Privacy Policy



  • 1.1.“Consent” means the voluntary, specific and informed expression of will;
  • 1.2.“Confidential Information” means all information or data disclosed to or obtained by the Group by any means whatsoever;
  • 1.3.“CPA” means City Property Administration Proprietary Limited (Registration number: 1968/010808/07)
  • 1.4.“Data Subject” means the natural or juristic person to whom the Personal Information relates;
  • 1.5.“Direct Marketing” means approaching a Data Subject personally for the purpose of selling them a product or service;
  • 1.6.“ECTA” means Electronic Communications and Transactions Act, 25 of 2002;
  • 1.7.“Electronic communication” means communication by means of data messages.
  • 1.8.“Electronic signature” means data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature;
  • 1.9.“Electronic transactions” include e-mails sent and received;
  • 1.10.“PAIA” means Promotion of Access to Information Act, 2 of 2000;
  • 1.11.“Personal Information” means information relating to an identifiable, living, natural person, or an identifiable, existing juristic person;
  • 1.12.“POPIA” means the Protection of Personal Information Act, No. 4 of 2013;
  • 1.13.“Processing” means an operation or activity, whether or not by automatic means, concerning Personal Information;
  • 1.14.“The Group” means City Property Administration Proprietary Limited (Registration number: 1968/010808/07) (“CPA”), Octodec Investments Limited (Registration No: 1956/002868/06) (“Octodec”) and/or any other entity or individual in respect of which CPA provides a property management function and/or in terms of which CPA acts as its duly authorised representative and as a result an operator as defined in POPIA, from time to time and thereby deemed an operator as defined in POPIA. Any subsidiary within, any successor-in-title employees, directors, board members, contractors, sub-contractors, agents, and appointees of the aforementioned shall be included in this definition.

This Policy sets out the manner in which The Group accesses and processes personal information in compliance with the prescribed legislation and as dictated by business practice from time to time.


The Policy applies to the Group, their employees, directors, shareholders, contractors, agents, and appointees. The provisions of this Policy are applicable to both on and off-site processing of personal information.

  • 4.1 Categories of Data Subjects and their Personal Information
    • 4.1.1Data Subject: Natural PersonNames; contact details; physical and postal addresses; date of birth; ID/Passport number, permit information; financial/banking information, tax related information; nationality; gender; employment/business information; correspondence.
    • 4.1.2Data Subject: Juristic Person/EntitiesNames of contact persons; name of legal entity; physical and postal address and contact details; financial/banking information; registration number; registration information; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information, permit information.
    • 4.1.3Service Providers / Contractors / Sub-contractorsNames of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; registration information; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information.
    • 4.1.4Employees / Directors / Board MembersGender; pregnancy; marital status; colour, race; age; language; education information; financial information; employment history; ID/passport number; permit information; physical and postal address; contact details; criminal record; well-being medical information.

All information is obtained directly from the data subject and/or an authorised representative.

  • 6.1Only necessary personal information is collected and is then processed for the purposes for which it was collected and in the manner agreed to with data subject. In addition, where necessary information may be retained for legal or research purposes.
  • 6.2All Company and client information must be dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
    • 6.2.1where disclosure is under compulsion of law;
    • 6.2.2where there is a duty to the public to disclose;
    • 6.2.3where the interests of the Company require disclosure; and
    • 6.2.4where disclosure is made with the express or implied consent of the data subject;
  • 6.3Disclosure to third parties is only permitted if the data subject has consented thereto. The Group may supply the Personal Information to any party to whom the Group may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:
    • 6.3.1Capturing, organising and storing of data;
    • 6.3.2Correspondence with Data Subjects;
    • 6.3.3Conducting due diligence checks and Auditing; and/or
    • 6.3.4Administration of Property Management and Human Resource services;
    • 6.3.5Direct marketing and information sharing to specified third parties as expressly consented to by the data subject
  • 7.1It is a requirement of POPIA to adequately protect personal information and therefore the Group has put the following procedures and controls in place in order to safeguard personal information in its possession:
    • 7.1.1Appointment of an Information Officer (details set out under clause 11 below) who is responsible for the compliance with the conditions of the lawful processing of personal information and other provisions of POPIA and related privacy and access to information legislation.
    • 7.1.2This Policy has been put in place and The Groups employees have received training on POPIA;
    • 7.1.3Service Providers / Contractors / Sub-contractors have been requested to sign Service Level Agreements and/or Data Protection Agreements to ensure that they align with The Groups vision and policies in respect of POPIA and are committed to the protection of personal information;
    • 7.1.4The applicable and necessary consents are obtained from Data Subjects before any personal information is processed and/or shared by the Group;
    • 7.1.5All hard copy records are scanned electronically and then archived and/or stored securely on and off site. Access to the records and the storage areas are limited to authorised personal only and record is keep of such access;
    • 7.1.6All electronic files or data are backed up where necessary, by the Groups IT Division which is also responsible for system security that protects third party access and physical threats. The Group IT Division is responsible for Electronic Information Security.
  • 8.1IAll personal information which has become obsolete must be destroyed.
  • 8.2IEach department is responsible for attending to the destruction of records under the control of the relevant department, which must be done as and when necessary. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents must be returned to the holder thereof, failing which, they should be retained by the Company pending such return.
  • 8.3IPersonal Information is destroyed in accordance with all applicable legislation.
  • 9.1Data Subjects have the right to access the personal information that The Group holds about them.
  • 9.2Data Subjects are also required to update, correct or delete their personal information on reasonable grounds.
  • 9.3The Group’s manuals in terms of Access to Information including the requirements of PAIA, which contains the prescribed forms and details of prescribed fees, is available on the CPA and Octodec websites:
  • 9.4Confidential company and/or business information may not be disclosed to third parties as this could constitute industrial espionage. The affairs of the Group must be kept strictly confidential at all times unless required in terms of law.

The Company views any contravention of this policy very seriously and employees who are guilty of contravening the policy will be subject to disciplinary procedures, which may lead to the dismissal of any guilty party.

  • 11.1All complains by Data Subjects can be addressed to the Information officer, the details of whom is reflected in clause 12.2 below.
  • 11.2A data subject may at any time complain to the Information Regulator if misuse is suspected, the details of whom is reflected in clause 12.3 below.
  • The Groups representative
    • Company:City Property Administration Proprietary Limited
    • Registration Number:1968/010808/07
    • Directors:JP Wapnick
      S Wapnick
      P Kruger
  • Information Officer
    • Designated Information Officer: JP Wapnick
    • Email Address:
    • Postal Address: PO Box 15, Pretoria, 0001
    • Registered Address: CPA House, 101 Du Toit Street,
      Pretoria, 0002
    • Telephone number: 012 319 8781
    • Facsimile number: 086 647 1598
    • Website:
    • General
  • Information Regulator
    • Complaints Email
    • Postal Address:P.O Box 31533, Braamfontein,
      Johannesburg, 2017
    • Registered Address:JD House, 27 Stiemens Street,
      Braamfontein, Johannesburg, 2001
    • General
  • 13.1Amendments to, or a review of this Policy, will take place on an ad hoc basis as and when required. Data Subjects are advised to access THE GROUP’s website periodically to keep abreast of any changes.