1. Document Control

This table provides a summary of revisions to the document

VersionDateCustodianSummary of Changes

2. Abbreviations and Definitions

Term Definition

Child Means – a) under POPIA, any natural living person under the age of 18 (eighteen) years; or b) under GDPR, any natural person under the age of 16 (sixteen) years;

Country Office means an office of DT in any territory or country other than South Africa;

Data Subject means the DT clients or suppliers who may be natural or juristic persons or any other person(s) in respect of whom DT Processes Personal Information

Employee means any employee of DT, including permanent, full time, fixed term and part time employees;

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Operator means a person who Processes Personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party; PAIA means the Promotion of Access to Information Act No. 2 of 2000 as amended from time to time;

Personal Information Means information relating to any Data Subject, including but not limited to

(i) views or opinions of another individual about the Data Subject; and

(ii) information relating to such Data Subject’s –

  1. a) race, sex, gender, sexual orientation, pregnancy, marital status, nationality, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, conscience, belief, cultural affiliation, language and birth;
  2. b) education, medical, financial, criminal or employment history;
  3. c) names, identity number and/or any other personal identifier, including any number(s), which may uniquely identify a Data Subject, account or client number, password, pin code, customer or Data Subject code or number, numeric, alpha, or alphanumeric design or configuration of any nature, symbol, email address, domain name or IP address, physical address, cellular phone number, telephone number or other particular assignment;
  4. d) blood type, fingerprint or any other biometric information;
  5. e) personal opinions, views or preferences;
  6. f) correspondence that is implicitly or expressly of a personal, private or confidential nature (or further correspondence that would reveal the contents of the original correspondence); and
  7. g) corporate structure, composition and business operations (in circumstances where the Data Subject is a juristic person) irrespective of whether such information is in the public domain or not;

Policy Means this Data Protection and Privacy Policy POPIA Means the Protection of Personal Information Act, 2013 and its Regulations, as amended from time to time;

Processing / Process means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

  1. a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  2. b) dissemination by means of transmission, distribution or making available in any other form; or
  3. c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

Regulator means either

(i) the Information Regulator established in terms of POPIA, or

(ii) the relevant supervisory authority under the GDPR or other data protection legislation;

Responsible Party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing of Personal Information;

DT means the Durban Tourism;

Special Personal Information means personal information relating to:

(i) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(ii) the criminal behaviour of a data subject to the extent that such intimation relates to:

(a) the alleged commission by a data subject of any offence; or

(b) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings; and

Third-Party means any independent contractor, agent, consultant, subcontractor or other representative of DT.

3. Introduction

3.1. Scope

3.1.1 This Policy applies to Personal Information collected by DT in connection with the services offered by it. This includes information collected offline through DT’s consumer call centres, direct marketing campaigns, sweepstakes and competitions, and online through SAT’s websites, branded pages on Third-Party platforms and applications accessed or used through such websites or Third-Party platforms which are operated by or on behalf of DT.

3.1.2 The Policy is hereby incorporated into and forms part of DT’s terms and conditions of use.

3.1.3 This Policy does not apply to the information practices of Third Party companies (including, without limitation, their websites, platforms and/or applications) which DT does not own or control; or individuals that DT does not manage or employ. These Third-Party sites may have their own privacy policies and terms and conditions and Data Subjects are encouraged to read them before using those Third-Party sites.

3.1.4 In the case of DT’s Country Offices, the provisions of this Policy must be read together with the applicable domestic laws of the jurisdiction in which the Country Office is situated. In the event that the provisions of this Policy are less stringent compared to or in conflict with the domestic laws of the Country Office, such domestic laws take precedence over the provisions of this Policy to the extent of such inconsistency

3.2. Objective

3.2.1 The purpose of this Policy is to inform Data Subjects about how DT Processes their Personal Information by, amongst other things, collecting or collating, receiving, recording, storing, updating, distributing, erasing or destroying, disclosing and/or generally using the Data Subject’s Personal Information.

4. Regulatory Framework

List legislations that informs this policy


Act     Constitution of the Republic of South Africa, 1996 Section 195

Act     Tourism Act, 2014

Act     Protection of Personal Information Act, 2013

Act     Public Finance Management Act, 1999

Act    Regulation General Data Protection Regulation Various

4.1. Other Policy Links

4.1.1 Privacy Policy;

4.1.2 Schedule A: Principles Relating to Record Retention and Disposal;

4.1.3 Schedule B: Principles Relating to Direct Marketing;

4.1.4 Schedule C: Principles Relating to Data Breach Response; and

4.1.5 Schedule D: Data Protection and Privacy Policy.

5. Privacy Policy

5.1 General principles

5.1.1 DT acknowledges the need to ensure that Personal Information is handled with care and is committed to ensuring that it complies with the requirements of POPIA and, where relevant, the GDPR for the Processing of Personal Information.

5.1.2 DT, in its capacity as Responsible Party and/or Operator, shall strive to observe, and comply with, its obligations under the POPIA as well as internationally accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

5.2 Collecting Personal Information

5.2.1 DT will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

5.2.2 DT often collects Personal Information directly from the Data Subject and/or from Third-Parties. Where DT obtains Personal Information from Third-Parties, it will ensure that it obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject’s consent where it is permitted to do so in terms of the applicable laws.

5.2.3 Examples of such Third Parties include other DT entities; DT’s clients when DT handles Personal Information on their behalf; regulatory bodies; credit reference agencies; other companies providing services to DT and where DT makes use of publicly available sources of information.

5.2.4 Should DT need to collect Personal Information by law, such as in-relation to anti money laundering or under the terms of a contract that DT may have with a Data Subject and the Data Subject fails to provide such information when requested, DT may be unable to perform the contract. In such a case, DT may have to decline to provide or receive the relevant services, in which event it will notify the Data Subject.

5.3 Lawful Processing of Personal Information

5.3.1 Where DT is the Responsible Party, it will only Process a Data Subject’s Personal Information where – consent of the Data Subject (or a competent person where the Data Subject is a Child) is obtained; or Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party; or Processing complies with an obligation imposed by law on DT; or Processing protects a legitimate interest of the Data Subject; or Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DT; or Processing is necessary for pursuing the legitimate interests of DT or of a third party to whom the information is supplied.

5.3.2 SAT will make Data Subjects aware of the fact that it is Processing their Personal Information and inform them of the specific purpose for which it will be Processing such Personal Information, including making the Data Subject aware of any ThirdParty recipients of the Personal Information (which may also include cross-border transfers of Personal Information).

5.3.3 Where SAT relies on a Data Subject’s consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to DT’s Processing of the Personal Information at any time. This will not affect the lawfulness of any Processing done prior to the withdrawal of consent or any Processing justified by a legal ground.

5.3.4 If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, Durban Tourism will ensure that the Personal Information is no longer Processed

5.4 Use of Personal Information

5.4.1 DT will only Process a Data Subject’s Personal Information for a specific, lawful and clear purpose and will ensure that it makes that Data Subject aware of such purpose(s) as far as possible.

5.4.2 SAT will not use the Personal Information of a Data Subject for any purpose other than the disclosed purpose without the consent of the Data Subject, unless it is permitted or required to do so by law.

5.4.3 SAT will use Personal Information for the following purposes – providing any services to the Data Subject from time to time; receiving services or products provided by the Data Subject to DT from time to time; responding to any correspondence that the Data Subject may send to DT, including via email or by telephone; to contact the Data Subject from time to time, where specific consent has been given; for such other purposes to which the Data Subject may consent from time to time; and for such other purposes authorised in terms of applicable law.

5.5 Use of Personal Information for Direct Marketing

5.5.1 DT may only use Personal Information to contact the Data Subject for purposes of direct marketing from time to time where it is permissible to do so.

5.5.2 DT may use Personal Information to contact any Data Subject and/or market DT’s services directly to the Data Subject(s) if the Data Subject is one of its existing clients, the Data Subject has requested to receive marketing material from DT or DT has the Data Subject’s consent to market its services directly to the Data Subject.

5.5.3 If the Data Subject is an existing client, DT will only use their Personal Information if it had obtained the Personal Information through the provision of a service to the Data Subject and only in relation to similar services to the ones DT previously provided to the Data Subject.

5.5.4 DT will ensure that a reasonable opportunity is given to the Data Subject to object to the use of their Personal Information for marketing purposes when collecting the Personal Information and on the occasion of each communication to the Data Subject for purposes of direct marketing.

5.5.5 DT will not use a Data Subject’s Personal Information to send marketing materials if they have requested not to receive them. If a Data Subject requests that DT stop Processing their Personal Information for marketing purposes, DT shall do so. Requests to opt-out of marketing should be made via forms and links provided for that purpose in the marketing materials sent to the Data Subject.

5.6 Processing of Special Personal Information and Personal Information of Children

5.6.1 Special Personal Information is sensitive Personal Information of a Data Subject.

5.6.2 Special Personal Information may not be Processed unless allowed by law.

5.6.3 Where POPIA applies, Special Personal Information may be processed in the following circumstances: Processing is carried out in accordance with the Data Subject’s express consent; or Processing is necessary for the establishment, exercise or defence of a right or obligation in law; or Processing is necessary to comply with an obligation of international public law; or Processing is for historical, statistical or research purposes, subject to stipulated safeguards; or information has deliberately been made public by the Data Subject; or specific authorisation has been obtained in terms of POPIA.

5.6.4 Where GDPR applies, Processing Special Personal Information is allowed in the following circumstances: Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of DT or of the Data Subject in the field of employment and social security and social protection law; Processing is necessary to protect the vital interests of the data subject or of another natural person where the Data Subject is physically or legally incapable of giving consent; Processing is necessary for reasons of substantial public interest; Processing is necessary for the purposes of preventative or occupational medicine; or Processing is necessary for reasons of public interest in the area of public health.

5.6.5 DT may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.

5.7 Provision of Personal Information to Third Parties

5.7.1 DT may disclose Personal Information to Third-Party service providers and will enter into written agreements with such Third-Party service providers to ensure that they Process any Personal Information in accordance with the provisions of this Policy, POPIA and, where relevant, the GDPR.

5.7.2 Third-Parties may render various services to SAT, including data storage and other services to assist DT with any of the purposes of processing stipulated in this Policy.

5.7.3 DT will disclose Personal Information with the consent of the Data Subject or if it is permitted to do so without such consent in accordance with the applicable laws.

5.7.4 DT may also send Personal Information to a foreign jurisdiction outside of the Republic of South Africa in order to achieve the purpose(s) for which the Personal Information was collected and Processed, including for Processing and storage by Third-Party service providers.

5.7.5 When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, DT will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information without the necessary consent where it is permitted to do so in accordance with the laws applicable to the trans-border flows of Personal Information under POPIA and, where relevant, the GDPR.

5.7.6 The Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

5.8 Storage of Personal Information

5.8.1 DT will keep the Personal Information that it Processes on behalf of Data Subjects at its offices in Johannesburg, France, Germany, the United Kingdom, Netherlands, Australia, India, China, Japan, Brazil, the United States, Nigeria and Ghana.

5.8.2 DT’s Third-Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

5.8.3 DT will ensure that such Third-Party service providers will process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures, POPIA and, where relevant, the GDPR.

5.8.4 DT may store Personal Information using its own secure on-site servers or other internally hosted technology. Personal Information may also be stored by ThirdParties, via cloud services or other technology, to whom DT has contracted with, to support its business operations.

5.8.5 These Third Parties do not use or have access to Personal Information other than for cloud storage and retrieval, and DT requires such parties to employ at least the same level of security that DT uses to protect the Personal Information under its direct control.

5.8.6 Personal Information may be stored and processed in the Republic of South Africa or another country where DT, its affiliates and their service providers maintain servers and facilities. DT will take steps, including by way of contracts, to ensure that it continues to be protected regardless of its location, in a manner consistent with the standards of protection required under the applicable law.

5.9 Safe-Keeping of Personal Information

5.9.1 DT has implemented physical, organisational, contractual and technological security measures to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification.

5.9.2 DT will notify the Regulator and the affected Data Subject (unless the law requires that we delay notification to the Data Subject) in writing in the event of a security breach (or a reasonable belief of a security breach) in respect of that Data Subject’s Personal Information.

5.9.3 DT will provide such notification as soon as reasonably possible and, where feasible, not later than 72 hours after having become aware of any security breach of such Data Subject’s Personal Information.

5.9.4 Furthermore, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DT implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including – the pseudonymisation and encryption of Personal Information; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of Processing.

5.10 Retention of Personal Information

5.10.1 DT may keep records of the Personal Information it has collected, corresponded using, or commented on in an electronic or hardcopy file format.

5.10.2 DT will retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by applicable law.

5.10.3 DT may retain Personal Information for longer periods for statistical, historical or research purposes, and should this occur, DT will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and the applicable laws.

5.10.4 Once the purpose for which the Personal Information was initially collected and Processed no longer applies or becomes obsolete, DT will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information.

5.10.5 In instances where a Data Subject’s Personal Information is anonymised for research or statistical purposes, DT may use such anonymised information indefinitely without further notice to the Data Subject.

5.11 Keeping Personal Information Accurate

5.11.1 DT will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up-to-date as reasonably possible.

5.11.2 DT may not always expressly request the Data Subject to verify and update their Personal Information, unless this process is specifically necessary.

5.11.3 DT, however, expects that the Data Subject will notify it from time to time in writing of any updates required in respect of their Personal Information.

5.12 Access to Personal Information

5.12.1 SAT may request the Data Subject to provide sufficient identification to permit access to, or provide information regarding the existence, use or disclosure of the Data Subject’s Personal Information.

5.12.2 Any such identifying information shall only be used for the purpose of facilitating access to or information regarding the Personal Information.

5.12.3 The Data Subject can request in writing, to review any Personal Information about the Data Subject that is held by DT, including Personal Information that it has collected, utilised or disclosed, as well as the following information:

(i) the purposes of Processing;

(ii) the categories of Personal Information concerned;

(iii) where possible, the envisaged period for which the Personal Information will be stored or, if not possible, the criteria used to determine that period;

(iv) the existence of the right to request from SAT rectification or erasure of Personal Information or restriction of Processing of Personal Information concerning the Data Subject or to object to such processing;

(v) the right to lodge a complaint with the Regulator;

(vi) where the Personal Information is not collected from the Data Subject, any available information as to their source; and

(vii) the existence of automated Processing, including profiling and, at least in those cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the Data Subject.

5.12.4 DT will provide the Data Subject with any such Personal Information to the extent required by law and any of DT’s policies and procedures which apply in terms of PAIA.

5.12.5 The Data Subject can challenge the accuracy or completeness of their Personal Information in DT’s records at any time in accordance with the process set out in DT’s PAIA Manual for accessing information.

5.12.6 If a Data Subject successfully demonstrates that their Personal Information in DT’s records is inaccurate or incomplete, DT will ensure that such Personal Information is amended or deleted as required (including by any Third-Parties).

5.13 Cost of Access to Personal Information

5.13.1 The prescribed fees to be paid for copies of the Data Subject’s Personal Information are listed in DT’s PAIA Manual.

5.14 Changes to this Policy

5.14.1 DT may regularly amend or add new terms to this Policy. Data Subjects must review the Policy regularly to stay up to date with the content. Any changes shall come into effect immediately and automatically.

5.15 Queries and Complaints

5.15.1 All queries and complaints in connection with Personal Information or this Policy may be referred to the Information Officer of DT, whose contact details are:

The Information Officer

Durban Tourism

90 Florida Rd, Windermere, Durban, 4091

(+27) 031 322 4164


5.15.2 If a Data Subject in South Africa is unsatisfied with the manner in which South African Tourism addresses any complaint with regard to South African Tourism’s Processing of Personal Information, the Data Subject can contact the office of the South African Regulator, the details of which are set out below –

Website: http://visitdurban.travel

Tel: +27 31 322 4164

Email: info@visitdurban.travel

5.15.3 If a Data Subject in any of the other jurisdictions mentioned above is unsatisfied with the manner in which DT addresses any complaint with regard to the Processing of Personal Information, the Data Subject can contact the office of the Regulator or other relevant supervisory authority in the relevant jurisdiction.


The purpose of the awards are: To reward people who deliver excellence in tourism in Durban.
To give the public a voice that counts in terms of the feedback/review they give.