Privacy Notice

DEFINITIONS AND INTERPRETATION

1.1. “the Company” means TRANS AFRICA INTERNATIONAL TELECOMMUNICATIONS (PTY) LTD, 2002/015376/07;

1.2. “Constitution” means the Constitution of the Republic of South Africa, 1996;

1.3. “Client” refers to any natural or juristic person that received or receives services from the Company;

1.4. “Data Subject” has the meaning ascribed thereto in terms of section 1 of POPIA;

1.5. “Information Officer” means the duly authorised Information Officer, in terms of POPIA, as per the Information Officer Appointment Document, attached hereto;

1.6. “Manual” means this manual prepared in accordance with POPIA;

1.7. “Personal Information” has the meaning ascribed thereto in section 1 of POPIA;

1.8. “POPIA” means the Protection of Personal Information Act 4 of 2013;

1.9. “POPIA Regulations” means the regulations promulgated in terms of section 112(2) of POPIA;

1.10. “Processing” has the meaning ascribed thereto in section 1 of POPIA;

1.11. “Responsible Party” has the meaning ascribed thereto in section 1 of POPIA;

1.12. “SAHRC” means the South African Human Rights Commission.

1.13. Capitalised terms used in this Manual have the meanings ascribed thereto in section 1 of POPIA as the context specifically requires unless otherwise defined herein.

INTRODUCTION

2.1. POPIA

2.1.1. POPIA was assented to on 26 November 2013. Broadly, the purpose of POPIA is to give effect to section 14 of the Constitution, being the constitutional right to privacy by protecting Personal Information and regulating the free flow and Processing of Personal Information.

2.1.2. POPIA sets minimum conditions which all Responsible Parties must comply with so as to ensure that Personal Information is respected and protected. These minimum conditions are the Conditions for Lawful Processing and are more fully described in paragraph 4.1 of this Manual.

2.2. Purpose of the Manual

2.2.1. The purpose of this Manual is to give effect to the constitutional right to privacy in relation to the protection of Personal Information.

2.2.2. POPIA recognises that the right to privacy may be limited in accordance with section 36 of the Constitution to the extent that such limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality, and freedom.

2.2.3. This Manual, amongst other things, details the purpose for which Personal Information may be processed; a description of the categories of Data Subjects for whom the Company Processes Personal Information as well as the categories of Personal Information relating to such Data Subjects; and the recipients to whom Personal Information may be supplied.

2.2.4. This Manual has been compiled by the Information Officer:

2.2.4.1. as an integral part of the Company’s compliance framework in terms of Regulation 4(1)(a) of the POPIA Regulations; and

2.2.4.2. following the completion of a personal information impact assessment as envisaged by section 4(1)(b) of the POPIA Regulations.

THE COMPANY CONTACT DETAILS

3.1. Name of Information Officer: DEON ROESTORFF

3.2. Address: 1 – 5 Adrain Road (Off Umgeni Road) Stamford Hill Durban

3.3. Postal address: P.O. Box 3985 KwaZulu Natal South Africa 4000

3.4. Telephone: +27 (31) 312 9288

3.5. E-mail: de[email protected]

PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY

The company

4.1. Conditions for Lawful Processing

4.1.1. Chapter 3 of POPIA provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated unless specific exclusions apply as outlined in POPIA. Below is a description of the eight Conditions for Lawful Processing as contained in POPIA:

4.1.1.1. Accountability – the Responsible Party has an obligation to ensure that there is compliance with POPIA in respect of the processing of Personal Information.

4.1.1.2. Processing limitation – Personal Information must be collected directly from a Data Subject to the extent applicable; must only be processed with the consent of the Data Subject and must only be used for the purposes for which it was obtained.

4.1.1.3. Purpose specification – Personal Information must only be processed for the specific purpose for which it was obtained and must not be retained for any longer than it is needed to achieve such purpose.

4.1.1.4. Further processing limitation – further processing of Personal Information must be compatible with the initial purpose for which the information was collected.

4.1.1.5. Information quality – the Responsible Party must ensure that Personal Information held is accurate and updated regularly and that the integrity of the information is maintained by appropriate security measures.

4.1.1.6. Openness – there must be transparency between the Data Subject and the Responsible Party.

4.1.1.7. Security safeguards – a Responsible Party must take reasonable steps to ensure that adequate safeguards are in place to ensure that Personal Information is being processed responsibly and is not unlawfully accessed.

4.1.1.8. Data Subject participation – the Data Subject must be made aware that their information is being processed and must have provided their informed consent to such processing.

4.2. Purpose of the Processing of Personal Information by the Company

4.2.1. As outlined in paragraph 4.1.1.3 above, Personal Information may only be processed for a specific purpose. The purposes for which the Company Processes or will Process Personal Information is as follows:

4.2.2. to provide accounts and/or services to the Client in accordance with terms agreed to by the Client;

4.2.3. to undertake activities related to the provision of accounts and/or services to the Client;

4.2.4. to verify the identity of the Client;

4.2.5. for risk assessment, information security management, statistical, trend analysis and planning purposes;

4.2.6. to monitor and record calls and electronic communications with the Client for quality, training, investigation, and fraud prevention purposes;

4.2.7. for crime detection, prevention, investigation and prosecution;

4.2.8. to enforce or defend the Company’s rights;

4.2.9. to manage the Company’s relationship with the Client, which may include providing information to the Client about the Company’s products and/or service;

4.2.10. any additional purposes expressly authorised by the Client; and

4.2.11. any additional purposes as may be notified to the Client or Data Subjects in any notice provided by the Company.

4.3. Categories of Data Subjects and Personal Information/Special Personal Information relating thereto

The Company shall Process Personal Information on the following Data subjects:

4.3.1. Juristic person:

4.3.1.1. client profile information;

4.3.1.2. account details;

4.3.1.3. payment information;

4.3.1.4. corporate structure;

4.3.1.5. customer risk rating; and

4.3.1.6. client information, including to the extent the categories of information relating to individuals or representatives of Clients (e.g., shareholders, directors, etc.) are required.

4.3.2. Natural person:

4.3.2.1. name;

4.3.2.2. contact details (company and home);

4.3.2.3. tax identification number;

4.3.2.4. bank account information (bank account number, bank account name, bank account type);

4.3.2.5. account opening forms; and

4.3.2.6. photographs and other identification and verification data as contained in images of ID card, passport, and other ID documents, including images of customer signature.

4.3.3. Employees:

4.3.3.1. name;

4.3.3.2. employee ID number; and

4.3.3.3. business contact details (address/telephone number/email address).

4.4. Recipients of Personal Information

The Company may provide a Data Subjects Personal Information to the Company, its affiliates, and their respective representatives.

4.5. Cross-Border flows of Personal Information

Section 72 of POPIA provides that Personal Information may only be transferred out of the Republic of South Africa:

4.5.1. If the recipient country can offer such data an “adequate level” of protection. This means that its data privacy laws must be substantially similar to the Conditions for Lawful Processing as contained in POPIA; or

4.5.2. If the Data Subject consents to the transfer of their Personal Information; or

4.5.3. If the transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or

4.5.4. If the transfer is necessary for the performance of a contractual obligation between the Responsible Party and a third party, in the interests of the Data Subject; or

4.5.5. If the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.

4.6. Information security measures to be implemented by the Company

The Company shall implement the following security measured in order to ensure that Personal Information is respected and protected:

4.6.1. Access Control of Persons

The Company shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data is processed.

4.6.2. Data Media Control

The Company undertakes to implement suitable measures to prevent the unauthorized manipulation of media, including reading, copying, alteration or removal of the data media used by the Company and containing personal data of clients.

4.6.3. Data Memory Control

The Company undertakes to implement suitable measures to prevent unauthorized input into data memory and the unauthorized reading, alteration, or deletion of stored data of the Data Exporter’s customers.

4.6.4. User Control

The Company shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons by means of data transmission equipment.

4.6.5. Access Control to Data

The Company represents that the persons entitled to use the Company’s data processing system are only able to access the data within the scope and to the extent covered by their respective access permissions (authorisation).

4.6.6. Transmission Control

The Company shall be obliged to enable the verification and tracing of the locations and/or destinations to which the Personal Information is transferred by utilisation of the Company’s data communication equipment and devices.

4.6.7. Transport Control

The Company shall implement suitable measures to prevent Personal Information from being read, copied, altered, or deleted by unauthorized persons during the transmission thereof or during the transport of the data media.

4.6.8. Organisation Control

The Company shall maintain its internal organisation in a manner that meets the requirements of this Manual.

A preliminary assessment of the suitability of the information security measures implemented or to be implemented by the Company may be conducted in order to ensure that the Personal Information that is processed by the Company is safeguarded and Processed in accordance with the Conditions for Lawful Processing.

4.7. Objection to the Processing of Personal Information by a Data Subject

Section 11(3) of POPIA and regulation 2 of the POPIA Regulations provides that a Data Subject may, at any time object to the Processing of his/her/its Personal Information, in the prescribed form, subject to exceptions contained in POPIA.

The prescribed form is available on request from the Company.

4.8. Request for Correction or Deletion of Personal Information

4.8.1. Section 24 of POPIA and regulation 3 of the POPIA Regulations provides that a Data Subject may request for their Personal Information to be corrected/deleted in the prescribed form.

4.8.2. The prescribed form is available on request from the Company.

In this policy the following words and expressions shall, in addition to their respective ordinary meanings, bear the following meanings assigned to each of them respectively:

“Act” means the Protection of Personal Information Act, 2013;

“Company” means TRANS AFRICA INTERNATIONAL TELECOMMUNICATIONS (PTY) LTD, registration number 2002/015376/07;

“Device” means any computer used to access the Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device;

“Service” means www.emcom.co.za.

This Privacy Policy provides the Company’s policies and procedures for collecting, using, processing and disclosing your information. Users can access the Service through the Company’s website. This Privacy Policy governs the access of the Service, regardless of how it is accessed, and by using the Services you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy on these terms and conditions. All of the different forms of data, content, and information described below are collectively referred to as “Information”.

1. The Information We Collect and Store

We may collect and store the following information when running the Service:

Information Provided by You

When you register on the Website, you are required to provide us with certain personal information, such as your name, phone number, billing information, email address and business postal addresses.

Log Data

When you use the Service, we automatically record information from your Device, its software, and your activity using the Services. This may include the Device’s Internet Protocol (“IP”) address, browser type, the web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Service.

Cookies

We may also use “cookies” to collect information and improve our Services. A cookie is a small data file that we transfer to your Device. We may use “persistent cookies” to save your registration ID and login password for future logins to the Service. We may use “session ID cookies” to enable certain features of the Service, to better understand how you interact with the Service and to monitor aggregate usage and web traffic routing on the Service. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all aspects of the Service.

2. How We Use Personal Information

Personal Information

In the course of using the Service, we may collect personal information that can be used to contact or identify you (“Personal Information”). Personal Information is or may be used: (i) to provide and improve our services and/or products and/or the website, (ii) to administer your use of the Service, (iii) to better understand your needs and interests, (iv) to personalize and improve your experience, and (v) to provide or offer software updates and product announcements. If you no longer wish to receive communications from us, please follow the “unsubscribe” instructions provided in any of those communications, or update your profile information.

Analytics

We also collect some information (ourselves or using third party services) using logging and cookies, such as IP address, which can sometimes be correlated with Personal Information. We use this information for the above purposes and to monitor and analyze the use of the Service, for the Service’s technical administration, to increase our Service’s functionality and user-friendliness, and to verify users have the authorization needed for the Service to process their requests.

3. Information Sharing and Disclosure

Your Use

We do not display your information to other users of the Service. You can review and revise your information at any time. We do not sell your information to any third party.

Service Providers, Business Partners and Others

We may use certain trusted third-party companies and individuals to help us provide, analyze, and improve the Service (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of the Service’s features). These third parties may have access to your information only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy.

Compliance with Laws and Law Enforcement Requests; Protection of the Company’s Rights

We may disclose to third parties’ files stored in your account and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary in order to:

  1. comply with a law, including the Act;
  2. protect the safety of any person from death or serious bodily injury;
  3. prevent fraud or abuse; or
  4. to protect the Company’s property rights.
Non-private or Non-Personal Information

We may disclose your non-private, aggregated, or otherwise non-personal information, such as usage statistics of our Service.

4. Changing or Deleting Your Information

If you are a registered user, you may review, update, correct or delete the Personal Information provided in your registration or account profile by changing your “account settings.” If your personally identifiable information changes, or if you no longer desire our service, you may update or delete it by making the change on your account settings. In some cases, we may retain copies of your information if required by law. For questions about your Personal Information on our Service, please contact [email protected]

5. Data Retention

We will retain your information for as long as your account is active or as needed to provide you with services. If you wish to cancel your account or request that we no longer use your information to provide you with services, you may delete your account. We may retain and use your information in order to comply with our legal obligations, resolve disputes, and enforce our agreements. Consistent with these requirements, we will try to delete your information quickly upon request. Please note, however, that there might be latency in deleting information from our servers and backed-up versions might exist after deletion.

6. Security

The security of your information is important to us. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL).

We follow generally accepted standards to protect the information submitted to us, both during transmission and once we receive it. No method of electronic transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our website, contact us at +27 (31) 312 9288.

7. Contacting Us

If you have any questions about this Privacy Policy, please contact us at:

Email: [email protected]
Phone: +27 (31) 312 9288

8. Compliance with the Act

The whole of this Privacy Policy is subject to – and shall be interpreted in compliance with – the Act.

9. Changes to our Privacy Policy

This Privacy Policy may change from time to time. If we make a change to this privacy policy that we believe materially reduces your rights, we will provide you with notice (for example, by email). And we may provide notice of changes in other circumstances as well. By continuing to use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

INTRODUCTION

1.1. The aim of the manual is to assist potential requestors as to the procedure to be followed when requesting access to information/documents from the Company as contemplated in terms of the Act.

1.2. The manual may be amended from time to time and as soon as any amendments have been finalised, the latest version of the manual will be made public.

1.3. Any requestor is advised to contact the Information Officer should he/she require any assistance in respect of the utilization of this manual and/or the requesting of information/documents from the Company.

1.4. The following words will bear the following meaning in this manual:

1.4.1. “the Act” means the Promotion of Access to Information Act, No. 2 of 2000, together with all relevant regulations published;

1.4.2. “the Company” means TRANS AFRICA INTERNATIONAL TELECOMMUNICATIONS (PTY) LTD, registration number 2002/015376/07;

1.4.3. “Manual” shall mean this manual together with all annexures thereto, as available at the offices of the Company and on the Company’s website;

1.4.4. “SAHRC” shall mean the South African Human Rights Commission;

1.4.5. “Information Officer” means the Information Officer appointed by the Company from time to time, whose details are included under clause 2 below, to which requests for information in terms of the Act should be addressed.

INFORMATION OFFICER CONTACT DETAILS

2.1. The Company hereby appoints, in terms of Section 51(1)(a) of the Act the below-named individual as the information officer:

2.1.1. Name of Information Officer: DEON ROESTORFF

2.1.2. Address: 1 – 5 Adrain Road (Off Umgeni Road) Stamford Hill Durban       

2.1.3. Postal address: P.O. Box 3985 KwaZulu Natal South Africa 4000

2.1.4. Telephone: +27 (31) 312 9288

2.1.5. E-mail: [email protected]

GUIDE IN TERMS OF SECTION 10 OF THE ACT 

3.1. In terms of Section 10 of the Act, a guide will be compiled by the South African Human Rights Commission containing such information as may be required by a person who wishes to exercise any right contemplated in the Act. The guide will be made available in all official languages by the SAHRC and is obtainable from the SAHRC.

3.2. Contact details of the South African Human Rights Commission are as follows:

PAIA Unit

3.2.1. Address: 33 Hoof Street, Braamfontein

3.2.2. Telephone: +27 11 877 3600

3.2.3. Fax: +27 11 403 0625

3.2.4. Website: www.sahrc.org.za

3.2.5. E-Mail: [email protected]

NOTICE(S) IN TERMS OF SECTION 52(2) OF THE ACT (Section 51(1)(c) of the Act)

4.1. At this stage, no notice(s) has/have been published.

INFORMATION / DOCUMENTS AVAILABLE IN ACCORDANCE WITH OTHER LEGISLATION 

5.1. The Company shall keep information/documents in accordance with the following legislation (please note that this is not an exhaustive list):

5.1.1. Insolvency Act, No. 24 of 1936 (Section 134 and155);

5.1.2. Pension Funds Act, No. 24 of 1956;

5.1.3. Income Tax Act, No. 58 of 1962 (Section 75);

5.1.4. Companies Act, No. 71 of 2008;

5.1.5. Copyright Act, No. 98 of 1978;

5.1.6. Regional Services Councils Act, No. 109 of 1985;

5.1.7. Value Added Tax Act, No. 89 of 1991 (Section 65);

5.1.8. Occupational Health and Safety Act, No. 85 of 1993;

5.1.9. Compensation for Occupational Injuries and Diseases Act, No. 130 of 1993 (Section 97);

5.1.10. Labour Relations Act, No. 66 of 1995;

5.1.11. Basic Conditions of Employment Act, No. 75 of 1997 (Section 31);

5.1.12. Employment Equity Act, No. 55 of 1998 (Section 26);

5.1.13. Skills Development Act, No. 97 of 1998;

5.1.14. Medical Schemes Act, No. 131 of 1998;

5.1.15. Skills Development Levies Act, No. 9 of 1999; and

5.1.16. Unemployment Insurance Act, No. 63 of 2001.

5.2. The above records, insofar as it being of a public nature are available automatically without a person having to request access thereto in term of the Act, as envisaged in Section 52.

DOCUMENTS/INFORMATION HELD BY THE COMPANY IN TERMS OF (Section 51(1)(e) of the Act)

6.1. The Company holds the information/documents listed herein below:

6.1.1. details relating to the operational, commercial, and financial interests of the Company;

6.1.2. commercial contracts;

6.1.3. client database (personal information of clients, commercial and financial information, information on contemplated, existing, and past business transactions, information on agreements, proposals, and intellectual property of such clients);

6.1.4. employment contracts;

6.1.5. personnel records for the Company’s employees;

6.1.6. human resources (personal information of past, present and prospective employees, and partners/directors); and

6.1.7. insurance policies.

6.2. It is recorded that any and all documents/information requested pertaining to the aforesaid shall only be made available to a requestor subject to the provisions of the Act.

6.3. None of the information held by the Company is automatically available without a person having to request access in terms of and subject to the provisions of the Act.

6.4. A request for information should be in the prescribed form, addressed to the Information Officer and submitted against payment of the prescribed fee.

OTHER INFORMATION (Section 51(1)(f) of the Act)

The Minister of Justice and Constitutional Development has to date not published any regulations in terms of this Section.

AVAILABILITY OF THE MANUAL (Section 51(3) of the Act)

8.1. This manual is available for inspection at the offices of the Company and on the Company website, free of charge.

8.2. It should be noted that the manual accessible on the website of the SAHRC and in the Government Gazette, does not include the request forms or fee structure. The request forms and fee structure can be obtained on the SAHRC website (www.sahrc.org.za) or the website of the Department of Justice and Constitutional Development (www.doi.gov.za) (under “regulations”).

In this agreement, the following words bear the meanings associated with them below:

“Personal Information” means information relating to an identifiable, living, natural person, including:

1. Financial information related to a person, including information provided by the Customer, or information obtained from a Credit Bureaux or CIPC (the Companies and Intellectual Property Commission);

2. Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; and/or

3. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about that person.

“Data Subject” means each director of the Customer and each shareholder of the Company that is a natural person.

WHEREAS:

In the course of the Company’s customer verification and credit vetting processes, the Company will collect and process Personal Information related to Data Subjects. 

The Company is committed to ensuring that any processing of Personal Information related to Data Subjects is limited to the express purposes of opening and management of an account for the Customer and that such processing is compliant with POPIA.

IT IS HEREBY AGREED THAT:

1. The Customer consents to the Company:

  • performing a credit search on the Customer’s record, as well as the record of Data Subjects, with one or more of the registered Credit Bureaux when assessing the Customer’s Application for Credit (and at any other time in the Company’s discretion);
  • recording the existence of the Customer’s account with any Credit Bureau; and/or
  • recording and transmitting details of how the Customer has performed, and how the account is conducted by the Customer in meeting its obligations on the account.

2. The Customer acknowledges and agrees that any information regarding its creditworthiness, defaults in payment to the Company, and details of its account with the Company is conducted may be disclosed to any other creditor of the Customer or any registered Credit Bureaux, after 21 (twenty-one) days’ notice having been given to the Customer.

3. The Customer consents to the collection, processing and storage of Personal Information by the Company related to Data Subjects, for the purposes of both the opening and ongoing management of a customer account.

4. The Customer warrants and represents that:

  • it has concluded a contract with each Data Subject; and that in terms of such contract, the Customer has obtained the consent from such person to the processing of Personal Information by suppliers in the credit vetting process; and
  • the processing of Personal Information by the Company is necessary for the legitimate interests of the Company in the Company’s credit vetting process.

5. The Customer warrants that all Personal Information supplied to the Company is accurate, up to date, is not misleading and that it is complete in all respects.

6. The Customer undertakes to immediately advise the Company of any changes to the relevant Personal Information of a Data Subject, but not limited to, a change of ownership or control in the Customer.

7. The Company undertakes:

  • to act in accordance with POPIA in relation to the collection, processing and storing of Personal Information related to the Customer. The processing of Personal Information by the Company will be limited to the purposes set out herein and will not be excessive;
  • not to disclose the Customer’s Personal Information unless it is legally or contractually required or for its legitimate business purposes; and
  • to use reasonable efforts in order to ensure that Personal Information related to Data Subjects in its possession or processed on its behalf is:
    • kept confidential; 
    • stored in a secure manner; and 
    • processed in terms of the provisions of POPIA, and, for the purposes for which the Company has been authorized;
  • to take reasonable steps to identify risks associated with the processing of the Customer’s information and establish safeguards against any such identified risks; and
  • to take reasonable steps to ensure that the Customer is notified in the event of a breach of the confidentiality of the Customers Personal Information.

8. The Customer has a right to lodge a complaint with the Information Regulator if the Customer if it is of the view that its rights in terms of POPIA have been breached. The contact details of the Information Regulator are:

To promote compliance in terms of POPIA, the parties hereto record and agree as follows:

1. During the course of the Supplier’s appointment to render services to the Company, the Supplier will gain access to Personal Information related to the Company’s guests and prospective guests.

2. The Company is obliged under POPIA to ensure that any third party appointed by it does not, in its name and stead, infringe POPIA.

3. The Supplier is committed to ensuring that it is compliant with POPIA and that its conduct does not place the Company in breach thereof. Therefore, the Supplier provides the following undertakings to the Company in relation to Personal Information collected during the course of the Supplier’s appointment by the Company:

3.1. the Supplier is familiar with its obligations under POPIA and has conducted inter alia the necessary Personal Information Impact Assessment, and, has implemented a POPIA Compliance Framework;

3.2. all Personal Information will be stored securely;

3.3. Personal Information will neither be disseminated nor sold without the prior written consent of both the data subject and the Company;

3.4. Personal Information will not be retained for longer than is strictly necessary;

3.5. the Supplier’s systems that hold Personal Information, whether it be in a data or physical format, have been reviewed to ensure compliance with POPIA. Such review was conducted so as to inter alia identify all foreseeable internal and external risks to Personal Information and steps have been taken to guard against the identified risks;

3.6. should there be a breach of the confidentiality of Personal Information, the Supplier will take all reasonable steps to ensure that the data subject and the Company is notified thereof; and

3.7. the Supply will continuously review and update its POPIA Compliance Framework.

The parties hereto agree to co-operate with each other in good faith so as to ensure that they are compliant with POPIA.