POPIA Manual
Entered into by and between Amaya Industries CC and the Customer / Supplier / Contractor.
WHEREAS the Customer / Supplier / Contractor wishes to engage the services of the Company / supply services or products to the Company;
AND WHEREAS the provision of the said services / products involves the collection, storage, processing and management of Personal Information;
AND WHEREAS the parties wish to record their compliance with the regulations of the POPI Act.
1. The POPI Act
The Protection of Personal Information Act, 4 of 2013 ("POPIA") aims to safeguard the integrity and sensitivity of Personal Information. The Act further regulates and controls the processing of Personal Information relating to a natural person as well as a juristic person. Processing includes the collection, use, and transfer of a person or legal entity’s Personal Information.
2. POPI Act Definitions
- Child: A natural person under the age of 18 years who is not legally competent, without assistance, to take any decision regarding themselves.
- Data Subject: The person (natural or juristic) to whom the personal information relates.
- Electronic Communication: Any text, voice, sound, or image message sent over an electronic communications network and stored until retrieved by the recipient.
- Information Officer: In a private body, this means the head of the body as defined by the POPI Act.
- Operator: A person who processes personal information for a responsible party under a contract or mandate, without being under direct authority.
- Person: A natural or juristic person.
- Personal Information: Information relating to an identifiable living person or existing juristic person including identity numbers, contact details, demographics, biometric data, opinions, correspondence, etc.
- Processing: Any operation concerning personal information including collection, storage, modification, use, dissemination, or destruction.
- Record: Any recorded information in any format including writing, audio, visuals, and electronic formats.
3. Terms and Conditions
3.1 In terms of the POPI Act, where a Responsible Party processes a Data Subject’s Personal Information, the Responsible Party has a legal duty to protect that Data Subject’s Personal Information in a lawful, legitimate and responsible manner and in accordance with the provisions of the POPI Act read together with the eight core processing conditions set out under POPIA.
3.2 Furthermore, unless the processing:
- 3.2.1 is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or
- 3.2.2 is required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or
- 3.2.3 is necessary to protect the legitimate interests of the Data Subject or the Responsible Party; or
- 3.2.4 is necessary for the proper performance of a public law duty by a public body; or
- 3.2.5 is necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests, or that of a third party to whom the Personal Information is supplied,
... all processing of a Data Subject’s Personal Information must be done with the Data Subject’s express and informed consent and permission.
3.3 The Company does and will from time to time process Personal Information which belongs to, or which is held by a Data Subject.
3.4 In order to comply with the POPI Act, the Company, as the Responsible Party, requires the Data Subject’s consent and express and implied permission to process the Data Subject’s Personal Information.
3.5 The Personal Information and any associated records received by or compiled by or processed by the Company shall remain at all times the sole property of the Company.
3.6 POPIA Conditions Include:
- Accountability: The Company ensures compliance with POPIA, led by the Information Officer, Anton Smith.
- Processing Limitation: Personal Information may only be processed in a fair, lawful manner with consent and only for specific, required purposes.
- Purpose Specific: Information must only be processed for clearly defined, legitimate reasons, and destroyed after 5 years unless otherwise required by law.
- Further Processing Limitation: Any secondary usage of personal data must be compatible with the original purpose and require new consent.
- Information Quality: Reasonable steps will be taken to ensure the data is complete, accurate, and up-to-date.
- Openness: The Company will clearly explain why personal data is collected and how it will be used.
- Security Safeguards: The Company will ensure security measures are in place to protect data against unauthorized access, loss, or breaches. Suspected breaches will be reported promptly.
- Data Subject Participation: Data Subjects can request to access, correct, or delete their personal information, and must be provided access without charge.
4. Purpose for the Collection of Personal Information
4.1 In order for the Company to engage with the Customer / Supplier / Contractor, the Company needs to process the Customer / Supplier / Contractor’s Personal Information including certain Special Personal Information, which will be used for a number of legitimate purposes, including, inter alia, the following:
- For the provision of transport services as per the Transporter / Client Agreement;
- For record-keeping purposes;
- In connection with legal proceedings;
- To conduct credit reference searches or verification;
- To confirm and verify the identity of the Customer / Supplier / Contractor or that of the authorised representative;
- To conduct market or customer satisfaction research or for statistical analysis;
- For audit and record-keeping purposes;
- In connection with legal and regulatory requirements.
4.2 The Company may also use the Customer / Supplier / Contractor’s Personal Information for other lawful purposes relating to its business activities, provided the individual is made aware and gives consent where necessary.
5. Consequences of Withholding Consent or Personal Information
5.1 Should the Customer / Supplier / Contractor refuse to provide the Company with the required Personal Information, which is essential for the purposes described above, along with the necessary consent to process such information, then the Company will be unable to engage with the Customer / Supplier / Contractor.
6. Obligation of the Data Subject
- 6.1 It is the responsibility of the Data Subject to provide the Company with Personal Information that is accurate, up-to-date, not misleading, and complete in all respects. Should this information change, the Data Subject must notify the Company accordingly.
- 6.2 Where the information pertains to a juristic person, the individual providing the information confirms they have the necessary authorization to do so on behalf of that entity.
7. Liability
The Customer / Supplier / Contractor indemnifies and holds the Company harmless against any claims, damages, or liabilities of any kind that may arise, now or in the future, due to the Company’s failure to comply with the relevant laws or regulations applicable to this agreement or the processing of Personal Information. This includes liability arising from the Company's processing activities in good faith based on the information and consent provided by the Data Subject.