REALTY’S CLUB(RC) Protection of Personal Information Policy and Compliance Manual (dated December 2024) shall hereinafter be referred to as the “POPI Policy”, having been prepared in terms of the Protection of Personal Information Act 4 of 2013, as amended from time to time and in terms of the Regulations thereto (“POPI Act”).

The POPI Policy has been unanimously adopted and approved by all of the directors of REALTY’S CLUB on 19 December 024.

1. THE PURPOSE OF THE POPI ACT

1. In terms of the Constitution, 1996 everyone has a right to privacy which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
2. The purpose of the POPI Act is to amongst others to regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.

2. RC’s IS A RESPONSIBLE PARTY

1. 1. Processing is defined in the POPI Act to include the collection, receipt, storage, recording, organisation, collation, updating or modification, usage, retrieval, retention and destruction of personal information.
   2. Personal information is defined very broadly as an identifiable, living, natural person’s information and, where applicable, an identifiable, existing juristic person’s information, including:
   3. As at the date of these rules being adopted the RC
   4. Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
   5. The name of the person as it appears with other personal information relating to that person or if disclosure of the name itself would reveal information about the person; Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; Biometric information of the person; The personal opinions, views or preferences of the person;
   6. The views or opinion of another individual about the person;
   7. Information relating to the education or the medical, financial, criminal or employment history of the person. As RC intends on storing and processing personal information for the purposes of marketing to clients it is a responsible party as defined in the POPI Act and is required to comply with the POPI Act.

3. INFORMATION OFFICERS AND DEPUTY INFORMATION OFFICERS

1. 1. The directors of each office of RC are responsible for ensuring compliance with the POPI Act and this Policy by each such office and by the staff of each such office.
   2. In order to assist the directors with discharging their duties the following nominated information officers and deputy information offices are appointed by each office to support and report to the directors:
   3. RC Information Officer: Angela and Deputy Information Officer: to be determined by the directors from time to timeand such other additional personnel as may be appointed by RCas notified to the employees in writing from time to time (hereinafter each referred to as the “Nominated Information Officer”).
   4. Any and all assistance required in implementing the Policy, or concerns arising regarding potential and existing clients should be escalated to the Nominated Information Officer or Deputy Information Officer.

4. RIGHTS OF DATA SUBJECTS (SECTION 5)

1. 1. In terms of the POPI Act certain rights are given to “data subjects” (being the person to whom personal information relates). These rights include:
      1. Notification of the information being collected and for what purpose;
      2. Establishing what information, the responsible party holds and the right to request access to such information.
      3. Object to the processing of his/her information.
      4. Request correction, destruction or deletion of personal information.
      5. Refuse processing for direct marketing by unsolicited electronic communications.
      6. Complain to the Regulator and institute civil proceedings.

5. REQUIREMENTS TO BE COMPLIANT – CONDITIONS OF LAWFUL PROCESSING – CHAPTER 3 OF POPI ACT

1. 1. The POPI Act provides for the establishment of minimum requirements for processing of personal information. The conditions for lawful processing of personal information which consist of eight conditions, which will be dealt with as necessary in more detail in this Policy, namely:
      1. Condition 1 – Accountability;
      2. Condition 2 – Processing limitation (consent);
      3. Condition 3 – Specific purpose;
      4. Condition 4 – Further processing limitation;
      5. Condition 5 – Information quality;
      6. Condition 6 – Openness;
      7. Condition 7 – Security safeguards;
      8. Condition 8 – Data subject participation.

6. PROCESSING LIMITATIONS – CONDITION 2

1. 1. The RC Consent Form must be signed by the client personally and obtained by the client directly.
   2. The personal information obtained will be stored on our electronic database along with a scanned copy of the signed RC Consent Form, assuming the client has consented to the processing and use of their personal information.
   3. If the clients do not consent to the processing and storage of their information on the RC Consent Form and opts out of direct marketing, the RC Consent Form is to be placed in the clients file and their personal information will not be included in our marketing database.
   4. Their personal information will remain on file and will be treated in the ordinary course in accordance with the RC FICA obligations as set out in the RC RMCP.
   5. It is noted that clients may at any time withdraw his/her consent at which time they shall be removed from the relevant marketing database.

7. PURPOSE SPECIFICATION – CONDITION 3

1. 1. The personal information of the client shall be retained for birthday notifications, anniversary notifications and for marketing the services of RC and its affiliates as provided for in the RC Consent Form.
   2. As provided for in the RC Consent Form the personal information of clients shall be retained until the client requests the destruction or deletion of such information or otherwise requests to be removed from the RC marketing database. At such time the Nominated Information Officer shall as soon as practicable ensure that such information is destroyed and deleted.

8. FURTHER PROCESSING LIMITATION – CONDITION 4

1. 1. Further processing of personal information may be undertaken as approved by the Directors and Nominated Information Officer from time to time, in accordance with the consent contained in the RC Consent Form.

9. INFORMATION QUALITY – CONDITION 5

1. 1. The Nominated Information Officer must take all reasonable steps to ensure that the information uploaded o the relevant physical and electronic marketing databases are complete and accurate, are not misleading and are updated where necessary.

10. OPENNESS – CONDITION 6

1. 1. A client may request a copy of the RC PAIA manual, a copy of which will be provided by the Nominated Information Officer on request.
   2. Clients must be made aware of certain information when obtaining their consent, this is specified in the RC Consent Form and should be pointed out by staff to the client when the relevant form is signed.

11. SECURITY SAFEGUARDS– CONDITION 7

1. 1. RC must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent –
      1. loss of, damage to or unauthorised destruction of personal information; and
      2. unlawful access to or processing of personal information.
      3. The Nominated Information Officer shall identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
      4. The Nominated Information Officer shall take such steps and shall ensure that RC’s POPI Act obligations are carried forward into any such services contract and that service providers that may store and/or process such information from time to time agree to comply with the terms of this manual and the applicable statutory obligations.
      5. If personal information accessed or acquired by any unauthorised person the Nominated Information Officer must notify the Information Regulator and clients as soon as reasonably possible.

12. DATA SUBJECT PARTICIPATION – CONDITION 8

1. 1. Clients may request RC and the Nominated Information Officer shall then correct or
   2. delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
   3. On request from a client subject RC and the Nominated Information Officer shall as soon as reasonably possible correct, destroy or delete the personal information.

13. RECORDS OF INFORMATION NOT TO BE KEPT BY RC

1. RC will not store or process information relating to a client’s religious or philosophical beliefs, or a data subjects race or ethnic origin (other than such information which is set out in a client’s identity number and is obtained by default but such information is not used to differentially categorise or process information); or
2. trade union membership; or
3. political persuasions, or
4. in respect of a persons health or sex life or the criminal or biometric information of clients.
5.  

14. PROCESSING OF PERSONAL INFORMATION RELATING TO CHILDREN

1. Information regarding children shall only be stored and processed with the prior consent of a competent person, as provided for in the RC Consent Form.

15. CODE OF CONDUCT

The Nominated Compliance Officer shall advise of any amendments to the RCConsent Form or this Policy from time to time in terms of amendments to the POPI Act, the Regulations issued pursuant thereto and any directives and codes of conduct issued by the Information Regulator from time to time.

16. TRAINING

1. Training of staff and employees will be conducted by way of:
2. 1. 1. A meeting involving the entire staff complement of employees and administrative personnel and for all new staff in each group of companies forming part of RC.
      2. Training may be undertaken in group sessions, when importance changes occur and as frequently as the board of directors may direct. Training and individual refresher training will also be available to employees on request. Each staff member will be provided with a copy of the Policy as revised from time to time and may be required to sign an acknowledgement of receipt and an acknowledgement that training has been effected.

17. NON-COMPLIANCE AND PENALTIES FOR NON-COMPLIANCE

Compliance will be enforced by an Information Regulator, which will have far-reaching powers.  The legislation provides for the following penalties for non-compliance after the initial grace period:

1. 12 months to ten years’ imprisonment.
2. Up to R 10 million fine.
3. Civil remedies.

Failure by any employee to comply with this Policy will constitute a breach of such employee’s conditions of employment, and may therefore expose such employee to disciplinary procedures, or may expose the staff member and RC to criminal penalties which are severe. In the event of non-compliance, alleged or suspected noncompliance with the POPI Act and this Policy a disciplinary hearing will be held and non-compliance could result in dismissal.