
DATA PROTECTION POLICY The biometric information of the business
1.1 Processed lawfully, with consent, transparently, and accessible to the data subject;
1.2 Collected for specified, explicit, and legitimate purposes;
1.3 The purposes for processing personal information are clear to the data subject;
1.4 Adequate, relevant, and limited to what is necessary;
1.5 Accurate and kept up to date or removed when asked to by the data subject;
1.6 Kept for no longer than is necessary where data subjects are identifiable;
1.7 Processed securely and protected against unauthorized or accidental loss, destruction, or damage; and,
1.8 The data subject is informed if a third party processes the personal data and provided with their contact information.
This Data Protection Policy is intended to:
2.1 Ensure that the Organisation complies with legal standards for the receipt, processing, and storing of personal data of individuals and legal entities and explain how this should be achieved;
2.2 Ensure that the Organisation protects the rights of data subjects with respect to the privacy of personal information; and,
2.3 Protect the Organisation against the risks and consequences of data breaches.
Organisation: Alien Automation Technologies Pty Ltd.
Information Officials: This means Alien Automation Technologies Pty Ltd is responsible for data protection within the Organisation of service and third-party affiliates.
Data Subject: Means the person (individual or legal entity) to whom the data relates.
Responsible party: This means the entity that determines the purpose and manner in which the personal information of a data subject is to be processed.
Operator: Means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Personal information: For the purpose of this policy, reference to ‘personal information’ shall include ‘special personal information’ as described hereunder. Means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
(b) information relating to the education or the medical, financial, criminal, or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views, or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and,
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
Special personal information: Means –
(a) the religious or philosophical beliefs, race or ethnic origin, political persuasion, health or sex life, or biometric information of a data subject; or,
(b) the criminal behaviour of a data subject to the extent that such information relates to—
(i) the alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Processing: Means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
(b) dissemination by means of transmission, distribution, or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure, or destruction of information.
De-identify: Means to delete any information that: identifies, or can be used/manipulated to identify, the data subject; or that can be linked to other information that identifies the data subject by a reasonably foreseeable method.
4.1 This policy applies to all personal information processed by the Organisation – whether by employees or by third-party Operators on its behalf. It will also apply to ancillary workers such as contractors, consultants, freelancers, etc. who may from time to time provide services to the Organisation and be exposed to personal information in its possession or under its control.
4.2 The Information Officer will be registered with the office of the Information Regulator and shall take responsibility for the Organisation’s ongoing compliance with this policy.
4.3 This policy shall be reviewed at least once annually.
5.1 All personal data relating to data subjects and/or to the Organisation, shall be deemed confidential information and be handled as such.
5.2 The processing conditions for lawful processing of personal information as required in terms of POPIA, will be complied with (Paragraph 7).
5.3 The only person/s entitled to access data covered by this policy, will be those who need to access it for the execution of their direct work services or required outputs.
10.4 Under no circumstances will personal information be shared outside the scope of required work outputs, or informally. In the event of any doubt, an employee or Operator must first obtain authorisation from a senior manager or the Information Officer before accessing confidential information where any work output requiring access is unusual or out of the ordinary.
11.5 Employees will receive induction and on-the-job training in relation to all security standards applicable to such employee’s service delivery and work outputs involving personal information of data subjects.
12.6 Employees shall keep all personal data secure by taking sensible practical precautions and complying with all rules, practices, and protocols. This pertains to both physical and digital security including the use of passwords, communications, device security, remote access, physical access control, authorization protocols, etc.
13.7 The Organisation will develop and implement an Incident Response Scenario in case of a data breach or a security compromise. This must be communicated to relevant employees and Operators and must be strictly complied with.
6.1 Data subjects have the right to know what personal information is held by the Organisation and for what purpose(s) it is processed.
6.2 Data subjects may request access to their personal information. They may also request amendments to or deletion of the information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully and/or no longer authorised to be kept.
10.3 Data subjects may further object in the prescribed manner to the processing of their personal information (except where processing is based on an obligation in terms of the law, or to perform in terms of a contract to which the data subject is a party) or may withdraw consent previously given to process the information; this will affect any further processing.
11.4 Data Subject Access requests must be referred to the Information Officer via email, who will be responsible to attend to the request timeously and to communicate with the data subject in this regard. The identity of the data subject must always be verified before granting access to the information.
12.5 The Organisation may in certain circumstances be legally obliged to disclose personal information to law enforcement or similar institutions, without the consent of the data subject. This will however only be done after verifying that the request is lawful and legitimate.
13.6 Data subjects may lodge a complaint with the Information Regulator if they are concerned about the security of their personal information or its processing by the Organisation. Data subjects are however encouraged to first contact the Information Officer to report their concerns to the organisation directly, in terms of its relevant complaints procedure.
14.7 The Data Subject may institute legal proceedings regarding the alleged interference with the protection of personal information.
9.1 All processing of personal information by the Organisation and/or its Operators, must be done in accordance with the processing principles and conditions as set out in the relevant privacy legislation, specifically POPIA in South Africa.
10.2 All personal information processed by the Organisation must be done on one of the following lawful bases: consent of the data subject, contractual obligation, subscription obligation, legal obligation, the performance of a public task or to protect the legitimate interests of the Organisation and/or the data subject. It must be clearly recorded on what basis any and all personal information is being processed and the Information Officer must implement and coordinate an appropriate system to facilitate this and must ensure that it is regularly reviewed and updated.
11.3 The organisation’s legitimate business interests must always be balanced against the data subject’s privacy rights.
12.4 Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal information. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and such revocation must be clearly and accurately reflected in the Organisation’s systems.
13.5 The lawful processing of personal information must also be done in accordance with specific processing conditions:
14.6 Accountability
15.6.1 The Organisation as the Responsible Party determines the purpose, means, and processing of the personal information and must put measures in place to ensure that all the processing conditions are complied with at the time of determining the purpose and means of processing and during the processing itself.
16.6.2 All employees (and Operators) shall continually be responsible for ensuring the safeguarding, protection, and avoidance of any unauthorised disclosure or breach of personal information in the execution of employment duties and services to the Organisation, or otherwise in the course of rendering services or being associated with the Organisation. Instructions and guidance in this regard may include this policy, departmental policies and procedures, instructions from management or from the Information Officer, training, and general communications.
17.6.3 Persons with particular responsibilities connected to data protection in the Organisation, are:
18.6.3.1 The Information Officer, who is responsible for:
• assessing, overseeing, coordinating, and ensuring data security and compliance with POPIA;
• arranging data protection training for employees;
• reviewing and approving agreements with third-party Operators;
• reporting to executive management about compliance with all technological and operational data protection standards and protocols;
• advising of any risk of breach at the earliest opportunity; and
• putting measures in place to respond to any data breach or security compromise.
The Information Officer may also initiate disciplinary proceedings against employees for breaches of rules and standards in this regard and must attend to all requests (internal or external) for access to personal information.
7.6.3.2 The IT Manager, who is responsible:
• To ensure that all systems, services, and equipment used for processing and/or storing data adhere to internationally acceptable standards of security and data safeguarding and are regularly updated to continue to comply with such standards.
• To regularly issue appropriate and clear data protection rules and directives as may be required in relation to any aspect of the Organisation’s work – including password protocols, data access protocols, levels of persons who enjoy access to certain data, sign-on procedures, log-on and log-off procedures, the description of accessories, applications, and equipment that will or may be used, and/or that may not be used under any circumstances, and the like.
7.7 Minimality / Processing Limitation
Processing of personal information must be limited to lawful and justified processing (on one of the bases as set out above) in a reasonable manner, that does not unnecessarily infringe on the privacy of the data subject. Only the minimum amount of personal information that is necessary for the stated purpose, must be collected and processed. There are also further specific limitations that apply to particular types of personal information / activities, such as cross-border transfer of information, direct marketing, automated decision making, directories, and special personal information. To comply with this condition, Alien Automation Technologies Pty Ltd will only collect and store information that is relevant, dated and current. Unnecessary information will be destroyed.
7.7.1 Purpose Specification
Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a legitimate function/activity of the Organisation and this purpose should generally be disclosed to the data subject. Personal information should also not be retained for longer than is necessary for achieving the purpose for which the information was collected and processed unless certain exceptions apply. All records containing personal information must be securely destroyed at the end of the retention period, or the information must be de-identified.
7.7.2 Further processing limitation
Personal information that has been collected for a specific purpose may not be processed further unless it is for a reason compatible with the original purpose, or if the data subject consents, or if specific circumstances exist that permit such further processing in terms of the law.
7.7.3 Information Quality
The Organisation must take reasonable steps to ensure that the personal information processed by it is complete, accurate, not misleading, and updated where necessary. Particular care should be taken that personal information is not unnecessarily duplicated and stored in different places, and that any updates are applied to all sets of the same information.
7.8 Openness / Transparency
Whenever the Organisation collects personal information (except if one or more of the exclusions in s18 of POPIA apply), it must take reasonable steps to notify the data subject of certain details relating to the processing of this information:
7.8.1 The information collected and the source of the information (if not from the data subject directly);
7.8.2 The purpose for which it is collected;
7.8.3 Whether the data subject is obliged to supply the information or if it is voluntary (e.g. what law, if any, prescribes, authorises or requires the collection of the information);
7.8.4 The consequences of failure to provide the information;
7.8.5 If applicable, that the responsible party intends to transfer the information trans-border and the level of protection afforded by the recipient;
7.8.6 Any further information, such as the recipients of the information, its nature and category, and the right of the data subject to access and rectify the information collected, to object to the processing of the information, or to complain to the Regulator.
The Organisation complies with this condition by issuing specific and relevant Privacy Notices to data subjects when personal information is collected – such as job applicants, employees, members, training delegates, and trainers. Provision must also be made in respect of handling requests for access to information by data subjects and/or third parties – internally or externally. The Information Officer / Deputy Information Officer handles all such requests under POPIA as well as PAIA (the Promotion of Access to Information Act) and may implement procedures, policies, and processes in this regard.
7.8.7 Security safeguards
The Organisation is legally obliged to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of or damage to or unauthorized destruction, unlawful access to or processing of such personal information. In order to do this, the Organisation will regularly conduct risk assessments to identify foreseeable internal/external risks and vulnerabilities to such personal information and will establish and maintain appropriate safeguards against these risks. Such safeguards include technological as well as organisational and physical measures and must have due regard to international best practices, specific industry standards, or applicable professional rules or regulations. These will be reviewed and updated on a regular basis and where applicable, communicated to relevant employees. The Organisation will also ensure that any third-party Operators that process personal information on its behalf, subscribe to and comply with the same level of security and that these obligations are set out in a mandatory written agreement with each Operator. Some of the pertinent security measures in the Organisation include:
7.8.8 Data classification, authorisation, and access
The Organisation will design a data classification system to determine who may have access to various types of personal information and implement appropriate security measures to ensure that access to unauthorised persons is restricted and to avoid sharing of the information. Paper- or other physical records are kept in a secure place where only authorized persons can view or access them. Offices of personnel such as HR, finance, and IT where sensitive personal information is usually kept, are particularly vulnerable and will be kept secure.
7.8.9 Secure processing and storage
Security measures include using up-to-date software, secure (off-premises) storage and having appropriate backup and recovery solutions in place for electronic data. They also include cyber security measures pertaining to password protocols, removable media use, data portability, device use and sharing, remote access, authorizations, encryption, email systems, and protecting against cyber-attacks of any kind.
7.8.10 Transferring personal information and communications
Personal information may not be transferred or sent to any person or entity not directly authorized to receive it. IT protocols will also be developed and implemented to ensure proper encryption so that personal information is sent in protected form to authorized recipients.
7.8.11 Sharing personal information
The sharing of personal information with another employee or company representative will depend on whether that person has a job-related need to know the information and provided that aspects such as cross-border restrictions (where applicable) are adhered to. It must also comply with the Privacy Notice provided to the data subject and, if required, the consent of the data subject must have been obtained. Personal information may generally only be shared with third parties when certain safeguards and/or contractual arrangements have been put in place, in particular also containing provisions relating to data protection, and subject to the same restrictions as set out above.
7.8.12 Destruction of Data and disposal of personal information
When personal information is deleted or de-identified, it must be done so that the data is not recoverable or re-identifiable. Office equipment must be professionally wiped when disposed of or no longer in use. Paper records must be shredded when no longer needed. All electronic data will automatically be destroyed 14 days after a customer unsubscribes.
7.8.13 All information that is destroyed must be recorded on the RAD Register.
7.9 Data Subject Participation
Data subjects have the right to be involved in the processing of their personal information and have certain rights in this regard, as outlined in par 6 above.
7.9.1 Account numbers
Failure by the organization to appropriately protect account numbers of data subjects could constitute a criminal offense if it ought to have known/foreseen risks in this regard, but failed to take reasonable steps to address those risks. Someone who knowingly or recklessly obtains, discloses, or procures the disclosure of an account number in an unauthorized manner, or who sells such a number, may also be guilty of a criminal offense.
7.9.2 Direct marketing
Marketing by electronic means to potential or existing customers is subject to strict privacy rules in terms of POPIA. Prior consent from potential recipients must be explicitly obtained (in the prescribed manner) before marketing material (including emails, newsletters, and texts) may be sent to them and they may only be approached once for such consent. The option to withdraw consent, opt-out or unsubscribe must also be very clearly indicated in each subsequent communication.
The limited exception for existing customers allows organizations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person if marketing similar products or services, and if giving the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
7.9.3 Automated decision-making and profiling
Automated decision-making relates to automated decisions being taken without human oversight or intervention, such as adverse credit decisions being taken automatically, or other adverse decisions and activities such as algorithmic processing and information and result outputs. This type of processing is prohibited under POPIA, but with some exceptions – such as when automated decision-making is governed by law or a code of conduct with suitable protections; or has been done in connection with a contract according to the data subject’s request and appropriate protective measures have been taken. These protective measures include an opportunity for the data subject to make representations, after the organization has provided him/her/it with sufficient information about the underlying logic of the automated processing.
The organization will as far as possible ensure that the transfer of personal information to a recipient in a foreign country only takes place if there are adequate/similar levels of data protection in place – by way of laws applicable to that country. The data subject may however nevertheless consent to the cross-border transfer of their personal information; or such a transfer may take place if it is necessary in connection with a contract between the organisation and the data subject, or a contract concluded in the data subject’s interest or to their benefit. The cross-border transfer of special personal information or personal information relating to children, may however be subject to prior authorisation from the Information Regulator if the foreign country does not provide an adequate level of protection as required in terms of POPIA.
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the Organisation must notify the Regulator and the affected data subject(s) (unless the identity of such data subject cannot be established, or it will impede a criminal investigation). This notification and the Organisation’s response to a data breach will be dealt with in terms of the Incident Response Protocol by the Information Officer, together with other departments and/or service providers such as IT, finance, legal, HR, security, etc. The Incident Response includes specific reporting protocols: operators may not make reports to data subjects or the Regulator directly but must report to the Organisation as the responsible party. Employees, Operators, and the like should not attempt to investigate such matters themselves but should immediately contact the Information Officer or delegated person and preserve all evidence relating to the potential security compromise or data breach. The Information Officer is responsible for ensuring that all relevant employees and Operators are made aware of the contents of the Incident Response protocols.
The organization is committed to making data protection and privacy of data subjects a priority in all aspects of its business activities. To this end, the organization’s privacy strategy provides for continuous privacy- and data protection impact assessments as may be appropriate and for privacy considerations to form part of the development and implementation of all new projects, tools, programs, equipment, etc.
This data protection policy governs every employee of the Organisation during the course of his/her services to it, and to the extent applicable, after termination of employment. It is the responsibility of every employee to familiarise him/herself with the content of this policy and to remain up to date as to any changes to it issued by the Organisation. To the extent that this policy sets out workplace rules and standards governing the employee in the course of his/her work and services to the company, these shall form part of the company’s Disciplinary Code and Procedure and are hereby also incorporated into it. A breach of any rule in relation to the protection of personal data set out in this policy that constitutes misconduct shall be subject to disciplinary action and may lead to dismissal in appropriate circumstances. The imposition of any disciplinary sanction or dismissal shall not preclude the Organisation from instituting civil proceedings against an employee who acted in breach of this policy where such breach has resulted in liability, loss, reputational damage and/or other damages to the Organisation in the course of pursuing its commercial operations.
This policy may be read together with other organizational policies and standards that deal with specific areas of the business, including:
Internal
• Alien Automation Technologies Pty Ltd Data Protection Policy
• Alien Automation Technologies Pty Ltd Employee Privacy Policy (dealing with how the company processes the personal information of employees)
• IT and Cyber Security policies, including password policy
• Incident Response Protocol
External
• Privacy Notices to customers, clients, vendors, suppliers, applicants, members, etc.
• Operators Agreements
The Organisation’s management team may, from time to time, amend, supplement, modify or alter this policy. Policy last modified 17/09/2024.