Privacy Notice
South Africa
At Wonde, we take privacy very seriously. We have prepared this Privacy Notice to ensure that we communicate to you, in the clearest way possible, how we treat your personal information. We encourage you to read this Privacy Notice carefully.
This notice sets out how we look after your personal data if you are a:
- Parent or student;
- Member of staff at a school;
- Visitor to our website (https://www.wonde.com/za/company/)(“Website”) ; and/or
- Supplier or business contact of Wonde.
We may update this notice from time to time, and you can find our latest notice on our Website or by asking us for a copy.
For your convenience, we have included at paragraph 14 explanations of important terms used in this notice.
1. Who is Wonde?
Wonde (Pty) Limited is a company incorporated in the Republic of South Africa, with company number 2024/018756/07 (referred to as “we” “us” “our” and “Wonde” in this notice).
This privacy notice applies to Personal Data we collect and process through all of our different businesses, unless we provide a separate privacy notice for that business.
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Protection Officer as follows:
Address: PO BOX 2764, Durbanville, Cape Town, Western Cape, 7550
Telephone Number: +44 1638 779 144
Email address: [email protected]
2. What does Wonde do?
We provide applications and platforms to help schools better manage and securely control their data. Our Wonde platform integrates with a school’s management information systems, to allow schools to seamlessly and securely transfer data to and from Third Party Application Providers.
3. Know the parties that will collect and process your Personal Data
In most cases, Wonde acts as a Data Processor. This means we assist the school and the application provided to transfer your Personal Data, and that of pupils, to and from each other. In these cases, the school (and in some instances the Third Party Application Provider) will be the Data Controller and the party responsible for deciding how and when your Personal Data is collected and processed, whilst we follow the instructions of the school. The school may provide you with their privacy policy or privacy notice, setting out how the school processes your Personal Data.
When we are appointed as a Data Processor, we have legally binding agreements in place with the school (and Third Party Application Providers) which restrict how we process your personal data, in accordance with Data Protection Laws.
When you log in to our platform, visit our Website, or contact Wonde support, we will receive certain data directly from you, such as your name and login details. For this limited data only, we will be the party responsible for deciding how and when your data is used, and we will be the Data Controller.
We are a Data Controller when we collect Personal Data from suppliers and other third parties who interact with us.
4. The purpose of this Privacy Notice
The purpose of the remainder of this Privacy Notice is to set out how we use your Personal Data when we act as a Data Controller.
This notice does not apply when we act as a Data Processor. In those cases, our separate licence agreement with the school will apply, and you should obtain the school’s privacy policy or privacy notice to understand what personal data is collected and how it is used and shared by the school with third parties such as ourselves.
5. The data we collect and how we collect it
Depending on your relationship with us (for instance, whether you are a parent or a professional contact), we collect, use, store and transfer some or all of the following data:
- Identity Data: your name. For pupils, we also collect year group and age information.
- Financial Information: whether a pupil is entitled to school meal vouchers, and if so, the value.
- Contact Data: your email address, telephone number and postal address.
- Relatives’ Data: the name(s) of (i) your parent(s) in the case of a pupil; and/or (ii) your child or children in the case of parent(s).
- Technical Data: information we collect automatically when you visit our Website, including your IP address, browser details, and device details;
You can withhold your Personal Data from us, but we may not be able to provide our services to you if you do so. We may collect your Personal Data from different sources:
- We collect all of the types of data listed above directly from you when you interact with us. This includes when you register with one of our platforms, and when you login to our platforms.
- We collect Identity Data, Contact Data and Relatives’ Data from the school(s) you are connected to.
- We collect Technical Data automatically when you interact with our Website or platform, by using cookies and other similar technologies.
6. How we process your personal data
We will only process your Personal Data where lawful under Data Protection Laws.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and/or allowed in accordance with Data Protection Laws.
When we are acting as a Data Controller, we will use your Personal Data for the purposes set out in the table below. Data Protection Laws sets out a number of different reasons for which we may collect and process your data. The legal grounds on which we collect and process your Personal Data are also set out in the table below.
| Purpose for using your data | Legal ground for using your data for this purpose |
|---|---|
| To allow you to access your account on our platform. | Necessary for our legitimate interests (to allow those with an account on our platform to use it). |
| To allow you to communicate with your school/the school your children are at. | Necessary for our legitimate interests (to allow staff, children and parents of our school customers to use our platform). |
| To provide support to you when you contact us. | Necessary for our legitimate interests (to respond to support calls as our users would expect). |
| To manage our relationship with you, which will include notifying you about changes to our privacy notice. | To comply with a legal obligation. Necessary for our legitimate interests (to provide important updates to our users). |
| Where you are a supplier, to register you as a supplier and to purchase goods or services from you. | To enter into and/or perform a contract with you. Necessary for our legitimate interests (to make purchases of goods and services). |
| To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Necessary for our legitimate interests (to protect our business and Website; to keep our services updated). |
| To use data analytics to improve our Website, products/services, marketing, customer relationships and experiences. | Necessary for our legitimate interests (to continuously improve our services for our customers and users). |
| To create anonymous aggregated data, as set out below. | Necessary for our legitimate interests (to provide additional benefits and functionality to our customers and users without disclosing personal data). |
7. Use of Aggregated Data
We may aggregate and use non-personally identifiable data we have collected from you and others. This data will in no way identify you or any other individual.
We may use this aggregated non-personally identifiable data to:
- assist us to better understand how our users are using our platforms and services;
- provide users with further information regarding the uses and benefits of our platforms and services;
- enhance school productivity, including by creating useful school insights from that aggregated data and allowing benchmarking of performance against aggregated data; and
- otherwise to improve our platform and services.
8. Cookies when using our Website
Our Website uses cookies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Website may become inaccessible or not function properly.
9. Sharing your Personal Data
We may need to share your Personal Data when using your Personal Data as set out in the table in paragraph 6 above. We may share your Personal Data with the following third parties:
● Our professional advisers, including lawyers, auditors and insurers.
● Service providers who provide IT and system administration services, or who store data on our behalf.
● Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
10. International Transfers
We may transfer your Personal Data to third parties providing services to us who are based outside of South Africa. This includes parties providing IT administration services and hosting services, and parties providing assistance with managing our marketing databases.
Whenever we transfer your Personal Data outside of South Africa, we ensure a v3 Jan 2025 Page 6 of 11 similar degree of protection as set out herein is afforded to it by ensuring at least one of the following safeguards is implemented:
- transferring data to countries that have been deemed to provide an adequate level of protection for Personal Data; or
- using specific contracts approved for use in South Africa and the UK which give Personal Data the same protection it has in South Africa and the UK.
11. Retention Period
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For more details of our specific retention periods, please contact our Data Protection Officer.
12. Your rights as a data subject
Under certain circumstances, you have rights under Data Protection Laws in relation to your Personal Data. These rights are set out below. If you wish to exercise any of the rights set out below, please contact our Data Protection Officer whose details are recorded in paragraph 1 above.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Your rights are as follows:
- Right of access – you have the right to request a copy of the Personal Data that we hold about you and to check that we are lawfully processing it.
- Right of rectification – you have a right to request that we correct Personal Data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten / erasure – in certain circumstances you can ask for the Personal Data we hold about you to be erased from our records, which may mean that we can no longer provide our services to you.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing of Personal Data.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to processing of your Personal Data in certain circumstances.
- Right to withdraw consent – Where we are relying on your consent to process your Personal Data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent, or to processing carried out on other legal grounds. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
All of the above requests will be forwarded should there be a third party involved in the processing of your Personal Data.
13. Complaints to the Information Commissioner’s Office
You have the right to make a complaint at any time to the South African Information Regulator at https://inforegulator.org.za/ for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the Information Regulator and invite you to contact us in the first instance.
14. Definitions and Interpretation
| “Aggregated Data” | means data that may be derived from your personal data but is not considered personal data under Data Protection Laws as this data does not reveal your identity. For example, where a subscriber’s usage data is aggregated to calculate the percentage of users accessing our website or Applications. |
| Application or App | the term ‘app’ is short for ‘application’. It refers to a program accessible on a phone or mobile device (which is not a website) that is downloaded from an app store which places the program on a mobile device. Once the user downloads the app, they simply click on the application button to start the software. |
| “Cookies” | cookies are small pieces of text sent to your browser by a website you visit. They help that website remember information about your visit, which can both make it easier to visit the site again and make the site more useful to you. It collects non-personal data. |
| “Data Controller” | refers to the party that decides the purpose or ‘way’ of processing the Personal Data. Under South African law (specifically the Protection of Personal Information Act) this party is referred to as the ‘responsible party’, and in other jurisdictions it is referred to as the ‘data controller’. |
| “Data Processor” | refers to the party that processes the personal data on behalf of and on instruction of the Data Controller. Under South African law (specifically the Protection of Personal Information Act) this party is referred to as the ‘operator’, and in other jurisdictions it is referred to as the ‘data processor’. |
| “Data Protection Laws” | Refers to the South African Protection of Personal Information Act 4 of 2013 and, where applicable, the United Kingdom’s Data Protection Act, 2018 (as amended or replaced from time-to-time), UK GDPR (as defined in the Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party. |
| “Personal Data” | Personal data is any information which is related to an identified or identifiable natural person. A data subject is identifiable if the person can be directly or indirectly identified from the data. For example, where the person is identifiable from a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. Under South African law (specifically the Protection of Personal Information Act) this is referred to as “personal information” whilst in other jurisdictions the phrase “personal data” is used. |
| “Technical Data” | includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Wonde Platform. |
| “Third Party Application Providers” | an Application provided by a third party, that is used by or accessed by Wonde or a school to which Wonde provides its services. |