1.1 In this Policy, the following terms shall bear the following meanings:
1.2 “Access to the NPS” means, firstly, access to the NPS granted by Amplifin to an Amplifin User who has concluded a User Agreement with Amplifin. Access includes access to payment streams and NPS non-regulated services such as Account Verification Services. Secondly, access to the NPS is granted to Amplifin once debits against the bank account nominated by the Amplifin User are processed to recoup fees due and payable to Amplifin. Thirdly, access to the NPS is granted to Amplifin once payment instructions of Clients of Banks as Data Subjects are processed;
1.3 “Applicable Law” means: (i) any statute, directive, order, enactment, regulation, by-law, ordinance, or subordinate legislation in force from time to time; (ii) any binding court order or judgement; (iii) any applicable industry code, guidance, policy, or standard enforceable by law; and (iv) any applicable direction, statement of practice, guidance, policy, rule, or order that is set out by a regulator (including the Regulator) that is binding on Amplifin in the NPS;
1.4 “Data Subject” means any natural person to whom Personal Information relates and/or in respect of whom Personal Information is obtained, Processed, and stored on the Amplifin centralised environment and ALLPS-i as part of the Services rendered as an authorised System Operator in the NPS;
1.5 “Amplifin” means Amplifin (Pty) Ltd, Registration Number 1997/001713/07;
1.6 “Amplifin Personnel” means all employees appointed by Amplifin as employer in terms of an Amplifin Employment Agreement and where each Amplifin Employment Agreement contains and specifies all requirements to be met by both Amplifin and the Amplifin Personnel to comply with Applicable Law;
1.7 “Amplifin Qualified Security Assessor” means the contractually-appointed entity who, on an annual basis, assists Amplifin in obtaining the required compliance certification with the Payment Card Industry Data Security Standard (PCI DSS) as mandated by Visa, Mastercard, American Express, and other Card Associations;
1.8 “Amplifin User Agreement” means the Agreement concluded between Amplifin and an Amplifin User;
1.9 “Amplifin User” means an individual or entity who has concluded an Amplifin User Agreement with Amplifin and through which Agreement the Amplifin User as a client of Amplifin is granted access to the NPS using Amplifin as System Operator or using Amplifin as an Independent Sales Organisation (“ISO”) to render such Service as described and set out in this Policy;
1.10 “Maker of a Promissory Note” means any Client of a Bank who is a Data Subject and who has concluded an Agreement with Amplifin and who has issued a Promissory Note payment instruction in favour of an Amplifin User and Amplifin;
1.11 “NPS” means the South African National Payment System within the geographical borders of the Republic of South Africa;
1.12 “Operator” means Amplifin as Operator described in section 20 of POPIA;
1.13 “PASA” means the Payment Association of South Africa;
1.14 “Personal Information” shall have the meaning ascribed thereto in Chapter 1 of POPIA;
1.15 “Processing” or “Processed” shall have the meaning ascribed to it in Chapter 1 of POPIA;
1.16 “POPIA” means the Protection of Personal Information Act 4 of 2013, as amended;
1.18 “Regulator” means the appropriate Information Regulator as defined under POPIA or in the context of the NPS, the South African Reserve Bank (“SARB”) and PASA. PASA is the recognised Payment System Management Body as set out in the NPS Act, Act No. 78 of 1998 as amended;
1.19 “Responsible Person” means the applicable Responsible Person as set out in section 20 of POPIA and in terms of this Policy, either the Amplifin User or Amplifin, as the case may be;
1.20 “Security Standards” means the information security standards that Amplifin must implement from time to time as a result of the requirements of the Regulator or the NPS Regulator, changes to generally accepted information security practices, or specific threats identified by the Amplifin Qualified Security Assessor;
1.21 “Services” means the Access to the NPS as set out in this Policy.
- AMPLIFIN USER CLIENT AS RESPONSIBLE PERSON
2.1 Amplifin’s business operation is that of a PASA authorised System Operator in the NPS.
2.2 Amplifin is further classified by the Card Associations as an ISO and Third-Party Processor for Card purchase transactions, registered as such with the Card Associations by Capitec Bank and where Capitec Bank is the Acquiring Bank of Amplifin.
2.3 Amplifin and First National Bank, a Division of FirstRand Bank Ltd, concluded an Agreement with regard to the issuing of FEZA VISA branded cards and the opening of eWallet bank accounts. The Amplifin / First National Bank Agreement specifies that Amplifin must obtain personal information of the eWallet bank account holder and a copy of the identity document or Passport of the Data Subject.
2.4 As such, Amplifin renders Services to a Client of a Bank and to an Amplifin User.
2.5 Where Amplifin renders Services to an Amplifin User, there is no direct interaction between Amplifin and the Data Subject as a client of the Amplifin User. As such, the Amplifin User is the Responsible Person with regard to the Personal Information as set out in POPIA and the Amplifin User must meet and comply with all requirements set out in POPIA.
2.6 Where clause 2.3 of this Policy applies, Amplifin acts as Operator as described in section 20 of POPIA.
- AMPLIFIN AS RESPONSIBLE PERSON
3.1 During the conclusion of the Amplifin User Agreement, Amplifin obtains Personal Information of the Amplifin User through the supply, signing of, and the consent and authority supplied by the Amplifin User to Amplifin to debit the bank account specified by the Amplifin User, allowing and mandating Amplifin to recoup fees and charges payable to Amplifin.
3.2 During the conclusion of the Amplifin Agreement between Amplifin and the Maker of a Promissory Note, Amplifin obtains Personal Information of the Maker of the Promissory Note as Data Subject. The Personal Information is obtained through the Agreement, the issue and the supply of the Promissory Note payment instruction, and the consent and authority supplied by the Data Subject to Amplifin to execute the Maker’s payment instruction, allowing Amplifin to request a debit against the bank account specified by the Maker of the Promissory Note. The Maker of a Promissory Note further consented that Amplifin may report the outcome of the payment instruction to credit bureaus.
3.3 Where clauses 3.1 and 3.2 of this Policy apply, Amplifin acts as the Responsible Person as described in section 20 of POPIA.
- OBLIGATIONS OF AMPLIFIN WITH RESPECT TO PROCESSING OF PERSONAL INFORMATION
Amplifin shall:
4.1 treat the Personal Information as strictly confidential in accordance with the provisions of this Policy;
4.2 only Process Personal Information in accordance with Applicable Law, in terms of this Policy and in accordance with any reasonable instructions, requirements, or specific directions of the Amplifin User or Data Subject; provided that the Amplifin User’s instructions or the Data Subject’s requirements or specific directions do not compromise Amplifin’s annual PCI-DSS certification, taking cognisance of the fact that Amplifin processes authenticated card and PIN based payment instructions;
4.3 not disclose or otherwise make available the Personal Information to any third party other than an NPS Regulator, the Paying Bank that hosts the bank account of a Data Subject, or the Amplifin Acquiring Bank, and then only where access to such Personal Information is strictly required for Amplifin to carry out its obligations under this Policy and as System Operator. No permission from the Amplifin User or Data Subject is required for Amplifin to part with Personal Information to an NPS Regulator, such a Paying Bank, or the Amplifin Acquiring Bank;
4.4 ensure that all Amplifin Personnel having access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information on substantially the same terms and conditions as set forth in this Policy;
4.5 take appropriate, reasonable, technical, and organisational measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and that such Personal Information is protected against unauthorised or unlawful Processing, accidental loss, destruction or damage, alteration, disclosure, or access by having regard to:
4.5.1 any requirement set forth in Applicable Law; stipulated in industry rules or in codes of conduct or by a professional body; and/or
4.5.2 generally accepted information security practices and procedures which apply to: (i) Amplifin’s business; and (ii) to the Amplifin User, as may be appropriate to discharge its obligations in terms of this Policy;
4.6 take appropriate, reasonable, technical, and organisational measures to ensure that the Personal Information in its possession or under its control remains immediately available to the Amplifin User as and when it may be required;
4.7 comply with the specific requirements with regard to Personal Information as may be set forth in an instruction relating to the Services or any other specific directions or requirements of the Amplifin User with regard to Personal Information;
4.8 conduct PCI-DSS audits as required to do so as a System Operator and conduct a PCI-DSS certification annually. Amplifin will provide PASA and the Amplifin Acquiring Bank with the results of its annual PCI-DSS certification;
4.9 take all necessary steps to:
4.9.1 implement and maintain appropriate safeguards against the risks identified by Amplifin and/or the Amplifin Qualified Security Assessor;
4.9.2 regularly verify that the safeguards that Amplifin has in place have been effectively implemented or updated as required for PCI-DSS certification or as requested by the Amplifin Qualified Security Assessor. The supply of Amplifin’s annual PCI-DSS certification to PASA and the Amplifin Acquiring Bank will constitute the required annual written report of having completed each such verification exercise; and
4.9.3 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards as required for PCI-DSS certification or as requested by the Amplifin Qualified Security Assessor.
4.10 agree to reasonable amendments to this clause from time to time, to the extent that data protection legislation or Applicable Laws generally require such amendments for the benefit of Data Subjects.
- NOTIFICATION OF PERSONAL INFORMATION SECURITY BREACH
5.1 Amplifin shall:
5.1.1 immediately notify the NPS Regulator and the Amplifin Paying and Acquiring Banks in writing of Amplifin becoming aware of or having reasonable grounds to believe that the Personal Information of a Data Subject stored on the Amplifin centralised environment has been accessed or acquired by an unauthorised person and take all appropriate steps to limit the compromise of Personal Information and to restore the integrity of the affected information systems as quickly as possible;
5.1.2 as soon as reasonably possible thereafter, Amplifin shall be required to engage with the NPS Regulator and the Amplifin Paying and Acquiring Banks to discuss the security breach, to report all relevant facts relating to the compromise, and to communicate to the NPS Regulator and the Amplifin Paying and Acquiring Banks on the steps to be taken to mitigate the extent of the compromise and loss experienced by the compromise;
5.1.3 provide the NPS Regulator and the Amplifin Paying and Acquiring Banks with details of the Personal Information affected by the compromise, including but not limited to the identity of Data Subjects, the nature and extent of the compromise, and, where possible, details of the identity of the unauthorized person(s) who are known to, or who may reasonably be suspected of, having accessed or acquired the Personal Information;
5.1.4 immediately upon notifying the NPS Regulator and the Amplifin Paying and Acquiring Banks as set forth in clause 5.1.1:
5.1.4.1 at its own cost, take all necessary steps as well as steps directed by the Amplifin Paying and Acquiring Banks, PASA, or the SARB, to prevent and/or mitigate the continuation of the compromise, the repetition of a similar compromise, and mitigate the extent of the loss occasioned by the compromise of Personal Information;
5.1.4.2 implement all measures reasonably necessary to restore the integrity of Amplifin’s information system(s);
5.1.4.3 provide the Amplifin Paying and Acquiring Banks, PASA, or the SARB with a report on its progress in resolving the compromise at the intervals required by the Amplifin Paying and Acquiring Banks, PASA, or the SARB following the initial notification, until such time as the compromise is resolved to the Amplifin Paying and Acquiring Banks’, PASA’s, or the SARB’s satisfaction.
5.2 If required by law, notify the South African Police Service and/or the National Intelligence Agency and co-operate with the South African Police Service and/or the National Intelligence Agency in the investigation of the cause of the compromise and the prosecution of person(s) who may have gained or attempted to gain unauthorised access to, or acquired Personal Information from, Amplifin.
5.3 Notify the Regulator and/or the Amplifin User and/or the affected Data Subjects. Any such notification shall be in a form prescribed by the Regulator.
- CO-OPERATION WITH THE AMPLIFIN USER AND A DATA SUBJECT
6.1 Amplifin shall:
6.1.1 assist the Amplifin User in complying with any requests for access to Personal Information received from the Amplifin User or from a Data Subject whose Personal Information was obtained through this Policy;
6.1.2 under instruction and authority of the Amplifin User, and at no extra cost to the Amplifin User, provide the Amplifin User with all assistance required for the Amplifin User to discharge its duties relating to a requirement by the Regulator in instances where unauthorised access was gained to the Amplifin centralised environment. It is, however, recorded that all Personal Information received from the Amplifin User relating to Data Subjects is displayed in the ALLPS software and is accessible by the Amplifin User’s Personnel. The requirement for Amplifin to assist the Amplifin User to discharge a requirement by the Regulator at no extra cost is not applicable when the compromise occurred due to the Amplifin User’s Personnel;
6.1.3 upon request from the Amplifin User or a Data Subject, promptly return or destroy all Personal Information in the possession or control of Amplifin, subject to any specific retention, destruction, and purging requirements on financial transactions processed as may be prescribed by the NPS Regulators on Amplifin as System Operator; and
6.1.4 not Process the Personal Information other than in accordance with this Policy.
- LAWFUL PROCESSING OF PERSONAL INFORMATION
7.1 In addition to, and without limiting any other provision of this Policy, Amplifin agrees that it:
7.1.1 shall only Process the Personal Information of Data Subjects provided to it by the Amplifin User, provided to it by the Amplifin User’s Personnel, or provided to it by a Data Subject to allow Amplifin to perform its obligations as set out in this Policy and to provide the Services;
7.1.2 shall not carry out any related or further Processing activities for any other reason whatsoever without the express written consent of the Amplifin User or the Data Subject.
7.2 In addition to, and without limiting any other provision of this Policy, the Amplifin User agrees that it and the Amplifin User’s Personnel:
7.2.1 shall only Process the Personal Information of Data Subjects provided to it to allow for the products and services offered by the Amplifin User to the Data Subject; and
7.2.2 if required to collect information from Data Subjects in terms of the Policy, to do so in a manner that does not infringe the privacy of the Data Subject, in accordance with any Applicable Law governing the collection of Personal Information from the Data Subject; and
7.2.3 shall immediately notify Amplifin in writing of the Amplifin User becoming aware of or having reasonable grounds to believe that the Personal Information of a Data Subject stored on the Amplifin Centralised Environment has been accessed or acquired by an unauthorised person using their assigned log-on credentials for ALLPS-i allocated to the Amplifin User and Amplifin User’s Personnel, and to take all appropriate steps to cancel such access to ALLPS-i in order to limit Personal Information being compromised; and
7.2.4 ensure that all Amplifin User’s Personnel who have access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information on substantially the same Terms and Conditions as set forth in this Policy.
- DISCLOSURE REQUIRED BY LAW, REGULATION OR COURT ORDER
8.1 If Amplifin is required to disclose any Personal Information pursuant to a requirement under Applicable Law, or if the supply of such Personal Information is required to enable a public body to properly perform a public law duty, Amplifin:
8.1.1 will advise the Amplifin User thereof prior to disclosure, if possible. If it is not possible to advise the Amplifin User prior to disclosure, Amplifin shall advise the Amplifin User immediately after such disclosure;
8.1.2 will take such steps to limit the extent of the disclosure to the extent that it lawfully, reasonably, and practically can;
8.1.3 will afford the Amplifin User a reasonable opportunity, if possible and permitted, to intervene in the proceedings; and
8.1.4 will comply with the Amplifin User’s requests as to the manner and terms of any such disclosure, if possible and permitted.
- SEPARATION, COMBINING OR MERGING OF PERSONAL INFORMATION
9.1 Unless otherwise specifically recorded in this Policy or any contract documents, Amplifin shall not, whether itself or via Amplifin Personnel, Process, combine, or merge Personal Information provided by the Amplifin User with any information (whether Personal Information or not) of another party.
9.2 It is, however, recorded that Amplifin is obliged to supply statistical information to the NPS Regulators and to the Amplifin Paying and Acquiring Banks on payment instructions processed either of a specific Amplifin User or from Amplifin Users as a collective.
- TRANSFER OF PERSONAL INFORMATION OUTSIDE OF NPS
10.1 Amplifin shall not transfer Personal Information provided to it by the Amplifin User or Data Subject outside of the Republic of South Africa unless expressly authorised in writing by the Amplifin User or Data Subject to do so.
10.2 Amplifin agrees to comply strictly with the Amplifin User’s instructions for cross-border transfers of any Personal Information, including as may be stipulated in this Policy.
- RETENTION AND DESTRUCTION REQUIREMENTS
Amplifin shall be required to comply with the retention and destruction policies of processing of financial transactions applicable to Amplifin as a System Operator in the NPS. Amplifin shall store all Personal Information that it Processes for the minimum time periods as are stipulated by the NPS Regulators and shall be required to destroy all Personal Information relating to the Data Subjects in compliance with the destruction time periods stipulated by the NPS Regulators.
- TRANSMISSION OF DATA
Amplifin shall ensure that all Personal Information communicated (including any digital communication or any Personal Information stored in digital form) shall be secured against being accessed or read by unauthorised parties by: (i) using appropriate security safeguards; and (ii) having due regard to generally accepted information security practices and procedures which may apply to it generally, or which may be required in terms of specific industry or professional rules and regulations.
Through publication of this Policy on www.amplifin.co.za, and through the publication of this Policy in the ALLPS-i software solution made available to all Amplifin Users, from the date of publication, the Parties as described in any Amplifin User Agreement concluded, hereby fully indemnify and hold each other harmless from all losses, liabilities, costs, expenses, fines, penalties, and damages arising from or attributable to a Party’s breach of its obligations set out in this Policy.
- COUNTER SIGNED EXECUTION OF THIS POLICY
Any Parties to an Amplifin Agreement may request, in writing, for this Policy to be recorded as a further Annexure to the existing Amplifin Agreement, counter-signed and dated by both Parties.
- APPOINTED SECURITY OFFICER
The Amplifin appointed Security Officer is A de Swardt in his capacity as Managing Director.
- CONTACT DETAILS
PO Box 101889, Moreleta Plaza, 0167
Tel: (012) 998 7979