Privacy Statement of the Financial Sector Conduct Authority (FSCA)
The FSCA (we, us) has a legal mandate in terms of the Financial Sector Regulation Act No.9 of 2017 (hereafter referred to as the FSRA) for regulating the market conduct and the supervision of financial institutions. The FSCA aims to enhance and support the efficiency and integrity of financial markets and to protect financial customers by promoting their fair treatment by financial institutions, as well as providing financial customers with financial education. The FSCA will further assist in maintaining financial stability.
To achieve its objectives as set out above, the FSCA must collect and use information, including personal information as defined in the Protection of Personal Information Act No 4 of 2013. Personal information means information which alone or jointly with other factors identifies you as a person. This includes information such as your name, contact details, telephone number, biometric information, registration number and any other information we collect.
The FSCA treats all personal information they collect through different channels as private and confidential.
The purpose of this Privacy Statement is to explain how and why we use your personal information.
Right to change this Privacy Statement
We may change this Privacy Statement to align with changes in the law or changes in technology which impact on how we process your personal information. We will publish all changes which describes our new practices on our websites, and the latest version will replace previous versions.
Collection of personal information
Personal information is collected directly from you and may be collected indirectly from other external sources for purposes of fulfilling our legislative mandate and sector specific obligations.
Due to the supervisory and enforcement nature of the FSCA, we need to have a complete view of the markets we regulate, understand their behaviours and that of consumers, be proactive and pre-emptive in effectively identifying risks that impacts on the achievement of our mandate. In order to effectively achieve this, the FSCA must collect information from multiple sources, examples of other sources include:
- Other regulators. These regulators may be inside or outside of South Africa
- Media sources such as newspapers, social media and the broadcast news
- Law enforcement agencies such as the South African Police Service
- Members of the public
- Credit bureaus
- Our service providers
- Verification agencies
Why do we collect personal information?
We collect your personal information for a number of reasons including the following:
- To process your licence/registration application as required by the financial sector laws for which the FSCA is the responsible authority.
- Analyse your suitability for the products and services you apply for.
- To monitor financial sector trends and emerging market conduct risks.
- Supervising the business conduct of entities we regulate.
- Identify possible contravention of sector specific laws.
- Management of third-party relationships and facilitating payment where you are our service provider.
- To manage the employment relationship where you are employed by us.
- For processing your application where you have applied for employment with us
What personal information do we collect?
Each of our divisions collect and process different attributes of your personal information at specific points of our regulatory processes, to fulfil a legislative mandate or for internal business purposes. You will learn more about the type of personal information we collect and process below.
- Identifying number (employee number; company registration numbers, ID number),
- Email-addresses, physical address, telephone number
- Names, surname, marital status, nationality, sexual orientation, age, physical health status, mental health status, well-being, disability status, language, birth place, date of birth. Some of the information may be more prevalent in our employment processes than in the core business divisions.
- Biometric information such as fingerprinting, particularly in our employment processes.
- Information on your race, ethnic or social origin, criminal recordings/proceedings.
- Education, medical, financial, employment information
We may not be able to carry out our legislative mandate and provide our services to the public, employ you or procure your services without your personal information.
Publication and access to FSCA registers
The FSCA makes accessible certain information to the public on its website, such as lists of regulated entities and persons. The accessible information includes the details of the entity, its contact information, names of appointed compliance officers, key individuals, licensed products, list of approved nominees and holding companies.
We will only make accessible limited information that will allow the public the ability to verify licensed entities and persons and contact them for their financial needs, where necessary.
The use of Third Parties
We will from time to time share your personal information with third parties. We will only disclose your personal information if:
- It is necessary to fulfil our legislative mandate as provided for in the FSRA
- For business purposes
- The law requires it
- We have a public duty to disclose the information
- Your legitimate interests require disclosure or
- You have provided consent for us to disclose your information.
These third parties may include but not limited to:
- FSCA service providers
- Other regulators (including foreign regulators)
- Law enforcement agencies
- Verification agents
Where appropriate, we request the third parties with whom we share information with, to take adequate measures and comply with applicable data protection laws and protect the information we are disclosing to them. We do this through contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have appropriate measures to protect the information we provide to them.
If you want to learn more about our internal measures, please contact the FSCA Privacy Officer.
Transborder information flows
Where necessary and appropriate, your personal information may be processed in other countries for:
- Business purposes, in instances where our third parties are located in countries outside of South Africa;
- Sharing with other regulators outside of South Africa for fulfilling a legislative mandate or
- Law enforcement agencies for investigation purposes.
These countries may not have the same level of protection. However, before we transfer personal information outside South Africa, we have stringent processes to ensure that appropriate organisational and security safeguards are put in place to protect the personal information which includes contractual and internal due diligence measures.
You have rights as the data subject which you can exercise in relation to the personal information we hold about you. You can exercise your right to:
- Request access to the information we hold about you. We may, if allowed by law, charge a fee for this.
- Request correction and updates to the personal information we hold about you through the sector specific service channels.
- Object to the way in which we use personal information about you.
- Request the deletion of your personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully or where we are no longer authorised to keep such information.
- Complain to us about the way we use your personal information. If you are not satisfied with how we handle your complaint, you can lodge a complaint with the Information Regulator.
- You have the right to query a decision that we make about a service that you have applied for and that was made solely by automated means.
It is important to note that the rights are not absolute and must be balanced against other competing rights. As such they may be limited owing to the nature of our public interest mandate. We may also rely on certain exceptions which may impact on your rights, for example, your right to object or the right of access to information. We will only do this where the interest we are mandated to protect outweighs to a substantial degree interference with your privacy. Where possible in terms of law, we will explain the exception we are relying on and its impact on your rights.
Our Security Practices
Our security systems and controls are designed to maintain confidentiality, prevent loss, unauthorised access and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.
Anonymous collection of data from use of our website
We monitor user experience while you are using our website and collect anonymous connection statistics through our monitoring solution. This is to improve our website service and add value to you when you visit our website.
We use cookie technology on our website. Cookies are small files which are stored on a user's computer when you use our website. We have non-essential cookies that enable us to distinguish users, and strict transport security which allows a website to declare itself as a secure host.
Links to other websites on our website
Our website may have links to or from other websites of other regulatory bodies or standards that are not operated by the FSCA. We request that you read and familiarise yourself with the privacy and security policies of these websites as we are not responsible for the privacy and security of the websites mentioned.
Use and monitoring of electronic communications
It is important that we keep the public abreast of any development that has a public interest. As such we communicate with you and the public using different channels, including the media.
We may also monitor electronic communications of the industry we regulate to ensure that it complies with certain regulatory requirements such as your social media accounts.
Retention of personal information
Our retention schedule and information policies define how long we keep all types of records, including any personal information we process in the different divisions. Personal information is retained and destroyed as required or authorised by law, and for defined purposes related to the activities of the FSCA.
How to contact us
If you have any queries, requests, questions or complaints about our privacy notice and how we process your personal information, please contact the FSCA Information Privacy Officer at email@example.com.
Financial Sector Conduct Authority (FSCA)
41 Matroosberg Road
Telephone: 012 367 7141