AECI PRIVACY NOTICE
PERSONAL INFORMATION WE COLLECT
1. We will only collect personal information if it is reasonably necessary to pursue at least one of our functions and activities in the course of operating our manufacturing, sales and services businesses. In support of our core business, we also carry out the following related functions and activities:
- human resource activities, including recruitment, performance management, training and development, succession planning, and payroll and associated taxation and reporting activities;
- benefit provision and administration in relation to our pension fund, provident fund, life and vehicle
- insurance, and medical aid for our employees;
- captive insurance
- occupational health and safety activities;
- procurement and vendor management and supply chain activities;
- corporate administration;
- property management and security services; and
- Stake‐holder relations and engagement activities.
2. The personal information that we collect varies with the functions and activities that we engage in, but (without limitation) may include:
- contact and identification information: including names, date of birth, titles, marital status and gender,
identity numbers, email addresses, residential addresses, and telephone numbers;
- company registration numbers, tax numbers, banking details;
- financial and credit‐worthiness records, criminal and enforcement history, political exposure, sanctions
and adverse media information and opinions relevant to doing business with us;
- information received from prospective employees that is relevant to employment with us (see paragraph 3 below);
- historical and current medical information, including details of any claims brought under any relevant workers compensation scheme;
- performance reviews and assessments, development plans and career aspirations;
- details of complaints, grievances and tip‐offs that we receive; and
- such other information that we are required or authorised by or under South African law, to collect and keep.
3. In the course of carrying out recruitment activities, we may collect information regarding your educational and/or trade qualifications, skills, authorisations, career history, and job interests and such other information as may be routinely included in a curriculum vitae. We may also collect personal information during standard pre‐employment checks, such as criminal and background checks, health checks and psychometric testing.
4. From time to time, we may collect special personal information about you in order to conduct our functions and activities. However, we only collect special personal information if:
- the collection is reasonably necessary for one or more of our activities or functions; and
- we have your consent to the collection; or
- an exception applies (see paragraph 5 below).
5. POPIA lists a number of circumstances that permit the collection of special personal information about you without your consent. We only collect special personal information without your consent if one or more of those circumstances applies.
6. The special personal information that we collect may include:
- race or ethnic origin to the extent that it is necessary to comply with legal requirements or to advance
the interests of groups of persons disproportionately and adversely impacted by the effects of colonialism and Apartheid;
- trade union membership to the extent that it is necessary to comply with legal requirements;
- health information which we collect to ensure the wellbeing of our staff and for the purpose of the AECI Medical Aid Society;
- biometric and criminal background information which we collect to protect the security of our business.
7. We collect personal information of children in narrowly defined circumstances and only where consent of a competent person has been obtained or where legally required and entitled to do so in terms of South African Law:
- As dependent beneficiaries under the AECI Medical Aid Society for the purpose of administering the scheme;
- As nominated beneficiaries under any insurance policy, pension or provident fund for the purpose of recording the nomination on your behalf or locating the beneficiary;
- As recipients of corporate social investment, scholarship or other charitable contribution where the details are necessary to access the benefit or required as evidence that the benefit has been provided.
HOW WE COLLECT AND STORE PERSONAL INFORMATION
8. We will only collect personal information if it is reasonably necessary for us to carry out our functions and activities, and only by lawful and fair means that are not unreasonably intrusive.
9. In most cases, we will collect personal information directly from you. However, we may also collect personal information through the following means:
- publications and written correspondence, including newspapers, magazines, journals, letters, emails and SMS;
- telephone conversations, including reference checks;
- CCTV video and audio recordings; and
- social media, including (but not limited to) Facebook, Twitter and LinkedIn.
10. If you supply us with personal information of a third party, we accept that information on the condition that you have the right to provide that personal information to us to use for our functions and activities.
11. In order to carry out our functions and activities, we may collect personal information from third parties, including nominated referees, former employers, recruitment agencies, skills and qualification verification agencies, medical practitioners, credit‐bureaus, international sanctions, political exposure and adverse media watch‐lists.
12. We will only collect personal information from third parties if: (a) we are required or authorised by or under an South African Law to collect the information from someone other than the individual concerned; or (b) it is unreasonable or impracticable to collect the information directly from you.
13. We store hardcopy documents containing personal information in secured facilities.
14. Electronic documents are stored with security measures and protocols implemented to ensure the security and confidentiality of the documents and the personal information contained in them.
15. Where documents and personal information are stored in cloud‐based systems (for example SAP or Microsoft365), we ensure that we first identify the location of all servers, with preference given to in‐ country hosting services. In all cases, we ensure that all providers of cloud‐computing services have appropriate security measures in place.
PURPOSES FOR WHICH WE COLLECT, HOLD, USE AND DISCLOSE PERSONAL INFORMATION
16. We may collect and hold personal information if it is reasonably necessary to pursue at least one of our functions or activities in the course of our manufacturing, sales and services businesses, or if its collection and storage is required under South African law.
17. As described in paragraphs 4, 5 and 6 above, we may collect and hold special personal information that is reasonably necessary for us to pursue at least one of our functions and activities in the course of our business. Further, unless otherwise permitted in terms of POPIA, we will only collect and hold your special personal information if we have received your consent to do so.
18. AECI is a global group, with offices and/or operations/projects located in South Africa, the rest of the African continent, Mauritius, Europe, North and South America, Indonesia and Australia. We may share some personal information with different international offices within the AECI Group. For example, personal information may be distributed when our South African employees undertake training programmes and/or secondments at other operations/projects within the AECI Group. Personal information may also be distributed during the course of AECI’s talent review, culture surveys and for the purpose of ensuring that employees can communicate with one another. See further information about this at paragraphs 40‐43.
19. Generally, we will only use or disclose personal information for the purpose for which it was collected. For example, if we collect your personal information for the purpose of corporate administration, we will generally only use and disclose that information for that purpose.
20. From time to time, we may use or disclose personal information for compatible additional purposes if we receive your consent or if POPIA otherwise permits us to do so. POPIA permits us to use and disclose personal information for a compatible further purpose without your consent for instance if the information is available in or derived from a public record or has deliberately been made public by you, to comply with an obligation imposed by law, for the conduct of legal proceedings or where the processing is necessary to prevent or mitigate a serious and imminent threat to public health and safety or to your or another’s life or health.
21. From time to time, we may need to disclose personal information to third parties to carry out our functions and activities, including the following: (a) local and international consulates and/or government immigration departments regarding work visas, immigration agents and credit or background reporting agencies; (b) government organisations; (c) AECI’s Pension or Provident Fund and third‐party funds and their administrators; (e) our bankers and auditors, in relation to any shares granted and held by you under relevant payment and incentive programmes; (f) insurers (and their advisors) regarding applicable employee policies in place and/or in relation to insured incidents which occur in the workplace; (g) training and development providers, including occupational psychologists or other professionals qualified to undertake psychometric or other assessments; (h) consultants to conduct qualification and trade checks (whether on a national or international basis); (i) travel and accommodation services providers; (k) third parties (including, but not limited to Environmental, Labour, Health & Safety, Prudential Authorities and other government inspectors) conducting site access or assured role checks; (l) service providers undertaking surveys (for example a Culture Survey), or polling; (m) software and data management providers in relation to the hosting and processing of employment information (for example AECI Success Factors); and (n) other contractors; and (o) third party advisors, such as external lawyers.
22. Our websites use “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie, about your use of our website (including your IP address), will be transmitted to and stored by the service providers.
NOTIFICATION OF COLLECTION
25. At or before the time that we collect personal information about you, (or, if that is not practicable, as soon as practicable thereafter), unless excused from doing so under POPIA, we will take such steps as are reasonable in the circumstances to make you aware of this policy and any specific detail not provided in this policy regarding the information being collected (and where the information is not collected from you, the source from which it is collected), our name and address, the purpose for which the information is being collected, what information is required or optional, the consequences of the failure to provide the information, any particular law authorising or requiring the collection of the information, if the information will be transferred to another country or international organisation and the level of protection afforded to the information by that other country or international organisation.
26. In order to place you in a position to ensure that the processing of your personal information is reasonable, we may also need to take reasonable steps in the circumstances to notify you of the recipient or category of recipients of the information, nature or category of the information; the existence of the right of access to and the right to rectify the information collected, the existence of any right to object to the processing of personal information and the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.
QUALITY OF PERSONAL INFORMATION
27. We will endeavour to take reasonable steps to ensure that the personal information that we collect is complete, accurate and up‐to‐date. Further, we will endeavour to take reasonable steps to ensure that the personal information that we use or disclose is, having regard to the purpose of our use or disclosure, complete, accurate and up‐to‐date.
28. The reasonable steps described above that we may be required to undertake include: (a) ensuring that updated and new personal information is added promptly to relevant existing records; (b) reminding you to update your personal information when we engage with you; (c) providing self‐service options to update some of your own personal information that is held by us; (d) with respect to personal information in the form of an opinion, we may take the following steps to verify the accuracy of the opinion: (i) check that the opinion is from a reliable source; (ii) provide the opinion to you before we use or disclose it.
SECURITY OF PERSONAL INFORMATION
29. We will secure the integrity and confidentiality of your personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of your personal information.
30. Measures may include identifying risks, establishing appropriate safeguards, verifying the safeguards are implemented and updating those safeguards where appropriate.
31. As described in paragraph 15 above, AECI ordinarily processes personal information necessary for us to pursue our functions and activities in the course of our manufacturing, sales and services business. In rare circumstances we may be required to process personal information on your behalf. In those circumstances we will only process that personal information for which you are responsible with your knowledge or authorisation and treat it as confidential and not disclose it unless we are obliged to do so under South African law or in the course of properly performing our obligations to you.
32. Where there are reasonable grounds to believe that your personal data has been accessed or acquired by an unauthorised person, we will notify the Information Regulator. We will also notify you unless we cannot identify you. Notification will be done in at least one of the following ways: mailed to your last known physical or postal address, sent by e‐mail to the your last known e‐mail address, placed in a prominent position on one or more of our websites, published in the news media or as may be directed by the Information Regulator.
RETENTION AND RESTRICTION
33. We will only retain records of your personal information for as long as is necessary to achieve the function or activity for which it was collected or otherwise lawfully processed. If we are obliged by South African law to retain the information for a longer period then we will do so or, if we have used the personal information to make a decision about you, then we will retain the records for a reasonable period to allow you to request access to that record. In certain circumstances, POPIA requires us to restrict processing. Records of personal information will be destroyed or deleted as soon after they ought not to be retained as is reasonably practicable.
ACCESS TO PERSONAL INFORMATION
34. You are entitled to enquire whether we hold personal information about you and to request it to be corrected. In certain circumstances you are also entitled to request the destruction of your personal information or to object to or have its further processing restricted. If you request access to records of your personal information we will, within a reasonable period of the request being made, give access to the information in the manner requested (this might attract a fee) unless we have good grounds to refuse the request.
35. Any requests by you in relation to your personal information should be made in writing and addressed to the Information Officer. The Information Officer may be contacted at: Telephone: +27 11 806 8700 Email: Information.Office@aeciworld.com.
36. In certain circumstances we may not comply with an access request in full or at all. This would occur only where we are entitled or obliged to refuse access, for example, where we cannot reliably establish your identity, where providing the information involves the unreasonable disclosure of personal information about someone else or might endanger the life or safety of a person or prejudice the security of property.
37. Where you have made a successful request for the correction of your personal information, if reasonably practical we will notify anyone to whom we have disclosed that information of the correction.
38. If you believe that we have not complied with POPIA or the Conditions for Lawful Processing in any way in relation to your personal information, you may make a written complaint to the Information Officer.
39. The Information Officer will review the complaint, consider our conduct in relation to the complaint and the requirements of POPIA, and will consider appropriate action. The Information Officer will inform you of his or her decision within 30 days of receiving the complaint.
40. If you are unhappy with the Information Officer’s determination, you may make a complaint to the Information Regulator.
DISCLOSURE TO OVERSEAS RECIPIENTS
41. Circumstances may arise where we may need to disclose personal information to overseas recipients. As mentioned in paragraph 18 above, AECI is a global Group, with further offices and/or operations/projects located in South Africa, the rest of the African continent, Mauritius, Europe, North and South America, Indonesia and Australia.
42. As part of our global operations, we may share some of your personal information with other entities within the Group, and to third parties outside of the Group.
44. Before disclosing personal information to any overseas recipient (whether within or outside AECI), we will take steps to ensure that the third party is subject to laws, binding corporate rules or a binding agreement that gives effect to the Conditions for Lawful Processing and contain provisions which prevent transfers to other countries which would not be permitted under this paragraph.
- competent person means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
- consent means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well‐being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e‐mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
- processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
special personal information means personal information concerning—
(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion,
health or sex life or biometric information of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information relates to—
(i) the alleged commission by a data subject of any offence; or
(j) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such
APPROVAL AND REVIEW
This document is approved by the Board and reviewed annually.
Policy Number: IO1
Policy Owner: Information Officer
Author: Michael Brouckaert – Group Compliance Officer
Reviewer: Wynand Strydom – Acting Company Secretary
Date: June 2021.