WHO WE ARE?
“Spark” means Spark ATM Systems (Pty) Ltd forming part of Cardtronics group of companies, including Cardtronics Plc and all of its subsidiaries (“the Group”). The Group is made up of a number of business entities and while those entities operate in different ways and in different jurisdictions, this privacy notice sets out the general principles in accordance with which Spark will collect, process and treat your personal information. When we mention Spark, “we”, “us” or “our” in this privacy notice, we are referring to Spark responsible for processing your personal information.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing your personal information so that you are fully aware of how and why we are using your personal information.
If you have any queries about how Spark processes your personal information please contact us via this online form here and we will get back to you.
DATA PRIVACY MANAGER
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your rights, please contact the data privacy manager using the details set out below.
BACKGROUND AND PURPOSE OF THIS PRIVACY NOTICE
This privacy notice is to let you know how Spark acting as a responsible party will look after your personal information. Protecting customers’ personal information is important to Spark and to do so, it follows general principles in accordance with applicable privacy laws. This includes what you tell us about yourself, what we learn by having you as a customer, determining why and how we use your personal information as well as the choices you make about marketing you elect to receive. This notice explains how we do this, your privacy rights and how the law protects you.
WHAT IS PERSONAL INFORMATION AND PROCESSING OF PERSONAL INFORMATION
Personal information means any information about an individual and where applicable, juristic person from which that person can be identified. It does not include data where the identity of the you have been removed (de-identified data).
If a you are acting on behalf of a juristic person, such as a company or close corporation, Spark may collect and use personal information relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person. These are “related persons”.
If you provide the personal information of a related person to Spark, you warrant that the related person is aware that you are sharing their personal information with Spark, and that the related person has consented thereto. Spark will process the personal information of related persons as stated in this notice, thus references to you in this notice will include related persons with the necessary amendments.
In this notice “process” means how Spark collects, uses, stores, makes available, destroys, updates, transfer, discloses, or otherwise deals with your personal information. As a general rule, we will only process your personal information if this is required to deliver or offer a service to you. Spark respects your privacy and will treat your personal information confidentially. Spark may combine your personal information and use the combined personal information for any of the purposes stated in this notice.
WHAT PERSONAL INFORMATION DO WE COLLECT?
|Contact Details||Your name, company name, physical address (e.g. work or physical address) / location information, how to contact you i.e. email address, phone number|
|Financial||Bank account and branch code details|
|Contractual||Signed agreements for the services we provide you|
|KYC supporting documents||Details about you taken from documents such as identity number, company registration number, passport number, driving license or visa.|
|Deed Registry||Property details and property owners’ names and contact details|
|Communication||What we find out about you from letters, phone calls and emails we received from you which shall remain confidential correspondence.|
|Consent||Any permissions or consent you have provided us.|
|Usage and technical data||Includes information about how you use our website, products and services, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website|
We collect contact details in each case and then supplementary information required for the purposes of fulfilling the relationship Spark has with you.
We also collect, use and share statistical or demographic data. This may be derived from your personal information but is not considered personal information in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this privacy notice.
WHEN AND WHERE WE COLLECT YOUR PERSONAL DATA FROM:
Spark may process your personal information for lawful purposes relating to their business if the following circumstances apply:
- it is necessary to conclude or perform under a contract Spark has with you or to provide the services to you including but not limited to communicate or carry out instructions and requests under such contract, respond to your queries and complaints, enforce and collect on any agreement when you are in default or breach of the terms and conditions of the agreement such as institute legal proceedings, meet record keeping obligations, for promotional and surveys material provided to you and for any other related purposes;
- the law requires or permits it which may include but not limited to comply with legislative, regulatory, risk and compliance requirements (directives, sanctions, industry codes of conduct and rules), detect, prevent and report theft, fraud, money laundering, corruption and other crimes and for any other related purposes;
- it is required to protect or pursue your, Spark’s or a third party’s legitimate interest in the daily management of Spark’s business and protect our customers, employees, service providers and assets which includes but not limited to developing, implementing, monitoring and improving our business processes, policies and systems, managing business continuity, protect and enforce Spark’s rights and remedies in the law, market services to you, meet record keeping obligations;
- you have consented thereto; or
- a person legally authorised by you, the law or a court, has consented thereto.
We will collect personal information about you:
- Directly from you;
- When you complete a form on Spark’s website;
- When you enter into a contract with Spark;
- When you interact with Spark through emails or letters and surveys;
- Based on your use of Spark’s service channels (such as applications and ATMs, including both assisted and unassisted interactions) as applicable;
- When you speak to us on the phone;
- When you apply for any of our services;
- From public sources (such as company register and the deed registry;
- From technology, such as your access and use including both assisted and unassisted interactions (e.g. or website and online merchant portal (SparkWeb)) to access and engage with Spark’s platform;
- When you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies.
We will also collect data about you from third parties we interact with for the purpose of conducting our business and who we have an association with, including but not limited to:
- Fraud prevention agencies;
- Government and law enforcement agencies;
- Public information sources including driving licence department, Deed Registry and Company register (CIPC); or
- Vetting and other agents working on our behalf.
Generally, we do not rely on consent as a legal basis for processing your personal information. In most cases we will need to collect and process your data in relation to a contractual relationship you have with Spark or on the grounds of a legitimate business interest. Note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your personal information. Please contact us if you require details about the specific legal ground we are relying on to process your personal information where more than one ground has been set out in the table below. Where we rely on a legitimate business interest to process your personal information, we will carefully assess to what extent processing is necessary and ensure that our business interests do not infringe your own interests and fundamental rights.
HOW DO WE USE YOUR PERSONAL DATA?
Here is a list of all the ways that we will use your personal information and the lawful basis for collecting and processing your data.
|Purpose/Activity||Type of personal information||Lawful basis for processing including basis of legitimate interest|
|To manage our relationship with you or your business, take orders, process and deliver products and services to you including complaint and dispute resolution. Managing how we work with other companies that provide services to us and our customers.||Contact and identity data, KYC, documentation, financial data, usage and technical data||(a) Performance of a contract with you e.g. making payments, service communications|
(b) Necessary for our legitimate interests e.g. KYC
(c) Legal duty – record retention
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||Identity and contact information, technical and usage data||(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)|
(b) Necessary to comply with a legal obligation
|Security and risk management including detection and investigation and reporting of financial crime. Managing risk for us and our customers.||Contact and identity data, documentation, financial data, usage and technical data, CCTV images.||(a) Performance of a contract|
(b) Necessary for our legitimate interests including crime prevention and detection)
(c) Legal duty
|To develop new ways to meet your needs and grow our business, develop new products and services.||Usage and technical data.||(a) Necessary for our legitimate interests|
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use the same personal information for other purposes and that purpose is allowed by law and/or compatible with the original purpose.
We may also further use or process your personal information if:
- the personal information about you was obtained from a public record, like the deed’s registry;
- the personal information is used for historical, statistical or research purposes, the results will not identify you;
- proceedings have started or are contemplated in a court or tribunal;
- it is in the interest of national security;
- if we must adhere to the law, specifically tax legislation; or
- the Information Regulator has exempted the processing.
If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
WHO WE SHARE YOUR DATA WITH?
Third parties (which may include parties Spark engages with as independent responsible parties, joint responsible parties or operators) from whom we transfer and/or may collect your personal information include, but are not limited to, the following:
- embers of the Group, any connected companies, subsidiary companies, its associates, cessionaries, delegates, assignees, affiliates or successors in title whom provide IT, system administration and other services to the Group and you and/or appointed external third parties (such as its authorised agents, service providers, partners, contractors and suppliers) acting at operators who provide services to us and you;
- , tracing agents, debt collectors and other persons that assist with the enforcement of agreements acting as joint responsible parties and/or operators;
- processing services providers, merchants, banks and other persons that assist with the processing of your payment instructions, such as card scheme providers (including VISA or MasterCard);
- enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
- authorities, industry ombudsmen, government departments, and local and international tax authorities; or
- of law or tribunals.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
HOW LONG DO WE KEEP YOUR INFORMATION?
Spark collects and processes your personal information at the start of, and for the duration of your relationship with us. We will keep your personal information for as long as you are a customer of Spark. We may also process your personal information when your relationship with us has ended and we will only retain your personal information after that for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
After you stop being a customer, we may keep your data for one of these reasons:
- To respond to any questions or complaints;
- To show that we treated you fairly;
- To maintain records according to rules that applies to us;
- The law stipulates a retention period in relation to specific personal information.
DATA AND ATMS
When you use one of our ATMs you need to be aware that the details from your card will be captured and shared with your card issuer for the purposes of validating the requested transaction. The details from your card together with the details of the requested transaction will be used by Spark, a number of third-party service providers and your card issuer to authenticate and approve or decline the transaction request. Spark does not use any form of automated decision making in this process but other third parties and/or your card issuer might. The details Spark collects from your card as part of a transaction have been anonymised by your card issuer and Spark has no means of reconciling your card number (which is further anonymised and encrypted) with a living individual. As such Spark does not consider card and transaction details to be personal data for the purposes of data protection law but this also means that Spark cannot identify you in the event of a disputed ATM transaction – if you encounter any issues in using one of our ATMs, you should in the first instance contact your card issuer.
Please note that Spark may as part of the transaction validation process be asked by the card issuer to retain the card inserted into the ATM. This may be because of the card being out of date, the card being abused, where the incorrect PIN number has been attempted several times or where an incompatible card has been inserted. Note that under banking rules and regulations, Spark cannot return captured cards to users under any circumstances and any cards collected from the ATM will be securely destroyed on collection. If an ATM has retained your card, in most circumstances this will be at the request of your card issuer and you should contact them in the first instance.
THIRD PARTY LINKS
Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
SENDING DATA OUTSIDE OF THE REPUBLIC OF SOUTH AFRICA (THE “REPUBLIC”)
We share your personal data within the Group. This may involve transferring your data outside the Republic. In addition, some of our third party service providers are located outside of the Republic or use cloud based services that are operated on servers located outside the Republic .Spark will only transfer your personal information to third parties in another country in any one or more of the following circumstances:
- where your personal information will be adequately protected under the other country’s laws or an agreement with the third-party recipient;
- where the transfer is necessary to enter into, or perform, under a contract with you or a contract with a third party that is in your interest;
- where you have consented to the transfer; and/or
- where it is not reasonably practical to obtain your consent, but the transfer is in your interest.
This transfer will happen within the requirements and safeguards of applicable laws or privacy rules that bind the Group.
Where possible, the party processing your personal information in another country will agree to apply the same level of protection as available by law in your country, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.
IF YOU CHOOSE NOT TO GIVE THIS INFORMATION
We may need to collect personal information by law, or under the terms of a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or business services. It could mean that we may have to cancel a product or service you have with us.
Any data collection that is optional will be made clear at the point of collection.
We may use your personal information to tell you about relevant products and offers in relation to our services. This is what we mean when we talk about ‘marketing’. Spark will do this in person, by post, telephone, or electronic channels such as SMS, email and fax. The personal information we have for you consists of what you tell us, and data we collect when you use our services, or from third parties we work with.
We can only use your personal information to send you marketing messages if we have either your consent or a legitimate interest. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.
If a person is not a Spark customer, or in any other instances where the law requires, we will only market to you by electronic communications with your consent.
You can ask us to stop sending you marketing messages by contacting us at any time.
If you change your mind you can update your choices at any time by contacting us.
Spark operates closed circuit television (CCTV) systems in and around Spark’s facilities and assets to provide a safe and secure environment for staff, visitors, the general public and to protect Spark’s property and assets. We operate CCTV to:
- Deter those having criminal intent;
- Assist in prevention and detection of crime;
- Facilitate with the identification, apprehension and prosecution of offenders;
- Monitor security of Spark buildings and vehicles;
- Identify vehicle movement problems around Spark buildings.
We have put in place appropriate and reasonable security measures (including physical, technological and procedural safeguards) to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Spark takes appropriate and reasonable technical and organisational steps to protect your personal information in line with industry best practices. This includes the following:
- keeping Spark systems secure (such as monitoring access and usage);
- storing Spark records securely;
- controlling the access to Spark premises, systems and/or records; and
- safely destroying or deleting records.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
YOUR LEGAL RIGHTS
You must provide Spark with proof of identity when enforcing the rights below and inform us when your personal information changes, as soon as possible after the change.
You have the right to:
Request Access and a copy of your Personal Information
Request access to your personal information (commonly known as a “data subject access request”). This enables you to confirm that Spark holds your personal information, receive a copy and/or description of the record containing your personal information we hold about you, to identify or categorise of third parties who have had access to your personal information and to check that we are lawfully processing it.
Spark will attend to requests for access to personal information within a reasonable time. You may be required to pay a reasonable fee to receive copies or descriptions of records, or information about, third parties. We will inform you of the fee before attending to your request. You should note that the law may limit your right to access information.
Please refer to Spark’s information manual prepared in accordance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (information manual) for further information on how you can give effect to this right. The information manual is available on Spark’s website.
Request correction, deletion or destruction of the personal information that we hold about you
You have the right to request us to correct, delete or destroy personal information we have about you if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if Spark is no longer authorised to keep it. You must inform Spark of your request in the prescribed form.
We will take reasonable steps to determine if the personal information is correct and make any correction needed. It may take a reasonable time for the change to reflect our platform/systems. Spark may request documents from you to verify the change in personal information.
If the law requires us to keep the personal information, it will not be deleted or destroyed upon your request. The deletion or destruction of certain personal information may lead to the termination of your business relationship with Spark.
Object to processing of your personal information
Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms, you must inform Spark of your objection in the prescribed form. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms and will not be able to give effect to your objection if the objection is not based upon reasonable grounds and substantiated with appropriate evidence.
We will not be able to give effect to your objection if the processing of your personal information was and is permitted by law, you provided consent to the processing and Spark’s processing was conducted in line with your consent or the processing is necessary to conclude or perform under a contract with you.
Where you have provided your consent for processing your personal information, you may withdraw consent at any time by completing the form here however, this will not affect the lawfulness of any processing carried out before you withdraw your consent as it may be a reasonable time for the change to reflect on Spark’s systems. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Spark may proceed to process your personal information, even if you have withdrawn consent, if the law permits or requires it.
HOW TO GET A COPY OF YOUR PERSONAL INFORMATION
You can access your personal information we hold by filling in the form here or by writing to us at either address below:
Data Protection Team Data Protection Team
Spark ATM Systems Cardtronics UK Ltd,
31 Transvaal Street, PO Box 476,
Paarden Eiland, Cape Town Hatfield,
7405 AL10 1DT
We will respond to Data Subject access requests within 30 (thirty) days.
HOW TO COMPLAIN
Please let us know if you are unhappy with how we have used your personal information. You can contact us using our online form.
You also have the right to complain to the Information Regulator about an alleged contravention of the protection of your personal information.
The contact details of the Information Regulator are provided below:
Adv Pansy Tlakula (Chairperson)
JD House, 27 Stiemens Street
P.O Box 31533, Braamfontein, Johannesburg, 2017
We would, however, appreciate the chance to deal with your concerns before you approach the Information Regulator so please contact us in the first instance.
POSSIBLE FUTURE CHANGES
Our privacy notice is reviewed and updated annually.