Data Subjects will be informed of the purpose of the processing carried out. All Personal Information will be collected from our Data Subjects during the on boarding process and will be used to monitor the ongoing performance of the account and mitigate any risks.

If any processing does not concern you or your entity or if there is information missing, your Personal Information will be deleted or amended, as necessary. We processes your Personal Information under the following circumstances:

1.1. Your data is processed to ensure compliance with financial and legal obligations as set out in applicable regulations.

We monitor your transactions to manage, prevent and detect risks and fraud and to ensure compliance with any local laws. We will process your data for the following purposes:

• Monitor accounts to mitigate risks and to prevent fraud
• Analytics & reporting purpose
• Storage for audit purpose
• Ensure compliance with applicable legislation

1.2. Your data is processed for the performance of a contract.

The purpose is to meet our obligations in terms of the contract and support you including management of your account by automatically categorizing your transaction data.

1.3. Your data is processed to meet our legitimate interest.

We monitor your transactions to manage, prevent and detect risks and fraud. In addition, your data may be processed for the following activities:

• Customer servicing
• Prevention of Fraud & regulation violations
• Marketing and Communication
• Physical and Environmental security
• IT Support activities
• HR Management
• Risk Management
• Procurement Management
• Legal Activities
• Finance Activities
• Other Support Activities

1.4. Your data is processed if you have given your consent.

You agree and consent that we may process, record and/or disclose your personal information, including details of any transactions on your account, in line with our terms and conditions. Your Personal Information may be amended or your consent may be withdrawn at any time by submitting a request via email to customerservice@rcsgroup.co.za

1.5 Automated Decision Making

You agree and consent that we may make an automated decision which affects you, which decision may be made
solely on the basis of the automated processing of your personal information, such as, but not limited to, your credit
worthiness or location. You have the right to request information about the underlying logic of the automated
processing of the information, and the right to make representations to us about any such decision.

Generally, any information falling within the definitions of “personal information”, “special personal information” and “consumer credit information” as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the National Credit Act 34 of 2005 respectively (“Applicable Legislation”), which can include:

• Professional contract details
• Personal contact information
• ID, Signature, Personal life
• Race, Health conditions, Sensitive payment data, criminal records
• Financial data
• Education
• Employment

RCS Cards (Pty) Ltd, Golf Park 6, Golf Park, Raapenberg Road. Mowbray, 7700.

Personal Information is collected directly from prospective and existing Data Subject, as well as from credit bureaus to enrich customer data or from third parties with the Data Subject’s consent.

Personal Information may be shared with your consent to approved 3rd parties and subcontractors who support certain business functions, which cannot be fulfilled internally.

Personal Information can also be disclosed:

• Where there is a legal obligation or right in terms of industry codes, to disclose the information.
• Where it is necessary to protect our rights.

Personal Information will be retained in accordance with Applicable Legislation for the intended collection purpose and use and will be destroyed once the retention period is reached.

The Data Subject’s personal information is voluntarily collected from the Data Subject for the purpose of the services offered by the responsible party.

If the Data Subject does not provide us with the requested personal information, we will not be able to provide you with the services requested.

We may transfer your personal information to third parties, including credit bureaus, for the purposes of providing our services to you. Where your personal information is transferred to third parties outside of the borders of the Republic of South Africa, the level of protection afforded to your personal information in these third parties will depend on the privacy laws and regulations of that country.

We take the security of your personal information seriously and have implemented appropriate, reasonable technical and organizational measures to protect it from unauthorized access, loss, or damage, as required by POPIA Condition 7.

• Our security measures include, but are not limited to, the following:
• Access controls, such as passwords and multi-factor authentication, to limit access to personal information to authorized personnel only.
• Encryption of personal information both in transit and at rest.
• Regular backups and disaster recovery procedures to ensure the availability and integrity of personal information.
• Monitoring and logging of system activity to detect and respond to security incidents.
• Regular security assessments and audits to identify and address vulnerabilities.

We will promptly investigate any suspected security incidents and take appropriate action to mitigate any harm and prevent future incidents.

We will regularly review and update our security measures to ensure they remain appropriate and effective.

We will only share your personal information with third parties who have agreed to comply with our security measures and who have a legitimate need to access it.

We will notify you and the relevant authorities as required by law in the event of a security breach that affects your personal information.

You have the right to object to the processing of your personal information for certain purposes.

You have the right to object to the processing of their personal information for certain purposes.

You have the right to lodge a complaint with the Information Regulator, if you believe that we have not complied with the applicable privacy laws. The Information Regulator may be contacted at 010 023 5200 and emailed at POPIAComplaints@inforegulator.org.za. We reserve the right to modify this Privacy Policy from time to time to reflect changes in our practices and applicable laws. If we make any changes to this Privacy Policy, we will post the updated policy on our website.

If you have any questions or concerns about this Privacy Policy, please contact us at legal@rcsgroup.co.za