GRC Mint & GRC Mint Manufacturing Pty) Ltd *(GRC)

DATA PROTECTION TERMS AND CONDITIONS

1. The following shall have the applicable meanings:
1.1 “Customer” shall mean any person or legal entity to whom GRC provides Services.
1.2 “Data” shall mean any data, including personal information as defined in the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002), the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), Personal Data and/or any equivalent legislation of the jurisdictions(s) where the obligations in terms of these Terms and
Conditions are being provided and/or performed, supplied to Rand Refinery by the Customer or processed on behalf of the Customer by GRC;
1.3 “Data Breach” shall mean any breach of security leading to unauthorised or unlawful destruction, loss, alteration or disclosure of Data;
1.4 “Data Protection Laws” shall mean all applicable laws relating to data protection, privacy and security when processing Data. This includes without limitation applicable international, regional, federal or national data protection, privacy, export or data security directives (e.g. directives of the European Union), laws, statures, regulations,
rulings, decisions, and other binding restrictions of or by any judicial or administrative body, whether domestic, foreign or international, including the Electronic Communications and Transactions Act, 2002 and the Protection of Personal
Information Act, 2013;
1.5 “Personal Data” shall mean personal data as defined in the Data Protection Laws, including any information relating to an identified or identifiable individual (including, but not limited to, name, postal address, email address, telephone number, date of birth, driver’s license number, identification number, financial account number, credit or debit card number, insurance ID or account number, health or medical information, consumer reports, background checks, biometric data, digital signatures, any code or password that could be used to gain access to financial resources or any other unique
identifier) that is Processed by GRC;
1.6 “Process” shall mean any operation or set of operations, performed on Data, by any means, such as by collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction and “Processing” shall have a corresponding meaning.
1.7 “Services” shall mean any service provided by GRC to the Customer.
1.8 Notwithstanding any other provision in these Terms and Conditions, the Customer agrees that, for GRC to provide the Services, the Customer’s Data may be:
1.8.1 held on a variety of systems, networks and facilities worldwide including systems and databases used by GRC help desks, service desks and/or network management centres used for providing the Service/s and/or used for billing, sales,
technical, commercial and/or procurement purposes;
1.8.2 located, hosted, managed, accessed, or transferred worldwide; and
1.8.3 provided or transferred by GRC to any sub-contractor or supplier worldwide to the extent necessary to allow that sub-contractor or supplier to perform its
obligations in respect of the Service/s.
1.9 The Customer shall advise GRC what Personal Data, if any, is included in the Data provided by the Customer (“Customer Personal Data”). Therefore:
1.9.1 GRC shall comply with any Data Protection Laws applicable to it in its Processing of Customer Personal Data.
1.9.2 GRC shall only Process Customer Personal Data to the extent necessary to provide the Services and will implement and take appropriate and reasonable technical and organisational measures in accordance with its security policies as amended from time to time to protect Customer Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access of Customer Personal Data transferred outside of South Africa, including to subcontractors or suppliers where required to provide the Services.
1.9.3 The Customer shall provide sufficient written notice and obtain sufficient written consent and authorisation, under any applicable laws, from any relevant data subject (as defined in terms of Data Protection Laws), to permit the Processing of any Customer Personal Data by GRC, its sub-contractors or suppliers.
1.10 The Customer agrees that GRC, to the extent permitted by law, shall not be liable for any complaint, claim or action brought by a data subject (as defined in terms of Data Protection Laws) arising from any action or omission by GRC to the extent that such action or omission:
1.10.1 resulted from any failure by the Customer to comply with this clause; or 1.10.2 resulted from GRC complying with any instructions of Customer or acting on behalf of the Customer in accordance with those instructions,
and the Customer shall indemnify, hold harmless and defend GRC from and against any such claims or actions brought against GRC.
1.11 GRC shall at all times strictly comply with all applicable Data Protection Laws, which may be in force from time to time.
1.12 GRC hereby warrants, represents, and undertakes that it:
1.12.1 shall not, at any time Process Data for any purpose other than with the express prior written consent of the Customer, and to the extent necessary to provide the Services.
1.12.2 shall ensure that all its systems and operations which it uses to provide the Services including all systems on which Data is Processed as part of providing the Services, shall at all times be of a minimum standard required by all applicable Data Protection Laws.
1.13 GRC shall take reasonable steps to identify all reasonably foreseeable internal and external risks posed to Data under GRC’s possession or control and establish and maintain appropriate safeguards against any risks identified including appropriate backups of data for disaster recovery measures.
1.14 GRC shall provide the Customer with prompt reasonably detailed written notice in case GRC discovers any Data Breach or any actual, pending or threatened enforcement proceeding, action, notification of breach, lawsuit against
Rand Refinery or a GRC sub-contractor, relating to Data. To the extent the Data Protection Laws require that an individual or authority be notified of a Data Breach, GRC shall at the Customer’s request and subject to the Customer’s.
prior approval of the content, form and timing, provide any notices to such an individual or governmental authority containing the information as mandated by the Data Protection Laws. GRC shall provide remediation services and other.
reasonable assistance to individuals impacted by the Data Breach directly or through a third party as required under the Data Protection Laws or required by governmental authorities or agreed by the Parties in writing. Upon Customer’s request, GRC shall cooperate and provide the Customer with information about the nature, circumstances and causes of the event at issue. GRC shall take all necessary actions to prevent further losses and otherwise limit the consequences of the event at issue.
1.13 At the Customer’s prior written request, GRC shall promptly return to the Customer all copies, whether in written, electronic or other form or media, of Customer Personal Data in its possession or securely dispose of all such copies and certify in writing to the Customer that such Customer Personal Data has been returned to Customer or disposed of securely. GRC shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Customer Personal Data.