PAIA Manual

IMPORTANT NOTICE:

Dear Reader: Please take note that this page’s URL still currently displays “PROATIA Manual.” Please note that the content on this page has been fully updated to the current 2026 PAIA Manual in line with our latest policy documentation. The URL and page name will be revised shortly.

1. Definitions

TERM	DEFINITION
CEO	Chief Executive Officer
Client	Any natural or juristic person that received or receives services from the company
Complainant	Any person who lodges a complaint with the Information Regulator
Complaint	(a) A matter reported to the Information Regulator in terms of section 74(1) and (2) of the Act; (b) A complaint referred to in section 76(1)(e) and 92(1) of the Act; (c) A matter reported or referred to the Information Regulator in terms of other legislation that regulates the mandate of the Information Regulator
Conditions for Lawful Processing	The conditions for the lawful processing of personal information as fully set out in chapter 3 of POPI and in section 12 of this manual
Data Subject	The person to whom Personal Information relates
Day	A calendar day, unless the last day of a specified period happens to fall on a Sunday or public holiday, in which case it is calculated exclusive of that Sunday or public holiday (Interpretation Act, 1957 - Act No. 33 of 1957)
DIO	Deputy Information Officer
Information Officer/IO	The individual who is identified herein and legally appointed to ensure compliance with POPIA and PAIA
Manual	This manual
Minister	Minister of Justice and Correctional Services
Office Hours	(a) For the Information Regulator: 08:00–16:00, Monday to Friday (excluding public holidays); (b) For designated offices: Hours during which the offices operate
PAIA	The Promotion of Access to Information Act, No. 2 of 2000
Personal Information	Information relating to an identifiable living person, or an identifiable existing juristic person, including but not limited to race, gender, contact info, biometrics, correspondence, opinions, and identifiers
Personnel	Any person who works for or provides services to or on behalf of the company and receives or is entitled to receive remuneration, including permanent, temporary and part-time staff, directors, and contractors
POPI/POPIA	The Protection of Personal Information Act, No. 4 of 2013
POPI Regulations	Regulations promulgated in terms of section 112(2) of POPI
Private Body	(a) A natural person conducting business; (b) A business partnership; (c) A juristic person not being a public body
Processing	Any operation or activity concerning personal information, including collection, storage, dissemination, or destruction
Regulator	Information Regulator established in terms of POPIA
Republic	Republic of South Africa
Signature	Any legally accepted form of signature, including electronic signature where applicable
Writing	As referred to in section 12 of the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)

2. Purpose of the PAIA Manual

This PAIA Manual is useful for the public to:

2.1 Check the categories of records held by a body which are available without a person having to submit a formal PAIA request.

2.2 Have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records, and the categories of records held on each subject.

2.3 Know the description of the records of the body which are available in accordance with any other legislation.

2.4 Access all the relevant contact details of the IO and DIO who will assist the public with the records that they intend to access.

2.5 Know the description of the guide on how to use PAIA, as updated by the Regulator, and how to obtain access to it.

2.6 Know if the body will process personal information, the purpose of processing of personal information, and the description of the categories of data subjects and of the information or categories of information relating thereto.

2.7 Know the recipients or categories of recipients to whom the personal information may be supplied.

2.8 Know if the body has planned to transfer or process personal information outside of the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied.

2.9 Know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.

3. Key Contact Details for Access to Information of The Company

3.1 Chief Information Officer

Name	Ayanda Kotobe
Contact Number	011 691 9300
Email Address	ayanda.kotobe@rsgroup.com

3.2 Deputy Information Officer

Name	Dewet Joubert
Contact Number	011 691 9300
Email Address	dewet.joubert@rsgroup.com

3.3 General contacts for access to information

Email Address	sales.za@rsgroup.com

3.4 National or Head Office

Physical Address	Kyalami Business Park, 20 Indianapolis St, Kyalami Estate, Midrand, 1684
Contact Number	011 691 9300
Email	ayanda.kotobe@rsgroup.com
Website	https://za.rs-online.com/web
Company Name	RS Components SA
Company registration num	1996 / 000489 / 10

4. Guide on how to use PAIA and how to Obtain Access to the guide

4.1 The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised guide on how to use PAIA (“guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.

4.2 The guide is available in each of the official languages and in braille.

4.3 The aforesaid guide contains the description of:

4.3.1 The objects of PAIA and POPIA;
4.3.2 The postal and street address, phone and fax number and, if available, email address of:
- 4.3.2.1 The IO of every public body, and
- 4.3.2.2 Every DIO of every public and private body designated in terms of section 17(1) of PAIA and section 56 of POPIA¹;
4.3.3 The manner and form of a request for:
- 4.3.3.1 Access to a record of a public body contemplated in section 11².
- 4.3.3.2 Access to a record of a private body contemplated in section 50³.
- 4.3.3.3 An internal appeal.
- 4.3.3.4 A complaint to the Regulator.
- 4.3.2.5 An application with a court against a decision by the IO of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body.
4.3.4 The provisions of sections 14¹ and 51² requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual;
4.3.5 The provisions of sections 15³ and 52⁴ providing for the voluntary disclosure of categories of records by a public body and private body, respectively;
4.3.6 The notices issued in terms of sections 22⁵ and 54⁶ regarding fees to be paid in relation to requests for access;
4.3.7 The regulations made in terms of section 92⁷;
4.3.8 The assistance available from the IO of a public body in terms of PAIA and POPIA;
4.3.9 The assistance available from the Regulator in terms of PAIA and POPIA; and
4.3.10 All remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging.

4.4 Members of the public can inspect or make copies of the guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours.

4.5 The guide can also be obtained:

4.5.1 Upon request to the IO.
4.5.2 From the website of the Regulator (www.inforegulator.org.za.)

4.6 A copy of the guide is also available in the following three official languages, for public inspection during normal office hours:

4.6.1 English.
4.6.2 Afrikaans.
¹Section 56(a) of POPIA - Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of POPIA
² Section 11 of PAIA – A requester must be given access to a record of a public body if the requester complies with all the procedural requirements in PAIA relating to a request for access to that record, and if access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
³Section 50 of PAIA – A requester must be given access to any record of a private body if:
(a) that record is required for the exercise or protection of any rights;
(b) that person complies with the procedural requirements in PAIA relating to a request for access to that record; and
(c) access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
⁴Section 14 of PAIA – The Information Officer of a public body must update and publish the manual referred to in subsection (1) at intervals of not more than 12 months.
⁵Section 51 of PAIA – The Information Officer of a private body must update and publish the manual referred to in subsection (1) at intervals of not more than 12 months.
⁶Section 15 of PAIA – The Information Officer of a public body must update and publish any notice issued under subsection (2) at intervals of not more than 12 months.
⁷Section 52 of PAIA – The head of a private body must update and publish any notice issued under subsection (2) at intervals of not more than 12 months.
⁸Section 22 of PAIA – If access to a record is granted, the notice must state the access fee (if any) required to be paid by the requester.
⁹Section 54 of PAIA – If access to a record is granted, the notice must state the access fee (if any) required to be paid by the requester.
¹⁰Section 92(11) of PAIA – The Information Regulator must update and publish the guide referred to in subsection (1) at intervals of not more than two years.

5. Guide on Information Regulator

5.1 A guide to PAIA and how to access information in terms of PAIA has been published pursuant to section 10 of PAIA.

5.2 The guide contains information required by an individual who may wish to exercise their rights in terms of PAIA.

5.3 Should you wish to access the guide, you may request a copy from the IO by contacting him/her using the details specified above.

5.4 You may also inspect the guide at the company’s offices during ordinary working hours.

5.5 You may also request a copy of the guide from the Information Regulator at the following details:

Postal Address	P O Box 31533, Braamfontein, Johannesburg, 2017
Contact Number	+27 (10) 023-5200
Website	www.inforegulator.org.za
Email	PAIAComplaints@inforegulator.org.za

6. Latest Notices in terms of Section 52(2) of PAIA

At this stage, no notice(s) has/have been published on the categories of records that are available without having to request access to them in terms of PAIA.

7. Availability of Certain Records in terms of PAIA

7.1 Categories of records of The Company which are available without a person having to request access:

Category of Records	Types of the Record	Available on Website	Available on Request
PAIA Manual	Company’s current PAIA Manual	X	X
Company overview	Company profile, Overview of the Company’s services, parcel tracking, industry hub contact details and office locations.	X	X
Policies (public-facing)	Privacy Policy, Website Cookies Policy,	X	X
Public marketing materials	Corporate brochures, capability statements, non-confidential marketing materials, brand and partnership announcements	X	X
POPIA and PAIA awareness training certificates	Records of internal or external training / awareness sessions on data protection (POPIA) and access to information (PAIA)	-	X
Contact information for IO	Name, designation, email address, telephone number, physical address of the Information Officer.	X	X

7.2 Description of the records/subjects of The Company which are available in accordance with any other legislation:

Category of Records	Applicable Legislation	Department/Subject Area
Memorandum of Incorporation, company registration documents, minutes of board meetings, share register	Companies Act, 71 of 2008	Finance
Employment contracts, employee attendance records, payroll information, leave records	Basic Conditions of Employment Act, 75 of 1997	Human Resources (HR)
Disciplinary records, grievance procedures, union agreements, Commission for Conciliation, Mediation and Arbitration (CCMA) documentation	Labour Relations Act, 66 of 1995	HR
Employment Equity (EE) plans, EE reports, committee meeting minutes	Employment Equity Act, 55 of 1998	HR
Tax returns, IRP5 certificates, Pay-As-You-Earn (PAYE) records, employee tax submissions	Income Tax Act, 58 of 1962	Finance
Workplace Skills Plans (WSPs), annual training reports, learnership agreements	Skills Development Act, 97 of 1998	Training and Development
Unemployment Insurance Fund (UIF) contribution records, declarations, employee benefit claim records	Unemployment Insurance Act, 63 of 2001	HR
Health and safety audits, incident reports, risk assessments, safety committee records	Occupational Health and Safety Act, 85 of 1993	Occupational Health and Safety
Value-Added Tax (VAT) returns, input/output tax records, SARS correspondence	Value-Added Tax Act, 89 of 1991	Finance
Workers Compensation Assistance (WCA) claims, injury-on-duty reports, compensation records	Compensation for Occupational Injuries and Diseases Act, 130 of 1993	Occupational Health and Safety
B-BBEE certificates, ownership and supplier development records	Broad-Based Black Economic Empowerment Act, 53 of 2003	HR
Client agreements, sales contracts, returns records, warranty documentation.	Consumer Protection Act, 68 of 2008	Client Services/ Marketing
Import/export permits, customs declarations, tariff codes	Customs and Excise Act, 91 of 1964	Operations
Fire safety certificate, emergency preparedness documentation.	Fire Brigade Services Act, 99 of 1987	Health and Safety
Licensing records, regulatory submissions, compliance reports, policies and procedures.	Financial Advisory and Intermediary Services Act (FAIS), 37 of 2002	Legal and Compliance
Data subject consent forms, privacy notices, PAIA Manual, operator agreements, processing activity records	Protection of Personal Information Act, 4 of 2013	Legal and Compliance
Regulatory correspondence, compliance monitoring records, governance documentation	Financial Sector Regulation Act, 9 of 2017	Compliance
PAIA Manual, access request logs, training records	Promotion of Access to Information Act, 2 of 2000	Legal and Compliance
CCTV footage retention logs (if CCTV is used)	Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), 70 of 2002	IT
Electronic communications policies, e-signature consents, website terms and conditions	Electronic Communications and Transactions Act, 25 of 2002	Information Technology (IT)
Document retention and disposal schedules, archive logs (including contracts, delivery logs, farm production records, rental agreements)	National Archives and Records Service Act, 43 of 1996	Records Management
Cybersecurity incident logs, data breach reports, user monitoring records, system misuse investigations	Cybercrimes Act, 19 of 2020	Information Technology (IT) / Legal & Compliance

*Although we have used our best endeavours to supply a list of applicable legislation, it is possible that this list may be incomplete. Whenever it comes to our attention that existing or new legislation allows a Requester access on a basis other than as set out in PAIA, we shall update the list accordingly. If a Requester believes that a right of access to a record exists in terms of other legislation listed above or any other legislation, the Requester is required to indicate what legislative right the request is based on, to allow the Information Officer the opportunity of considering the request in light thereof.

7.3 The company holds and/or processes the following records for the purposes of PAIA and POPIA:

7.3.1 PAIA: PAIA Manual; PAIA guides; PAIA records; PAIA submission records; awareness training.
7.3.2 POPIA: Including, but not limited to, the following: IO Registration Certificate; data breach records; retention records; awareness training.
7.3.3 Further information which may be made available upon request.

7.4 The above-mentioned records may be requested; however, it should be noted that there is no guarantee that the request will be honoured. Each request will be evaluated in terms of PAIA and any other applicable legislation.

8. Request Process

8.1 An individual who wishes to place a request must comply with all the procedures laid down in PAIA.

8.2 The requester must complete Form 02 of PAIA Forms (Request for Access to Record) herein, is attached hereto and submit it to the IO at the details specified herein.

8.3 The prescribed form as well as payment of a request fee and a deposit (if applicable) must be submitted to the IO at/via the postal or physical address, fax number or email address as is stated herein.

8.4 The prescribed form must be completed with enough particularity to enable the IO to determine:

8.4.1 The record(s) requested;
8.4.2 The identity of the requestor;
8.4.3 What form of access is required; and
8.4.4 The postal address or fax number of the requestor.

8.5 The requestor must state that the records are required for the requestor to exercise or protect a right, and clearly state what the nature of the right is so to be exercised or protected. An explanation of why the records are requested is required to exercise or protect the right.

8.6 The request for access will be dealt with within 30 (thirty) days from date of receipt, unless the requestor has set out special grounds that satisfies the IO that the request be dealt with sooner.

8.7 The period of 30 (thirty) days may be extended by not more than 30 (thirty) additional days, if the request is for a large quantity of information, or if the request requires a search for information held at another office of the company and the information cannot be reasonably obtained within 30 (thirty) days. The IO will notify the requestor in writing should an extension be necessary.

8.8 The IO must communicate a response to the request for access using Form 03 of PAIA Forms (Outcome of Request and of Fees Payable) herein.This communication shall inform the requestor of:

8.8.1 The decision; and
8.8.2 Fees payable.

8.9 In the event that the IO is of the opinion that the searching and preparation of the record for disclosure would amount to more than six (6) hours, he/she shall inform the requestor to pay a deposit not exceeding one third of the amount payable.

8.10 Should the requestor have any difficulty with the form or the process laid out herein, the requestor should contact the IO for assistance.

8.11 An oral request can be made to the IO should the requestor be unable to complete the form due to illiteracy or a disability. The IO will then complete the form on behalf of the requestor and provide a copy of the form to the requestor.

8.12 Form 2 of POPIA Forms (Request for Correction or Deletion) herein, is used by a data subject to request the correction of inaccurate, outdated, incomplete, irrelevant, or misleading personal information, and/or the deletion or destruction of personal information that is no longer necessary or unlawfully obtained, in accordance with Section 24(1) of POPIA. It ensures that responsible parties maintain accurate and lawful records of personal data.

8.13 Form 3 of POPIA Forms (Application for the Issue of a Code of Conduct) herein is used by an industry body, profession, or class of entities to apply for the issuance of a Code of Conduct under Section 61(1)(b) of POPIA. It allows industries to self-regulate how personal information is processed within their sector, in line with the conditions for lawful processing.

8.14 Form 4 of POPIA Forms (Request for Consent – Direct Marketing) herein enables a responsible party to formally request a data subject’s consent to receive direct marketing communications via unsolicited electronic means (e.g., SMS, email), as required under Section 69(2) of POPIA. It ensures that individuals have control over whether and how they are marketed to.

8.15 Form 5 of POPIA Forms (Complaint Regarding Interference with Personal Information) herein allows a data subject or complainant to submit a complaint to the IR concerning unlawful interference with personal information; or a determination made by an adjudicator under POPIA. It provides an avenue for recourse and investigation in cases of non-compliance with data protection obligations.

9. Grounds for Refusal

9.1 Mandatory protection of the privacy of a third party who is a natural person, including a deceased person, where such disclosure of personal information would be unreasonable.

9.2 Mandatory protection of the commercial information of a third party, if the records contain:

9.2.1 Trade secrets of that third party;
9.2.2 Financial, commercial, scientific or technical information of the third party, the disclosure of which could likely cause harm to the financial or commercial interests of that third party; and/or
9.2.3 Information disclosed in confidence by a third party to the company, the disclosure of which could put that third party at a disadvantage in contractual or other negotiations or prejudice the third party in commercial competition.

9.3 Mandatory protection of confidential information of third parties if it is protected in terms of any agreement.

9.4 Mandatory protection of the safety of individuals and the protection of property.

9.5 Mandatory protection of records that would be regarded as privileged in legal proceedings.

9.6 Protection of the commercial information of the company, which may include:

9.6.1 Trade secrets;
9.6.2 Financial/commercial, scientific or technical information, the disclosure of which could likely cause harm to the financial or commercial interests of the company;
9.6.3 Information which, if disclosed, could put the company at a disadvantage in contractual or other negotiations or prejudice the company in commercial competition; and/or
9.6.4 Computer programs which are owned by the company, and which are protected by copyright and intellectual property laws.

9.7 Research information of the company or a third party, if such disclosure would place the research or the researcher at a serious disadvantage.

9.8 Requests for records that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources.

10. Remedies Should a Request be Refused

10.1 If the company does not have an internal appeal procedure in light of a denial of a request, decisions made by the IO is final.

10.2 The requestor may in accordance with sections 56(3) (c) and 78 of PAIA, apply to a court for relief within 180 (one-hundred-and-eighty) days of notification of the decision for appropriate relief.

11. Fees

The following fees shall be payable upon request by a requestor:

Details	Fee
Request fee (payable on every request)	R140.00 once-off
Photocopy of an A4 page or part thereof	R2.00 per page
Printed copy of an A4 page or part thereof	R2.00 per page
Hard copy on flash drive (flash drive to be provided by requestor)	R40.00 once-off
Hard copy on a compact disc (compact disc to be provided by requestor)	R40.00 once-off
Hard copy on a compact disc (compact disc to be provided by the company)	R60.00 once-off
Transcription of visual images per A4 page	As per quotation of service provider
Copy of visual images	As per quotation of service provider
Transcription of an audio record	R24.00 per A4 page
Copy of an audio record on flash drive (flash drive to be provided by requestor)	R40.00 once-off
Copy of an audio on a compact disc (compact disc to be provided by requestor)	R40.00 once-off
Copy of an audio on a compact disc (compact disc to be provided by the company)	R60.00 once-off
Base/starting rate to search for and prepare the record for disclosure	R145.00 per hour for each hour or part thereof, excluding the first hour, reasonably required for such search and preparation (cannot exceed R435.00 per request)
Rate to search for and prepare the record for disclosure	R435.00 per hour for each hour or part thereof, excluding the first hour, reasonably required for such search and preparation (cannot exceed total cost)
Postage, email or any other electronic transfer	Actual expense, if any

12. Processing of Personal Information

12.1 The purposes for processing personal information include:

12.1.1. To respond to enquiries, requests, complaints, or claims received from clients, prospective investors, business partners, regulators, service providers, suppliers, or other stakeholders, including enquiries relating to investment products, asset management services, investment performance information, regulatory disclosures, governance matters, and general business operations.

12.1.2. To administer and manage financial transactions and relationships, including the processing of fees, invoicing, billing, reconciliations, distributions, refunds (where applicable), financial reporting, credit control, and other financial administration activities relating to investment management and advisory services.

12.1.3. For security, access control, risk management, compliance, and identity verification purposes, including verifying the personal information of employees, clients, investors, contractors, visitors, and service providers; managing physical and electronic access to offices, systems, and platforms; and monitoring CCTV footage at business premises where applicable.

12.1.4. To communicate with clients, investors, custodians, regulators, service providers, financial institutions, and employees, and to carry out instructions or service requests, including client onboarding, investment instructions, reporting, regulatory correspondence, operational communications, and contractual administration.

12.1.5. To conduct client and investor relationship management activities, including client servicing, feedback initiatives, satisfaction surveys, stakeholder engagement, and the provision of information relating to investment products, services, market updates, and business developments, subject to applicable consent and marketing requirements.

12.1.6. For any other related business purposes aligned with our service offering.

12.2. Description of the categories of data subjects and of the information or categories of information relating thereto:

Categories of Data Subjects	Personal Information that may be Processed
Clients / Customers	Names and surnames, job titles, company name, contact details (email address, telephone number, business address), billing and payment information, contractual information, order and transaction history, correspondence, meeting notes, queries, feedback, complaints, and records relating to products or services supplied.
Suppliers / Service Providers	Names, surnames, company name, registration or VAT number, contact details, bank and payment details, quotations, purchase orders, invoices, contracts, compliance documentation, correspondence, and records relating to the sourcing, manufacture, logistics, or supply of goods and services.
Employees	Name, surname, ID number, tax number, contact details, residential address, bank details, employment agreements, payroll and benefits information, leave and attendance records, performance evaluations, disciplinary records, qualifications, demographic information (for Employment Equity compliance), training records, and access or equipment usage logs if necessary for operational or security purposes.
Job Applicants	Name, surname, contact details, CV, qualifications, previous employment history, references, criminal or credit checks (where relevant to the role), and portfolio or work samples where relevant.
Visitors to Premises	Name, contact details, date and time of entry, visitor log information, CCTV footage (for access control and security), and health and safety acknowledgements where required.
Regulators / Authorities	Names, designations, and contact details of officials; correspondence, submissions, and reports to regulatory or statutory bodies such as the Department of Health, SARS, Labour Inspectorate, the Information Regulator, and other relevant government authorities.
Website Users / Online Enquiries	Names, surnames, company name, registration or VAT number, contact details, bank and payment details, quotations, purchase orders, invoices, contracts, compliance documentation, correspondence, and records relating to the sourcing, manufacture, logistics, or supply of goods and services.

13. The Recipients or Categories of Recipients to whom the Personal Information may be Supplied

Category of Personal Information	Recipients or Categories of Recipients to whom the Personal Information may be Supplied
Identity information (e.g., ID numbers, names) for background or criminal checks.	South African Police Services (SAPS), accredited background check agencies; relevant for employees and job applicants.
Qualifications, for qualification verifications	South African Qualifications Authority or professional accreditation bodies relevant to hospitality or culinary roles.
Credit and payment history, for credit information	Financial institutions, banks, payment service providers, auditors, credit bureaux (where applicable); relevant to clients, investors, suppliers or employees.
Employment history and references (for background checks)	Previous employers, recruitment agencies, background screening companies; relevant for job applicants.
Tax numbers, VAT numbers, payroll and employment details.	South African Revenue Service (SARS)
Security clearance information (for restricted access areas)	Security service providers, regulatory bodies; relevant for logistics depots, farms with restricted areas, or rental properties requiring controlled access.
Skills development and training records	Sector Education and Training Authorities (SETAs); relevant for logistics drivers, warehouse staff, farm workers, and trust/rental administration personnel undergoing training programs.
CCTV footage and security incident records	Authorised security service providers, law enforcement authorities (if required); relevant for warehouses, logistics hubs, farms, office premises, and rental properties.

14. Planned Transborder Flows of Personal Information

The Company may transfer or store certain categories of personal information outside the Republic of South Africa, primarily through the use of cloud-based service providers, payment gateways, marketing platforms, and IT hosting providers. These service providers may be located in jurisdictions such as the United States of America, the European Union, and other regions where global service providers host their systems.

Categories of personal information transferred may include:

Name, surname, ID number, contact details, payroll and benefits information, employment agreements, training records, and other relevant HR data. This may be transferred to international payroll, HR, or IT service providers where applicable.
Supplier and Service Provider Information: Name, company name, contact details, bank details, invoices, contracts, and compliance documentation. This information may be shared with approved international service providers for payment processing, ordering systems, or operational support.
Cloud Storage and IT System Data: Personal and operational information stored or processed via cloud platforms or IT systems.
The Company will only transfer personal information across borders where the recipient country ensures adequate levels of protection or where binding agreements provide safeguards in line with Section 72 of POPIA.

14.1 General description of information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information:

14.1.1. Compliance with applicable legislation, including the Protection of Personal Information Act (POPIA), the Promotion of Access to Information Act (PAIA), Companies Act, and Employment legislation, to ensure lawful and secure handling of personal information.
14.1.2. Operator agreements with third-party providers include confidentiality undertakings, breach notification obligations, and restrictions on further disclosure.
14.1.3. Access control and authentication measures, including password protection, role-based access, and multi-factor authentication to limit access to authorised personnel only.
14.1.4. Physical and electronic safeguards, secure storage of physical records, CCTV and security monitoring of IT infrastructure.
14.1.5. Organizational measures include employee POPIA training, retention and disposal schedules, incident response and data breach management plan in place to ensure timely response and reporting.
14.1.6. These safeguards are continuously reviewed and enhanced to address new risks, changing business processes, and advancements in technology.

15. Availability of the Manual

15.1 A copy of the manual is available:

15.1.1. At (https://za.rs-online.com/web/) or any head office of The Company for public inspection during normal business hours;
15.1.2. To any person upon request and upon the payment of a reasonable prescribed fee; and
15.1.3. To the Information Regulator upon request.

15.2. A fee for a copy of the manual, as contemplated in Annexure B of the Regulations, shall be payable per each A4-size photocopy made.

16. Objection to the Processing of Personal information by a Data Subject

16.1 A data subject who wishes to object to the processing of personal information in terms of section 11(3)(a) or section 11(3)(b) of the Act, must submit the objection to a responsible party at any time during office hours of a responsible party and free of charge.

16.2 A data subject who wishes to object to the processing of personal information must do so on a form substantially similar to Form 3 herein, free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, or WhatsApp and or in any manner expedient to a data subject in terms of section 11(3)(a) of the Act.

16.3 A responsible party must, when collecting personal information of a data subject, notify the data subject, in terms of section 18(1)(h)(iv) of the Act, of their right to object, as referred to in section 11(3) of the Act.

16.4 If an objection to the processing of personal information of a data subject is made telephonically, such an objection shall be electronically recorded by a responsible party and upon request, be made available to the data subject in any manner, including the transcription thereof.

17. Request for Correction/Deletion of Personal Information or Destruction/Deletion of Record of Personal Information

17.1. A data subject has the right, in terms of section 24 of the Act, to request, where necessary, the correction, destruction, or deletion of his, her or its personal information.

17.2. A data subject, who wishes to request a correction or deletion of his, her, or its personal information, as provided for in section 24(1)(a) of the Act, has the right to request correction or deletion of personal information at any time and free of charge, if the personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

17.3. A data subject who wishes to request the destruction or deletion of a record of his, her, or its personal information in terms of section 24(1)(b) of the Act, has the right to request the destruction or deletion of a record of his, her or its personal information at any time and free of charge, if a responsible party is no longer authorised to retain such information in terms of section 14 of the Act.

17.4. A request for correction to or deletion of personal information, as referred to in sub-regulation 12.11.2 or a request for the destruction or deletion of a record of personal information, as referred to in sub-regulation 12.11.3 must be submitted to a responsible party on a form which is substantially similar to Form 2 of POPIA Forms herein free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, WhatsApp message or in any manner expedient to a data subject.

17.5. A request for a correction or deletion of personal information by telephonic means shall be recorded by a responsible party and such recording must, upon request, be made available to a data subject in any manner, including the transcription thereof which shall be free of charge.

17.6. A responsible party must, within 30 (thirty) days of receipt of the outcome of the request referred to in sub-regulation 12.11.2 or 12.11.3, notify a data subject, in writing, of the action taken as a result of the request.