LEVI STRAUSS SOUTH AFRICA PROPRIETARY LIMITED

Registration Number: 1994/009168/07




PAIA MANUAL

Manual in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000

  1. DEFINITIONS AND INTERPRETATION

    Company means Levi Strauss South Africa Proprietary Limited (registration number 1994/009168/07);

    Conditions for Lawful Processing means the conditions for the lawful Processing of Personal Information as fully set out in POPIA and in section 13 of this Manual;

    Customer means any natural or juristic person that received or receives services or products from the Company;

    Data Subject has the meaning ascribed thereto in section 1 of POPIA and includes both natural persons and juristic persons;

    Employee means any person who works for, or provides services to or on behalf of the Company, and receives or is entitled to receive remuneration, which includes, without limitation, directors, permanent, temporary and part-time staff;

    Information Officer means such person that has been registered as the information officer with the Information Regulator in accordance with POPIA, being Byron Grant;

    Manual means this manual prepared in accordance with section 51 of PAIA;

    PAIA means the Promotion of Access to Information Act 2 of 2000, as amended or replaced from time to time;

    Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-

    (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

    (b) information relating to the education or the medical, financial, criminal or employment history of the person;

    (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

    (d) the biometric information of the person;

    (e) the personal opinions, views or preferences of the person;

    (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

    (g) the views or opinions of another individual about the person; and

    (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

    POPIA means the Protection of Personal Information Act 4 of 2013, as amended or replaced from time to time;

    POPIA Regulations means the regulations promulgated in terms of section 112(2) of POPIA;

    Private Body means-

    (a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;

    (b) a partnership which carries or has carried on any trade, business or profession; or

    (c) any former or existing juristic person, but excludes a public body;

    Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including-

    (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

    (b) dissemination by means of transmission, distribution or making available in any other form; or

    (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

    Record of, or in relation to, a public or Private Body, means any recorded information-

    (a) regardless of form or medium;

    (b) in the possession or under the control of that public or Private Body, respectively; and

    (c) whether or not it was created by that public or Private Body, respectively;

    Requester, in relation to a Private Body, means any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that Private Body or any person acting on behalf of such person;

    Request for Access, in relation to a Private Body, means a request for access to a Record of a Private Body in terms of section 50 of PAIA;

    Responsible Party means a public or Private Body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;

    SAHRC means the South African Human Rights Commission; and

    Special Personal Information means Personal Information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour.

    Capitalised terms used in this Manual have the meanings ascribed thereto in section 1 of POPIA and PAIA as the context specifically requires, unless otherwise defined herein.

  2. PREAMBLE

    2.1 PAIA came into operation on 23 November 2001 and POPIA came into effect on 1 July 2020, subject to a 12-month grace period. The Company is a Private Body as defined in PAIA. Section 51 of PAIA requires that the Company, as a Private Body, compiles a manual giving information to the public regarding the procedure to be followed in requesting information from the Company for the purpose of exercising or protecting rights.

    2.2 The Manual is not exhaustive of, nor does it comprehensively deal with, every procedure provided for in PAIA and POPIA. Requesters are advised to familiarise themselves with the provisions of PAIA and POPIA before making any request to the Company in terms of PAIA and POPIA.

    2.3 Nothing stated in this Manual shall limit, or constitute a waiver of, any of the rights of the Requester or the Company in terms of PAIA and POPIA.

    2.4 The Company makes no representation and gives no undertaking or warranty that the information in this Manual or any other information provided by us to a Requester is complete or accurate, or that such information is fit for any purpose. All users of any such information shall use such information entirely at their own risk, and the Company shall not be liable for any loss, expense, liability or claims, of whatsoever nature or howsoever arising, resulting from any use of this Manual or any other information provided in this Manual or from any error therein.

  3. INTRODUCTION TO THE COMPANY

    3.1 Levi Strauss & Co. is one of the world's largest brand-name apparel companies and a global leader in jeanswear, Levi Strauss & Co. designs and markets jeans, casual wear and related accessories for men, women, and children.

    3.2 The Company has compiled this Manual, not only to comply with the provisions of PAIA and POPIA, but also to foster a culture of transparency and accountability in our environment and to ensure that members of the public have effective access to information in the Company's possession which will assist them in the exercise and protection of their rights. Where information requested is not immediately available we will endeavour to make it available in a timely manner insofar as that is reasonably practicable in the circumstances.

    3.3 This Manual sets out the procedure to be followed to facilitate a request to access to information as well as the following information:

       (a) Purpose of the Processing of Personal Information;

       (b) Description of the categories of Data Subjects and of the information or categories of information relating thereto;

       (c) The recipients or categories of recipients to whom Personal Information may be supplied;

       (d) Planned transborder flows of Personal Information;

       (e) A general description of the security measures implemented by the Company to ensure the confidentiality, integrity and availability of the information which is to be processed.

  4. OUR DETAILS

    Full name: Levi Strauss South Africa Proprietary Limited

    Registration number: 1994/009168/07

    Registered address: 4 Bree Street 17th Floor Portside Building Cape Town Western Cape 8001

    Business address: 4 Bree Street 17th Floor Portside Building Cape Town Western Cape 8001

    Postal address: P O Box 7314 Roggebaai Western Cape 8012

    Telephone number: +27 21 403 9416 (landline) +27 82 528 7935

    Information Officer: Byron Grant

    Email address of Information Officer: [email protected]

  5. THE OFFICIAL GUIDE

    5.1 Section 10 of PAIA requires the South African Human Rights Commission (SAHRC) to publish a guide containing information reasonably required by a person wishing to exercise any right in terms of PAIA.

    5.2 The Guide that has been published contains the following information:

       (a) the object of PAIA;

       (b) particulars of the information;

       (c) the manner and form of a Request for Access to information held by a Private Body;

       (d) assistance available from both the Information Officer and the SAHRC in terms of PAIA;

       (e) all remedies in law regarding acts, omissions, rights and duties, including how to lodge an internal appeal and a court application;

       (f) schedules of fees to be paid in relation to requests for access to information;

       (g) and regulations made in terms of PAIA.

    5.3 A copy of this Guide is available for inspection at the offices of the SAHRC and on the website at www.sahrc.org.za. Contact details are as follows:

       Post: South African Human Rights Commission Promotion of Access to Information Act Unit Research and Documentation Department Private Bag X2700 Houghton 2041

       Telephone: 011 877 3600

       Fax: 011 403 0668

       Website: www.sahrc.org.za or [email protected]

       E-mail: [email protected]

  6. CATEGORIES OF INFORMATION AVAILABLE IN TERMS OF PAIA

    We hold the following categories of information which will be available for inspection in terms of PAIA.The procedure in terms of which such Records may be requested from the Company is set out in Section 10 of this Manual. The Records listed below will not in all instances be provided to a Requester who requests them in terms of PAIA as the Requester is required to identify the right the Requester is seeking to exercise or protect and provide an explanation of why the requested Record is required for the exercise or protection of that right. Furthermore, the request may be denied on the basis of the grounds of refusal under PAIA.

      Categories of Records and description of Records held:

       (a) Statutory information/Records

          (i) Records of Minutes, as well as Resolutions passed (where applicable);

          (ii) Memorandum & Articles of Association, copies of all CK and/or CM forms lodged with the CIPC;

          (iii) Directors attendance register;

          (iv) Combined computerised register.

       (b) Financial Records (where applicable)

          (i) Tax Records;

          (ii) Debtors’ Records;

          (iii) Creditors’ Records;

          (iv) Insurance Records;

          (v) Auditors’ Reports;

          (vi) Interim and annual financial statements;

          (vii) Bank statements and other banking records;

          (viii) Invoices issued in respect of debtors and billing information;

          (ix) Records regarding the Company’s financial commitments.

       (c) Accounting Records

          (i) Books of account including journals and ledgers;

          (ii) Delivery notes, orders, invoices, statements, receipts and vouchers.

       (d) Taxation Records

          (i) Employee tax information;

          (ii) Company tax information.

       (e) Statutory Employee Records including internal policies and procedures

          (i) Personnel Records of Employees;

          (ii) Conditions of employment;

          (iii) Employment contracts;

          (iv) Employment policies and procedures;

          (v) Salary and wage register and other payroll Records;

          (vi) Registrations with Department of Labour, Unemployment Insurance Fund, Compensation Fund and in terms of the Skills Development Levies Act;

          (vii) Records of Unemployment Insurance Fund contributions;

          (viii) Records relating to employee benefits;

          (ix) Health and safety Records;

          (x) Workplace skills plans and training Records; and

          (xi) Other internal Records.

       (f) Agreements and contracts

          (i) All agreements of a material nature.

       (g) Administration, secretarial and legal Records (where applicable)

          (i) Complaints, pleadings, briefs and other documents pertaining to any actual, pending or threatened litigation, arbitration or investigation;

          (ii) Shareholder Records;

          (iii) Share register;

          (iv) Minutes of meetings of directors;

          (v) Records relating to the incorporation of the Company;

          (vi) Minutes of meetings of committees and sub-committees;

          (vii) Powers of Attorney;

          (viii) Records of litigation / arbitration proceedings;

          (ix) Title deeds;

          (x) Mortgage bonds;

          (xi) Trade mark, copyright, patent, service mark certificates and registrations;

          (xii) Material licences, permits and authorisations.

       (h) Insurance

          (i) Insurance policies;

          (ii) Claim Records;

          (iii) Details of insurance coverage, limits and insurers.

       (i) Information Technology

          (i) Hardware;

          (ii) Operating systems and other operational Records;

          (iii) Telephone and other lines;

          (iv) Software packages;

          (v) Agreements;

          (vi) Support and maintenance agreements;

          (vii) User manuals and licences.

       (j) Sales, advertising, promotional and marketing materials;

       (k) Databases;

       (l) Records pertaining to health and safety and the environment.

  7. INFORMATION AVAILABLE IN TERMS OF OTHER LEGISLATION

    7.1 Information is available in terms of the following legislation, persons or entities specified in such legislation:

       (a) Basic Conditions of Employment Act, 75 of 1997;

       (b) Companies Act, 71 of 2008;

       (c) Compensation for Occupational Injuries and Diseases Act, 130 1993;

       (d) Competition Act, 89 of 1998;

       (e) Consumer Protection Act, 68 of 2008;

       (f) Electronic Communications and Transactions Act, 25 of 2002;

       (g) Employment Equity Act, 55 of 1998;

       (h) Financial Intelligence Centre Act, 38 of 2001;

       (i) Income Tax Act, 58 of 1962;

       (j) Insolvency Act, 24 of 1936;

       (k) Insurance Act, 63 of 2001;

       (l) Labour Relations Act, 66 of 1995;

       (m) Medical Schemes Act, 131 of 1998;

       (n) National Health Act, 61 of 2003;

       (o) Occupational Health and Safety Act, 85 of 1993;

       (p) Pension Funds Act, 24 of 1956;

       (q) Protected Disclosures Act, 26 of 2000;

       (r) Protection of Personal Information Act, 4 of 2013;

       (s) Skills Development Act, 97 of 1998;

       (t) Skills Development Levies Act, 9 of 1999;

       (u) Unemployment Insurance Act, 63 of 2001;

       (v) Unemployment Insurance Contributions Act, 4 of 2002;

       (w) Value Added Tax Act, 89 of 1991.

    7.2 The abovementioned Acts, as amended, apply and the list is not exhaustive.

  8. INFORMATION AUTOMATICALLY AVAILABLE

    8.1 The following categories of Records are automatically available for inspection, purchase or photocopying.

    8.2 Request forms for these categories of information are also available from the Company's Information Officer, whose contact details appear in section 1 of this Manual:

       (a) General information pertaining to the Company;

       (b) Services information and brochures;

       (c) Newsletters.

  9. SUBJECTS, CATEGORIES AND DESCRIPTION OF INFORMATION HELD

    Please note that the Records listed in section 6 above are not automatically available, and the process outlined in PAIA in respect of access to information must be followed.

  10. PROCEDURE FOR REQUESTING ACCESS TO INFORMATION IN TERMS OF PAIA

    10.1 A request must comply with all the procedural requirements as contained in section 53 of PAIA relating to a Request for Access to a Record. These procedural requirements are set out in this section.

    10.2 If a Requester wishes to request access to any of the aforementioned categories of information, s/he is required to complete a request form as set out in annexure "A" hereto. These forms are also available from:

       (a) The Company's Information Officer (whose contact details are in section 1 of this Manual);

       (b) the SAHRC website (www.sahrc.org.za );

       (c) The Department of Justice and Constitutional Development website (www.doj.gov.za).

    10.3 In certain instances there is a prescribed fee (payable in advance where applicable) for requesting and accessing information in terms of PAIA. Details of these fees are contained in the request form. A Requester may also be called upon to pay the additional fees prescribed by regulation for searching for and compiling the information that is requested, including copying charges.

    10.4 In terms of 54(3)(b) of PAIA a Requester may lodge a complaint with the Information Regulator (in accordance with Annexure H attached hereto) or make an application with a court against the tender or payment of the request fee or the tender or payment of a deposit, as the case may be.

    10.5 It is important to note that access is not automatic – the Requester must identify the right he/she/it is seeking to protect and explain why the Record requested is required for the exercise or protection of that right. The Request for Access form must be completed with enough particularity to at least enable the Information Officer to identify the following:

       · The Record/s requested;

       · The identity of the Requester;

       · The form of access that is required, if the request is granted;

       · The postal address or fax number of the Requester; and

       · The right that the Requester is seeking to protect and an explanation as to why the Record is necessary to exercise or protect such a right.

    10.6 The Requester will be notified in the manner indicated by him/her/it on the Request for Access form whether or not his/her/its request has been approved.

    10.7 The completed request must be submitted, together with the prescribed fee where applicable, to the Information Officer at the postal or physical address or electronic mail address recorded in section 4 above.

    10.8 The Company will process the Request for Access within 30 days of receipt of the Request for Access, unless the Request for Access is of such a nature that an extension of the prescribed time limit is necessitated in accordance with section 57 of PAIA. In the case of an extension of the time limit, the Requester has the right to lodge a complaint with the Information Regulator by following the process and completing the form prescribed by POPIA and annexed hereto as Annexure H. The Requester may also make an application with a court against the refusal of the request.

    10.9 If, in addition to a written reply from the Information Officer, the Requester wishes to be informed of the decision on the Request for Access in any other manner, the Requester must state the manner and the particulars so required.

    10.10 If a Request for Access is made on behalf of another person, the Requester must submit proof of the capacity in which the Requester is making the request to the reasonable satisfaction of the Information Officer.

    10.11 If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally.

    10.12 The Company will voluntarily provide the requested Records to a Personal Requester (as defined in section 1 of PAIA). The prescribed fee for reproduction of the Record requested by a Personal Requester will be charged in accordance with PAIA.

    10.13 If the search for a Record of the Company in respect of which a Request for Access by a Requester has been made; and the preparation of that Record for disclosure would, in the opinion of the Information Officer, require more than the hours prescribed for this purpose for Requesters, the Information Officer must by notice require the Requester to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable should the request be granted.

    10.14 The Requester may lodge a complaint with the Information Regulator against the tender of the request fee or the tender or payment of a deposit, as the case may be.

  11. GROUNDS FOR REFUSAL

    11.1 There are various grounds upon which the Company may or must refuse a Request for Access to a Record in accordance with Chapter 4 of PAIA. They are:

       (a) the protection of Personal Information of a third person (who is a natural person, including a deceased person) from unreasonable disclosure (section 63 of PAIA);

       (b) the protection of commercial information of a third party if the Records contain trade secrets, financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party (section 64 of PAIA);

       (c) refusing access to a Record if disclosure would result in the breach of a duty of confidence owed to a third party (section 65 of PAIA);

       (d) refusing access to a Record if it would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person (section 66 of PAIA);

       (e) refusing access to a Record that was produced during legal proceedings, unless that legal privilege has been waived (section 67 of PAIA);

       (f) refusing access to a Record containing trade secrets, financial or sensitive information or any information that would put the private body at a disadvantage in negotiations or prejudice it in commercial competition (section 68 of PAIA);

       (g) refusing access to a Record containing information about research being carried out or about to be carried out on behalf of a third party (section 69 of PAIA).

    11.2 Section 70 of PAIA contains an overriding provision. Disclosure of a Record that has been requested is compulsory if it would reveal a substantial contravention of, or failure to comply with the law, or imminent and serious public safety or environmental risk and the public interest in the disclosure of the Record clearly outweighs the harm contemplated by its disclosure.

    11.3 If the Requester’s interest affects a third party then the Company will first need to inform the third party within 21 days of receiving the request. The third party has 21 days to make representations and/or submissions regarding the granting of access to the Record.

  12. THE INFORMATION OFFICER'S DECISION AND REQUESTER'S RECOURSE

    12.1 Once the Information Officer has heard all the submissions, he or she will make a decision as to whether or not access to the Record will be granted. If access is granted the Requester must then be granted access to the Record within 30 days of being informed of the decision.

    12.2 If the Information Officer does not grant the Requester access to the Record the Requester is entitled in accordance with sections 56(3) (c) and 78 of PAIA to apply to a court for relief within 180 days of notification of the decision. Such relief may include any order compelling the Record or Records requested to be made available to the Requester or for another appropriate order. The court will determine whether the Records should be made available or not. The Requester may also lodge a complaint with the Information Regulator against the refusal of the request in accordance with Annexure H attached hereto.

    12.3 The Requester may approach the Information Regulator and lodge a complaint in accordance with section 74 of POPIA in the prescribed form (see Annexure H attached hereto) against the access fee to be paid or the form of access granted. The details of the Information Regulator are as follows:

    The Information Regulator (South Africa)

       33 Hoofd Street

       Forum III, 3rd Floor Braampark

       Braamfontein, Johannesburg

       Email: [email protected] / [email protected]

    12.4 The Company does not have any internal appeal procedures. As such, the decision made by the Information Officer is final and Requesters will have to exercise the external remedies at their disposal in the event that a Request for Access is refused.

    12.5 The Requester is entitled to receive proper reasons as to why the request was refused.

    12.6 If the Information Officer decides to grant access to a Record affecting a third party, the third party that has been affected has 30 days in which to appeal the decision in the High Court or to lodge a complaint with the Information Regulator in accordance with section 74 of POPIA in the prescribed form, which is attached hereto as Annexure H. If no appeal or complaint is lodged within 30 days, the Requester must be granted access to the Record.

  13. PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY THE COMPANY

    13.1 Conditions for Lawful Processing

       Chapter 3 of POPIA sets out the Conditions for Lawful Processing of Personal Information which must be complied with when a Responsible Party Processes Personal Information. Below is a description of the eight Conditions for Lawful Processing as contained in POPIA:

        a) Accountability

       POPIA provides that the Responsible Party is obliged to ensure that the Conditions for Lawful Processing and all other measures required in terms of POPIA are complied with.

       b) Processing limitation

       The Processing must be done lawfully and in a manner that does not infringe the right to privacy of a Data Subject. Personal Information may only be Processed if, given the purpose for which it is Processed, it is adequate, relevant and not excessive. There must furthermore be a justification for Processing Personal Information. Consent is one of the justifications but Personal Information may be Processed in the absence of consent if it is necessary for pursuing the legitimate interests of the Responsible Party or the third party to whom it is disclosed or for the protection of the legitimate interests of the Data Subject. It may also be Processed if it complies with an obligation imposed by law or where it is necessary for the performance of a contract. The Processing of Special Personal Information or Personal Information of children generally requires consent, subject to certain limited exceptions.

       c) Purpose specification

        POPIA provides that Personal Information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the Responsible Party. Subject to certain exceptions, Records of Personal Information must not be retained for longer than is necessary to achieve the purpose for which it was collected or subsequently Processed, and must be destroyed or deleted once the Responsible Party is no longer authorised to retain the Record. Such exceptions include where (i) the retention is required or authorised by law, (ii) the Data Subject has consented to the retention, or (iii) the Personal Information is being retained for historical, statistical or research purposes.

       d) Further Processing Limitation

       POPIA provides that the further Processing of Personal Information must be in accordance with or compatible with the purpose for which the Personal Information was collected.

       e) Information quality

       A Responsible Party must take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and updated where necessary.

       f) Openness

       A Responsible Party is required to maintain the documentation of all Processing operations under its responsibility as required in terms of PAIA and must take reasonably practicable steps to ensure that the Data Subject is made aware of the Personal Information being collected, together with other stipulated information, subject to certain exceptions.

       g) Security safeguards

       POPIA provides that a Responsible Party must secure the integrity and confidentiality of Personal Information in its possession or under its control by implementing appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of Personal Information, or unlawful access to or Processing of Personal Information. In addition, the Responsible Party should take all reasonable measures to identify all reasonably foreseeable internal and external risks, establish and maintain appropriate safeguards against risks identified, verify that the safeguards are effectively implemented and ensure that the safeguards are updated in response to new risks.

       h) Data subject participation

       A Data subject is entitled to request a Responsible Party to confirm whether or not it holds Personal Information about the Data Subject, and to request the Record itself or a description of the Record, subject to the requirements in PAIA. A Data Subject may also request a Responsible Party to correct or delete Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or to destroy or delete personal information that a Responsible Party is no longer authorised to retain.

    13.2 Purpose of the Processing of Personal Information by the Company

       The purposes for which the Company Processes or will Process Personal Information are set out in Annexure B.

    13.3 Categories of Data Subjects and Personal Information/Special Personal Information relating thereto

       As per section 1 of POPIA, a Data Subject may either be a natural or a juristic person. The categories of Data Subjects in relation to which the Company Processes Personal Information are set out in Annexure C.

    13.4 Recipients or categories of recipients of Personal Information

       The following are the recipients to whom the Company may provide a Data Subject's Personal Information:

       a) third party business partners;

       b) payroll service providers;

       c) accountancy firms;

       d) tax authorities (i.e. the South African Revenue Service);

       e) banks;

       f) insurance companies;

       g) professional service providers;

       h) companies within the LS&CO group of companies;

       i) IT service providers;

       j) benefit providers;

       k) storage facility providers;

       l) airlines, hotels and travel agents;

       m) cloud service providers;

       n) third-party applications or platforms;

       o) other third party service providers;

       p) data analytics advisors; and

       q) market research companies.

    13.5 Cross-border flows of Personal Information

       Section 72 of POPIA provides that Personal Information may only be transferred by a Responsible Party to a third party in a foreign country outside of the Republic of South Africa in the following circumstances:

       (a) If the third party who is the recipient of the Personal Information is subject to a law, binding corporate rules or a binding agreement which provide an adequate level of protection that effectively upholds principles similar to the Conditions for Lawful Processing under POPIA, including provisions relating to the further transfer of Personal Information from the recipient to third parties who are in a foreign country; or

       (b) If the Data Subject consents to the transfer of their Personal Information; or

       (c) If the transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or

       (d) If the transfer is necessary for the conclusion or performance of a contract between the Responsible Party and a third party, concluded in the interests of the Data Subject; or

       (e) If the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.

    13.6 Annexure D contains a list of the planned cross-border transfers of Personal Information and the justification for such transfers.

    13.7 The Company ensures that there is a justification under POPIA when it transfers Personal Information to third parties in countries that do not have adequate data protection laws similar to POPIA.

    13.8 Description of information security measures to the implemented by the Company

       The types of security measures implemented by the Company in order to secure the integrity and confidentiality of the Personal Information and ensure that Personal Information is protected from loss, damage, unauthorized destruction or unlawful access are listed in Annexure E hereto.

    13.9 Objection to the Processing of Personal Information by a Data Subject

       Section 11(3) of POPIA and Regulation 2 of the POPIA Regulations provides that a Data Subject may object to Processing in the prescribed form attached as Annexure F to this Manual where the Processing is based on one of the following grounds, unless legislation provides for such Processing:

       · Processing protects a legitimate interest of the Data Subject;

       · Processing is necessary for the proper performance of a public law duty by a public body;

       · Processing is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom it is supplied;

       · Processing is for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69 of POPIA.

    13.10 Request for correction or deletion of Personal Information

       Section 24 of POPIA and Regulation 3 of the POPIA Regulations provides that a Data Subject may request for their Personal Information to be corrected/deleted in the prescribed form attached as Annexure G to this Manual.

ANNEXURE A: REQUEST FOR ACCESS TO RECORD

[Regulation 7]>

Note: If requests made on behalf of another person, proof of the capacity in which the request is made, must be attached to this form.

TO:     Theinformation officer

(Addres

E-mail address:

Fax number:

Mark with an "X"

Request is made in my own name              Request is made on behalf of another person.

PERSONAL INFORMATION

Full names:

 

Identity number:

 

Capacity in which request is made (when made on behalf of another person):

 

Postal Address:

 

Street Address:

 

E-mail address:

 

Contact
numbers:

Tel. (B):

Facsimile:

Cellular:

 

Full names of person on whose behalf request is made (if applicable):

 

Identity number:

 

Postal Address:

 

Street Address:

 

E-mail address:

 

Contact
numbers:

Tel. (B):

Facsimile

Cellular:

 

PARTICULARS OF RECORD REQUESTED

Provide full particulars of the record to which access is requested, including the reference number if that is known to you, to enable the record to be located. (If the provided space is inadequate, please continue on a separate page and attach it to this form. All additional pages must be signed.)

Description of record or relevant part of the record:

 

 

 

 

 

 

 

 

 

 

Reference number, if available:

 

Any further particulars of record:

 

 

 

 

 

 

 

 

 

 

TYPE OF RECORD

(Mark the applicable box with an "X")

Record is in written or printed form

 

Record comprises virtual images (this includes photographs, slides, video recordings, computer-generated images, sketches, etc)

 

Record consists of recorded words or information which can be reproduced in sound

 

Record is held on a computer or in an electronic, or machine-readable form

 

FORM OF ACCESS

(Mark the applicable box with an "X")

Printed copy of record (including copies of any virtual images, transcriptions and information held on computer or in an electronic or machine-readable form)

 

Written or printed transcription of virtual images (this includes photographs, slides, video recordings, computer-generated images, sketches, etc)

 

Transcription of soundtrack (written or printed document)

 

Copy of record on flash drive (including virtual images and soundtracks)

 

Copy of record on compact disc drive(including virtual images and soundtracks)

 

 

MANNER OF ACCESS

(Mark the applicable box with an "X")

Personal inspection of record at registered address of public/private body (including listening to recorded words, information which can be reproduced in sound, or information held on computer or in an electronic or machine-readable form )

 

Postal services to postal address

 

Postal services to street address

 

Courier service to street address

 

Facsimile of information in written or printed format (including transcriptions)

 

E-mail of information (including soundtracks if possible)

 

Preferred language:

(Note that if the record is not available in the language you prefer, access may be granted in the language in which the record is available)

 

 

PARTICULARS OF RIGHT TO BE EXERCISED OR PROTECTED

If the provided space is inadequate, please continue on a separate page and attach it to this Form. The requester must sign all the additional pages.

Indicate which right is to be exercised or protected:

 

 

 

 

 

Explain why the record requested is required for the exercise or protection of the aforementioned right:

 

 

 

 

 

 

FEES

a)         A request for access to a record, other than a record containing personal information about yourself, will be processed only after a request fee has been paid.

b)         You will be notified of the amount required to be paid as the request fee.

c)         The fee payable for access to a record depends on the form in which access is required and the reasonable time required to search for and prepare a record.

d)         If you qualify for exemption of the payment of any fee, please state the reason for exemption

Reason:

 

 

 

 

 

 

 

 

You will be notified in writing whether your request has been approved or denied and if approved the costs relating to your request, if any. Please indicate your preferred manner of correspondence:

Postal address

Post to street address

Facsimile

E-mail

 

Signed at___________________ this__________ day of_______________ 20

Signature of requester / person on whose behalf request is made

FOR OFFICIAL USE

Reference number:

 

Request received by: (state rank, name and surname of information officer)

 

Date received:

 

Access fees:

 

Deposit (if any):

 

 

Signature of information officer


ANNEXURE B: DESCRIPTION OF RECORDS OF PERSONAL INFORMATION HELD AND PURPOSES OF PROCESSING SUCH PERSONAL INFORMATION

 

Description of Record of Personal Information

Purpose of Processing

Current, prospective and former employees, directors, temporary and casual workers, agents, independent contractors, occasional workers, freelancers, volunteers and apprentices:

  • full legal name;
  • preferred name/ nickname;
  • gender;
  • citizenship, nationality and place of birth;
  • personal and work locations (address, city, province);
  • country of residence;
  • professional and personal phone numbers;
  • mobile number;
  • national/ government identity number;
  • social security number;
  • passport number;
  • photograph;
  • email address;
  • date of birth/ age;
  • driving licence;
  • marital status;
  • dependant's details;
  • family history;
  • emergency contact number;
  • driving record;
  • vehicle license plates;
  • bank account information;
  • expense claim records;
  • compensation and remuneration and other payroll information;
  • benefits elected;
  • tax identification numbers and details;
  • social security deduction data;
  • employee ID;
  • employee contact details;
  • position and occupation category;
  • type of work;
  • job title;
  • CV data;
  • hire date;
  • work history;
  • previous work tenure and other work history;
  • working schedule;
  • working hours;
  • holidays;
  • appraisal data;
  • termination date;
  • potential new employers;
  • pension membership;
  • pension join date and entry;
  • pension contributions;
  • life insurance beneficiaries;
  • completion of training modules including mobile e-learning;
  • registration for employee discounts;
  • survey results, employee resource group membership;
  • data related to material, tools and furniture;
  • disciplinary measures and records of objectionable conduct;
  • network user-ID, username, IP address;
  • IT access rights;
  • IT logs, timesheet and attendance data;
  • websites visited and email content;
  • voice recordings;
  • health-related data including medical/ health information;
  • disability status;
  • pregnancy status;
  • race/ ethnicity;
  • union membership;
  • prior convictions;
  • educational and/ or professional qualifications and graduation name;
  • findings of background checks, criminal record checks and credit checks in respect of employees;
  • electronic signatures;
  • location data;
  • medical aid benefits;
  • information related to employer/ employee assistance programme;
  • talent management information; and
  • biometric information of employees.
  • verifying employees' identity;
  • communicating with employees;
  • managing the employment relationship including recruitment;
  • background checks;
  • verification of right to work;
  • work references;
  • on-boarding;
  • off-boarding;
  • time and attendance;
  • planning;
  • labour organization;
  • employee data management;
  • leave management;
  • processing vacation requests;
  • performance management;
  • managing disciplinary processes;
  • career planning;
  • talent management;
  • succession planning;
  • compensation and benefits administration;
  • insurance administration and management;
  • remuneration and payroll administration;
  • pension management;
  • mobility;
  • management of reimbursements and corporate expenses and corporate credit card programs;
  • learning and development;
  • general human resources administration and management;
  • managing workplace health and safety;
  • security and access control to the business premises;
  • IT and devices monitoring and maintenance;
  • employee relations including grievances, complaints, harassment, discrimination, misconduct, disciplinary, theft or loss prevention;
  • fraud detection;
  • quality control;
  • e-Discovery;
  • reporting purposes through the telephone hotline;
  • managing employee compliance with Company rules and policies;
  • complying with employment equity obligations under the Employment Equity Act, 1998 ("EEA");
  • managing legal disputes;
  • arranging and facilitating travel;
  • offering learning and development and training opportunities;
  • administrating salary, compensation and benefits, including performance reviews and payroll;
  • learning about the Company's workforce, improving the workplace, fostering diversity, inclusion and belonging;
  • conducting surveys and contests;
  • eliciting feedback and workforce analytics;
  • maintaining health, security and safety programs;
  • safeguarding personal property and the health of the workforce including through health and safety measures, whistleblowing, internal investigations, engagement of law enforcement;
  • monitoring to protect the Company's and its employees' legal rights;
  • managing Company assets and properties, turnover, resourcing, workforce deployment;
  • providing employees with opportunities to engage in a positive workforce culture that emphasizes engagement, well-being, diversity, enrichment and fulfilment;
  • Completing a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding;
  • maintaining the safety, security, functionality and integrity of the Company's websites, assets and business including troubleshooting technical problems when they arise;
  • conducting other business initiatives;
  • complying with a legal obligation such as subpoenas or court orders or to protect and enforce the Company's legal rights or to protect employees, the Company, or others against injury or harm.

B2B customers:

  • company registration numbers;
  • registration number of vehicles;
  • video images;
  • financial data;
  • copies of the incorporation certificate;
  • customer's financial history including supporting documents;
  • tax related information including VAT numbers;
  • authorised representative name and contact details;
  • directors' identification documents;
  • customers’ contact and registration details;
  • names and addresses;
  • email address;
  • contact numbers;
  • consumers’ contact and registration details.

 

Current, prospective, former consumers:

  • names;
  • addresses;
  • email address;
  • contact numbers;
  • birth date;
  • age;
  • gender;
  • credit card number;
  • credit card expiration date;
  • credit card security code;
  • online profile details;
  • wish list;
  • preferred store;
  • family composition;
  • areas of interest;
  • purchase data and history;
  • shipping and billing data;
  • loyalty program data;
  • physical characteristics (height, weight, clothing sizes and fit preferences);
  • images;
  • geolocation data;
  • feedback data;
  • user generated content;
  • website browsing information, and logs;
  • usage data;
  • device information;
  • MAC address;
  • social media account credentials;
  • health-related data;
  • online identifiers, nicknames and social media handles;
  • physical description such as preferred clothing sizes;
  • purchase and return data;
  • survey responses;
  • customization services;
  • feedback, communication/ information shared in public forums such as on social media;
  • account or member (loyalty) program information;
  • size, fit and product preferences;
  • exchanges with LS&CO artificial intelligence chatbot the Company's websites and tools, similar network activity, IP address device identifiers;
  • stores visited;
  • buying trends and preferences;
  • audio recordings,
  • visual film or still images;
  • physical and behavioural characteristics or patterns;
  • geolocation data including GPS latitude and longitude, approximate location, post code, state/ province/ territory;
  • Internet Protocol ("IP") addresses;
  • general or specific demographic data;
  • information shared with Customer Service;
  • survey responses;
  • customization services;
  • feedback;
  • choices made with respect to communications we send or how we use data (i.e. to opt out);
  • physiological and behavioral characteristics;
  • browsing history;
  • buying trends, transaction patterns and preferences;
  • characteristics and predispositions;
  • behaviour and attitudes.
  • storage of information;
  • maintenance of customer profiles;
  • inputting, updating, deleting, archiving, and/ or processing payments for purchases and returns;
  • shipping orders to customers;
  • registration and operation of websites, apps and/ or loyalty programs;
  • sending transaction-related emails or push notifications;
  • account verification;
  • purchase and billing confirmations and reminders;
  • moderation messages;
  • changes/updates to features of the websites/ apps;
  • disseminating technical and security notices;
  • assisting with customer service questions or issues;
  • conducting statistical analysis of aggregated data;
  • targeting and sending promotional materials and interest-based advertising;
  • improving the services to customers;
  • conducting marketing initiatives;
  • providing information about interactions with data exporter's brands;
  • assisting with development of new products and services;
  • evaluating what types of information may be of interest to consumers;
  • preventing fraud, security and compliance with legal obligations and government or court orders in accordance with applicable law;
  • managing the accounts receivable and collection of the debts incurred by the customer;
  • taking out policies to insure customers' debts;
  • verifying the B2B customer’s creditworthiness and approving the customer for purposes of onboarding;
  • ensuring that the business controls are compliant with Group standards;
  • managing credit control in relation to procurement and payments by customers;
  • controlling access to the premises;
  • creating a strategy to gain new customers;
  • screening as required during the COVID-19 pandemic;
  • preparing and negotiating legal agreements/contracts between parties;
  • reviewing applications in respect of customers as well as handling queries relating to customer information that is received;
  • communicating with customers re relationship/ transactional/ commercial matters;
  • administering sweepstakes, surveys or contests;
  • for marketing and advertising purposes;
  • administering, supporting and improving online and in-store presence and experience;
  • helping the Company understand customer interests, personalize interactions with customers, develop business relationship with customers;
  • making customer interactions more convenient;
  • enabling the holding by the Company of the customer's shopping cart selections;
  • enabling customers to locate nearby stores;
  • creating summaries and profiles of customers;
  • maintaining the safety, security, functionality, and integrity of the Company's websites and other assets or business;
  • performing testing, research, analytics, and product development;
  • understanding, improving, and providing customized and streamlined experiences with the Company's products, stores, website, app, and/ or member (loyalty) program;
  • providing services in-store, on the website or app, including processing requested purchases, returns and exchanges, payments and orders;
  • shipping products;
  • providing Customer Service.

 

Vendors/ business partners, third party service providers including software providers, hosting service providers, analytics providers, benefits providers and administrators, payroll agencies, training providers, consultants, franchisees, law firms, insurers and other third parties:

  • authorised persons' names;
  • dates of birth;
  • identity numbers;
  • company registration numbers;
  • health information;
  • video images;
  • financial data;
  • physical and postal addresses;
  • contact numbers;
  • email addresses;
  • copies of the incorporation certificate;
  • vendors' tax information and tax clearance certificate;
  • VAT vendor details;
  • banking details and evidence of banking details; and
  • various sensitive type of data as part of the background checks which include sanction screening and credit checks.
  • on-boarding new vendors/ business partners, service providers and/ or franchisees;
  • effecting payment to the vendor/ business partner on completion of the services or delivery of the goods;
  • conducting sanction checks;
  • conducting criminal and credit checks on potential vendors/ business partners;
  • managing accounts payable in respect of vendors/ business partners;
  • for statistical and budgetary purposes;
  • verifying vendor's/ business partners' BEE certification;
  • controlling access to the premises;
  • management of the relationship and entering into contracts with B2B customers, vendors, business partners, service providers and/ or and franchisees.

Group Companies:

  • director's names;
  • identity numbers;
  • passport numbers;
  • age;
  • occupation;
  • qualifications;
  • results of background checks;
  • employee records;
  • records of performance and/ or objectionable conduct of individuals;
  • company registration details;
  • tax numbers,;
  • physical addresses of company premises;
  • company contact details such as telephone numbers;
  • web addresses;
  • financial information; and
  • accounting-related records
  • conducting the Company's business;
  • ensuring that the business controls are compliant with Group standards;
  • submitting data requests internally and externally for data when engaging with third party juristic entities;
  • engaging in company secretarial matters;
  • investigating and preventing cases of suspected fraud and non-compliance related to the business; and
  • managing business control process flows and standard document controls.

Hotline reports:

  • identity;
  • position/ title;
  • company name;
  • contact details;
  • alleged facts reported; and
  • statements made by callers.

 

 


 

ANNEXURE C: DESCRIPTION OF DATA SUBJECT OR CATEGORY OF DATA SUBJECTS AND CATEGORIES OF PERSONAL INFORMATION IN RELATION TO THE DATA SUBJECTS

 

Data Subject or Category of Data Subject

Description of Personal Information processed in relation to Data Subject

Employees, contractors, temporary workers, occasional workers, freelancers, volunteers, apprentices

  • Contact Information such as employee's name, email address, physical address, phone numbers, and preferred name/nickname;
  • Financial Information such as bank account data, credit card information including card details and statements, expenses and claim records, compensation information, benefits elected, salary, payroll info, tax identification numbers and details, insurance beneficiaries, social security, disability and other deduction data ;
  • Other Personal Information including special personal information such as gender, citizenship/nationality, national/government ID number, social security number, passport number, driving license number, pension membership, trade union/union membership, pension join date and entry, pension contributions, medical and health information, criminal history or convictions, health information, disability status, pregnancy status, race/ethnicity/sexual orientation; military status, disability information;
  • Other Identifying Information such as vehicle license plates, fuel card data and vehicle details, marital status, dependants’ details, family history, emergency contact phone, driving record, unique identifiers such as a Network User-ID, username, IP address;
  • Education and Professional Information including CV and resume data, education/diploma(s), transcript data, names of employers or schools, accomplishments, recognitions, degrees, certificates, awards, references;
  • Information relating to the Business Relationship such as hire date, work history, work information (such as tenure), working schedule, working hours, holidays, appraisal data, termination date, potential new employers; employee ID, employee contract and any amendments to it, position, occupation category, type of work, job titles; job performance data, registration for employee discounts, survey results, employee resource group membership; data related to material, tools and furniture granted by us, disciplinary measures (if any), IT access rights, timesheet or attendance data;
  • Audio, Visual and Biometric Information such as visual film or still images, voice and video recording, facial recognition or physical characteristics or patterns (such as where a face or fingerprint are used for secure access), physiological, behavioral, and biological characteristics or activity patterns;
  • Online and Technical Information including browsing data, data about how data subjects interact with our websites and tools, network activity, device identifiers, IT logs, websites visited and email content;
  • Location Data such as employee's address, travel plans and locations, location information from any company issued or paid for mobile device or laptop, office locations the employee is assigned to or has visited.

B2B Customers, customers (past, present and prospective), vendors/ business partners, third party service providers including software providers, hosting service providers, analytics providers, benefits providers and administrators, payroll agencies, training providers, consultants, franchisees, law firms, insurers and other third parties

 

  • names;
  • company registration details;
  • identity numbers;
  • contact numbers;
  • signatures;
  • financial information;
  • agreements with corporate entities;
  • photographic/video records;
  • directors’ identification documents;
  • VAT registration documents;
  • bank statements or utility bills;
  • physical address;
  • email address;
  • job;
  • title;
  • birth date;
  • nationality;
  • gender;
  • city, post code, country of residence; and
  • login and password.

Hotline reports

  • identity;
  • position/ title;
  • company name;
  • contact details;
  • alleged facts reported;
  • statements made by callers; and
  • Special Personal Information potentially inadvertently collected

 


 

ANNEXURE D: CROSS-BORDER FLOWS OF PERSONAL INFORMATION

Country

Justification for Transfer (in terms of section 72 of POPIA)

Belgium

an intra-group data transfer agreement

India

an intra-group data transfer agreement

Singapore

an intra-group data transfer agreement

United States of America

an intra-group data transfer agreement

 

 

 

 

 


 

ANNEXURE E: SECURITY MEASURES TO BE IMPLEMENTED BY THE COMPANY

 

The following is a list of the types of security measures implemented by the Company in order to ensure that Personal Information is protected from loss of, damage to or unauthorized destruction of or unlawful access to Personal Information:

 

  • Global information security ("GIS") is only authorized to access any network, computer, application, data and personnel after global information security has provided a need-to-know statement;
  • In emergency situations GIS is authorized to implement corrective measures that reduce risk to an acceptable level on any resource that presents a clear and present vulnerability;
  • GIS is authorized to determine ownership of electronic resources for purposes of ensuring implementation of security controls by or on behalf of an owner;
  • GIS is authroized to access the information security elements associated with new business ventures and acquisitions and must advise management of possible security risks, security measures and potential expenditures required for the new venture/ acquisition to meet the global standards;
  • IT security process, systems or software may not be circumvented, disabled or modified to change function without review and approval by a member of the GIS leadership team;
  • Default account names are changed when possible, at the very least default passwords are changed at installation;
  • All unnecessary default accounts are disabled immediately after system installation;
  • Default accounts that cannot be disabled are monitored for abuse;
  • Access requests for information must be approved by the information owner and the requester's supervisor;
  • Access requests are required in order to perform certain IT actions;
  • Access requests require certain minimum information;
  • Records of access requests are retained for 1 year;
  • Systems that process, store, transmit and/ or otherwise handle PCI cardholder data is restricted to those with a clearly defined business need to access the data;
  • Access reviews are conducted by IT security on a  semi-annual basis;
  • Documented reviews are maintained on file for 1 year;
  • Access controls on mutli-user systems that process PCI cardholder data are set to allow access to authorised users only;
  • Access by internal users to the PCI cardholder data environment must originate from one of two network sources;
  • No devices that have not been approved and configured within LS&Co may be used in the cardholder data environment;
  • No wireless devices such as smart phones or handheld devices may be used in the cardholder data environment;
  • A change in a user's job status (transfer, termination, leave of absence) requires information access updates;
  • User access to systems that store, process, transmit and / or otherwise handle PCI cardholder data is revoked immediately upon an individual's reassignment of duties;
  • A unique user ID is required to access any system;
  • User ID's are created for approved users only with validated business reasons for system / application access;
  • Each user account is assigned an ID that is unique and traceable;
  • Guest accounts are disabled, changed or properly configured to prevent access to confidential or internal information;
  • User ID's must have a minimum of 6 characters, incorporating the user's name and a numeric assignment;
  • User ID's may not be shared;
  • Generic user ID's are authorized by exception only and must be approved;
  • User ID's must be disabled within 24 hours of a termination notification from HR or a user's manager;
  • User ID's on systems that process, store, transmit and / r otherwise handle cardholder data are revoked immediately upon termination of an individual's employment;
  • Access to sensitive data is permitted only when the role, duties or functions of the individual requires the individual to have the information in order to meet valid business objectives;
  • Roles are restricted to the least privileges necessary to perform the job responsibility;
  • Permissions/ entitlements for each role are reviewed annually by the data owner;
  • Roles that include access to unencrypted PCI cardholder data is limited to those individuals who are specifically authorised by the business to access that data;
  • The identification of individuals who access PCI cardholder data must be positively verified before the individual is allowed access to the information;
  • As part of the logon procedure the system displays an advisory warning message to the user that includes an instruction to logoff if they are not authorised to use the system and a warning that the system is monitored and unauthorised users will face disciplinary action;
  • Users access will be disabled after 5 incorrect login attempts;
  • Inactive sessions are set to time out after 30 minutes and after 15 minutes in respect of systems that hold PCI cardholder data;
  • The time, date and location of a user's last access is recorded;
  • Unsuccessful attempts to gain entry into a system are recorded;
  • Passwords are used to verify the user ID or to restrict access to a system;
  • Use of vendor-supplied default passwords is prohibited;
  • Passwords must contain at least 7 characters, be a mix of upper- and lower-case letters, numeric and special characters;
  • Passwords are valid for a maximum of 90 days;
  • A password will not be accepted if it has been used within 5 previous times;
  • Passwords are locked after 5 failed login attempts;
  • Password lock time is at least 30 minutes;
  • No blank passwords are allowed;
  • Following a password change users are prompted to re-enter the password for verification purposes;
  • Positive identification of a user is required once a user has been locked out of his/ her account, has forgotten his/her password or had rendered his/ her account inoperative due to any issues;
  • User re-authentication is required prior to unlocking a session once it has been locked;
  • The Company may elect to disable an employee's access if an employee is away from work for an extended period of time;
  • Inactive user accounts are disabled after 90 days of inactivity and then deleted if no longer needed;
  • Accounts for contractors or temporary employees are configured with an expiration date equal to the term of the contract or 6 months, whichever is sooner;
  • Physical access requests must be completed in specified circumstances and will require certain minimum information;
  • Physical access is recorded for entry to facilities containing sensitive information. This documentation must contain certain minimum the following information;
  • Visitor logs are maintained in respect of entry/ exit to secured locations that house sensitive information;
  • An accurate and complete inventory of media containing PCI cardholder data is maintained;
  • Electronic and paper based information is sanitized and destroyed before disposal;
  • Electronic information which is no longer needed is destroyed using either of the degaussing, purging or shredding method;
  • The following protection equipment is in use:

o   Fire extinguishers;

o   Smoke detectors;

o   Water detectors;

o   Alarm systems;

o   Emergency generator;

  • A data sanitation policy is in place whereby retired devices and media where LS&CO information is stored have their contents securely removed, destroyed or overwritten once the device or media is retired;
  • Video conferencing facilities are located in a physically secure facility;
  • The LS&CO internal network is protected by a firewall and intrusion detection systems;
  • Passwords are required on all smart phone devices;
  • All laptops must have firewall installed ;
  • Users cannot modify the configuration settings in a manner which would reduce the security of the device;
  • Virus protection software is installed on laptops and PC's that connect to the LS&CO network including those that have access to PCI cardholder data; and
  • Virus scanning and intrusion prevention software is updated regularly.

 

 


 

ANNEXURE F: FORM FOR THE OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF POPIa

 

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017 [Regulation 2(1)]

Note:

1.            Affidavits or other documentary evidence in support of the objection must be attached.

2.            If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

Reference Number....

A

 

DETAILS OF DATA SUBJECT

Name and surname of Data Subject:

 

 

Residential, postal or business address:

 

 

 

 

 

 

 

Code (

)

Contact number(s):

 

Fax number:

 

 

E-mail
address:

B

 

 

 B

DETAILS OF RESPONSIBLE PARTY

Name and surname
of Responsible Party(if
the Responsible Party is a
natural)
:

Residential, postal or
business address:

 

 

 

 

 

 

Code ( )

 

Contact number(s):

 

Fax number:

 

 

 

E-mail address:

Name of public or Private Body(if the Responsible Party is not a natural person):

Business address:

Code ( )

Contact number(s):

Fax number:

E-mail address:

C         REASONS

 

 

 

 

Signed at                                   this                  day of                                      20                   

 

 

Signature of Data Subject (applicant)

 


 

annexure G: FORM FOR THE REQUEST TO DELETE OR CORRECT PERSONAL INFORMATION IN TERMS OF POPIA

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017

[Regulation 3(2)]

Note:

1.            Affidavits or other documentary evidence in support of the request must be attached.

2.            If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

Reference Number

Mark the appropriate box with an "x".

Request for:

Reference Number....

Correction or deletion of the Personal Information about the Data Subject which is in possession or under the control of the Responsible Party.

Destruction or deletion of a Record of Personal Information about the Data Subject which is in the possession or under the control of the Responsible Party and who is no longer authorised to security the Record of information.

A         DETAILS OF THE DATA SUBJECT

Surname:

 

Full names:

 

Identity number:

 

Residential, postal or business address:

 

 

 

Code ( )

Contact number(s):

 

Fax number:

 

E-mail address:

 

 

B

DETAILS OF RESPONSIBLE PARTY

Name and surname of responsible party(if the responsible party is a natural person):

 

Residential, postal or business address:

 

 

 

Code ( )

Contact number(s):

 

Fax number:

 

E-mail address:

 

 

Name of public or Private Body (if the Responsible Party is not a natural person):

Business address:

Code ( )

Contact number(s):

Fax number:

E-mail address:

C

REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION
ABOUT THE DATA SUBJECT/
*DESTRUCTION OR DELETION OF A RECORD OF
PERSONAL INFORMATION ABOUT THE DATA SUBJECT WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY.
(Please provide detailed reasons for the request)

 

 

Signed at                     on this              day of                          20        .


 

ANNEXURE H: FORM FOR THE LODGING OF A COMPLAINT
[Regulation 10]

Note:

1.         This form is designed to assist the Requester (hereinafter referred to as “the Complainant) 9 in requesting a review of a public or private body’s response or non-response to a request for access to records under the Promotion of Access to Information Act 2 of 2000 (“PAIA)9. Please fill out this form and send it to the Information Regulator (“Regulator) 9 or complete the online complaint form available at https://www.justice.gov.za/inforeg/.

2.         PAIA gives the public a right to file a complaint with the Regulator about any of the nature of complaints detailed in part E of this complaint form-

3.         It is the policy of the Regulator to defer investigating or to reject a complaint if the Complainant has not first given the public or private body (herein after referred to as “the Body) 9 an opportunity to respond to and attempt to resolve the issue. To help the Body address your concerns prior to approaching the Regulator, you are required to complete the prescribed PAIA form and submit it to the Body.

4.         A copy of this form will be provided to the Body that is the subject of your complaint. The information you provide on this form, attached to this form or that you supply later, will only be used to attempt to resolve your dispute, unless otherwise stated herein

5.         The Regulator will only accept your complaint once you confirm having complied with the prerequisites below.

6.         Please attach copies of the following documents, if you have them:

·       Copy of the form to the organisation requesting access to records;

·       The organisation’s response to your complaint or access request;

·       Any other correspondence between you and the organisation regarding your request;

·       Copy of the appeal form, if your compliant relate to a public body;

·       The organisation’s response to your appeal;

·       Any other correspondence between you and the organisation regarding your appeal;

·       Documentation authorizing you to act on behalf of another person (if applicable);

·       Court order or court documents relevant to your complaint, if any.

7.       If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

TO:     The Information Regulator

            P.O Box 31533

            Braamfontein,

            2017

E-mail address:            [email protected]

Tel number:                 +27 (0) 10 023 5200

PREREQUISITES

Did you submit request (PAIA form) for access to record of a public/private body?

Yes

 

No

 

Has 30 days lapsed from the date on which you submitted your PAIA form?

Yes

 

No

 

Did you exhaust all the internal appeal procedure against a decision of the Information officer of a pubic body?

Yes

 

No

 

Have you applied to Court for appropriate relief regarding this matter?

Yes

 

No

 

 

FOR REGULATOR’S USE ONLY

Received by: (Full names)

 

 

Position:

 

 

Signature:

 

 

Complaint accepted:

Yes

No

Reference Number:

 

 

Date stamp

 

 

 

PART A

PERSONAL INFORMATION OF COMPLAINANT

Full names:

 

Identity number:

 

Postal Address:

 

Street Address:

 

E-mail address:

 

Contact
numbers:

Tel. (B):

Facsimile

Cellular

 

I consent to being contacted at the above e-mail address or through that of my representative on my behalf. I acknowledge that sending e-mail over the Internet is not secure, in that it can be intercepted and/or manipulated and retransmitted.

PART B
REPRESENTATIVE INFORMATION
(Complete only if you will be represented. A Power of Attorney must be attached if complainant is a
representative, failing which the complaint will be rejected)

Full names of representative:

 

Nature of representation:

 

Identity number/Registration number:

 

Postal Address:

 

Street Address:

 

E-mail address:

 

Contact numbers:

Tel. (B):

Facsimile

Cellular:

 

 

PART C

ORGANISATION AGAINST WHICH THE COMPLAINT IS LODGED

 

Type of body:

Private                                                                                        Public

 

Name of *public/private body:

 

 

Registration number (if any):

 

 

 

Name, surname and title of person you dealt with at the public or private body to try to resolve your complaint or request to access of information:

 

 

Postal Address:

 

 

Street Address:

 

 

E-mail address:

 

 

Contact
numbers:

Tel. (B):

Facsimile

 

Cellular

 

 

Reference number given (if any):

 

 

PART D
COMPLAINT
Tell us about the steps you have taken to try to resolve your complaint (Complaints should first be
submitted directly to the public body for response and possible resolution; there are limited exceptions)

 

 

 

 

 

 

 

 

Date on which request for access to records submitted:

 

Please specify the nature of the right(s) to be exercised or protected, if a compliant is against a private body:

 

Have you attempted to resolve the matter with the organisation?

Yes

 

No

 

If yes, when did you receive it? (Please attach the letter to this application.)

 

Did you appeal against a decision of the information officer of the public body?

Yes

 

No

 

If yes, when did you lodge an appeal?

 

Have you applied to Court for appropriate relief regarding this matter?

Yes

 

No

 

If yes, please indicate when was the matter adjudicated by the Court? Please attach Court Order, if there is any.

 

 

 

PART E

DETAILED TYPE OF ACCESS TO RECORDS

(Please select one or more of the following to describe your complaint to the Regulator)

 

Unsuccessful appeal: (Section 77A(2)(a) or section 77A(3)(a) of PAIA)

I have appealed against the decision of the public body and the appeal is unsuccessful.

 

 

Unsuccessful application for condonation:

I filed my appeal against the decision of the public body late and applied for

 

 

(Sections 77A(2)(b) and 75(2) of PAIA)

condonation.         The        condonation

application was dismissed.

 

 

Refusal of a request for access: (Section 77A(2)(c)(i) or 77A (d)(i) or 77A(3)(b) or of PAIA)

I requested access to information held by a body and that request was refused or partially refused.

 

 

The body requires me to pay a fee and I feel it is excessive:

(Sections 22 or 54 of PAIA)

Tender or payment of the prescribed request fee.

 

 

The tender or payment of a deposit.

 

 

The tender or payment of a deposit.

 

 

Repayment of the deposit: (Section 22(4) of PAIA)

The information officer refused to repay a deposit paid in respect of a request for access which is refused.

 

 

Disagree with time extension: (Sections 26 or 57 of PAIA)

The body decided to extend the time limit for responding to my request, and I disagree with the requested time limit extension or a time extension taken to

respond  to    my   access    request    is
inappropriate.

 

 

Form of access denied: (Sections 29(3) or sections 60(a) of PAIA)

I requested access in a particular and reasonable form and such form of access was refused.

 

 

Deemed refusal: (Sections 27 or 58 of PAIA)

It is more than 30 days since I made my request and I have not received a decision. No response received and no extension has been taken.

 

 

Extension period has expired and no response received.

 

 

Inappropriate disclosure

of a record:

(Mandatory grounds for

refusal  of   access     to
record)

Records that are subject to the grounds for refusal of access to records have been inappropriately or unreasonable disclosed.

 

 

No adequate reasons for the refusal of access: (Section 56(3)(a) of PAIA)

My request for access is refused, and a body did not provide valid or adequate reasons for the refusal, including the provisions of this Act relied on.

 

 

Partial access to record: (Section 28(2) of 59(2) of PAIA)

The body has granted access to part of the requested records and I believe that more of them should be disclosed.

 

 

Fee waiver:

(Sections 22(8) or  54(8)of PAIA)

I am exempt from paying any fee and the body has refused to grant my request to waive the fees.

 

 

Records that cannot be found or do not exist: (Section 23 or 55 of  PAIA)

The body indicated that some or all of the requested records do not exist and I believe that more records do exist.

 

 

Failure to disclose records:

The body decided to grant me access to

requested   records, but    I  have    not
received them.

 

 

No jurisdiction (exercise or protection of any rights): (Section 50(1)(a) of PAIA)

The body indicated that the requested records are excluded from PAIA and I disagree.

 

 

Frivolous or vexatious request: (Section 45 of PAIA)

The body indicated that my request is manifestly frivolous or vexatious and I disagree.

 

Access to personal information: (Section 23 of POPIA)

My request to a responsible party to confirm whether or

not   the    responsible     party    holds
personal my information has been refused

 

 

My request for access to record or a

description       of       my         personal
information held by the responsible party, including information about the

identity    of   all     third   parties,     or
categories of third parties, who have, or have had, access to my personal information has been refused.

 

 

Other:

(Please explain):

 

 

 

 

PART F

EXPECTED OUTCOME

How do you think the Regulator can assist you? Describe the result or outcome that you seek.

 

PART G

AGREEMENTS

The legal basis for the following agreements is explained in the Privacy Notice on how to file your complaint document. In order for the Regulator to process your complaint, you need to check each one of the checkboxes below to show your agreement:

I agree that the Regulator may use the information provided in my complaint to assist it in researching issues relating to the promotion the right of access to information as well as the protection of the right to privacy in South Africa. I understand that the Regulator will never include my personal or other identifying information in any public report, and that my personal information is still protected by Protection of Personal Information Act, 2013. I understand that if I do not agree, the Regulator will still process my complaint.

The information in this Complaint Form is true to the best of my knowledge and belief.

I authorize the Regulator to collect my personal complaint information (such as the information about me in this complaint form) and use it to process my human rights complaint relating to the the right of access to information and / or the protection of the right to privacy.

I authorize anyone (such as an employer, service provider, witness) who has information needed to process my complaint to share it with the Regulator. The Regulator can obtain this information by talking to witnesses or asking for written records. Depending on the nature of the complaint, these records could include personnel files or employer data, medical or hospital records, and financial or taxpayer information.

If any of my contact information changes during the complaint process, it is my responsibility to inform the Regulator; otherwise my complaint could experience a delay or even be closed.

Signed at__________________ this___________ day of_____________ 20___

 

Complainant

________________________