
Privacy Policy

At Aloha Lodge CC (hereinafter the “Company”), we are committed to protecting the privacy of our clients, patrons, suppliers, contractors and employees. This policy outlines our approach to the collection, use, and protection of personal information in accordance with the Protection of Personal Information Act (POPIA). The policy applies to all employees, customers, and any other relevant parties who interact with the Company.
This Policy is mandated by the introduction and enforcement of the requirements of the following South African regulatory Acts:


a) “Promotion of Access to Information Act” and
b) “Protection Of Personal Information Act”.


These Acts are more commonly referred to as “PAIA & POPIA”. The reason for the propagation of these acts was to ensure that both Individual (Person) and Juristic Persons (Entities) rights, which are part of The South African Constitution, are upheld. These reference documents and Acts are available to the Company employees, contractors and third parties on the internet.

Data Collection:

The Company collects personal information for various purposes, including but not limited to, providing services and support, processing payments, to support ongoing employer and employee relationships, as well as to communicate and engage with customers, service providers and contractors.
The Company undertakes that it shall only process information in a manner that is compliant with the regulations and is lawful and reasonable. Furthermore, where specific consent is required for the processing of information, such consent will be obtained.
In line with the regulations, Personal Information will be processed under the following (non-exhaustive) set of circumstances:

  • for legal compliance

  • for the conclusion or performance of a contract

  • for the protection of a legitimate interest of the data subject

  • for pursuing the legitimate interests of the Company

  • for a legally authorised third party to whom the information is supplied.

The Company collects personal information through forms, emails, contracts, web browsers, website cookies, social media platforms, resumés and other means. In some cases, we may obtain personal information from third-party sources, such as credit bureaus or social media sites.

Data Processing Conditions:

As a Company, we shall abide by the processing conditions stipulated by the POPIA.
The eight conditions are:

  1. Lawfulness: Personal information may only be processed if it is done so in a lawful manner. 

  2. Purpose specification: The specific purpose for which personal information is being processed must be specified. 

  3. Further processing limitation: Personal information may only be processed for the purpose specified and cannot be processed for any other purpose. 

  4. Minimization: The amount of personal information collected and processed must be limited to what is necessary for the specified purpose. 

  5. Accuracy: Personal information must be accurate, complete, and up-to-date.

  6. Transparency: Individuals must be informed of the collection, use, and processing of their personal information.

  7. Security: Appropriate measures must be taken to ensure the security of personal information, including protection against unauthorized access, loss, theft, or destruction.

  8. Accountability: Those processing personal information must be accountable for ensuring that the above conditions are met and must take responsibility for any breaches of the POPI Act.

The Company shall ensure that all the conditions above are integrated into any Data Processing or operations to ensure that the Company is compliant with the provisions of the Act.

Data Special & Minor Information:

The Company may hold and collect Special and Minor data in relation to our Employees or Patrons. This is for the purpose of administration, management and concluding various agreements with the respective party and in compliance with applicable laws and regulations.

Compliance Obligation:

The Company will manage its compliance requirements based on laws, required policies and in respect of the assessed risks and liabilities in order to conduct business on a ‘day-to-day’ basis. These obligations shall be assessed, and appropriate policies developed and implemented by the Company to manage compliance requirements within the organisation and with relevant stakeholders.

Data Security:

The Company takes the protection of Personal Information very seriously and will implement appropriate measures to secure the personal information it collects. All personal information shall be stored on secure servers and will only be accessible by authorized personnel for specific, lawful purposes. The Company takes the stance that they do not share personal information with third parties unless it is necessary for the provision of our services or as required by law.

Data Records Schedule:

The Company, in accordance with the POPIA, is obligated to maintain a Schedule of records. The Schedule of records will be maintained by the Company to ensure compliance regarding the defined access to these records from the public, our employees and appointed third parties.

Data Retention:

The Company shall only keep personal information for as long as necessary to provide the services or support requested by our customers and appointed operators. The Company shall establish conditions for determining when Personal Information is no longer needed and will ensure that it is deleted or destroyed in a secure manner once such conditions are met.
In accordance with the “Protection of Personal Information Act (POPIA)”, the Company is obligated to manage this retention of documentation, based on:
1. the different legal requirements which are imposed on the Company for document retention; and
2. the requirements imposed on the Company for the execution of contracts, agreements and/or association rules; and
3. internal policies regarding data retention.

Data Deletion:

In accordance with the POPIA, the Company is required to implement a record Deletion policy. This policy will manage and establish conditions for determining when data records are no longer needed and will ensure that they are deleted or destroyed in a secure manner once such conditions are met. This policy obligates the Company to manage the deletion of documentation, based on the different legal requirements which are imposed on the Company. Where document deletion and associated legal requirements are imposed on the Company for the execution of contracts, agreements and/or association rules and internal policies regarding data retention, the Company shall adhere to all such obligations.

Data Sharing:

In some cases, it may be necessary for the Company to share information with third parties, in order to provide our services. In these instances, we shall ensure that the third party is also compliant with the POPIA and has appropriate measures in place to protect the data subject. We shall also have agreements in place with these third parties to ensure that information is used only for the purposes for which it was supplied.

Data Storage:

Based on the document classification, all information regarding the Company, clients, employees, subcontractors, and appointed third party/operators and/or service providers, may be stored on the Company IT Infrastructure or equipment and/or at appointed third party service providers and at their respective locations. The location of the storage of the data will be dependent on the provided IT Equipment and in accordance with the agreed-upon service being provided by the appointed third party service provider. Physical documentation and/or items will be access controlled or stored with a third party who specialises in the storage of physical documents and/or items in a secure manner.

Data Online:

The Company recognises that the access to or storage of information online is a major risk and as such shall implement all the appropriate and/or policies required for legal compliance and to mitigate and manage risk, to ensure that the organisation and all information captured, stored and/or held in any form electronically online or stored locally in physical form shall be secured, tracked and controlled.

Impact Assessments:

In line with the regulatory obligations, the Company shall perform an annual Data Processing Impact Assessment in order to evaluate any risks, and to the best of our ability, develop mitigating factors for each risk so identified and report annually to the board.

Data Breaches:

In the event of a data breach, the Company shall have established procedures in place to quickly respond and minimize the impact on those affected. This includes reporting the breach to the relevant authorities, notifying Data Subjects, and taking appropriate steps to prevent future breaches.

Rights of Data Subjects:

It is understood that Data subjects have the right to access, correct, and delete their personal information. They also have the right to know who is processing their personal information and for what purpose. By appointing an Information Officer, the Company will ensure that Data subjects can exercise these rights by contacting the Information Officer.

Reporting:

The Company has an obligation to report any Data Breaches to the regulator as well as to the Data Subjects who are affected. We commit to informing affected parties, as well as the Regulator as soon as a breach is identified, or within a maximum of 30 business days after identifying a Data Breach. Such breaches shall also be reported when they occur, and on an annual basis, to the board of directors. If a Data Subject exercises their rights under the act, this shall be reported on an annual basis to the board of directors.
