Isabella Garcia International Proprietary Limited, with registration number 2008/002757/07 (the Company, us, our, we), is a cosmetics company that specialises in the marketing, selling and distribution of its products to clients anywhere in South Africa.
The Company is associated with a group of companies including Platinum Life, The Box Fashion, IPS Health and Wellness, and Besige Breintjies (“the Group Affiliates”) which enables us to provide holistic care and support to our clients.
The Company collects, stores and processes personal information of client, potential clients, employees, etc. (the Individual).
The Company’s business model is largely based on a referral system and relationships with Group Affiliates. When the Company collects personal information from sources other than directly from the Individual, you will have had to confirm that you are agreeable for others to have shared your information. In order to provide holistic care and support to our clients we rely on all Group Affiliates and their services. Isabella Garcia International and the Group Affiliates are committed to offer you an all-encompassing solution, that is in your interest and that will benefit your health and wellbeing.
The Company values its clients and business partners. We understand the sensitive nature of the personal information which we hold. It is for this reason that the protection of personal information is one of our top priorities. We endeavour to maintain the confidentiality of personal information and process personal information in adherence to the Protection of Personal Information Act 4 of 2013 (“POPIA”).
In terms of POPIA, personal information is information that may be used to identify an individual or a company.
Examples of personal information include, but is not limited to:
Information relating to race, gender or sexual orientation.
Physical or mental health.
Personal information that the Company collects:
The Company collects and uses personal information mainly to perform direct marketing, and to perform contractual obligations. The Company undertakes direct marketing in instances where the Company has a pre-existing relationship with the Individual, where the Individual has agreed for the Company to contact them for the purposes of direct marketing or where the Company has asked for permission to do so. In other words, where there is a legitimate and mutual interest.
The Company markets and sells cosmetic products and services to various parties including individuals and other companies/organisations.
The Company may collect personal information which includes, but is not limited to:
Identification and contact information, and information that will assist the Company to provide products and services to the Individual:
Physical and postal address.
Telephone or other contact details.
Date of birth.
Financial information and account details:
Bank account number and account details.
Medical condition and health information:
Current physical, mental or medical condition.
Past physical, mental or medical condition.
Injury or disability information.
Personal information relating to
Physical attributes including race.
Other sensitive information:
Other sensitive information voluntarily provided by the individual.
The Company may also collect feedback, comments and questions received from the Individual in service-related communications and activities.
When personal information is collected, the Company will indicate the purpose for the collection of the personal information and whether the personal information required is compulsory or voluntary. The Company will, to the extent possible, inform the Individual of the consequences for failing to provide the requested information.
How data is collected:
Personal information is collected in any of the following ways:
Directly from the Individual through various methods including (but not limited to):
The Company Website.
The Individual communicating with the Company through various portals:
Website forms, surveys or chat functions.
Social media platform communication.
Data may also be received indirectly from the following sources:
Referrals from current clients.
Where consent was given by the Individual to collect information from another source (including Group Affiliates) and the Company has provided the detail of the source.
Where information is publicly available.
The use of personal information:
Personal information collected by the Company may be used, stored, disclosed or shared for the following purposes:
The administration of the Company.
To communicate with the Individual regarding orders, product information, billing and queries.
To provide the Individual with appropriate product advice and recommendations.
To send the Individual information regarding changes to services, products or prices and other terms and conditions.
To manage any disputes.
To process payments and manage accounts.
To personalise and tailor product or service offerings to the individual.
To analyse and manage other commercial risks.
To conduct market research.
To provide the Individual with marketing information (including information about other products and services in the interest of the Individual’s overall well-being, offered by Group Affiliates and in so doing enhance the holistic service to the Individual.
To comply with internal policies and procedures such as:
Finance and accounting.
Billing and collections.
Data and website management.
To respond to queries or resolve complaints.
To handle requests for the correction, updating, access or deletion of the Individuals personal information.
To comply with applicable laws and regulatory obligations.
Automated decision making:
The Company uses the following automated system/s for carrying out certain kinds of decision-making and / or profiling. If at any point the Individual wishes to query any action that was taken on the basis of this or wishes to request ‘human intervention’, the Company will provide the opportunity to do so.
The following automated decision-making method(s) may be used:
Product allocation based on skincare questions.
Campaign allocation based on market research questions.
Sharing of personal information:
Access to personal information within the Company and it’s Group Affiliates is restricted to those individuals who require access to personal information for business purposes.
In order to provide products and services to the Individual that enhances holistic care and support, the Company share the Individual’s information with the following Group Affiliates:
Platinum Life: A risk insurance provider specialising in female cancer and male debility cover.
The Box Fashion: A fashion accessories service company.
IPS Health and Wellness: A company focused on providing clients with nutritional supplements.
Besige Breintjies: An educational programme designed to develop and improve children’s intellectual, social, physical and emotional well-being.
The Company may also share personal information of the Individual with other companies who are not Group Affiliates. This will only be done to the extent that it is in pursuance of our legitimate interests or once the Individual has given explicit and prior consent to do so. Furthermore, the Company may share personal information of the Individual with third parties in the event of any of the following occurring:
Any insolvency or similar proceedings.
Transfer of all or any part of the Company.
Where the Company discloses personal information of the Individual to the above parties, those parties will be bound to use that personal information for the reasons and purposes it was provided to them and not for any other purpose.
The Company may be obliged to disclose personal information to the extent that is required to do so by law or where we believe it is necessary to protect our rights.
Personal information security:
The Company securely stores The User’s data on dedicated servers based in Ireland and South Africa.
The servers are secured with a firewall and access to the servers are password protected and strictly limited.
Notwithstanding this, no security measures or systems are impenetrable. The Company cannot make any guarantees against data breaches.
Information is transferred over a secure connection and stored in a password protected database.
The Company will:
Take reasonable and appropriate technical and organisational measures to ensure that personal information is kept secure and is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. This includes, for example, encryption of personal information and ensuring that adequate firewalls are in place.
Provide the Individual with access to their personal information to view and/or update personal details upon request.
Promptly notify the Individual if we become aware of any unauthorised use, disclosure or processing of their personal information.
Provide reasonable evidence of compliance with obligations under this policy on reasonable notice and request.
Whilst the Company will do all things reasonably necessary to protect rights of privacy, we cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of personal information, whilst in our possession, by a third party who is not subject to our control, unless such disclosure is as a result of our gross negligence.
Review and correction of personal information:
The Company undertakes to provide the Individual with access to their personal information upon request and provide mechanisms so that any personal information found to be inaccurate or incomplete can be corrected or amended as feasible, subject to any requirement or rule for such personal information to be retained by law.
Prior to the amendment, correction or removal of personal information, the Company will require the Individual to identify themself and to identify the portion of information requested to be amended, corrected or removed. A request for the amendment, correction or removal of personal information may be declined if the process of the request is unreasonably repetitive, require disproportionate technical effort, or jeopardizes the privacy of others.
The services of access and correction of personal information is done free of charge, except to the extent that it would require disproportionate effort by the Company. Once personal information is deleted, residual copies of the information may take a period of time before they are deleted from our servers and may remain in our backup systems.
It is important that any information provided directly to the Company is accurate and correct. Please inform the Company as soon as possible if any information held about the Individual is no longer correct.
Providing false or inaccurate information in order to obtain a product or service may also result in said product or service being restricted or cancelled.
For further information on how to exercise the Individuals right of access to personal information, please refer to the Company’s procedure for data subject access to, objection to, correction or deletion of personal information processed by the Company as set out in the PAIA/POPIA manual which is available at the link provided in point 1.9.
The Company will only retain personal information on the Individual to the extent and duration that a legitimate interest to process this personal information as defined in the point on “Use of Personal Information” above is valid.
The Company will, upon request by the Individual, promptly return or destroy any and all personal information in the possession or control of the Company, save for that which is legally obliged to retain.
Cross border personal information transfers:
To the extent that the Company transfers personal information of the Individual outside the borders of South Africa, the Company will ensure appropriate safeguards are in place, including, for example, ensuring that the third party who is the recipient of the information is subject to a law or binding agreement which provides for an adequate level of protection similar to POPIA.
Data subject rights:
As a data subject, the Individual has a number of data privacy rights. These rights include:
The right of access: Subject to certain exceptions, a data subject after providing adequate proof of identity has the right to:
Request the Company to confirm whether any personal information is held about the data subject, and/or
Request from the Company a description of the personal information held including information about third parties who have or have had access to personal information.
The right to request correction or deletion: A data subject may request the Company to:
Correct or delete personal information about the data subject in our possession or control that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading or obtained unlawfully; and/or
Destroy or delete a record of personal information about the data subject that the Company is no longer authorised to retain in terms of the relevant legislative provision.
The right to withdraw consent and to object to processing: A data subject that has previously consented to the processing of their personal information has the right to withdraw such consent and may do so by providing the Company with notice to such effect to our Information Officer (at the contact details set out below). Furthermore, a data subject may object, on reasonable grounds, to the processing of personal information relating to them.
The right to not be subjected to direct marketing by means of unsolicited electronic communications: A data subject has the right not to be subject to direct marketing by means of unsolicited electronic communications unless the Individual has given the Company consent or are an existing customer of the Company.
The right not to be subjected to automated decision making: a data subject has the right not to be subject to a decision which results in legal consequences for them which is based solely on the basis of the automated processing of personal information.
As a data subject, the Individual also has the right to lodge a complaint to the Information Regulator of South Africa if they are unsatisfied with the manner in which the Company addresses any complaint with regard to the Company’s processing of the Individual’s personal information, the contact details of the Information Regulator are as follows: