PRIVACY POLICY - S CORPORATE ADVISORS
Our website address is: https://scorpa.co.za.
MANUAL IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO
INFORMATION ACT 2 OF 2000 (“PAIA”)
AS AMENDED BY THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013
(“POPIA”)
K2020052565 T/A S CORPORATE ADVISORS
(REG. NO.: 2020/052565/07)
(“COMPANY”)
1 Introduction
1.1 This Manual constitutes the Company PAIA manual.
1.2 This Manual is compiled in accordance with section 51 of PAIA as amended by the Protection of
Personal Information Act, 2013 ("POPIA"). POPIA promotes the protection of personal information
processed by private bodies, including certain conditions so as to establish minimum requirements
for the processing of personal information. POPIA amends certain provisions of PAIA, balancing
the need for access to information against the need to ensure the protection of personal information.
Where a request is made in terms of PAIA to a private body, that private body must disclose the
information if the requester is able to show that the record is required for the exercise or protection
of any rights, and provided that no grounds of refusal contained in PAIA are applicable. PAIA sets
out the requisite procedural issues attached to information requests.
1.3 This PAIA manual also includes information on the submission of objections to the processing of
personal information and requests to delete or destroy personal information or records thereof in
terms of POPIA.
1.4 For purposes of this Manual, we refer to ourselves as the “Company”, “we”,” us” or “our”.
2 Who Are We - About Us And Our Business
2.1 Transaction Capital Ltd is an investor in and operator of credit-orientated alternative assets.
3 Our Contact Details
3.1 All requests for access to records in terms of the Act for the Company must be in writing and must
be addressed to the Information Officer, at the contact details below;
Information Officer: Nkosana Shongwe
Street Address: Rivonia Office Park, Sandton, Johannesburg
Email address: nkosana@scorpa.co.za
4 PAIA Guide
An official guide has been compiled which contains information to assist a person wishing to exercise
a right of access to information in terms of PAIA and POPIA. This guide is made available by the
Information Regulator (established in terms of POPIA). Copies of the updated guide are available
from the Information Regulator in the manner prescribed. Any enquiries regarding the guide should
be directed to:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O Box 31533, Braamfontein, Johannesburg, 2017
General enquiries email: inforeg@justice.gov.za
5 Information That Is Automatically Available Without A PAIA Request
5.1 The information available on our website, may be automatically accessed by you, without having to
follow the formal PAIA request process.
6 Records Kept In Terms Of The Other Legislation
6.1 We are subject to many laws and regulations, some of which require us to keep certain records.
6.2 These laws are detailed in Appendix E attached hereto:
6.3 Note that the list is not exhaustive.
7 Description Of Subjects We Hold Records On And Categories Of Records
7.1 Described below are the records which we hold, divided into categories for ease of reference:
Personnel Records
Personnel records include:
• personal records (provided by personnel
themselves);
• records provided by a third party
relating to personnel;
• conditions of employment and other
personnel-related contractual and quasi-legal records;
• internal evaluation records and other
internal records;
• training schedules and material;
• pension records;
• employee benefits records;
• labour relations records;
• employment equity records and
Private Body Records
“Private Body Records” are records which include, but are not limited to, records which pertain to the Company’s
own affairs including:
• financial records;
• operational records;
• databases;
• information technology systems and documents;
• marketing records;
• internal correspondence;
• service records;
• statutory records;
• internal policies and procedures;
• trademarks and intellectual property;
Other Party Records
• personnel, investment or private body records which are held by another party on the Company’s behalf,
as opposed to the records held by the Company itself.
• records held by the Company pertaining to other parties, including without limitation, financial records,
correspondence, contractual records, and records about the Company’s contractors / vendors /
suppliers / service providers.
8 Information Related to POPIA
8.1 Requests for personal information under POPIA must be made in accordance with the provisions
of PAIA. This process is outlined in paragraph 9 below.
8.2 If we provide you with your personal information, you have the right to request the correction,
deletion or destruction of your personal information, in the prescribed form. You may also object to
the processing of your personal information in the prescribed form.
8.3 We have attached the prescribed forms to this Manual for your convenience.
8.4 We will give you a written estimate of the fee for providing you with your personal information,
before providing you with the services. We may also require you to provide us with a deposit for all
or part of the fee prior to giving you the requested personal information.
8.5 Purpose of processing:
8.5.1 POPIA provides that personal information may only be processed lawfully and in a
reasonable manner that does not infringe on the data subject’s privacy.
8.5.2 The type of personal information that we process will depend on the purpose for which it is
collected.
8.5.3 We may use, transfer, share and disclose your personal information for the purposes of:
• providing services or offerings and keeping you informed,
• managing the account or contract / relationship with us;
• detecting and preventing fraud and money laundering and / or in the interest of security and crime
prevention;
• assessing and dealing with complaints and requests;
• operational, marketing, auditing, legal and record keeping requirements;
• identifying and verifying your identity or the identify of your beneficial owner;
• transferring or processing your personal information outside of the Republic of South Africa to such
countries that may not offer the same level of data protection as the Republic of South Africa,
including for cloud storage purposes and the use of any of our websites;
• complying with applicable laws, including lawful requests for information received from law
enforcement, bureaus, government and tax collection agencies;
• recording and / or monitoring your telephone calls and electronic communications to / with the
Company in order to process instructions and requests;
• conducting market research and providing information about the Company’s services from time to
time via our website, email, telephone or other means;
• disclosing personal information to third parties for reasons set out in our privacy notice or where it
is not unlawful to do so;
• monitoring, keeping record of and having access to all forms of correspondence or communications
received by or sent from the Company or any of its employees, agents or contractors, including
monitoring, recording and using as evidence all communications between parties;
• feasibility and viability studies;
• statistical, historical and research purposes;
• commercial arrangements;
• We may from time to time (and at any time) contact you about services and announcements which
we believe may be of interest to you, by email, phone, text or other electronic means, unless you
have unsubscribed from receiving such communications. You can unsubscribe from receiving such
communications at any time.
8.6 Personal information that is processed includdes;
• names, addresses, contact details, date of birth, identity/passport/registration number, bank
details, company details, vat/tax number and financial information.
• records of correspondence or enquiries from you or anyone acting on your behalf;
• details of any contracts and transactions.
8.6.1 Categories of data subjects include;
• our employees,
• investors,
• any third parties with whom we conduct business.
8.6.2 Categories of personal information includes personal information and special personal information
8.7 Categories of recipients for purposes of processing personal information
8.7.1 Personal information may be shared with other entities in the Transaction Capital Ltd group, our
agents and subcontractors, partners, vendors and selected third parties, including service
providers who process the information on our behalf for the purposes set-out in 8.5.3 above.
8.8 Actual or planned trans-border flows of personal information
8.8.1 The Company may need to transfer a Data Subject's information to service providers in countries
outside South Africa, in which case it will fully comply with applicable South African data
protection legislation.
8.8.2 These countries may not have data protection laws which are similar to those of South Africa.
8.9 General description of information security measures
8.9.1 The Company employs appropriate, reasonable technical and organisational measures to
prevent loss of, damage to or unauthorised destruction of personal information and unlawful
access to or processing of personal information.
8.9.1.1 The following policies have been put in place to govern the way the Company treats
personal information;
• POPI policy
• Record retention policy
• Promotion of access to information policy
• Privacy incident management policy
• Privacy notice
• Our HR code of conduct handbook codifies what is deemed acceptable conduct for
employees performing their work as it relates to confidentiality and the security of
personal information of customers, suppliers, and the Company.
8.9.1.2 The following protocols have been put in place to control the way the Company treats
personal information;
• Protocols for handling complaints
• Transborder controls
• Protocols for requests to access, correct and delete personal information
• Monitoring and assurance reviews testing the ongoing adequacy and effectiveness of
controls
• Privacy incident management tool was created to effectively log and track potential
privacy incidents
• Due diligence evaluations have been deployed to evaluate prospective Operator’s
propensity to secure the privacy, confidentiality and integrity of personal information
prior to appointment.
• Operator contracts and agreements include privacy clauses
• Operator attestations allow us to assess current Operator’s ongoing propensity to
secure the privacy, confidentiality and integrity of personal information they process
on our behalf.
8.9.1.3 The Company’s IT Security Control environment includes controls suchas ;
• Access restrictions
• Authentication
• Virus and malware protection
• Firewall protection
• Segregation of duties
• Encryption
• Monitoring and alert tools
• Cyber insurance
• Use of SFTP sites
• Formatting hard drives of devices to remove information when those devices are reused.
9 Request Procedure
9.1 Completion of the prescribed form
9.1.1 Any request for access to a record from a private body in terms of PAIA must substantially
correspond with the form attached hereto marked Appendix A
9.1.2 A request for access to information which does not comply with the formalities as prescribed
by PAIA will be set-aside.
9.2 Payment of the prescribed fees
9.2.1 A fee may be payable, depending on the type of information requested, as described under
Appendix B - Fees in respect of private bodies.
9.2.2 There are two categories of fees which are payable:
9.2.2.1 The request fee: R140
9.2.2.2 The access fee: This is calculated by taking into account reproduction costs, search
and preparation costs, as well as postal costs.
9.2.3 Section 54 of PAIA entitles the Company to levy a charge or to request a fee to enable it to
recover the cost of processing a request and providing access to records. The fees that may
be charged are set out in Regulations promulgated under PAIA.
9.2.4 Where a decision to grant a request has been taken, the record will not be disclosed until the
necessary fees have been paid in full.
9.2.5 POPIA provides that a data subject may, upon proof of identity, request the Company to
confirm, free of charge, all the information it holds about the data subject and may request
access to such information, including information about the identity of third parties who have
or have had access to such information.
9.2.6 POPIA also provides that where the data subject is required to pay a fee for services provided
to him/her, the Company must provide the data subject with a written estimate of the payable
amount before providing the service and may require that the data subject pays a deposit for
all or part of the fee.
10 Objection
10.1 POPIA provides that a data subject may object, at any time, to the processing of personal
information by the Company, on reasonable grounds relating to his/her particular situation, unless
legislation provides for such processing. The data subject must complete the prescribed form
attached hereto as Appendix C - FORM 1 - Objection to the processing of personal information in
terms of section 11(3) of POPIA Regulations relating to the protection of personal information, 2018
[Regulation 2] and submit it to the Information Officer at the postal or physical address or electronic
mail address set out above.
11 Correction
11.1 A data subject may also request the Company to correct or delete personal information about the
data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of
date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal
information about the data subject that the Company is no longer authorised to retain records in
terms of POPIA's retention and restriction of records provisions.
11.2 A data subject that wishes to request a correction or deletion of personal information or the
destruction or deletion of a record of personal information must submit a request to the Information
Officer at the postal or physical address or electronic mail address set out above on the form
attached hereto as Appendix D - FORM 2 - Request for correction or deletion of personal
information or destroying or deletion of record of personal information in terms of section 24(1) of
POPIA’s Regulations relating to the protection of personal information, 2018 [Regulation 3]
12 Proof Of Identity
12.1 Proof of identity is required to
authenticate your identity and the request. You will, in addition to this prescribed
form, be required to submit acceptable proof of identity such as a certified
copy of your
identity document or other legal forms of
identity.
13 Timelines For Consideration Of A Request For Access
13.1 Requests will be processed within 30 (thirty) days, unless the request contains considerations that
are of such a nature that an extension of the time limit is needed.
13.2 Should an extension be required, you will be notified, together with reasons explaining why the
extension is necessary.
14 Grounds For Refusal Of Access And Protection Of Information
14.1 There are various grounds upon which a
request for access to a record may be refused. These
grounds include:
14.1.1 the protection of personal
information of a third person (who is a natural person) from
unreasonable disclosure;
14.1.2 the protection of commercial
information of a third party (for example: trade secrets; financial,
commercial, scientific or technical
information that may harm the commercial or financial
interests of a third party);
14.1.3 if disclosure would result in the
breach of a duty of confidence owed to a third party;
14.1.4 if disclosure would jeopardise the
safety of an individual or prejudice or impair certain
property rights of a third person;
14.1.5 if the record was produced during
legal proceedings, unless that legal privilege has been
waived;
14.1.6 if the record contains trade
secrets, financial or sensitive information or any information that
would put The Company at a disadvantage in
negotiations or prejudice it in commercial
competition; and/or
14.1.7 if the record contains information
about research being carried out or about to be carried out
on behalf of a third party or by the
Company.
14.2 Section 70 of PAIA contains an
overriding provision. Disclosure of a record is compulsory if it would
reveal (i) a substantial contravention of,
or failure to comply with the law; or (ii) there is an imminent
and serious public safety or environmental
risk; and (iii) the public interest in the disclosure of the
record in question clearly outweighs the
harm contemplated by its disclosure.
14.3 If the request for access to
information affects a third party, then such third party must first be
informed within 21 (twenty one) days of
receipt of the request. The third party would then have a
further 21 (twenty one) days to make
representations and/or submissions regarding the granting of
access to the record.
15 Remedies Available To A Requester On
Refusal Of Access
15.1 If the Information Officer decides to grant a requester access to the particular record, such access
must be granted within 30 (thirty) days of being informed of the decision.
15.2 There is an appeal procedure that may be followed after a request to access information has been
refused, which will be described in the correspondence addressed to you by the Information Officer.
15.3 In the event that you are not satisfied with the outcome of the appeal, you are entitled to apply to
the Information Regulator or a court of competent jurisdiction to take the matter further.
15.4 Where a third party is affected by the request for access and the Information Officer has decided to
grant you access to the record, the third party has 30 (thirty) days in which to appeal the decision
in a court of competent jurisdiction. If no appeal has been lodged by the third party within 30 (thirty)
days, you must be granted access to the record.
16 Availability Of This Manual
16.1 Copies of this Manual are available
for inspection, free of charge.