Policy Statement | Stratfinn Simple

Privacy Statement

1.In terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”), any responsibleparty that processes personal information must do so in accordance with the principlesoutlined in POPIA.

2.Whereas Stratfinn (Pty) Ltd (“hereinafter referred to as Stratfinn”) is a responsible party,now therefore this policy forms part of Stratfinn (Pty) Ltd’s (“Stratfinn”) internal businessprocesses and procedures.

3.Any reference to the “Stratfinn” shall be interpreted to include the “organisation”.

4.The Directors, employees, volunteers, contractors, suppliers and any other persons actingon behalf of Stratfinn are required to familiarise themselves with the policy’s requirementsand undertake to comply with the stated processes and procedures.

5.The Director of Stratfinn may authorise the adoption of this policy by signing the PolicyStatement section.

5.1 The Right to Access Personal Information 11

5.2 The Right to have Personal Information Corrected or Deleted 11

5.3 The Right to Object to the Processing of Personal Information 11

5.4 The Right to Object to Direct Marketing 12

5.5 The Right to Complain to the Information Regulator 12

5.6 The Right to be Informed 12

GENERAL GUIDING PRINCIPLES 12

6.1 Accountability 12

6.2 Processing Limitation 13

6.3 Purpose Specification 13

6.4 Further Processing Limitation 13

6.5 Information Quality 14

6.6 Open Communication 14 -15

6.7 Security Safeguards 16-17

6.8 Data Subject Participation 18

6.9 Retention of records 18

6.10 Notification of security compromises 19

6.11 Processing Special Personal Information 20

6.12 Transferring Personal Information to a foreign country 21

INFORMATION OFFICERS 21

SPECIFIC DUTIES AND RESPONSIBILITIES 21

8.1 Directors 21

8.2 Information Officer 22

8.3 IT Manager 23

8.4 Marketing & Communication Manager 24

8.5 Employees and other Persons acting on behalf of the Organisation 24 -27

POPIA AUDIT 27

REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE 28

POPIA COMPLAINTS PROCEDURE 28

DISCIPLINARY ACTION 29-30

1.INTRODUCTION

The right to privacy is an integral human right recognised and protected in the South African Constitution and in POPIA.

POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.

Through the provision of quality services, Stratfinn is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees and other stakeholders.

A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.

Given the importance of privacy, Stratfinn is committed to effectively managing personal information in accordance with POPIA’s provisions.

2.DEFINITIONS

2.1 Personal Information

Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:

•race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexualorientation, age, physical or

•mental health, disability, religion, conscience, belief, culture, language and birth of aperson;

•information relating to the education or the medical, financial, criminal or employmenthistory of the person;

•any identifying number, symbol, email address, physical address, telephone number,location information, online identifier or other particular assignment to the person;

•the biometric information of the person;

•the personal opinions, views or preferences of the person;

•correspondence sent by the person that is implicitly or explicitly of a private or confidentialnature or further correspondence that would reveal the contents of the originalcorrespondence;

•the views or opinions of another individual about the person;

•the name of the person if it appears with other personal information relating to the personor if the disclosure of the name itself would reveal information about the person.

2.2 Data Subject

This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies Stratfinn with products or other goods or services.

2.3 Responsible Party

The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, Stratfinn is the responsible party.

2.4 Operator

An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with the organisation to shred documents containing personal information.

2.5 Information Officer

The Information Officer is responsible for ensuring Stratfinn’s compliance with POPIA.

No formal qualifications are required for an Information Officer but anybody who holds this position must familiarise themselves with the provisions of POPIA if they are to fulfil their duties properly. The Information Officer must be aware of the information security that is appropriate in respect of the information processed by StratFin. Although most information today is stored electronically, the role of Information Officer should not be delegated to people responsible for information technology if they are neither the owners of information nor able to assess the importance of the information.

Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.

2.6 Processing

The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes:

•the collection, receipt, recording, organisation, collation, storage, updating or modification,retrieval, alteration,

•consultation or use;

•dissemination by means of transmission, distribution or making available in any other form;or

•merging, linking, as well as any restriction, degradation, erasure or destruction ofinformation.

Stratfinn may only process personal information if the purpose for which it is collected is adequate, relevant and not excessive. This is intended to ensure that only personal information which is appropriate for the purpose it is being collected, is collected. It also relates to the nature of the processing which is being contemplated. This is likely to be viewed in a more relaxed light if the person has already consented to the processing of the personal information.

Stratfinn must also ensure that the personal information that it processes is collected for a specific, explicitly defined and lawful purpose. The purpose of the personal information influences every aspect of the processing of the information, the manner of its collection, periods of retention, further processing, disclosure to third parties and any further issues which may apply to the processing of the information. Stratfinn must ensure, when collecting the information, that the person is aware of the purpose for which the information is being collected, unless one of the exceptions applies.

2.7 Record

Means any recorded information, regardless of form or medium, including:

•Writing on any material;

•Information produced, recorded or stored by means of any tape-recorder, computerequipment, whether hardware or software or both, or other device, and any materialsubsequently derived from information so produced, recorded or stored;

•Label, marking or other writing that identifies or describes anything of which it forms part,or to which it is attached by any means;

•Book, map, plan, graph or drawing;

•Photograph, film, negative, tape or other device in which one or more visual images areembodied so as to be capable, with or without the aid of some other equipment, of beingreproduced.

2.8 Filing System

Means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

2.9 Unique Identifier

Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

2.10 De-Identify

This means to delete any information that identifies a data subject or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.

2.11 Re-Identify

In relation to personal information of a data subject, means to resurrect any information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.

2.12 Consent

Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

Personal information may be collected and processed if the person to whom the personal information relates or a competent person, where such person is a child (under 18 years of age), consents to the processing. In most cases, a parent or guardian will be regarded as a competent person, however, other people like a medical practitioner may be regarded as a competent person, in certain circumstances. All three elements (voluntary, specific and informed) must be valid for the consent to be considered valid.

If the party is given an opportunity to object to the processing of personal information and fails to do so, consent may be inferred from this omission. Although consent does not have to be.

in writing, Stratfinn will seek to ensure the consent is obtained in writing since it will be responsible for providing proof of the consent should it ever be disputed. It is also important to note that the party may withdraw his/her consent at any time. If the consent of the party cannot or has not been obtained, then the personal information may only be processed if the processing:

•is necessary to carry out actions for the conclusion or performance of a contract towhich the person is a party;

•complies with an obligation imposed by law on the organisation;

•protects a legitimate interest of such person;

•is necessary for the proper performance of a public law duty by the organisation; or

•is necessary for pursuing the legitimate interests of the organisation or of a third partyto whom the information is supplied.

Although it is possible for the personal information held by Stratfinn to fall under the aforementioned exceptions (depending on the circumstances), each employee must obtain written consent before processing any personal information in order to prevent a potential dispute unless otherwise determined by the Information Officer.

2.13 Direct Marketing

Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:

•Promoting or offering to supply, in the ordinary course of business, any services to thedata subject; or

•Requesting the data subject to make a donation of any kind for any reason.

2.14 Biometrics

Means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.

2.15 Special Personal Information

Special Personal Information is sensitive personal information that is of a more private nature than ordinary personal information. It consists of information concerning:

•religious or philosophical beliefs;

•race or ethnic origin;

•trade union membership;

• political persuasion;

• health or sex life;

• biometric information; or

• the criminal behaviour of a person.

3. POLICY PURPOSE

This purpose of this policy is to protect Stratfinn from the compliance risks associated with the protection of personal information which includes:

• Breaches of confidentiality. For instance, Stratfinn could suffer loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately.

• Failing to offer choice. For instance, all data subjects should be free to choose how and for what purpose Stratfinn uses information relating to them.

• Reputational damage. For instance, Stratfinn could suffer following an adverse event such as a computer hacker deleting the personal information held by Stratfinn.

Stratfinn will be accountable for the personal information that it holds as it is regarded as the "responsible party" in terms of POPIA because it, "alone or in conjunction with others, determines the purpose of and means for processing personal information". If Stratfinn passes the personal information to a third party to process in terms of a contract or mandate and the third party is not under the direct authority of Stratfinn, the third party will be regarded as an "operator" in terms of POPIA.

Stratfinn, however, will still remain responsible for the processing of the information. Therefore, Stratfinn will be responsible for the personal information it stores and processes, even if such personal information is stored by a storage company.

POPIA requires that the responsible party, in this case, Stratfinn must ensure, in terms of a written contract between the responsible party and the operator, that the operator which processes the personal information for the responsible party establishes and maintains appropriate security measures. If the operator loses or misuses the personal information and there is an agreement in place, the responsible party will still be liable but the agreement could be used to mitigate the responsible party’s risk, claim damages from the operator or soften the responsible party’s case with the Information Regulator or the courts.

Therefore, it is important that Stratfinn identifies the personal information that it processes and that someone is appointed internally to safeguard the personal information in its control, known as the "Information Officer". For purposes of POPIA, Domonique Ramos is the Information Officer of Stratfinn and has been appointed and registered as such.

This policy demonstrates Stratfinn’s commitment to protecting the privacy rights of data subjects in the following manner:

• Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.

• By cultivating an organisation culture that recognises privacy as a valuable human right.

• By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.

• By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation.

• By assigning specific duties and responsibilities to the Information Officer and if, and when necessary, in the future, a Deputy Information Officer in order to protect the interests of Stratfinn and data subjects.

• By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.

4. POLICY APPLICATION

This policy and its guiding principles applies to:

• The Board of Directors;

• All branches and departments of the organisation;

• All employees and interns; and

• All contractors, suppliers and other persons acting on behalf of Stratfinn.

The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as Stratfinn’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).

The legal duty to comply with POPIA’s provisions is activated in any situation where there is:

• A processing of personal information entered into a record by or for a responsible person who is domiciled in South Africa.

POPIA does not apply in situations where the processing of personal information:

• is concluded in the course of purely personal or household activities, or

• where the personal information has been de-identified.

• by the Cabinet and its committees or the Executive Council of a province

• relating to the judicial functions of a court referred to in section 166 of the Constitution

• by or on behalf of a public body

o which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or

o the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures

o only to the extent that adequate safeguards have been established in legislation for the protection of such personal information

• journalistic, literary or artistic purposes.

5. RIGHTS OF DATA SUBJECTS

Where appropriate, Stratfinn will ensure that its clients are made aware of the rights conferred upon them as data subjects. Stratfinn will ensure that it gives effect to the following seven rights.

5.1 The Right to Access Personal Information

Stratfinn recognises that a data subject has the right to establish whether the organisation holds personal information related to him, her or it including the right to request access to that personal information.

5.2 The Right to have Personal Information Corrected or Deleted

The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where Stratfinn is no longer authorised to retain the personal information.

5.3 The Right to Object to the Processing of Personal Information

The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information.

In such circumstances, Stratfinn will give due consideration to the request and the requirements of POPIA.

Stratfinn may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.

5.4 The Right to Object to Direct Marketing

The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.

5.5 The Right to Complain to the Information Regulator

The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA which may be committed by Stratfinn and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.

5.6 The Right to be Informed

The data subject has the right to be notified that his, her or its personal information is being collected by Stratfinn and Stratfinn undertakes to notify the data subject accordingly.

The data subject also has the right to be notified in any situation where Stratfinn has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.

In the event that the data subject is a client of the organisation, s/he or an authorised representative will need to sign Stratfinn’s letter of engagement, which shall indicate that Stratfinn will be collecting his/her or its personal information.

6.GENERAL GUIDING PRINCIPLES

All employees and persons acting on behalf of Stratfinn will at all times be subject to, and act in accordance with, the following guiding principles:

6.1 Accountability

Failing to comply with POPIA could potentially damage Stratfinn’s reputation or expose Stratfinn to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.

Stratfinn will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, Stratfinn will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.

6.2 Processing Limitation

Stratfinn will ensure that personal information under its control is processed:

• in a fair, lawful and non-excessive manner, and

• only with the informed consent of the data subject, and

• only for a specifically defined purpose.

Stratfinn will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information.

Alternatively, where services or transactions are concluded over the telephone or electronic video feed, Stratfinn will maintain a voice recording of the stated purpose for collecting the personal information followed by the data subject’s subsequent consent.

Stratfinn will under no circumstances distribute or share personal information between separate legal entities or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.

Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of the organisation’s business and be provided with the reasons for doing so.

6.3 Purpose Specification

Stratfinn’s daily operations will be informed by the principle of transparency.

Stratfinn will process personal information only for specific, explicitly defined and legitimate reasons. Stratfinn will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.

6.4 Further Processing Limitation

Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose.

Therefore, where Stratfinn seeks to process personal information, it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.

If the further processing of personal information is incompatible with the purpose for which the personal information was first collected, then the organisation may only process the information again if:

• the person has provided his/her consent;

• the information is within public knowledge or the public domain;

• further processing is necessary to avoid the prejudice to the maintenance of the law, to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue by SARS, conduct of court or tribunal proceedings or in the interests of national security;

• further processing is necessary to prevent or mitigate a serious and imminent threat to public health or safety or the life or health of the party or another individual;

• the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or

• the request for further processing has been granted by the Information Regulator.

6.5 Information Quality

Stratfinn will take reasonable steps to ensure that all personal information collected is complete, accurate, not misleading and kept updated. In doing this, Stratfinn must keep in mind the purpose for which the personal information is collected or further processed and it is important that all personal information processed must be treated as confidential.

The more important it is that the personal information be accurate, the greater the effort Stratfinn will put into ensuring its accuracy.

Where personal information is collected or received from third parties, Stratfinn will take reasonable steps to ensure that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent sources.

6.6 Open Communication

Stratfinn will take reasonable steps to ensure that data subjects are notified (are at all times aware) that their personal information is being collected including the purpose for which it is being collected and processed.

Stratfinn will ensure that it establishes and maintains a “contact us” facility, for instance via its website or through an electronic helpdesk, for data subjects who want to:

• Enquire whether the organisation holds related personal information, or

• Request access to related personal information, or

• Request the organisation to update or correct related personal information, or

• Make a complaint concerning the processing of personal information.

If personal information is collected, Stratfinn must take reasonably practicable steps to ensure that the party is aware of, by way of notification:

• the information being collected and where the information is not collected from the party, the source from which it is collected;

• the name and address of the responsible party;

• the purpose for which the information is being collected;

• whether or not the supply of the information by that person is voluntary or mandatory;

• the consequences of failure to provide the information;

• any particular law authorising or requiring the collection of the information;

• the fact that, where applicable, the organisation intends to transfer the information to another country or international organisation and the level of protection afforded to the information by that country or international organisation;

• any further information such as the:

o recipient or category of recipients of the information;

o nature or category of the information;

o existence of the right of access to and the right to rectify the information collected;

o existence of the right to object to the processing of personal information; and

o the right to lodge a complaint to the Information Regulator and contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the person to be reasonable.

Stratfinn must ensure that the person is aware of the factors listed above before the information is collected or as soon as reasonably practicable after it has been collected. However, it will not be necessary for the organisation to do this if:

• the party has consented to the non-compliance;

• not informing the party of the details listed above would not prejudice the legitimate interests of the party;

•non-compliance is necessary to avoid prejudice to the maintenance of the law, to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue by SARS, for the conduct of proceedings in any court or tribunal or in the interests of national security;

•compliance would prejudice a lawful purpose of the collection;

•compliance is not reasonably practicable in the circumstances of the particular case; or

•the information will not be used in a form in which the party may be identified or be used for historical, statistical or research purposes.

In the event that the person is a client of Stratfinn, s/he or an authorised representative will need to sign the organisation's letter of engagement, which shall indicate that Stratfinn will be collecting his/her or its personal information and the client duly consents to such collection and processing of information in order for Stratfinn to fulfil its functions.

6.7 Security Safeguards

It is important that Stratfinn ensures that the integrity and confidentiality of the personal information that it holds is maintained. Stratfinn must take reasonable measures to prevent all personal information that it controls from being lost, damaged or from being unlawfully accessed. In order to do this, Stratfinn will need to identify the risks to the personal information in its possession and establish and maintain appropriate safeguards.

Stratfinn must put a variety of measures in place to make sure the information is handled properly and with great care. These measures must be stipulated in information security and electronic communications policies. For example:

•only authorised people have access to information;

•personal information must be communicated securely and deleted in the proper way (e.g.proper shredding and deleting of information, encryption, authorisations concepts, limitingphysical access, using locked filing cabinets, marking documents, limiting access todatabases etc.);

•a clean desk policy needs to be maintained; and

•no information must be stored on external hard drives etc.

Regular checks must be conducted in order to make sure that the safeguards are being effectively implemented and updated, if necessary. Stratfinn must also consider the information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Stratfinn will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.

Security measures also need to be applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.

Stratfinn will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks.

Stratfinn will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals.

All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which Stratfinn is responsible. All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.

If Stratfinn passes on personal information to a third party to process, Stratfinn will ensure that the third party (the "operator") treats the personal information as confidential.

An operator cannot process personal information without the organisation's knowledge and express authorisation. Stratfinn is also obliged to ensure that the operator establishes and maintains the standard of security measures required by POPIA.

The processing of the personal information and the security safeguards required by Strat must be provided in a written agreement entered into between Stratfinn and the operator. Stratfinn is also obliged to ensure that an operator not domiciled in South Africa adheres to the laws governing the processing of the personal information. Accordingly, Stratfinn’s operators and third-party service providers will be required to enter into service level agreements (“SLA”) or Data Processing Agreements, whichever is applicable and the most appropriate in the circumstances with Stratfinn whereby both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.

6.8 Data Subject Participation

A data subject may request Stratfinn to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been unlawfully obtained.

Stratfinn undertakes that it will correct or delete or destroy the information as soon as reasonably practicable and notify the data subject of such action and provide the data subject with credible evidence proving that the information has been corrected, deleted or destroyed, whatever the case may be.

If the Stratfinn corrects, deletes or destroys any information in such a way that the changed information has an impact on decisions that have been or will be taken in respect of the data subject, Stratfinn will, if reasonably practicable, inform each person or body to whom the personal information has been disclosed of such changes.

Stratfinn will ensure that it provides a facility for data subjects who want to request the correction of deletion of their personal information.

Where applicable, Stratfinn will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

6.9 Retention of records

Stratfinn undertakes not to retain records of personal information for any longer than is necessary for achieving the purpose for which the information was collected or processed.

Stratfinn will not retain personal information any longer than is necessary, unless:

• retention of the record is required or authorised by law;

• Stratfinn reasonably requires the record for lawful purposes related to its functions or activities;

• retention of the record is required by a contract between the parties thereto;

• the party has consented to the retention of the record; or

• the personal information is being used for historical, statistical or research purposes provided that Stratfinn has established appropriate safeguards against the records being used for any other purposes.

If Stratfinn is no longer authorised to retain the record of the personal information, Stratfinn will ensure that the personal information is destroyed, deleted or de-identified (parts of the,

information have been removed so that it can no longer be linked to a specific person e.g. male, aged 25) as soon as reasonably practicable.

The destruction or deletion of the record will be done in such a way that it cannot be reconstructed in an intelligible form. There may be instances, however, where certain personal information may have to be retained, like in situations where people have requested not to be part of a particular mailing list even though they might have also requested to have their personal information destroyed.

Stratfinn must restrict the processing of personal information if:

• its accuracy is contested by the party to which the information relates, for a period enabling Stratfinn to verify the accuracy of the information;

• Stratfinn no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for the purposes of proof;

• the processing is unlawful and the party opposes its destruction or deletion and requests the restriction of its use instead; or

• the party requests to transmit the personal data into another automated processing system.

6.9 Notification of security compromises

If Stratfinn has reasonable grounds to believe that the personal information of a party has been accessed or acquired by any unauthorised person, Stratfinn undertakes to notify the Information Regulator and the person concerned, unless the identity of such person cannot be established immediately.

This will be done as soon as reasonably possible, taking into account the needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. However, if notifying the party may impede a criminal investigation, then the Information Regulator or a public body responsible for the prevention, detection or investigation of offences may determine that the organisation must delay the notification of the party. When the party is notified about the unlawful access to the personal information, such notification must be in writing and mailed to the party's last known physical, postal or email address, placed in a prominent position on Stratfinn's website, published in the news media or in any other way that the Information Regulator may direct.

Stratfinn must be aware of additional contractual obligations regarding what Stratfinn must do in the event of a data breach as set out in agreements with its operators and/or suppliers.

Failure to notify is a breach of POPIA and may, upon conviction of certain offences, lead to imprisonment, a fine, or both.

Stratfinn has implemented a comprehensive incident response plan ("Incident Response Plan"). This sets out what needs to be done by in the event of a data breach, what the internal response times are, Stratfinn will communicate the breach to the Information Regulator and data subjects (e.g. client) and any other reporting requirements (both internally and externally).

Stratfinn has considered taking out a cyber liability insurance policy to cover losses in respect of a data breach and holds the view that this is not necessary at this point in time given the nature and size of the organisation but Stratfinn reserves its right to do so should it become necessary in the future.

6.10 Processing Special Personal Information

Stratfinn will not process Special Personal Information unless:

•the person has consented to the processing;

•processing is necessary to comply with an obligation of international public law;

•processing is for historical, statistical or research purposes to the extent that the purposeserves a public interest and the processing is necessary for the purpose concerned; or itappears to be impossible or would involve a disproportionate effort to ask for consent, andsufficient guarantees are provided for to ensure that the processing does not adverselyaffect the individual privacy of the person to a disproportionate extent;

•information has deliberately been made public by the party;

•the various specific exceptions in respect of the different categories of Special PersonalInformation have been complied with; or

•the Information Regulator has authorised the organisation to process the Special PersonalInformation.

6.11 Transferring Personal Information to a foreign country

Stratfinn agrees that it may not transfer personal information about a person to a third party who is in a foreign country unless:

• such person consents to the transfer;

• the third party who is receiving the information is subject to a law or binding agreement which provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information;

• the transfer is necessary for the performance of a contract between the person and the organisation, or the implementation of pre-contractual measures taken in response to such party's request;

• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the party between the organisation and a third party; or

• the transfer is for the benefit of the party and it is not reasonably practicable to obtain the consent of the person to that transfer and if it were reasonably practicable to obtain such consent, the person would be likely to give it.

7. INFORMATION OFFICER

Domonique Ramos is the appointed Information Officer of Stratfinn. Stratfinn will not appoint a Deputy Information Officer at this stage but reserves its right to do so. Domonique Ramos is responsible for ensuring compliance with POPIA and understands the obligations and responsibilities in this regard.

Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officers.

8. SPECIFIC DUTIES AND RESPONSIBILITIES

8.1 Board of Directors

Stratfinn’s board cannot delegate its accountability and is ultimately answerable for ensuring that Stratfinn meets its legal obligations in terms of POPIA.

The Board may however delegate some of its responsibilities in terms of POPIA to management or other capable individuals.

The Board is responsible for ensuring that:

1. Stratfinn appoints an Information Officer, and where necessary, a Deputy Information Officer(s).

2. All persons responsible for the processing of personal information on behalf of the organisation:

2.1. are appropriately trained and supervised to do so,

2.2. understand that they are contractually obligated to protect the personal information they come into contact with, and

2.3. are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.

3. Data subjects who want to make enquires about their personal information are made aware of the procedure that needs to be followed should they wish to do so.

4. The scheduling of a periodic POPIA audit in order to accurately assess and review the ways in which the organisation collects, holds, uses, shares, discloses, destroys and processes personal information.

8.2 Information Officer

Domonique Ramos is responsible for:

• Taking steps to ensure Stratfinn’s reasonable compliance with the provision of POPIA.

• Keeping updated about Stratfinn’s information protection responsibilities under POPIA.

• Continually analysing privacy regulations and aligning herself with Stratfinn’s personal information processing procedures. This will include reviewing Stratfinn’s information protection procedures and related policies.

• Ensuring that POPIA audits are scheduled and conducted on a regular basis.

• Ensuring that Stratfinn makes it convenient for data subjects who want to update their personal information or submit POPIA related complaints to Stratfinn. For instance, maintaining a “contact us” facility on the website.

• Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by Stratfinn. This will include overseeing the amendment of any contracts and service level agreements currently in force.

• Encouraging compliance with the conditions required for the lawful processing of personal information.

• Ensuring that employees and other persons acting on behalf of Stratfinn are fully aware of the risks associated with the processing of personal information and that they remain informed about Stratfinn’s security controls.

• Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of Stratfinn.

• Addressing POPIA related questions.

• Addressing all POPIA related requests and complaints made by the data subjects.

• Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter.

8.3 IT Manager (if applicable)

The organisation’s IT Manager is responsible for:

• Ensuring that Stratfinn’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.

• Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.

• Ensuring that servers containing personal information are sited in a secure location, away from the general office space.

• Ensuring that all electronically stored personal information is backed-up and tested on a regular basis.

• Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion and malicious shacking attempts.

• Ensuring that personal information being transferred electronically is encrypted.

• Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software.

• Performing regular IT audits to ensure that the security of the organisation’s hardware and software systems are functioning properly.

• Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.

• Performing a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on the organisation’s behalf. For instance, cloud computing services.

8.4 Marketing & Communication Manager (if applicable)

Stratfinn’s Marketing & Communication Manager is responsible for:

• Approving and maintaining the protection of personal information statements and disclaimers that are displayed on Stratfinn’s website, including those attached to communications such as emails and electronic newsletters.

• Addressing any personal information protection queries from journalists or media outlets such as newspapers.

• Where necessary, working with persons acting on behalf of the organisation to ensure that any outsourced marketing initiatives comply with POPIA.

8.5 Employees and other Persons acting on behalf of the Organisation

Employees and other persons acting on behalf of Stratfinn will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain clients, suppliers and other employees.

Employees and other persons acting on behalf of Stratfinn are required to treat personal information as a confidential business asset and to respect the privacy of data subjects.

Employees and other persons acting on behalf of Stratfinn may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties.

Employees and other persons acting on behalf of Stratfinn must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.

Employees and other persons acting on behalf of Stratfinn will only process personal information where:

• The data subject is a client of the organisation that such client has signed the organisation's letter of engagement; or

• The data subject, or a competent person where the data subject is a child, consents to the processing; or

• The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or

• The processing complies with an obligation imposed by law on the responsible party; or

• The processing protects a legitimate interest of the data subject; or

• The processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied.

Furthermore, personal information will only be processed where the data subject:

•Clearly understands why and for what purpose his, her or its personal information is beingcollected; and

•Has granted Stratfinn with explicit written or verbally recorded consent to process his, heror its personal information.

Employees and other persons acting on behalf of Stratfinn will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information.

Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.

Consent can be obtained in written form which includes any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, the organisation will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.

Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:

•the information is contained in or derived from a public record or has been deliberatelymade public by the person;

•the party has consented to the collection of the information from another source;

•the legitimate interests of the party are not prejudiced;

•collection of the information from another source is necessary to avoid the prejudice tothe maintenance of the law, to comply with an obligation imposed by law or to enforcelegislation concerning the collection of revenue by SARS, conduct of court or tribunalproceedings, the interests of national security or the maintenance of the legitimateinterests of the organisation or of a third party to whom the information is supplied;

•compliance would prejudice a lawful purpose of the collection; or

•compliance is not reasonably practicable.

Employees and other persons acting on behalf of the Stratfinn will under no circumstances:

•Process or have access to personal information where such processing or access is not arequirement to perform their respective work-related tasks or duties.

• Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from Stratfinn’s central database or a dedicated server.

• Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.

• Transfer personal information outside of South Africa without the express permission from the Information Officer.

Employees and other persons acting on behalf of Stratfinn are responsible for:

• Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.

• Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.

• Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of the organisation, with the sending or sharing of personal information to or with authorised external persons.

• Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected. Passwords must be changed regularly and may not be shared with unauthorised persons.

• Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.

• Ensuring that where personal information is stored on removable storage medias such as external drives, CDs or DVDs that these are kept locked away securely when not being used.

• Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.

• Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer or lying exposed on the employee's desk.

• Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, verifying a data subject’s contact details when the client or customer phones or communicates via email.

•Where a data subject’s information is found to be out of date, authorisation must first beobtained from the relevant line manager or the Information Officer to update theinformation accordingly.

•Taking reasonable steps to ensure that personal information is stored only for as long asit is needed or required in terms of the purpose for which it was originally collected. Wherepersonal information is no longer required, authorisation must first be obtained from therelevant line manager or the Information Officer to delete or dispose of the personalinformation in the appropriate manner.

•Undergoing POPIA awareness training from time to time.

Where an employee, or a person acting on behalf of Stratfinn, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.

In the event that an employee of Stratfinn receives a mandate from a client who is an EU-citizen, s/he must notify the Information Officer as further requirements may be necessary in respect of personal information relating to such new client in terms of the European Commission's (EU) General Data Protection Regulation (GDPR).

9.POPIA AUDIT

Stratfinn’s Information Officer will schedule periodic POPIA audits.

The purpose of a POPIA audit is to:

•Identify the processes used to collect, record, store, disseminate and destroy personalinformation.

•Determine the flow of personal information throughout Stratfinn.

•Redefine the purpose for gathering and processing personal information.

•Ensure that the processing parameters are still adequately limited.

•Ensure that new data subjects are made aware of the processing of their personalinformation.

•Re-establish the rationale for any further processing where information is received via athird party.

•Verify the quality and security of personal information.

•Monitor the extend of compliance with POPIA and this policy.

•Monitor the effectiveness of internal controls established to manage the organisation’sPOPIA related compliance risk.

In performing the POPIA audit, Information Officers will identify areas within in the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.

10.REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

Data subjects have the right to:

•Request what personal information Stratfinn holds about them and why.

•Request access to their personal information.

•Be informed how to keep their personal information up to date.

Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.

Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.

The Information Officer will process all requests within a reasonable time.

11.POPIA COMPLAINTS PROCEDURE

Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. Stratfinn takes all complaints very seriously and will address all POPIA related complaints in accordance with the following procedure:

•POPIA complaints must be submitted to Stratfinn in writing. Where so required, theInformation Officer will provide the data subject with a “POPIA Complaint Form”.

•Where the complaint has been received by any person other than the Information Officer,that person will ensure that the full details of the complaint reach the Information Officerwithin 1 working day.

•The Information Officer will provide the complainant with a written acknowledgement ofreceipt of the complaint within 2 working days.

•The Information Officer will carefully consider the complaint and address the complainant’sconcerns in an amicable manner. In considering the complaint, the Information Officer will,

endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.

•The Information Officer must also determine whether the complaint relates to an error orbreach of confidentiality that has occurred and which may have a wider impact on theorganisation’s data subjects.

•Where the Information Officer has reason to believe that the personal information of datasubjects has been accessed or acquired by an unauthorised person, the InformationOfficer will consult with the organisation’s Board where after the affected data subjectsand the Information Regulator will be informed of this breach.

•The Information Officer will revert to the complainant with a proposed solution within

7 working days of receipt of the complaint. In all instances, the organisation will providereasons for any decisions taken and communicate any anticipated deviation from thespecified timelines.

•The Information Officer’s response to the data subject may comprise any of the following:

1.A suggested remedy for the complaint,

2.A dismissal of the complaint and the reasons as to why it was dismissed,

3.An apology (if applicable) and any disciplinary action that has been taken against anyemployees involved.

•Where the data subject is not satisfied with the Information Officer’s suggestedremedies, the data subject has the right to complain to the Information Regulator.

•The Information Officer will review the complaints process to assess the effectivenessof the procedure on a periodic basis and to improve the procedure where it is foundwanting. The reason for any complaints will also be reviewed to ensure the avoidanceof occurrences giving rise to POPIA related complaints.

12.DISCIPLINARY ACTION

Where a POPIA complaint or a POPIA infringement investigation has been finalised, Stratfinn may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.

In the case of ignorance or minor negligence, Stratfinn will undertake to provide further awareness training to the employee.

Any gross negligence or the wilful mismanagement of personal information, will be considered a serious form of misconduct for which Stratfinn may summarily dismiss the employee.

Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.

Examples of immediate actions that may be taken subsequent to an investigation include:

•A recommendation to commence with disciplinary action.

•A referral to appropriate law enforcement agencies for criminal investigation.

•Recovery of funds and assets in order to limit any prejudice or damages caused.