Privacy Policy

Disclaimer

This document contains information confidential and proprietary to IQbusiness (Pty) Ltd
and/or its subsidiary companies (“IQbusiness Insights”). The information is intended only
for IQbusiness Insights and authorised consulting resources that are privy to the
information. The information may not be used, disclosed or reproduced without the prior
written consent of IQbusiness Insights and those so authorised may only use this
information for evaluation consistent with the authorisation. Reproduction of any section
of this document must include this notice.

Table of Contents

Overview ............................................................................................................................................................ 1
Statement of Purpose .................................................................................................................................... 1
Definitions ......................................................................................................................................................... 1
Categories of Data Subjects and their Personal Information.............................................................. 3
Categories of Recipients for Processing the PI ...................................................................................... 4
Channels Used for the Collection of Information ................................................................................... 4


Privacy Policy 1
Copyright © 2022 IQbusiness Insights
Overview

This policy details the measures that IQbusiness Insights Pty Ltd (hereinafter referred to as
“IQbusiness Insights”) is taking to proactively ensure compliance with the provisions of
POPIA. The requirements within this policy are primarily based upon the Protection of
Personal Information Act, No 4 of 2013 (hereinafter referred to as “POPIA”), as that is the key
piece of legislation covering data protection.

IQbusiness Insights as a subsidiary of the IQbusiness Group will be required to comply with
the measures that will be implemented, therefore the detail contemplated within this policy
applies to IQbusiness Insights and its affiliated companies.

Statement of Purpose

This document has been prepared to provide a policy for the safeguarding of IQbusiness
Insights’ customers’ (both internal and external) and its employee’s personal information,
compliance with relevant legislation and to serve as reference documents for internal quality
control processes.

The objectives defined in this document may in certain cases conflict with other business
objectives (such as improved efficiency and the reduction of costs). Management has
examined these conflicts and resolved that the controls set out in this policy are required to
manage the risks to IQbusiness Insights. The responsibility to ensure the protection of
Personal Information is not limited to the IT or Legal and Compliance departments but
requires the co-operation of every employee. This policy has accordingly been written with
the following goals in mind:

a) To guide the establishment and implementation of the POPIA project; and

b) To facilitate the establishment of policies, processes, and business rules to ensure the
protection of Personal Information as envisaged in POPIA.

Definitions

‘‘data subject’’ means the person to whom the Personal Information relates;

“electronic communication” means any communication of information by electronic

means;

“electronic communications systems” means all systems used by IQbusiness Insights

that enable electronic communications, including (without limitation) the Internet, voice
mail, electronic mail, and facsimiles;

“employee,” refers to a part or fulltime employee of IQbusiness Insights;

“incident” means any problem, malfunction, breach or suspected breach of information or

the compromise of an information system;

Privacy Policy 1
Copyright © 2022 IQbusiness Insights
“information” means representations of information in any form generated, sent, received,
or stored and includes:

• voice, where the voice is used in an automated transaction; and

• A stored record.

“information system” means a system for generating, sending, receiving, storing,

displaying, or otherwise processing data messages and includes electronic
communications systems;

‘‘operator’’ means a person who processes Personal Information for a responsible party in
terms of a contract or mandate, without coming under the direct authority of that party;

“Personal Information (herein after referred to as PI)” has the meaning given to it in
POPI, being information relating to an identifiable, living, natural person, and where it
is applicable, an identifiable, existing juristic person, including, but not limited to:

• information relating to the race, gender, sex, pregnancy, marital status, national,
ethnic, or social origin, colour, sexual orientation, age, physical or mental health,
well-being, disability, religion, conscience, belief, culture, language, and birth of
the person;

• information relating to the education or the medical, financial, criminal or

employment history of the person;

• any identifying number, symbol, e-mail address, physical address, telephone

number, location information, online identifier, or other particular assignment to
the person;

• the biometric information of the person;

• the personal opinions, views, or preferences of the person;

• correspondence sent by the person that is implicitly or explicitly of a private or

confidential nature or further correspondence that would reveal the contents of
the original correspondence;

• the views or opinions of another individual about the person; and

• the name of the person if it appears with other PI relating to the person or if the
disclosure of the name itself would reveal information about the person;

“policy” refers to the IQbusiness Insights POPIA Policy;

Privacy Policy 2
Copyright © 2022 IQbusiness Insights
‘‘processing’’ means any operation or activity or any set of operations, whether or not by
automatic means, concerning personal information, including:

• the collection, receipt, recording, organisation, collation, storage, updating or

modification, retrieval, alteration, consultation, or use;

• dissemination by means of transmission, distribution or making available in any other

form; or

• merging, linking, as well as restriction, degradation, erasure, or destruction of

information;

‘‘responsible party’’ means a public or private body or any other person which, alone or in
conjunction with others, determines the purpose of and means for processing
personal information.

“Special personal information” is a subcategory of PI given the highly sensitive nature of

such information. It includes information concerning a child and PI concerning the
religious or philosophical beliefs, race or ethnic origin, trade union membership,
political opinions, health, DNA, sexual life, or criminal behaviour of a data subject.

Categories of Data Subjects and their Personal Information

IQbusiness Insights may possess the following records relating to suppliers, shareholders,
partners, contractors, service providers, employees, and customers;

Entity Type PI Processed

Names of contact persons; the name of the legal entity; physical and postal
3rd Party address and contact details; financial information; registration number;
Suppliers Service founding documents; tax-related information; authorised signatories;
Providers beneficiaries; ultimate beneficial owners; shareholding information; BBBEE
information; company registration number, banking details
Name; surname, physical address, preferences, cell phone number; email;
Market Research
race; gender, ID numbers, products and services, salary range,
Participants
demographics, claim amounts.
Customer
Name; surname; cell phone number; email address ID number; banking
Representatives:
details, tax number
Natural Persons
Company Name; Contact Person Name; Contact Person Surname; Contact
Customers:
Person Email Address; Company Address
Juristic Persons
Company Postal Address

Privacy Policy 3
Copyright © 2022 IQbusiness Insights
Entity Type PI Processed
Name, surname, ID number, physical address, postal address, email
address, date of birth, salary information, race, gender, disability; marital
status, employer information, telephone numbers, bank details, next of kin,
Employees/
tax information, financial records, pregnancy; age; language; education
Directors
information; financial information; employment history; opinions; criminal
record; wellness information; medical history; pensions; Employee number;
medical aid information, UIF information, IRP 5
Names of contact persons; the name of the legal entity; physical and postal
Partners: Juristic address and contact details; financial information; registration number;
Persons / founding documents; tax-related information; authorised signatories;
Entities beneficiaries; ultimate beneficial owners; shareholding information; BBBEE
information

Categories of Recipients for Processing the PI

IQbusiness Insights may supply the PI to any party to whom IQbusiness Insights may have
assigned or transferred any of its rights or obligations under any agreement, and/or to service
providers who render the following services:

• Capturing and organising of data;

• Storing of data;
• Sending of emails and other correspondence to customers;
• Conducting due diligence checks; or
• Administration of Medical Aid and Pension Schemes.

Channels Used for the Collection of Information

Direct Collection:

IQbusiness Insights often collects information directly from data subjects through electronic
communication of any form, mainly from our website, platforms, and email, or physical
depending on the function of the organisation that requires that information to fulfil duties as
a part of daily operating procedures of that function.

User Supplied Information:

At times, the data subject volunteers their information to IQbusiness Insights. These
instances include, but are not limited to, the following:

a) Online platforms through which data subjects sign up for events and/or marketing
communications;

b) Online recruitment platforms where a data subject is an applicant for a vacancy;

Privacy Policy 4
Copyright © 2022 IQbusiness Insights
c) Online platforms through which market research participants sign up for market research
being conducted; or

d) IQbusiness Insights websites where potential clients may volunteer information to get
contact with respect to IQbusiness Insights products and/or offerings.

POPIA Compliance

Introduction

IQbusiness Insights as a registered private company and management consulting firm which
is required to meet certain legislative requirements. Some of these acts provide for the
protection of PI and POPIA provides for 8 Data Protection Information principles to comply
with to ensure the protection of all data that relates to companies, employees, and clients.
The Promotion of Access to Information Act, 2000 (hereinafter referred to as “PAIA”) provides
for access to such information and in which instances it may be refused.

Purpose

Data privacy and protection is important to IQbusiness Insights, and this policy set out the
POPIA principles to ensure the safekeeping of all Data by IQbusiness Insights and Persons/
Employees/ Parties (as applicable). This document thus applies to all Data obtained via
partners, 3rd parties, products, services, websites, and events operated by IQbusiness
Insights or by any other means.

Embedment of 8 POPIA Principles

Principle 1 - Accountability:

IQbusiness Insights will ensure that technology, structures, processes, procedures, roles,
and responsibilities will be put in place, in addition to the current controls, to create an
environment where PI is processed lawfully. This applies from the moment of collection to
any and all subsequent forms of processing.

IQbusiness Group has appointed an Information Officer who is a senior person in the
organisation and is part of the Executive Committee. IQbusiness Insights has also resolved
to appoint Deputy Information Officers who, together with the Information Officer, will be
responsible for ensuring that IQbusiness Insights has been properly informed and trained on
ensuring the safekeeping and protection of Information within the organisation and that the
required processes are implemented to ensure compliance. The Deputy Information Officers
include representatives from the subsidiaries that have been detailed. The Information Officer
and Deputies can be contacted on the below details;
Privacy Policy 5
Copyright © 2022 IQbusiness Insights
 Title Name Number Email
[email protected]
Information Officer Annalize Buck +27 11 259 4000
[email protected]
Yesthiel Singh +27 11 259 4000
[email protected]
Deputy Information Jaco Pretorius +27 11 259 4000
Officer(s)
Vanessa Mdumo +27 11 259 4000 [email protected]
Samantha-Anne
+27 11 259 4000 [email protected]
Louw

IQbusiness Insights will formulate and implement a governance framework that will give effect
to the policy statements in this document.

Principle 2 - Processing Limitation:

When processing or further processing Personal Information, IQbusiness Insights will ensure
that it is done in a lawful and reasonable manner and does not knowingly infringe on the
rights of the Data Subject.

IQbusiness Insights will only process the minimal required information to provide the service
or product to the Data Subject. No excessive information will be processed. To do this, all
business units that process PI within IQbusiness Insights will define the PI they deem
necessary to perform activities specific to their functions and ensure that no PI in excess of
this is processed.

IQbusiness Insights interpreted POPIA to imply that consent does not have to be gained
explicitly where processing PI is necessary during the course of fulfilling a contractual or
performance obligation. As interpreted, IQbusiness Insights will process PI when the
following conditions are met:

a) It is necessary to deliver the service or product required by the data subject; or

b) It is required to conclude a contract, adhere to law, comply with an obligation, or protect

a legitimate interest of the data subject.

Where consent is explicitly required as per the act, IQbusiness Insights will ensure that
operating procedures are amended to include consent as a part of the process. The
identification of processes that require consent to be embedded will be conducted by the
POPI Implementation team as a part of the implementation project.

Where consent is obtained, IQbusiness Insights will allow for a Data Subject to object to the
processing of their PI or withdraw consent initially given. IQbusiness Insights will ensure that

Privacy Policy 6
Copyright © 2022 IQbusiness Insights
this is done in the prescribed manner, on reasonable grounds relating to the Data Subject’s
situation.

If this results in IQbusiness Insights not being reasonably able to comply with its contractual
or performance obligations, IQbusiness Insights will follow the standard, reasonable business
processes to end the contractual relationship with the data subject. IQbusiness Insights
agrees that they will not process the PI where the data subject has objected to same.

PI will be collected directly from the data subject, unless:

a) Collection from other sources does not prejudice the data subject;

b) It is already from a public record;

c) The data subject consented to the collection of the information from another source;

d) The collection from another source will not prejudice the legitimate interest of the data
subject;

e) Is not reasonably achievable; or

f) In compliance with an act.

Principle 3 - Purpose Specification

IQbusiness Insights will collect PI for a specific purpose which will be defined in relation to a
function, or activity performed by IQbusiness Insights. The purposes of the collection of PI
include the following:

a) Providing consulting and/or contracting services to clients;

b) Appointing suitable consultants, whether permanent, or contracting;

c) Acquiring the services of suppliers for IQbusiness Insights as and when required;

d) Forming formal agreements with clients for the fulfilment of consulting and/or contracting
engagements; and

e) Ensuring compliance with legislation that requires specific information to be collected and
reported on.

A process will be defined and developed to set out how a Data Subject will be made aware
of the purpose for which their PI was collected.

Privacy Policy 7
Copyright © 2022 IQbusiness Insights
IQbusiness Insights will not retain any PI longer than is necessary to achieve the purpose for
which it was collected, or subsequently processed unless:

a) It is required by law: IQbusiness Insights will undertake efforts to identify retention periods
as stipulated in regulations and laws applicable to the business; or

b) IQbusiness Insights requires the record for lawful purposes related to its business
interests, functions and/or activities: In the absence of a requirement by law, IQbusiness
Insights’ functions will define purposes for retention of records for purposes related to that
function

c) The records of PI is retained for historical, statistical, or research purposes

When the records are no longer required, IQbusiness Insights will destroy and/or de-identify
the PI within a reasonable period of time. The details will be captured in the IQbusiness
Insights Data Retention and Destruction Policy.

Principle 4 - Further Processing Limitation

Where IQbusiness Insights is required to further process the information, this will be done in
line with the original purpose for which it was collected. This extends to cases where further
processing will result in a clear benefit to the data subject or a third party.

To assess whether further processing is allowed, consideration will be given to:

a) The contractual relationship between IQbusiness Insights and the data subject;

b) The consequences of further processing for the data subject; and

c) The nature of the information collected.

Further processing will be considered lawful for IQbusiness Insights, if, the information is
derived in terms of the statements hereunder:

a) It is derived from a source within the public domain;

b) It is required to avoid prejudice, required for court proceedings or to adhere to the SARS
Act;

a) It is required as a matter of national security or to prevent a real or imminent threat to

public health and safety or the data subject; or

b) For historical, statistical and research purposes and in a non-identifiable form.

Principle 5 - Information Quality

Privacy Policy 8
Copyright © 2022 IQbusiness Insights
Reasonable, practical steps will be taken by IQbusiness Insights to ensure that all information
collected is accurate, complete, not misleading, and up to date in accordance with the
purpose for which it was collected. In line with internal procedures and standard background
checks on all data subjects upon the establishment of a business relationship, as well as
standard operating procedures within individual business units where the accuracy of the
information on record is confirmed at every point of contact, after the establishment of a
business relationship.

Principle 6 – Openness

When PI is collected, IQbusiness Insights will take reasonable practical steps to make the
Data Subject aware of:

a) The PI being collected;

b) The purpose for which the PI is collected;

c) Whether the information supplied is voluntary or mandatory;

d) The consequences of failure to provide the information;

e) Whether third parties are involved in processing the information; and

f) The data subject’s rights as it pertains to:

• Access to their PI;

• Their rights to object to processing; and
• Their right to lodge a complaint with the information regulator.

The said steps include but are not limited to the inclusion of details of the abovementioned
aspects in relevant documentation issued to the customer.

Pursuant to the Openness Principle as per POPIA, IQbusiness Insights will embed channels
to make data subjects aware of the detail highlighted above, in existing, relevant business
processes as follows:

a) Online Privacy Notices: IQbusiness Insights public website and online PI collection
platforms,

b) Privacy Clauses: legal agreements with employees, suppliers, clients and other third party
service providers

c) Privacy Declarations: Ad – hoc instances, both internal and external, where PI is collected

Privacy Policy 9
Copyright © 2022 IQbusiness Insights
Principle 7 - Security Safeguards

IQbusiness Insights will implement appropriate security measures to safeguard and secure
the PI in its possession or under its control. It will undertake appropriate, reasonable technical
and organizational measures to prevent:

a) Loss, damage, or unauthorized destruction of Personal Information; and

b) Unlawful access to or processing of Personal Information.

IQbusiness Insights will not disclose or share Information relating to any Data Subject unless:

a) It is specifically agreed with the Data Subject;

b) It is already publicly available or in the interests of the public;

c) It is required in terms of Law; or

d) If IQbusiness Insights believes in good faith that the law requires disclosure thereof.

IQbusiness Insights stores Information about Data Subjects on platforms where access has
been restricted according to roles. There is appropriate monitoring and IQbusiness Insights
uses a variety of technical security measures to secure Information, including intrusion
detection and virus protection software.

Related Policy: Access Control Policy

IQbusiness Insights will secure the integrity and confidentiality of PI by taking reasonable
practical steps to:

a) Establish a Risk and Compliance Committee through which the following will be managed:

• Identification of foreseeable internal and external risks to PI under the control of

IQbusiness Insights;
• Establishment of appropriate safeguards against organisational and technology
threats that could pose risks to the privacy of PI
• Ongoing monitoring and updates of risk responses

IQbusiness Insights will ensure, with written contracts between itself and its operators or co-
responsible parties, to establish and maintain security safeguards as it applies to itself to
ensure that the operator:

a) Only processes PI under the control of IQbusiness Insights with the knowledge or
authorisation of IQbusiness Insights; and

Privacy Policy 10
Copyright © 2022 IQbusiness Insights
b) Treats the PI as confidential, unless required by law or in the course of performance of
their duties.

In certain instances, IQbusiness Insights acknowledges that it may at times act as an operator
depending on the requirements of the client engagement. In such instances, IQbusiness
Insights will maintain security safeguards as it applies to itself as well as ensuring that:

a) PI that is being processed on behalf of the client is processed with the knowledge or,
authorisation of said client; and

b) PI that is being processed on behalf of the client is treated as confidential unless required
by law, or in the course of performance of their duties

IQbusiness Insights will embed a process where, in the instance(s) that there are reasonable
grounds to believe that the PI of a data subject has been accessed, or acquired by any
unauthorised person, the regulator and the affected data subject(s) are notified as soon as
reasonably possible.

Related Policy: Incident management

IQbusiness Insights will ensure that adequate detail is provided to the affected data subjects
including, but not limited to, the following:

a) Possible consequences of the security compromise;

b) The measures that IQbusiness Insights intends to take, or has taken to address the
compromise;

c) Recommendation of any measures that the data subject can take to mitigate possible
adverse effects of the compromise; and

d) If known to IQbusiness Insights, the identity of the unauthorised person.

Principle 8 - Data Subject Participation

IQbusiness Insights recognizes the rights of a data subject who has adequately validated
their identity to gain access to their Personal Information.

IQbusiness Insights will confirm, free of charge, whether or not IQbusiness Insights holds PI
about the data subject. This process will be managed as part of the existing business-as-
usual business processes.

In the case where the data subject requests a record or description of PI held by IQbusiness
Insights, the data subject can contact the Information Officer on the details provided above.
IQbusiness Insights will ensure that the detail requested is provided:

Privacy Policy 11
Copyright © 2022 IQbusiness Insights
a) Within a reasonable time;

a) In a reasonable manner and format; and

b) In a form that is understandable.

In order to effectively manage Data Subject Participation, it will be managed via the Data
Subject Access Management process as documented in the IQbusiness Insights PAIA
manual. Any dispute or reasons for the non-supply of information will also be dealt with
through this process.

A data subject may request IQbusiness Insights to update, delete or correct information,
which is inaccurate, irrelevant, out of date, incomplete or obtained unlawfully by completing
the form request in the PAIA manual. IQbusiness Insights will take all reasonable steps to
confirm the Data Subject’s identity before making changes to the Information.

Where the deletion or change of the information will change decisions or the ability to fulfil
contractual obligations to the data subject, the data subject should be informed of this and
the resultant consequences should be clarified.

Additional POPIA Applications

Special PI and Information of Children

IQbusiness Insights will not process Special PI and Information of Children unless

a) The Processing is carried out with the Data Subject’s Consent, or in the case of children,
with the prior consent of a competent and legally authorised person;

b) Processing is necessary for the establishment, exercise, defence of a right or Regulatory

Requirement; or

c) Processing is necessary to comply with international public law;

d) The Processing is for historical, statistical or research purposes to the extent that:

i. It serves a public interest and is necessary for the Purpose concerned; or

ii. It appears to be impossible or would involve a disproportionate effort to ask for
consent and enough guarantees are provided, to ensure that the Processing does
not adversely affect the individual privacy of the Data Subject to a disproportionate
extent.

Privacy Policy 12
Copyright © 2022 IQbusiness Insights
Direct Marketing

IQbusiness Insights will gain consent from the data subject in order to market directly to the
data subject. This relates to all forms of electronic communication and channels for the
purpose of direct marketing including the following:

a) Automatic calling machine

b) SMS, email, and other forms of electronic communication

IQbusiness Insights may approach a data subject to obtain their consent to market directly if
they have not previously withheld consent before. In the instance that IQbusiness Insights
directly markets to a data subject who is a customer of IQbusiness Insights, IQbusiness
Insights must ensure the following:

a) Contact details were obtained in the context of the sale of a IQbusiness Insights product,
or service;

b) The purpose of the marketing is of IQbusiness Insights’ similar products or services;

c) The data subject has been given a reasonable opportunity to object, free of charge and
in a manner free of unnecessary formality, at the time the information was collected, or
on the occasion of each communication, if the data subject had not initially objected to
such communication.

Where a data subject withdraws their consent for direct marketing, IQbusiness Insights will
add them to a list of data subjects that have opted out of marketing communication and will
cease to continue direct marketing to the data subjects on the opt out list.

Transborder Information Flows

At times, IQbusiness Insights may transfer data containing PI to third parties outside of the
Republic for purposes of processing. In the instances that IQbusiness Insights transfers this
information, IQbusiness Insights will ensure the following:

a) The third-party who is the recipient of the information is subject to a law, binding corporate
rules and/or binding agreement which provides an adequate level of protection;

b) The data subject consents to such transfer;

c) The transfer is necessary for the performance of a contract between the data subject and
IQbusiness Insights;

d) The transfer is necessary for the conclusion, or performance of a contract concluded in

the interest of the data subject between IQbusiness Insights and the third party; or
Privacy Policy 13
Copyright © 2022 IQbusiness Insights
e) The transfer is for the benefit of the data subject.

POPIA Compliance Management processes

The Information Officer, as the party responsible for ensuring IQbusiness Insights’
compliance with POPIA, must develop and implement a POPIA Compliance Management
process and it is recommended that such process include:

a) The development of a PI lifecycle including acquisition, processing, retention, and

destruction practices;

b) The development of reasonable and appropriate measures to ensure ongoing compliance

including but not limited to self-assessments, health-checks, and formal audits; and

c) The development of a dashboard for POPIA compliance

Employee Training and Awareness

A series of training and awareness programmes have been developed that includes:

1. Fulfilling the training requirements as per POPIA;

2. Training of new recruits as part of the onboarding programme and

3. Special needs training such as the IO/DIO roles.

Privacy Policy 14
Copyright © 2022 IQbusiness Insights