DATA PROCESSING AGREEMENT
1 DEFINITIONS
1.1 “Applicable Law(s)” means, as amended from time to time and to the extent it applies to a Party (including, as applicable, affiliates and sub-contractors of a Party), or the Processing and wherever occurring in any relevant jurisdiction, (a) any statute, regulation, notice, policy, directive, ruling or subordinate legislation (including treaties, multinational conventions and the like having the force of law); (b) all relevant judgments, rulings and orders handed down by any competent court situated within the Republic of South Africa; (c) the common law; (d) any applicable industry code or policy enforceable by law, and (e) any applicable direction, policy or order that is given by any regulator, competent authority or organ of state or industry body;
1.2 “Client” means the client in terms of the Main Agreement(s) to which this Agreement relates;
1.3 “Confidential Information” means any and all confidential information (whether in oral, written or electronic form) given, including technical information, other information or Personal Information imparted in confidence or disclosed by one party to the other or otherwise obtained by one party relating to the other’s business, finance or technology, know-how, intellectual property, assets, strategy, products, including without limitation information relating to data processes, management, financial, marketing, technical and other arrangements or operations of any affiliate, person, firm, or organization associated with that party;
1.4 “Data Subject” means any person to which specific Personal Information relates, as contemplated in POPIA, and whose Personal Information is processed by the Service Provider in the fulfilment of its obligations in terms of the Main Agreement;
1.5 “Data” means any data, including Personal Information, irrespective of the media or form, and includes: (i) all data that is in the possession of the Parties, and all data concerning or indexing such data (regardless of whether or not owned by the Parties, or generated or compiled by the Parties); and (ii) all other records, data, files, input materials, reports, forms and other such items that may be received, computed, developed, used or stored by any third party or any of its employees, contractors or agents from, for or on behalf of the Parties, all of which are confidential for purposes of this Agreement;
1.6 “Main Agreement(s)” means any commercial agreement(s), including the corporate rate agreement, in terms of which the Service Provider provides the Services contemplated therein to the Client;
1.7 “Service Provider” means The Capital Apartments and Hotels (Pty) Ltd, the provider of the Services contemplated in terms of the Main Agreement;
1.8 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; and shall, where applicable, include Special Personal Information, and only insofar as the Personal Information is Processed by the Service Provider in the course of the provision of the Services;
1.9 “Processing” or “Process” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
1.10 “POPIA” means the Protection of Personal Information Act 4 of 2013 as amended from time to time;
1.11 “Regulator” means the appropriate Information Regulator as defined under POPIA;
1.12 “Services” means the Services contemplated in terms of the Main Agreement;
1.13 “Special Personal Information” means:
- personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
- the criminal behaviour of a Data Subject to the extent that such information relates to:
1.13.1 the alleged commission by a Data Subject of any offence; or
1.13.2 any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
1.14 “Staff” means any employee, independent contractor, agent, consultant, subcontractor or other representative of either the Client or the Service Provider.
2. LEGAL EFFECT OF THIS AGREEMENT AND OBLIGATIONS OF THE PARTIES
The Parties acknowledge that pursuant to the conclusion of any Main Agreement(s), they expressly accept the terms of this Agreement without the need for this Agreement to be independently signed by the Parties. The terms and conditions of this Agreement are to be read with the terms and conditions of any Main Agreement(s), as if specifically incorporated therein and in the event of any conflict between any provisions of the Main Agreement(s) and this Agreement, the provisions of this Agreement will prevail. As such, the Parties acknowledge that pursuant to the conclusion of any Main Agreement(s), they will have access to, and be required to Process, Data relating to one another, as well as one another’s Data Subjects, including their mutual client(s). Accordingly, the Parties warrant and undertake to and in favour of one another that they shall –
2.1 treat the Data and Personal Information as strictly confidential in accordance with the provisions contained in clause 3;
2.2 only Process the Data and Personal Information in accordance with Applicable Laws, in terms of the provisions of the Main Agreement and this Agreement;
2.3 not disclose or otherwise make available the Data to any third party (including sub-contractors and Staff) other than authorised Staff who require access to such Data strictly in order for the Parties to comply with their contractual obligations towards one another as well as to carry out their obligations under this Agreement, as well as in terms of Applicable Laws;
2.4 ensure that all Staff and any other persons having access to the Data are bound by appropriate and legally binding confidentiality and non-disclosure obligations in relation to the Data and especially any Personal Information forming part thereof, on substantially the same terms and conditions as set forth in clause 3;
2.5 take appropriate, reasonable technical and organisational security measures to ensure that the integrity of the Data in their possession or under their control is secured and that such Data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access, by –
2.5.1. having regard to any requirement set forth in law, stipulated in industry rules or in codes of conduct, or imposed by a professional body;
2.5.2. having regard to generally accepted information security practices and procedures which apply to (i) the Parties respective businesses and operations; and (ii) to the Parties, as may be appropriate to discharge their obligations in terms of this Agreement;
2.5.3. having regard to appropriate, reasonable, technical and organisational measures being in place to ensure that the Data in their possession or under their control remains available to one another as and when it may be required;
2.5.4. complying with the specific requirements as may be set forth in any instruction relating to the Main Agreement or any other specific directions or requirement;
2.5.5. identifying all reasonably foreseeable internal and external risks and taking all necessary steps to —
2.5.5.1. identify all reasonably foreseeable internal and external risks to Data in their possession or under their control;
2.5.5.2. regularly verify that the safeguards which they have in place have been effectively implemented;
2.5.5.3. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards; and
2.5.6. agreeing to reasonable amendments to this clause from time to time, to the extent that Applicable Laws generally require such amendments for the benefit of Data Subjects;
2.6. not sell, alienate or otherwise part with the Data or any of the records housing the Data, nor use the Data for any direct marketing, advertising, research or statistical purposes, unless expressly authorised to do so in terms of any other agreement between them, as well as this Agreement.
3. CONFIDENTIAL INFORMATION
3.1. Each party undertakes in favour of the other to:
3.1.1. except as permitted by this Agreement, not to disclose or publish any Confidential Information in any manner for any reason or purpose whatsoever without the prior written consent of the other Party and provided that in the event of the Confidential Information being proprietary to a third party, it shall also be incumbent on the disclosing Party to obtain the consent of such third party;
3.1.2. except as permitted by this Agreement, not to utilise, employ, exploit or in any other manner use the Confidential Information other than as is provided for in this Agreement, and provided that in the event of the Confidential Information being proprietary to a third party, it shall also be incumbent on the relevant Party to obtain the consent of such third party;
3.1.3. to restrict the dissemination of the Confidential Information to only those of its Staff who are actively involved in activities for which use of Confidential Information is authorised and then only on a “need to know” basis, and both Parties shall initiate, maintain and monitor internal security procedures to prevent unauthorised disclosure by their Staff; and
3.1.4. to take all practical steps, both before and after disclosure, to impress upon its Staff who are given access to Confidential Information the secret and confidential nature thereof.
3.2. The obligations of the Parties with respect to each item of Confidential Information shall endure for an indefinite period from receipt of that item of Confidential Information. The obligations referred to in this clause 3 shall endure notwithstanding any termination of this Agreement, any other agreement entered into between the Parties or any discussions between the Parties.
3.3. In addition to the provisions of clause 4, the Client hereby indemnifies and holds the Service Provider harmless from any and all losses arising from, or in connection with, any claim or action arising from the Service Provider’s breach of any obligation with respect to Confidential Information.
4. INDEMNITY
4.1. The Client hereby indemnifies the Service Provider in respect of all losses, claims, damages, costs, expenses, fines and penalties arising from and in connection with the Service Provider’s (including its Staff) actions and/or omissions relating to this Agreement.
5. NOTIFICATION OF A DATA SECURITY BREACH
The Parties shall –
5.1. notify one another in writing immediately upon becoming aware of, or having reasonable grounds to believe, that the Data, and especially Personal Information, of a Data Subject has been accessed or acquired by an unauthorised person, and take all appropriate steps to limit the compromise of Data and to restore the integrity of the affected information systems as quickly as possible;
5.2. as soon as reasonably possible thereafter, engage with one another to discuss the security breach, to report all relevant facts relating to the compromise and to identify the steps to be taken to mitigate the extent of the compromise and the loss occasioned by the compromise;
5.3. provide one another with details of the Data affected by the compromise, including but not limited to, the identity of Data Subjects, the nature and extent of the compromise, and, where possible, details of the identity of the unauthorized person/s who are known to or who may reasonably be suspected of, having accessed or acquired the Data;
5.4. immediately upon notifying one another as set forth in clause 5.1, each Party shall –
5.4.1. at its own cost, take all necessary steps to mitigate the continuation of the compromise, the repetition of a similar compromise, and mitigate the extent of the loss occasioned by the compromise of Data;
5.4.2. implement all measures reasonably necessary to restore the integrity of their information system/s;
5.4.3. provide one another with a report on their progress in resolving the compromise at reasonable intervals following the initial notification, until such time as the compromise is resolved to the Parties’ satisfaction;
5.4.4. upon request, or otherwise if required by law, notify the Regulator and/or the affected Data Subjects. Any such notification shall be in the form prescribed by the Regulator, if applicable, and contain such information as is required in terms of section 22 of POPIA. Notwithstanding the aforegoing, a notification to a Data Subject shall always include sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise.
6. ACCESS TO DATA
The Parties shall –
6.1. assist one another to comply with any requests for access to Data and/or Personal Information received from Data Subjects and, upon request, the Parties shall promptly provide one another with a copy of any Data / Personal Information held by them in relation to a specified Data Subject;
6.2. upon request, provide reasonable evidence of their compliance with their obligations under this Agreement;
6.3. not Process the Data / Personal Information otherwise than in accordance with the Main Agreement, as well as this Agreement.
7. LAWFUL PROCESSING OF DATA
The Parties –
7.1. shall only Process the Data / Personal Information of Data Subjects provided to them by one another for a specific, lawful purpose strictly in accordance with the underlying purpose of the Main Agreement concluded between the Parties;
7.2. if required to collect information from Data Subjects in the execution of their respective obligations towards one another, shall do so in a manner that does not infringe the privacy of the Data Subject, in accordance with any legislation governing the collection of Data / Personal Information from the Data Subject;
7.3. shall, on written instruction, assist one another in updating the Data / Personal Information provided, to ensure that the Data / Personal Information remains complete, accurate and up to date.
8. DISCLOSURE REQUIRED BY LAW, REGULATION OR COURT ORDER
In the event that the Parties are required to disclose or Process any Data / Personal Information as required by Applicable Laws, or if the Processing of such Data / Personal Information is required to enable a public body to properly perform a public law duty, is required to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party, is necessary for pursuing the legitimate interests of either Party, of a third party to whom the information is supplied, or of a Data Subject, or complies with an obligation imposed by law on either Party, they –
8.1. will advise one another thereof prior to disclosure or Processing, if possible. If it is not possible to advise one another prior to disclosure or Processing, the Parties shall advise one another immediately after such disclosure or Processing;
8.2. will take such steps to limit the extent of the disclosure or Processing to the extent that it lawfully and reasonably practically can;
8.3. will afford one another a reasonable opportunity, if possible and permitted, to intervene in the proceedings; and
8.4. will comply with one another’s requests as to the manner and terms of any such disclosure, if possible and permitted.
9. SEPARATION OF DATA / PERSONAL INFORMATION
9.1. Unless otherwise specifically recorded in any agreement between the Client and the Service Provider, neither Party shall, whether itself or via any of its subcontractors or Staff, Process Data / Personal Information provided to it together with, nor combine or merge such Data / Personal Information with, the information (whether Personal Information or not) of another party.
10. RETURN / RETENTION / TRANSMISSION OF DATA / PERSONAL INFORMATION
10.1. Either Party may, at any time on written request to the other Party, require that any Data / Personal Information shared between the Parties in terms of this Agreement, or any other agreement between the parties, be returned to it (or, in certain circumstances, destroyed) and may, in addition, require that the relevant Party furnish a written statement to the effect that upon such return (or destruction), it has not retained in its possession or under its control, whether directly or indirectly, any such Data / Personal Information or material.
10.2. Any request referred to in clause 10.1 above, is to be responded to, or actioned, within a reasonable time.
10.3. The Parties shall ensure that all Data / Personal Information communicated, including any digital communication or any Data / Personal Information stored in digital form shall be secured against being accessed or read by unauthorized parties, using appropriate security safeguards, having due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
11. DATA PROCESSING TERMS
11.1. In supplementation of the above provisions of this Agreement, as well as any relevant provisions of the Main Agreement(s), the Service Provider undertakes to process any and all Data (including Personal Information) in accordance with the technical and organisational measures set forth in Annexure A. The Service Provider reserves the right to amend these measures from time to time. Any such changes will not impact the Service Provider’s compliance with applicable data protection laws and will be communicated to the Client. In such circumstances, the Client’s continued use of the services contemplated in this Agreement will confirm the Client’s acceptance of the relevant changes.
ANNEXURE A: DATA PROCESSING TERMS
The Service Provider shall maintain and enforce the following key Technical and Organisational Measures (“TOMs”) as outlined in this annexure:
(A) Data Privacy and Protection Measures
1. Governance and Operating Model
1.1. The Service Provider is committed to demonstrating accountability when it processes personal information and has implemented an organisational structure, and roles and responsibilities for managing and providing oversight over the processing of personal information.
1.2. Governance structures have been implemented to ensure that data privacy and protection matters are reviewed by appropriate senior management of the Service Provider. Ultimate accountability for data protection is held by the highest level of management in the Service Provider and is supported by designated roles throughout the business.
2. Policies, Processes and Guidelines
2.1. The Service Provider has implemented and communicated its policies, processes, standards and guidelines that detail how employees are expected to process personal information.
2.2. The Service Provider has defined and communicated privacy notices that provide information about how personal information is processed.
3. Data Protection by Design
The Service Provider is committed to implementing reasonable measures to support the Client’s ability to comply with applicable data protection laws. As far as possible, the principles of data protection by design and by default are applied during the development and delivery of the Service Provider’s services.
4. Data Landscape
4.1. The Service Provider has implemented processes to identify, record, assess and maintain an accurate understanding of the personal information that it processes.
4.2. The Service Provider maintains a record of the personal information processed in accordance with applicable data protection laws and this Agreement.
5. Information Lifecycle Management
5.1. The Service Provider has implemented policies and processes to ensure that personal information is processed appropriately throughout its lifecycle (from collection through to use, retention, disclosure and destruction).
5.2. Applicable data protection laws provide data subjects with specific rights in relation to their personal information. The Service Provider is committed to upholding these rights and to ensuring that it supports the Client in responding to data subject requests in a transparent, fair, ethical and lawful way.
5.3. The Service Provider maintains a record of all data subject requests received and the actions taken to respond to these requests. The Service Provider will provide support to the Client in responding to data subject requests throughout the duration of this Agreement.
5.4. The Service Provider only retains personal information where there is a legitimate business purpose and in accordance with this Agreement. The Service Provider destroys, deletes or de-identifies personal information when the retention period lapses and there is no legitimate business reason to retain the personal information for a longer period.
5.5. The Service Provider keeps the personal information processed on behalf of the Client in accordance with the terms of this Agreement and will destroy, delete, de-identify or return personal information when requested, to the Client, and where there are no further obligations to retain the personal information under applicable law.
5.6. The Service Provider has measures in place to ensure that personal information is accurate, complete and up to date.
5.7. The Service Provider has appropriate mechanisms in place, as outlined in this Agreement, to support the lawful transfer of personal information outside of the Republic of South Africa, where it was originally collected, and has appropriate agreements in place with the Client, its subsidiaries, affiliates and sub-operators to support cross-border transfers, regardless of geographical location.
6. Data Protection Training and Awareness
The Service Provider requires all employees to complete data protection training on a regular basis. All data protection policies, processes, standards and guidelines are available to employees and communicated regularly.
7. Breach Response and Notification
7.1. The Service Provider has policies, processes and procedures for identifying, detecting, responding, recovering and notifying appropriate stakeholders in the event of a data breach. This includes mechanisms for performing a root cause analysis and undertaking corrective actions.
7.2. The Service Provider is committed to ensuring that it notifies the Client immediately in the event of a data breach in compliance with applicable data protection laws and this Agreement.
7.3. The Service Provider maintains a record of all personal information breaches and the actions taken to respond to these events and may provide this on request to the Client.
8. Third Party Management
8.1. The Service Provider is accountable for the actions of its operators (i.e. sub-operators) who process data on its behalf and assesses the ability of its operators to protect data at the time of selection and on a periodic basis thereafter, in accordance with its policies.
8.2. The Service Provider’s operators are required to sign appropriate agreements that govern the processing and protection of data and require the same obligations, as outlined in this Agreement, to be transferred to any further operators who the Service Provider may engage in accordance with this Agreement. The Service Provider has ensured that data processing agreements are in place with all its operators (or sub-operators), that uphold the same standard of care as outlined in this Agreement.
9. Monitor and Assess
The Service Provider reports on the design and operational effectiveness of its data protection activities to its senior management teams on a periodic basis.
(B) Information Security Measures
The Service Provider is committed to ensuring that information security controls are implemented and properly managed, in order to protect the confidentiality, integrity and availability of personal information processed on behalf of and under the instruction of the Client.
1. Information Security
1.1. Roles and responsibilities for information security have been formally assigned.
2. Human Resources
2.1. The Service Provider performs background and employment screening for its employees, to the extent permitted under applicable law, to ensure their suitability for hiring and for handling company data and the Client’s data (including personal information). The extent of the screening is proportional to the business requirements and to the classification of the information that the employee will have access to.
2.2. The Service Provider requires that Service Provider employees (including contractors and temporary employees) agree to maintain the confidentiality of Service Provider’s internal data and the Client’s data (including personal information).
2.3. The Service Provider’s employees are required to complete information security awareness training on a regular basis. Information security policies and supporting procedures, processes and guidelines are made available to employees and employees receive relevant information about trends, threats and best practices.
3. Asset Management
3.1. The Service Provider has an acceptable use policy that supports the proper and effective use and protection of its corporate assets, including computer and telecommunication resources, data, services, and IT infrastructure.
3.2. The Service Provider has an information classification policy that describes the appropriate technical and organisational controls for handling information based on its classification. Information and assets are protected in line with the classification label.
4. Access Controls
4.1. The Service Provider has an access control policy, supporting procedures and logical and physical access measures, to ensure that only authorised persons have access to information based on the principles of least privilege.
4.2. Access reviews are periodically performed on IT assets, applications, systems and databases to ensure only authorised individuals have access to the Client’s Data.
5. Physical and Environmental Security
The Service Provider has implemented reasonable and appropriate measures to prevent unauthorised physical access, damage or interference with its information, applications, systems, databases and infrastructure.
6. Operational Security
6.1. The Service Provider has a policy and supporting procedures for managing changes to business processes, applications, systems, databases and infrastructure.
6.2. The Service Provider has established a threat and vulnerability management program supported by industry standard tools for identifying, managing and mitigating risks to company information including the personal information of employees and the Client. This includes anti-virus and anti-malware tools, regular scanning of environments, patching protocols and management of remediation and improvement activities.
6.3. The Service Provider applies reasonable efforts to maintain audit logging on applications and systems. Logs are periodically reviewed and are available for investigation purposes. Access to logs is strictly limited to authorised personnel only.
7. System Acquisition, Development and Maintenance
7.1. The Service Provider has policies and supporting standards and procedures to ensure that security by design principles are applied within the software development lifecycle.
8. Third Party Management
8.1. The Service Provider has policies and supporting procedures to ensure that information assets are protected when it engages third party service providers or operators (sub-operators). This includes requirements for information security due diligence and information security risk assessments to be performed.
8.2. The Service Provider has undertaken reasonable efforts to ensure that appropriate written agreements are in place with operators who have access to the Client’s information, applications, systems, databases and infrastructure. These agreements include security standards for ensuring the confidentiality, integrity and availability of the Service Provider’s information.
9. Information Security Incident Management
The Service Provider has policies, processes and procedures for identifying, detecting, responding, recovering and notifying appropriate stakeholders in the event of an information security incident, including personal information breaches. This includes mechanisms for performing a root cause analysis and undertaking corrective actions.
10. Business Continuity
The Service Provider has established business continuity and disaster recovery plans.
11. Compliance
The Service Provider has established roles and responsibilities for identifying laws and regulations that affect the Service Provider’s business operations. Responsibility for compliance with laws and regulations is established.