Protection of Personal Information

1. For the purpose of this clause, the words “personal information”, “process or processing or processed”, “data subject” and “person” have the meaning given to them under Chapter 1 of South Africa’s Protection of Personal Information Act 4 of 2013 (hereinafter referred to as the “POPI Act”).

2. The Operator will:

2.1 process the personal information strictly in accordance with the POPI Act;

2.2 process the personal information only for purposes specifically instructed by SARIMA and the personal information received shall not be further processed or disclosed without the consent of SARIMA;

2.3 keep the personal information confidential and not disclose it, unless any disclosure is required by law, or for the purposes of performing its mandate, or where the Operator has been called upon to hand over and disclose the information, provided that it will not hand over or disclose such information until such time it has provided SARIMA with notice that it is required to hand such information over and an opportunity to communicate with the person who is requiring such handover and/or disclosure;

2.4 secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, unlawful access to or processing of personal information;

2.5 have in place reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards;

2.6 have in place generally accepted information security practices and procedures which are expected of it generally or in terms of the specific industry or professional rules and regulations, to which it is subject;

2.7 where it is allowed to transfer the personal information onwards to any third party for the purposes of performing its mandate, it has in place written arrangements which compel the said third party to respect and maintain the confidentiality and security of the personal Information in compliance with POPI;

2.8 remedy any security breach within the shortest reasonable time, and provide SARIMA with the details of the security breach and the measures that the Operator intends to take or has taken to address the security compromise; and

2.9 notify SARIMA immediately where the Operator has reasonable grounds to believe that the personal information, which has been provided to the Operator, has been accessed or acquired by any unauthorised person.

3. The Operator indemnifies and holds SARIMA harmless against any loss, damage, action or claim that may be brought by whomsoever against SARIMA or any of its partners or employees in consequence of it or its employees or agents breaching any of the or undertakings set out in this Agreement, and which breach pertains to the personal information which it has been mandated by SARIMA to process.

4. In the event of the Operator, its employees or agents breaching this clause of the Agreement, and which breach pertains to the personal information which it has been mandated by SARIMA to process, then in such any event, the Operator shall be liable for all and any damages it may have caused in consequence of said breach including patrimonial, non-patrimonial and punitive damages actually suffered by SARIMA and/or the data subject to whom the personal information relates.

5. The parties agree that the termination of this Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions set out under this Agreement with regards to the processing of the personal information.

6. In the event of this Agreement being terminated whenever, and for whatever reason, the Operator undertakes:

6.1 to restore and/or transfer back to SARIMA within a period of 1 month, all the personal information which has been provided to the Operator, together with any related documentation and/or information;

6.2 confirm in writing simultaneously when the transfer under clause 1 takes place, that all such information will be kept confidential as per the provisions of clause 2.3 and that it will not under any circumstances used the aforementioned information.