top of page

< Go Back

Privacy Policy

Oosthuizen Du Toit Berg and Boon (ODBB Inc) Attorneys

Privacy Policy

Public-facing POPIA privacy notice for legal services and debt collection operations

 

1. Introduction

ODBB Inc processes personal information in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and other applicable South African laws.

 ODBB Inc. processes personal information in the course of providing legal services, operating its practice, collecting debts on behalf of clients, managing staff and contractors, and complying with legal and professional obligations.  This Policy explains the categories of personal information processed, the purposes of processing, how information may be shared, data-subject rights, retention and security practices.

This Policy should be read together with ODBB’s PAIA Manual and any engagement-specific, collection-specific or website-specific notices that may apply.

The responsible parties for purposes of this Privacy Policy are:

Information Officer: Mr. Charl Fourie | charl@odbb.co.za | (011) 883 9041

Deputy Information Officer: Mr. Andre van der Merwe | andre@odbb.co.za | (011) 883 9041

 

2. When ODBB acts in different roles

Depending on the engagement and activity concerned, ODBB may process personal information as a responsible party in its own right where ODBB Inc determines the purpose of and means for processing.  or as an operator on behalf of or on the instruction of a client or another responsible party. Where ODBB acts as an operator, the primary responsible party’s notices and instructions may also apply.

3. Categories of personal information

Depending on the matter, service or relationship, ODBB may process categories of personal information including:

  1. identification information, including names, identity numbers, passport numbers, dates of birth and company or registration details;

  2. contact details, including physical addresses, postal addresses, email addresses and telephone numbers;

  3. employment, education or business information;

  4. client, mandate, file, matter, litigation and instruction-related information;

  5. debtor, recovery, tracing, enforcement and payment information;

  6. banking, invoice, billing and other financial information;

  7. communications, correspondence, complaints and call or interaction records;

  8. technical, access, device and system-use information;

  9. CCTV, visitor or premises-access information, where applicable; and

  10. any other personal information reasonably required for lawful service delivery, collections administration, compliance, fraud prevention, security and business operations.

4. Special personal information and criminal-history information

Where a matter requires it and the law permits, ODBB may process special personal information and personal information relating to alleged criminal behaviour, criminal proceedings or outcomes strictly to the extent necessary for legal services, debt collection, dispute handling, litigation, legal compliance, the establishment, exercise or defense of a right or obligation in law or another lawful basis recognised in POPIA or other applicable law.

5. Sources of information

Information may be obtained directly from data subjects, clients, employers, counterparties, public records, regulators, courts, service providers, correspondents, tracing sources, credit bureaux or other credit-related sources where lawful, and from communications or documents generated in the course of a matter or collection instruction.

Where personal information is not collected directly from the data subject, ODBB will process and, where required, notify the data subject in accordance with POPIA.

6. Purposes of processing

Personal information is processed to open, administer and manage matters, provide legal advice and representation, recover debts, communicate with clients and debtors, verify identity, make or receive payments, maintain records, enforce rights, defend claims, investigate complaints or incidents, comply with legal and professional duties, and secure firm systems and premises.

Depending on the context, the provision of personal information to ODBB may be mandatory because it is required by law, professional obligation, court process, client onboarding requirements, contract, mandate administration, anti-fraud controls or payment-processing requirements. In other cases, provision may be voluntary.

Where personal information is required and is not provided, ODBB may be unable to open or continue a matter, verify identity or authority, comply with legal obligations, accept instructions, recover a debt, make or receive payment, or otherwise provide the relevant services.

Depending on the matter or relationship, ODBB may process personal information where authorised or required by laws including POPIA, PAIA, the Legal Practice Act 28 of 2014 and applicable legal-profession rules, tax and employment legislation, court rules and procedures, and any other law applicable to the relevant service, instruction or legal process. Where debt collection or credit-related processing is undertaken, this may also include legislation applicable to such processing, where relevant.

In some mandates, ODBB may be required to comply with additional client-specific security, storage, transfer, access-control, remote-access, audit, monitoring or incident-reporting requirements. Where this applies, ODBB may process personal information in accordance with such additional contractual requirements, provided that they are lawful and consistent with applicable data protection obligations.

7. Disclosure and sharing

ODBB may disclose personal information where lawful and necessary to categories of recipients including clients, counsel, correspondents, sheriffs, courts, regulators, banks, tracing agents, experts, operators, service providers, auditors, insurers and technology providers, subject where appropriate to confidentiality, legal-professional, contractual, operator or security controls.

Personal information will not be disclosed more widely than is reasonably necessary for the relevant purpose, legal process or compliance requirement.

8. Security safeguards

ODBB implements appropriate, reasonable technical and organisational measures to protect personal information against loss, misuse, damage, unauthorised destruction, unauthorised or unlawful access, and unauthorised or unlawful processing.

These measures may include, where applicable:

8.1 access controls based on authorised users and devices only;

8.2 authentication controls, password standards and password reset procedures;

8.3 endpoint, server and network security controls, including anti-malware, firewalls, patch and update management, secure configuration, and remote-access protections;

8.4 encryption of data at rest and in transit, secure file-transfer measures, and restrictions on the sharing of personal information through insecure channels;

8.5 confidentiality undertakings, staff awareness and training, and service-provider security controls;

8.6 backup, disaster recovery and business continuity measures, including periodic testing where appropriate;

8.7 retention, secure destruction and media-handling controls for paper and electronic records; and

8.8 monitoring, logging, incident response and other reasonable technical and organisational safeguards appropriate to the nature of the information processed.

Where ODBB processes personal information for or on behalf of clients with specific contractual or security requirements, ODBB may apply additional controls required by those mandates.

9. Security compromise notifications

If there are reasonable grounds to believe that personal information has been accessed, acquired, disclosed or made available by an unauthorised person, whether intentionally or in error, ODBB will deal with the matter in accordance with POPIA, applicable contractual obligations and its incident-response process.

This may include immediate internal escalation and, where required by law or contract, notification to the relevant client, the Information Regulator and affected data subjects as soon as reasonably possible and, where applicable, without undue delay

10. Retention and destruction

ODBB retains personal information only for as long as necessary for the purpose for which it was collected or subsequently processed, unless longer retention is required or permitted by law, contract, legal hold, complaint handling, professional obligation, audit, insurance, litigation, collections activity, fraud prevention, archival requirements or another lawful operational purpose.  

ODBB takes reasonable steps to ensure that personal information is retained in secure environments and, where applicable, stored on controlled systems or servers rather than unsecured local devices

11. Cross-border transfers

Where personal information is transferred outside South Africa, ODBB will do so only on a lawful basis and in accordance with section 72 of POPIA, including where the recipient is subject to adequate protection, laws, the data subject consents, the transfer is necessary for the performance or conclusion of a contract, or the transfer is otherwise permitted by law.  Appropriate contractual, technical or organisational safeguards will be applied where required.

Where client-specific requirements apply, ODBB may restrict storage or hosting locations and may require that certain personal information be stored or processed only in approved jurisdictions or environments.

12. Data subject rights

Subject to applicable law, a data subject may request access to personal information, request correction or deletion where legally justified, object to certain processing, request destruction or deletion of a record where lawful, and lodge a complaint with the Information Regulator.

Requests for access to records held by ODBB may, where applicable, be submitted in terms of PAIA using the prescribed Form 2. Requests to object to processing may be submitted using the applicable POPIA objection form, and requests for correction, deletion, destruction or deletion of records of personal information may be submitted using the applicable POPIA correction/deletion form and procedures published by the Information Regulator.

 

Requests may be directed to the Information Officer or Deputy Information Officer using the contact details in this Policy.

Where ODBB sends direct marketing communications to data subjects, it will do so in accordance with applicable law, including POPIA. A data subject may object to direct marketing at any time by using the unsubscribe mechanism provided or by contacting ODBB.

Where a person interacts with ODBB’s website or online services, ODBB may collect technical and usage information through cookies, server logs, contact forms and similar technologies. Further information may be set out in a website cookie notice or similar online notice.

13. Contact details

A data subject has the right to lodge a complaint with the Information Regulator regarding an alleged interference with the protection of personal information or an alleged breach of POPIA, in accordance with the applicable procedures and forms published by the Information Regulator.

Questions, complaints or requests may be directed to the Information Officer or Deputy Information Officer or the Information Regulator using the details below.

The Information Regulator (South Africa)

 

Physical Address - Woodmead North Office Park

54 Maxwell Drive, Woodmead, Johannesburg, 2191

Email Address: enquiries@inforegulator.org.za

Number:   (010) 023-5200

Toll free 0800 017 160

https://inforegulator.org.za

bottom of page