PAIA Manual

ASSA ABLOY SOUTH AFRICA (PTY) LTD (“ASSA ABLOY”) including our South African subsidiaries Inhep Electronics Holdings (Pty) Ltd, HYYP (Pty) Ltd, Traka Africa (Pty) Ltd and other brands such as ABLOY, Traka, VingCard, Mul-T-Lock, Yale, IDS and HYYP that are trading under the above-mentioned subsidiaries.

THE PROMOTION OF ACCESS TO INFORMATION MANUAL ("Manual")

1. PREAMBLE

The Promotion of Access to Information Act, 2000 ("PAIA") came into operation on 9 March 2001. PAIA seeks, among other things, to give effect to the Constitutional right of access to any information held by the State or by any other person where such information is required for the exercise or protection of any right and gives natural and juristic persons the right of access to records held by either a private or public body, subject to certain limitations, in order to enable them to exercise or protect their rights.

Where a request is made in terms of PAIA to a private body, that private body must disclose the information if the requester is able to show that the record is required for the exercise or protection of any rights, and provided that no grounds of refusal contained in PAIA are applicable. PAIA sets out the requisite procedural issues attached to information requests.

Section 51 of PAIA obliges private bodies to compile a manual to enable a person to obtain access to information held by such body and stipulates the minimum requirements that the manual has to comply with. This Manual constitutes ASSA ABLOY’s PAIA manual. This Manual is compiled in accordance with section 51 of PAIA as amended by the Protection of Personal Information Act, 2013 ("POPIA"), which gives effect to everyone’s Constitutional right to privacy and largely commenced on 1 July 2020. POPIA promotes the protection of personal information processed by public and private bodies, including certain conditions so as to establish minimum requirements for the processing of personal information.
POPIA amends certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of personal information by providing for the establishment of an Information Regulator to exercise certain powers and perform certain duties and functions in terms of POPIA and PAIA, providing for the issuing of codes of conduct and providing for the rights of persons regarding unsolicited electronic communications and automated decision making in order to regulate the flow of personal information and to provide for matters concerned therewith.

This PAIA manual also includes information on the submission of objections to the processing of personal information and requests to delete or destroy personal information or records thereof in terms of POPIA.

2. ABOUT ASSA ABLOY

Established in South Africa 21 years ago, ASSA ABLOY, South Africa is part of the international Swedish giant, ASSA ABLOY, global specialists in the manufacture and supply of secure, safe and convenient door opening systems and entrance solutions for a wide range of applications. The impressive, state-of-the-art range of locks, keyless locking mechanisms, access control, door automatics, door hardware and bespoke intrusion solutions meet increasingly complex demands across diverse market sectors including hotels, hospitals, universities, schools, airports, corporate environments, and homes as well as government facilities such as police stations, courts, correctional institutions, the defense industry, office parks and warehouses.

3. ORGANOGRAM

For more details, please refer to www.assaabloyopeningsolutions.co.za/en/about-us/executive-team/.

4. CONTACT DETAILS

Company contact details in terms of PAIA section 51:

ASSA ABLOY South Africa (Pty) Ltd
176 Progress Road, Technikon, Roodepoort, Johannesburg 1724
P.O.Box 146, Roodepoort, 1725
Switchboard: +27 11 761 5000
Fax: +27 11 766 3570
E-mail: email@example.com

Duly authorised persons:

Legal entity: ASSA ABLOY South Africa (Pty) Ltd
Information Officer: Gerrit Viviers
    E-mail: informationOfficer@assaabloy.com
Data Privacy Protection Responsible: Paul le Roux
    Telephone number: +27 11 761 5000
    E-mail: firstname.lastname@example.org

Subsidiaries (for purposes of POPIA)

Legal entity: Inhep Electronics Holdings (Pty) Ltd
Information Officer: Bridget Avis
    E-mail: informationOfficer@assaabloy.com
Data Privacy Protection Responsible: Luwayne Dalais
    Telephone number: +27 31 705 1373
    E-mail: Luwayne.email@example.com

Legal entity: HYYP (Pty) Ltd
Information Officer: Bridget Avis
    E-mail: informationOfficer@assaabloy.com
Data Privacy Protection Responsible: Luwayne Dalais
    Telephone number: +27 31 705 1373
    E-mail: Luwayne.firstname.lastname@example.org

Legal entity: Traka Africa (Pty) Ltd
Information Officer: Craig Williams
    E-mail: informationOfficer@assaabloy.com
Data Privacy Protection Responsible: Ravin Singh
    Telephone number: +27 11 761 5000
    E-mail: email@example.com

5. INFORMATION REGULATOR'S GUIDE

An official Guide has been compiled which contains information to assist a person wishing to exercise a right of access to information in terms of PAIA and POPIA. This Guide is made available by the Information Regulator (established in terms of POPIA). Copies of the updated Guide are available from the Information Regulator in the manner prescribed. Any enquiries regarding the Guide should be directed to:

Postal Address: 33 Hoofd Street Forum III, 3rd Floor Braampark Braamfontein, Johannesburg
Telephone Number: +27 (0) 10 023 5207
Fax Number: Details still to be published
E-mail: firstname.lastname@example.org
Website: https://www.justice.gov.za/inforeg/

6. OBJECTIVES OF THIS MANUAL

The objectives of this Manual are:
- to provide a list of all records held by ASSA ABLOY South Africa (Pty) Ltd and its subsidiaries (ASSA ABLOY).
- to set out the requirements with regard to who may request information in terms of PAIA as well as the grounds on which a request may be denied.
- to define the manner and form in which a request for information must be submitted; and
- to comply with the additional requirements imposed by POPIA.

7. ENTRY POINT FOR REQUESTS

PAIA provides that a person may only make a request for information if the information is required for the exercise or protection of a legitimate right. Information will therefore not be furnished unless a person provides sufficient particulars to enable ASSA ABLOY to identify the right that the requester is seeking to protect as well as an explanation as to why the requested information is required for the exercise or protection of that right.

The exercise of a data subject’s rights is subject to justifiable limitations, including the reasonable protection of privacy, commercial confidentiality and effective, efficient and good governance. PAIA and the request procedure contained in this Manual may not be used for access to a record for criminal or civil proceedings, nor should information be requested after the commencement of such proceedings.

The Information Officer has been delegated the task of receiving and co-ordinating all requests for access to records in terms of PAIA, in order to ensure proper compliance with PAIA and POPIA. The Information Officer will facilitate the liaison with the internal legal team on all of these requests. All requests in terms of PAIA and this Manual must be addressed to the Information Officer using the details in paragraph 4 above.

8. RECORDS HELD BY ASSA ABLOY

Personnel Information: These records include employment contracts of all ASSA ABLOY employees, employment policies and remuneration details.
Business records of ASSA ABLOY: These records include:
- Financial records
- Health, Safety and Environmental records
- Human Resources in nature
- Legal services, compliance and risk related
- Minutes of meetings of the executive committee, departmental meetings and staff meetings.
- Strategic plans including business development and marketing
- Production / logistical records
- Operational policies
- Annual reports and other statutory reports
- Newsletters, press releases and other publications

9. AUTOMATICALLY AVAILABLE INFORMATION

Information that is obtainable via ASSA ABLOY’s website about ASSA ABLOY is automatically available and need not be formally requested in terms of this Manual.

10. DISCLOSURES ON REQUEST

Communications
- Press releases
- Product related information

Human Resources
- ASSA ABLOY Code of Ethics
- Apprenticeship records*
- Employment Equity reports
- HR Reports*
- Training Reports

Legal services and compliance
- Intellectual Property records

Financial records
- Customer information*
- Audited Financial Statements*
- Tax records*
- Supplier records*

Health, Safety and Environmental
- Health and Safety records*

Facilities management
- Physical security, electronic access and time and attendance records*

* Limited disclosure

11. INFORMATION AVAILABLE IN TERMS OF POPIA

11.1 Categories of personal information collected by ASSA ABLOY

ASSA ABLOY may collect information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
- information relating to the education or the medical, financial, criminal or employment history of the person.
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
- the biometric information of the person.
- the personal opinions, views or preferences of the person.
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

11.2 The purpose of processing personal information

In terms of POPIA, personal information must be processed for a specified purpose. The purpose for which personal information is processed by ASSA ABLOY will depend on the nature of the personal information and the particular data subject. This purpose is ordinarily disclosed, explicitly or implicitly, at the time the personal information is collected. In general, personal information is processed for purposes of dealing with complaints under the CPA, procurement purposes, records management, security, employment and related matters.

11.3 A description of the categories of data subjects

ASSA ABLOY holds information and records on the following categories of data subjects:
- Employees / personnel of ASSA ABLOY.
- Any third party with whom ASSA ABLOY conducts business.
- Contractors of ASSA ABLOY.
- Suppliers of ASSA ABLOY.

This list of categories of data subjects is non-exhaustive.

11.4 The recipients or categories of recipients to whom the personal information may be supplied

Depending on the nature of the personal information, ASSA ABLOY may supply information or records to the following categories of recipients:
- Statutory oversight bodies, regulators or judicial commissions of enquiry making a request for personal information.
- Any court, administrative or judicial forum, arbitration, statutory commission, or ombudsman making a request for personal information or discovery in terms of the applicable rules.
- South African Revenue Services, or another similar authority.
- Anyone making a successful application for access in terms of PAIA or POPIA; and
- Subject to the provisions of POPIA and other relevant legislation, ASSA ABLOY may share information about a client’s creditworthiness with any credit bureau or credit providers industry association or other association for an industry in which ASSA ABLOY operates.

11.5 Planned transborder flows of personal information

If a data subject visits ASSA ABLOY’s website from a country other than South Africa, the various communications will necessarily result in the transfer of information across international boundaries. ASSA ABLOY may need to transfer a data subject's information to service providers in countries outside South Africa, in which case it will fully comply with applicable data protection legislation. These countries may not have data-protection laws which are similar to those of South Africa.

11.6 A general description of information security measures to be implemented by ASSA ABLOY

ASSA ABLOY takes extensive information security measures to ensure the confidentiality, integrity and availability of personal information in our possession. ASSA ABLOY takes appropriate technical and organisational measures designed to ensure that personal information remains confidential and secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.

12. INFORMATION AVAILABLE IN TERMS OF OTHER LEGISLATION

Information is available in terms of certain provisions of the following legislation to the persons or entities specified in such legislation:
- Administration of Estates Act 66 of 1965
- Basic Conditions of Employment Act 75 of 1997
- CPA
- Companies Act 61 of 1973
- Compensation for Occupational Injuries and Health Diseases Act 130 of 1993
- Employment Equity Act 55 of 1998
- Estate Agency Affairs Act 112 of 1976
- Income Tax Act 58 of 1962
- Insolvency Act No. 24 of 1936
- Labour Relations Act 66 of 1995
- Occupational Health & Safety Act 85 of 1993
- Pension Funds Act 24 of 1956
- Skills Development Act 97 of 1998
- Skills Development Levies Act 9 of 1999
- Stamp Duties Act 77 of 1968
- Unemployment Contributions Act 4 of 2002
- Unemployment Insurance Act 30 of 1966
- Value Added Tax Act 89 of 1991

13. CATEGORIES OF RECORDS AVAILABLE UPON REQUEST

ASSA ABLOY maintains records on the categories and subject matters listed below. Please note that recording a category or subject matter in this Manual does not imply that a request for access to such records would be granted. All requests for access will be evaluated on a case-by-case basis in accordance with the provisions of PAIA.

Please note further that many of the records held by ASSA ABLOY are those of third parties, such as clients and employees, and ASSA ABLOY takes the protection of third-party confidential information very seriously. For further information on the grounds of refusal of access to a record please see paragraph 14.5 below. Requests for access to these records will be considered very carefully. Please ensure that requests for such records are carefully motivated.
Category of records: Internal records
The records listed pertain to ASSA ABLOY's own affairs.
Records:
- Memoranda and Articles of Association
- Financial records
- Operational records
- Intellectual property
- Marketing records
- Internal correspondence
- Service records
- Statutory records
- Internal policies and procedures
- Minutes of meetings

Category of records: Personnel records
For the purposes of this section, “personnel” means any person who works for or provides services to or on behalf of ASSA ABLOY and receives or is entitled to receive any remuneration and any other person who assists in carrying out or conducting the business of ASSA ABLOY. This includes partners, directors, all permanent, temporary and part-time staff as well as consultants and contract workers.
Records:
- Any personal records provided to us by our personnel
- Any records a third party has provided to us about any of their personnel
- Conditions of employment and other personnel-related contractual and quasi legal records
- Employment policies and procedures
- Internal evaluation and disciplinary records
- Other internal records and correspondence

Category of records: Client-related records
Records:
- Contracts with the client and between the client and other persons

Category of records: Other third-party records
Records are kept in respect of other parties, including without limitation joint ventures and consortia to which ASSA ABLOY is a party, contractors and sub-contractors, suppliers, service providers, and providers of information regarding general market conditions. In addition, such other parties may possess records which can be said to belong to ASSA ABLOY.
Records:
- Personnel, client, or ASSA ABLOY records which are held by another party as opposed to being held by ASSA ABLOY; and
- Records held by ASSA ABLOY pertaining to other parties, including financial records, correspondence, contractual records, records provided by the other party, and records third parties have provided about the contractors or suppliers.
Category of records: Other records
Records:
- Information relating to ASSA ABLOY; and
- Research information belonging to ASSA ABLOY or carried out on behalf of a third party.

14. REQUEST PROCEDURE

14.1 Completion of the prescribed form

Any request for access to a record from a public body in terms of PAIA must substantially correspond with the form included in Appendix A hereto.

A request for access to information which does not comply with the formalities as prescribed by PAIA will be returned to you.

POPIA provides that a data subject may, upon proof of identity, request ASSA ABLOY to confirm, free of charge, all the information it holds about the data subject and may request access to such information, including information about the identity of third parties who have or have had access to such information.

POPIA also provides that where the data subject is required to pay a fee for services provided to him/her, ASSA ABLOY must provide the data subject with a written estimate of the payable amount before providing the service and may require that the data subject pays a deposit for all or part of the fee. Grounds for refusal of the data subject’s request are set out in PAIA and are discussed below.

POPIA provides that a data subject may object, at any time, to the processing of personal information by ASSA ABLOY, on reasonable grounds relating to his/her particular situation, unless legislation provides for such processing. The data subject must complete the prescribed form attached hereto as Appendix C and submit it to the Information Officer at the postal or physical address, facsimile number or electronic mail address set out above.
A data subject may also request ASSA ABLOY to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that ASSA ABLOY is no longer authorised to retain in terms of POPIA's retention and restriction of records provisions.

A data subject that wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the Information Officer at the postal or physical address, facsimile number or electronic mail address set out above on the form attached hereto as Appendix D.

14.2 Proof of identity

Proof of identity is required to authenticate your identity and the request. You will, in addition to this prescribed form, be required to submit acceptable proof of identity such as a certified copy of your identity document or other legal forms of identity.

14.3 Payment of the prescribed fees

There are two categories of fees which are payable:
- The request fee: R50
- The access fee: This is calculated by taking into account reproduction costs, search and preparation costs, as well as postal costs. These fees are set out in Appendix B.

Section 54 of PAIA entitles ASSA ABLOY to levy a charge or to request a fee to enable it to recover the cost of processing a request and providing access to records. The fees that may be charged are set out in Regulation 9(2)(c) promulgated under PAIA.

Where a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.

14.4 Timelines for consideration of a request for access

Requests will be processed within 30 (thirty) days, unless the request contains considerations that are of such a nature that an extension of the time limit is needed.
Should an extension be required, you will be notified, together with reasons explaining why the extension is necessary.

14.6 Grounds for refusal of access and protection of information

There are various grounds upon which a request for access to a record may be refused. These grounds include:
- the protection of personal information of a third person (who is a natural person) from unreasonable disclosure.
- the protection of commercial information of a third party (for example: trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party).
- if disclosure would result in the breach of a duty of confidence owed to a third party.
- if disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person.
- if the record was produced during legal proceedings, unless that legal privilege has been waived.
- if the record contains trade secrets, financial or sensitive information or any information that would put ASSA ABLOY at a disadvantage in negotiations or prejudice it in commercial competition; and/or
- if the record contains information about research being carried out or about to be carried out on behalf of a third party or by ASSA ABLOY.

Section 70 of PAIA contains an overriding provision. Disclosure of a record is compulsory if it would reveal (i) a substantial contravention of, or failure to comply with the law; or (ii) there is an imminent and serious public safety or environmental risk; and (iii) the public interest in the disclosure of the record in question clearly outweighs the harm contemplated by its disclosure.

If the request for access to information affects a third party, then such third party must first be informed within 21 (twenty-one) days of receipt of the request. The third party would then have a further 21 (twenty-one) days to make representations and/or submissions regarding the granting of access to the record.

15. REMEDIES AVAILABLE TO A REQUESTER ON REFUSAL OF ACCESS

If the Information Officer decides to grant you access to the particular record, such access must be granted within 30 (thirty) days of being informed of the decision.

There is no internal appeal procedure that may be followed after a request to access information has been refused. The decision made by the Information Officer is final. In the event that you are not satisfied with the outcome of the request, you are entitled to apply to the Information Regulator or a court of competent jurisdiction to take the matter further.

Where a third party is affected by the request for access and the Information Officer has decided to grant you access to the record, the third party has 30 (thirty) days in which to appeal the decision in a court of competent jurisdiction. If no appeal has been lodged by the third party within 30 (thirty) days, you must be granted access to the record.

16. AVAILABILITY OF THIS MANUAL

Copies of this Manual are available for inspection, free of charge, at the offices of ASSA ABLOY and online via our websites.