POPI & PAIA MANUAL

POPI & PAIA MANUAL.

The basis of the POPI Act is that organisations need to conduct themselves responsibly - responsible corporate citizenship. Organisations should not only be responsible, but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation, to be responsible when it comes to the process of storing and sharing personal information.

Mi Buget uses and maintains its data responsibly. Our full POPI manual is listed below and our complaints line and opt-out features are readily available.

MI BUGET (PTY) LTD

MANUAL IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT

CONTENTS

• Introduction
• Availability of Manual
• Contact Details
• Guide of The South African Human Rights Commission
• Information Regulator
• Notice ito Section 52(2) of PAIA
• Records Available in accordance with Legislation
• Records Available with a Request to Access
• How to Request Access to a Record
• Prescribed Fees
• Refusal of a Request to Access Records
• Remedies Available when a Request is Refused
• Processing of Personal Information
• Purpose of Processing Personal Information
• Categories of Personal Information
• Sharing of Personal Information
• Transborder Flows of Personal Information
• Security of Personal Information
• Annexure 1 – Request for access to record of a private body
• Annexure 2 – Request for correction or deletion of personal information

INTRODUCTION

Mi Buget (Pty) Ltd (“Mi Buget”) is a private company with registration number 2014/095777/07 and registered address at Physical Address: V&A Waterfront, Cape Town, 8001, South Africa. We are a digital lead generation and branding company that utilises a range of digital channels and strategies to create brand awareness and generate leads as well as increasing sales revenue of our clients.

The objective of the Promotion of Access to Information Act, 2000 (“PAIA”) is to give effect to the constitutional right to access to information, which is held by a public or private body and which is required for the exercise or protection of any rights. PAIA recognises the right entrenched in Section 32 of the Constitution of the Republic of South Africa, 1996, and aims to foster a culture of transparency and accountability in public and private bodies by giving effect to the right of access to information.

This manual is published in terms of Section 51 of PAIA and provides an outline of the type of records and personal information which we hold. The manual also explains how to submit requests for access to these records, and explains how to access, or object to, personal information held by us, or request correction of the personal information, in terms of the Protection of Personal Information Act, 2013 (“POPIA”).

This manual further describes how we use your information when you utilise our software and services and sets out the requirements with which we undertake to comply when processing personal information pursuant to undertaking our operations.

AVAILABILITY OF MANUAL

This manual is available at our place of business at : Physical Address: V&A Waterfront, Cape Town, 8001, and to view on our website at www.mibudget.co.za

CONTACT DETAILS

Mi Buget:

Call: +27 21 140 3222

Physical Address: V&A Waterfront, Cape Town, 8001

Postal Address: V&A Waterfront, Cape Town, 8001

Website: www.mibuget.co.za

Information Officer:

Name: Ian Kinsey

Email address: ian@mibudget.co.za

Call: +27 21 140 3222

We are a private body and as such our Head of Body, Ian Kinsey, is our information officer. We have appointed Ian Kinsey as a deputy information officer to whom the responsibilities in terms of PAIA and POPIA have been delegated.

GUIDE OF THE SOUTH AFRICAN HUMAN RIGHTS COMMISSION

The South African Human Rights Commission has compiled the Guide as required in terms of Section 10 of PAIA. The Guide contains such information as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and accordingly it contains information on understanding and how to use PAIA and includes the objectives of PAIA, the particulars of every public and private body, the manner and form for requests, and contents of the Regulations promulgated under PAIA.

The Guide is available in all the official languages of the Republic of South Africa and can be obtained from the South African Human Rights Commission, at:

PAIA Unit (The Research and Documentation Department)

29 Princess of Wales Terrace, corner York and St. Andrews Street, Parktown, Johannesburg

Private Bag X2700, Houghton, 2041

Telephone Number: +27 21 140 3222

Facsimile Number: 011 403-0625

Website: http://www.sahrc.org.za

E-mail Address: section51.paia@sahrc.org.za

INFORMATION REGULATOR

The Information Regulator has jurisdiction over PAIA and POPIA to educate, guide, monitor and enforce PAIA and POPIA.

Queries and complaints can be directed to the Office of the Information Regulator at:

The Office of the Information Regulator

Braampark Forum, 33 Hoofd Street, Braamfontein, Johannesburg

PO Box 31533, Braamfontein, Johannesburg, 2017

Telephone Number: 021 140 7069 / 010 023 5207

Website: sahrc.org.za

Email: inforeg@justice.gov.za

NOTICE ITO SECTION 52(2) OF PAIA

At this stage, no notice(s) has/have been published on the categories of records that are automatically available without a person having to request access in terms of PAIA.

Records Available with a Request to Access

The following records are held by us and available only on a request to access in terms of this PAIA manual. The information is classified and grouped according to records relating to the following subjects and categories:

Personnel Records

• Information provided by personnel
• Information provided by third parties relating to personnel
• Conditions of employment
• Internal evaluation records
• Correspondence
• Training schedules and material
• Other personnel and consultant-related records

Contractor / Consultant Records

• Information provided by contractors / consultants
• Information provided by third parties relating to contractors / consultants
• Conditions of service level agreements with contractors / consultants
• Internal evaluation records
• Correspondence
• Other contractor/consultant-related records

Client Records

• Records provided by a client
• Records provided by a third party related to a client
• Records generated within MiBudget related to a client
• Records generated within MiBudget in execution of MiBudget’s contract with their clients
• Other client-related records

Potential Customer Records

• Records provided by potential customers
• Recordings
• Correspondence
• Other potential customer-related records

Customer Records

• Records provided by customers
• Recordings
• Correspondence
• Records generated within MiBudget in execution of MiBudget’s contract with their customers
• Other customer-related records

Company Records

• Financial records
• Operational records
• Databases
• Information technology
• Statutory records
• Internal policies and procedures
• Correspondence
• Other company-related records

How to Request Access to a Record

Records held by us may be accessed by requests only once the prerequisite requirements for access have been met. A requester is any person making a request for access to a record. There are two types of requesters:

Personal Requester

A requester who is seeking access to a record containing personal information about the requester. We will voluntarily provide the requested information or give access to any record with regard to the requester’s personal information. We will not charge a request fee, however the prescribed fee for reproduction of the information requested will be charged.

Other Requester

This requester (other than a personal requester) is entitled to request access to information on third parties. The requester must comply with all the procedural requirements contained in PAIA relating to the request for access to a record. In considering such a request, we will adhere to the provisions of PAIA and the Information Officer will take all reasonable steps to inform a third party to whom the requested record relates of the request, informing the third party that they may make a written or oral representation to the Information Officer why the request should be refused or, where required, give written consent for the disclosure of the information. We are not obliged to voluntarily grant access to such records. The requester must fulfil the prerequisite requirements as stated herein. The prescribed fees will be charged.

The requester must complete the prescribed form – refer to Annexure 1 – Request for access to record of a private body. A requester may need to pay a fee to enable us to respond to a request. These fees will be charged in terms of PAIA. Refer to paragraph 10 below – Prescribed Fees. Where these fees are applicable, the requester will be given a written estimate of the fee before providing the services.

Prescribed Fees

• Requesting access to a record: R50.00
• Copy per A4 page: R1.10
• Printing per A4 page: R0.70
• Copy on a CD: R70.00
• Transcript of visual images per A4 page: R40.00
• Copy of a visual image: R60.00
• Transcription of an audio recording per A4 page: R20.00
• Copy of an audio recording: R30.00
• Search & preparation of the record for disclosure, per hour or part thereof (excluding the first hour): R30.00
• Actual postage fee: as applicable

Refusal of a Request to Access to Records

We are entitled to refuse a request for information in accordance with PAIA. The main grounds for refusal include:

• Mandatory protection of the privacy of a third party who is a natural person or a deceased person or a juristic person, as included in POPIA, which would involve the unreasonable disclosure of personal information of that natural or juristic person.
• Mandatory protection of personal information and for disclosure of any personal information to, in addition to any other legislative, regulatory, or contractual agreements, comply with the provisions of POPIA.
• Requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources will be refused.

Remedies Available When a Request is Refused

We do not have an internal appeal procedure. The decision made to refuse access to a record is final.

A requestor who is dissatisfied with our refusal to disclose information may, within 30 (thirty) days of notification of the decision, apply to a Court for relief.

A third party dissatisfied with our decision to grant a request for information may, within 30 (thirty) days of notification of the decision, apply to a Court for relief.

Processing Personal Information

We have appointed Ian Kinsey as our Information Officer who is responsible and accountable for ensuring that we comply with the provisions of PAIA and POPIA. He is te information officer to whom the responsibilities in terms of PAIA and POPIA have been delegated. Refer to paragraph 3 – Contract Details.

We abide by strict principles when collecting, recording, storing, disseminating, and destroying personal information, and responding to requests for our information. We place a high premium on the privacy of every person or organization we interact with and therefore acknowledge the need to ensure that personal information is handled with a reasonable standard of care. We are committed to ensuring compliance with the requirements of POPIA.

We ensure that we only process personal information necessary for running our business, executing contracts, and protecting our legitimate interests. We will only process personal information if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.

We collect personal information for specific, lawful purposes related to a legitimate function or activity, and only process personal information for reasons compatible with those purposes. We take reasonably practicable steps to ensure the accuracy, completeness, and relevance of the personal information we process.

Data subjects may access and contest their personal information by following the appropriate procedures outlined in Annexure 1 and Annexure 2. We secure the integrity and confidentiality of personal information in our possession through appropriate technical and organizational measures.

We process personal information for the purpose of direct marketing only with the consent of the data subject. Any direct marketing communication will contain sender identity and opt-out instructions.

Purpose of Processing Personal Information

• Company secretarial purposes
• General administration purposes
• Recruitment and employment purposes
• Execution of contracts and provision of services
• Customer relationship management
• Secure storage and retention of personal information
• Health and safety compliance
• Risk assessment and management
• Direct marketing
• Improvement of MiBudget’s products and services
• Compliance with regulatory requirements
• Transborder transfers of personal information to foreign countries

Categories of Personal Information

We process the following personal information for various categories of data subjects:

• Prospective Employees: Name, gender, age, ID number, contact information, location, education, and employment history
• Employees and Apprentices: Same as prospective employees
• Clients: Identification and contact information
• Suppliers and Contractors: Identification and contact information
• Customers / Potential Customers: Name, gender, age, ID number, contact information, location

Sharing of Personal Information

We may share personal information with third-party processors under an operator’s agreement, including payment processors, data storage providers, and server hosts. These operators are bound by agreements to secure the personal information and use it only as required by us.

We share personal information of customers with our clients as necessary to execute contracts, always obtaining prior consent from the data subject. We do not share personal information with third parties outside of these agreements.

Transborder Flows of Personal Information

We do not transfer personal information to a foreign country unless the recipient is subject to laws or agreements providing adequate protection similar to POPIA. We currently transfer personal information to third parties in the United Kingdom.

Security of Personal Information

We take appropriate, reasonable technical and organizational measures to secure the integrity and confidentiality of personal information in our possession, including performing risk assessments, implementing safeguards, and ensuring data security. Our servers are fully redundant and load-balanced to ensure high availability and data security.

We also ensure that third-party processors who handle personal information on our behalf apply adequate safeguards as required by our agreements and applicable laws.