Tax Elves Privacy Policy

Introduction

This Privacy Policy outlines Tax Elves (Pty) Ltd (" we ", " our " or " the Company ") practices with respect to information collected from users who access our website at https://www.taxelves.co.za (" Site "), or otherwise share personal information with us (collectively: " Users "). 

We operate in the field of accounting, taxation, estates and trust administration and includes limited assurance engagements (i.e Independent Review Engagements) and Agreed-Upon Procedures Engagements;

The company assists its clients depending on the clients’ needs and as per agreement with the clients and ensures fulfillment with the Financial, Trust and Estate Administration, Taxation and Auditing Regulatory compliance and reporting functions when dealing with its clients. Our client base include both individuals, entities, associations, institutions and individuals within such entities, associations and institutions. 



In the fulfillment of its professional services, TAX ELVES deals with many role players in the various accounting, trust, estates and tax fields and acknowledge that, in performing its business operations most of its communications are done electronically via the internet and email and personal information is collected and processed electronically in compliance with the Electronic Communications and Transaction Act 25 of 2002. In recognizing the international risk of data breach and also to ensure that lawful conditions exist surrounding its data subject’s information, TAX ELVES accept that all its South African based data subjects’ Constitutional Right to Privacy is of utmost importance. TAX ELVES further accepts that its data subjects based in other parts of the world are entitled to equal rights to privacy in terms of Regulations applicable to such data subjects in the countries in which they are based. As such, TAX ELVES is committed to comply with South Africa’s POPIA. TAX ELVES is further committed to the education of its data subjects in respect of their rights to privacy and will make all operational amendments necessary. 

What information we collect?

We collect two types of data and information from Users. 

The first type of information is un-identified and non-identifiable information pertaining to a User(s), which may be made available or gathered via your use of the Site (“ Non-personal Information ”). We are not aware of the identity of a User from which the Non-personal Information was collected. Non-personal Information which is being collected may include your aggregated usage information and technical information transmitted by your device, including certain software and hardware information (e.g. the type of browser and operating system your device uses, language preference, access time, etc.) in order to enhance the functionality of our Site. We may also collect information on your activity on the Site (e.g. pages viewed, online browsing, clicks, actions, etc.).

The second type of information Personal Information which is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual. Such information includes:

• Device Information: We collect Personal Information from your device. Such information includes geolocation data, IP address, unique identifiers (e.g. MAC address and UUID) and other information which relates to your activity through the Site.
•  Voluntary information you give up for the functioning of our services, including your tax numbers, passport and ID numbers,
• Registration information: When you register to our Site you will be asked to provide us certain details such as: full name; e-mail or physical address, and other information. 
• Information about your entities such as sole proprietorships, partnerships, companies, non-profit organisations or trusts
• Information about your related parties such as your spouse, partners, co-business owners, co-trustees, children and other relevant information.

 DEFINITIONS

“Biometrics”

means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition; 

“Child”

means a natural person under the age of 18 years who is not competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself; 

“Competent Person”

means any person who is competent to consent to any action or decision being taken in respect of any matter concerning a child; 

“Data Subject”

means the person or entity to whom personal information relates and for the purposes of TAX ELVES, this will include but not be limited to – accounting/auditing/taxation/estates and trust administration clients, full time employees, part time employees, trainees, external service suppliers and all associates of TAX ELVES; 

 “Direct Marketing” 

means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of – a) Promoting or offering to supply, in the ordinary course of business of TAX ELVES to the data subject; or b) Requesting the data subject to make a donation of any kind for any reason; 

“Deputy Information Officer”

 means employees that are appointed and designated as deputy information officers in terms of section 17 of PAIA providing assistance to the information officer to be as accessible as possible.

“Electronic Communication”: 

means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient; 

 “Filing System”: 

means any structured set of personal information which in the case of TAX ELVES consists of physical files kept in the offices of TAX ELVES together with the data filed on the various software systems used by TAX ELVES; 

“Information Officer”:

 The information officer of TAX ELVES is CHRISTOPHER KLOPPER; 

“Operator”: 

means a person or organization who processes personal information for TAX ELVES known as the responsible party in terms of a contract or mandate, without coming under the direct authority of that party; 

“PERSON”: 

means a natural person or a juristic person; 

“Personal Information”: 

• means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: Information relating to the education or the medical, financial, criminal or employment history of the person;
• Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;
• The biometric information of the person; The personal opinions, views or preferences of the person; Correspondence sent by the person that would reveal the contents of the original correspondence if the message is of a personal or confidential nature; The views or opinions of another individual about the person; and
• The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; 

“Private Body”: 

means (a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity; (b) a partnership which carries or has carried on any trade, business or profession; or (c) any former or existing juristic person, but excludes a public body; 

“Processing”: 

means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

a) The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

b) Dissemination by means of transmission, distribution or making available in any other form; or

c) Merging, linking, as well as restriction, degradation, erasure or destruction of information; 

“Promotion of Access to Information Act”: 

means the Promotion of Access to Information Act (PAIA), 2000 (Act No. 2 of 2000); 

“Public Record”: 

means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body. 

“Record”: 

means any recorded information – a) Regardless of form or medium, including any of the following: I. Writing on any material; II. Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; III. Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means; IV. Book, map, plan, graph, or drawing; V. Photograph, film, negative, tape or other device in which one or more visuals images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced; b) In the possession or under the control of a responsible party; and c) Regardless of when it came into existence; 

“Regulator”: 

means the Information Regulator established in terms of Section 39 of the POPIA; 

“Responsible Party”: 

means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information; 

“Restriction”: 

means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information; 

“Special Personal Information”:

means personal information as referred to in Section 26 of the POPIA which includes Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; 

“This Act”: 

means the Protection of Personal Information Act, No. 4 of 2013. 

“Unique Identifier”: 

means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party. 

OBJECTIVE 

 

The objective of this Policy is to ensure adherence to the provisions within POPIA together with its Regulations aimed at protecting all TAX ELVES’ data subjects from harm by protecting personal information, adhering to the requirements of responsible handling of data subjects’ information in terms of POPIA, to ensure that data subjects’ Consent is obtained as provided for in POPIA, to ensure that data subjects’ information is not unlawfully shared with third parties unless Consent for such sharing is obtained, to stop identity fraud and generally to protect privacy. This Policy constitutes the EXTERNAL SET OF PRIVACY RULES and sets out the standard for suitable protection of personal information as required by POPIA. 

POPIA CORE PRINCIPLES 

• To continue developing and maintaining reasonable protective measures against the possibility of risks such as loss, unauthorised access, destruction, use, alteration or revelation of personal information. 
• To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information; 
• To ensure that the requirements of the POPIA legislation are upheld within the organisation. In terms of sections 8, 17 and 18 of POPIA, TAX ELVES confirms that it adheres to an approach of transparency of operational procedures that controls collection and processing of personal information and subscribe to a process of accountability and openness throughout its operation. 
• In terms of the requirements set out within sections 9, 10, 11, 12, 13 14 and 15 of POPI, TAX ELVES undertakes to collect personal information in a lawful and reasonable way, for a specific reason and only if it is necessary for operations and to process the personal information obtained from clients and data subjects only for the purpose for which it was obtained in the first place. 
• Processing of personal information obtained from clients will not be undertaken in an insensitive, derogative discriminatory or wrongful way that can intrude on the privacy of the client. 
• In terms of the provisions contained within sections 23 to 25 of POPIA, all data subjects of TAX ELVES will be allowed to request access to certain personal information and may also request correction or deletion of personal information within the specifications of the POPIA and to this end, data subjects are referred to the FORMS 1 & 2 hereto attached. 
• To not request or process information related to race, religion, medical situation, political preference, trade union membership, sexual certitude or criminal record unless this is lawfully required and unless the data subject has expressly consented. TAX ELVES will also not process information of juveniles. 
• In terms of the provisions contained within section 16 of POPIA, TAX ELVES are committed that data subjects’ information is recorded and retained accurately. 
• To not provide any documentation to a third party or service provider without the express consent of the data subject except where it is necessary for the proper execution of the service as expected by the data subject. 
• To keep effective record of personal information and undertakes not to retain information for a period longer than specified in the industry’s Code of Conduct or any other direction issued by the SARS, SAIPA, IFAC (The International Federation of Accountants). 
• In terms of sections 19 to 22 of POPIA, TAX ELVES will secure the integrity and confidentiality of personal information in its possession. TAX ELVES will provide the necessary security of data and keep it in accordance with prescribed legislation. 

 

CONSENT 

When data subjects’ information is collected, processed or shared by TAX ELVES during the process of TAX ELVES delivering its professional services, TAX ELVES recognizes the obligations to explain the reasons for the collection of information from the particular data subject/s and to obtain the required Consents to process and where required the sharing of the information pursuant to such explanation. TAX ELVES further acknowledges the importance of obtaining its data subjects’ Consent, especially for the purposes of sharing their information and possibly using the information for limited marketing purposes. 

When data subjects’ information is collected, processed or shared by TAX ELVES for any other reason than the original reason of it being collected, the specific Consent for such purpose must be obtained from the data subject. If SPECIAL PERSONAL INFORMATION is collected, processed and stored for any reason from any of TAX ELVES’ data subjects, specific Consent for such collection must first be obtained. 

The prohibition on collection and processing of special personal information does not apply if:

• Processing is carried out with the consent of the data subject; 
• Processing is necessary for the establishment, exercise or defense of a right or obligation in law; 
• Processing is for historical, statistical or research purposes. 

 

We have amended its standard documentation with references to the Act and will obtain all data subjects’ general Consent in each transaction in order that data subjects are aware at all times of the reasons for the information being collected, how the information will be processed and for what the information will be used. 

With reference to the nature of the accounting, trust and estates administration, taxation and assurance services provided by TAX ELVES, it is inevitable that TAX ELVES will collect information of individuals employed within entities for whom GROUP are being rendered by TAX ELVES. In such events, such entities will be required to collect the necessary Consents of its own employees whose information is shared with TAX ELVES for such purposes. 

COLLECTION, PROCESSING AND SHARING OF INFORMATION 

TAX ELVES collect and process personal information from its data subjects for a variety of reasons and in a variety of ways. The most pertinent reason for data collection and processing relates to the accounting, trust and estates administration, taxation or assurance function/s being facilitated by TAX ELVES and the integrated nature of operation between TAX ELVES and the other primary role players such as but not limited to: The South African Revenue GROUP and the Financial Intelligence Centre, the software suppliers of TAX ELVES and any other third party involved in or during the services delivered by TAX ELVES to such data subjects. 

The primary way of collection and processing of personal information is electronically. By submitting personal and special personal information details to TAX ELVES all data subjects acknowledge the following terms: 

• Personal information collected by TAX ELVES will be collected directly from the data subject, unless – 
• The information is contained or derived from a public record or has deliberately been made public by the data subject; 
• Collection of the information from another source would not prejudice a legitimate interest of the data subject; 
• Collection of the information from another source is necessary - 
• To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences; 
• To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; 
• For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; 
• In the interest of national security; 
• To maintain the legitimate interests of TAX ELVES or of a third party to whom the information is supplied; 
• Compliance would prejudice a lawful purpose of the collection; 
• Compliance is not reasonably practicable in the circumstances of the particular case. 
• Personal information is collected for a specific, explicitly defined and lawful purpose related to a function or activity of TAX ELVES; 
• Steps will be taken to ensure that the data subject is aware of the purpose of the collection of the information. 
• TAX ELVES will take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the personal information is collected and further processed. 
• Where personal information is collected; from a data subject directly, TAX ELVES will take reasonably practicable steps to ensure that the data subject is aware of: - 

a. The nature of the information being collected and where the information is not collected from the data subject, the source from which it is collected; 

b. The name and address of TAX ELVES; 

c. The purpose for which the information is being collected; 

d. Whether or not the supply of the information by the data subject is voluntary or mandatory; 

e. The consequences of failure to provide the information; 

f. Any particular law authorizing or requiring the collection of the information; 

STORAGE OF INFORMATION 

TAX ELVES acknowledges the risks facing data subjects with the storage of personal and special personal information on the TAX ELVES’ software systems as well as filing copies of the physical information sheets containing personal information physically in an office. To ensure that its best attempts are made to minimize data subjects from suffering loss of personal information, misuse or unauthorized alteration of information, unauthorized access or disclosure of personal information generally, it will: 

Store personal information in databases that have built-in safeguards and firewalls to ensure the privacy and confidentiality of your information. 

Constantly monitor the latest internet developments to ensure that the systems evolve as required. TAX ELVES test its systems regularly to ensure that our security mechanisms are up to date. 

Continue to review its internal policies and third party agreements where necessary to ensure that these are also complying with the POPIA and Regulations in line with TAX ELVES’ Policy rules. 

 

TAX ELVES retains physical copies of data subjects’ information in its offices for 1 year whereafter the copies are stored onsite at 8 Michaels Road, Kraaifontein, 7570. 

DISPOSAL OF DATA SUBJECTS’ INFORMATION 

With reference to the provisions contained in clause 7 above, TAX ELVES is responsible to ensure that necessary records and documents of their data subjects are adequately protected and maintained to ensure that records that are no longer needed or are of no value are disposed of at the proper time. These rules apply to all documents which are collected, processed or stored by TAX ELVES and include but are not limited to documents in paper and electronic format, for example, e-mail, web and text files, PDF documents etc.   

TAX ELVES adheres to the Guidelines issued by the SAIPA, governed by IFAC (The International Federation of Accountants) in relation to services rendered and retain documents containing data subjects’ personal information for a minimum period of 5 years. 

TAX ELVES does not discard or dispose of the telephone numbers and email addresses of data subjects with whom it has previously dealt as these are stored on cellphones and the system of TAX ELVES but will do so on request by the data subject. Data subjects are entitled to request removal of their personal information with reference to FORM 2 hereto attached. 

Rules governing the secure disposal are necessary in order to maintain data security and support compliance with this TAX ELVES Policy. TAX ELVES acknowledges that electronic devices and media can hold vast amounts of information, some of which can linger indefinitely. Data subjects, who interact with TAX ELVES acknowledge the following disposal rules: 

Under no circumstances will paper documents or removable media (CD’s, DVD’s, discs, etc.) containing personal or confidential information be simply binned or deposited in refuse tips. 

TAX EVES undertakes to ensure that all electrical waste, electronic equipment and data on disk drives be physically removed and destroyed in such a way that the data will by no means be able to be virtually retrievable. 

TAX ELVES will ensure that all paper documents that should be disposed of, be shredded locally and then be recycled. 

In the event that a third party is used for data destruction purposes, the Information Officer will ensure that such third party will also comply with this policy and any other applicable legislation. 

TAX ELVES may suspend the destruction of any record or document due to pending or reasonably foreseeable litigation, audits, government investigations or similar proceedings. TAX ELVES undertakes to notify employees of applicable documents where the destruction has been suspended to which they have access to. 

In the event that a document and/or information is no longer required to be stored in accordance with this policy and relevant legislation, it should be deleted and destroyed. 

The Information Officer should be consulted where there is uncertainty regarding the retention and destruction of a document and/or information. 

 

INTERNET AND CYBER TECHNOLOGY 

 

These clauses constitute a summary of the Internal TAX ELVES Internet/IT/Cyber Security Policy applicable to all internal employees and clerks. 

 Acceptable use of TAX ELVES’ Internet Facilities & standard Anti-Virus rules 

The repercussions of misuse of TAX ELVES systems can be severe. Potential damage includes, but is not limited to, malware infection (e.g. computer viruses), financial penalties for data leakage and lost productivity resulting from network downtime.   

In order to ensure that TAX ELVES’ IT systems are not misused, everyone who uses or has access to TAX ELVES’ systems have received training and internal guidelines in order to meet the following five high-level IT Security requirements: 

Information will be protected against any unauthorized access as far as possible; 

Confidentiality of information will be assured as far as possible; 

Integrity of information will be preserved as far as possible; 

Availability of information for business processes will be maintained; 

Compliance with applicable laws and regulations to which TAX ELVES is subject will be ensured by the Information Officer as far as possible. 

Every user of TAX ELVES’ IT systems takes responsibility for exercising good judgment regarding reasonable personal use. 

 IT Access Control 

TAX ELVES undertakes to ensure that logging into the IT system and software packages is password controlled and shall exercise all caution in allowing unauthorized access to the password. It is a further undertaking that the password/s shall be reviewable from time to time but in particular where GOOGLE based products are used and linked (such as Facebook, Whatsapp and GMAIL based domains). 

TAX ELVES’ Email Rules 

TAX ELVES acknowledges that most of its communications are conducted via email and instant messaging (IM). Given that email and IM may contain extremely sensitive and confidential information, the information involved must be appropriately protected. In addition, email and IM are potentially sources of spam, social engineering attacks and malware, so TAX ELVES must be protected as completely as possible from these threats. The misuse of email and IM can pose many legal, privacy and security risks, so it is important for users to be aware of the appropriate use of electronic communications. 

It is of use to note that all users of TAX ELVES’ email system are prohibited from using email to: 

• Send, receive, solicit, print, copy, or reply to text, images, or jokes that disparage others based on their race, religion, colour, gender, sex, sexual orientation, national origin, veteran status, disability, ancestry, or age. 
• Send, receive, solicit, print, copy, or reply to messages that are disparaging or defamatory. 
• Spread gossip, rumours, or innuendos about employees, clients, suppliers, or other outside parties. 
• Send, receive, solicit, print, copy, or reply to sexually oriented messages or images. 
• Send, receive, solicit, print, copy, or reply to messages or images that contain foul, obscene, disrespectful, or adult-oriented language. 
• Send, receive, solicit, print, copy, or reply to messages or images that are intended to alarm others, embarrass TAX ELVES negatively impact productivity, or harm morale. 

 

The purpose of this Email and IM policy is to ensure that information sent or received via these TAX ELVES’ IT systems is appropriately protected, that these systems do not introduce undue security risks to TAX ELVES and that users are made aware of what TAX ELVES deems as acceptable and unacceptable use of its email and IM. 

TAX ELVES Rules related to handheld devices 

Many users do not recognize that mobile devices represent a threat to IT and data security. As a result, they often do not apply the same level of security and data protection as they would on other devices such as desktop or laptop computers. The rules hereunder outline TAX ELVES’ requirements for safeguarding the physical and data security of mobile devices such as smartphones, tablets, and other mobile devices such as PCs and Notebooks. 

TAX ELVES’ users of handheld devices are expected to diligently protect their devices from loss and disclosure of private information belonging to or maintained by TAX ELVES. 

In the event of a security incident or if suspicion exists that the security of TAX ELVES’ systems have been breached, TAX ELVES shall be obliged to notify the IT support and Information Officer immediately especially when a mobile device may have been lost or stolen. 

 

Anti-virus rules 

Management of TAX ELVES is responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into TAX ELVES’ programs (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited. 

It is worth noting that users are discouraged from attempting to remove viruses themselves. If a virus infection is detected, users are expected to disconnect from TAX ELVES’ networks, stop using the infected computer immediately and notify the IT support. 

It is further worth noting that TAX ELVES’ users are encouraged to be cautious of e-mail attachments from an unknown source as viruses are often hidden in attachments. If a virus is suspected the attachment must not be opened or forwarded and must be deleted immediately. 

 Physical access control 

All of TAX ELVES’ premises that include computers and other types of information technology resources will be safeguarded against unlawful and unauthorized physical intrusion, as well as fire, flood and other physical threats. This includes but is not limited to; security doors, key entry areas, external doors that are locked from closing until opening of the building, locked and/or barred windows, security cameras, registration of visitors at entrances, security guards, and fire protection. 

 Usage Data 

Usage Data is collected automatically when using the internet GROUP of TAX ELVES. Usage Data may include information such as data subjects’ device's internet protocol address (e.g. IP address), browser type, browser version, details of the pages of TAX ELVES’ website that are visited by data subjects, the time and date of the website visit, the time spent on those pages, unique device identifiers and other diagnostic data. When data subjects access the website of TAX ELVES by or through a mobile device, TAX ELVES may collect certain information automatically, including, but not limited to, the type of mobile device used by the data subject, unique ID, the IP address of the mobile device, the mobile operating system, the type of mobile Internet browser used, unique device identifiers and other diagnostic data. TAX ELVES may also collect information that the user’s browser sends whenever TAX ELVES’ website is visited. 

 Tracking Technologies and Cookies 

Cookies and similar tracking technologies are used to track the activity on TAX ELVES’ website and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze the efficiency of the website. The technologies which may be used to track may include: 

Cookies or Browser Cookies. A cookie is a small file which may be placed on a data subject’s device. Data subjects can instruct their browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if this function of TAX ELVES’ website is not accepted, data subjects may not be able to use some parts of the website. Unless the browser settings have been adjusted, TAX ELVES’ website may use Cookies. 

Flash Cookies. Certain features of the website may use local stored objects (or Flash Cookies) to collect and store information about data subjects’ preferences or activity on the website. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies. For more information on how Flash Cookies can be deleted the following process can be followed: "Where can I change the settings for disabling, or deleting local shared objects?" available at https://helpx.adobe.com/flashplayer/kb/disable-local-shared-objects; 

Web Beacons. Certain sections of the website and emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit TAX ELVES for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity). 

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on data subjects’ personal computer or mobile device even when offline, while Session Cookies are deleted as soon as data subjects’ web browsers are closed. 

THIRD PARTY OPERATORS 

TAX ELVES recognizes that, in fulfilling its service offering to its client base and in order to operate efficiently, it is necessary at times to share data subjects’ personal and special personal information with third parties for specific reasons related to TAX ELVES’ service delivery. As referenced in clauses 5 and 6 above, TAX ELVES will obtain the necessary Consent where required from the particular data subject. 

TAX ELVES shall moreover and where possible enter into an OPERATORS’ AGREEMENT with the relevant third party with which TAX ELVES shares data subjects’ information in order to ensure that the third party operator treats the personal information ofTAX ELVES’ data subjects responsibly and in accordance with the provisions contained in the Act and Regulations thereto. TAX ELVES shall, where possible, request copies of the third party operators’ POPIA Policy, rules, internet rules and details of the third party’s Information Officer. 

 BANKING DETAILS 

It is a known fact that emails and other types of electronic communication are particular targets for email interceptions and in particular the interception of banking details for purposes of payment in respect of the transaction. TAX ELVES’ data subjects are open to financial damages and losses if emails are intercepted and banking or other financial details are fraudulently amended without the data subject’s knowledge. 

TAX ELVES has implemented clear notifications within all its correspondences (emails and physical letters) warning data subjects of the risks of email hacking and interceptions. In the event that banking or other financial details are sent to data subjects or received from data subjects for purposes of payment or other financial reasons, the details will be confirmed with a telephone call and a follow up whatsapp where necessary. It is recorded that, in certain instances, data subjects’ bank details are to be shared with relevant third parties but in such an event, all care shall be taken to ensure encryption of emails. 

 DIRECT MARKETING 

TAX ELVES is committed to not sharing data subjects’ information with third parties for the sole purpose of such third party marketing to such data subjects. In the event that any associated third party using the data subjects’ information shared by TAX ELVES with such third party in the fulfilment of its service, TAX ELVES takes no responsibility for any consequences suffered by the data subject which may have been caused by the third party’s actions. 

Unless a data subject has expressly requested NOT to be OPTED INTO the TAX ELVES database, TAX ELVES use data subjects’ contact information in order to distribute regular bulk emails containing relevant industry news and information and recipients are allowed the option to OPT OUT/UNSUBSCRIBE from such emails by notifying the Information Officer of such request. New client declarations to be signed by new clients from 1 July 2024 onwards. 

DATA CLASSIFICATION 

All of TAX ELVES’ employees share in the responsibility for ensuring that TAX ELVES’ information assets receive an appropriate level of protection as set out hereunder: 

Managers of TAX ELVES or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. 

Where practicable, the information category shall be embedded in the information itself. 

All employees of TAX ELVES shall be guided by the information category in their security-related handling of TAX ELVES’s information. All information of TAX ELVES and all information entrusted to TAX ELVES from third parties fall into one of three classifications in the table below, presented in order of increasing sensitivity. 

RIGHTS OF THE DATA SUBJECT

The data subject or competent person where the data subject is a child, may withdraw his, her or its consent to procure and process his, her or its personal information, at any time, providing that the lawfulness of the processing of the personal information before such withdrawal or the processing of personal information is not affected.. 

A data subject may object, at any time, to the processing of personal information– 

In writing, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or 

For purposes of direct marketing other than direct marketing by means of unsolicited electronic communications. 

A data subject, having provided adequate proof of identity, has the right to – 

a) Request TAX ELVES to confirm, free of charge, whether or not TAX ELVES hold personal information about the data subject; and 

b) Request from TAX ELVES a record or a description of the personal information about the data subject held by TAX ELVES, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information – within a reasonable time; at a prescribed fee as determined by the Information Officer; in a reasonable manner and format; and in a form that is generally understandable. 

A data subject may, in the prescribed manner, request TAX ELVES to – 

a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or 

b) destroy or delete a record of personal information about the data subject that TAX ELVES is no longer authorised to retain. 

Upon receipt of a request referred to in the clause above, TAX ELVES will, as soon as reasonably practicable – 

a) correct the information; 

b) destroy or delete the information; 

c) provide the data subject, to his, her or its satisfaction, with credible evidence in support of the information; or 

d) where an agreement cannot be reached between TAX ELVES and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to 

 attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made. 

TAX ELVES will inform the data subject, who made a request as set out in clause 14.5, of the action taken as a result of the request. 

 

INFORMATION OFFICER 

Appointed Information Officer:

nformation Officer: Christopher Klopper

Contact: Contact with the information officer can be made directly on the website's contact form or by email same to info@taxelves.co.za 

 

The general responsibilities of TAX ELVES Information Officer delegated include the following: 

• The encouragement of compliance, by TAX ELVES, with the conditions for the lawful processing of personal information;
  
• Managing requests made to TAX ELVES pursuant to POPIA; 
  
• Working with the Regulator in relation to investigations conducted pursuant to prior authorisation required to process certain information of POPIA in relation to the business. 
  
• Continuously perform data backups, store at least weekly backup offsite, and test those backups regularly for data integrity and reliability. 
  
• Review policy rules regularly, document the results, and update the policy as needed. 
  
• Continuously update information security policies and network diagrams. 
  
• Secure critical applications and data by patching known vulnerabilities with the latest fixes or software updates. 
  
• Perform continuous computer vulnerability assessments and audits. 
  
• The Information Officer may appoint any number of Deputy Information Officers as is necessary to perform the duties of the Information Officer as set out above. The Information Officer has control over every Deputy Information Officer(s) appointed.   
  
• The Information Officer may delegate, in writing, his/her power of duty conferred or imposed by this Act, to a Deputy Information Officer(s). In his/her decision to delegate power of duty, the Information Officer must give due consideration to the need to render TAX ELVES as accessible as reasonably possible for requests of its records. 
  
• The Deputy Information Officer’s duties must only be exercised or performed subject to any conditions set by the Information Officer. The delegation of power does not prohibit the Information Officer from performing these duties himself/herself. The Information Officer may at any time withdraw or amend, in writing, the delegation of power of duty. 
  
• Any right or privilege acquired, or any obligation or liability incurred as a result of the delegation of power, is not affected by any subsequent withdrawal or amendment of that delegation. 

 The data breach responsibilities of TAX ELVES’ Information Officer include the following: 

• Ascertain whether personal data was breached; 
  
• Assess the scope and impact by referring to the following: 
  
• Estimated number of data subjects whose personal data was possibly breached 
  
• Determine the possible types of personal data that were breached 
  
• List security measures that were already in place to prevent the breach from happening. 

Once the risk of the breach is determined, the following parties need to be notified within 72 hours after being discovered: 

• The Information Regulator; 
  
• Any data subjects who have been affected by such data breach; 
  
• TAX ELVES will only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned. 
  
• The notification to a data subject will be in writing and communicated to the data subject in at least one of the following ways: 

a) Posted to the data subject’s last known physical or postal address; or 

b) Sent by email to the data subject’s last known e-mail address; or 

c) Placed in a prominent position on the website of TAX ELVES; or 

d) Published in the news media. 

Communication should include the following: 

• Contact details of Information Officer 
  
• Details of the breach, 
  
• Likely impact, 
  
• Actions already in place, and those being initiated to minimise the impact of the data breach. 
  
• Any further impact is being investigated (if required), and necessary actions to mitigate the impact are being taken. 
  
• A description of the possible consequences of the security compromise; 
  
• A description of the measures that TAX ELVES intends to take or has taken to address the security compromise; 
  
• A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and 
  
• If known to TAX ELVES, the identity of the unauthorised person who may have accessed or acquired the personal information. 

Review and monitor 

Once the personal data breach has been contained, TAX ELVES will conduct a review of existing measures in place, and explore the possible ways in which these measures can be strengthened to prevent a similar breach from reoccurring. 

All such identified measures should be monitored to ensure that the measures are satisfactorily implemented. 

AVAILABILITY AND REVISION 

A link to this Policy is made available on the TAX ELVES company website www.taxelves.co.za 

   

This policy will continually be updated to comply with legislation, thereby ensuring that personal information will be secure. 

This policy was last updated on 11 May 2025