PAIA AND POPI MANUAL
Privacy is paramount

Published in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000

This manual applies to:

SENSORY FX (PTY) LIMITED
Registration number: 2010/016074/07 and all of its subsidiaries
(“Organisation”)

1. BACKGROUND TO THE PROMOTION OF ACCESS TO INFORMATION ACT

1.1 The Promotion of Access to Information Act, No.2 of 2000 (“PAIA Act”) was enacted on 3 February 2000, giving effect to the constitutional right in terms of section 32 of the Bill of Rights contained in the Constitution of the Republic of South Africa 108 of 1996 (the “Constitution”) of access to any information held by the state and any information that is held by another person that is required for the exercise or protection of any rights.

1.2 In terms of section 51 of the PAIA Act, all private bodies (juristic and natural persons) are required to compile an Information Manual (“PAIA Manual”).

1.3 Where a request is made in terms of the PAIA Act, the body to whom the request is made is obliged to release the information, subject to applicable legislative and/or regulatory requirements, except where the PAIA Act expressly provides that the information may be adopted when requesting information from a public or private body.

2. DETAILS OF ORGANISATION THIS MANUAL APPLIES TO

2.1 This manual was prepared in accordance with section 51 of the PAIA Act and to address requirements of the POPI Act for the Organisation.

2.2 The Organisation is in the business of manufacturing flavours and fragrances.

2.3 This PAIA manual is available at its premises: 154 Edward Avenue, Hennopspark, Centurion, South Africa, as well as on its website: www.sensoryfx.co.za.

3. PURPOSE

3.1 The purpose of the PAIA Act is to promote the right of access to information, to foster a culture of transparency and accountability within the Organisation by giving the right to information that is required for the exercise or protection of any right and to actively promote a society in which the people of South Africa have effective access to information to enable them to exercise and protect their rights.

3.2 In order to promote effective governance of private bodies, it is necessary to ensure that everyone is empowered and educated to understand their rights in relation to public and private bodies.

3.3 Section 9 of the PAIA Act recognizes that the right to access information cannot be unlimited and should be subjected to justifiable limitations, including, but not limited to:

3.3.1 limitation aimed at the reasonable protection of privacy;
3.3.2 commercial confidentiality;
3.3.3 effective, efficient and good governance,
and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.
3.4 This PAIA manual complies with the requirements of the guide contained in section 10 of the PAIA Act and recognizes that upon commencement of the POPI Act, that the appointed Information Regulator will be responsible to regulate compliance with the PAIA Act and its regulations by private and public bodies.

4. CONTACT DETAILS [Section 51(1)(a)]

4.1 The details of the Organisation that adopted this PAIA Manual is as follows:

Managing Director Daniel Francois Strydom
Registered Address 154 Edward Avenue, Hennopspark, Centurion, South Africa
Postal Address Postnet Suite 224
Private Bag X132, Centurion, 0046, South Africa
Telephone Number 0834117958
Website www.sensoryfx.co.za

5. THE INFORMATION OFFICER [Section 51(1)(b)]

5.1 The PAIA Act prescribes the appointment of an Information Officer for the public bodies where such Information Officer is responsible to, inter alia, assess request for access to information.

5.2 The head of a private body fulfils such a function in terms of section 51 of the PAIA Act. The Organisation has opted to appoint the following person as Information Officer to assess such a request for access to information as well as to oversee its required functions in terms of the PAIA Act:

Information Officer Johannes Wilhelm Stodart
Address 154 Edward Avenue, Hennops Park, Centurion, South Africa
Telephone Number 0834117958
E-mail accounts@sensoryfx.co.za

5.3 The Information Officer appointed in terms of the PAIA Act also refers to the Information Officer as referred to in the POPI Act. The Information Officer oversees the functions and responsibilities as required for in terms of both the PAIA Act as well as the duties and responsibilities in terms of section 55 of the POPI Act after registering with the Information Regulator.

5.4 The Information Officer may appoint, where it deemed necessary, Deputy Information Officers, as allowed in terms of section 17 of the PAIA Act as well as section 56 of the POPI Act. The Organisation has opted to appoint the following person as Deputy Information Officer to assist the Information Officer to assess such a request for access to information as well as to oversee its required functions in terms of the PAIA Act:

Deputy Information Officer Elcois Wesseloo
Address 154 Edward Avenue, Hennops Park, Centurion, South Africa
Telephone Number 0825755054
E-mail accounts@sensoryfx.co.za

5.5 This is to render the Organisation as accessible as reasonable possible for requesters of its records and to ensure fulfilment of its obligations and responsibilities as prescribed in terms of section 55 of the POPI Act. All requests for information in terms of the PAIA Act must be addressed to the Information Officer.

6. GUIDE OF SA HUMAN RIGHTS COMMISSION AND THE INFORMATION REGULATOR [Section 51(1)(b)]

6.1 The PAIA Act grants a Requester access to records of a private body, if the record is required for the exercise to protection of any rights.

6.2 Requests in terms of the PAIA Act shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in paragraphs 6 and 7 of the PAIA Act.

6.3 Requests are referred to the Guide in terms of section 10 of the PAIA Act which has been compiled by the South African Human Rights Commission (“SAHRC”), which will contain information for the purposes of exercising Constitutional Rights. The Guide is available from the SAHRC.

6.4 The contact details of the SAHRC are:

Contact Body The South African Human Rights Commission
Physical Address PAIA Unit
29 Princess of Wales Terrace
Cnr York and Andrew Streets
Parktown
Postal Address Private Bag 2700
Houghton
2041
Telephone Number +27 11 877 3600
E-mail PAIA@sahrc.org.za

Website www.sahrc.org.za

6.5 Sections 110 and 114(4) of the POPI Act states that the SAHRC will be replaced as the Regulator under the PAIA Act and will be replaced with the Information Regulator. The Information Officer will take over the PAIA functions from SAHRC on such date as agreed to between the parties. Until then requests to access records of a private body can be made to the SAHRC or to the Information Regulator as follows:

Contact Body The Information Regulator (South Africa)
Physical Address JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address P.O Box 31533, Braamfontein, Johannesburg, 2017
Telephone Number +27 (0)12 406 4818
E-mail inforeg@justice.gov.za

Website www.justice.gov.za/inforeg

7. LATEST NOTICE IN TERMS OF SECTION 52(2) (IF ANY) [Section51(1)(c)]

No notice has been published on the categories of records that are automatically available without a person having to request access in terms of section 52(2) of the PAIA Act.

8. SUBJECTS AND CATEGORIES OF RECORDS AVAILABLE ONLY ON REQUEST TO ACCESS IN TERMS OF THE ACT [Section 51(1)(e)]

8.1 Records held by the Organisation

8.1.1 This clause serves as reference to the categories of information that the Organisation holds. The information is classified and grouped according to records relating to the following subjects and categories:

Subject Category
Companies Act Records All trust deeds
Documents of Incorporation
Index of names of Directors
Memorandum of Incorporation
Minutes of meetings of the board of directors
Minutes of meetings of shareholders
Proxy forms
Register of debenture-holders
Register of directors ’shareholdings
Share certificates
Share Register and other statutory registers and/or records and/or documents
Special resolutions/Resolutions passed at General and Class meetings
Records relating to the appointment of:
Auditors
Directors
Prescribed officers
Public Officers
Secretary
Financial Records Accounting records
Annual Financial Reports
Annual Financial Statements
Asset Registers
Bank statement
Banking details and bank accounts
Banking records
Debtors/Creditors statements and invoices;
General ledgers and subsidiary ledgers
General reconciliation
Invoices
Paid Cheques
Policies and procedures
Rental Agreements; and
Tax returns
Income Tax records PAYE Records
Documents issued to employees for income tax purposes
Records of payments made to SARS on behalf of employees
All other statutory compliances:
VAT
Regional Services Levies
Skills Development Levies
UIF
Workmen’s Compensation
Personal Documents and Records Accident books and records
Address lists
Disciplinary Code and Records
Employee benefit arrangement rules and records
Employment contracts
Employment Equity Plans
Forms and Applications
Grievance procedure
Leave records
Medical Aid records
Payroll Reports/ Wage registers
Pension Fund Records
Safety, Health and Environmental records
Salary records
SETA records
Standard letters and notices
Training Manuals
Training records
Workplace and Union agreements and records
Procurement Standard terms and Conditions for supply of services and products
Contractor, client and supplier agreements
Lists of suppliers, products, services and distribution
Policies and Procedures
Sales Customer details
Credit application information
Information and records provided by a third party
Marketing Advertising and promotional material
Safety, Health and Environment Complete Safety, Health and Environmental Risk assessment
Environmental Management Plans
Inquiries, inspections, examinations by environmental authorities
IT Computer/mobile device usage policy documentation
Disaster recovery plans
Hardware asset registers
Information security policies/standard/procedures
Information technology systems and user manuals
Information usage policy documentation
Project implementation plans
Software licensing
System documentation and manuals

8.2 Note that the accessibility of the records may be subject to the grounds of refusal set out in this PAIA Manual.

8.3 Amongst other, records deemed confidential on the part of a third party, will necessitate permission from the third party concerned, in addition to normal requirements, before the Organisation will consider access.

9. RECORDS AVAILABLE WITHOUT REQUEST TO ACCESS IN TERMS OF THE PAIA ACT

9.1 Records of a public nature, typically those disclosed on the Organisation website and in its various annual reports, may be accessed without the need to submit a formal application.
9.2 Other non-confidential records, such as statutory records maintained at Companies and Intellectual Property Commission, may also be accessed without the need to submit a formal application. However, please note that an appointment to view such records will still have to be made with the Information Officer.
10. DESCRIPTION OF RECORDS OF THE BODY WHICH ARE AVAILABLE IN ACCORDANCE WITH ANY OTHER LEGISLATION [Section 51(1)(d)]

10.1 Where applicable to its operations, the Organisation also retains records and documents in terms of the legislation below. Unless disclosure is prohibited in terms of legislation, regulations, contractual agreement or otherwise, records that are required to be made available in terms of these shall be made available for inspection by interested parties in terms of the requirements and conditions of the PAIA Act and the POPI Act or in terms of the below mentioned legislation and applicable internal policies, should such interested parties be entitled to such information.

10.2 A request to access must be done in accordance with the prescriptions of the PAIA Act.

10.3 The legislation applicable to the Organisation includes but may not be limited to the following:

10.3.1 Basic Conditions of Employment Act, No 75 of 1997;
10.3.2 Broad-Based Black Economic Empowerment Act, No 53 of 2003;
10.3.3 Business Act, No71 of 1991;
10.3.4 Companies Act, No 71 of 2008;
10.3.5 Compensation for Occupational Injuries & Diseases Act, 130 of 1993;
10.3.6 Competition Act, No 71 of 2008;
10.3.7 Constitution of the Republic of South Africa 2008;
10.3.8 Consumer Protection Act No 68 of 2008;
10.3.9 Copyright Act, No 98 of 1978;
10.3.10 Customs and Excise Act, 91 of 1964;
10.3.11 Electronic Communications Act, No 36 of 2005;
10.3.12 Electronic Communications and Transactions Act No 25 of 2002;
10.3.13 Employment Equity Act No 55 of 1998;
10.3.14 Financial Intelligence Centre Act, No 38 of 2001;
10.3.15 Foodstuffs, Cosmetics and Disinfectants Act 54 of 1972;
10.3.16 Identification Act, No 68 of 1997;
10.3.17 Income Tax Act, No 58 of 1962;
10.3.18 Intellectual Property Laws Amendment Act No 38 of 1997;
10.3.19 Labour Relations Act, No 66 of 1995;
10.3.20 Occupational Health and Safety Act, No 85 of 1993;
10.3.21 Prescription Act, No 68 of 1969;
10.3.22 Prevention of Organised Crime Act, No 121 of 1998;
10.3.23 Promotion of Access to Information Act, No. 2 of 2000;
10.3.24 Protection of Personal Information Act, No 4 of 2013;
10.3.25 Regulations of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002;
10.3.26 Revenue Laws Second Amendment Act No. 61 of 2008;
10.3.27 Skills Development Levies Act No. 9 of 1999;
10.3.28 Unemployment Insurance Contributions Act 4 of 2002;
10.3.29 Unemployment Insurance Act no.30 of 1966; and
10.3.30 Value Added Tax Act 89 of 1991.

10.4 It is further recorded that the accessibility of documents and records may be subject to the grounds of refusal set out in this PAIA Manual.

11. DETAIL TO FACILTATE A REQUEST FOR ACCESS TO A RECORD OF THE ORGANISATION [Section 51(1)(e)]

11.1 The Requester, as defined in the PAIA Act, must comply with all the procedural requirements contained in the PAIA Act relating to the request for access to a record.

11.2 The Requester must complete the prescribed form and submit same as well as payment of a request fee and a deposit (if applicable) to the Information Officer or the Deputy Information Officer at the postal or physical address or electronic mail address as noted in clause 5 above.

11.3 The form can be obtained from the Information Regulator’s website www.justice.gov.za/inforeg (Form C – Request for access to record of Private Body).

11.4 The prescribed from must be filled in with sufficient information to enable the Information Officer to identify:

11.4.1 the record or records requested; and
11.4.2 the identity of the requester.

11.5 The Requester should indicate which form of access is required and specify a postal address or fax number of the Requester in the Republic of South Africa.

11.6 The Requester must state that he/she requires the information in order to exercise or protect a right, and clearly state what the nature of the right is so to be exercised or protected. The Requester must clearly specify why the record is necessary to exercise or protect such a right (section 53(2)(d) of the PAIA Act).

11.7 The Organisation will process the request within 30 (thirty) days, unless the Requester has stated special reasons to the satisfaction of the Information Officer that circumstances dictate that the above time periods not be complied with.

11.8 The Requester shall be advised whether access is granted or denied in writing. If, in addition, the Requester requires the reasons for the decision in any other manner, the Requester will be obliged to state which manner and the particulars required.

11.9 If a request is made on behalf of another person, then the Requester must submit proof of the capacity in which the Requester is making the request to the reasonable satisfaction of the Information Officer (section 53(2)(f) of the PAIA Act).

11.10 If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally.

11.11 The Requester must pay the prescribed fee, before any further processing can take place.

11.12 All information as listed in this clause 11 herein should be provided and failing which the process will be delayed until the required information is provided. The prescribed time periods will not commence until the Requester has furnished all the necessary and required information. The Information Officer shall sever a record, if possible, and grant only access to that portion requested and which is not prohibited from being disclosed.

12. REFUSAL OF ACCESS TO RECORDS

12.1 Grounds to Refuse Access

12.1.1 A private body such as the Organisation is entitled to refuse a request for information.

12.1.2 The main grounds for the Organisation to refuse a request for information relates to the:

12.1.2.1 mandatory protection of the privacy of a third party who is a natural person or a deceased person (section 63) or a juristic person, as included in POPI Act, which would involve the unreasonable disclosure of personal information of that natural or juristic person;
12.1.2.2 mandatory protection of personal information and for disclosure of any personal information to, in addition to any other legislative, regulatory or contractual agreements, to comply with the provisions of the POPI Act;
12.1.2.3 mandatory protection of the commercial information of a third party (section 64 of the PAIA Act) if the record contains:

12.1.2.3.1 trade secrets of the third party;
12.1.2.3.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of that third party; or
12.1.2.3.3 information disclosed in confidence by a third party to the Organisation, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition;

12.1.2.4 mandatory protection of confidential information of third parties (section 65 of the PAIA Act) if it is protected in terms of any agreement;
12.1.2.5 mandatory protection of the safety of individuals and the protection of property (section 66 of the PAIA Act);
12.1.2.6 mandatory protection of records which would be regarded as privileged in legal proceedings (section 67 of the PAIA Act);
12.1.2.7 the commercial activities (section 68 of the PAIA Act) of a private body, such as the Organisation, which may include:

12.1.2.7.1 trade secrets of the Organisation;
12.1.2.7.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of the Organisation;
12.1.2.7.3 information which, if disclosed could put the Organisation at a disadvantage in negotiations or commercial competition;
12.1.2.7.4 a computer program which is owned by the Organisation, and which is protected by copyright; or
12.1.2.7.5 the research information (section 69 of the PAIA Act) of the Organisation or a third party, if its disclosure would disclose the identity of the Organisation, the researcher or the subject matter of the research and would place the research at a serious disadvantage; or

12.1.2.8 requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources shall be refused.

12.1.3 All requests for information will be assessed on their own merits and in accordance with the applicable legal principles and legislation.

12.1.4 If a requested record cannot be found or if the record does not exist, the Information Officer shall, by way of an affidavit or affirmation, notify the Requester that it is not possible to give access to the requested record. Such a notice will be regarded as a decision to refuse a request for access to the record concerned for the purpose of the PAIA Act. If the record should later be found, the Requester shall be given access to the record in the manner stipulated by the Requester in the prescribed form, unless the Information Officer refuses access to such record.

13. REMEDIES AVAILABLE WHEN THE ORGANISATION REFUSES A REQUEST

13.1 Internal Remedies

13.1.1 The Organisation does not have internal appeal procedures. The decision made by the Information Officer is final.

13.1.2 Requesters will have to exercise such external remedies at their disposal if the request for information is refused and the Requestor is not satisfied with the answer supplied by the Information Officer.

13.2 External Remedies

13.2.1 A Requestor that is dissatisfied with the Information Officer’s refusal to disclose information, may within 30 (thirty) days of notification of the decision, may apply to a Court for relief.

13.2.2 For purposes of the PAIA Act, the Courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status and a Magistrate’s Court designated by the Minister of Justice and Constitutional Development, and which is presided over by a designated Magistrate.

14. ACCESS TO RECORDS HELD BY THE ORGANISATION

14.1 Prerequisites for Access by Personal/Other Requester

14.1.1 Records held by the Organisation may be accessed by requests only once the prerequisite requirements for access have been met.

14.1.2 A Requester is any person making a request for access to a record of the Organisation.

14.1.3 There are 2 (two) types of requesters:

14.1.3.1 Personal Requester

14.1.3.1.1 A personal requester is a requester who is seeking access to a record containing personal information about the Requester.
14.1.3.1.2 The Organisation will voluntarily provide the requested information, or give access to any record with regard to the requester’s personal information. The prescribed fee for reproduction of the information requested will be charged.

14.1.3.2 Other Requester

14.1.3.2.1 This Requester (other than a personal requester) is entitled to request access to information on third parties.
14.1.3.2.2 In considering such a request, the Organisation will adhere to the provisions of the PAIA Act. Section 71 of the PAIA Act requires that the Information Officer take all reasonable steps to inform a third party to whom the requested record relates of the request, informing him/her that he/she may make a written or oral representation to the Information Officer why the request should be refused or, where required, give written consent for the disclosure of the Information.

14.2 The Organisation is not obliged to voluntarily grant access to such records. The Requester must fulfil the prerequisite requirements, in accordance with the requirements of the PAIA Act and as stipulated in Chapter 5: Part 3, including the payment of a request and access fee.

15. PRESCRIBED FEES [Section 51(1)(f)]

15.1 Fees Provided by the PAIA Act

15.1.1 The PAIA Act provides for 2 (two) types of fees, namely:

15.1.1.1 a request fee, which is a form of administration fee to be paid by all Requesters except personal requesters, before the request is considered and is not refundable; and
15.1.1.2 an access fee, which is paid by all Requesters in the event that a request for access is granted. This fee is inclusive of costs involved by the private body in obtaining and preparing a record for delivery to the Requester.

15.1.2 When the request is received by the Information Officer, such officer shall by notice require the Requester, other than a personal requester, to pay the prescribed request fee, before further processing of the request (section 54(1) of the PAIA Act).

15.1.3 If the search for the record has been made and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations for this purpose, the Information Officer shall notify the Requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.

15.1.4 The Information Officer shall withhold a record until the Requester has paid the fees as indicated below.

15.1.5 A Requester whose request for access to a record has been granted, must pay an access fee that is calculated to include, where applicable, the request fee, the process fee for reproduction and for search and preparation, and for any time reasonably required in excess of the prescribed hours to search for and prepare the record for disclosure including making arrangements to make it available in the request form.

15.1.6 If a deposit has been paid in respect of a request for access, which is refused, then the Information Officer concerned must repay the deposit to the Requester.

16. REPRODUCTION FEE

16.1 Where the Organisation has voluntarily provided the Minister with a list of categories of records that will automatically be made available to any person requesting access thereto, the only charge that may be levied for obtaining such records, will be a fee for reproduction of the record in question, which will be as follows:
Reproduction of Information Fees Fees to be Charged
Information in an A-4 size page photocopy or part thereof R 1,10
A printed copy of an A4-size page or part thereof R 0,75
A copy in computer-readable format, for example: Compact disc R 70,00
A transcription of visual images, in an A4-size page or part thereof R 40,00
A copy of visual images R 60,00
A transcription of an audio record for an A4-size page or part thereof R 20,00
A copy of an audio record R 30,00

16.2 Request Fees

16.2.1 Where a Requester submits a request for access to information held by an institution on a person other than the Requester himself/herself, a request fee in the amount of R50,00 is payable up-front before the institution will further process the request received.

16.3 Access Fees

16.3.1 An access fee is payable in all instances where a request for access to information is granted, except in those instances where payment of an access fee is specially excluded in terms of the PAIA Act or an exclusion is determined by the Minister in terms of section 54(8) of the PAIA Act. The applicable access fees which will be payable are:
Access of Information Fees Fees to be Charged
Information in an A4-size page photocopy or part thereof R 1,10
A printed copy of an A4-size page or part thereof R 0,75
A copy in computer-readable format, for example: USB
Compact disc R 7,50
R 70,00
A transcription of visual images, in an A4-size page or part thereof R 40,00
A copy of visual images R 60,00
A transcription of an audio record for an A4-size page or part thereof R 20,00
A copy of an audio record
*Per hour or part of an hour reasonably required for such search. R 30,00*
Where a copy of a record need to be posted the actual postal fee is payable.

16.4 Deposits

16.4.1 Where the institution receives a request for access to information held on a person other than the Requester himself/herself and the Information Officer upon receipt of the request is of the opinion that the preparation of the required record of disclosure will take more than 6 (six) hours, a deposit is payable by the Requester.

16.4.2 The amount of the deposit is equal to 1/3 (one third) of the amount of the applicable access fee.

16.5 Collection Fees

16.5.1 The initial “request fee” of R50,00 should be deposited into the bank account nominated by the Organisation and a copy of the deposit slip, application form and other correspondence / documents, forwarded to the Information Officer via fax/ email.

16.5.2 All fees are subject to change as allowed for in the PAIA Act and as a consequence such escalations may not always be immediately available at the time of the request being made.

16.5.3 Requesters shall be informed of any changes in the fees prior to making a payment.

17. DECISION

17.1 Time Allowed to Institution

17.1.1 The Organisation will, within 30 (thirty) days of receipt of the request, decide whether to grant or decline the request and give notice with reasons (if required) to that effect.

17.1.2 The 30 (thirty) day period within which the Organisation has to decide whether to grant or refuse the request, may be extended for a further period of not more than (30) thirty days if the request is for a large number of information, or the request requires a search for information held at another office of the Organisation and the information cannot reasonably be obtained within the original 30 (thirty) day period.

17.1.3 The Organisation will notify the Requester in writing should an extension be sought.

18. PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY THE ORGANISATION

18.1 The POPI Act requires the Organisation to inform their clients as to the manner in which their Personal Information is used, disclosed and destroyed.

18.2 Chapter 3 of the POPI Act provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in the POPI Act.

18.3 In this clause 18 words and phrases shall have the meanings assigned to them as in the POPI Act.

18.4 The Organisation needs Personal Information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is Processed and the purpose for which it is Processed is determined by the Organisation. The Organisation is accordingly a Responsible Party for the purposes of the POPI Act and will ensure that the Personal Information of a Data Subject:

18.4.1 is processed lawfully, fairly and transparently. This includes the provision of appropriate information to Data Subjects when their data is collected by the Organisation, in the form of privacy or data collection notices. The Organisation must also have a legal basis (for example, consent) to process Personal Information;
18.4.2 is processed only for the purposes for which it was collected;
18.4.3 will not be processed for a secondary purpose unless that processing is compatible with the original purpose.
18.4.4 is adequate, relevant and not excessive for the purposes for which it was collected;
18.4.5 is accurate and kept up to date;
18.4.6 will not be kept for longer than necessary;
18.4.7 is processed in accordance with integrity and confidentiality principles. This includes physical and organisational measures to ensure that Personal Information, in both physical and electronic form, are subject to an appropriate level of security when stored, used and communicated by the Organisation, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage;
18.4.8 is processed in accordance with the rights of Data Subjects, where applicable. Data Subjects have the right to:

18.4.8.1 be notified that their Personal Information is being collected by the Organisation. The Data Subject also has the right to be notified in the event of a data breach;
18.4.8.2 know whether the Organisation holds Personal Information about them, and to access that information. Any request for information must be handled in accordance with the provisions of this PAIA Manual;
18.4.8.3 request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal information;
18.4.8.4 object to the Organisation’s use of their Personal Information and request the deletion of such Personal Information (deletion would be subject to the Organisation’s record keeping requirements);
18.4.8.5 object to the processing of Personal Information for purposes of direct marketing by means of unsolicited electronic communications; and
18.4.8.6 complain to the Information Regulator regarding an alleged infringement of any of the rights protected under the POPI Act and to institute civil proceedings regarding the alleged non- compliance with the protection of his, her or its personal information.

18.5 Purpose of the Processing of Personal Information by the Organisation

18.5.1 As outlined above, Personal Information may only be processed for a specific purpose. The purposes for which the Organisation processes or will process Personal Information is:
18.5.1.1 providing products or services to clients and to carry out the transactions requested;
18.5.1.2 for the ordering, manufacturing and delivery of products;
18.5.1.3 for the opening of trading accounts, where applicable;
18.5.1.4 for communication purposes relating to the ordering, manufacturing and delivery of products; and
18.5.1.5 to communicate with clients with regards to future orders, prices and accounts.
18.5.1.6 confirming, verifying and updating client details;
18.5.1.7 conducting market or customer satisfaction research;
18.5.1.8 for audit and record keeping purposes;
18.5.1.9 in connection with legal proceedings; and
18.5.1.10 in connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.

18.6 Categories of Data Subjects and Personal Information/Special Personal Information relating thereto

18.6.1 As per section 1 of the POPI Act, a Data Subject may either be a natural or a juristic person. Below are the various categories of Data Subjects that the Organisation Processes Personal Information on and the types of Personal Information relating thereto:

18.6.1.1 the Personal Information of natural and juristic persons will be collected which will include:

18.6.1.1.1 title, full names, initials and identity number/ passport number of natural person;
18.6.1.1.2 registration name and number or juristic person;
18.6.1.1.3 tax numbers;
18.6.1.1.4 contact number;
18.6.1.1.5 email addresses;
18.6.1.1.6 fax numbers;
18.6.1.1.7 web page details;
18.6.1.1.8 postal addresses;
18.6.1.1.9 physical addresses;
18.6.1.1.10 banking details;
18.6.1.1.11 BB-BEE information; and
18.6.1.1.12 quality, food safety and health & safety systems and processes implemented and maintained.

18.7 Recipients of Personal Information

18.7.1 The Organisation may provide a Data Subject’s Personal Information to the following recipients:
18.7.1.1 employees of the Organization;
18.7.1.2 sub-contractors;
18.7.1.3 auditors; and
18.7.1.4 as required by law.

18.8 Cross-border flows of Personal Information

18.8.1 Section 72 of the POPI Act provides that Personal Information may only be transferred out of the Republic of South Africa if the:

18.8.1.1 recipient country can offer such data an “adequate level” of protection. This means that its data privacy laws must be substantially similar to the Conditions for Lawful Processing as contained in the POPI Act; or
18.8.1.2 Data Subject consents to the transfer of their Personal Information; or
18.8.1.3 transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or
18.8.1.4 transfer is necessary for the performance of a contractual obligation between the Responsible Party and a third party, in the interests of the Data Subject; or
18.8.1.5 the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.

18.8.2 The Organisation’s planned cross-border transfers, if applicable, of Personal Information and the condition that applies thereto will be on the same terms and conditions as set out herein.

18.9 Description of information security measures to be implemented by the Organisation

18.9.1 The types of security measures to be implemented by the Organisation in order to ensure that Personal Information is respected and protected is:

18.9.1.1 firewalls;
18.9.1.2 anti-virus programmes;
18.9.1.3 password protected doors to the offices;
18.9.1.4 locked server room;
18.9.1.5 password protected computers; and
18.9.1.6 access rights to confidential information and systems.

18.9.2 A preliminary assessment of the suitability of the information security measures implemented or to be implemented by the Organisation may be conducted in order to ensure that the Personal Information that is processed by the Organisation is safeguarded and Processed in accordance with the Conditions for Lawful Processing.

18.10 Objection to the Processing of Personal Information by a Data Subject

18.10.1 Section 11 (3) of the POPI Act and regulation 2 of the POPI Act Regulations provides that a Data Subject may, at any time object to the Processing of his/her/its Personal Information in the prescribed form (Form 1 to be obtained under the POPI Act Regulations), subject to exceptions contained in the POPI Act.

18.11 Request for correction or deletion of Personal Information

18.11.1 Section 24 of the POPI Act and regulation 3 of the POPI Act Regulations provides that a Data Subject may in the prescribed form (Form 2 to be obtained under the POPI Act Regulations) request for their Personal Information to be corrected or deleted.

19. AVAILABILITY AND UPDATING OF THE PAIA MANUAL

19.1 This PAIA Manual is made available in terms of Regulation Number R.187 of 15 February 2002. The Organisation will update this PAIA Manual at such intervals as may be deemed necessary.

19.2 This PAIA Manual of the Organisation is available to view at its premises and on its website.

Menu