PAIA Manual
In Terms of Section 51 of POPIA

PAIA MANUAL IN TERMS OF SECTION 51

OF PAIA AND POPIA REGULATIONS

MANUAL AS CONTEMPLATED IN SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT, ACT 2 OF 2000 AND REGULATION 4(1)(C) OF THE REGULATIONS ISSUED IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT, ACT 4 OF 2013

TABLE OF CONTENTS

1. Definitions and Interpretation
2. Recordal
3. Summary
4. Processing of Personal Information
5. Access to records held by Group Entity
6. Prescribed Fees
7. Records that cannot be found or do not exist
8. Decision
9. Grounds for refusal of access to records
10. Remedies available when a Group Entity refuses a request for access to records and/or Personal Information
11. Prescribed information

Annexure 1 – Request for access to record of private body
Annexure 2 – Prescribed Fees

1. DEFINITIONS AND INTERPRETATION

In this Manual the following words and/or terms shall have the meanings ascribed to them below and it shall be interpreted as provided herein:
1.1 “Client” means a Person who previously was a client or is an existing client or is a potential client of a Group Entity or any other Person who has provided personal or special Personal Information to a Group Entity;
1.2 “Contractor” means any Person who has entered into an agreement with a Group Entity to provide a service similar to that of an Employee, to such Group Entity;
1.3 “Data Subject” means any Person to whom Personal Information relates, including but not limited to, Clients, Employees, Contractors, Operators and Suppliers, other persons and third parties, as the context may indicate;
1.4 “Employee” means any natural Person who is employed by a Group Entity and receives or is entitled to receive remuneration, including a natural Person who conducts the business of such Group Entity and directors of such Group Entity;
1.5 “Group Entity” means each of Preference Capital (Pty) Ltd, Alternative Finance Solutions (Pty) Ltd trading as Bizcash, Cash Flow Capital (Pty) Ltd, Stonewood Capital Asset Finance (Pty) Ltd and Mobile Macs (Pty) Ltd;
1.6 “Information Officer” means the duly appointed information officer of a Group Entity being the chief executive officer or the authorised person appointed by the chief executive officer of such Group Entity;
1.7 “Information Regulator” means the Information Regulator as established in terms of Section 39 of POPIA;
1.8 “Operator” means a Person who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party;
1.9 “PAIA” means the Promotion of Access to Information Act, Act 2 of 2000 and all rules and regulations issued in terms thereof (as amended from time to time);
1.10 “Person” means any natural or juristic person, partnership, joint venture, trust, entity, association or body (whether incorporated or not) and public body, as the context may indicate;
1.11 “Personal Information” means personal information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) biometric information of the person; (e) personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
but excludes information about an individual who has been dead for more than 20 years;
1.12 “POPIA” means the Protection of Personal Information Act, Act 4 of 2013 and all regulations, applicable rules, guidance notes and codes issued in terms thereof (as amended from time to time);
1.13 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) disseminating by means of transmission, distribution or making available in any other form or (c) merging, linking, as well as restriction degradation, erasure or destruction of information, and “Process” shall be construed accordingly;
1.14 “Requester” means a Person (including a public body or an official thereof) making a request for access to a record of a Group Entity or a Person acting on behalf of the first mentioned Person;
1.15 “Responsible Party” means a public or private body (including each Group Entity) or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information;
1.16 “Special Personal Information” means any Personal Information of a data subject, concerning (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or (b) the criminal behaviour of a Data Subject to the extent that such information relates to (i) the alleged commission by a Data Subject of any offence; or (ii) any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings;
1.17 “Supplier” means any Person who has entered into an agreement with a Group Entity to provide goods or services to such Group Entity;
1.18 “the/this Manual” means the manual as set out in this document;
1.19 In this Manual, any reference to:
1.19.1 the singular shall include the plural and vice versa;
1.19.2 any one gender shall include the other genders, as the case may be;
1.19.3 any statute, regulation, legislation or other law is a reference to the version of that statute, regulation, legislation or law in force at the time of publication of this Manual as amended or re-enacted thereafter;
1.19.4 the words “include” or “including” means “include without limitation” or “including without limitation”. Use of the words ‘’include’’ or including” is for illustration or emphasis only and when followed by specific examples, it must not be interpreted as limiting the meaning of the general wording preceding it.

2. RECORDAL

2.1 This Manual applies to each Group Entity individually as a Responsible Party and provides the detail of the procedures that each Group Entity will follow regarding the Processing of Personal Information and access thereto.
2.2 Nothing in this Manual should be construed as meaning that any Group Entity is liable for the acts or omissions of another Group Entity.
2.3 Any Group Entity may amend this Manual and any amendment shall become effective on the date of publication of such amendment on such Group Entity’s website (if any) or as otherwise determined by such Group Entity. It remains the obligation of all Data Subjects and Clients to regularly familiarise themselves with the latest version of this Manual.

3. SUMMARY

3.1 POPIA, amongst others, promotes the protection of Personal Information Processed by public and private bodies and gives effect to, amongst others, the constitutional right to privacy (subject to justifiable limitations) and of access to information that is held by another Person and that is required for the exercise or protection of any rights;
3.2 If a Person wishes to gain access to Personal Information or records thereof to which he/she/it does not have an automatic right, but which is required to protect his/her/its own rights, such Person must follow and comply with the procedure and requirements set out in this Manual, to request such Personal Information from the relevant Group Entity and to gain access thereto as envisaged in, amongst others, Sections 23 and 25 of POPIA;
3.3 A Person’s constitutional right to privacy and of access to Personal Information is not absolute and is subject to justifiable limitations as envisaged in POPIA and set out in more detail in paragraph 9 of this Manual;
3.4 This Manual provides the information as prescribed by PAIA and serves to inform Requesters of records and Personal Information, of procedural and other requirements that a request must meet, provides information regarding the types of records and Personal Information held by each Group Entity as well as the grounds for refusal or partial refusal of a request for access thereto.

4. PROCESSING OF PERSONAL INFORMATION

4.1 Each Group Entity regards the privacy and protection of Personal Information of utmost importance and only Processes Personal Information in accordance with the requirements, conditions for lawful processing and other prescriptions as provided in POPIA and other relevant legislation;
4.2 Each Group Entity Processes Personal Information for various purposes, as envisaged in POPIA and as set out in this Manual. Each Group Entity maintains a separate privacy policy that contains the purposes for Processing of Personal Information and other information as prescribed in terms of Section 18 of POPIA. Each Group Entity’s privacy policy is available on its website (if any) or at its place of business (if it does not have a website);
4.3 A Group Entity will Process Personal Information only if the following conditions for lawful processing as provided in POPIA, are complied with:
4.3.1 Responsible Party to ensure conditions for lawful processing: Each Group Entity shall ensure that the conditions set out in Chapter 3 of POPIA are complied with at the time of the determination of the purpose and means of the Processing and during the Processing itself;
4.3.2 Processing limitation: Each Group Entity shall Process Personal Information lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject and only Process it if, given the purpose for which it is processed, it is adequate, relevant and not excessive. In this regard, each Group Entity shall when necessary, obtain the consent as prescribed by POPIA, shall only Process Personal Information if it is acceptable as envisaged in POPIA and shall allow a Data Subject to object to the Processing of Personal Information on reasonable grounds, as provided in POPIA. Each Group Entity shall collect Personal Information directly from the Data Subject, except as otherwise provided in POPIA;
4.3.3 Purpose specification: Each Group Entity shall only collect Personal Information for a specific, explicitly defined (as later herein set out) and lawful purpose related to a function or activity of such Group Entity. Each Group Entity shall not retain records of Personal Information any longer than is necessary for achieving the purpose for which it was collected or subsequently Processed unless such Group Entity is allowed to do so in terms of POPIA. Each Group Entity shall retain a record of Personal Information of a Data Subject that it has used to make a decision about the Data Subject as prescribed by POPIA and will destroy a record of Personal Information as soon as practicable after such Group Entity is no longer authorised to retain such record in terms of POPIA. Each Group Entity will restrict the Processing of Personal Information under the circumstances as provided in POPIA and will inform the Data Subject before lifting the restriction on the Processing;
4.3.4 Further Processing Limitation: Each Group Entity will ensure that further Processing of Personal Information will be in accordance or compatible with the purpose for which it was collected as provided in paragraph 4.3.3 above, taking into account all the factors prescribed by POPIA;
4.3.5 Information quality: Each Group Entity will take reasonably practicable steps to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which such Personal Information is collected or further Processed;
4.3.6 Openness: Each Group Entity shall maintain the documentation of all Processing operations under its responsibility as provided in PAIA and shall take reasonably practicable steps to ensure that a Data Subject is aware of the information and matters as provided in Section 18 of POPIA and more fully described in the privacy notice referred to in paragraph 4.2 of this Manual;
4.3.7 Security safeguards: Each Group Entity shall secure the integrity and confidentiality of Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of Personal Information and unlawful access to or Processing of Personal Information. In order to comply with its aforesaid obligations, each Group Entity will take the measures as prescribed by POPIA and will have due regard to generally accepted information security practices and procedures which may apply to it generally or may be required in terms of specific industry or professional rules and regulations. If a Group Entity uses an Operator, such Group Entity shall procure that the Operator (including an Operator in a foreign country) complies with the provisions applicable to it in terms of or as envisaged in POPIA and ensure that the contract between such Group Entity and the Operator provides that the Operator must establish and maintain the security measures as provided or envisaged in POPIA. Each Group Entity shall notify the Information Regulator and the Data Subject if there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by an unauthorised person, as provided in POPIA;
4.3.8 Data Subject participation: Each Group Entity acknowledges that a Data Subject who has provided adequate proof of identity, has the right to request a Group Entity to confirm, free of charge, whether or not such Group Entity holds Personal Information about the Data Subject and to request from such Group Entity, the record or a description of the Personal Information about the Data Subject held by such Group Entity, including the information as specifically provided by POPIA, which will be provided within a reasonable time, at a prescribed fee (if any), in a reasonable manner and format and in a form that is generally understandable. Each Group Entity will provide the Data Subject with a written estimate of the fee that the Data Subject must pay for services provided to the Data Subject relating to the Data Subject’s request for the record or description of the Personal Information as aforesaid, and may require the applicant to pay deposit for all or part of the fee. Each Group Entity will refuse to disclose any information requested (or part thereof) to which the grounds for refusal as set out in paragraph 9 of this Manual. Each Group Entity will inform a Data Subject that he/she/it has the right to request the Group Entity to the correct or delete Personal Information about the Data Subject in the Group Entity’s possession or under its control, and to destroy or delete a record of Personal Information about the Data Subject that the Group Entity is no longer authorised to retain, as provided in POPIA. Each Group Entity shall as soon as reasonably practicable, correct the information, destroy or delete the information, provide the Data Subject, to his or her satisfaction, with credible evidence in support of the information and where agreement cannot be reached between the Group Entity and the Data Subject, and if the Data Subject so requests, take such steps as are reasonable in the circumstances, to attach the information in such manner that it will always be read with the information and an indication that a correction of the information has been requested but has not been made. Each Group Entity shall comply with the other provisions of POPIA and PAIA in this regard;
4.4 No Group Entity will Process Special Personal Information in contravention of POPIA;
4.5 No Group Entity will Process Personal Information in respect of children in contravention of POPIA;
4.6 No Group Entity will supply Personal Information of Data Subjects to any third parties, except if it is obliged to provide such Personal Information in terms of the law;
4.7 A Group Entity will disclose Personal Information to government authorities only as provided by law.

5. ACCESS TO RECORDS HELD BY GROUP ENTITY

5.1 Records held by a Group Entity may be accessed only once the prerequisite requirements for access have been met and on condition that the request is made in the form prescribed by PAIA (as later herein set out) and addressed to the Group Entity at its address, fax number or e-mail address;
5.2 A Requester has the right to submit a request for access to records and Personal Information, on condition that he/she/it has provided to the relevant Group Entity, acceptable proof of his/her/its identity and after payment of any fee required by law (if applicable) as set out in Annexure 2;
5.3 A Group Entity will provide access to the requested information or access to its records regarding a Requester’s Personal Information on condition that the requirements of this Manual, POPIA, PAIA and any other relevant legislation (if any) have been met and the prescribed fees as set out in Annexure 2, has been paid;
5.4 Any Requester is entitled to request access to records and/or Personal Information of third parties on condition that he/she/it has complied with the requirements for access as provided in PAIA and that he/she/it has paid the reasonable fees as determined by the relevant Group Entity, set out in Annexure 2;
5.5 If a public body lodges a request for access to records or Personal Information, the public body must comply with the provisions of PAIA and/or POPIA, and must amongst others, provide sufficient detail to enable the relevant Group Entity to determine if such request is in the public interest, as required in terms of the law;
5.6 Each Group Entity will respond to a request for access to records or Personal Information, within a reasonable time as determined in view of the particular circumstances prevailing at the time.

6. PRESCRIBED FEES

6.1 A Requester shall be liable for all fees as prescribed by PAIA, including a request fee and an access fee. A list of the applicable fees is attached to this Manual as Annexure 2;
6.2 On receipt of a request for access to a record in the form prescribed by PAIA, a Group Entity’s Information Officer shall by notice require the Requester to pay the prescribed request fee (if any) before further processing of the request;
6.3 If the search for the record has been made and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations issued in terms of PAIA for this purpose, the Information Officer shall notify the Requester to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted;
6.4 The Information Officer may withhold a record until the Requester has paid the applicable fees.
6.5 A Requester whose request for access to a record has been granted, must pay an access fee for reproduction and for search and preparation, and for any time reasonably required more than the prescribed hours to search for and prepare the record for disclosure including planning to make it available in the requested form.
6.6 If a deposit has been paid in respect of a request for access which is refused, then the Information Officer must repay the deposit to the Requester.

7. RECORDS THAT CANNOT BE FOUND OR DO NOT EXIST

7.1 If all reasonable steps have been taken to find a record requested and there are reasonable grounds for believing that the record is in the Group Entity’s possession but cannot be found or does not exist, then Head of the Group Entity must by way of affidavit or affirmation notify the Requester that it is not possible to give access to the requested record;
7.2 The affidavit or affirmation shall give a full account of all the steps taken to find the record in question or to determine whether the record exist, including all communications with every person who conducted the search on behalf of Head of the Group Entity;
7.3 The notice referred to in paragraph 7.1 of this Manual shall be regarded as a decision to refuse a request for access to the record concerned;
7.4 If after the notice as provided in paragraph 7.1 of this Manual is given, the record in question is found, the Requester concerned shall be given access to the record, unless access is refused by as provided in PAIA and as set out in this Manual.

8. DECISION

8.1 A Head of a Group Entity to whom a request was made shall as soon as possible but in any event within 30 days after the request has been received, decide whether to grant or refuse the request and notify the Requester of the decision in the prescribed manner, including adequate reasons for refusal;
8.2 The 30 day period referred to above may be extended for a further period of not more than 30 days if the request is for a large number of records or requires a search through a large number of records and compliance with the original period of 30 days will unreasonably interfere with the activities of the Group Entity or the request requires a search for records in, or collection thereof, from an office of the Group Entity not situated in the same town or city as the office of the Head of the Group Entity that cannot reasonably be completed within the original period or if the Requester consents in writing to such extension;
8.3 If the Head of the Group Entity fails to give the decision on a request for access to the Requester concerned within the abovementioned time periods, the Head of the Group Entity will be regarded as having refused the request.

9. GROUNDS FOR REFUSAL OF ACCESS TO RECORDS

9.1 A Group Entity must refuse a request for access to a record, under the following circumstances as provided in PAIA:
9.1.1 Mandatory protection of privacy of a third party who is a natural person, if disclosure would involve the unreasonable disclosure of Personal Information about a third party, including a deceased individual, subject to the further provisions of PAIA;
9.1.2 Mandatory protection of commercial information of a third party, if the record contains trade secrets of such third party, financial, commercial, scientific or technical information, the disclosure of which would be likely to cause harm to the financial or commercial interests of that third party or information supplied in confidence by a third party, the disclosure of which could reasonably be expected to put that third party at a disadvantage in contractual or other negotiations or to prejudice that third party in commercial competition;
9.1.3 Mandatory protection of certain confidential information of third party, if disclosing such records would constitute an action for breach of a duty of confidence owed to a third party in terms of any agreement;
9.1.4 Mandatory protection of safety of individuals, and protection of property, if the disclosure could reasonably be expected to endanger the life or physical safety of an individual or if disclosure would be likely to prejudice or impair the security of a building, structure or system, including a computer or communication system, a means of transport or any other property or methods, systems, plans or procedures for the protection of an individual in accordance with a witness protection scheme, the safety of the public or any part of the public or the security of property contemplated herein;
9.1.5 Mandatory protection of records privileged from production in legal proceedings, if the requested record is privileged from production in legal proceedings;
9.1.6 Commercial information of a private body, if the requested record contains trade secrets of any Group Entity or financial, commercial, scientific or technical information of any Group Entity, the disclosure of which could reasonably be expected to put any Group Entity at a disadvantage in contractual or other negotiations or to prejudice any Group Entity in commercial competition or is a computer program owned by any Group Entity;
9.1.7 Mandatory protection of research information of a third party and protection of research information of any Group Entity, if the record contains information about research being or to be carried out by or on behalf of a third party or any Group Entity, the disclosure of which would be likely to expose the third party or any Group Entity or any person that is or will be carrying out the research on behalf of the third party or any Group Entity or the subject matter of the research, to serious disadvantage;
9.2 Mandatory disclosure in public interest: If a request for access to record would reveal evidence of substantial contravention of, or failure to comply with, the law or imminent or serious public safety or environmental risk and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question, the Head of the Group Entity must grant such request for access to a record.

10. REMEDIES AVAILABLE WHEN A GROUP ENTITY REFUSES A REQUEST FOR ACCESS TO RECORDS AND/OR PERSONAL INFORMATION

10.1 No Group Entity has internal appeal procedures and consequently the decision made by the Information Officer is final. Any Requestor who is dissatisfied with any decision must exercise external remedies available to him/her/it if the request for access to records and/or Personal Information is refused;
10.2 Subject to the provisions of PAIA, a Requestor who is dissatisfied with a decision regarding access to records, may within the time limits prescribed by PAIA, apply to a court with jurisdiction for relief or lodge a complaint to the Information Regulator.

11. PRESCRIBED INFORMATION

Each Group Entity hereby provides the information as prescribed in terms of PAIA:
11.1 The following is the contact information of each Group Entity, as contemplated in POPIA and PAIA:
11.1.1 Preference Capital (Pty) Ltd
• Postal address: Private Bag X02, Highlands North, Johannesburg, Gauteng, 2037
• Street address: Mazars House, 54 Glenhove Road, Melrose Estate, Johannesburg, 2196
• Telephone number: +27 (0)11 883 2897
• Electronic mail address of the Information Officer as appointed by the Chief Executive Officer: jason@prefcap.co.za
11.1.2 Alternative Finance Solutions (Pty) Ltd trading as Bizcash;
• Postal address: PO Box 69611, Bryanston, Gauteng, 2021
• Street address: 43 Wierda Road West, Wierda Valley, Johannesburg, 2196
• Telephone number: 086 193 9393
• Electronic mail of the Information Officer as appointed by the Chief Executive Officer: cuan@bizcash.co.za;
11.1.3 Cash Flow Capital (Pty) Ltd
• Postal address: 1st Floor, Glen Forum Building, 186 Corobay Avenue, Menlyn, Pretoria, 0081
• Street address: 1st Floor, Glen Forum Building, 186 Corobay Avenue, Menlyn, Pretoria, 0081
• Telephone number: 087 720 1287
• Electronic mail address of head of this Group Entity (Chief Executive Officer): mike@cashflowcapital.co.za;
11.1.4 Mobile Macs (Pty) Ltd
• Postal address: PO Box 560, Wynberg, Sandton, 2012
• Street address: 24 Andries Street, Wynberg, Sandton, 2090
• Telephone number: 0860 111 836
• Electronic mail of the Information Officer as appointed by the Chief Executive Officer: julian@mobilemacs.co.za;
11.2 The following is a description of the guide referred to in Section 10 of PAIA:
11.2.1 The South African Human Rights Commission (“SAHRC”) has compiled the guide contemplated in Section 10 of PAIA, which contains the information as prescribed by PAIA. In terms of the provisions of PAIA, the Information Regulator must update and make available the existing guide that has been compiled by the SAHRC, as provided by PAIA;
11.2.2 Copies of PAIA and POPIA, the relevant regulations and guides to them, may be obtained from the SAHRC or the Information Regulator and enquiries should be directed to:
• SAHRC, Braampark Forum 3, 33 Hoofd Street Braamfontein, Johannesburg, 2001; telephone number: 011 877 3600 (switchboard); and
• The Information Regulator (South Africa), JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; PO Box 31533, Braamfontein, Johannesburg, 2017.
11.3 Categories of records voluntarily submitted to the Minister as envisaged in Section 52 of PAIA:
No Group Entity has submitted categories of records to the Minister which are automatically available without a Person having to request access in terms of PAIA.
11.4 The following are records which are available in accordance with other legislation, as contemplated in POPIA and PAIA:
Each Group Entity holds records which are available in accordance with the following legislation:
11.4.1 Deeds Registries Act, Act No. 47 of 1937;
11.4.2 The Criminal Procedures Act, Act No. 51 of 1977;
11.4.3 The Labour Relations Act, Act No. 66 of 1995;
11.4.4 Employment Equity Act, Act No. 55 of 1998;
11.4.5 The Basic Conditions of Employment Act, Act No. 75 of 1997;
11.4.6 Compensation for Occupational Injuries and Diseases Act, Act No. 130 of 1993;
11.4.7 Occupational Health and Safety Act, Act No. 85 of 1993;
11.4.8 Competition Act, Act No. 89 of 1998;
11.4.9 Insolvency Act, Act No. 24 of 1936;
11.4.10 The Companies Act, Act No. 61 of 1973
11.4.11 The Companies Act, Act No. 71 of 2008;
11.4.12 Unemployment Insurance Act, Act No. 63 of 2001;
11.4.13 Value Added Tax Act, Act No. 89 of 1991;
11.4.14 Skills Development Act, Act No. 97 of 1998;
11.4.15 Skills Development Levies Act, Act No. 9 of 1999;
11.4.16 Trademarks Act, Act No. 194 of 1993;
11.4.17 Income Tax Act, act No. 58 of 1962
11.5 The following is the detail to facilitate a request for access to a record of a Group Entity, as contemplated in POPIA and PAIA:
A Requester for access to records of a Group Entity must note the following when submitting a request for access to records of a Group Entity:
11.5.1 The Requester must comply with all the requirements relating to the request for access to a record of a Group Entity, as provided in PAIA;
11.5.2 The Requester must complete and sign the form prescribed in terms of PAIA. A copy of such form is enclosed in this Manual as Annexure 1. The form is also available in a fill-in format on the website of the Information Regulator. The prescribed form must be completed with sufficient detail to enable the Information Officer of the relevant Group Entity to (i) identify the record/s requested, (ii) verify the identity of the Requester, (iii) establish the manner of access which is required, (iv) establish the postal address or email address of the Requester and (v) to establish the right on which the Requester relies for access to the requested records. The Requester must thereafter submit the duly completed and signed form to the relevant Group Entity at its postal or physical address or email address as recorded in paragraph 11.1 of this Manual, marked for the attention of the relevant Information Officer;
11.5.3 The Requester must simultaneously with submission of the abovementioned form, pay to the Information Officer of the relevant Group Entity, the applicable request fee and other fees as well as a deposit (if applicable) as set out in Annexure 2 to this Manual;
11.5.4 It is important for a Requester to note that access to the records must be necessary for the exercise or protection of the relevant right relied upon by the Requester;
11.5.5 Subject to the provisions of PAIA in respect of extensions, a Group Entity will process a request for access to such Group Entity’s records within 30 days from the date when the request was received by the Group and the applicable fees were paid, or within the period of any extension;
11.5.6 Where a Requester has requested access to a record in respect of a third party, such third party may be afforded 21 days in which to make representations to require that access to the requested record be refused or to give written consent for the disclosure of the record to the Requester;
11.5.7 A Group Entity may be prohibited to provide access to a record as requested by a Requestor if such Group Entity is prohibited to do so in terms of the law (including POPIA) or a court order;
11.5.8 The Requester shall be informed whether access to the requested record has been granted or refused, in the manner indicated by the Requester in Part H of Annexure 1. If access to the requested record is refused, the Requester is entitled to a refund of the fees paid, in which instance, the Group Entity will refund the Requester by paying such refund into a bank account as indicated by the Requester in writing;
11.5.9 If a request for access to a record is made by a Requester on behalf of another Person, the Requester must submit to the Group Entity proof of the Requester’s authority to act on behalf of such other Person, which proof must be acceptable to the Information Officer of such Group Entity;
11.5.10 If a Person is unable to complete the prescribed form required to request access to a record due to illiteracy, disability or other incapacity, such Person may address the request orally to the relevant Group Entity, which request will then be reduced to writing by a staff member of such Group Entity;
11.5.11 The Requester must pay the prescribed fees, before any further processing of the request for access to a record will be attended to by a Group Entity;
11.6 The following is a description of the subjects on which a Group Entity holds records and the categories of records held on each subject, as contemplated in POPIA and PAIA:
11.6.1 information required to identify a Person, including information obtained from the Companies and Intellectual Property Commission, copies of identity documents, constitutional documents, including registration certificates, memorandums of incorporation, letters of authority and trust deeds, founding statements and partnership agreements, telephone and cell phone numbers and e-mail addresses;
11.6.2 financial records and information including, financial statements, management accounts and copies of bank account statements;
11.6.3 information to determine a Person’s creditworthiness including credit bureau information, Deeds Office information and bank codes;
11.6.4 information required for purposes of a Group Entity’s agreement with a Client (including invoices), a Supplier, a business associate and an Employee or Contractor as well as information pertaining to directors, members, trustees and shareholders, resolutions, minutes of meetings, security registers, share certificates, title deeds, bond documentation, records relating to the appointment of officials, auditors and directors, tax records, personnel records and information, correspondence and contracts, records regarding assets and liabilities;
11.6.5 information to determine if a person has the legal capacity to act, including marriage certificates, birth certificates and Deeds Office information;
11.6.6 information required for statistical purposes, market and other research, marketing in general and to improve a Group Entity’s services or communication with its Clients and other Persons, including IP addresses, information obtained through the use of cookies, information relating to the routing, duration and time of electronic communications on electronic communication networks, information collected through web browsers, search terms used, web pages accessed, information pertaining to visits to a Group Entity’s website and other websites, the type of web browser used and information collected through social networking services (which social networking services may collect information on its own, subject to its own privacy policies and practices);
11.6.7 information required for purposes of litigation and disciplinary and incapacity proceedings;
11.6.8 information required in terms of legislation.
11.7 The following are the purposes of the Processing of Personal Information by a Group Entity, as contemplated in POPIA and PAIA:
11.7.1 to identify a Person;
11.7.2 to establish a Person’s financial standing or condition;
11.7.3 to determine if a Person is creditworthy;
11.7.4 to draft, complete and give effect to all agreements and documentation relating to a Person’s agreements and relationship with the Group Entity;
11.7.5 to determine if a Person has the requisite legal capacity to act;
11.7.6 to use in the event of a dispute or in litigation, disciplinary or incapacity proceedings;
11.7.7 to comply with tax requirements;
11.7.8 to comply with labour related requirements;
11.7.9 to comply with the requirements of legislation;
11.7.10 to store the Personal Information securely;
11.7.11 to conduct market and other research;
11.7.12 to engage with a Person for marketing purposes;
11.7.13 to compile statistics;
11.8 The following are the categories of Data Subjects and of the information or categories of information relating thereto, as contemplated in POPIA and PAIA:
11.8.1 Clients and security providers – Records provided by a Client directly to a Group Entity, including records provided by a Client to a third party acting for or on behalf of a Group Entity, records provided by a third party to a Group Entity and records generated by a Group Entity relating to a Client, including transactional records, financial records, bank details including bank account number and products utilised, bank account statements operational records, databases, records regarding information technology, marketing records, internal and external correspondence, product records, statutory records, internal policies and procedures, supervisory body related records, securities and equities, records held by officials of the Client, shareholder personal information, name, identity number, race, gender, addresses, e-mail addresses, IP addresses, biometric special information, Client vehicle registration, surveillance records, Client contracts, Client location information and Client information held by third parties including information obtained from credit bureaux, Deeds Office and the Companies and Intellectual Property Commission;
11.8.2 Service providers and Suppliers – Records provided by a service provider or supplier directly to a Group Entity, including records provided by a service provider or a supplier to a third party acting for or on behalf of a Group Entity, records provided by a third party to a Group Entity and records generated by Group Entity relating to a service provider or a supplier, including transactional records, financial records, operational records, databases, records regarding information technology, marketing records, internal and external correspondence, product records, statutory records, internal policies and procedures, supervisory body related records, securities and equities, records held by officials of the service provider or a supplier, personal information, contracts, bank details, biometric information of service provider and supplier, detail of representatives, surveillance information and personal information of service provider’s and supplier’s representatives;
11.8.3 Business associates – Records provided by a business associate directly to Group Entity, includes records provided by a business associate to a third party acting for or on behalf of Group Entity, records provided by a third party to Group Entity and records generated by a Group Entity relating to a business associate, including personal information, transactional records, financial records, operational records, databases, records regarding information technology, marketing records, internal and external correspondence, product records, statutory records, internal policies and procedures, supervisory body related records, securities and equities, records held by officials of a business associate;
11.8.4 Employees and Contractors – Employee or contractor records including personal records and information provided by employees and contractors, records provided by or obtained from a third party relating to an employee or contractor, conditions of employment, employment contracts, agreements with contractors and other related records, internal evaluation records and other internal records, photographs, video material, records of disciplinary and incapacity proceedings, financial records, correspondence relating to employees or contractors, training schedules, records and material, Personal Information, qualifications, experience, curriculum vitae, psychometric records, medical information, disability information, biometric information, pension and provident fund information, bank details, tax and financial information, contracts, beneficiary information, vehicle registration, performance records, payroll records, electronic access records, physical access records, surveillance records, health and safety records, background checks, criminal records, employment history, application forms, family members’ Personal Information, medical and disability information, Personal Information acquired for processing travel documents, children’s Personal Information including birth certificates and identity numbers, children’s medical information and disability information, children’s information for processing of travel documents;
11.8.5 Visitors –names, identity number and other personal information, physical access records, electronic access records, scans and photographs, surveillance records and biometric information.
11.9 The following are recipients or categories of recipients to whom a Group Entity may supply Personal Information, as contemplated in POPIA and PAIA:
11.9.1 the Group Entity’s shareholders, holding company and subsidiaries;
11.9.2 the Group Entity’s insurers;
11.9.3 the Group Entity’s auditors and other professional advisers;
11.9.4 Credit bureaux;
11.9.5 the Group Entity’s bankers;
11.9.6 the Client’s bankers, auditors and/or other advisers;
11.9.7 the Group Entity’s business associates;
11.9.8 the Group Entity’s Employees and Contractors;
11.9.9 the Group Entity’s service providers and Suppliers.
11.10 The following are the planned transborder flows of Personal Information of each Group Entity, as contemplated in POPIA and PAIA:
11.10.1 to the Group Entity’s service providers situated or with facilities in countries outside South Africa, in respect of the storage of electronic information and data;
11.10.2 to business associates in countries outside South Africa, in respect of business opportunities in such countries;
11.10.3 to third parties, if the relevant transaction or situation requires cross-border Processing, but it will only be done if the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection as provided in POPIA or if a Data Subject consents to the transfer of its Personal Information to third parties in foreign countries or as otherwise provided in POPIA.
11.11 The following is a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by each Group Entity (as a Responsible Party) to ensure the confidentiality, integrity and availability of the information which is to be processed, as contemplated in POPIA and PAIA:
11.11.1 Each Group Entity has in place secure filing cabinets to store physical records safely and its electronic systems are adequately encrypted and/or protected to ensure the safe Processing and storage thereon of all Personal Information;
11.11.2 Each Group Entity has in place adequate policies and procedures to ensure the safety and security of all computer equipment, including laptop computers;
11.12 Employees, Contractors and Suppliers of each Group Entity are obliged to adhere to and comply with legislation relating to privacy and confidentiality and to undertake training in respect of privacy requirements in terms of POPIA and PAIA.
11.13 Availability of this Manual as contemplated in POPIA and PAIA:
11.13.1 This Manual (as updated from time to time) is available on each Group Entity’s website (if any) and at the principal place of business of the Group for inspection during a Group Entity’s normal business hours (08H30 to 16H30 on normal business days i.e. all weekdays excluding Saturdays, Sundays, official public holidays and other days when Group Entity’s place of business is not open for business as a consequence of any restrictions imposed by government e.g. in terms of lock down as a result of the Covid 19 pandemic), by any Person entitled thereto, upon request and on payment of the prescribed fee/s (being a reasonable amount as contemplated in PAIA), and by the Information Regulator on request.

Annexure 1 – Request for access to record of private body
Annexure 2 – Prescribed Fees