Privacy Policy

Halfway Group Holdings (Pty) Ltd

1. Introduction

The right to privacy is a basic human right entrenched in the South African Constitution. The importance of the right to privacy is further entrenched with the enactment of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

POPIA is a comprehensive set of data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests. POPIA further seeks to regulate every step of the processing of personal information from how personal information must be handled when it is collected until the time it is destroyed.

Given the importance of privacy, the Halfway Group is fully committed to protecting your privacy to ensure that your personal information is collected and processed properly, lawfully, and transparently.

2. Definitions

Biometrics
Means a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.
Child
A natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.
Competent person
any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
Consent
Any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies the organisation with products or other goods.
De-Identify
This means to delete any information that identifies a data subject, or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the Data Subject.
Direct marketing
to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
1. promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
2. requesting the Data Subject to make a donation of any kind for any reason.
Electronic communication
Any text, voice, sound, or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
Information Officer
The Information Officer is responsible for ensuring the organisation’s compliance with POPIA. Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.
Operator
A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Personal Information
Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to
1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well- being, disability, religion, conscience, belief, culture, language, and birth of the person
2. information relating to the education or the medical, financial, criminal or employment history of the person
3. any identifying number, symbol, e-mail address, physical address, telephone number, ocation information, online identifier, or other particular assignment to the person
4. the biometric information of the person
5. the personal opinions, views, or preferences of the person
6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
7. the views or opinions of another individual about the person; and
8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
Processing
Any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
1. Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
2. dissemination by means of transmission, distribution or making available in any other form
3. merging, linking, as well as restriction, degradation, erasure, or destruction of information
Responsible Party
A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Record
Means any recorded information, regardless of form or medium, including:
1. Writing on any material
2. Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored
3. Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means
4. Book, map, plan, graph or drawing
5. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced

3. Purpose

This Policy explains how the Halfway Group obtain, use, and disclose personal information, in accordance with the requirements of the Protection of Personal Information Act (“POPIA”).
The Halfway Group aims to ensure that the most updated version of this policy is always made available and assessable to you. To do this, we will ensure that the latest version of this policy is available for download on our website and/or made available on request.

4. Contact Details

General information:

Name of Body:	Halfway Group Holdings (PTY) LTD
Registration number:	2015/274007/07
Physical Address:	31 Stevens Road, Park Rynie, 4182
Telephone number:	039 978 7500
Website:	www.halfwaygroup.co.za

The Information Regulator South Africa

Physical Address:	JD House, 27 Stiemens Street Braamfontein Johannesburg 2001 P.O Box 31533 Braamfontein Johannesburg, 2017
Telephone number:	010 023 5200
Email Address:	enquiries@inforegulator.org.za
Website:	www.justice.gov.za/inforeg/index.html

5. Scope

The Scope of this policy extends to the following:

all operating entities which the Halfway Group holds a majority interest; and
all close corporations to which Mr John George Baikie (Snr) holds majority membership

6. Why we process your information?

We collect and process your personal information mainly to provide you with our products and services, and as required by, tax and other legislation.

We use your personal information to do the following:

Identify you or to verify that you are an authorised user for security purposes.
Process your requests or instructions.
To be able to sell you our products and services.
Manage the goods and services you purchased from us.
Comply with the laws of South Africa.
Detect and prevent fraud, money laundering and other malpractice.
For audit and record keeping purposes.
Offer other products and services to you.

7. What Personal Information we process?

Specific Personal Information processed

We will use your personal information only for the purposes for which it was collected and agreed with you. We will ensure that your personal information is adequate, relevant, and not excessive. In most instances we collect information directly from you. If information is obtained from a third-party source, we will obtain your express consent to do so. Where possible, we will inform you what information you are required to provide to us and what information is optional.

The Halfway Group processes information about the following categories of Data Subjects, including but not limited to:

Category of Data Subjects	Types of Information processed
Individuals (customer, policyholders etc)	Name, surname, South African identity number or other identifying number (e.g., passport), date of birth, age, marital status, citizenship, telephone numbers, email address, physical and postal addresses, drivers’ licence, income tax number, employment information, occupation, financial information (e.g., remuneration), banking information including account numbers, claims and payment history, FICA documentation.
Entities (Corporate Customers, Companies, Close Corporations, Trusts and Partnerships)	Entity name, registration number, tax-related information, contact details for representatives, FICA documentation, beneficial owners’ personal information (as for Individuals).
Directors, Members, Partners & Trustees	Identity numbers, names, physical and postal address, contact numbers, email address & FICA documentation.
Employees (potential employees, new recruitments, independent contractors)	Name, surname, South African identity number or other identifying number (e.g., passport number), contact details, physical and postal address, date of birth, age, marital status, race, disability, information, employment history, criminal background checks, fingerprints, CVs, education history, banking details, income tax reference number, remuneration and benefit information, drivers’ licence, health information, details related to employee performance, disciplinary procedure information. May also include the personal information of children / minors, if they are listed as beneficiaries or dependants.
Service providers (including outsourced or hosted services, auditors, etc)	Company registration details, identity numbers, BEE certificates, tax clearance, income tax and VAT registration details, payment information including bank account numbers, invoices, contractual agreements, addresses, contact details.

Information automatically collected.
When you use any of our digital channels like websites and apps, we receive, and store information generated by your activities (usage data gathered by Cookies) and other information that is automatically collected from your browser or mobile device. Most of this data is generally not personally identifiable. However, some of this data, either alone or when linked with other information, may allow your identity to be discovered. We treat this combined data as personal information, and we protect it accordingly.
- Cookies are small text files that are created when you view a website. They gather usage data which includes information about the sites you visited, the number of times you visit, the date, time and length of your visit, which products or services you viewed and which areas of the site you visited. We may assign you one or more unique identifiers to help keep track of your future visits.
- Other information automatically collected may include your IP (Internet protocol) address, browser type and version, preferred language, geographic location, wireless or Bluetooth technology on your device, operating system, and computer platform.
Information collected through online advertising.
We use internal and external service providers to help us deliver our banner advertisements and other online communications.

To understand which types of offers, promotions and advertising are most appealing to our customers, these service providers may collect and use some of your personal information. This information is aggregated and cannot be linked to you.
- Data aggregation is any process in which information is gathered and expressed in a summary form using specific variables such as age, profession, income and interests.
- These service providers show our ads on sites on the Internet, and they use the information stored in Cookies based on your prior visits to our website. If you don’t want your personal information to be used in this way, you can opt out of the use of Cookies, by visiting any of the following sites:
  - Google at http://www.google.com/policies/privacy/ads/
  - Network Advertising Initiative at http://www.networkadvertising.org/managing/opt_out.asp

8. Who do we share your personal information with?

In order to provide our products and services to you, we may share your personal information with:

Service providers who are involved in the delivery of products or services to you. We have agreements in place to ensure that they comply with the privacy requirements as required by the Protection of Personal Information Act.
Entities within the Group. We only do this, in instances where we have received your express consent to do so.
Insurers, intermediaries, administrators, and Underwriting Managers.
Provident Funds and their Trustees and Principal Officers.
Medical aid companies.
Recruitment organisations that may collect information on our behalf.
Regulators and Law Enforcement Agencies.
Motor Licencing Bureau.
Original Equipment Manufacturers (OEMs).
Banks and other financing Institutions.
The South African Revenue Service (SARS).

We will also disclose your personal information to fulfil legal obligations that we may have.

9. Information security

We take every reasonable precaution to protect your personal information (including information about your activities) from theft, unauthorised access and disruption of services.

We will implement appropriate levels of data security, confidentiality, integrity, and availability in accordance with general accepted practices and standards.

When we contract with third parties, we impose appropriate security, privacy, and confidentiality obligations on them to ensure that personal information that we remain responsible for, is kept secure. We will ensure that anyone to whom we pass your personal information agrees to treat your information with the same level of protection as we are obliged to.

10. Planned transborder flows of information.

The Halfway Group make use of hosted services provided by third parties. These operations may be hosted in various countries resulting in the transfer of personal information.

In general, we try as far as possible to ensure that these service providers are located in jurisdictions with strong data protection legislation, such as the European Union or the United Kingdom. Where this is not possible, data protection requirements are enforced by means of contractual agreement.

11. Duration for which personal information will be kept

We will only retain your personal information for a period necessary to achieve the intended purpose unless –

Retention is required or authorised by law.
Retention is required by the Halfway Group for lawful purposes related to its function or activities.
Retention is required by a contract between the parties.
You have consented to the retention of the record.
Retention is required for historical, statistical and research purposes.

We will ensure in the aforementioned scenarios that appropriate safeguards against the records being used for any other are purpose are in place.

12. Deletion or destruction of personal information

We will ensure that personal information is deleted, destroyed and de-identified as soon as reasonably practicable after the Halfway Group is no longer authorised to retain the personal information.

We will ensure that the destruction or deletion of the personal information is done in a manner that prevents its reconstruction in an intelligible form.

13. Notification of Data Breaches

Every attempt has been made to ensure that your personal information is safe and secure. In the event of a data or security breach which affects you, we are under a legal obligation to notify you as well as any impacted entity of this breach together with the measures we will be taking to mitigate any losses or damages.

Depending on the nature and severity of the breach, we will use the following communication channels to notify you of the breach:

Telephone call.
Email.
SMS.
Media release.

Notification of breach (1st notification) will be issued within 24 hours of detection of the breach.

14. Information Quality

We take all reasonable steps to ensure that your personal information is complete, accurate, not misleading and updated where necessary. Please make sure that we always have your latest contact details.

15. Rights of Data Subjects

Where appropriate, the Halfway Group will ensure that its customers, directors, employees, and service providers are made aware of the rights conferred upon them as data subjects.

Where you are required to fill or complete any forms in relation to a request for access, amendment, objection, and deletion of record of your personal information, the Halfway Group will render such reasonable assistance as necessary free of charge to enable you to complete the required forms.

The Right to access Personal Information.
The Halfway Group recognises that you have a right to establish whether the Halfway Group holds personal information related to you including the right to request access to that personal information.

If you wish to request access to your personal information, you must submit a request to the Information Officer or Deputy Information Officer of Entity within the Halfway Group to which the request pertains by completing Annexure A, the “Personal Information Request Form”.
The Right to Object to the Processing of Personal Information
You have a right, on reasonable grounds, to object to the processing of your personal information.

If you wish to object to processing of your personal information, you must submit a request to the Information Officer or Deputy Information Officer of the entity within the Halfway Group to which the request pertains by completing Annexure B.

In such circumstances, the Information Officer or Deputy Information Officer of the entity within the Halfway Group will give due consideration to the request and the requirements of POPIA. The Entity may cease to use or disclose your personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of your personal information.
The Right to have Personal Information Corrected or Deleted
You have the right to request, where necessary, that your personal information must be corrected or deleted where the Halfway Group is no longer authorised to retain the personal information.

If you wish to request a correction or deletion of your personal information or the destruction or deletion of a record of your personal information, you must submit a request to the Information Officer or Deputy Information Officer of the entity within the Halfway Group to which the request pertains by completing Annexure C.
The Right to change your marketing preferences.
We like to keep our customers informed of the latest products and services offered by us and our service providers. When you buy a new product or service from us, we will ask you what your marketing preferences are.

If you do not want to receive marketing from us, you can change your preference by using the “opt out” function or the “unsubscribe option”, alternatively you can contact the Information officer of the relevant Entity within the Halfway Group. Contact details for the relevant Information Officer can be obtained directly from Entity concerned.

Remember that even if you choose not to receive marketing from us, we will still send you communications about your current (product/vehicle etc.).

16. Request access to personal information procedure

You may ask us to access, change or remove your personal information from our records. Where legislation allows, we may charge an administrative fee, but we will always inform you of any cost before performing your request.

Any of the aforementioned requests, can be made via email, on the applicable form mentioned above. The email must be addressed to the Information Officer of the Entity within the Halfway Group to which your request pertains to. Contact details for the relevant Information Officer can be obtained directly from the Entity concerned.

Once the completed form has been received, the Information Officer will verify the identity of the Data Subject prior to handing over any personal information.

The Information Officer will endeavour to process all requests within a reasonable time.

17. Complaints

You may submit a complaint to the Entity within the Halfway Group to which your complaint pertains to. You may address your complaint via email using the requisite Annexure D . Your complaint must be addressed to the Information Officer of the Entity within the Halfway Group. Contact details for the relevant Information Officer can be obtained directly from the Entity concerned.

You have the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of your personal information.

In addition, where we are unable to resolve your complaint, to your satisfaction you also have the right to lodge a complaint with the Information Regulator. You may do so, by submitting the completed Annexure E to the Information Regulator. The details for the Information Regulator can be found in Section 4 of this document.

18. Duties of Information Officers

This policy refers to the term Information Officer and Deputy Information Officer interchangeably. The Information Officer or Deputy Information Officer is a person/s appointed by the entity to ensure compliance with the POPI Act within the entity.

A high-level summary of their duties are as follows:

Development of internal measures to process a request for access to information.
Monitoring of data security & safeguards.
Implementation of POPIA requirements within the entity.
Training and awareness.
Responding to and action of requests from Data Subjects.
Work with the Information Regulator on investigations.
Reporting and notification of security breaches.
Make available copies of the Promotion of Access to Information Manual to customers.

For the purposes of this policy, the Information Officer/Deputy Information Officer is only responsible for the duties listed above in relation to the entity for which s/he has been appointed and therefore only assumes responsibility for the personal information within that Entity.

In addition, it is specifically recorded that the Information Officer for Halfway Group Holdings (PTY) Ltd is only responsible for personal information held in relation to the company secretarial function for this company.

19. Conclusion

We reserve the right to amend this Policy from time to time, and you agree that you will review the terms of this Policy whenever you visit our website for any such amendments.

This Policy will be governed by and construed and interpreted in accordance with the laws of the Republic of South Africa.

Please ensure that you have read and understood the terms and conditions of this Policy before you provide us with your personal information.

20. Policy Review

The Policy will undergo a full review on, at least, an annual basis.

Name of Policy	Version No.	Reason for change	Author	Approver	Approver signature	Effective Date
Privacy Policy	V1.0	New Policy	Halfway Group Compliance	Chairman of the Board of Directors of Halfway Group Holdings (Pty) Ltd		1 July 2021
Privacy Policy	V2.0	Amendment	Halfway Group Compliance	Group Chief Executive Officer		1 July 2023