PREAMBLE

The Protection of Personal Information Act, 4 of 2013 (the 'POPI Act' or 'POPIA'), effective from 1 July 2021 regulates:

1. The promotion of the protection of personal information processed by public and private bodies;
2. The minimum requirements for the processing of personal information;
3. The establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of the POPI Act and the PAIA Act;
4. The issuing of codes of conduct;
5. The rights of persons regarding unsolicited electronic communications and automated decision making; and
6. The regulation of the flow of personal information across the borders of the Republic.

The Promotion of Access to Information Act No. 2 of 2000 (‘PAIA’) came into operation in November 2001. Section 51 requires that private entities compile a manual giving information to interested parties such as customers, employees and suppliers, regarding the procedures we are required to follow for requesting information for the purpose of exercising or protecting rights. On request, a private body or government body is obliged to release such information unless the PAIA Act expressly states that the records containing such information may or must not be released.

This Manual serves to guide interested parties—such as customers, employees, and suppliers—on how to request access to records held by Daisy Business Solutions, ensuring transparency while adhering to legal restrictions on disclosure.

WHO ARE DAISY BUSINESS SOLUTIONS

Daisy Business Solutions is a business environment infrastructure and business technology solution provider with core capabilities in Information Communication Technology (ICT), Office Automation (OA), Optimised Energy Infrastructure (OEI) & Business Security Technologies (BST).

Our solutions that include finance, service and support infrastructure allows us to provide our customers with a complete 360° turnkey solutions.

For over 35 years we have built a business network that today forms the backbone of our national operation. With the foresight to understand future business environments & business technology, we continue to invest in and distribute solutions that enable companies to operate in digitally advanced business environments.

Our ability to maintain and service our base of customers and product solutions is fundamental to our future success. Our people are our key ingredient and we're "nice people to do business with".

We believe in our People, our Brand & our Products. Our aim is to become a household name in companies and business across South Africa. We want people to experience the Daisy Way by partnering with our clients for the future success of their own businesses and/or organisations.

Our promise - The Daisy Way AT EVERY TOUCH POINT.

PROTECTION OF PERSONAL INFORMATION ACT 2013

1. Who

We are a large group of companies trading under the name Daisy Business Solutions, and our policies apply to each one of our branches, franchises, subsidiaries, affiliates or related companies.

2. How We Collect Information

We collect personal information about our customers, our employees and any other confidential information which is provided to us in accordance with the relevant privacy laws:

• Directly from our customers via our sales channels when a credit application and/or rental and/or service agreement is completed with supporting documentation, either electronic or hardcopy
• Directly from our customers at marketing events and functions
• Via a response from customers to our communication emails
• Indirectly from our customers who interact with us digitally via our website, emails, apps, social media sites
• Where other entities within the Daisy group, financiers, cessionaries which represent the Daisy group or have intermediary agreements with other Daisy group entities, financial institutions, credit bureaus and fraud prevention agencies

3. Collection of Information by Third Parties

Daisy Business Solutions makes use of social networking services such as Facebook, Instagram, Whatsapp to communicate with existing customers and prospective customers. When you communicate with us via these channels, the social networking service may collect your personal information for its own purposes. These services may track use of your digital channels on those pages where our website links are displayed. Please ensure you read their privacy policies and practices.

4. The Nature of the Information We Collect

The nature of the business relationships established with Daisy Business Solutions dictates the type of information we collect from our customers in accordance with applicable privacy laws, which includes but not limited to the following:

• Personal information of Company directors
• Company financial information
• Company registration documents
• Company resolutions
• Contact information – including email addresses, telephone numbers, physical addresses
• Invoicing information

Our customers have, by way of an existing business relationship, provided the confidential information on a voluntary basis provided the information is stored and processed in accordance with the relevant privacy laws. It should be noted that this consent can be withdrawn at any point and such withdrawal should be communicated to us in writing in order for us to comply with the withdrawal appropriately.

5. How We Use Your Information

As a sales company, we hold various digital records of our customers, our communications to clients, our dealings with clients, as well as the products and services being utilised by our present and past customers.

In order for us to provide clients with product sales advice, rental finance and repair/maintenance for our products they require, as well as any after-sales communication, we are required to collect, use and disclose the information of our clients, their representatives, controlling persons of the entities and business contacts.

As a sales company, we maintain proper customer records in a secure data centre. In order for us to provide you with our services, we may use your information:

• To provide our customers with our products and services
• On a rental or cash purchase basis
• To provide after-sales service and repairs on our products
• To conduct market research and provide you with information about our products
• To process customer marketing preferences, such as where customers have unsubscribed from certain direct marketing communications, keeping a record of customer information and ensure we do not send marketing to those customers
• To meet our contractual obligations with you or take steps necessary for the conclusion of an agreement with existing and potential customers
• To perform any risk analysis for purposes of risk management
• Audit and record-keeping purposes

6. Sharing Your Information

Daisy Business Solutions will protect the confidentiality of information provided to it by third parties, subject to its obligations to disclose information in terms of any applicable law or regulation or a court order requiring disclosure of information. Entities within the Daisy Group will only share customer personal information if there is a legitimate reason to do so. We may disclose the personal information you provide to the following Daisy Group entities for the exclusive purpose the information was provided in terms of privacy laws:

• Sereti Office Automation (BBB-EE partner)
• Smart Office Connexion (Service/Maintenance/Repair)
• Assetfin (Rental Finance)

7. Security and Storage of Information

Daisy intends to protect the integrity and confidentiality of your personal information. We have implemented the appropriate technical and organisational information security measures to keep your information secure, current, accurate and complete. All information submitted to us online is done so at the data subjects’ own risk.

8. Right of Access to Information

The Promotion of Access to Information Act (PAIA) coupled with POPIA offer an individual the right to access information held by a public or private body in certain instances. This right can be exercised in accordance with the Daisy Policy.

9. Objection to Processing of Your Information

In accordance with POPIA, you may object to our processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing.

THE INFORMATION REGULATOR (SOUTH AFRICA)

SA HUMAN RIGHTS COMMISSION (SAHRC)

The Human Rights Commission has been tasked with the Administration of the PAIA Act. Section 10 of the PAIA Act requires the South African Human Rights Commission to publish a guide which is intended to assist users in the interpretation of the PAIA Act and how to access the records of private and public bodies and the remedies available in law regarding a breach of any of the provisions of the PAIA Act.

The guide contains the following information:

1. The objectives of the act
2. The particulars of the information officer of every public body
3. The particulars of every private body as are practicable
4. The manner and form of a request for access to information held by a body
5. Assistance available from both the information officers and the SAHRC in terms of the Act
6. All remedies in law regarding acts, omissions, rights and duties, including how to lodge an internal appeal and a court application
7. Schedule of fees to be paid in relation to requests for access to information

The guide is available from the SAHRC or on their website: www.sahrc.org.za

PARTICULARS OF THE COMPANY INFORMATION OFFICER

RECORDS HELD BY DAISY BUSINESS SOLUTIONS

For the purposes of this manual, “Personnel” refers to any person who works for, or provides services to or on behalf of Daisy Business Solutions and receives or is entitled to receive remuneration and any other person who assists in carrying out or conducting the business of Daisy Business Solutions.

This includes, without limitation, directors, all permanent, temporary and part time staff, as well as contract workers.

Schedule A serves as a reference to the categories of information which Daisy Business Solutions holds. The information is classified and grouped according to records relating to the categories recorded in Schedule A.

Should you wish to send any request, enquiry, complaint or withdrawal of consent to Daisy, you can submit your query to privacy@daisy.co.za and a task team will manage your query.

SCHEDULE A

INFORMATION AVAILABLE IN TERMS OF THE ACT

Companies Act Records

• All trust deeds (not applicable to Daisy)
• Documents of Incorporation
• Index of names of Directors
• Memorandum of Incorporation
• Minutes of Meetings of the Board of Directors
• Share Certificates
• Share Register and other statutory registers/records and/or documents
• Resolutions passed at general meetings
• Records relating to the appointment of auditors, directors and prescribed officer information

Financial Records

• Accounting records
• Annual Financial Reports
• Annual Financial Statements
• Asset Registers
• Bank Statements
• Banking details and bank accounts
• Banking Records
• Debtors / Creditors statements and invoices
• General ledgers and subsidiary ledgers
• General reconciliation
• Invoices
• Paid cheques
• Policies and procedures
• Rental agreements
• Tax returns

Income Tax Records

• PAYE records
• Documents issued to employees for income tax purposes
• Records of payments made to SARS on behalf of employees
• Supporting documents

All Other Statutory Compliances

• VAT
• Regional Services Levies
• Skills Development Levies
• UIF
• COIDA – Workmen's Compensation

Personnel Documents and Records

• Address Lists
• Disciplinary Code and Records
• Employee Benefits Arrangements/Rules/Records
• Employment Contracts
• Employment Equity Records
• IRP5's for employee returns
• Returns to UIF
• Payroll Forms and Applications
• Grievance Procedures
• Leave Records
• Medical Aid Records
• Payroll Reports / Wage Register
• Pension Fund Records
• Expense accounts
• Safety, Health and Environmental Records
• Salary Records
• SETA Records
• Staff loan agreements
• Disability/Funeral/Group Life insurance
• Standard Letters and Notices
• Training Manuals
• Training Records
• Arbitration awards
• Terminated staff records

Procurement

• Standard Terms and Conditions for supply of services and products
• Contractor, client and supplier agreements
• Inventory records
• Purchase orders
• Lists of suppliers, products, services and distribution
• Policies and procedures

Sales

• Customer details
• Credit Application Information
• Information and records provided by a third party

Marketing

• Advertising and promotional material
• Product information
• Target markets
• Customer information
• Brochures, newsletters, flyers
• Customer communications

Risk Management and Audit

• Auditor reports
• Risk Management plans

Safety, Health and Environment

• Safety, Health and Environment Risk Assessment

IT Department

• Computer/Laptop/Mobile device documentation
• Performance of IT infrastructure
• Internal systems support and programming/development
• Development or investment plans/projects
• Disaster recovery plans
• Hardware Asset Registers
• Information Security policies/standards/procedures
• IT Systems and User Manuals
• Information usage policy documentation
• Project implementation plans
• Software licensing
• System documentation and manuals

Corporate Social Responsibility

• Schedule of projects/record of organisations which receive funding
• Reports, books, publications and general information related to CSR spend

Intellectual Property

• Litigation and other disputes
• Solutions and products developed
• Pricing lists
• Know how

Agreements and Contracts

• Building Lease agreements
• SLA agreements
• Agreements with contractors, suppliers and service providers
• Agreements with customers
• Sale agreements
• Distributor, dealer or agency agreements
• Restraint agreements
• Non-disclosure agreements
• Purchase or lease agreements

Insurance

• Insurance policies
• Claim records
• Details of insurance coverage, limits and insurers
• Insurance declarations

Note that the accessibility of the records may be subject to the grounds of refusal set out in this PAIA manual. Records deemed confidential on the part of a third party, will necessitate permission from the third party concerned, in addition to normal requirements, before Daisy Business Solutions will consider access.

RECORDS NOT AUTOMATICALLY AVAILABLE

Records of the company which are not automatically available must be requested in terms of this PAIA manual or in terms of the Regulations set out in terms of POPIA and which may be subject to the restrictions and right of refusal to access as provided for in the PAIA and POPI Acts.

No request shall be accepted telephonically nor shall any information be supplied telephonically. Only the information officer or any deputy shall have a mandate to disclose information in terms of this manual.

Policy to be followed to Request Access to a Record kept by Daisy Business Solutions:

1. The requester must comply with all the procedural requirements contained in the Act relating to the request for access to a record.
2. The requester must complete the prescribed form and submit same, as well as payment of a requested fee to the Information Officer on behalf of Daisy Business Solutions.
3. The prescribed form must be completed with sufficient information to enable the Information Officer to identify:
   1. The record(s) being requested; and
   2. The identity of the requester.
4. The requester should indicate which form of access is required and specify a postal address and/or email address of the requester within the Republic.
5. The requester must state that he/she requires the information in order to exercise or protect a right, and clearly state the nature of the right to be exercised or protected. The requester must clearly state the reason why the record is necessary to exercise or protect such a right.

POPI - PURPOSE OF PROCESSING INFORMATION

Daisy uses the Personal Information under its care in the following ways:

• Conducting credit reference checks and assessments
• Administration of agreements
• Providing products and services to customers
• Discounting and asset funding purposes
• Detecting and prevention of fraud, crime, money laundering and other malpractice
• Conducting market or customer satisfaction research
• Marketing and sales
• In connection with legal proceedings
• Staff administration
• Keeping of records and accounts
• Complying with legal and regulatory requirements
• Profiling data subjects for the purposes of direct marketing

1. Categories of Data Subjects and Their Personal Information

Daisy may possess records relating to suppliers, shareholders, contractors, service providers, staff and customers:

2. Categories of Recipients for Processing of the Personal Information

Daisy may share the information with its agents, affiliates and associated companies who may use this information to send the Data Subject information regarding their products and services. It may also supply the Personal Information to any party to whom it may have assigned or transferred any of its rights/obligations under any agreement, and/or to service providers who render the following services:

• Capturing and organising of data
• Storing of data
• Sending of emails and other correspondence to customers
• Conducting due diligence checks

3. Retention of Personal Information Records

Daisy may retain these personal records indefinitely, unless the Data Subject objects thereto. If the Data Subject objects to the infinite retention of its Personal Information, Daisy will retain the Personal Information records to the extent permitted or required by law.

4. General Description of Information Security Measures

Daisy employs up to date technology to ensure the confidentiality, integrity and availability of the Personal Information under its care. Measures include:

• Firewalls
• Virus protection software and protocols
• Logical and physical access control
• Secure set up of hardware and software making up for IT infrastructure

5. Objection to Processing of Personal Information, Request for Correction or Deletion of Personal Information or Destroying/Destruction and Withdrawal of Consent in terms of POPI

You may send your objection, request for correction or request for deletion/destroying of a record of personal information, alternatively your withdrawal of consent at any time to:

Email address: privacy@daisy.co.za

Daisy are committed to privacy protection and will continue to endeavour to be compliant with the rules and regulations of POPI and PAIA.

JAMES DURAND
CHIEF OPERATIONS OFFICER DAISY BUSINESS SOLUTIONS