1. Purpose
Precise Byte (Pty) Ltd strives to comply with applicable laws and
regulations relating to privacy and Personal Information protection, including
the Protection of Personal Information Act, 2013 (“POPI”). This Policy sets
forth the basic principles (referred to as Processing Conditions) which Precise
Byte applies when Processing the Personal Information of consumers, customers,
suppliers, business partners, employees and other individuals. This policy also
outlines the responsibilities of Precise Byte’s respective business departments
and employees while Processing Personal Information.
2. Scope
2.1. This Policy applies to Precise Byte (Pty) Ltd (referred to as either
"Precise Byte" or "Company").
2.2. Any breach of this Policy
amounts to serious misconduct and may result in disciplinary action.
3. Basic Conditions to be applied in respect of Privacy Protection and Personal
Information being Processed (Processing Conditions)
3.1. When Precise Byte
Processes Personal Information, it must comply with the following 8 Processing
conditions:
3.1.1. Condition 1: Accountability;
3.1.2. Condition 2: Processing Limitation;
3.1.3. Condition 3: Purpose Specification;
3.1.4. Condition 4: Further Processing Limitation;
3.1.5. Condition 5: Information Quality;
3.1.6. Condition 6: Openness;
3.1.7. Condition 7: Security Safeguards; and
3.1.8. Condition 8: Data Subject Participation.
Condition 1: Accountability
3.2. Precise Byte must ensure
that the Processing Conditions are complied with.
3.3. Precise Byte will
appoint an IO to encourage and support Precise Byte’s overall compliance with
POPI.
3.4. The IO is responsible
for drafting an information security policy, which will, among other things,
address document retention, access to information and classification of
Personal Information.
3.5. Precise Byte will
furthermore designate specific individuals to monitor compliance with
information security standards within each business area.
3.6. Training or awareness
sessions for employees on information security will be conducted on a regular
basis.
Condition 2: Processing Limitation
3.7. Personal Information may
only be Processed if, given the purpose for which it is Processed, it is
adequate, relevant and not excessive.
3.8. This condition applies
to electronic Personal Information and paper-based records stored in a
non-automated filing system.
3.9. Precise Byte requires a
justification to Process Personal Information. To this end, and where
possible and necessary, Precise Byte will obtain voluntary, informed and
specific consent by means of an expression of will from Data Subjects, before
collecting their Personal Information. Where this is not possible or necessary,
Precise Byte may seek to rely on one of the exceptions to having to obtain consent
set out in section 11 of POPI.
3.10. A Data Subject may
withdraw consent at any time and such withdrawal of consent should be noted. A
Data Subject may also object at any time on reasonable grounds, to the
Processing of its Personal Information, save if legislation (including POPI)
provides for such Processing. Precise Byte will then no longer Process the
Personal Information, unless it is authorised to do so under relevant laws.
Condition 3: Purpose specification
3.11. Personal Information may only be Processed for specific,
explicitly defined and legitimate reasons relating to the functions or
activities of Precise Byte, of which the Data Subject is made aware.
3.12. Personal Information
will only be collected to the extent that it is required for the specific
purpose notified to the Data Subject, unless it is not reasonably practicable
to do so in the circumstances or collection will not affect a legitimate
interest of the Data Subject. Any Personal Information which is not necessary
for such purpose will not be collected in the first place, unless Data Subject
consent is obtained.
3.13. Records of Personal
Information may only be kept for as long as necessary for achieving the purpose
for which the information was collected or subsequently Processed, unless:
3.13.1. retention of the record is required or authorised by law;
3.13.2. Precise Byte reasonably requires the record for lawful purposes related to its
functions or activities;
3.13.3. retention of the record is required by a contract between Precise Byte and a
third party thereto; or
3.13.4. the Data Subject or a competent person, where the Data Subject is a child, has
consented to the retention of the record.
3.14. Personal Information
will therefore not be kept longer than is necessary for the purpose for which
it was collected. This means that Personal Information must be destroyed or
deleted in a manner that prevents its reconstruction in an intelligible form or
be de-identified as soon as reasonably practicable after Precise Byte is no
longer authorised to retain the record.
Condition 4: Further Processing limitation
3.15. Further Processing of
Personal Information must be compatible or in accordance with the purpose of
collection, unless the Data Subject has consented to such further Processing.
3.16. Once collected,
Personal Information will only be Processed for the specific purposes notified
to the Data Subject when the Personal Information was first collected under
Condition 3 or for other purposes which are compatible with such purpose. This
means that Personal Information will not be collected for one purpose and then
used for another incompatible purpose. If it becomes necessary to change the
purpose for which the Personal Information is Processed, the Data Subject will
be informed of the new purpose and the Data Subject’s consent will be obtained
before any Processing occurs. Where this is not possible, the IO should be
consulted.
3.17. Where Personal
Information is transferred to a third party for further Processing, the further
Processing must be compatible with the purpose for which it was initially
collected.
Condition 5: Information quality
3.18. Precise Byte must take
reasonably practicable steps to ensure that Personal Information is complete,
accurate, not misleading and updated where necessary in light of the purpose
for which such information is collected.
3.19. Information which is
incorrect or misleading is not accurate and steps will therefore be taken to
check the accuracy of any Personal Information at the point of collection and
at regular intervals afterwards. Inaccurate or out-of-date information will be
destroyed.
3.20. The IO will develop
appropriate processes to ensure compliance with the above as well as the
applicable provisions of POPI.
Condition 6: Openness
3.21. Precise Byte must take
reasonably practicable steps to ensure that the Data Subject is aware of:
3.21.1. the Personal Information being collected and where the information is not
collected from the Data Subject, the source from which it is collected;
3.21.2. the name and address of Precise Byte;
3.21.3. the purpose for which the information is being collected;
3.21.4. whether or not the supply of the information by that Data Subject is voluntary
or mandatory;
3.21.5. the consequences of failure to provide the information;
3.21.6. any particular law authorising or requiring the collection of the information;
3.21.7. where applicable, the fact that Precise Byte intends to transfer the
information to a country or international organisation and the level of
protection afforded to the information by that country or international
organisation;
3.21.8. any further information such as the recipient or category of recipients of the
information, the nature or category of the information and the existence of the
right of access to and the right to rectify the information collected;
3.21.9. the existence of the right to object to the Processing of Personal Information;
and
3.21.10. the right to lodge a complaint to the Regulator and the contact details of the
Information Regulator, which is necessary, having regard to the specific
circumstances in which the information is or is not to be Processed, to enable
Processing in respect of the Data Subject to be reasonable.
Condition 7: Security safeguards
3.22. Precise Byte will take
reasonable organisational and technical measures to ensure that all Personal
Information is secure against the risk of loss, unauthorised access,
interference, modification, destruction or disclosure and conduct regular risk
assessments to identify and manage all reasonably foreseeable internal and
external risks to Personal Information under its control.
Duty in Respect of Operators
3.23. Operators (i.e. third
parties which may further Process Personal Information collected by Precise
Byte on its behalf) include, but are not limited to, call centres, outsourced
payroll administrators, marketing database companies, recruitment agencies,
psychometric assessment centres, document management warehouses, external
consultants, credit bureaus and persons who clear the payment instructions of Precise
Byte’s clients.
3.24. Precise Byte will
implement the following key obligations in respect of Operators:
3.24.1. The Operator may not Process Personal Information on behalf of Precise Byte
without the knowledge and authorisation of Precise Byte;
3.24.2. Precise Byte will ensure that the Operator implements the security measures
required in terms of Condition 7: Security Safeguards;
3.24.3. There will be a written contract in place between Precise Byte and the Operator
which requires the Operator to maintain the confidentiality and integrity of
Personal Information Processed on behalf of Precise Byte;
3.24.4. The written contract between Precise Byte and the Operator will include the
mandatory provisions under sections 19 to 21 of POPI; and
3.24.5. If the third party is located outside of South Africa, Precise Byte will
consult the IO.
Duties in Respect of Security Compromises
3.25. In the event that
Personal Information has been compromised, or if there is a reasonable belief
that a compromise has occurred, Precise Byte (or an Operator Processing
Personal Information on its behalf) will comply with the notification
requirements set out in section 22 of POPI.
Condition 8: Data subject participation
Request for Information
3.26. Precise Byte recognises
that a Data Subject has the right to request Precise Byte to confirm, free of
charge, whether or not it holds Personal Information about the Data Subject and
request Precise Byte to provide a record or a description of the Personal
Information held, including information about the identity of all third
parties, or categories of third parties, who have, or have had, access to the
information at a prescribed fee.
3.27. Precise Byte’s PAIA
manual, which can be found at https://www-file.Precise Byte.com/-/media/corporate/local-site/za/pdf/paia-manual-2021.pdf,
must be consulted in respect of any access to Personal Information requests by
Data Subjects and Data Subjects must also follow the request procedure as
stipulated therein.
Request to Correct or Delete
3.28. The Data Subject may
request Precise Byte to:
3.28.1. correct or delete Personal Information relating to the Data Subject in its
possession or under its control that is inaccurate, irrelevant, excessive,
misleading or obtained unlawfully; or
3.28.2. destroy or delete a record of Personal Information about the Data Subject that
Precise Byte is no longer authorised to retain.
3.29. Precise Byte will
provide credible proof to the Data Subject of the action that has been taken in
response to the request.
3.30. If any changes to the
Personal Information are made and have an impact on any decisions to be made in
respect of the Data Subject, Precise Byte will inform all third parties to whom
the information has been disclosed of such changes.
4. Building Privacy Protection and the Processing Conditions into Business
Activities
4.1. Notification to Data Subjects:
4.1.1. In compliance with Condition 6, before Processing Personal Information in
respect of products, services or marketing activities, Precise Byte will use
reasonable endeavours to notify Data Subjects of:
4.1.1.1. the types of Personal Information that will be Processed;
4.1.1.2. the purpose/s of the Processing;
4.1.1.3. the Processing methods that will be used;
4.1.1.4. the Data Subjects’ rights with respect to their Personal Information; and
4.1.1.5. Precise Byte's security measures to protect the Personal Information that is
being Processed.
4.2. Data Subject's choice and consent:
In compliance with Condition
2, the Processing of Personal Information will be based on the Data Subject's
consent, customers' written authorisation or other lawful grounds and a record
of such consent or authorisation must be retained and stored. Precise Byte will
also provide Data Subjects with the option to withdraw the consent given by
them to Process their Personal Information.
4.3. Processing of Personal Information which includes collection of Personal Information:
When Processing the Personal Information of a Data Subject, Precise Byte will strive
to collect the least amount of Personal Information possible to achieve the
purpose of the Processing and ensure that the Personal Information being
Processed is:
4.3.1. relevant to the purpose of the Processing;
4.3.2. necessary for the purpose/s of the Processing; and
4.3.3. not excessive considering the purpose/s of the Processing.
If Personal Information is collected from a third party, Precise Byte will try to
ensure that the Personal Information is Processed in accordance with applicable
laws and regulations.
4.4. Use, retention, and disposal:
4.4.1. In compliance with Condition 3, the use, purpose/s for Processing, method/s of
Processing and the retention period of Personal Information should be
consistent with the information contained in the notice to the Data Subjects or
authorisations by customers. Precise Byte will maintain the accuracy, integrity
and relevance of Personal Information based on the purpose/s of the Processing.
4.4.2. Under Condition 7, security mechanisms designed to protect Personal Information
shall be used to prevent Personal Information from being stolen, leaked,
damaged, accessed unlawfully, misused, abused, disseminated unlawfully or
without approval. For example:
4.4.2.1. Personal Information should be anonymised or de-identified in a manner that
makes re-identification impossible where practicable and appropriate or
aggregate data, such as statistical or research results that do not identify
an individual, should be used, if possible.
4.4.2.2. Precise Byte encourages Pseudonymisation, if possible, to reduce the ability to
link Personal Information to a Data Subject.
4.4.2.3. Access to and Processing of Personal Information should be controlled.
Encryption or other methods should be used to help ensure the ongoing
confidentiality, integrity, availability and resilience of Processing systems.
4.4.2.4. Personal Information should be restored in a timely manner in the event of a
data security incident.
4.4.2.5. Security measures should be evaluated regularly.
4.5. Disclosure to third parties:
4.5.1. In compliance with Condition 7, when Precise Byte authorises a supplier or
business partner to Process Personal Information on behalf of Precise Byte,
i.e. act as an operator, Precise Byte should seek to ensure that the supplier
or business partner provides security measures to safeguard Personal
Information that are appropriate to the risks associated with the Personal
Information.
4.5.2. Precise Byte should also ensure that the supplier or business partner provides
the same level of data protection as Precise Byte would have provided through
the conclusion of a contract containing data protection provisions.
4.5.3. The supplier or business partner should only Process Personal Information to
the extent necessary to carry out its contractual obligations to Precise Byte
or upon the instruction of Precise Byte and not for any other purpose.
4.5.4. When Precise Byte Processes Personal Information jointly with an independent
third party, Precise Byte should explicitly specify the respective
responsibilities of Precise Byte and the third party in the relevant contract.
4.6. Cross-border transfer of Personal Information:
4.6.1. Precise Byte may transfer and Process Personal Information worldwide for
routine business operations. As different countries may impose different
requirements for the cross-border transfer of Personal Information ranging from
no limitations to conditional limitations to prohibitions against transfers of
certain types of Personal Information out of the country, Precise Byte will
monitor the regulations relating to cross-border transfers of Personal
Information. Before transferring Personal Information out of a country, the
relevant department must consult the IO or Legal Affairs Dept.
4.6.2. Before transferring Personal Information out of the Republic of South Africa,
the Data Subject or customers' express written consent must be obtained, unless
the transfer complies with another safeguard set out in section 72 of POPI.
4.7. Access to Personal Information by Data Subjects:
4.7.1. In compliance with Condition 8, when acting as a Responsible Party, Precise
Byte should provide Data Subjects with a mechanism which will enable them to:
4.7.1.1. access their Personal Information;
4.7.1.2. request that the Personal Information relating to them that is being Processed
be updated, rectified, erased and/or deleted; and
4.7.1.3. object to the Processing of their Personal Information.
4.8. The Processing of Special Personal Information:
4.8.1. In most cases when Special Personal Information is being Processed, the Data
Subject's explicit consent to the Processing of such information will usually
be required.
4.8.2. Examples of when Special Personal Information of employees is likely to be
Processed are set out below and may include, but are not necessarily limited
to:
4.8.2.1. information about an employee's physical
or mental health or condition in order to monitor sick leave and take decisions
as to the employee's fitness for work;
4.8.2.2. the employee's racial or ethnic origin or
religious or similar information, in so far as it is required to monitor
compliance with employment equity legislation; and
4.8.2.3. in order to comply with legal
requirements and obligations to third parties.
4.9. Authorisation from the Regulator:
Precise Byte will obtain prior authorisation from the Regulator, in terms of section 58
of POPIA, prior to any processing if Precise Byte plans to:
4.9.1. process any unique identifiers of Data Subjects for a purpose other than the
one for which the identifier was specifically intended at collection; and with
the aim of linking the information together with information processed by other
responsible parties;
4.9.2. process information on criminal behaviour or on unlawful or objectionable
conduct on behalf of third parties;
4.9.3. process information for the purposes of credit reporting; or
4.9.4. transfer special personal information, the personal information of children
under the age of 18, to a third party in a foreign country that does not
provide an adequate level of protection for the processing of personal
information as referred to in section 72 of POPIA.
4.10. Organisation and Responsibilities:
4.10.1. The objective of Precise Byte’s privacy program is to take a risk-based
approach to ensuring legal compliance, if required, and business
competitiveness.
4.10.2. The Information Officer is the owner of Precise Byte’s Privacy
protection program and is responsible for the development and promotion of
end-to-end Privacy protection policies. The Information Officer of Precise Byte
is responsible for ensuring that the various departments:
4.10.2.1. develop privacy protection policies and
guidance in their business;
4.10.2.2. determine privacy protection roles and
responsibilities;
4.10.2.3. apply data protection requirements to
Process management and business decision making systems; and
4.10.2.4. audit data protection compliance and
promote improvements.
4.10.3. The Legal Affairs Department, as a legal competence center for privacy
protection, monitors and analyses the privacy laws and regulations, develops
compliance requirements and assists business departments in achieving their
Privacy goals.
4.10.4. The Human Resource Mgmt Dept is responsible for improving all employees' awareness
about user privacy protection, organising privacy protection expertise and
awareness training for privacy protection practitioners and introducing
training materials and certification criteria from the industry.
4.10.5. In the consumer domain, Device Business Department of Precise Byte is
responsible for end-to-end privacy protection. When Precise Byte acts as a
Responsible Party, Precise Byte should observe laws to proactively protect
consumers' privacy, enhance consumers' trust, and facilitate business success.
4.10.6. In the ICT infrastructure domain, Carrier Business Department and Enterprise
Business Department are responsible for Privacy protection during sales and the
provision of services. When Precise Byte Processes Personal Information, Precise
Byte should ensure the security of Personal Information. Precise Byte must
never Process Personal Information beyond the customer's authorisation.
4.10.7. When Precise Byte acts as a Responsible Party or joint Responsible Party, Precise
Byte should strictly comply with paragraph 4 of this Policy. At the same time, Precise
Byte should expressly clarify the responsibilities of relevant parties in legal
documents, such as the contracts signed with customers and partners. The
reference to responsibilities includes, but is not limited to:
4.10.7.1. which party is responsible for notifying
Data Subjects of the Processing of their Personal Information;
4.10.7.2. which party is responsible for obtaining
the Data Subject’s consent (where apposite) in order for their Personal
Information to be Processed;
4.10.7.3. which party is responsible for
responding to Data Subjects’ complaints and requests for access to their
Personal Information, if necessary and/or required.
4.10.8. If a customer's instruction violates applicable laws, regulations or the Basic
Principles on Privacy Protection and Personal Information Processing of Precise
Byte, as set out in this Policy or any other privacy protection communication
sent out by Precise Byte, Precise Byte should reject the customer's
instruction.
4.10.9. In the employee domain, the Human Resource Mgmt Dept is responsible for
end-to-end employee Privacy protection. Employees' Personal Information should
be Processed in accordance with the abovementioned principles and in compliance
with POPI and other relevant laws.
4.10.10. The Admin Dept. is responsible for taking measures to protect visitors’
Personal Information and flowing down privacy requirements to suppliers (i.e.
receptionists).
4.10.11. The Procurement Dept is responsible for imposing Privacy protection obligations
and responsibilities, which include but are not limited to meeting
certification requirements, incorporating legal terms into contracts and
monitoring implementation, on suppliers and improving suppliers' levels of
privacy protection.
4.10.12. The Supply Chain Mgmt Dept is responsible for taking reasonable measures to
protect Personal Information associated with supply centers and to prevent
Personal Information breaches.
4.10.13. The Public Affairs and Communications Dept (PACD) is responsible for delivering
key messages about Precise Byte’s privacy compliance in response to government
and media enquiries.
4.10.14. Directors of relevant business departments at all levels are primarily
responsible for ensuring the implementation of privacy protection practices,
requirements and policies within business departments under their charge.
5. Response to Personal Information security breach incidents:
5.1. In compliance with Condition
7, if Precise Byte obtains knowledge of an actual or suspected Personal
Information security breach incident, Precise Byte shall perform an internal
investigation and take appropriate remedial measures, as soon as reasonably
possible.
5.2. If there are reasonable
grounds to believe that a security breach occurred and it is required by
applicable law, Precise Byte’s authorised representative/s should notify the
competent regulatory authority, the Data Subject and any affected stakeholders
in a manner and within the time period required by law.
6. Direct Marketing
Personal Information of Data
Subjects will only be Processed for Direct Marketing purposes, in compliance
with relevant legislation, including POPI.
7. Audit and Accountability:
7.1. The Audit Dept. is
responsible for auditing how well business departments implement this Policy.
7.2. Any Precise Byte
employee who acts in contravention of this Policy may be subjected to
disciplinary action within Precise Byte and the employee may also be subjected
to civil or criminal proceedings if his or her conduct is in breach of
applicable laws or regulations.
8. Policy Hierarchy
This Policy is the basis for Precise
Byte’s privacy protection practice. Each department can apply additional
privacy protection compliance requirements, based on applicable laws and
regulations.
9. Conflicts of Law
This Policy is intended to
comply with the applicable laws and regulations of South Africa, including
POPI, or any other applicable jurisdiction (the “Applicable Laws”). In the
event of any conflict between this Policy and Applicable Laws, the latter shall
prevail.
10. Interpretation and Maintenance
The Information Officer of Precise
Byte is responsible for interpreting and maintaining this Policy.
11. Date of Validity
This policy takes effect on
the day it is issued.
12. Definitions
12.1. Anonymisation:
irreversibly de-identifying Personal Information such that the person cannot be
identified, by using reasonable time, cost and technology, either by the
Responsible Party or by any other person (also known as
de-identification);
12.2. Child / Children: means
a natural person under the age of 18 (eighteen) years old and who is not
legally competent to take certain actions;
12.3. Data Subject: means the
natural or juristic person to whom Personal Information relates;
12.4. Direct Marketing: means
to approach a Data Subject, either in person or by mail or electronic
communication, for the direct or indirect purpose of -
12.4.1. promoting or offering to supply, in the ordinary course of business, any goods
or services to the Data Subject; or
12.4.2. requesting the Data Subject to make a donation of any kind for any reason;
12.5. IO: means the
information officer appointed as such by Precise Byte in terms of section 56 of
POPI and who will have the ultimate responsibility to ensure that Precise Byte
complies with the provisions of POPI;
12.6. Operator: means a
person who Processes Personal Information for a Responsible Party in terms of a
contract or mandate, without coming under the direct authority of that party;
12.7. Personal Information:
means information relating to an identifiable, living, natural person, and
where it is applicable, an identifiable, existing juristic person, including,
but not limited to:
12.7.1. information relating to the race, gender, sex, pregnancy, marital status,
national, ethnic or social origin, colour, sexual orientation, age, physical or
mental health, wellbeing, disability, religion, conscience, belief, culture,
language and birth of the person;
12.7.2. information relating to the education or the medical, financial, criminal or
employment history of the person;
12.7.3. any identifying number, symbol, email address, physical address, telephone
number, location information, online identifier or other particular assignment
to the person;
12.7.4. the biometric information of the person;
12.7.5. the personal opinions, views or preferences of the person;
12.7.6. correspondence sent by the person that is implicitly or explicitly of a private
or confidential nature or further correspondence that would reveal the contents
of the original correspondence;
12.7.7. the views or opinions of another individual about the person; and
12.7.8. the name of the person if it appears with other Personal Information
relating to the person or if the disclosure of the name itself would reveal
information about the person;
12.8. Processing/Process/Processed: means any operation or activity or any set of
operations, whether or not by automatic means, concerning Personal Information,
including: (a) the collection, receipt, recording, organisation, collation,
storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in
any other form; or (c) merging, linking, as well as restriction, degradation,
erasure or destruction of information;
12.9. Pseudonymisation: means
the Processing of Personal Information in such a manner that the Personal
Information can no longer be attributed to a specific Data Subject without the
use of additional information, provided that such additional information is
kept separately and is subject to technical and organisational measures to
ensure that the Personal Information is not attributed to an identified or
identifiable natural person. Pseudonymisation reduces, but does not completely
eliminate, the ability to link Personal Information to a Data Subject;
12.10. Responsible Party:
means a public or private body or any other person which, alone or in
conjunction with others, determines the purpose of and means for Processing
Personal Information;
12.11. Special Personal
Information: includes Personal Information concerning the religious or
philosophical beliefs, race or ethnic origin, trade union membership, political
persuasion, health or sex life or biometric information of a Data Subject; or the
criminal behaviour of a Data Subject to the extent that such information
relates to the alleged commission by a Data Subject of any offence; or any
proceedings in respect of any offence allegedly committed by a Data Subject or
the disposal of such proceedings.