LEVI STRAUSS SOUTH AFRICA PROPRIETARY LIMITED

DEFINITIONS AND INTERPRETATION

Company means Levi Strauss South Africa Proprietary Limited (registration number 1994/009168/07);

Conditions for Lawful Processing means the conditions for the lawful Processing of Personal Information as fully set out in POPIA and in section 13 of this Manual;

Customer means any natural or juristic person that received or receives services or products from the Company;

Data Subject has the meaning ascribed thereto in section 1 of POPIA and includes both natural persons and juristic persons;

Employee means any person who works for, or provides services to or on behalf of the Company, and receives or is entitled to receive remuneration, which includes, without limitation, directors, permanent, temporary and part-time staff;

Information Officer means such person that has been registered as the information officer with the Information Regulator in accordance with POPIA, being Oliver Cloete, or such other person who is appointed as information officer from time to time;

Manual means this manual prepared in accordance with section 51 of PAIA;

PAIA means the Promotion of Access to Information Act 2 of 2000, as amended or replaced from time to time;

Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

POPIA means the Protection of Personal Information Act 4 of 2013, as amended or replaced from time to time;

POPIA Regulations means the regulations promulgated in terms of section 112(2) of POPIA;

Private Body means-

(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;

(b) a partnership which carries or has carried on any trade, business or profession; or

(c) any former or existing juristic person, but excludes a public body;

Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including-

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

Record of, or in relation to, a public or Private Body, means any recorded information-

(a) regardless of form or medium;

(b) in the possession or under the control of that public or Private Body, respectively; and

(c) whether or not it was created by that public or Private Body, respectively;

Requester, in relation to a Private Body, means any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that Private Body or any person acting on behalf of such person;

Request for Access, in relation to a Private Body, means a request for access to a Record of a Private Body in terms of section 50 of PAIA;

Responsible Party means a public or Private Body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information; and

Special Personal Information means Personal Information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour.

Capitalised terms used in this Manual have the meanings ascribed thereto in section 1 of POPIA and PAIA as the context specifically requires, unless otherwise defined herein.

PREAMBLE

Promotion of Access to Information Act, 2000

2.1 The Promotion of Access to Information Act 2000 gives effect to the section 32 Constitutional right of access to information held by the State and any information that is held by another person that is required for the exercise and protection of any rights and to provide for matters connected therewith. Where a request is made in terms of PAIA and the requester demonstrates why the information is required to exercise or protect a legal right, the body to which the request is made is obliged to give access to the requested information, except where PAIA expressly provides that the information may or must not be released. It is important to note that PAIA recognises certain limitations to the right of access to information including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient and good governance in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.

Protection of Personal Information Act, 2013

2.2 The Protection of Personal Information Act 4 of 2013 promotes the protection of Personal Information processed by public and private bodies, inducing certain conditions so as to establish minimum requirements for the processing of Personal Information. POPIA amended certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of Personal Information by providing for the establishment of an Information Regulator to exercise certain powers and perform certain duties and functions in terms of POPIA and in terms of PAIA, providing for the issuing of codes of conduct and providing for the rights of persons regarding unsolicited electronic communications and automated decision making in order to regulate the flow of Personal Information and to provide for matters concerned therewith.

2.3 PAIA came into operation on 23 November 2001 and POPIA came into effect on 1 July 2020, subject to a 12-month grace period which ended on 30 June 2021. The Company is a Private Body as defined in PAIA. Section 51 of PAIA requires that the Company, as a Private Body, compiles a manual giving information to the public regarding the procedure to be followed when requesting information from the Company for the purpose of exercising or protecting rights.

2.4 The Manual is not exhaustive of, nor does it comprehensively deal with, every procedure provided for in PAIA and POPIA. Requesters are advised to familiarise themselves with the provisions of PAIA and POPIA before making any request to the Company in terms of PAIA and POPIA.

2.5 This Manual is available for public inspection:

   (a) at the physical address of the Company, free of charge; and

   (b) on the Company website, free of charge; and

   (c) on request by any person (along with payment of a prescribed fee).

2.6 The Manual is available from the designated Information Officer, whose details appear in 5 clause 4 below.

2.7 Nothing stated in this Manual shall limit, or constitute a waiver of, any of the rights of the Requester or the Company in terms of PAIA and POPIA.

2.8 The Company makes no representation and gives no undertaking or warranty that the information in this Manual or any other information provided by us to a Requester is complete or accurate, or that such information is fit for any purpose. All users of any such information shall use such information entirely at their own risk, and the Company shall not be liable for any loss, expense, liability or claims, of whatsoever nature or howsoever arising, resulting from any use of this Manual or any other information provided in this Manual or from any error therein.

INTRODUCTION TO THE COMPANY

3.1 Levi Strauss & Co. is one of the world's largest brand-name apparel companies and a global leader in jeanswear, Levi Strauss & Co. designs and markets jeans, casual wear and related accessories for men, women, and children.

3.2 The Company has compiled this Manual, not only to comply with the provisions of PAIA and POPIA, but also to foster a culture of transparency and accountability in our environment and to ensure that members of the public have effective access to information in the Company's possession which will assist them in the exercise and protection of their rights. Where information requested is not immediately available we will endeavour to make it available in a timely manner insofar as that is reasonably practicable in the circumstances.

3.3 This Manual sets out the procedure to be followed to facilitate a request to access to information as well as the following information:

   (a) the categories of Records held by the Company which are available without a person having to submit a formal PAIA request;

   (b) the purpose of the Processing of Personal Information;

   (c) the process for making a Request for Access to a Record of the Company;

   (d) the categories of Data Subjects and of the information or categories of information relating thereto;

   (e) a description of the Records of the Company which are available in accordance with any other legislation;

   (f) the contact details of the Information Officer who will assist the public with the Records they intend to access;

   (g) a description of the guide on how to use PAIA, as updated by the Information Regulator and how to obtain access to the guide;

   (h) the recipients or categories of recipients to whom Personal Information may be supplied;

   (i) any planned transborder flows of Personal Information;

   (j) a general description of the security measures implemented by the Company to ensure the confidentiality, integrity and availability of the information which is to be processed.

OUR DETAILS

Full name: Levi Strauss South Africa Proprietary Limited

Registration number: 1994/009168/07

Registered address: 4 Bree Street 17th Floor Portside Building Cape Town Western Cape 8001

Business address: 4 Bree Street 17th Floor Portside Building Cape Town Western Cape 8001

Postal address: P O Box 7314 Roggebaai Western Cape 8012

Telephone number: +27 21 403 9416 (landline) +27 82 528 7935

Information Officer: Oliver Cloete

Email address of Information Officer: [email protected]

THE OFFICIAL GUIDE

5.1 The Information Regulator has in terms of section 10(1) of PAIA amended, updated and made available a revised guide containing information reasonably required by a person wishing to exercise any right in terms of PAIA and POPIA (Guide).

5.2 The Guide is available in each of the official languages and in braille.

5.3 The Guide that has been published contains the following information:

   (a) the objects of PAIA and POPIA;

   (b) the postal and street address, phone and fax number, and if available, the electronic mail address of the Information Officer of:

      (i) every public body; and

      (ii) every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA and section 56 of POPIA;

   (c) the manner and form of a Request for Access to:

      (i) a Record of a public body; and

      (ii) a Record held by a Private Body;

   (d) assistance available from the Information Officer of a public body in terms of PAIA and POPIA;

   (e) the assistance available from the Information Regulator in terms of PAIA and POPIA;

   (f) all remedies in law regarding an act or an omission in respect of a right or duty conferred or imposed by PAIA and POPIA including how to lodge an internal appeal, a complaint to the Information Regulator and a court application;

   (g) the requirements for a public body and Private Body, respectively, to compile a Manual, and how to obtain access to a Manual;

   (h) the voluntary disclosure of categories of records by a public body and Private Body, respectively;

   (i) the notices issued in terms of sections 22 and 54 of PAIA regarding fees to be paid in relation to Requests for Access; and

   (j) the regulations made in terms of section 92 of PAIA.

5.4 A copy of this Guide is available for inspection upon request to the Information Officer of the Company during normal working hours. It is also on the Information Regulator's website.

CATEGORIES OF INFORMATION AVAILABLE IN TERMS OF PAIA

We hold the following categories of information which will be available for inspection in terms of PAIA.The procedure in terms of which such Records may be requested from the Company is set out in Section 10 of this Manual. The Records listed below will not in all instances be provided to a Requester who requests them in terms of PAIA as the Requester is required to identify the right the Requester is seeking to exercise or protect and provide an explanation of why the requested Record is required for the exercise or protection of that right. Furthermore, the request may be denied on the basis of the grounds of refusal under PAIA.

Categories of Records and description of Records held:

   (a) Statutory information/Records

      (i) Records of Minutes, as well as Resolutions passed (where applicable);

      (ii) Memorandum & Articles of Association, copies of all CK and/or CM forms lodged with the CIPC;

      (iii) Directors attendance register;

      (iv) Combined computerised register

   (b) Financial Records (where applicable)

      (i) Tax Records;

      (ii) Debtors’ Records;

      (iii) Creditors’ Records;

      (iv) Insurance Records;

      (v) Auditors’ Reports;

      (vi) Interim and annual financial statements

      (vii) Bank statements and other banking records;

      (viii) Invoices issued in respect of debtors and billing information;

      (ix) Records regarding the Company’s financial commitments

   (c) Accounting Records

      (i) Books of account including journals and ledgers

      (ii) Delivery notes, orders, invoices, statements, receipts and vouchers.

   (d) Taxation Records

      (i) Employee tax information;

      (ii) Company tax information.

   (e) Statutory Employee Records including internal policies and procedures

      (i) Personnel Records of Employees;

      (ii) Conditions of employment;

      (iii) Employment contracts;

      (iv) Employment policies and procedures;

      (v) Salary and wage register and other payroll Records;

      (vi) Registrations with Department of Labour, Unemployment Insurance Fund, Compensation Fund and in terms of the Skills Development Levies Act;

      (vii) Records of Unemployment Insurance Fund contributions;

      (viii) Records relating to employee benefits;

      (ix) Health and safety Records;

      (x) Workplace skills plans and training Records; and

      (xi) Other internal Records.

   (f) Agreements and contracts

      (i) All agreements of a material nature.

   (g) Administration, secretarial and legal Records (where applicable)

      (i) Complaints, pleadings, briefs and other documents pertaining to any actual, pending or threatened litigation, arbitration or investigation;

      (ii) Shareholder Records;

      (iii) Share register;

      (iv) Minutes of meetings of directors;

      (v) Records relating to the incorporation of the Company;

      (vi) Minutes of meetings of committees and sub-committees;

      (vii) Powers of Attorney;

      (viii) Records of litigation / arbitration proceedings;

      (ix) Title deeds;

      (x) Mortgage bonds;

      (xi) Trade mark, copyright, patent, service mark certificates and registrations;

      (xii) Material licences, permits and authorisations.

   (h) Insurance

      (i) Insurance policies;

      (ii) Claim Records;

      (iii) Details of insurance coverage, limits and insurers.

   (i) Information Technology

      (i) Hardware;

      (ii) Operating systems and other operational Records;

      (iii) Telephone and other lines;

      (iv) Software packages;

      (v) Agreements;

      (vi) Support and maintenance agreements;

      (vii) User manuals and licences.

   (j) Sales, advertising, promotional and marketing materials;

   (k) Databases;

   (l) Records pertaining to health and safety and the environment.

INFORMATION AVAILABLE IN TERMS OF OTHER LEGISLATION

The Records listed below will not in all instances be provided to a Requester who requests them in terms of PAIA as the Requester is required to identify the right the Requester is seeking to exercise or protect and provide an explanation as to why the requested Record is required for the exercise or protection of that right. Furthermore, the request may be denied on the basis of the grounds of refusal under PAIA.

The abovementioned Acts, as amended, apply and the list is not exhaustive.

INFORMATION AUTOMATICALLY AVAILABLE

8.1 The following categories of Records are automatically available for inspection, purchase or photocopying

8.2 Request forms for these categories of information are also available from the Company's Information Officer, whose contact details appear in section 1 of this Manual:

   (a) General information pertaining to the Company;

   (b) Services information and brochures;

   (c) Newsletters.

SUBJECTS, CATEGORIES AND DESCRIPTION OF INFORMATION HELD

Please note that the Records listed in sections 6 and 7 above are not automatically available, and the process outlined in PAIA in respect of access to information must be followed.

PROCEDURE FOR REQUESTING ACCESS TO INFORMATION IN TERMS OF PAIA

10.1 A request must comply with all the procedural requirements as contained in section 53 of PAIA relating to a Request for Access to a Record. These procedural requirements are set out in this section.

10.2 If a Requester wishes to request access to any of the aforementioned categories of information, s/he is required to complete a request form as set out in annexure "A" hereto. These forms are also available from the Company's Information Officer (whose contact details are in section 4 of this Manual).

10.3 In certain instances there is a prescribed fee (payable in advance where applicable) for requesting and accessing information in terms of PAIA. Details of these fees are contained in the request form. A Requester may also be called upon to pay the additional fees prescribed by regulation for searching for and compiling the information that is requested, including copying charges.

10.4 In terms of 54(3)(b) of PAIA a Requester may lodge a complaint with the Information Regulator (in accordance with Annexure I attached hereto) or make an application with a court against the tender or payment of the request fee or the tender or payment of a deposit, as the case may be.

10.5 It is important to note that access is not automatic – the Requester must identify the right he/she/it is seeking to protect and explain why the Record requested is required for the exercise or protection of that right. The Request for Access form must be completed with enough particularity to at least enable the Information Officer to identify the following:

   · The Record/s requested;

   · The identity of the Requester;

   · The form of access that is required, if the request is granted;

   · The postal address or fax number of the Requester; and

   · The right that the Requester is seeking to protect and an explanation as to why the Record is necessary to exercise or protect such a right.

10.6 The Requester will be notified in the manner indicated by him/her/it on the Request for Access form whether or not his/her/its request has been approved.

10.7 The completed request must be submitted, together with the prescribed fee where applicable, to the Information Officer at the postal or physical address or electronic mail address recorded in section 4 above.

10.8 Timeline for processing request and extension of prescribed time period

   (a) The Company will process the Request for Access within 30 days of receipt of the Request for Access, unless the Request for Access is of such a nature that an extension of the prescribed time limit is necessitated in accordance with section 57 of PAIA. In the case of an extension of the time limit, the Requester has the right to lodge a complaint with the Information Regulator by following the process and completing the form prescribed by POPIA and annexed hereto as Annexure I. The Requester may also make an application with a court against the refusal of the request.

   (b) If, in addition to a written reply from the Information Officer, the Requester wishes to be informed of the decision on the Request for Access in any other manner, the Requester must state the manner and the particulars so required.

   (c) If a Request for Access is made on behalf of another person, the Requester must submit proof of the capacity in which the Requester is making the request to the reasonable satisfaction of the Information Officer.

   (d) If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally.

   (e) The prescribed fee for reproduction of the Record requested by a Personal Requester will be charged in accordance with PAIA.

   (f) If the search for a Record of the Company in respect of which a Request for Access by a Requester has been made; and the preparation of that Record for disclosure would, in the opinion of the Information Officer, require more than the hours prescribed for this purpose for Requesters, the Information Officer must by notice require the Requester to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable should the request be granted.

   (g) The Requester may lodge a complaint with the Information Regulator against the tender of the request fee or the tender or payment of a deposit, as the case may be.

10.9 Third parties

      If the Requester's interest affects a third party then the Company will first need to inform the third party within 21 days of receiving the request and the third party will have 21 days to make representations and/or submissions regarding the granting of access to the Record. If the Information Officer does decide to grant access to the Record after considering these submissions, the third party that has been affected has 30 days in which to appeal the decision in the High Court or to lodge a complaint with the Information Regulator in the prescribed form. If no appeal or complaint is lodged within 30 days, the Requester must be granted access to the Record.

GROUNDS FOR REFUSAL

11.1 There are various grounds upon which the Company may or must refuse a Request for Access to a Record in accordance with Chapter 4 of PAIA. They are:

   (a) the protection of Personal Information of a third person (who is a natural person, including a deceased person) from unreasonable disclosure (section 63 of PAIA);

   (b) the protection of commercial information of a third party if the Records contain trade secrets, financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party (section 64 of PAIA);

   (c) if the disclosure would result in the breach of a duty of confidence owed to a third party (section 65 of PAIA);

   (d) if the disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person (section 66 of PAIA);

   (e) if the Record was produced during legal proceedings, unless that legal privilege has been waived (section 67 of PAIA);

   (f) if the Record contains trade secrets, financial or sensitive information or any information that would put the private body at a disadvantage in negotiations or prejudice it in commercial competition (section 68 of PAIA);

   (g) if the Record contains information about research being carried out or about to be carried out on behalf of a third party (section 69 of PAIA).

11.2 Section 70 of PAIA contains an overriding provision. Disclosure of a Record that has been requested is compulsory if it would reveal a substantial contravention of, or failure to comply with the law, or imminent and serious public safety or environmental risk and the public interest in the disclosure of the Record clearly outweighs the harm contemplated by its disclosure.

11.3 Records that cannot be found
If all reasonable steps have been taken to find a Record requested and there are reasonable grounds for believing that the record:

   (a) is in the Private Body's possession but cannot be found; or

   (b) does not exist,

the Head of the Private Body must, by way of affidavit or affirmation, notify the Requester that it is not possible to give access to that Record. The Company will include information regarding the steps that were taken to try to locate the Record.

THE INFORMATION OFFICER'S DECISION AND REQUESTER'S RECOURSE

12.1 Once the Information Officer has heard all the submissions, he or she will make a decision as to whether or not access to the Record will be granted. If access is granted the Requester must then be granted access to the Record within 30 days of being informed of the decision.

12.2 The Requester is entitled to receive proper reasons as to why the request was refused.

12.3 If the Information Officer does not grant the Requester access to the Record the Requester is entitled in accordance with sections 56(3)(c) and 78 of PAIA to apply to a court for relief within 180 days of notification of the decision. Such relief may include any order compelling the Record or Records requested to be made available to the Requester or for another appropriate order. The court will determine whether the Records should be made available or not. The Requester may also lodge a complaint with the Information Regulator against the refusal of the request in accordance with Annexure I attached hereto.

The Requester may approach the Information Regulator and lodge a complaint in accordance with section 74 of POPIA in the prescribed form (see Annexure I attached hereto) against the access fee to be paid or the form of access granted. The details of the Information Regulator are as follows:

The Information Regulator (South Africa)
JD House
27 Stiemens Street
Braamfontein
Johannesburg
2001
Email: [email protected]

12.4 The Company does not have any internal appeal procedures. As such, the decision made by the Information Officer is final and Requesters will have to exercise the external remedies at their disposal in the event that a Request for Access is refused.

PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY THE COMPANY

13.1 Conditions for Lawful Processing

Chapter 3 of POPIA sets out the Conditions for Lawful Processing of Personal Information which must be complied with when a Responsible Party Processes Personal Information. Below is a description of the eight Conditions for Lawful Processing as contained in POPIA:

    a) Accountability

   POPIA provides that the Responsible Party is obliged to ensure that the Conditions for Lawful Processing and all other measures required in terms of POPIA are complied with.

   b) Processing limitation

   The Processing must be done lawfully and in a manner that does not infringe the right to privacy of a Data Subject. Personal Information may only be Processed if, given the purpose for which it is Processed, it is adequate, relevant and not excessive. There must furthermore be a justification for Processing Personal Information. Consent is one of the justifications but Personal Information may be Processed in the absence of consent if it is necessary for pursuing the legitimate interests of the Responsible Party or the third party to whom it is disclosed or for the protection of the legitimate interests of the Data Subject. It may also be Processed if it complies with an obligation imposed by law or where it is necessary for the performance of a contract. The Processing of Special Personal Information or Personal Information of children generally requires consent, subject to certain limited exceptions.

   c) Purpose specification

   POPIA provides that Personal Information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the Responsible Party. Subject to certain exceptions, Records of Personal Information must not be retained for longer than is necessary to achieve the purpose for which it was collected or subsequently Processed, and must be destroyed or deleted once the Responsible Party is no longer authorised to retain the Record. Such exceptions include where (i) the retention is required or authorised by law, (ii) the Data Subject has consented to the retention, or (iii) the Personal Information is being retained for historical, statistical or research purposes.

   d) Further Processing Limitation

   POPIA provides that the further Processing of Personal Information must be in accordance with or compatible with the purpose for which the Personal Information was collected.

   e) Information quality

   A Responsible Party must take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and updated where necessary.

   f) Openness

   A Responsible Party is required to maintain the documentation of all Processing operations under its responsibility as required in terms of PAIA and must take reasonably practicable steps to ensure that the Data Subject is made aware of the Personal Information being collected, together with other stipulated information, subject to certain exceptions.

   g) Security safeguards

   POPIA provides that a Responsible Party must secure the integrity and confidentiality of Personal Information in its possession or under its control by implementing appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of Personal Information, or unlawful access to or Processing of Personal Information. In addition, the Responsible Party should take all reasonable measures to identify all reasonably foreseeable internal and external risks, establish and maintain appropriate safeguards against risks identified, verify that the safeguards are effectively implemented and ensure that the safeguards are updated in response to new risks.

   h) Data subject participation

   A Data subject is entitled to request a Responsible Party to confirm whether or not it holds Personal Information about the Data Subject, and to request the Record itself or a description of the Record, subject to the requirements in PAIA. A Data Subject may also request a Responsible Party to correct or delete Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or to destroy or delete personal information that a Responsible Party is no longer authorised to retain.

13.2 Purpose of the Processing of Personal Information by the Company

   The purposes for which the Company Processes or will Process Personal Information are set out in Annexure C.

13.3 Categories of Data Subjects and Personal Information/Special Personal Information relating thereto

   As per section 1 of POPIA, a Data Subject may either be a natural or a juristic person. The categories of Data Subjects in relation to which the Company Processes Personal Information are set out in Annexure D

13.4 Recipients or categories of recipients of Personal Information

   The following are the recipients to whom the Company may provide a Data Subject's Personal Information:

   a) third party business partners;

   b) payroll service providers;

   c) accountancy firms;

   d) tax authorities (i.e. the South African Revenue Service);

   e) banks;

   f) insurance companies;

   g) professional service providers;

   h) companies within the LS&CO group of companies;

   i) IT service providers;

   j) benefit providers;

   k) storage facility providers;

   l) airlines, hotels and travel agents;

   m) cloud service providers;

   n) third-party applications or platforms;

   o) other third party service providers;

   p) data analytics advisors; and

   q) market research companies.

13.5 Cross-border flows of Personal Information

   Section 72 of POPIA provides that Personal Information may only be transferred by a Responsible Party to a third party in a foreign country outside of the Republic of South Africa in the following circumstances:

   (a) If the third party who is the recipient of the Personal Information is subject to a law, binding corporate rules or a binding agreement which provide an adequate level of protection that effectively upholds principles similar to the Conditions for Lawful Processing under POPIA, including provisions relating to the further transfer of Personal Information from the recipient to third parties who are in a foreign country; or

   (b) If the Data Subject consents to the transfer of their Personal Information; or

   (c) If the transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or

   (d) If the transfer is necessary for the conclusion or performance of a contract between the Responsible Party and a third party, concluded in the interests of the Data Subject; or

   (e) If the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.

Annexure E contains a list of the planned cross-border transfers of Personal Information and the justification for such transfers.

The Company ensures that there is a justification under POPIA when it transfers Personal Information to third parties in countries that do not have adequate data protection laws similar to POPIA.

Description of information security measures to the implemented by the Company

The types of security measures implemented by the Company in order to secure the integrity and confidentiality of the Personal Information and ensure that Personal Information is protected from loss, damage, unauthorized destruction or unlawful access are listed in Annexure F hereto.

Objection to the Processing of Personal Information by a Data Subject

Section 11(3) of POPIA and Regulation 2 of the POPIA Regulations provides that a Data Subject may object to Processing in the prescribed form attached as Annexure G to this Manual where the Processing is based on one of the following grounds, unless legislation provides for such Processing:

• Processing protects a legitimate interest of the Data Subject;
• Processing is necessary for the proper performance of a public law duty by a public body;
• Processing is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom it is supplied;
• Processing is for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69 of POPIA.

13.6 Request for correction or deletion of Personal Information

Section 24 of POPIA and Regulation 3 of the POPIA Regulations provides that a Data Subject may request for their Personal Information to be corrected/deleted in the prescribed form attached as Annexure H to this Manual.