NML internal privacy policy

General terms

Purpose of this privacy policy New Media Labs Services (Pty) Limited (NML) respects your privacy and is committed to protecting your personal information. This privacy policy explains how we collect and process the personal information that you provide to us. Where we refer to “personal information”, it means “personal information” as defined in the Protection of Personal Information Act, 4 of 2013 (POPI), and “personal data” as per the General Data Protection Regulation 2016/679 (GDPR). Please also see the Glossary that gives the meaning of some of the terms used in this privacy policy. This privacy policy applies to all employees, workers and contractors.

NML is a "responsible party" which means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection laws to notify you of the information contained in this privacy policy. This policy applies to current and former employees, workers and contractors. This policy may form part of your contract of employment or other contracts to provide services. It is important that you read and retain this policy so that you are aware of how and why we are using such information and what your rights are under the data protection laws.

Contact details

If you have any questions about this privacy policy or would like to enforce any rights that you may have under applicable data protection laws, please contact us at:

Information Officer

Email: charl@nml.co.za

Address: 15a Peter Cloete Avenue, Constantia 7806, Cape Town, South Africa

If you believe we are using your personal information unlawfully, please contact us in the first instance. You have the right to make a complaint at any time to the Information Regulator (South Africa) or other relevant supervisory authority:

Information Regulator Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017 Tel No: +27 (0) 10 023 5200 Cell No: +27 (0) 82 746 4173 Complaints email: complaints.IR@justice.gov.za General enquiries email: inforeg@justice.gov.za

Changes to this privacy policy and your duty to inform us of changes

This privacy notice was last updated on 25 May 2021. We reserve the right to update this privacy policy at any time, and we will provide you with a new privacy policy when we make any substantial updates. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

The kind of information we hold about you

Personal information means any information about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data). We will collect, store, and use the following categories of personal information about you:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
• Date of birth.
• Identity number.
• Gender.
• Next of kin and emergency contact information.
• Income tax number.
• Bank account details, payroll records and tax status information.
• Salary, annual leave, benefits information.
• Start date.
• Leaving date and your reason for leaving.
• Location of employment or workplace.
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
• Employment records (including job titles, work history, working hours, holidays, training records and professional memberships).
• Compensation history.
• Performance information.
• Disciplinary and grievance information.
• CCTV footage and other information obtained through electronic means such as access records.
• Information about your use of our information and communications systems.
• Photographs.

We may also collect, store and use the following Special Personal Information:

• Information about your race or ethnicity.
• Information about your health, including any medical condition, health and sickness records, including details of any absences (other than holidays) from work including time on statutory parental leave and sick leave.
• Biometric data.
• Information about criminal convictions and offences.

How we collect your personal information

We collect personal information about employees, workers and contractors through our recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or references. We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• Where we need to perform the contract we have entered into with you.
• Where we need to comply with a legal obligation.
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.
• We may also use your personal information to protect your interests (or someone else's interests) or where it is needed in the public interest, both of which are likely to be rare situations.

Purposes for which we will use your personal information We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information to pursue legitimate interests, provided your interests and fundamental rights do not override those interests. We have set out below a non-exhaustive list of the situations in which we will process your personal information.

• Making a decision about your recruitment or appointment.
• Determining the terms on which you work for us.
• Determining your income tax status.
• Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax, UIF and SDL payments.
• Administering the contract we have entered into with you.
• Business management and planning, including accounting and auditing.
• Conducting performance reviews, managing performance and determining performance requirements.
• Making decisions about salary reviews and compensation.
• Assessing qualifications for a particular job or task, including decisions about promotions.
• Gathering evidence for possible grievance or disciplinary hearings.
• Making decisions about your continued employment or engagement.
• Making arrangements for the termination of our working relationship.
• Education, training and development requirements.
• Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
• Ascertaining your fitness to work.
• Managing sickness absence.
• Complying with health and safety obligations.
• To prevent fraud.
• To monitor your use of our information and communication systems to ensure compliance with our IT policies.
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
• Monitoring in terms of employment equity and BBEEE laws and regulations.

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may also process your personal information without your knowledge or consent where this is required or permitted by law.

Special Personal Information

We will only collect and process Special Personal Information (i) with your consent, (ii) where we need to carry out our legal obligations or exercise legal rights, (iii) where it is needed in the public interest, such as for monitoring in terms of employment equity and BBEEE laws and regulations, or (iv) where you have already made the information publicly available.

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you. We do not envisage that any decisions will be taken about you using automated means, however, we will notify you in writing if this position changes.

Data sharing

We will only share your personal information for purposes of administering the working relationship with you or where we have another legitimate interest in doing so. Where required for business activities, we may share your personal information with our third-party service providers or other entities in our group.

Third parties

"Third parties" means includes other entities within our group and third-party service providers (including contractors and designated agents), for example:

• Service providers based in the United States who provide hosting or email messaging services.
• Professional advisers including lawyers, accountants, auditors, information technology service providers, payroll service providers, human resources service providers based in South Africa.
• The South African Revenue Service (SARS) and other regulators based in South Africa who require reporting in certain circumstances.
• Third parties in the context of the possible sale or restructuring of the business.
• Third-party security

We require all third parties to take appropriate security measures to protect your personal information in line with our policies and the law. We do not allow our third-party service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions. International transfers

Some of our third parties, for example, hosting and email messaging providers, may be based outside of South Africa (or the EU) so their processing of your personal information will involve a transfer of data. Whenever we transfer your personal information internationally, we ensure a similar and adequate degree of protection is afforded to it by ensuring safeguards are implemented, for example:

• We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information.
• Where we use certain service providers, we may use specific standard contracts which give personal information the necessary level of protection.
• Where we use providers based in the United States, in addition to other necessary adequate levels of protection, we may transfer data to them if they are part of the Privacy Shield. Please contact us if you want further information on how we transfer your personal information internationally.

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. All information you provide to us is stored on our or our third party’s secure servers. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further policy to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal information and to check that we are lawfully processing it.

Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with applicable law. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to you or to a third party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data or request that we transfer a copy of your personal information to another party, please contact the Information Officer in writing.

Withdraw consent at any time where we are relying on consent to process your personal information. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to perform the contract we have entered into with you (such as paying you). We will advise you if this is the case at the time you withdraw your consent. Once we have been notified that you have withdrawn your consent, we will no longer process your information for the purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

If you wish to exercise any of the rights set out above, please contact our Information Officer using the contact details stated above.

General

No fee usually required. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with the request in such circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Time limit to respond. We try to respond to all legitimate requests as soon as is reasonably practicable and in any event within the statutory time-limits. It could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Glossary

Legitimate interest means the interest of our business in conducting and managing our business. We make sure we consider and balance any potential impact on you and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. Comply with a legal obligation means processing your personal information where it is necessary for compliance with a legal obligation that we are subject to.