CAVI Data Protection Policy (CAVI Brands (Pty) Ltd and all of its subsidiary companies including Dermalogica)

1. Policy statement

1.1. Everyone has rights with regard to how their personal information is handled. During the course of its activities CAVI will process personal information about its staff, customers, suppliers and other third parties. CAVI recognises the need to treat such personal information in an appropriate and lawful manner.

1.2. Any breach of this policy amounts to serious misconduct and may result in disciplinary action.

2. Relevant definitions

2.1. The following definitions are relevant for the purposes of this Data Protection Policy ("Policy") and all the annexures attached hereto:

2.1.1. "CAVI" means CAVI Brands (Pty) Ltd and all of its subsidiary companies including Dermalogica.

2.1.2. "Data Subjects" include all living individuals and juristic persons (where applicable) about whom CAVI holds personal information. All data subjects have legal rights in relation to their personal information.

2.1.3. "IO" means the information officer appointed as such by CAVI in terms of section 56 of POPI, who has the ultimate responsibility of ensuring that CAVI complies with the provisions of POPI.

2.1.4. "Operators" include any person who processes personal information on behalf of a responsible party. Employees of responsible parties are excluded from this definition, but it could include suppliers or service providers which handle personal information on CAVI’s behalf.

2.1.5. "Personal Information" means information relating to an identifiable, living, natural person, and (where applicable) an identifiable, existing juristic person, including the name, race, gender, marital status, address and identifying number of a person, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.

2.1.6. "POPI" means the Protection of Personal Information Act 4 of 2013.

2.1.7. "Processing" is any activity that involves use of personal information. It includes any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
2.1.7.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2.1.7.2. dissemination by means of transmission, distribution or making available in any other form; or
2.1.7.3. merging, linking, as well as restriction, degradation, erasure or destruction of information.

2.1.8. "Processing Conditions" are the 8 conditions for the lawful processing of personal information set out in chapter 3 of POPI.

2.1.9. "Regulator" means the Information Regulator established in terms of section 39 of POPI.

2.1.10. "Responsible Parties" are the people or organisations which determine the purposes for which, and the manner in which, any personal information is processed. They have a responsibility to establish practices and policies in line with POPI. CAVI is (generally) the responsible party of all personal information used in its business.

2.1.11. "Special Personal Information" includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

2.1.12. "Users" include employees whose work involves using personal information. Users have a duty to protect the information they handle by following CAVI’s data protection and security policies at all times.

3. About this policy

3.1. This Policy applies to all users.

3.2. The types of information that CAVI may be required to handle include details of current, past and prospective employees and clients, suppliers, customers, service providers and others that CAVI communicates with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in POPI and other regulations. POPI imposes restrictions on how CAVI may use that information.

3.3. This Policy sets out CAVI’s rules on personal information protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.

3.4. Annexure B to this Policy sets out a list of ‘Do’s and Don’ts’ under POPI.

3.5. The IO is responsible for ensuring compliance with POPI and with this Policy. Any questions or concerns about the operation of this Policy should be referred in the first instance to the IO.

3.6. If you consider that the Policy has not been followed in respect of Personal Information about yourself or others, you should raise the matter with your line manager or the IO.

4. Purpose of the policy

4.1. The purpose of the Policy is to establish management direction and high-level objectives for regulating the manner in which Personal Information is processed and to provide for remedies in cases where Personal Information is not handled accordingly. Further purposes of the policy include:
4.1.1. the supplementation of CAVI’s existing policies and procedures and their alignment with POPI;
4.1.2. compliance with the requirements of POPI;
4.1.3. the identification and codification of documents and ensuring adequate protection and maintenance of accuracy of documents where required;
4.1.4. providing a set framework and unified policy regarding the methods and procedures for the retention and destruction of documents;
4.1.5. ensuring that records that are no longer required, or documents that are of no value, are destroyed properly and in accordance with POPI; and
4.1.6. providing assistance to employees in understanding the requirements relating to the protection of Personal Information and the retention and destruction of documents.

5. Processing conditions

5.1. All Responsible Parties who process Personal Information must comply with the following eight Processing Conditions:
5.1.1. Condition 1: Accountability;
5.1.2. Condition 2: Processing Limitation;
5.1.3. Condition 3: Purpose Specification;
5.1.4. Condition 4: Further Processing Limitation;
5.1.5. Condition 5: Information Quality;
5.1.6. Condition 6: Openness;
5.1.7. Condition 7: Security Safeguards; and
5.1.8. Condition 8: Data Subject Participation.

Condition 1: Accountability

5.2. CAVI must ensure that the Processing Conditions are complied with.

5.3. The IO is responsible for implementing this Policy and the related policies attached hereto and ensuring compliance therewith.

5.4. CAVI will designate specific individuals to monitor compliance with information security standards within each business area.

5.5. Training or awareness sessions for employees on information security will be conducted on a regular basis.

Condition 2: Lawfulness of processing

5.6. Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

5.7. This condition applies to electronic Personal Information and paper-based records stored in a non-automated filing system.

5.8. It is advisable to obtain voluntary, informed and specific consent from Data Subjects, where possible, before collecting their Personal Information.

5.9. A Data Subject may withdraw consent at any time and such withdrawal of consent should be noted. A Data Subject may also object at any time, on reasonable grounds, to the processing of its Personal Information. CAVI may then no longer process the Personal Information, unless it is authorised to do so in terms of applicable laws.

Condition 3: Purpose specification

5.10. Personal Information may only be processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of CAVI, of which the individual is, as a general rule, made aware.

5.11. Personal Information will only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any Personal Information which is not necessary for that purpose will not be collected in the first place.

5.12. Once collected, Personal Information will only be processed for the specific purposes notified to the Data Subject when the Personal Information was first collected, or for any other purposes specifically permitted by POPI. This means that Personal Information will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the Personal Information is processed, the Data Subject will be informed of the new purpose before any Processing occurs.

5.13. Records of Personal Information may only be kept for as long as necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
5.13.1. retention of the record is required or authorised by law;
5.13.2. the Responsible Party reasonably requires the record for lawful purposes related to its functions or activities;
5.13.3. retention of the record is required by a contract between the parties thereto; or
5.13.4. the Data Subject, or a competent person where the Data Subject is a child, has consented to the retention of the record.

5.14. Personal Information will therefore not be kept longer than is necessary for the purpose for which it was collected. This means that Personal Information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form, or be de-identified, as soon as reasonably practicable after CAVI is no longer authorised to retain the record. For guidance on how long certain Personal Information is likely to be kept before being destroyed, contact the IO or consult the Document Retention Policy.

Condition 4: Further processing limitation

5.15. Further Processing of Personal Information must be compatible with the purpose of collection, unless the Data Subject has consented to such further processing.

5.16. Where Personal Information is transferred to a third party for further Processing, the further Processing must be compatible with the purpose for which it was initially collected.

5.17. If Personal Information is to be used for any other purpose, the further consent of the Data Subject must be obtained. Where this is not possible, the IO should be consulted.

5.18. Personal Information may only be disclosed to other recipients in accordance with the provisions of CAVI’s Personal Information Sharing Policy attached as Annexure C.

Condition 5: Information quality

5.19. CAVI must take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and updated where necessary in light of the purpose for which such information is collected.

5.20. Information which is incorrect or misleading is not accurate, and steps will therefore be taken to check the accuracy of any Personal Information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date information will be destroyed.

5.21. The IO will develop processes for:
5.21.1. checking the accuracy and completeness of records containing Personal Information;
5.21.2. dealing with complaints relating to the timeliness and accuracy of Personal Information;
5.21.3. individuals to periodically verify and update their Personal Information;
5.21.4. making individuals aware of these processes; and
5.21.5. monitoring and tracking updates to Personal Information.

5.22. The IO will furthermore put procedures in place to verify that records containing Personal Information remain relevant, accurate and up-to-date.

Condition 6: Openness

5.23. CAVI must take reasonably practicable steps to ensure that the Data Subject is aware of:
5.23.1. the information being collected and, where the information is not collected from the Data Subject, the source from which it is collected;
5.23.2. the name and address of CAVI;
5.23.3. the purpose for which the information is being collected;
5.23.4. whether or not the supply of the information by that Data Subject is voluntary or mandatory;
5.23.5. the consequences of failure to provide the information;
5.23.6. any particular law authorising or requiring the collection of the information;
5.23.7. where applicable, the fact that the Responsible Party intends to transfer the information to a country or international organisation and the level of protection afforded to the information by that country or international organisation;
5.23.8. any further information such as the recipient or category of recipients of the information, the nature or category of the information and the existence of the right of access to and the right to rectify the information collected;
5.23.9. the existence of the right to object to the processing of Personal Information; and
5.23.10. the right to lodge a complaint to the Regulator and the contact details of the Regulator, or supervisory authority with jurisdiction, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

Condition 7: Security safeguards

5.24. CAVI will keep all Personal Information secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure, and will conduct regular risk assessments to identify and manage all reasonably foreseeable internal and external risks to Personal Information under its control.
5.24.1. CAVI will appoint a third party specialist to secure the integrity of the Personal Information under CAVI’s control.

Duty in Respect of Operators

5.25. Operators (i.e. third parties which may further process Personal Information collected by CAVI) include call centres, outsourced payroll administrators, marketing database companies, recruitment agencies, psychometric assessment centres, document management warehouses, external consultants, credit bureaus and persons who clear the payment instructions of CAVI’s clients.

5.26. CAVI will implement the following key obligations in respect of Operators:
5.26.1. The Operator may not process personal information on behalf of CAVI without the knowledge and authorisation of CAVI;
5.26.2. CAVI will ensure that the Operator implements the security measures required in terms of Condition 7: Security Safeguards;
5.26.3. There will be a written contract in place between CAVI and the Operator which requires the Operator to maintain the confidentiality and integrity of personal information processed on behalf of CAVI;
5.26.4. The written contract between CAVI and the Operator will comply with sections 19 to 21 of POPI;
5.26.5. If the third party is located outside of South Africa, CAVI will consult the IO; and
5.26.6. CAVI will comply with any other mandatory provisions under POPI.

Use of Closed Circuit Television

5.27. The use of any Closed Circuit Television (CCTV) to monitor and record activities for the purposes of safety and security will comply with the provisions of the CCTV Policy (attached hereto as Annexure E).

Duties in Respect of Security Compromises

5.28. In the event that personal information has been compromised, or if there is a reasonable belief that a compromise has occurred, CAVI (or an Operator Processing Personal Information on its behalf) will comply with the Security Compromises Policy (attached hereto as Annexure F).

Condition 8: Data subject participation

Request for Information

5.29. CAVI recognises that a Data Subject has the right to request CAVI to confirm, free of charge, whether or not it holds Personal Information about the Data Subject, and to request CAVI to provide a record or a description of the Personal Information held, including information about the identity of all third parties or categories of third parties who have, or have had, access to the information, at a prescribed fee.

5.30. All users will comply with CAVI’s Subject Access Request Policy attached hereto as Annexure D and CAVI’s PAIA manual in respect of any access to personal information requests by Data Subjects.

Request to Correct or Delete

5.31. The Data Subject may request CAVI to:
5.31.1. correct or delete personal information relating to the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; or
5.31.2. destroy or delete a record of Personal Information about the Data Subject that the Responsible Party is no longer authorised to retain.

5.32. Where POPI applies, any such request must be made in terms of a form similar to Form 3 of the POPI Regulations.

5.33. CAVI will provide credible proof to the individual of the action that has been taken in response to the request.

5.34. If any changes to the Personal Information will have an impact on any decisions to be made about the individual, CAVI will inform all third parties to whom the information has been disclosed, including any credit bureaus, of such changes.

6. Fair and lawful processing

6.1. POPI is not intended to prevent the processing of Personal Information, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject.

6.2. For Personal Information to be processed lawfully, certain requirements have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the Responsible Party (CAVI) or the party to whom the personal information is disclosed. In most cases when special personal information is being processed, the data subject's explicit consent to the processing of such information will be required.

6.3. Personal Information about users may be processed for legal, personnel, administrative and management purposes and to enable the Responsible Party (i.e. CAVI) to meet its legal obligations as an employer, for example to pay users, monitor their performance and to confer benefits in connection with their employment. Examples of when special personal information of users is likely to be processed are set out below:
6.3.1. information about an employee's physical or mental health or condition, in order to monitor sick leave and take decisions as to the employee's fitness for work;
6.3.2. the employee's racial or ethnic origin or religious or similar information, in order to monitor compliance with employment equity legislation;
6.3.3. fingerprints or images for security control; and
6.3.4. in order to comply with legal requirements and obligations to third parties.

6.4. Personal Information about customers, suppliers and other third parties may be processed in the normal course of business.

7. Processing in line with data subjects' rights

7.1. Personal Information will be processed in line with Data Subjects' rights. Data Subjects have a right to:
7.1.1. request access to any Personal Information held about them by a Responsible Party;
7.1.2. prevent the Processing of their Personal Information for direct-marketing purposes;
7.1.3. ask to have inaccurate Personal Information amended; and
7.1.4. object to any decision that significantly affects them being taken solely by a computer or other automated process.

8. Providing information to third parties

8.1. Users dealing with enquiries from third parties should be careful about disclosing any Personal Information held by CAVI. In particular they should:
8.1.1. check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested;
8.1.2. suggest that the third party puts their request in writing so the third party's identity and entitlement to the information may be verified;
8.1.3. refer to the IO for assistance in difficult situations; and
8.1.4. where providing information to a third party, do so in accordance with the eight Processing Conditions.

9. Monitoring and review of the policy

This policy will be reviewed annually by the IO to ensure it is achieving its stated objectives.

Annexure B

POPI DO’S AND DON’TS

DO’S

1.1. DO conduct an information retention audit by creating a matrix which clearly identifies the various categories of personal information held by each department of CAVI, including emails, and setting out a precise retention policy for each category. (The POPI Audit Questionnaire in Annexure A should be used for this purpose.)

1.2. DO designate someone as an IO and ensure this person is adequately trained and registered with the Regulator.

1.3. DO, where possible, obtain "voluntary, specific and informed" consent from a data subject, including customers of CAVI, prior to processing his information, including his name, race, gender, marital status, address, identity number, e-mail address, physical address, and telephone number.

1.4. DO assume that CAVI will probably only have one chance to obtain the prescribed consent.

1.5. DO ensure that CAVI obtains "optimum" consent.

1.6. DO remember that POPI applies to paper files, information held electronically, video/DVD, audiotapes, photographs, images recorded on CCTV cameras, biometric information such as fingerprints, etc.

1.7. DO be careful about sensitive data, namely data concerning race, political opinion, religious belief, trade union membership, physical or mental health, sex life, and criminal offences.

1.8. DO ensure the integrity and safekeeping of personal information in CAVI’s possession or under its control by, among other things, taking steps to prevent the information being lost, damaged, or unlawfully accessed.

1.9. DO define the purpose of gathering and processing of information, collect personal information only for a specific, explicitly defined and lawful purpose that is related to a function or activity of CAVI, and hold personal information only when necessary.

1.10. DO process personal information in a lawful manner; personal information is processed lawfully if it is adequate, relevant, and not excessive given the purpose for which it is processed.

1.11. DO take steps to notify the data subject that CAVI holds personal information about him and tell him why CAVI needs to do so.

1.12. DO check the rationale for any further processing and ensure further processing is compatible with the purpose for which the data was initially collected.

1.13. DO ensure that CAVI has a written contract (data processing agreement) in place when sharing personal information with other organisations or third parties, and that these parties enter into a Non-Disclosure Agreement.

1.14. DO ensure that personal information is entered into records accurately and that the information is complete, up to date, and not misleading.

1.15. DO obtain parental consent when collecting personal information about persons under the age of 18.

1.16. DO ensure that any paper record is properly filed or disposed of.

1.17. DO accommodate data subject requests, including requests to disclose the identity of all third parties that have had access to their information (which request CAVI must execute free of charge) and to provide a record of personal information (which request CAVI may execute at a reasonable fee).

1.18. DO hold personal information in such a way that it can be collected for inspection at short notice.

1.19. DO direct any official requests to see personal information to the IO.

1.20. DO, as far as possible, de-identify (anonymise) personal information for statistical analysis.

1.21. DO respect the rights of a data subject, which include the right to confidentiality, which requires that CAVI refuses requests from family, friends and employers for information about him, including references, unless the written consent of the data subject has been acquired.

1.22. DO retain records for required periods only, as personal information must be destroyed, deleted, or "de-identified" as soon as the purpose for collecting the information has been achieved, unless it is a requirement of law to keep it for a longer period. A record of the information must be retained, however, if CAVI has used it to make a decision about the data subject, including the CVs of prospective employees, for long enough for the data subject to request access to it. (Refer to the company’s Document Retention Policy.)

1.23. DO review personal information kept in files, including FICA information relating to customers of CAVI, from time to time (at least annually) and dispose of unnecessary information as confidential waste.

1.24. DO consider providing only "open references" for employees leaving CAVI (which are shown to the employee before they are sent to third parties).

1.25. DO, when writing documents, bear in mind that the data subjects have a right to see information relating to them.

1.26. DO note that transborder data transfer (including to neighbouring countries) is stringently regulated; therefore, seek further advice from the IO when this is to be done.

1.27. DO process personal information for the purpose of direct marketing by means of any form of electronic communication only if the data subject has given its consent to the processing in a form similar to Form 4 of the POPI Regulations, or is a customer of CAVI.

1.28. DO process the personal information of a data subject who is a customer of CAVI for electronic direct marketing purposes only:
1.28.1. if CAVI has obtained the contact details of the data subject in the context of the ‘sale’ of a service;
1.28.2. for the purpose of direct marketing of CAVI’s own similar services; and
1.28.3. if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of its electronic details at the time when the information was collected and in each subsequent communication.

1.29. DO approach a data subject whose consent is required, and who has not previously withheld such consent, only once in order to request the consent of that data subject.

1.30. DO include in any communication for the purpose of direct marketing:
1.30.1. details of the identity of CAVI; and
1.30.2. an address or other contact details to which the recipient may send a request that such communications cease (i.e. include an opt-out function).

1.31. DO make sure that any opt-outs are recorded appropriately.

1.32. DO take special care when accessing CAVI’s computer network remotely and ensure that data is encrypted.

DON’TS

2.1. DO NOT ignore POPI. Ignorance may lead to a civil action for damages, regardless of whether intent or negligence can be proven on the part of CAVI, and to an enforcement notice being issued by the Regulator (non-compliance with an enforcement notice is an offence).

2.2. DO NOT use old mailing lists.

2.3. DO NOT reveal personal information to third parties without the data subject's permission or justification.

2.4. DO NOT take up references without the consent of the data subject, i.e. only ever approach individuals named by the data subject.

2.5. DO NOT verify qualifications of employees or job seekers without the consent of the data subject.

2.6. DO NOT hold personal information about a person without explicit consent or advice from the IO.

2.7. DO NOT print personal information without a good reason.

2.8. DO NOT place personal information about an individual on the Internet without his/her permission, unless it is a condition of his/her employment.

2.9. DO NOT send personal information outside South Africa (including our neighbouring countries) without taking advice from the IO.

2.10. DO NOT leave personal information insecure in any way, whether it is physical files or information held electronically.

2.11. DO NOT allow staff to take personal information (such as credit checks) home without particular care for security.

2.12. DO NOT process personal information on a computer that is not owned or supplied by CAVI.

2.13. DO NOT part with CAVI’s computers without advice on deletion of data from the IO.

2.14. DO NOT use email for sending confidential communications or unencrypted personal information, as it is relatively insecure.

2.15. DO NOT use personal information held for one purpose for a different purpose without permission from the data subject.

2.16. DO NOT delete or alter any personal information after the IO has received a request to inspect and/or disclose that personal information.

2.17. DO NOT mention anything in email correspondence that CAVI would not want a data subject to see; even deleted emails may be retrieved and revealed to those about whom they are written.

Annexure C

PERSONAL INFORMATION SHARING POLICY COMMITMENT CAVI takes the protection of personal information seriously and aims to comply with POPI. 2.APPLICABILITY 2.1. This Personal Information Sharing Policy (the policy) applies to all staff working for CAVI which includes all permanent and temporary staff, contractors, and agency workers who are subject to the conditions and scope of this policy. This policy is in addition to other requirements which may be necessary for specific operations and it is your responsibility to familiarise yourself with this policy. 2.2. "Personal information" means any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. Personal information includes, for example, names and addresses, e-mail addresses, recruitment details, financial history and the like. It also includes opinions about individuals as well as facts and also applies to corporate contacts. 2.3. "Special personal information" is information such as religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour. OBLIGATIONS 3.1. Purpose definition and limitation 3.1.1. Personal information can only be collected and further processed for lawful, specific and explicitly defined purposes related to a function or activity of CAVI. 3.1.2. You will find an indication of such purposes in CAVI Data Protection Policy and website privacy policy. 3.1.3. After personal information has been collected by CAVI it cannot be processed for purposes which are incompatible with the original ones. 3.1.4. For example, this means that personal information processed by the HR department for HR purposes will likely not be able to be lawfully processed by the marketing department for marketing purposes. 3.2. Personal information to be kept confidential 3.2.1CAVI must keep personal information confidential and safe from undue disclosures. 3.2.2. 
That means that sharing personal information with an external third party is an exception to the confidentiality rule, and must be analysed in detail to ensure lawfulness, notably considering: 3.2.2.1. Whether the purpose for which the external third party requires the personal information is compatible to the original purpose for which the information was collected; 3.2.2.2. Whether sharing the personal information with the external third party will constitute a transborder flow of information; and 3.2.2.3. Whether sharing the personal information with the external third party will likely put the information at risk due to the poor security measures the third party has in place. PROCEDURES TO FOLLOW 4.1. To assist you in dealing with a request to share personal information, we include flowchart procedures as Appendix B hereto. 4.2. If you receive a request for personal information you must: 4.2.1 Notify the IO who will guide you or, as the case may be, lead the procedures; and 4.2.2. Follow the flowcharts attached. 4.3. If you are required to share personal information, you must consider whether the personal information is to be shared internally (i.e. within CAVI) or externally (i.e. with an agent, a public authority, an unconnected third party or other entities within CAVI). When you are certain of the type of request you received, please check the flowcharts attached for guidance on the specific steps to take. 4.4. If you are unsure which category the personal information sharing falls into, please contact the IO for further advice. 4.5. You should document at all times any questions asked, answers given and authorisation gained by any parties involved when dealing with a personal information sharing request. 4.6. Where you are asked to share personal information with unconnected third parties / public authorities, the IO will handle the process himself/herself. 
5. CUSTOMER INFORMATION
Personal information relating to customers should not be shared with third parties without seeking further guidance from the IO.

6. CONSEQUENCES OF NON-COMPLIANCE
It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for CAVI and its employees. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.

7. POLICY REVISION
This policy has been reviewed and approved by the IO, and is subject to change without prior notice.

8. CONTACT DETAILS OF THE IO
NAME: CORLIA BURGER
Address: 11-13 St Andrews Road, Parktown, JHB, South Africa
E-MAIL ADDRESS: CBU@CAVI.CO.ZA
TELEPHONE NUMBER: 011 341 4900
[Appendix B: flowchart figure not reproduced]

Annexure D

SUBJECT ACCESS REQUEST POLICY

1. INTRODUCTION
CAVI is required to comply with the requirements of POPI, which gives data subjects the right to ask for a description of the personal information that CAVI holds about them.

2. APPLICATION AND CONSEQUENCES OF NON-COMPLIANCE WITH THIS POLICY
2.1. This policy applies to all staff of CAVI, which includes all permanent and temporary staff, contractors, and agency workers who are subject to the conditions and scope of this policy. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) or termination of contract or engagement (as appropriate) for serious or repeated breaches of this policy.
2.2. It may also be the case that your conduct and/or actions are unlawful, and CAVI reserves the right to inform the appropriate authorities. Actions may result in civil or criminal proceedings. Staff should note that in some cases they may be personally liable for their actions and/or conduct.

3. PURPOSE OF THIS DOCUMENT
3.1. This document outlines the process for dealing with Subject Access Requests that are received by CAVI and covers:
3.1.1. How to identify a Subject Access Request;
3.1.2. Who is entitled to make one;
3.1.3. Who within CAVI is responsible for dealing with them;
3.1.4. The timescale for responding to one;
3.1.5. How to assess whether a Subject Access Request is valid;
3.1.6. How to set the scope of, and conduct any search for, information in response to a Subject Access Request;
3.1.7. What information should be provided in response to the Subject Access Request; and
3.1.8. What information may be withheld from a response to the Subject Access Request.
3.2. This document provides guidance only. In the event of a Subject Access Request please contact the IO immediately (see the contact details of the IO at the end of this policy).

4. RECEIPT OF SUBJECT ACCESS REQUESTS
4.1. A Subject Access Request may be received by CAVI in any of a number of different forms, including a telephone call, e-mail or letter requesting access to personal information. Subject Access Requests generally originate from current or past employees, job applicants, clients or third parties acting on their behalf (particularly where criminal or civil proceedings are involved).
4.2. In the first instance, it may not always be clear that a data subject is making a Subject Access Request. It is therefore important to be familiar with this policy so that you can identify a Subject Access Request.
4.3. If you receive what you believe to be a Subject Access Request in any form, it is important that you forward a copy of the request to the IO immediately; the IO will manage the Subject Access Request.
4.4. In the case of a telephone call, it is best practice to inform the data subject that his/her/its request for information must be made in writing and cannot be processed otherwise. You should also notify the IO that the phone call has taken place.
4.5. Once you have passed the request on to the IO and have received an acknowledgement that it has been received, the Subject Access Request will be managed by the IO and individuals from the relevant department within CAVI (as applicable).

5. TIME PERIOD FOR THE RESPONSE
5.1. CAVI must respond to a valid Subject Access Request within a reasonable period, but always within 30 days.
5.2. Where a Subject Access Request is missing any of its required elements, it is essential that a prompt request for the missing elements is sent back to the data subject.
5.3. Once all of the requirements set out above have been met and the request has become a valid Subject Access Request, the stated period for providing a formal response must be complied with.

6. WHO IS ENTITLED TO MAKE A SUBJECT ACCESS REQUEST?
6.1. Any data subject is entitled to make a Subject Access Request to CAVI. CAVI will typically receive Subject Access Requests from:
6.1.1. its employees, former employees or job applicants;
6.1.2. an individual working for a supplier;
6.1.3. a customer who is an individual; or
6.1.4. an individual who has used CAVI's website.
6.2. These individuals have a right to be informed by CAVI whether personal information about them is being processed. If personal information is being processed in almost any way by CAVI, then the data subject is entitled to be given any of the following information:
6.2.2. a description of the personal information held; and
6.2.3. an indication of all the third parties or categories of third parties who have or have had access to the information.

7. VALIDITY OF A SUBJECT ACCESS REQUEST
7.1. It is necessary to confirm that the Subject Access Request is valid. The validity of a Subject Access Request will depend on the format and content of the Request. A valid Subject Access Request:
7.1.1. is in writing to CAVI's physical or postal address or e-mail address;
7.1.2. provides sufficient information to allow the identification of the individual requesting the personal information and of the information requested;
7.1.3. indicates the form in which the information should be provided;
7.1.4. specifies an address or e-mail address of the data subject in South Africa; and
7.1.5. includes sufficient identification of the individual to whom the Subject Access Request relates.

8. IDENTIFICATION AND SEARCH TERMS
8.1. The IO must confirm the identity of the individual making the request, i.e. confirm that the person is who they say they are.
8.2. Where the Subject Access Request is made by an employee or a former employee, this will normally be straightforward. The information to be requested will usually be the employee's/former employee's:
8.2.1. Employee ID;
8.2.2. Department;
8.2.3. Room or Desk number; and/or
8.2.4. Telephone extension.
8.3. Where the Subject Access Request is made by someone other than an employee or a former employee, you should send a letter requesting confirmation of identity and also requesting, if necessary, further information to assist in focusing the search for information.

9. SETTING THE SCOPE AND CONDUCTING THE SEARCH
9.1. Subject Access Requests sometimes clearly identify specific information sought by the individual. This permits a simple and targeted search for that information.
9.2. However, other requests are expressed more widely and may, for example, simply request all information held about the individual (e.g. "Please send me a copy of all the information you have on me"). Such a wide-ranging request would be difficult and onerous to comply with, given the volume of information that would have to be reviewed.
9.3. When a wide-ranging request is made, the first step is always to contact the individual and try to obtain clarification about the information that they actually want. This will often result in a much more specific request, leading to a much more targeted search.
9.4. Typically, requests may focus on copies of interview notes, employment application forms, personnel files, appraisal information, holiday and leave information, CCTV footage and e-mails. However, if the individual is not prepared to focus their request, you should use the "Default CAVI Search Parameters" set out below.
9.5. In most cases:
9.5.1. the search should include any centrally held personnel files about the individual (such as CAVI's employee personnel file);
9.5.2. general and non-specific requests (e.g. for the provision of "all" information held about an individual) are not acceptable; the request must relate to specific personal information;
9.5.3. if the search relates to e-mails, it should only apply to a limited number of e-mail accounts over a limited period; keyword searching may also be used; and
9.5.4. it is not necessary to restore back-up information in order to respond to the request, unless the individual has a real need for specific information contained in the back-ups.
9.6. In general, when setting the parameters for a search, you must consider whether this constitutes a reasonable and proportionate search. This will generally depend on the circumstances, but you should consider:
9.6.1. the likelihood that the information exists (i.e. is it just a "fishing expedition"?);
9.6.2. the value or importance of the information to the individual;
9.6.3. the cost of locating and reviewing the information; and
9.6.4. whether the information is intended for use in litigation (while pending litigation does not invalidate a Subject Access Request, it may be more appropriate for disclosure to be made during discovery).

10. THE DEFAULT SEARCH PARAMETERS FOR CAVI
10.1. The Default Search Parameters take the above into account in order to provide a reasonable and proportionate response. Searches in response to a general request for access to personal information should generally be based on the following parameters, although the specific facts of each request may dictate other search factors and this may vary from request to request:
10.1.1. a copy of the data subject's personnel file should be provided (in the case of an employee or a former employee);
10.1.2. pre-defined keywords should be used to search e-mail;
10.1.3. there should be no restoration of back-up data without the prior approval of the IO.
10.2. It is important to note that any e-mails sent internally about the Subject Access Request itself will usually not need to be included in the response, on the basis that they may be legally privileged.

11. IT DEPARTMENT ASSISTANCE FOR ELECTRONIC RECORDS
11.1. The search may require the assistance of other departments, such as the IT department for tracking.
11.2. The IO should define a specific form to be used when requesting assistance from other departments, which should set out clearly:
11.2.1. the names of the inbox owners;
11.2.2. the date range (no longer than [12 months] from the date that the valid Subject Access Request was received); and
11.2.3. relevant search terms and parameters.

12. WHICH INFORMATION FOUND IN THE SEARCH MUST BE DISCLOSED, AND WHAT CAN CAVI REFUSE TO DISCLOSE?
12.1. A Subject Access Request only entitles the individual to access personal information about himself/herself. In general, personal information about an individual is required to be disclosed if it identifies that individual.
12.2. However, there are important exemptions which may apply. These exemptions apply to very specific information and are complex in their interpretation. The IO will analyse the retrieved personal information and apply any relevant exemption.
12.3. Such exemptions may, for example, include information:
12.3.1. that is subject to legal professional privilege; or
12.3.2. that reveals the identity of a third-party individual.

13. OTHER INFORMATION TO BE INCLUDED IN THE RESPONSE
The individual is also entitled to information about the third parties or categories of third parties who have or have had access to his/her personal information.

14. CONSEQUENCES OF NON-COMPLIANCE
It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for CAVI and its employees. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.

15. POLICY REVISION
This policy has been reviewed and approved by the IO, and is subject to change without prior notice.

16. CONTACT DETAILS OF THE IO
Name: Corlia Burger
Address: 11-13 St Andrews Road, Parktown, JHB, South Africa
E-MAIL ADDRESS: cbu@cavi.co.za
TELEPHONE NUMBER: 011 341 4900

Annexure E

CCTV MONITORING POLICY

1. ABOUT THIS POLICY
The purpose of this CCTV Monitoring Policy is to regulate the use by CAVI of Closed Circuit Television (CCTV) to monitor and record images for the purposes of safety and security.

2. APPLICATION AND CONSEQUENCES OF NON-COMPLIANCE WITH THIS POLICY
2.1. This policy applies to all staff of CAVI, which includes all permanent and temporary staff, contractors, and agency workers who are subject to the conditions and scope of this policy. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) or termination of contract or engagement (as appropriate) for serious or repeated breaches of this policy.
2.2. It may also be the case that your conduct and/or actions are unlawful, and CAVI reserves the right to inform the appropriate authorities. Actions may result in civil or criminal proceedings. Staff should note that in some cases they may be personally liable for their actions and/or conduct.

3. GENERAL PRINCIPLES
3.1. CAVI is committed to enhancing the quality of life of its employees by integrating best practices in workplace safety with technology. A critical component of a comprehensive security programme is the use of CCTV monitoring.
3.2. CCTV monitoring may be used in public areas by CAVI to deter crime and to assist in protecting employees and property.
3.3. Information obtained via CCTV monitoring will be used exclusively for security and law enforcement purposes. Information obtained by CCTV monitoring will only be released when so authorised by the IO.
3.4. CCTV monitoring of public areas for security purposes will be conducted in a manner consistent with existing CAVI policies and practices, and will be limited to uses that do not violate the reasonable expectation of privacy of data subjects.
3.5. Images and related data collected by CCTV are the property of CAVI.

4. PROCEDURES
4.1. CAVI will post signage where appropriate. An example of an appropriate sign is: "Images are being monitored and recorded for the purposes of crime prevention and public safety. This scheme is controlled by CAVI. For more information, call CAVI."
4.2. Individuals whose images are recorded have a right to view the images of themselves and to be provided with a copy of the images against payment of a reasonable fee.
4.3. The CCTV systems used by CAVI will produce clear images which law enforcement bodies (such as the police) can use to investigate crime, and which can easily be taken from the system when required.
4.4. CCTV cameras will be installed in positions where they can record clear images.
4.5. CCTV cameras will be positioned to avoid capturing images of persons not visiting the premises and of residential housing. Any view given of housing will be no greater than what is available with unaided vision.
4.6. Images recorded by CCTV cameras will be securely stored and may only be accessed by authorised persons.
4.7. Images will not be provided to third parties other than law enforcement bodies.
4.8. Regular checks will be carried out to ensure that CCTV cameras are working properly and produce high-quality images.
4.9. CCTV monitoring will not be used in areas which workers would reasonably expect to be private, such as toilet areas and private offices.
4.10. The CCTV monitoring centre will be configured so as to prevent the tampering with or duplicating of information.
4.11. Recorded images will be stored for a period not exceeding 14 days and will then be erased, unless retained as part of a criminal investigation or court proceedings or for another legitimate use approved by the IO.

5. CONSEQUENCES OF NON-COMPLIANCE
It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for CAVI and its employees. Failure to comply may lead to: disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.

6. POLICY REVISION
This policy has been reviewed and approved by the IO, and is subject to change without prior notice.

7. CONTACT DETAILS OF THE IO
Name: Corlia Burger
Address: 11-13 St Andrews Road, Parktown, JHB, South Africa
E-MAIL ADDRESS: cbu@cavi.co.za
TELEPHONE NUMBER: 011 341 4900
Fax: N/A

Annexure F

SECURITY COMPROMISE POLICY

1. OVERVIEW
1.1. Security compromises require centralised and swift management, and this Security Compromise Policy (policy) outlines a framework for responding to such incidents.
1.2. It is essential for all staff to comply with this policy: security compromises must be notified to the Regulator and to the affected individuals.

2. APPLICATION AND CONSEQUENCES OF NON-COMPLIANCE WITH THIS POLICY
2.1. This policy applies to all staff of CAVI, which includes all permanent and temporary staff, contractors, and agency workers who are subject to the conditions and scope of this policy. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) or termination of contract or engagement (as appropriate) for serious or repeated breaches of this policy.
2.2. It may also be the case that your conduct and/or actions are unlawful, and CAVI reserves the right to inform the appropriate authorities. Actions may result in civil or criminal proceedings. Staff should note that in some cases they may be personally liable for their actions and/or conduct.

3. KEY CONSIDERATIONS
3.1. CAVI has to comply with POPI and other applicable data protection legislation or contractual undertakings to ensure that measures are taken to keep data secure, including specific legal obligations around dealing with a security compromise. Such legal requirements must be observed in addition to the approach set out in this policy.
3.2. This policy includes guidelines on how to deal with security compromises, including:
3.2.1. Containment and initial assessment;
3.2.2. Risk evaluation;
3.2.3. Breach notification;
3.2.4. Remedial action; and
3.2.5. Incident response plan.

4. CONTAINMENT AND INITIAL ASSESSMENT
4.1. An important starting point with any security compromise is to consider what steps are required in order to contain it. For example, if the incident involves a form of intrusion (via either internal or external threats) into CAVI's systems, then containment action could include:
4.1.1. identification of where the intrusion itself is occurring on the systems;
4.1.2. closing down such weak points to contain the incident; and
4.1.3. prevention of further impact on data through the compromised systems.
4.2. Team: Using the risk classification outlined below, where the incident represents a risk that is categorised as high or medium, a security compromise management team should convene to address the incident.
4.3. Team authority and scope: The team should have appropriate representation from the IO and key departments such as IT, information security, PR and legal, and should also have sufficient authority within CAVI to investigate and address the incident in accordance with this policy.
4.4. Legal professional privilege: Care should be taken to ensure that the investigation is carried out utilising, to the maximum extent possible, the protection of legal professional privilege. For example, engaging CAVI's legal team and/or appropriate external counsel from the outset may greatly assist in preserving legal professional privilege.
4.5. Informing stakeholders: The investigation team should consider which other internal stakeholders should be informed of the incident and at what stage in the investigation process they should be informed.
4.6. Confidentiality: The investigation team should also consider keeping the investigation confidential from those (internally or externally) who do not need to be made aware of it (either wholly or in part). This will allow the investigation to continue unhindered, particularly with regard to further scoping of the incident and any activity around it. This may include, for example, notifying an appropriate law enforcement authority.

5. ASSESSING THE RISKS
5.1. The investigation team should assess the risks arising from the security compromise. The key driver behind identifying the risk is to assess and consider any potential adverse consequences, for example to:
5.1.1. individuals;
5.1.2. clients; or
5.1.3. employees.
5.2. This assessment should consider how serious or substantial the harm might be to anyone within these categories. The risk assessment will inevitably require a classification of the incident (see below) in order to drive the level of response required.

6. INCIDENT CLASSIFICATION
6.1. Incidents should be classified according to severity of risk, considering the following:
6.1.1. Level 1: High risk of:
6.1.1.1. harm to individuals whose confidentiality or data has been breached;
6.1.1.2. reputational damage to CAVI;
6.1.1.3. legal action from individuals or regulators.
6.1.2. Level 2: Medium risk of:
6.1.2.1. harm to individuals whose confidentiality or data has been breached;
6.1.2.2. reputational damage to CAVI;
6.1.2.3. legal action from individuals or regulators.
6.1.3. Level 3: Low risk of:
6.1.3.1. harm to individuals whose confidentiality or data has been breached;
6.1.3.2. reputational damage to CAVI;
6.1.3.3. legal action from individuals or regulators.
NOTE:
• Incident classification will depend on CAVI's policies on the level of sensitivity ascribed to the personal or other types of information. Sensitivity of information will also depend on the personal circumstances of the individuals concerned.
• CAVI should define at the outset what information it considers to be of high sensitivity and ensure all staff members are aware of it, taking into account POPI's provisions on special categories of personal information.
• All security compromises or suspected security compromises must be treated seriously.
• Do not do anything to the suspected computer(s) or other systems equipment, including turning them on or off or shutting down the network, unless instructed to do so by CAVI's Information Security team / Information Officer / legal team.
6.2. In practice the investigation team may already have particular insight into the risk level from the containment of the security compromise and the initial stages of the assessment (see above). However, this stage of evaluating the risk will require the investigation team to focus on determining factors such as the following (non-exhaustive):
6.2.1. What information:
6.2.1.1. was impacted by the security compromise (risk materialised, therefore high risk); or
6.2.1.2. could have been impacted (risk could have materialised, therefore medium risk) as a result of the security compromise?
6.2.2. Who is affected, and what is the likelihood of any harm as a result of the incident?
6.2.3. Where was the information being processed and handled?
6.2.4. Which CAVI department, area, business, subsidiary and/or office is responsible for such processing and handling?
6.2.5. What was determined to be the cause of the security compromise?
6.2.6. What was determined to be the extent or reach of the security compromise?
6.3. Regulatory reporting: The investigation will require consideration of the reporting requirements under POPI and other ancillary South African rules. For that, the IO should be involved from the outset.
6.4. Protective measures: Other factors of the investigation will focus on whether or not the personal information involved in the incident was subject to specific protective measures. For example:
6.4.1. Was encryption used?
6.4.2. What levels of encryption were used?
6.4.3. Were the encryption technology and the standard used sufficient to safeguard the individuals against any risks as a result of the breach incident?
6.5. As part of the investigation team's role, they will need to establish exactly what information has been compromised and whether the incident took place within the control of CAVI or whether the risk materialised within the control of its third parties. In the case of third parties, the team will need to assess what obligations and responsibilities may flow under POPI and also under the contract between CAVI and the third party.

7. NOTIFICATION OF SECURITY COMPROMISES
7.1. As a result of the investigations carried out during the evaluation of the risk (see above), CAVI may decide it is necessary to report the security compromise to third parties, which may include notifying the incident to:
7.1.1. the Regulator;
7.1.2. individuals or juristic persons whose personal information was accessed or acquired in the compromise (unless their identity cannot be established);
7.1.3. other entities or organisations if required by specific legislation (for example, the South African Police Service or the National Intelligence Agency); and
7.1.4. other entities or organisations, on an optional basis (for example, customers), if deemed appropriate by the public relations department, senior management and the IO.
7.2. The team should consider seeking appropriate expert advice on the notification requirements.
7.3. The notification to the Regulator and the affected individuals or juristic persons must be made as soon as reasonably possible after the discovery of the compromise, taking into account the time needed for the initial containment, risk assessment and incident classification stages.
7.4. Notification to the affected individuals may only be delayed if the South African Police Service, the National Intelligence Agency or the Regulator determines that notification will harm a criminal investigation.
7.5. As such, the notifications to the South African Police Service, the National Intelligence Agency or the Regulator will have to be submitted before the notification to the affected individuals, and must include a specific question on whether the notification to the affected individuals should be delayed.
7.6. The notification to the affected individuals must be in writing and communicated to the individual in at least one of the following ways:
7.6.1. mail;
7.6.2. e-mail;
7.6.3. placement on the website of CAVI;
7.6.4. publication in the news media; or
7.6.5. as may be directed by the Regulator.
7.7. The notification must provide sufficient information to allow the affected individuals to take protective measures against the potential consequences of the compromise. This may include, if known, the identity of the unauthorised person who may have accessed or acquired the personal information.

8. EVALUATION AND RESPONSE
8.1. Evaluation: It is clearly essential for CAVI to conduct an appropriate investigation. CAVI must then analyse the risks arising from a security compromise and the effectiveness of the systems and controls within CAVI, questioning why the particular weaknesses or failure points led to the incident arising. For example, if the security compromise was caused entirely or even in part by a systemic problem within CAVI, then simply containing the security compromise and continuing on a "business as usual" basis would not be acceptable in the eyes of the Regulator.
8.2. Response and implementation: The investigation team should ensure that the lessons learned from the incident are incorporated into strengthening the existing controls and procedures around data management and security.

9. INCIDENT RESPONSE PLAN - CHECKLIST
9.1. CAVI should have, as an integral element of its security compromise response plan, a documented, methodical approach towards addressing the incident, which should include factors such as the following:
9.2. Evaluation of risk (assessing what actually happened):
9.2.1. determine what information was involved;
9.2.2. establish the cause of the incident and the extent of the security compromise;
9.2.3. determine who is actually affected by the security compromise; and
9.2.4. consider the extent to which those affected by the security compromise will suffer any harm, or otherwise assess the consequences of the breach incident.
9.3. Containment and initial assessment:
9.3.1. contain the security compromise;
9.3.2. assign responsibilities to investigate the incident;
9.3.3. assemble and authorise the investigation team;
9.3.4. notify defined internal stakeholders; and
9.3.5. consider notification to any other third parties as may be required.
9.4. Notification:
9.4.1. allocate responsibilities;
9.4.2. seek expert assistance and advice;
9.4.3. notify the Regulator as soon as reasonably possible after discovering the compromise;
9.4.4. notify all affected individuals or juristic persons, if identifiable, unless told not to by the Regulator;
9.4.5. notify by methods such as mail, e-mail, press release or website publication; and
9.4.6. include sufficient information in the notification to allow the affected individuals to take protective action against the potential consequences of the compromise.
9.5. Remedial action:
9.5.1. ensure that the risk register for CAVI is updated with all incidents and suspected incidents (near-misses);
9.5.2. update policies and procedures to ensure there are measures to prevent future breach incidents of this type;
9.5.3. review any issues raised around service delivery/third-party partners;
9.5.4. test the revised incident response plan; and
9.5.5. finalise and implement the revised plan and conduct appropriate training.

10. CONSEQUENCES OF NON-COMPLIANCE
It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for CAVI and its employees. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.

11. POLICY REVISION
This policy has been reviewed and approved by the IO, and is subject to change without prior notice.

12. CONTACT DETAILS OF THE IO
Name: Corlia Burger
Address: 11-13 St Andrews Road, Parktown, JHB, South Africa
E-MAIL ADDRESS: cbu@cavi.co.za
TELEPHONE NUMBER: 011 341 4900
[Appendix B: figure not reproduced]