Full policy

 

                                                

 

GZ INDUSTRIES SOUTH AFRICA

(“GZI”)

 Data Protection and Information

Sharing Policy

Policy Category	STRATEGIC
Policy Title	Data Protection and Information Sharing Policy
Policy Owner and Custodian
Date of Finance and Risk Committee
Date of Board Approval
Date of next review

Table of Contents

1. INTRODUCTION

1.1.        Contact Details

1.2.        Contact Details

2. DEFINITIONS

3. SCOPE OF THE POLICY

4. POLICY STATEMENT

5. PROCESSING OF PERSONAL INFORMATION

5.1.        Purpose of Processing

5.2.        Categories of Data Subjects and their Personal Information

5.3.        Categories of Recipients for Processing the Personal Information

5.4.        Actual or Planned Transborder Flows of Personal Information

5.5.        Retention of Personal Information Records

5.6.        General Description of Information Security Measures

6. ACCESS TO PERSONAL INFORMATION

6.1.        Remedies available if request for access to Personal Information is refused

6.2.        Grounds for Refusal

7. IMPLEMENTATION GUIDELINES

7.1.        Training & Dissemination of Information

7.2.        Employee Contracts

8. EIGHT PROCESSING CONDITIONS

8.1.        Accountability

8.2.        Processing Limitation

8.3.        Purpose Specification

8.4.        Further Processing

8.5.        Information Quality

8.6.        Openness

8.7.        Data Subject Participation

8.8.        Security Safeguards

9. DIRECT MARKETING

10. DESTRUCTION OF DOCUMENTS

11. STATUTORY RETENTION PERIODS

12      DOCUMENT CONTROL

1. INTRODUCTION

This Data Protection and Information Sharing Policy describes the way that GZI, will meet its legal obligations and requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Protection of Personal Information Act (No 4 of 2013), as that is the key piece of legislation covering security and confidentiality of personal information.

1.1.      Contact Details

Information Officer : A. Kekae

Physical Address : 1 Snapper Rd

Wadeville

Johannesburg

1428

Telephone Number : +27 10 141 6740

Email address : Alphina.Kekae@gzican.com

 

1.2.        Contact Details

Deputy Information Officer : S. Mthenjana

Postal Address : 1 Snapper Rd

Wadeville

Johannesburg

1428

 Telephone Number : +27 10 141 6745

Email address : Sibusiso.Mthenjana@gzican.com

2. DEFINITIONS

2.1.        Consent means the voluntary, specific and informed expression of will;

2.2.        Data Subject means the natural or juristic person to whom the Personal Information relates;

2.3.        Direct Marketing means approaching a Data Subject personally for the purpose of selling them a product or service, or requesting a donation;

2.4.         POPI means the Protection of Personal Information Act, No. 4 of 2013;

2.5.         Personal Information means information relating to an unidentifiable, living, natural person, or an identifiable, existing juristic person, as defined in POPI;

2.6.         Processing means an operation or activity, whether or not by automatic means, concerning Personal Information.

 

3. SCOPE OF THE POLICY

The Policy applies to all GZI employees, directors, sub-contractors, agents, and appointees. The provisions of the Policy are applicable to both on and off-site processing of personal information.

 

4. POLICY STATEMENT 

GZI collects and uses Personal Information of the individuals and corporate entities with whom it works in order to operate and carry out its business effectively. GZI regards the lawful and appropriate processing of all Personal Information as crucial to successful service delivery and essential to maintaining confidence between GZI and those individuals and entities who deal with it. GZI therefore fully endorses and adheres to the principles of the Protection of Personal Information Act (“POPI”)and other applicable regulation on the processing of personal information

 

5. PROCESSING OF PERSONAL INFORMATION

5.1.      Purpose of Processing

GZI uses the Personal Information under its care in the following ways:

-      Conducting credit reference checks and assessments

-      Administration of agreements

-      Providing products and services to customers

-      Detecting and prevention of fraud, crime, money laundering and other malpractice

-      Conducting customer satisfaction research

-      Marketing and sales

-      In connection with legal proceedings

-      Staff administration

-      Keeping of accounts and records

-      Complying with legal and regulatory requirements

-      Profiling data subjects for the purposes of direct marketing

 

5.2.      Categories of Data Subjects and their Personal Information

GZI may possess records relating to suppliers, members, contractors/service providers, employees and customers:

Entity Type	Personal Information Processed
Customers: Natural Persons (including beneficiaries)	Names; contact details; physical and postal addresses; date of birth; ID number; tax related information; nationality; gender; bank account details; financial information confidential correspondence
Customer – Juristic Persons / Entities	Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; bank account details; BBBEE information
Contracted Service Providers	Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; bank account details; BBBEE information
Employees / Directors	Gender; pregnancy; marital status; colour, race; age; language; education information; financial information; employment history; ID number; physical and postal address; contact details; opinions; criminal record; well-being, union membership

 

5.3. Categories of Recipients for Processing the Personal Information  

GZI may share the Personal Information with its agents, affiliates, and associated companies who may use this information to send the Data Subject information on products and services. GZI may supply the Personal Information to any party to whom GZI may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:

-      Capturing and organising of data;

-      Storing of data;

-      Sending of emails and other correspondence to customers;

-      Conducting due diligence checks;

-      Administration of the Medical Aid and Pension Schemes.

-      Transferring of salaries to employees/directors

-      Pre-employment information verification

 

5.4. Actual or Planned Transborder Flows of Personal Information

Personal Information may be transmitted transborder to GZI Group of companies in other countries, GZI’s authorised dealers and its suppliers in other countries, and Personal Information may be stored in data servers hosted outside South Africa, which may not have adequate data protection laws. GZI will endeavour to ensure that its dealers and suppliers make all reasonable efforts to secure said Data and Personal Information.

 

5.5.       Retention of Personal Information Records

GZI may retain Personal Information records indefinitely, unless the Data Subject objects thereto. If the Data Subject objects to the indefinite retention of its Personal Information GZI shall retain the Personal Information records to the extent permitted or required by law only.

 

5.6.      General Description of Information Security Measures

GZI employs up to date technology to ensure the confidentiality, integrity and availability of the Personal Information under its care. Measures include:

-      Firewalls

-      Virus protection software and update protocols

-      Logical and physical access control;

-      Secure setup of hardware and software making up the IT infrastructure;

-      Outsourced Service Providers who process Personal Information on behalf of GZI are contracted to implement security controls.

 

6. ACCESS TO PERSONAL INFORMATION

All individuals and entities may request access, amendment, or deletion of their own Personal Information held by GZI. Any requests should be directed, on the prescribed form, to the Information Officer.

6.1.      Remedies available if request for access to Personal Information is refused

6.1.1. Internal Remedies

 GZI does not have internal appeal procedures. As such, the decision made by the Information Officer pertaining to a request is final. The Information Officer may refuse a request from a data subject for reasons listed but not limited in Clause 6.2. Reasons for refusal will be communicated. Then the requestor may seek external legal remedies if dissatisfied with the decision of the Information Officer at his/her own cost.

 6.1.2. External Remedies

 A requestor that is dissatisfied with the information officer’s refusal to disclose information, may within 30 days of notification of the decision, apply to a court for relief. Likewise, a third party dissatisfied with the information officer’s decision to grant a request for information, may within 30 days of notification of the decision, apply to a court for relief. For purposes of the Act, courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status.

 6.2.      Grounds for Refusal

 GZI may legitimately refuse to grant access to a requested record that falls within a certain category. Grounds on which GZI may refuse access include:

 -      Protecting personal information that GZI holds about a third person (who is a natural person) including a deceased person, from unreasonable disclosure;

-      Protecting commercial information that GZI holds about a third party or GZI (for example trade secret: financial, commercial, scientific or technical information that may harm the commercial or financial interests of the organisation or the third party);

-      If disclosure of the record would result in a breach of a duty of confidence owed to a third party in terms of an agreement;

-      If disclosure of the record would endanger the life or physical safety of an individual;

-      If disclosure of the record would prejudice or impair the security of property or means of transport;

-      If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;

-      If disclosure of the record would prejudice or impair the protection of the safety of the public;

-      The record is privileged from production in legal proceedings, unless the legal privilege has been waived;

-      Disclosure of the record (containing trade secrets, financial, commercial, scientific, or technical information) would harm the commercial or financial interests of GZI;

-      Disclosure of the record would put GZI at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;

-      The record is a computer programme; and

-      The record contains information about research being carried out or about to be carried out on behalf of a third party or GZI.

Records that cannot be found or do not exist

If GZI has searched for a record and it is believed that the record does not exist or cannot be found, the requester will be notified by way of an affidavit or affirmation. This will include the steps that were taken to try to locate the record.

 

7. IMPLEMENTATION GUIDELINES

7.1.         Training & Dissemination of Information

This Policy has been put in place throughout GZI, training on the Policy and POPI will take place with all employees.

All new employees will be made aware at induction, or through training programmes, of their responsibilities under the terms of this Policy and POPI.

Modifications and updates to data protection and information sharing policies, legislation, or guidelines will be brought to the attention of all employees.

 

7.2.         Employee Contracts

7.2.1.      Each new employee will sign an Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.

7.2.2.      Each employee currently employed within GZI will sign an addendum to their Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the institution of disciplinary proceedings.

 

8. EIGHT PROCESSING CONDITIONS

POPI is implemented by abiding by eight processing conditions. GZI shall abide by these principles in all its possessing activities.

8.1.      Accountability

GZI shall ensure that all processing conditions, as set out in POPI, are complied with when determining the purpose and means of processing Personal Information and during the processing itself. GZI shall remain liable for compliance with these conditions, even if it has outsourced its processing activities.

8.2.      Processing Limitation

8.2.1. Lawful grounds

The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant and not excessive.

GZI may only process Personal Information if one of the following grounds of lawful processing exists:

-        The Data Subject consents to the processing;

-        Processing is necessary for the conclusion or performance of a contract with the Data Subject;

-        Processing complies with a legal responsibility imposed on GZI;

-        Processing protects a legitimate interest of the Data Subject;

-        Processing is necessary for pursuance of a legitimate interest of GZI, or a third party to whom the information is supplied;

Special Personal Information includes:

-        Religious, philosophical, or political beliefs;

-        Race or ethnic origin;

-        Trade union membership;

-        Health or sex life;

-        Biometric information (including blood type, fingerprints, DNA, retinal scanning, voice recognition, photographs);

-        Criminal behaviour;

-        Information concerning a child.

GZI may only process Special Personal Information under the following circumstances:

-        The Data Subject has consented to such processing;

-        The Special Personal Information was deliberately made public by the Data Subject;

-        Processing is necessary for the establishment of a right or defence in law;

-        Processing is for historical, statistical, or research reasons

-        If processing of race or ethnic origin is in order to comply with affirmative action laws

All Data Subjects have the right to refuse or withdraw their consent to the processing of their Personal Information, and a Data Subject may object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data subject withdraws consent or objects to processing then GZI shall forthwith refrain from processing the Personal Information.

8.2.2. Collection directly from the Data Subject

Personal Information must be collected directly from the Data Subject, unless:

-        Personal Information is contained in a public record;

-        Personal Information has been deliberately made public by the Data Subject;

-        Personal Information is collected from another source with the Data Subject’s consent;

-        Collection of Personal Information from another source would not prejudice the Data Subject;

-        Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;

-        Collection from the Data Subject would prejudice the lawful purpose of collection;

-        Collection from the Data Subject is not reasonably practicable.

8.3.      Purpose Specification

GZI shall only process Personal Information for the specific purposes as set out and defined above at paragraph 5.1.

8.4.      Further Processing

New processing activity must be compatible with original purpose of processing. Further processing will be regarded as compatible with the purpose of collection if:

-        Data Subject has consented to the further processing;

-        Personal Information is contained in a public record;

-        Personal Information has been deliberately made public by the Data Subject;

-        Further processing is necessary to maintain, comply with or exercise any law or legal right;

-        Further processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party.

8.5.      Information Quality

GZI shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and updated. GZI shall periodically review Data Subject records to ensure that the Personal Information is still valid and correct. 

Employees should as far as reasonably practicable follow the following guidance when collecting Personal Information:

-        Personal Information should be dated when received;

-        A record should be kept of where the Personal Information was obtained;

-        Changes to information records should be dated;

-        Irrelevant or unneeded Personal Information should be deleted or destroyed;

-        Personal Information should be stored securely, either on a secure electronic database or in a secure physical filing system.

8.6.      Openness

GZI shall take reasonable steps to ensure that the Data Subject is made aware of:

-        What Personal Information is collected, and the source of the information;

-        The purpose of collection and processing;

-        Where the supply of Personal Information is voluntary or mandatory, and the consequences of a failure to provide such information;

-        Whether collection is in terms of any law requiring such collection;

-        Whether the Personal Information shall be shared with any third party.

8.7.    Data Subject Participation

Data Subject have the right to request access to, amendment, or deletion of their Personal Information.

All such requests must be submitted in writing to the Information Officer. Unless there are grounds for refusal as set out in paragraph 6.2, above, GZI shall disclose the requested Personal Information:

-        On receipt of adequate proof of identity from the Data Subject, or requester;

-        Within a reasonable time;

-        On receipt of the prescribed fee, if any;

-        In a reasonable format

GZI shall not disclose any Personal Information to any party unless the identity of the requester has been verified.

8.8.      Security Safeguards

GZI shall ensure the integrity and confidentiality of all Personal Information in its possession, by taking reasonable steps to:

-        Identify all reasonably foreseeable risks to information security;

-        Establish and maintain appropriate safeguards against such risks;

8.8.1. Written records

-        Personal Information records should be kept in locked cabinets, or safes;

-        When in use Personal Information records should not be left unattended in areas where non-employee members may access them;

-        GZI shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;

-        Personal Information which is no longer required should be disposed of by shredding.

Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.

8.8.2. Electronic Records

-        All electronically held Personal Information must be saved in a secure database;

-        As far as reasonably practicable, no Personal Information should be saved on individual computers, laptops or hand-held devices;

-        All computers, laptops and hand-held devices should be access protected with a password, fingerprint or retina scan, with the password being of reasonable complexity and changed frequently;

-        GZI shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day;

-        Electronic Personal Information which is no longer required must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.

Any loss or theft of computers, laptops or other devices which may contain Personal Information must be immediately reported to the Information Officer, who shall notify the IT department, who shall take all necessary steps to remotely delete the information, if possible.

9. DIRECT MARKETING

All Direct Marketing communications shall contain GZI’s, and/or the Company’s details, and an address or method for the customer to opt-out of receiving further marketing communication.

9.1.1. Existing Customers

Direct Marketing by electronic means to existing customers is only permitted:

-        If the customer’s details were obtained in the context of a sale or service; and

-        For the purpose of marketing the same or similar products;

The customer must be given the opportunity to opt-out of receiving direct marketing on each occasion of direct marketing.

9.1.2. Consent

GZI may send electronic Direct Marketing communication to Data Subjects who have consented to receiving it.  GZI may approach a Data Subject for consent only once. 

 9.1.3. Record Keeping

GZI shall keep record of:

 -        Date of consent                                      

-        Wording of the consent

-        Who obtained the consent

-        Proof of opportunity to opt-out on each marketing contact

-        Record of opt-outs

10. DESTRUCTION OF DOCUMENTS

10.1.   Documents may be destroyed after the termination of the retention period specified herein, or as determined by the Company from time to time.  

10.2.   Each department is responsible for attending to the destruction of its documents and electronic records, which must be done on a regular basis. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents must be returned to the holder thereof, failing which, they should be retained by the Company pending such return.

10.3.   The documents must be made available for collection by the approved document disposal company.

10.4.    Deletion of electronic records must be done in consultation with the IT Department, to ensure that deleted information is incapable of being reconstructed and/or recovered.

 

11. STATUTORY RETENTION PERIODS

Legislation	Document Type	Period
Companies Act	Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act; Notice and minutes of all shareholders meeting, including resolutions adopted and documents made available to holders of securities; Copies of reports presented at the annual general meeting of the company; Copies of annual financial statements required by the Act; Copies of accounting records as required by the Act; Record of directors and past directors, after the director has retired from the company; Written communication to holders of securities and Minutes and resolutions of directors’ meetings, audit committee and directors’ committees.	7 Years
	Registration certificate; Memorandum of Incorporation and alterations and amendments; Rules; Securities register and uncertified securities register; Register of company secretary and auditors and Regulated Companies (companies to which chapter 5, part B, C and Takeover Regulations apply) – Register of disclosure of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued.	Indefinitely
Consumer Protection  Act	Full names, physical address, postal address and contact details; ID number and registration number; Contact details of public officer in case of a juristic person; Service rendered; Cost to be recovered from the consumer; Frequency of accounting to the consumer; Amounts, sums, values, charges, fees, remuneration specified in monetary terms; Conducting       a   promotional competition  refer to Section 36(11)(b) and Regulation 11 of Promotional Competitions;	3 years
Financial Intelligence Centre Act	Whenever a reportable transaction is concluded with a customer, the institution must keep record of the identity of the customer; If the customer is acting on behalf of another person, the identity of the person on whose behalf the customer is acting and the customer’s authority to act on behalf of that other person; If another person is acting on behalf of the customer, the identity of that person and that other person’s authority to act on behalf of the customer; The manner in which the identity of the persons referred to above was established; The nature of that business relationship or transaction; In the case of a transaction, the amount involved and the parties to that transaction; All accounts that are involved in the transactions concluded by that accountable institution in the course of that business relationship and that single transaction; The name of the person who obtained the identity of the person transacting on behalf of the accountable institution; Any document or copy of a document obtained by the accountable institution	5 years
Compensation  for Occupational Injuries and Diseases Act	Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.	4 years
	Section 20(2) documents : -Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation; -Records of incidents reported at work.	3 years
	Asbestos Regulations, 2001, regulation 16(1): -Records of assessment and air monitoring, and the asbestos inventory; -Medical surveillance records; Hazardous Biological Agents Regulations, 2001, Regulations 9(1) and (2): -Records of risk assessments and air monitoring; -Medical surveillance records. Lead Regulations, 2001, Regulation 10: -Records of assessments and air monitoring; -Medical surveillance records Noise - induced Hearing Loss Regulations, 2003, Regulation 11: -All records of assessment and noise monitoring; -All medical surveillance records, including the baseline audiogram of every employee.	40 years
	Hazardous Chemical Substance Regulations, 1995, Regulation 9: -Records of assessments and air monitoring; -Medical surveillance records	30 years

 

 

 

 

 

 

 

Legislation	Document Type	Period
Basic Conditions of Employment Act	Section 29(4): -Written particulars of an employee after termination of employment; Section 31: -Employee’s name and occupation; -Time worked by each employee; -Remuneration paid to each employee; -Date of birth of any employee under the age of 18 years.	3 years
Employment Equity Act	Records in respect of the company’s workforce, employment equity plan and other records relevant to compliance with the Act; Section 21 report which is sent to the Director General	3 years
Labour Relations Act	Records to be retained by the employer are the collective agreements and arbitration awards.	3 years
	An employer must retain prescribed details of any strike, lock-out or protest action involving its employees; Records of each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer and the reasons for the actions	Indefinite
Unemployment Insurance Act	Employers must retain personal records of each of their current employees in terms of their names, identification number, monthly remuneration and address where the employee is employed	5 years
Tax Administration Act	Section 29 documents which: -Enable a person to observe the requirements of the Act; -Are specifically required under a Tax Act by the Commissioner by the public notice; -Will enable SARS to be satisfied that the person has observed these requirements	5 years
Income Tax Act	Amount of remuneration paid or due by him to the employee; The amount of employees tax deducted or withheld from the remuneration paid or due; The income tax reference number of that employee; Any further prescribed information; Employer Reconciliation return.	5 years
Value Added Tax Act	Where a vendor’s basis of accounting is changed the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditors at the end of the tax period immediately preceding the changeover period; Importation of goods, bill of entry, other documents prescribed by the Custom and Excise Act and proof that the VAT charge has been paid to SARS; Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists and paid cheques; Documentary proof substantiating the zero rating of supplies; Where a tax invoice, credit or debit note, has been issued in relation to a supply by an agent or a bill of entry as described in the Customs and Excise Act, the agent shall maintain sufficient records to enable the name, address and VAT registration number of the principal to be ascertained.	5 years

 

 

12    DOCUMENT CONTROL

12.1 Version history

This document is the latest version indicated in the following table:

Version	Details of changes	Author
	First draft	Legal Officer

12.2                    Version review

This document version was reviewed as indicated in the following table:

Person	Designation	Review date

12.3                    Version approval

This document version was approved for implementation as shown below, and is effective from the date of approval.

This policy will be reviewed every second year or when necessary (i.e. legislative changes), from the date of approval.

Person (or Committee)	Designation	Approval date

 

Full policy

8.3. The recipients or categories of recipients to whom the personal information may be supplied

●     Any firm, organisation or person that GZI SA uses to collect payments and recover debts or to provide a service on its behalf;

●     Any firm, organisation or person that/who provides GZI SA with products or services;

●     Any person who GZI SA has reason to believe to be a data subject’s/consumer’s parent, carer or helper where he/she is unable to handle his/her own affairs because of mental incapacity or other similar issues;

●     Any payment system the GZI SA uses;

●     Regulatory and governmental authorities or ombudsmen, or other authorities, including tax authorities, where the GZI SA has a duty to share information;

●     Credit Bureaux;

●     Third parties to whom payments are made on behalf of employees;

●     Financial institutions from whom payments are received on behalf of data subjects;

●     Any other operator not specified;

●     Employees, contractors and temporary staff; and

●     Agents.

 

               8.4.      Planned transborder flows of personal information

●     Storing information electronically; and

●     Making use of third-party service providers to fulfil a business function on behalf of the GZI SA.

8.5.      General description of information security measures to be implemented by GZI

GZI SA undertakes extensive information security measures to ensure the security, confidentiality, integrity and availability of personal information in our possession. This is supported by appropriate technical and organisational measures designed to ensure that personal data remains confidential and secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.

9.         INFORMATION AVAILABLE IN TERMS OF OTHER LEGISLATION

Information is available in terms of certain provisions of the following legislation to the persons or entities specified in such legislation:

●       Administration of Estates Act 66 of 1965

●       Basic Conditions of Employment Act 75 of 1997

●       Broad-Based Black Economic Empowerment Act 53 of 2003

●       Companies Act 71 of 2008

●       Compensation for Occupational Injuries and Health Diseases Act 130 of 1993

●       Competition Act 89 of 1998

●       Consumer Protection Act 68 of 2008

●       Copyright Act 98 of 1978

●       Customs and Excise Act 91 of 1964

●       Customs Duty Act 30 of 2014

●       Debt Collectors Act 114 of 1998

●       Electronic Communications and Transactions Act 25 of 2002

●       Electronic Communications Act, 36 of 2005

●       Employment Equity Act 55 of 1998

●       Financial Advisory and Intermediary Services Act 37 of 2002

●       Financial Intelligence Centre Act 38 of 2001

●       Income Tax Act 58 of 1962

●       Insolvency Act No. 24 of 1936

●       Labour Relations Act 66 of 1995

●       Merchandise Marks Act 17 of 1941

●       National Credit Act 34 of 2005

●       Occupational Health & Safety Act 85 of 1993

●       Pension Funds Act 24 of 1956

●       Prevention of Organised Crime Act 121 of 1998

●       Prevention and Combating of Corrupt Activities Act 12 of 2004

●       Protection of Personal Information Act 4 of 2013

●       Promotion of Access to Information Act 2 of 2000

●       Promotion of Equality and Prevention of Unfair Discrimination Act 4 of 2000

●       Protected Disclosures Act 26 of 2000

●       Skills Development Act 97 of 1998

●       Skills Development Levies Act 9 of 1999

●       Stamp Duties Act 77 of 1968

●       Unemployment Contributions Act 4 of 2002

●       Unemployment Insurance Act 30 of 1966

●       Value Added Tax Act 89 of 1991

●       Such other legislation as may from time to time be applicable

10.       CATEGORIES OF RECORDS AVAILABLE UPON REQUEST

GZI SA maintains records on the categories and subject matters listed below. Please note that recording a category or subject matter in this manual does not imply that a request for access to such records would be honoured. All requests for access will be evaluated on a case-by-case basis in accordance with the provisions of PAIA.

Please note further that many of the records held by GZI are those of third parties, such as clients and employees, and GZI takes the protection of third-party confidential information very seriously. In particular, where GZI SA acts as professional advisors to clients, their records held are confidential and others are the property of the client and not of GZI. For further information on the grounds of refusal of access to a record please see paragraph 11.5 below. Requests for access to these records will be considered very carefully.  Please ensure that requests for such records are legitimate and in compliance with the PAA and POPIA Acts.

 

Category of records	Records
Internal records The records listed pertain to GZI affairs	●                 Memorandum of Incorporation ●                 Financial records ●                 Operational records ●                 Intellectual property ●                 Marketing records; ●                 Internal correspondence; ●                 Service records; ●                 Statutory records; ●                 Internal policies and procedures; ●                 Minutes of meetings.
Personnel records For the purposes of this section, “personnel” means any person who works for or provides services to or on behalf of GZI SA and receives or is entitled to receive any remuneration and any other person who assists in carrying out or conducting the business of GZI.   This includes partners, directors, all permanent, temporary and part-time staff as well as consultants and contract workers.	●         Any personal records provided to GZI  by itspersonnel; ●         Any records a third party has provided to us about any of their personnel; ●         Conditions of employment and other personnel-related contractual and quasi legal records; ●         Employment policies and procedures; ●         Internal evaluation and disciplinary records; and ●         Other internal records and correspondence.
Client-related records	●	Contracts with the client and between the client and other persons;
Other third-party records Records are kept in respect of other parties, including without limitation joint ventures and consortia to which GZI SA is a party, contractors and sub-contractors, suppliers, service providers, and providers of information regarding general market conditions.    In addition, such other parties may possess records which can be said to belong to GZI.	● ●	Personnel, client, or GZI records which are held by another party as opposed to being held by GZI; and Records held by GZI pertaining to other parties, including financial records, correspondence, contractual records, records provided by the other party, and records third parties have provided about the contractors or suppliers.
Other records	●	Information relating to GZI; and
	●	Research information belonging to GZI or carried out on behalf of a third party.

 

11.       REQUEST PROCEDURE

               11.1.    Completion of the prescribed form

Any request for access to a record in terms of PAIA must substantially correspond with Form C of Annexure B to Government Notice No. R.187 dated 15 February 2002 and should be specific in terms of the record requested. Please complete the prescribed form attached hereto as Appendix A and submit it to the Information Officer at the postal or physical address or electronic mail address:

Alphina.Kekae@gzican.com (See Appendix A hereto.)

A request for access to information which does not comply with the formalities as prescribed by PAIA will be returned to you.

POPIA provides that a data subject may, upon proof of identity, request GZI SA to confirm, free of charge, all the information it holds about the data subject and may request access to such information, including information about the identity of third parties who have or have had access to such information.

POPIA also provides that where the data subject is required to pay a fee for services provided to him/her, GZI must provide the data subject with a written estimate of the payable amount before providing the service and may require that the data subject pays a deposit for all or part of the fee.

Grounds for refusal of the data subject’s request are set out in PAIA and are discussed below.

POPIA provides that a data subject may object, at any time, to the processing of personal information by GZI SA, on reasonable grounds relating to his/her particular situation, unless legislation provides for such processing.

The data subject must complete the prescribed form attached hereto as Appendix C - Form 1 and submit it to the Information Officer at the postal or physical address or electronic mail address: alphina.kekae@gzican.com.

Section 24 of POPIA provides that a data subject having provided adequate proof of identity may request access to personal information as per Appendix D - Form 3 by submitting a request to the Information Officer at the postal or physical address or electronic mail address: alphina.kekae@gzican.com.

A data subject may also request GZI to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that GZI SA is no longer authorised to retain records in terms of POPIA's retention and restriction of records provisions.

A data subject that wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the Information Officer at the postal or physical address or electronic mail address: alphina.kekae@gzican.com set out above on the form, attached hereto as Appendix E - Form 2.

               11.2.    Proof of identity

Proof of identity is required to authenticate your identity and the request. You will, in addition to this prescribed form, be required to submit acceptable proof of identity such as a certified copy of your identity document or other legal forms of identity.

               11.3.    Payment of the prescribed fees

There are two categories of fees which are payable:

● The request fee: R50

● The access fee: This is calculated by taking into account reproduction costs, search and preparation costs, as well as postal costs. These fees are set out in Appendix B.

Section 54 of PAIA entitles GZI SA to levy a charge or to request a fee to enable it to recover the cost of processing a request and providing access to records. The fees that may be charged are set out in Regulation 9(2)(c) promulgated under PAIA.

When a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.

               11.4.    Timelines for consideration of a request for access

Requests will be processed within 30 (thirty) days, unless the request contains considerations that are of such a nature that an extension of the time limit is needed.

Should an extension be required, you will be notified, together with reasons explaining why the extension is necessary.

               11.5.    Grounds for refusal of access and protection of information

There are various grounds upon which a request for access to a record may be refused.  These grounds include:

●       the protection of personal information of a third person (who is a natural person) from unreasonable disclosure;

●       the protection of commercial information of a third party (for example: trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party);

●       if disclosure would result in the breach of confidence owed to a third party;

●       if disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person;

●       if the record was produced during legal proceedings, unless that legal privilege has been waived;

●       if the record contains trade secrets, financial or sensitive information or any information that would put GZI (at a disadvantage in negotiations or

prejudice it in commercial competition); and/or

●       if the record contains information about research being carried out or about to be carried out on behalf of a third party or by GZI.

Section 70 of the PAIA contains an overriding provision wherein the Ddsclosure of a record is compulsory if it would reveal (i) a substantial contravention of, or failure to comply with the law; or (ii) there is an imminent and serious public safety or environmental risk; and (iii) the public interest in the disclosure of the record in question clearly outweighs the harm contemplated by its disclosure.

If the request for access to information affects a third party, then such a third party must first be informed within 21 (twenty-one) days of receipt of the request. The third party would then have a further 21 (twenty-one) days to make representations and/or submissions regarding the grantof access to the record.

12.                   REMEDIES AVAILABLE ON THE REFUSAL OF ACCESS

If the Information Officer decides to grant access to the particular record, such access must be granted to the requester within 30 (thirty) days of being informed of the decision.

There is no internal appeal procedure that may be followed after a request to access information has been refused. The decision made by the Information Officer is final. In the event that you are not satisfied with the outcome of the request, you are entitled to apply to a court of competent jurisdiction to take the matter further.

Where a third party is affected by the request for access and the Information Officer has decided to grant the access to the record, the third party has 30 (thirty) days in which to appeal the decision in a court of competent jurisdiction. If no appeal has been lodged by the third party within 30 (thirty) days, the requester will be granted access to the record.

13.       AVAILABILITY OF THIS MANUAL

Copies of this Manual are available for inspection, free of charge, at the offices of GZI and at www.gzican.com

APPENDIX A

FORM C: REQUEST FORM

ACCESS REQUEST FORM

Requests can be submitted either via post or e-mail: popia-io@GZI.co.za and should be addressed to the

Information Officer.

REQUEST FOR ACCESS TO THE RECORD OF A PRIVATE BODY

Section 53(1) of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

[Regulation 10]

A.              Particulars of private body The Head:

B.              Particulars of person requesting access to the record

a)	The particulars of the person who requests access to the record must be given below.
b)	The address in the Republic to which the information is to be sent must be given.
c)	Proof of the capacity in which the request is made, if applicable, must be attached.

Full names and surname:

Identity number:

Postal address:

Telephone number:

Capacity in which request is made, when made on behalf of another person:

C.              Particulars of person on whose behalf request is made

Full names and surname:

Identity number:

D.              Particulars of record

a)	Provide full particulars of the record to which access is requested, including the reference number if that is known to you, to enable the record to be located.
b)	If the provided space is inadequate, please continue on a separate folio and attach it to this form. The requester must sign all the additional folios.

1.    Description of record or relevant part of the record:

2.    Reference number, if available:

3.    Any further particulars of record:

E.               Fees

a)	A request for access to a record, other than a record containing personal information about yourself, will be processed only after a request fee has been paid.
b)	You will be notified of the amount required to be paid as the request fee.
c)	The fee payable for access to a record depends on the form in which access is required and the reasonable time required to search for and prepare a record.
d)	If you qualify for exemption of the payment of any fee, please state the reason for exemption.

Reason for exemption from payment of fees:

F.               Form of access to record

Disability:

Form in which record is required:

1.    If the record is in written or printed form:

       Copy of record*                            Inspection of record

2.    If record consists of visual images

(This includes photographs, slides, video recordings, computer-generated images, sketches, etc)

       View the images            Copy of the images*      Transcription of the images*

3.    If record consists of recorded words or information which can be reproduced in sound:

       Listen to the soundtrack (CD)        Transcription of soundtrack*

4.    If record is held on computer or in an electronic or machine-readable form:

Printed copy of

Copy in computer readable

* If you requested a copy or transcription of a record (above), do you wish the copy or transcription to be posted to you? (POSTAGE IS PAYABLE)	YES	NO
Particulars of right to be exercised or protected
If the provided space is inadequate, please continue on a separate folio and attach it to this form. The requester must sign all the additional folios.

Printed copy of record*information derived from form*(CD) record* G.

1.    Indicate which right is to be exercised or protected:

2.    Explain why the record requested is required for the exercise or protection of the aforementioned

right:

H. Notice of decision regarding request for access

How would you prefer to be informed of the decision regarding your request for access to the record?

	YOU MUST			SEND WITH THIS APPLICATION
1     Complete all necessary spaces			1      The request fee
2     Sign the access request form Sign			2    Any additional folios completed
3     Sign additional folios completed			3      Copy of Identity Document

Signed at .......................................... this ...................... day of ...........................20………...

............................................................

Signature of Requester/Person on behalf of whom request is made

APPENDIX B

FEES IN RESPECT OF PRIVATE BODIES

Description		Rand
1	The fee for a copy of the manual as contemplated in regulation 9(2)(c) - for every photocopy of an A4-size page or part thereof.	1,10
2	The fees for reproduction referred to in regulation 11(1) are as follows:
(a)	For every photocopy of an A4-size page or part thereof	1,10
(b)	For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form	0,75
(c)	For a copy in a computer-readable form on -
(ii)	compact disc	70,00
(d)(i)	For a transcription of visual images, for an A4-size page or part thereof	40,00
(ii)	For a copy of visual images	60,00
(e)(i)	For a transcription of an audio record, for an A4-size page or part thereof	20,00
(ii)	For a copy of an audio record	30,00
3	The request fee payable by a requester, other than a personal requester, referred to in regulation 11(2)	50,00
4	The access fees payable by a requester referred to in regulation 11(3) are as follows:
4.1(a)	For every photocopy of an A4-size page or part thereof	1,10
(b)	For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine readable form	0,75
(c)	For a copy in a computer-readable form on -
(i)	compact disc	70,00
(d)(i)	For a transcription of visual images, for an A4-size page or part thereof	40,00
(ii)	For a copy of visual images	60,00
(e)(i)	For a transcription of an audio record, for an A4-size page or part thereof	20,00
(ii)	For a copy of an audio record	30,00
(f)	To search for and prepare the record for disclosure, R30,00 for each hour or part of an hour reasonably required for such search and preparation.
4.2	For purposes of section 54(2) of the Act, the following applies:
(a)	Six hours as the hours to be exceeded before a deposit is payable; and
(b)	one third of the access fee is payable as a deposit by the requester.
4.3	The actual postage is payable when a copy of a record must be posted to a requester.

 

 

APPENDIX C

FORM 1

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF

THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO.  4 OF 2013)

Requests can be submitted either via post or e-mail: alphina.kekae@gzican.com and should be addressed to the Information Officer.

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018

[Regulation 2]

Note:

1.                Affidavits or other documentary evidence as applicable in support of the objection may be attached.

2.                If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

3.                Complete as is applicable.

A	DETAILS OF DATA SUBJECT
Name(s) and surname/ registered name of data subject:
Unique Identifier/ Identity Number
Residential, postal or business address:
	Code (         )
Contact number(s):
E-mail address:
B	DETAILS OF RESPONSIBLE PARTY
Name(s) and surname/ Registered name of responsible party:

Signed at .......................................... this ...................... day of ...........................20………...

............................................................

Signature of data subject/designated person

APPENDIX D

FORM 3

ACCESS TO PERSONAL INFORMATION

REQUEST FOR ACCESS TO PERSONAL INFORMATION IN TERMS OF SECTION 23 OF THE

PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

Requests can be submitted either via post or e-mail: alphina.kekae@gzican.com and should be addressed to the Information Officer.

Name of Responsible Party request is made to:

Mrs.      Ms.    Miss	Last Name :
First Name :	Middle name :
Address : (Street/Apt. No./PO Box)	City :
Province :	Postal Code :
Telephone Number (Day)       )	Telephone Number (Eevening)       )
Detailed description of requested records and/or personal information. (If you are requesting access to your personal information, please identify the personal information record containing the personal information, if known.)

Responsible party us	e
Date Received:	Request Number:	Comments:

 

Personal Information contained on this form is collected pursuant to the Protection of Personal Information Act, 2013 and will be used for the purpose of responding to your request. Questions about this collection should be directed to the Information Officer of the Responsible Party.

 

APPENDIX E

FORM 2

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR

DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE

PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

Requests can be submitted either via post or e-mail: alphina.kekae@gzican.com and should be addressed to the Information Officer.

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018

[Regulation 3]

Note:

1.            Affidavits or other documentary evidence as applicable in support of the request may be attached.

2.            If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

3.            Complete as is applicable.

Mark the appropriate box with an "x". Request for:

Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.

Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorised to retain the record of information.

A	DETAILS OF THE DATA SUBJECT
Name(s) and surname / registered name of data subject:
Unique identifier/ Identity Number:
Residential, postal or business address:
	Code (          )
Contact number(s):

 

E-mail address:
B	DETAILS OF RESPONSIBLE PARTY
Name(s) and surname / registered name of responsible party:
Residential, postal or business address:
	Code (         )
Contact number(s):
E-mail address:
C	INFORMATION TO BE CORRECTED/DELETED/ DESTRUCTED/ DESTROYED
D	REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(a) WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY ; and/or REASONS FOR *DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(b) WHICH THE RESPONSIBLE PARTY IS NO LONGER AUTHORISED TO RETAIN. (Please provide detailed reasons for the request)

 

Signed at .......................................... this ...................... day of ...........................20………...

............................................................

Signature of data subject/ designated person