UHY Hellmann (SA) Policy as required by the POPI ACT

UHY HELLMANN (SA) PRIVACY POLICY

OUR COMMITMENT TO DATA PRIVACY PROTECTION IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013

1 Protecting the security and privacy of your personal data is important to UHY Hellmann (SA) (“UHY”); therefore, we conduct our business in compliance with Applicable Laws on data privacy protection and data security. We hope the policy outlined below will help you understand what data UHY may collect, how UHY uses and safeguards that data and with whom UHY may share it.

2 This Privacy Policy has been compiled in terms of the Protection of Personal Information Act 4 of 2013 (“POPI”) as read with the Promotion of Access to Information Act, 2 of 2000 (“PAIA”).

3 The following definitions in POPI are important for the context of this Privacy Policy:

3.1 “Applicable Law” means any national or provincial legislation, statutes, ordinances and other laws and regulations and any by-laws of any legally constituted Authority, including but not limited to:

3.1.1 any applicable statute or proclamation or any delegated or subordinate legislation;

3.1.2 any common law and any applicable judgment of a relevant court of law that is a binding precedent; and

3.1.3 any regulation, rule, condition, direction, decree, requirement, directive or other binding order made by any Judicial Authority;

in each case in force at any time in any relevant jurisdiction and as amended, varied, novated or substituted from time to time;

3.2 “Personal Information” means information relating to an identifiable, living, natural person and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

3.2.1 information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

3.2.2 information relating to the education or the medical, financial, criminal or employment history of the person;

3.2.3 any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

3.2.4 the biometric information of the person;

3.2.5 the personal opinions, views or preferences of the person;

3.2.6 correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

3.2.7 the views or opinions of another individual about the person; and

3.2.8 the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;

3.3 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:

3.3.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

3.3.2 dissemination by means of transmission, distribution or making available in any other form;

3.3.3 merging, linking, as well as restriction, degradation, erasure or destruction of information;

4 ACCOUNTABILITY

4.1 UHY will procure that the conditions for lawful Processing and the measures that give effect to such conditions, are complied with at the time of:

4.1.1 the determination of the purpose and means of the Processing; as well as

4.1.2 during the Processing itself.

5 PROCESSING LIMITATION

5.1 UHY will process Personal Information:

5.1.1 lawfully; and

5.1.2 in a reasonable manner that does not infringe on your privacy; and

5.1.3 in a manner that is, considering the purpose of such Processing, adequate, relevant and not excessive.

5.2 Personal information will only be processed in circumstances where:

5.2.1 you consent thereto, for example expressly via a signed mandate with UHY, alternatively tacitly through actions reasonably or necessarily undertaken in terms of instructions received from you. UHY bears the burden of proof of your consent;

5.2.2 Processing is necessary to carry out actions for the conclusion or performance of a contract which includes you and UHY as parties;

5.2.3 Processing complies with an obligation imposed by law on UHY;

5.2.4 Processing protects a legitimate interest of yours;

5.2.5 Processing is necessary for the proper performance of a public law duty by a public body;

5.2.6 Processing is necessary for pursuing the legitimate interests of UHY or of a third party to whom the information is supplied.

5.3 You may withdraw your consent, as referred to in 5.2.1, at any time; Provided that the lawfulness of the Processing of Personal Information before such withdrawal or the Processing of Personal Information in terms of subsections 5.2.1 to 5.2.6 will not be affected.

5.4 You may object at any time, to the Processing of your Personal Information:

5.4.1 in terms of 5.2.1 to 5.2.6, in the prescribed manner, on reasonable grounds relating to your particular situation, unless legislation provides for such Processing;

5.4.2 for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as contemplated and permitted in terms of section 69 of POPI;

5.5 If you have objected to the Processing of your Personal Information, UHY may, subject to the above, no longer process your Personal Information.

5.6 UHY may only obtain Personal Information directly from you, except as otherwise provided for in 5.7.

5.7 UHY may obtain Personal Information other than directly from you, if:

5.7.1 the information is contained in or derived from a public record or has deliberately been made public by you;

5.7.2 you have consented to the collection of the information from another source;

5.7.3 collection of the information from another source would not prejudice a legitimate interest of yours;

5.7.4 collection of the information from another source is necessary:

5.7.4.1 to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

5.7.4.2 to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

5.7.4.3 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;

5.7.4.4 in the interests of national security; or

5.7.4.5 to maintain the legitimate interests of UHY or of a third party to whom the information is supplied.

5.7.5 to do otherwise:

5.7.5.1 would prejudice a lawful purpose of the collection; or

5.7.5.2 would not be reasonably practicable in the circumstances of the particular case.

6 PURPOSE SPECIFICATION

6.1 UHY may only collect Personal Information for specific, explicitly defined and lawful purposes related to a function or activity of UHY. The purposes for which UHY will collect, process and retain your Personal Information include:

6.1.1 Negotiating, concluding and/or exercising rights under contracts with you;

6.1.2 Compiling and/or maintaining various registers of clients from time to time;

6.1.3 Providing professional and ancillary services to you; and

6.1.4 Reporting in accordance with Applicable Law.

6.2 UHY will undertake such steps as are contemplated in section 18(1) of POPI to ensure that you are made aware of the purpose of the collection of the information unless the provisions of section 18(4) of POPI are applicable.

6.3 UHY will not retain Personal Information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

6.3.1 retention of the record is required or authorised by law;

6.3.2 UHY reasonably requires the record for lawful purposes related to its functions or activities;

6.3.3 retention of the record is required or authorised by a contract to which you and UHY are parties; or

6.3.4 you have consented to the retention of the record.

6.4 Records of Personal Information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes if UHY has established appropriate safeguards against the records being used for any other purposes.

6.5 All records of your Personal Information used by UHY to make a decision about you, will:

6.5.1 be retained for such period as may be required or prescribed by law or a code of conduct; or

6.5.2 if there is no law or code of conduct prescribing a retention period, be retained for a period which will afford you a reasonable opportunity, taking all considerations relating to the use of the Personal Information into account, to request access to the record.

6.6 UHY must destroy or delete a record of Personal Information or de-identify it as soon as reasonably practicable after UHY is no longer authorised to retain the record.

6.7 The destruction or deletion of a record of Personal Information in terms of 6.6 must be done in a manner that prevents its reconstruction in an intelligible form.

6.8 UHY will restrict Processing of Personal Information if:

6.8.1 its accuracy is contested by you, for a period enabling UHY to verify the accuracy of the information;

6.8.2 UHY no longer needs the Personal Information for achieving the purpose for which the information was collected or subsequently processed but it has to be maintained for purposes of proof;

6.8.3 the Processing is unlawful and you oppose its destruction or deletion and request the restriction of its use instead; or

6.8.4 you request that the personal data be transmitted into an automated Processing system of your choice.

6.9 Personal information referred to in 6.8 may, with the exception of storage, only be processed for purposes of proof, or with your consent, or for the protection of the rights of another natural or legal person or if such Processing is in the public interest.

6.10 Where Processing of Personal Information is restricted pursuant to 6.8 UHY must inform you before lifting the restriction on Processing.

6.11 UHY will only process the Personal Information of a child/minor (e.g. as beneficiary of a trust) in circumstances where UHY:

6.11.1 has the consent of the parent or guardian of the minor; and/or

6.11.2 the Personal Information is being used for statistical or research purposes.

6.12 UHY will not:

6.12.1 use the Personal Information of a child/minor for marketing purposes;

6.12.2 make the Personal Information of a child/minor public;

6.12.3 request Personal Information of third parties from a child/minor.

6.13 The purposes for which UHY may process the information of a child/minor are limited to those necessitated in the performance by UHY of its services under a contract contemplated in 5.2.2 or in accordance with an instruction received in accordance with 5.2.1.

7 FURTHER PROCESSING LIMITATION

7.1 Further Processing of Personal Information must be in accordance or compatible with the purpose for which it was collected.

7.2 To assess whether further Processing is compatible with the purpose of collection, UHY will take account of:

7.2.1 the relationship between the purpose of the intended further Processing and the purpose for which the information has been collected;

7.2.2 the nature of the information concerned;

7.2.3 the consequences of the intended further Processing;

7.2.4 the manner in which the information has been collected; and

7.2.5 any contractual rights and obligations between the parties.

7.3 The further Processing of Personal Information is not incompatible with the purpose of collection if:

7.3.1 you have consented to the further Processing of the information;

7.3.2 the information is available in or derived from a public record or has deliberately been made public by you;

7.3.3 further Processing is necessary:

7.3.3.1 to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;

7.3.3.2 to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

7.3.3.3 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or

7.3.3.4 in the interests of national security;

7.3.4 the further Processing of the information is necessary to prevent or mitigate a serious and imminent threat to:

7.3.4.1 public health or public safety; or

7.3.4.2 your life or health, or that of another individual;

7.3.5 the further Processing of the information is in accordance with an exemption duly granted.

8 INFORMATION QUALITY

8.1 UHY will take reasonably practicable steps to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary.

8.2 In taking the steps referred to in 8.1, UHY will have regard to the purpose for which Personal Information is collected or further processed.

9 OPENNESS

9.1 UHY will maintain the documentation of all Processing operations under its responsibility as referred to in sections 14 and 51 of PAIA.

9.2 If Personal Information is collected, UHY will take reasonably practicable steps to ensure that you are aware of the information being collected and where the information is not collected from you directly, the source from which it is collected. The Personal Information may be collected:

9.2.1 in a mandate or other instruction received from you;

9.2.2 during the professional services and/or reporting process required by law.

9.3 The full names and address of UHY are set out in the UHY website [www.uhy.co.za] under the tab “Contact Us”.

9.4 While there is no obligation on you to provide Personal Information to UHY, UHY reiterates that a substantial portion of its business is that of auditing, accounting and company secretarial and governance and accordingly to the extent that UHY is to fulfil its business objectives, and to transact in this area, Personal Information will be required to be collected, processed and corrected if necessary, for such objectives.

9.5 For the reasons set out in 9.4, failure or refusal to provide the requisite Personal Information may preclude you from doing business with UHY.

9.6 UHY will not be transferring the Personal Information to any other country.

9.7 You have the right at any time:

9.7.1 subject to 9.4 and 9.5, to object to the Processing of your Personal Information;

9.7.2 to lodge a complaint to the Information Regulator at the following address – [E-mail: inforeg@justice.gov.za; Tel: 012 406 4818], having regard to the specific circumstances in which the information is or is not to be processed, to enable Processing in respect of you to be reasonable. Such steps must be taken:

9.7.2.1 if the Personal Information is collected directly from you, before the information is collected, unless you are already aware of the information referred to; or

9.7.2.2 in any other case, before the information is collected or as soon as reasonably practicable after it has been collected;

9.7.3 It is not necessary for UHY to comply with this 9 if:

9.7.3.1 you have provided consent for the non-compliance;

9.7.3.2 non-compliance would not prejudice your legitimate interests as set out in POPI;

9.7.3.3 non-compliance is necessary:

9.7.3.3.1 to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

9.7.3.3.2 to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

9.7.3.3.3 for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

9.7.3.3.4 in the interests of national security;

9.7.3.4 compliance would prejudice a lawful purpose of the collection;

9.7.3.5 compliance is not reasonably practicable in the circumstances of the particular case; or

9.7.3.6 the information will:

9.7.3.6.1 not be used in a form in which you may be identified; or

9.7.3.6.2 be used for historical, statistical or research purposes.

10 SECURITY SAFEGUARDS

10.1 UHY will secure the integrity and confidentiality of Personal Information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent:

10.1.1 loss of, damage to or unauthorised destruction of Personal Information;

10.1.2 unlawful access to or Processing of Personal Information.

10.2 In order to give effect to the above, UHY will take reasonable measures to:

10.2.1 identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;

10.2.2 establish and maintain appropriate safeguards against the risks identified;

10.2.3 regularly verify that the safeguards are effectively implemented; and

10.2.4 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

10.3 UHY will have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

10.4 UHY will procure that any operator or anyone Processing Personal Information on behalf of UHY, must (pursuant to a written agreement if necessary):

10.4.1 process such information only with the knowledge or authorisation of UHY;

10.4.2 treat Personal Information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties;

10.4.3 establish and maintain the security measures referred to in section 19 of POPI; and

10.4.4 notify UHY immediately where there are reasonable grounds to believe that your Personal Information has been accessed, acquired or otherwise compromised by any unauthorised person.

10.5 Where there are reasonable grounds to believe that your Personal Information has been accessed, acquired or compromised by any unauthorised person, UHY must, subject to the further provisions of POPI in this regard, notify:

10.5.1 the Regulator; and

10.5.2 you, the data subject.

11 DATA SUBJECT PARTICIPATION

11.1 You, having provided adequate proof of identity, have the right to:

11.1.1 request UHY to confirm, free of charge, whether or not UHY holds Personal Information about you; and

11.1.2 request from UHY the record or a description of the Personal Information about you held by UHY, including information about the identity of all third parties, or categories of third parties who have, or have had, access to the information:

11.1.2.1 within a reasonable time;

11.1.2.2 at a prescribed fee, if any;

11.1.2.3 in a reasonable manner and format; and

11.1.2.4 in a form that is generally understandable.

11.2 You have the right in terms of section 24 of POPI to request the correction of Personal Information.

11.3 If you are required by UHY to pay a fee for services provided to you in terms of 11.1.2 to enable UHY to respond to such request, UHY:

11.3.1 is required to, and will provide you with a written estimate of the fee before providing the services; and

11.3.2 may require you to pay a deposit for all or part of the fee.

11.4 UHY may or must refuse to disclose any information on the basis of the relevant sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of PAIA. The provisions of sections 30 and 61 of PAIA are applicable in respect of access to health or other records. If a request for access to Personal Information is made to UHY and part of that information may or must be refused in terms of the foregoing, UHY must disclose every other part.

11.5 You may, in the prescribed manner, request UHY to:

11.5.1 correct or delete Personal Information about you in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

11.5.2 destroy or delete a record of Personal Information about you that UHY is no longer authorised to retain in terms of section 14.

12 LINKS TO OTHER WEB SITES

12.1 The UHY website may contain links to other web sites. We are not responsible for the privacy practices or the content of other web sites or mobile applications.

13 COOKIES

13.1 UHY does not and cannot control the confidentiality, access to or dissemination of information which is retrieved through the use of “cookies” or information retrieved through the collecting and storing of IP addresses of visitors to this website. A “cookie” is a computer file which is transferred automatically from our website to a user’s computer during an online session and which enables UHY and its sponsors and advertisers to customize webpage content and to gather general information on the use and frequency of the user traffic. An IP address is an address assigned to your computer or server identifying it when conducting Internet activity.