Tennant Privacy Policy

This policy relates to Tennant Consolidated (Pty) Ltd and all subsidiaries and Financial Service Providers (FSP) subsidiaries thereof, hereinafter referred to as Tennant Group.

This policy explains, in detail, the nature of the personal data that we require in order to effectively provide relevant services and how our organisation uses this data (which is collected from you directly or from your employer) to effectively deliver high quality services.

The policy also provides an overview of the way in which data is collected and subsequently stored or destroyed and includes the details of the security measures that we have in place as well as the process to be followed should a breach occur.

This policy aims to promote the purposes of The Protection of Personal Information Act (Act No. 4 of 2013) by ensuring that people are protected from harm through the protection of their personal information and giving effect to the constitutional right to privacy.

This policy applies to you if you are:

· a visitor to our website;

· a user of the mobile Tennant App;

· a customer; or

· a member on any Fund that we administer or provide brokerage services to.

Your rights under this privacy policy include:

1. The right to find out whether we hold your personal information and if we do, you have the right to request access to any of your personal information that we hold;

2. The right to request, where necessary, that we correct, update, destroy or delete your personal information;

3. The right to object, on reasonable grounds, to the processing of your personal information;

4. The right to be notified that your personal information is being collected or that your personal information has been accessed or acquired by an unauthorised person (please refer to our data breach protocol for details);

5. The right to submit a complaint to the Information Regulator if you believe that there has been interference with the protection of your personal information, or that an independent adjudicator who may be resolving your complaint against us has not decided the matter correctly;

6. Lastly, you have the right to institute civil proceedings against Tennant Group if you believe that we have interfered with the protection of your personal information.

How do we comply with the 8 conditions set out by the Protection of Personal Information Act?

1. Accountability: Tennant Group complies with and adheres to POPIA.

2. Processing Limitation: Tennant Group only processes personal information when a legitimate basis exists. Information is processed in a fair, lawful, and non-excessive manner.

3. Purpose specification: Tennant Group only processes personal information for specific purposes. A list of these purposes is outlined in detail in this policy, which explains the lawful purpose that each department within the Tennant Group may use personal information for.

4. Further processing limitation: Tennant Group does not process personal information for a secondary purpose unless that secondary purpose is compatible with the original intended purpose and necessary to action processes outlined in this policy.

5. Information quality: Tennant Group makes every reasonable effort to ensure that the personal information that we process is complete, accurate, up to date and in no way misleading. Tennant Group relies on employers and other operators that we engage with to ensure the same when sending us a data subject’s personal information.

6. Openness: Tennant Group ensures that data subjects are aware of the processing of their personal information, including the source and purpose of its collection, which is all explained in this policy.

7. Security safeguards: Tennant Group has made every effort to ensure that the integrity and confidentiality of personal information is protected by taking appropriate, reasonable, technical and organisational measures. Examples of our security measures include data encryption and implementing a “clean desk” policy which all Tennant employees must adhere to.

8. Data subject participation: Tennant Group ensures that data subjects have access to their personal information upon request. Data subjects may also request the deletion or correction of any of their personal information.

What personal data do we collect?

Personal/Identification information

· Full name

· ID number

· Race/Colour

· Gender/Sex

· Pregnancy status

· Marital status

· National/Ethnic/Social origin

· Age

· Current physical/mental health status

· Disability/Well-being

· Language

Employment information

· Company that you are employed by

· Number of years employed

· Employee number (if applicable)

· Job title/role

· Current salary

· Income tax number

Information as required by FICA and amendments thereto

· Qualification verification

· Criminal background checks

· Credit check / financial status check

· Identity verification checks

Contact information

· Cellphone number

· Email address

· Residential address

Pension Fund information

· Current pension fund that you belong to

· Member category applicable

· Contribution percentage

· Risk benefit policy applicable

· Beneficiary Nominations

· Transferring Fund information where applicable

Medical Scheme information

· Current medical scheme that you belong to

· Number and nature of dependents (if applicable)

· Claims history (where applicable when assisting with escalated claim queries)

How do we collect your data?

We collect certain information on registration when you complete data fields on one of our group company websites or register on our mobile Tennant App. Upon visiting our website/registering on our App, you are informed of the data which needs to be entered and acknowledge that you give us permission to make use of the personal information that you provide us with when you register.

If you are a member on one of the funds which we administer or provide brokerage services to, some of the personal information that you have provided to your employer will be provided to us by your employer. We may also request information directly from you if necessary. We only collect information which is necessary for us to effectively render consulting and administration services.

When you receive a membership certificate or paid-up membership certificate, or when you fill in/update a beneficiary nomination form, we will request your consent to collect and use the personal information that you provide us with in accordance with applicable law.

How will we use your data?

Please note that all data received and stored is used for the purpose of providing financial consulting, administration, billing and financial functionality services to our clients. Information collected for FICA purposes will be screened against the United Nations Sanctions List as amended from time to time.

The data collected is used by various departments and sub-companies within the Tennant Group, which all adhere to this privacy policy. The details of how each division/company makes use of the data received are outlined below:

Tennant Administration Services (Pty) LTD

Data is used to process:

· Administrative Reports

· Payroll Reconciliations

· Home Loan Reports

· Risk Schedules

· Share of Fund Letters

· Contribution History Information

· Benefit Statements

· Member Beneficiary Nominations

· Fund Withdrawal Claims

· Tax Directives

· Quarterly Accounts

· Risk reports for Insurers

· Quotation information for new funds or policies

· Investment/Disinvestment instructions

· Investment Switch Forms

· FICA Documents (for banking purposes)

· Auditor’s Working Papers/Reports

· Supporting Audit Documentation and Schedules

· Schedules for Tracing Agents

· Actuarial/Valuation Data Reports

· Transfer (Recognition of Transfer) Documentation

Tennant International (Pty) LTD

Data is used to process:

· New Business Quotations (member data obtained from the employer is sent to obtain quotes)

· Re-broke Quotations (member data obtained from the employer is sent to obtain quotes)

· Insurance Quoted for Group Risk

· Member Queries (usually dealt with in connection with the Payroll/HR department and occasionally the Trustees of the Fund will also be involved)

· Trustee Resolutions

· Actuarial Queries

· Auditor Queries

· Asset Management

· Medical Underwriting Requests

· Monthly billing details (member details uploaded and/or captured on administrator portals on behalf of our clients and claims are electronically loaded on administrator portals on behalf of our clients)

· Leads sent to Tennant Wealth in respect of members withdrawing from funds we consult on.

· New Investment Applications or New Instructions

· Client Investment Statements

· Client Policy Documents

· Medical questionnaires

· Claims lodged for risk protection (death, disability or otherwise)

· Quotes requested for clients for investments and risk protection

· Records of advice

· Activation of Membership

· Billing Statements (claims transaction history)

· Corporate Health Reviews

· Medical Scheme applications and Employer forms

· Year-end Benefit Updates

· Onboarding of New Staff and Dependents

· Withdrawal of Staff and Dependents

Tennant Life Benefits (Pty) LTD - Legal Department

Data is used to process:

· Section 14 Transfers

· Adjudicator Complaints

· FSCA Complaints

· Deregistration of Funds

· Monthly Trustee Reports (includes data on general fund financials as well as member home loans and indemnity cover)

Tennant Life Benefits (Pty) LTD - Consulting Department

Data is used to process:

· New Business Quotations (member data obtained from the employer is sent to obtain quotes)

· Re-broke Quotations (member data obtained from the employer is sent to obtain quotes)

· Insurance Quoted for Group Risk

· Member Queries (usually dealt with in connection with the Payroll/HR department and occasionally the Trustees of the Fund will also be involved)

· Trustee Resolutions

· Actuarial Queries

· Auditor Queries

· Asset Management

· Medical Underwriting Requests

· Monthly billing details (member details uploaded and/or captured on administrator portals on behalf of our clients and claims are electronically loaded on administrator portals on behalf of our clients)

· Leads sent to Tennant Wealth in respect of members withdrawing from funds we consult on.

· New Investment Applications or New Instructions

· Client Investment Statements

· Client Policy Documents

· Medical questionnaires

· Claims lodged for risk protection (death, disability or otherwise)

· Quotes requested for clients for investments and risk protection

· Records of advice

Tennant Life Benefits (Pty) LTD - Health Benefits Department

Data is used to process:

· Activation of Membership

· Billing Statements (claims transaction history)

· Corporate Health Reviews

· Medical Scheme applications and Employer forms

· Year-end Benefit Updates

· Onboarding of New Staff and Dependents

· Withdrawal of Staff and Dependents

Tennant Wealth (Pty) LTD

Data is used to process:

· New Investment Applications or New Instructions

· Client Investment Statements

· Client Policy Documents

· Medical questionnaires

· Claims lodged for risk protection (death, disability or otherwise)

· Quotes requested for clients for investments and risk protection

· The drafting of Wills arranged for clients

· Records of advice

Enable Better Solutions (Pty) LTD AND Tennant Payroll Services (Pty) LTD

Data is used to process:

· Personal files on payroll and PaySpace software

· Process actual and mock payslips

· Calculations

· Reconcile Payroll

· Extract and submit Reports (Management, Statutory, 3rd Party, ACBs)

· Bi-annual reconciliation of payroll taxes and IRP5 submission to SARS

· Monthly reconciliation of payroll taxes and 3rd party payments

· Tax Directives

· Auditor’s Working Papers/Reports

Tennant Human Capital Solutions (Pty) LTD

Data is used to process:

· Billing information received directly from clients via various channels

· Employment data and employment history information

· Psychometric evaluations and criminal records

· Credit information check

· FICA information as detailed above

· SARS information as pertaining to employment

Tennant Financial Services (Pty) LTD AND Galatis (Pty) LTD

Data is used to process:

· Personal files and contact details

· Beneficiary details

· Bank account details

· Investment details

· Calculations of personal worth

· Director and Shareholder information

· Extract and submit Reports (Management, Statutory, 3rd Party, ACBs)

· Tax Information

· Auditor’s Working Papers/Reports

Who do we share your data with?

· Trustees of the Fund on which you are a member

· Your Employer (usually the HR/Payroll Department)

· The Fund’s Valuator/Actuary

· Other Retirement Fund/Employee Benefit Administrators (where applicable)

· External Consultants/Brokers of the Fund on which you are a member (where applicable)

· The Financial Sector Conduct Authority (FSCA)

· Pension Fund Adjudicator (in the case of a complaint having been received)

· Asset/Investment managers

· Auditors

· Insurers and Underwriters

· Medical Aid Schemes

· Medical Doctors (where applicable given the nature of the services being provided)

· Tracing Agents (where necessary)

· South African Revenue Services (SARS)

· Department of Employment and Labour

· Compensation Commissioner

· Financial Intelligence Centre (where applicable)

How do we store your data?

All data is stored in privately hosted data centers. Physical access to these facilities is restricted. The data is encrypted and access to removable storage has been limited.

Communication between the data centers is secured by means of an IPsec tunnel.

How long do we keep your data?

Section 14 of The Protection of Personal Information Act (Act No. 4 of 2013) states that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

· retention of the record is required or authorised by law;

· the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

· retention of the record is required by a contract between the parties thereto; or

· the data subject or a competent person where the data subject is a child has consented to the retention of the record.

Please note that as a Financial Services Provider, the Tennant Group is legally required (as per the Financial Advisory and Intermediary Services Act 37 of 2002) to keep historical data for a minimum period of 5 years. Furthermore, Tennant Group (as Operator and Responsible Party) reasonably requires records to be kept for lawful purposes related to our various business functions and activities.

Due to our specific lines of business and the nature/regulations of the industries in which we operate, we do not delete or destroy any data which we receive. The purpose of retaining all the personal information which we have on record is to enable us to address any queries received from current or former members/clients as well as the relevant authorities (e.g. the Pension Fund Adjudicator or FSCA), regardless of the number of years which the queries may date back to.

Data which is stored electronically will be kept indefinitely.

Protocol that will be followed should a data breach occur

A data breach is a security incident involving the unauthorised release of private and sensitive information. Data breaches can expose personal information, financial information, software codes, and even intellectual property.

Section 22 of The Protection of Personal Information Act sets out that security compromises (data breaches) occur anytime that there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person (which in turn triggers the comprehensive, mandatory data breach reporting obligations of the responsible party as soon as reasonably possible).

The reporting obligations require the Responsible Party to notify the Information Regulator as well as the data subject(s) concerned (unless the identity of the data subject(s) cannot be established).

The Information Regulator may allow/direct the responsible party to publicise the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

In line with the requirements of POPIA, the below outlines the procedure following a data breach that all Tennant employees are obligated to follow:

1. Immediately notify line manager/director/other person of authority in the organisation.

2. Co-operate fully regarding the nature of the loss and all important or required details.

3. The line manager/director/person of authority will immediately contact the Information Officer, Mr. Steve Tennant, and the IT Team.

4. Immediate action will be taken regarding the safety and security of information and preventing any loss of information.

5. The Information Officer will notify the Information Regulator as soon as is reasonably possible (within 72 hours) as well as any parties whose personal information has been accessed or acquired by an unauthorised party.

6. The notification will, at the very least, contain the following information:

6.1 A description of the possible consequences of the security compromise;

6.2 A description of the measures taken or proposed to be taken by the responsible party to remedy the security breach;

6.3 A recommendation of the measures that any party whose personal information was leaked in the security compromise should take in order to mitigate the possible adverse effects of the security compromise;

6.4 The identity of the unauthorised person, if known, who accessed or acquired the personal information.

7. If the personal information of individuals in the European Union (EU) is affected by a data breach in South Africa, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, requires the responsible party to notify the supervisory authority in the EU without undue delay, and at the latest within seventy-two hours after having become aware of the security breach. The notification in this case must:

7.1 Describe the nature of the breach;

7.2 State the categories and number of persons affected by the breach;

7.3 State the contact details of the data protection officer where further information can be obtained;

7.4 Describe the likely consequences of the breach; and

7.5 Describe the measures taken or proposed to be taken by the Company to remedy the breach, including measures to mitigate its possible adverse effects.

8. A full investigation will be undertaken to analyse the nature and reason for the breach with documentation of the incident response and notification.

9. Security policies and procedures must be reviewed and adjusted where necessary.

10. Evidence of education and awareness programs undertaken by Tennant employees is to be provided where applicable.

11. A security risk analysis will be implemented and risk mitigation plans revisited.

12. Should the breach be caused by a vendor, the vendor agreements will be analysed and amended.

13. Evidence of corrective action will be provided.

14. A full report regarding the nature and reason for the breach will be provided to the Tennant Exco Board and made available to affected parties where necessary.

15. Simulation testing may be undertaken.

Marketing

Marketing material and company newsletters (e.g. The Tennant Times) are only sent to data subjects who are on our database. The majority of our database consists of our existing and potential clients.

The Tennant Group does attempt to avoid sending unsolicited marketing material to the general public. However, should a data subject wish to no longer receive marketing material from Tennant, they can request to be removed by replying to the email and informing us that they wish to unsubscribe. As soon as this request is received, the data subject will be removed from the relevant mailing list.

How to contact us

Our information officers:

Stephen Tennant, the Managing Director of Tennant Consolidated (Pty) Ltd, is the appointed Information Officer for all divisions of the Tennant Group and all Funds administered by Tennant.

· Email: stephen.tennant@tennant.co.za

· Telephone: (011) 100 8110

Shelley Gaillard, the head of Legal and Compliance at Tennant Life Benefits (Pty) Ltd, is serving as the Deputy Information Officer on all Funds administered by Tennant.

· Email: shelley.gaillard@tennant.co.za

· Telephone: (011) 100 8100

General Contact Numbers:

Tennant Administration Services (Pty) Ltd: (011) 100 8101

Tennant Life Benefits (Pty) Ltd: (011) 100 8100

How to contact the appropriate authorities:

· Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, 2191

· Email Address: enquiries@inforegulator.org.za

· Contact Number: (010) 023-5207

· Website: inforegulator.org.za