Skip to main content

SOP - POPIA FOOD CS

TAKEALOT

 

Introduction

What is POPIA and why is it important ?

POPIA (Protection of Personal Information Act)  is the new data privacy law which comes into effect for businesses on 1st July 2021.

 

The goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination.

 

POPI gives the public the right to data privacy. It defines and regulates the processing of personal information.

 

Companies that are in breach of this law can be fined up to 10 million rand for non compliance per complaint or 10 years in prison.

 

As a company and group we apply and maintain the highest data privacy and security standards to guarantee the accuracy, integrity and privacy of our customers, suppliers, drivers and any other data subject personal data.

 

In South Africa, we are also governed by other laws when storing data which includes the CPA ( Consumer Protection Act) & Companies Act.

 

What is a data subject and what is personal information?

All information that identifies a person or a company. Information is any data recorded relating to the person or company.

 

Personal information relates to 

  • ID Number
  • Email Address
  • Physical Address
  • Telephone Numbers
  • Location Information
  • Bank Account Information
  • IP Address

Data subjects within the Takealot group:

  • Customers
  • Third-party Vendors
  • Drivers
  • Restaurants
  • Employees, ex Employees and interview candidates 

How does POPIA change your world in CS?

  • We will have a team which facilitates all data access and deletion requests. 
    • CS Data Subject Compliance team will be responsible for facilitating and processing all requests across the 3 brands in our group Takealot, Superbalist & Mr D Food
  • Customer engagement and the information we exchange during our contacts can only be actioned after the vetting process has successfully been completed.
    • CS will now introduce compliance protocols before any exchange of information can be provided.

Security Questions 

Security Vetting Channels

POPIA requires agents to ask security questions to identify the person contacting us is a valid data subject

Security checks will be mandatory on all contacts.

  • All channels of communication :
  • Social Media
  • Email via Zendesk or gmail 
  • Calls ( inbound and outbound)

(FNB outbound calls for scheduling will use the MR D Express Script)

 

Security Vetting Process 

 

The security questions to be asked to the data subject with immediate communication. The questions posed are as follows:

If a data subject fails these security questions, we will need to follow the declined security question process.

  • This means that the data subject will be required to email us from the email address linked to their profile for us to validate they have made the request. We will request for them to do so in the following manner:

 

e.g “Regrettably, we’re unable to continue assisting you due to the failure of our security questions. Please forward us an email from the email address linked to your profile for us to further assist you.”

 

Each contact will always have a 3 mandatory questions to be asked for calls.

Mandatory Questions

  • To confirm the name and surname
  • To confirm the email address
  • To confirm the contact number

Supplementary Questions

  • Confirm your last order number (current order in query or last order placed)
  • Confirm restaurant from last order
  • Confirm the delivery address of last Order

1

Call’s security process

  • The data subject calls in
  • Greetings and introduction, e.g thank you for calling Mr D Food, you are speaking with Megan, how can I assist you? 
  • Identify query – e.g I would like to track my order/delivery/return/refund?
  • Security vetting- e.g before we continue with the call for the privacy and security of our customers, I need you to answer these short security questions? 
    • Pass – continue with query
    • Fail – mandatory – ask supplementary questions
    • Fail mandatory and supplementary – request email from profile address
    • NB*Complete Zendesk POPIA Section
    • Questions
    • Security vetting outcome: 

2

Email security process

    • The data subject sends us an email 
    • Identify query – e.g I would like to track my order/delivery/return/refund?
  • Internal security vetting check on Mr D Food
  • Check email address ( does it correspond to profile?
  • Order number on profile
  • Security vetting outcome:
  • Pass – go to zd form field security vetting – select Security check passed
  • Failed – go to zd form field security vetting – select Security check failed
  • Respond to customer and request email to be sent from profile email address.

(macro to be created explaining the reason)

3

Social Media security process

  • The data subject interacts with our social media team requesting information relating to account or an order
  • Identify query – e.g I would like to track my order/delivery/return/refund?
  • Check customer social media handle? Can this be traced to a profile?
    • Yes:Internal security vetting check on Mr D Food
    • No:respond via DM/private message and ask Mandatory security questions to continue with contact interaction
    • Security vetting outcome
    • Pass: continue with query – add internal note in Sprout social – passed security checks
    • Fail : add internal note – failed security checks and respond to customer 

(macro to be created explaining the reason and process to be followed)

 

Complete Zendesk POPIA Ticket Section

For Calls and emails we will introduce a new form field to indicate if the customer has been vetted.

  • Security questions passed
  • Security questions failed

mceclip0.png

For failed security checks, we will not be able to continue with the call and the contact will be required to email us using the primary email address linked to the customer profile.

 

In the event the customer’s email address linked to the profile is no longer working, the customer will need to request via email on our Help center and additional security questions will be asked 

Channels of communication used for inbound and outbound interactions

Security Vetting for Customer Call Contacts 

1

Inbound & Outbound Call & Ask Security Questions

 

Inbound Call:

Hi/Hello/Good morning/Afternoon, this is (your name) speaking from (your teams name), please provide me with an order number ? Before we continue, for security purposes can you kindly confirm:

  • Name and surname 
  • Phone number
  • Email address linked to your profile 

Check the information on the customer's profile in relation to their answer. 

 

If the customer still has not answered the questions correctly, state the following:

  • Please send an email from the email address that’s on your profile. For security purposes we cannot continue this 

Outbound Call:

  • Verify the customer's name to confirm that you are speaking to the correct person

2

Security Vetting Outcome


Customer answers all 3 questions

  • If all the questions were answered correctly, proceed to assist the customer with the information they require.

Customer Fails 1 or more questions 

If any of the questions were answered incorrectly ask the following questions:

  • Confirm your last order number (current order in query or last order placed)
  • Confirm name of restaurant from last order
  • Confirm the delivery address of last Order

Customer Fails 1 or more  supplementary questions

  • Please send an email from the email address that’s on your profile. For security purposes we cannot continue this 

Outbound Call:

  • If the customer confirms their name, proceed with the call.

3

Complete Zendesk POPIA Section 

  • Complete POPIA section on Zendesk Ticket
  • Select Passed IF customer passed all mandatory or supplementary questions
  • Select Failed IF customer failed mandatory or supplementary questions

 

Security Vetting for Restaurant Call Contacts 

NB: Do not share any personal information related to the customer with restaurants

1

Inbound & Outbound Call

Inbound Call:

  • Confirm the Restaurant/Shops/Pick n Pay partner name

Outbound Call:

  • Confirm the Restaurant/Shops/Pick n Pay partner name

2

Complete Zendesk POPIA Section 

  • Complete POPIA section on Zendesk Ticket
  • Select Passed IF partner confirmed their partner name
  • Select Failed IF partner failed to confirm their partner name

 

Security Vetting for Branch Call Contacts 

1

Inbound & Outbound Call

Inbound Call:

  • Confirm the branch name and code

Outbound Call:

  • Confirm the branch name and code

2

Complete Zendesk POPIA Section 

  • Complete POPIA section on Zendesk Ticket
  • Select Passed IF branch confirmed their branch name and code
  • Select Failed IF branch failed to confirm their branch name and code

 

Security Vetting for Customer Email Contacts 

1

Check if email address is linked to profile

  • Search for the customer on Admin using the email address or DFD number provided in the email
  • Search for the restaurants email address on Marketplace

2

Security Vetting Outcomes

Email Address is linked to profile or order

  • Proceed to assist the customer with the resolution required.

Email address is not linked to profile but Order Number provided 

  • Order Related Query:
    • Call using the contact number we have on record to confirm their request and validate their account before assisting them
    • Customer does not answer send them a email requesting confirmation of their details “POPIA:: Security Vetting Question”

Email address is not linked to profile and no order number provided

  • Send information confirmation request to the email address used to make contact

3

Complete Zendesk POPIA Section 

  • Complete POPIA section on Zendesk Ticket
  • Select Passed IF customer passed all mandatory or supplementary questions
  • Select Failed IF customer failed mandatory or supplementary questions

 

Security Vetting for Social Media Contacts

  1. If a data subject interacts with us via social media. It is important to consider the following:
  • Is the data subject requesting information relating to their account
  • Is the data subject exchanging information relating to the security questions 
  1. If an interaction is made publicly, move the interaction to a private conversation before requesting the security questions.
  2. Validate all information the customer has provided before continuing with the action request

 

1

Receive Social Media Interaction 


Respond via DM


Hi/Hello (Cx Name/handle), 

We are gladly able to assist with your request. Please can you confirm the following information for us via DM:


  • Name and surname
  • Phone number
  • Email address linked to your profile

Proceed to check that the information provided matches the information provided in their answer

2

Security Vetting Outcome


Customer answers all 3 questions

  • If all the questions were answered correctly, proceed to assist the customer with the information they require.

Customer Fails 1 or more questions 

If any of the questions were answered incorrectly ask the following questions:


  • Confirm your last order number (current order in query or last order placed)
  • Confirm restaurant from last order
  • Confirm the delivery address of last Order

Customer Fails 1 or more  supplementary questions

  • Please send an email from the email address that’s on your profile. For security purposes we cannot continue this 

3

Complete Zendesk POPIA Section 

  • Complete POPIA section on Zendesk Ticket
  • Select Passed IF customer passed all mandatory or supplementary questions
  • Select Failed IF customer failed mandatory or supplementary questions



The security questions to be asked to the data subject with immediate communication. The questions posed are as follows:

If a data subject fails these security questions, we will need to follow the declined security question process.

  • This means that the data subject will be required to email us from the email address linked to their profile for us to validate they have made the request. We will request for them to do so in the following manner:

e.g “Regrettably, we’re unable to continue assisting you due to the failure of our security questions. Please forward us an email from the email address linked to your profile for us to further assist you.”

 

Each contact will always have a minimum of 3 mandatory questions to be asked for calls.

Mandatory Questions

  • To confirm the name and surname
  • To confirm the email address
  • To confirm the contact number

 

Supplementary Questions

  • Confirm your last order number (current order in query or last order placed)
  • Confirm restaurant from last order
  • Confirm the delivery address of last Order

Supplementary Questions (Profile but no order placed)

  • What platform did you use when registering your profile (Web, Android, IOS)

For failed security checks, we will not be able to continue with the call and the contact will be required to email us using the primary email address linked to the customer profile.

Possible Scenarios of how to handle Contacts 

Scenario 1

Scenario 2

Scenario 3

Customer reaches out and requests information. We do the security checks. If they pass we proceed with the call and provide the information required

Customer reaches out and requests information. We do the security checks. If they fail one of the questions we ask additional security questions. If they pass the additional questions we proceed with the call and provide the information required

Customer reaches out and requests information. We do the security checks. If they fail one of the questions we ask additional security questions. If they fail the additional questions we will tell the customer to send an email from the email address we have on record, alternatively they can log into their profile, obtain the correct details and call us back.

Data Access Request Process 

Help Questions on the website from a customer’s perspective

MR D Food

How can I request my personal data?

How can I manage my personal data?

Can I track the status of my personal information or account deletion request?

How can I delete my account and personal information?

How do we act when they fail the security questions

Behavior should remain the same and always willingness to assist our customers. Request the data subject to send an email from their email which is linked to their Mr D Food account to validate. 

  • If the data subject fails to forward the requested email within 48 hours, the request will be closed. 

Personal Data Request

When a request is made for personal information, validation checks are put into place to ensure we are assisting a valid data subject. 

This is done when the request is made through the Help Centre via an email form that is sent straight to the data subject's email.  Once this form is filled out, the information is sent through to One Trust which is filtered into the correct queue.

 

Data Requests steps to consider

  • Validity: data subject confirms and passes security questions.
  • Data Validity and Consolidation: retrieve data information for the data subject.
  • Completion: provide the data subject with the insight or email details to them.

The relevant specialist assigned the subtask will then validate the requester's information. Once confirmed, they can proceed to the next subtask. Once these subtasks are completed, the data subject's request will then be addressed and completed. 

Data Deletion Request

Data deletion requests apply when the data subject no longer wants any brand in the TAL Group to retain any information of theirs. The above scenarios display each of the circumstances. Most commonly found is scenario 3 and will be focused on.

Data Deletion Request steps to consider

    • Validity: data subject confirms and passes security questions.
    • Eligibility: No orders within 6 months, no credit allocated on account.
  • Completion: Deletion of data is completed.

The data subject or person requesting their personal data to be deleted/destroyed will first be required to validate themselves and pass the security questions. 

The account will verified and will need to meet eligibility requirements:

  • Check the account to see that there is no credit requiring action 
  • Check the account to see no order have been placed within 48 hours
  • Check the account to see that there is 6 months passed from the date of the last order placed.
  • If credit is on the account, refund any credit still due to the customer via CS Portal by following the refund processing steps.
  • If an order has been placed within 48 hours the customer will have to wait for a period of 6 months before the data can be deleted.
  • If eligibility is not met then the customer would need to wait until the time has passed for the last order on the account to be 6 months old before requesting the data to be deleted.

 

Once these checks have been done and eligibility is confirmed. The assignee must mark the request of the subtask on One Trust as done and action the request on CS Portal. Each subtask on One Trust needs to be completed as done by the assignee before continuation of the request can be actioned and completed.

 

The assignee will then pass the subtask on to the next form of action required, which can either be actioned by the same assignee or assigned to whomever will address the subtask.

 

Escalation Process to Data Compliance Team 

Customers will be able to call in directly to the Data Compliance Team, alternatively, they would also be able to email directly through this team. 

If the customer comes through to the Customer Service Team but requests to speak to a Data Compliance Specialist. The following steps need to be followed

Data subjects will be offered 3 different services linked to data access

  • Data subject access request for personal information
  • Data subject deletion request of personal information
  • PAIA process for 3rd party data subjects e.g recipients on orders 

 

1

CS agents take when a contact comes through via a phone call:

  • Escalate via One Agent to the Data Compliance Specialist. This needs to be a warm transfer by providing the following information to the specialist:
    • Confirm validation checks have been completed (email address, name and surname, phone number, last order placed etc.)
    • Provide insight to the request

2

Steps CS agents take when a contact comes through via email:

Escalate to the Data Compliance Team via Zendesk and complete the ZD form. All security questions needs to be answered at this point from the customer before the transfer can be done:

  • Confirm validation checks have been completed (email address, name and surname, phone number, last order placed etc.)
  • Provide insight to the request
  • Tick the Data Compliance check box in the ZD Forms



How do we deal with contacts for data access or deletion requests?

  • All these requests will be handled by the Data subject compliance team.
  • Data requests such as request for access or deletion cannot be completed on behalf of a data subject due to the validation process put in place to secure the privacy and data of a data subject.

 

POPIA Data Access and Deletion Enquiries and Requests

 

The Data Compliance team operates between Monday-Friday between 08:00 am to 18:00 pm. All POPIA enquiries must be transferred to the Data compliance team during their working hours. Enquiries that arise outside of the working hours CS agents must create a new Zendesk ticket and assign it to the data compliance team

 

1

What do I do if a data subject would like more information on the process.

process to be explained - help center question (link to be added)

2

What do I do if a data subject would like to know what data is stored?

  • Complete the security questions
  • Follow internal process ( transfer call “Food Service Internal Inbound” and change ticket form to Data subject request-POPI)
  • Add internal note with the request 
  • Assign on hold to CS Data Compliance
  • Submit as “On Hold”

3

What do I do if a data subject would like to track the progress of their request

  • Complete the security questions
  • Follow internal process  ( transfer call “Food Service Internal Inbound” and change ticket form to Data subject request-POPI)
  • Add internal note with the request 
  • Assign on hold to CS Data Compliance
  • Submit as “On Hold”

4

What do I do if a data subject would like to cancel their data request?

  • Complete the security questions
  • Follow internal process  ( transfer call “Food Service Internal Inbound” and change ticket form to Data subject request-POPI)
  • Add internal note with the request 
  • Assign on hold to CS Data Compliance
  • Submit as “On Hold”

5

What do I do if a data subject says they have received their email with the data but cannot access it?

  • Complete the security questions
  • Follow internal process  ( transfer call “Food Service Internal Inbound” and change ticket form to Data subject request-POPI)
  • Add internal note with the request 
  • Assign on hold to CS Data Compliance
  • Submit as “On Hold”



Each department will have a  privacy champion which will ensure that the correct procedure is followed and all POPI information is protected. Champions are responsible for classifying personal data, approving personal data retention, storage and destruction requirements appropriate for his/her Department (“Retention Requirements”) and ensuring compliance with the Retention Requirements.

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk