- develop internal measures and adequate systems to process requests for access to information; &
- ensure that internal awareness sessions are conducted regarding the provisions of POPI, the regulations and any codes of conduct or information obtained from the Regulator.
- Our Information Officer must register themselves with the Information Regulator prior to taking up their duties.
- In carrying out their duties, our Information Officer must ensure that:
- this Policy is implemented;
- that this Policy is developed, monitored, maintained, and made available;
- that internal measures are developed together with adequate systems to process requests for information or access to information;
- that internal awareness sessions are conducted regarding the provisions of POPIA, the Regulations, codes of conduct or information obtained from the Information Regulator; &
- that copies of this Policy are provided to persons at their request, (hard copies to be provided upon payment of a fee).
- Guidance notes on Information Officers have been published by the Information Regulator and our Information Officer must familiarise himself / herself with the content of these notes.
- A Member can rest assured that unless the Club is legally obliged to share their Personal Information, the Club will only share so much of a Member’s Personal Information as is needed by the authority that requires it, and we will only do so when it is necessary for the Club to do its work for the Member. In addition, all of our staff are bound by confidentially clauses in their letters of employment.
- Should a Member have any concerns with the way in which the Club is processing their Personal Information, the Member is entitled to lodge a complaint with the Information Regulator, whose contact details are:33 Hoofd Street
Forum III, 3rd Floor, Braampark
P.O Box 31533
Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za
General enquiries email: email@example.com
Staff Training & Acceptance of Responsibilities
- The Club’s Information Officer will ensure that all staff who have access to any kind of Personal Information will have their responsibilities outlined during their induction procedures. Continuing training will provide opportunities for staff to explore POPIA issues through training, team meetings, and supervision. Procedure for staff signifying acceptance of policy will ensure that all staff sign acceptance of this Policy once they have had a chance to understand the Policy and their responsibilities in terms of the policy and the POPIA.
- The Club may only carry out direct marketing (using any form of electronic communication) to Members if:
- they have been given an opportunity to object to receiving direct marketing material by electronic communication at the time that their Personal Information was collected; &
- they did not object then or at any time after receiving any such direct marketing communications from the Club.
- The Club may only approach Members using their Personal Information if the Club has obtained their Personal Information in the context of providing services associated with our business to them and the Club may then only market Club services to them.
- The Club may approach a person to ask for their consent to receive direct marketing material only once, and the Club may not do so if they have previously refused their consent.
- All direct marketing communications must disclose a Member’s identity and must contain an address or opt-out functionality, to which the Member may send a request that the communications cease.
Transborder Information Flows
- The Club may not transfer a Member’s Personal Information to a third party in a foreign country, unless:
- the Member consents to this, or requests it;
- such third party is subject to a law, binding corporate rules or a binding agreement which protects the Personal Information in a manner similar to POPIA, and such third party is governed by similar rules which prohibit the onward transfer of the Personal Information to a third party in another country;
- the transfer of the Personal Information is required for the performance of the contract between ourselves and the Member;
- the transfer is necessary for the conclusion or performance of a contract for the benefit of the Member entered into between the Club and the third party; or
- the transfer of the Personal Information is for the benefit of the Member and it is not reasonably possible to obtain their consent and that if it is possible the Member would be likely to give such consent.
Offences & Penalties
- POPIA provides for serious penalties for the contravention of its terms. For minor offences, a guilty party can receive a fine or be imprisoned for up to 12 months. For serious offences, the period of imprisonment rises to a maximum of 10 years. Administrative fines for the Club can reach a maximum of R10 million.
- Breaches of this Policy will also be viewed as a serious disciplinary offence by employees.
- It is therefore imperative that the Club complies strictly with the terms of this Policy and protects our Member’s Personal Information to international standard.
- This Policy shall be governed by and construed in accordance with the laws of South Africa.
Season: 7am - 7pm (Oct - March)
Non-Season: 7am - 6pm (April - Sept)
Bar Facilities: 11am - 9:00pm
Fritz Sonnenberg Road
Cape Town, 8001
Member Admin: 021 430 6013
General Manager: 021 430 6012
Golf Shop: 021 430 6015