POPI Information Processing Policy

The aim of the Information and record retention and disposal policy is to establish a framework and set out the guiding principles and the efforts of The GM Group on the collection, storage, processing, and destruction of Personal Information.

The policy is applicable to all employees of The GM Group, and its staff members shall receive training with regards to the Protection of personal information policy. Failure to adhere to the policy will result in disciplinary action.

This Policy is aimed at documenting The GM Group’s position on the processing of Information related to any person as described under POPI.
The Policy includes The GM Group’s position on:

●     The collection of personal information
●     The recording and storage of personal information
●     The filing, collation, merging and organisation of personal information
●     The updating or modification of personal information
●     The transmission, distribution, or other dissemination of information, and
●     The restriction, degradation, erasure, or destruction of information. 

The Policy applies to the processing of personal information entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof. 

This document should be read with The GM Group’s Information processing plan for detail on implementation of the policy objectives.

PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013

The GM Group is committed to processing data in accordance with its responsibilities under the Protection of Personal Information Act. Personal information must be processed—

●     lawfully
●     in a reasonable manner that does not infringe the privacy of the data subject
●     Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.
●     Personal information may only be processed if
○    the data subject or a competent person where the data subject is a child consents to the processing.
○    processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
○    processing complies with an obligation imposed by law on the responsible party.
○    processing protects a legitimate interest of the data subject.
○    processing is necessary for the proper performance of a public law duty by a public body.
○    processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

The conditions for the lawful processing of personal information by or for a responsible party are the following:

●     "Accountability, as referred to in Section 8.
●     ‘Processing limitation’’, as referred to in sections 9 to 12.
●     "Purpose specification", as referred to in sections 13 and 14.
●     "Further processing limitation", as referred to in section 15.
●     "Information quality" as referred to in section 16.
●     "Openness" as referred to in sections 17 and 18.
●     "Security safeguards" as referred to in sections 19 to 22.
●     "Data subject participation" as referred to in sections 23 to 25.

The GM Group and its employees will act in accordance with the following principles or conditions:

Accountability

‍The GM Group is obligated to ensure compliance with the conditions for lawful processing of information, as provided for in terms of the POPI Act, and the measures that The GM Group implement to give effect to the conditions throughout its engagement with its clients, employees and other stakeholders. 

This policy shall set the principles for the personal information framework which shall include various measures, procedures, and controls to ensure that all personal information processed by The GM Group is protected.  The GM Group shall establish a function which shall be responsible for encouraging and ensuring compliance with the POPI Act and The GM Group personal information risk management and compliance framework. 

The GM Group has further implemented a Privacy Policy.

Processing limitations 

The GM Group shall process personal information in a lawful and fair manner. The GM Group shall process information for a specific reason and only adequate, relevant information which is limited to the purposes for which they are processed. Furthermore, information under The GM Group control shall only be processed with the informed consent of the data subject or for legitimate and justifiable reasons as provided for in the POPI Act. 

The GM Group shall inform its data subjects for the purpose or reasons for the collection of personal information and shall obtain written consent from the data subject. Information shall be obtained directly from the data subject unless the data subject has consented to the collection of personal information from another party or if The GM Group can demonstrate a justifiable reason for collecting information from another source as provided for in the POPI Act. 

‍The data subject has the right to withdraw consent or object to the processing of personal information and is required to do so in the prescribed manner. The GM Group shall further take special care to limit processing in respect of special information and shall in all such cases aim to comply with the conditions of Part B of the POPI Act.

Purpose specification 
‍
The GM Group shall collect personal information for a specific, explicitly defined, and lawful purpose which relates to the function or the activity of our organisation. The GM Group shall endeavor to ensure that the data subject is aware of the purpose for the collection of information to enable the data subject to make an informed decision on whether or not to disclose the personal information to our organisation. 

The GM Group may not retain personal information any longer than necessary for achieving the purpose for which we have collected or processed the information unless: 

●     We are required by law to retain information for a longer period;
●     Retention is required for lawful purposes related to our functions or activities;
●     Retention is required in terms of a contract between the data subject and The GM Group;
●     In the case of a child's personal information, a competent person has consented to the retention of the records. 

Once the personal information has been retained for the period of time mentioned above, the POPI Act requires that The GM Group:

●     Destroy or delete the record; or
●     De-identify personal data to such an extent that it cannot be reconstructed in a clear form. 

In circumstances where The GM Group is required to restrict the processing of personal data as prescribed by the POPI Act we shall only process information for the following purposes and before lifting the restriction inform the data subsequently:
‍
●     For storage purposes;
●     For purposes of proof;
●     With the consent of the data subject;
●     For the protection of another person’s rights; orIf such processing is in the public interest.

Further processing limitations 

If The GM Group wants to process the personal information further or for additional purposes, it must be compatible or in line with the purpose for which it was collected. 

To determine whether further processing is in accordance with the purpose for which it was initially collected The GM Group shall consider the following: 

●     The relationship between the purpose for which it wants to further process the information and the purpose for which the information was collected;
●     The nature of the information;
●     What are the consequences of further processing of information for the data subject;
●     The manner of how the information was collected; and
●     Our contractual obligations. 

Thus if The GM Group wants to process the information it holds further and the purpose is not compatible with the original purpose, TheGM Group shall be required to obtain consent from the data subject or demonstrate a justifiable reason as provided for in the POPI Act for further processing personal information.

Information quality 

‍The GM Group will take reasonably practicable steps to ensure that the personal information obtained from our data subjects or third parties is complete, accurate, not misleading and updated where necessary. 

As an organisation, we understand that personal information is sensitive and we have implemented reasonable measures to ensure that personal data is not modified or misused by an unauthorised person.

Openness 

The GM Group is required to maintain documentation of all processing operations under its responsibility as referred to in terms of the Promotion ofAccess to Information Act. 

The GM Group will take reasonable steps to ensure that the data subject knows that personal information about him or her is being collected; the source from which this is collected; and the purpose for which information is collected before collecting information, including the information below: 

●     The name and address of the responsible party;
●     Whether the information provided is mandatory or voluntary;
●     Consequences of failure to provide the information;
●     A law authorising or requiring the collection of information;
●     If applicable, whether the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded;
●     Recipients of the information;
●     Nature and category of the information;
●     The data subject’s right of access and the right to rectify the information collected;
●     The data subject’s right to object to the processing of personal information;The right to lodge a complaint to the InformationRegulator and the contact details of the Information Regulator.

Security safeguards 

The GM Group has the responsibility to secure the integrity and confidentiality of personal information in its possession or under its control and The GM Group shall take reasonable and appropriate technical and organisational measures to prevent the loss, damage unauthorized destruction of personal information and unlawful access to or processing of personal information. 

The GM Group shall identify all reasonably foreseeable internal and external risk to personal data under its control and establish safeguards against those risks. The GM Group will review its control measures and its effectiveness and update the safeguards in response to new risks of deficiencies in safeguards. 

In the unfortunate event that the safeguards implemented were breached or in the event that The GM Group has reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person, The GM Group will be required to notify the Information Regulator and the data subject as soon as reasonably possible after the discovery was made.  

More detailed information in respect of Security safeguards aredetailed in the Information Processing Plan.

Data subject participation 

‍A data subject has the right to request from The GM Group whether it holds personal information about the data subject and The GM Group shall provide confirmation free of charge. A data subject may further request records of personal information.  The GM Group must first establish the identity of the data subject before disclosing the information and must respond to such a request within a reasonable time period and in a form that is generally understandable. 

If there are grounds for refusal of access to records set out in PAIA The GM Group may refuse access to the information, but information that does not fall within the ambit of the exclusion in terms of PAIA must be disclosed. The GM Group shall provide the data subject with reasons for refusing to provide access to information. 

A data subject may request The GM Group to correct or delete personal information under the control or in possession of The GM Group if: 

●     The personal information is inaccurate, irrelevant, excessive, out ofdate, incomplete, misleading, or obtained unlawfully; or
●     Delete a record or personal information about the data subject which the responsible party is no longer authorised to store or retain.

Data subject information requests 

The GM Group has implemented a POPI information request policy and procedure in terms of which a data subject may make a request for information from The GM Group. Such document is available on request from the POPIInformation Officer or her Deputy.

Handling of data subject complaints 

The GM Group has implemented a Complaints resolution policy and procedure which is available on request from the POPI Information Officer or her Deputy.

The GM Group shall not process personal information concerning— 

●     the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject
●     the criminal behaviour of a data subject to the extent that such information relates to—
○    the alleged commission by a data subject of any offence
○    any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

unless the—
●     processing is carried out with the consent of a data subject.
●     processing is necessary for the establishment, exercise or defence of a right or obligation in law.
●     processing is necessary to comply with an obligation of international public law
●     processing is for historical, statistical or research purposes to the extent that—
●     the purpose serves a public interest and the processing is necessary for the purpose concerned.
●     it appears to be impossible or would involve a disproportionate effort to ask for consent.
●     and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.
●     information has deliberately been made public by the data subject.

Authorisation concerning data subject’s religious or philosophical beliefs 

A data subjects religious or philosophical may not be processed unlessthe processing is carried out by:

●      spiritual or religious organisations, or independent sections of those organisations if the information concerns data subjects belonging to those organisations or if it is necessary to achieve their aims and principles;
●      institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or
●      other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects unless they have indicated that they object to the processing.

Spiritual or religious organisations may also process personal information concerning the religion or philosophy of life of family members of the data subjects if it maintains regular contact with those family members in connection with its aims and the family members have not objected.

Under no circumstances may personal information be supplied to a third party without the consent of the data subject.

Authorisation concerning data subject’s race or ethnic origin

‍A responsible party may process information about a data subject’s race or ethnic origin if the processing of the information is carried out to:

●      To identify the data subject when it is essential for that purpose;
●      Comply with laws and other measures designed to protector advance persons, or categories of persons, disadvantaged by unfair discrimination.

Authorisation concerning data subject’s trade union membership 

It is not prohibited to process information of the data subject’s trade union membership if the information processing is done by the trade union to which the data subject belongs or the trade union federation to which the trade union belongs and if the processing is necessary to achieve the aims of the trade union or trade union federation.

The trade union or trade union federation may not without the consent of the data subject supply personal information to third parties.

Authorisation concerning data subject’s political persuasion 

Processing of personal information by or for an institution founded onpolitical principles are allowed of:

●     its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or
●     a data subject if such processing is necessary for the purposes of—
○    forming a political party;
○    participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to National or municipal elections, referendum or campaigning for a political party or cause. 

No personal information may be supplied to third parties without the consent of the data subject

Authorisation concerning data subject’s health or sex life 

In general personal information of a data subject, health or sex lifemay not be processed. However, Section 32 of the POPI Act provides authorisation for the following persons: 

●     Medical professionals, healthcare institutions or facilities or social services:
‍If such processing of personal information about a datasubjects health or sex life is necessary for the proper treatment and care ofthe data subject, or for the administration of the institution or professionalpractice concerned.

●     Insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations:
‍If the processing of the personal information by the aforementioned bodies is necessary for:
○   assessing the insured risk by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
○   the performance of an insurance or medical scheme agreement; or
○   the enforcement of any contractual rights and obligations;

●      Schools
If such processing of personal information is necessary topovide special support for pupils or making special arrangements in connectionwith their health or sex life. 

●     Public or private body managing the care of a child
‍If such processing is necessary for the performance oftheir lawful duties; 

●     Public body
‍If such processing is necessary in connection with the implementation of prison sentences or detention measures 

●     Administrative bodies, pension funds, employers or institutions working for them,
‍If such processing is necessary for the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject or there integration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

The responsible parties may only process the information subject to an obligation of confidentiality whether by virtue of office, employment, the profession of a legal provision or in terms of a written agreement, even if no such obligation exists the responsible party is nonetheless obliged to treat information as confidential unless required by law or in terms of its duties to communicate to other parties who are authorised to process such information.

Inherited characteristics of a data subject may not be processed unless it is for medical purposes or processing of the information is necessary for historical, statistical or research activity.

Authorisation concerning data subject’s criminal behaviouror biometric information 

Bodies which are charged by law with applying criminal law or responsible parties who have obtained information about the data subjects criminal behaviour or biometric information are permitted to process such information. The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.

The GM Group may not process the personal information of a child unless so authorised in terms of Section 35 of the POPI Act. 

A child “means a natural person under the age of18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him-or herself” 

‍A competent person “means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child” 

A responsible party shall be authorised or able to process personal information of a child if:

●     carried out with the prior consent of a competent person( for instance a guardian or parent);
●     necessary for the establishment, exercise or defence of a right or obligation in law;
●     necessary to comply with an obligation of international public law;
●     for historical, statistical or research purposes to the extent that is in the public interest or if it appears to be impossible to ask for consent or involved is proportionate effort to do so and guarantees are provided to ensure that processing of this nature does not affect the individual privacy of the child to a disproportionate extent;
●     personal information which has been made public by a competent person.  

Authorisation by the Regulator: 

The Regulator may, upon application by The GM Group or by notice inthe Gazette, authorise a responsible party to process personal information of children if:

●     It is in the public interest;
●     Appropriate safeguards have been established; and
●     Subject to conditions imposed.   

The last mentioned conditions that may be imposed by the Regulator are: 
‍
●     The manner in which the responsible party must provide means for the competent person to review the personal information processed and may refuse its further processing.
●     Provide notice regarding the nature of the personal information of children that is processed, how it is being processed and further processing practices;
●     How to ensure that a child is not persuaded to provide more information than necessary;
●     Establish procedures to ensure the integrity and confidentiality of the personal information from children.

Should you have any questions relating to this notice or wish to lodge a complaint relating to an interference with the protection of personal information, you can contact the Information Officer/Deputy Information Officer below.
 
‍Contact Person:             Mrs Tatenda Erica Macheka
‍Position:                         Information Officer
‍Postal Address:              PO Box 78219,Sandton, 2196
‍Physical Address:           28 Fricker Road, Illovo, 2146
‍Phone Number:             010 448 2200
‍Email Address:               info@gminvestments.co.za  

‍Contact Person:             Mr Cyril Chetty
‍Position:                         Deputy Information Officer
‍Postal Address:              PO Box 78219,Sandton, 2196
‍Physical Address:           28 Fricker Road, Illovo, 2146
‍Phone Number:             010 448 2200
‍Email Address:               info@gminvestments.co.za