VERSION CONTROL


VIRTUALLY CLEAR SECURE PRODUCT SPECIALISTS (PTY) LTD ('VIRTU@LLY CLEAR') retains the
copyright in this Privacy Policy as well as any new versions of it published at any time by VIRTU@LLY
CLEAR.

1

INTRODUCTION

1.1

VIRTU@LLY CLEAR, in the course of its business, will receive, process, communicate store and otherwise
handle the personal information of subscribers, its employees and third parties.

1.2

The board of directors of VIRTU@LLY CLEAR also requires that all personal information is appropriately
protected in terms of the requirements of applicable law and generally accepted privacy ethics and
business practice.

2

PURPOSE

The purpose of this policy is to regulate the proper handling of all personal information under the control or
in the custody of VIRTU@LLY CLEAR in accordance with the board's requirements.

3

SCOPE

This policy applies to all subscribers, employees or third parties using VIRTU@LLY CLEAR information
systems or subscribing to its services. It shall also apply to the owners of communication and information
storage devices not owned or under the control of VIRTU@LLY CLEAR but which are used to gain access
to the information stored on VIRTU@LLY CLEAR information systems.
This policy shall apply to the personal information of all VIRTU@LLY CLEAR subscribers, employees and
third parties.

4

GLOSSARY OF DEFINITIONS AND ABBREVIATIONS

Unless inconsistent with the context, the expressions set out in this policy will have the meanings assigned
to them in the Glossary of Privacy Policy applicable to all policies, procedures, standards and guidelines
adopted and published by the Information Security Committee (ISC).
The Glossary of Privacy Policy shall be available on the VIRTU@LLY CLEAR website
(www.virtuallyclear.co.za) to all subscribers to VIRTU@LLY CLEAR services.
This Policy is subject to the definitions and abbreviations contained in the Glossary of Privacy Policy. For
the purpose of convenience, definitions relating to specific terms dealt with in this policy, the following
definitions are provided:

4.1

'personal information' means:

4.1.1

any information about an identifiable natural person, and in so far as it is applicable, an identifiable, juristic
person, including, but not limited to:

4.1.1.1

race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation,
age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, identity
number, address, and any information which may be linked to that person;

4.1.1.2

opinions, views, preference of the person;

4.1.1.3

communications sent or received by that person that are explicitly of a private nature.

4.1.2

This definition excludes information:

4.1.2.1

which may have been derived from personal information but which cannot be used to identify a person;

4.1.2.2

about a person, whether natural and has been dead, or juristic and has ceased to exist, as the case may
be, for more than 20 (twenty) years.

4.2

'data subject' means:

4.2.1

the person who owns or to whom personal information relates;

4.3

'processing' means:

4.3.1

any operation or any set of operations concerning personal information including, but not limited to the
collection, recording, collation, retention, updating or modification, retrieval, use, communication,
distribution or provision of information in any other form, merging, linking, blocking and destruction of
personal information.

5

POLICY STATEMENTS

5.1

VIRTU@LLY CLEAR shall:

5.1.1

process all personal information fairly and lawfully;

5.1.2

ensure that personal information is collected only for purposes communicated to the data subject and not
processed or further processed in a way incompatible with those purposes;

5.1.3

ensure that personal information collected and/or processed is adequate, relevant and not excessive in
relation to the purpose for which it is collected or processed;

5.1.4

maintain personal information in a manner that ensures that it is complete, not misleading, up to date and
accurate;

5.1.5

grant the data subject access to personal information held by VIRTU@LLY CLEAR to which the data
subject is entitled.

5.2

The data subject shall be entitled to request:

5.2.1

the correction of personal information; or

5.1.3

ensure that personal information collected and/or processed is adequate, relevant and not excessive in
relation to the purpose for which it is collected or processed;

5.1.4

maintain personal information in a manner that ensures that it is complete, not misleading, up to date and
accurate;

5.1.5

grant the data subject access to personal information held by VIRTU@LLY CLEAR to which the data
subject is entitled.

5.2

The data subject shall be entitled to request:

5.2.1

the correction of personal information; or

5.2.2

failing agreement by VIRTU@LLY CLEAR to consent to the correction of personal information processed,
stored or communicated by it, it agreed that it will attach to the personal information a statement of the
correction sought by the data subject but which VIRTU@LLY CLEAR has not agreed to amend.

5.3

VIRTU@LLY CLEAR will process information, even if that processing is in breach of the provisions of this
Privacy Policy, if legally ordered to do so by an Information Protection Regulator, State entity (which has
the legal authority to do so) or if ordered to do so by an order of court.

5.4

Without limitation, personal information may be provided by VIRTU@LLY CLEAR to authorities legally
authorised to do so if the information is required by the State for the purposes of national security, defence
or public safety or the purpose of which is the prevention, investigation, or proof of criminal offences, the
prosecution of offenders or the criminal sentences or security measures provided that adequate
safeguards have been established in specific legislation for the protection of such personal information.

5.5

With regard to employees of VIRTU@LLY CLEAR, exceptions to the access requirements are permitted
for personal information required for management succession planning, business records, disciplinary
proceedings and other legitimate business activities where disclosure to the data subject would be likely to
jeopardize a legitimate activity in respect of which the personal information is processed or retained.

5.6

VIRTU@LLY CLEAR shall not keep personal information in a form which permits identification of a data
subject for any longer than is necessary for the purposes for which the personal information was collected
or in respect of which it may be further processed.

5.7

VIRTU@LLY CLEAR shall only process personal information if:

5.7.1

it complies with the provisions of 5.1; or

5.7.2

processing is necessary for the performance of a contract to which the data subject is a party; or

5.7.3

processing is required to respond to a request made by the data subject; or

5.7.4

processing is necessary for compliance with legal obligations to which VIRTU@LLY CLEAR is subject; or

5.7.5

processing is necessary in order to protect the vital interests of the data subject; or

5.7.6

processing is necessary to explore or provide new business products and/or services which may be of use
to VIRTU@LLY CLEAR, so long as these new products and/or services do not override the fundamental
rights or freedoms of the data subject.

5.8

VIRTU@LLY CLEAR shall implement appropriate technical and organizational measures to secure:

5.8.1

the integrity of personal information by safeguarding against the risk of loss of, or damage to, or destruction
of personal information; and

5.8.2

against the unauthorized or unlawful access to or processing of personal information.

5.9

VIRTU@LLY CLEAR shall in the processing of personal information have due regard to generally accepted
information security practices, procedures and standards which may apply or be required in terms of South
African Law and regulation, the rules of any professional association of which VIRTU@LLY CLEAR may be
a member, or industry practises relating specifically to the processing of personal information.

5.10

Where VIRTU@LLY CLEAR has reasonable grounds to believe that the personal information of a data
subject has been accessed or acquired by an unauthorised person, VIRTU@LLY CLEAR will do all things
commercially necessary to notify the data subject of the compromise.
Special Personal Information

5.11

Unless specifically permitted in terms of Law, VIRTU@LLY CLEAR shall not process personal information:

5.11.1

concerning a child who is subject to parental control in terms of the Law without the prior written consent of
a parent of the child or the child's legal guardian; or

5.11.2

concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union
membership, political opinions, health, sexual life, or criminal behaviour, without the express written
consent of the data subject.
Disclosure of Personal Information to Authorised Third Parties

5.12

VIRTU@LLY CLEAR may be required to provide to authorised third parties personal information processed
on its information systems in circumstances where such information is required in terms of legislation, a
court order, subpoena, employment verification, governmental permission or licensing, insurance, medical
aid and other reasons.

5.13

VIRTU@LLY CLEAR shall ensure that all recipients of such information are known to or identifiable by
VIRTU@LLY CLEAR and the recipients shall undertake or to abide by or be obliged by law to uphold the
personal information protections and freedoms provided for in this policy.

5.14

Unless expressly required by law to the contrary, all disclosures of personal information to third parties
shall be notified to the data subject within a reasonable period and wherever possible prior to the provision
of the information.

5.15

VIRTU@LLY CLEAR shall be entitled to obtain a blanket consent to disclosure of personal information
contemplated in 5.14 from the data subject.
Monitoring of Communications

5.16

VIRTU@LLY CLEAR information systems are provided primarily for the purpose of VIRTU@LLY CLEAR
business.

5.17

VIRTU@LLY CLEAR shall monitor, access, retrieve, read and/or disclose communication where required
by law, or regulation.

5.18

VIRTU@LLY CLEAR shall monitor, access, retrieve, read and/or disclose communications where required
by a third party agreement provided that at least one of the parties to the communication has provided to
his or her consent to do so.

5.19

VIRTU@LLY CLEAR shall store all business communications and/or any other communications which it is
unable to distinguish as a private communication for the purposes of the retention of business records.

5.20

VIRTU@LLY CLEAR shall monitor addresses to and from which electronic communications are made,
websites visited, telephone numbers dialled, or any other information relating to the usage of its information
systems.

5.21

VIRTU@LLY CLEAR shall use all commercially reasonable measures necessary to prevent accidental loss
of business information and communication created, retained, stored or communicated using its
information systems.

5.22

To the extent that information or communications may be readily distinguished as "private", VIRTU@LLY
CLEAR shall not retain or store these communications and users shall be solely responsible for the
retention and storage thereof.

5.23

At any time, and without prior notice, VIRTU@LLY CLEAR may examine records of information or
communications, file directories created by users on personal computers or any other information stored on
VIRTU@LLY CLEAR information systems.

5.24

To the extent that any personal information is stored by VIRTU@LLY CLEAR, a person authorised by
VIRTU@LLY CLEAR may, in the course of these examinations, which are designed to assist in the
management of VIRTU@LLY CLEAR information systems, have sight of personal information.

5.25

Any person authorised by VIRTU@LLY CLEAR to examine information and who may as a result of this
have access to private information shall be bound to confidentiality provisions which prohibit the disclosure
of such personal information to any person other than persons specifically appointed by VIRTU@LLY
CLEAR to have sight of and to deal with any issues which may arise as a result of the sight of the personal
information.

6

REVIEW

The Information Officer shall:

• monitor and review the VIRTU@LLY CLEAR information systems regularly and to the extent necessary,
develop new policy and amend existing policy to enhance the information security of the VIRTU@LLY
CLEAR information systems;

• ensure that all new policy documents or amendments to existing policy shall be approved in accordance
with the provisions of this policy and, where appropriate, made available to subscribers to VIRTU@LLY
CLEAR services;

• maintain a revision history of this policy in the schedule forming part of this policy entitled "Version
Control".