1. Introduction
   • 1.1 Purpose of the Manual
   • 1.2 Company Details
2. Contact Details
   • 2.1 Information Officer
3. Guide on How to Use the Act
   • 3.1 Availability of the Guide
4. Records Available Under the Act
   • 4.1 Voluntary Disclosure and Automatically Available Records
   • 4.2 Records Accessible on Request
     • 4.2.1 Customer Records
     • 4.2.2 Employee Records
     • 4.2.3 Financial Records
     • 4.2.4 Operational Records
     • 4.2.5 Technical Data
5. Procedure for Requesting Access
   • 5.1 Form of Request
   • 5.2 Fees
   • 5.3 Response Time
6. Grounds for Refusal of Access
   • 6.1 Applicable Legislation
7. Remedies Available if Request for Information is Denied
   • 7.1 Internal Remedies
   • 7.2 External Remedies
8. Availability of the Manual
   • 8.1 Locations and Formats

PAIA Manual for Weltel Group of Companies

1. Introduction

Purpose: This document is created under the Promotion of Access to Information Act, No. 2 of 2000 (PAIA) to assist the public, including our customers and partners, in accessing records held by Weltel Group of Companies. This manual facilitates the process of requesting access to information as prescribed by the Act.

Business Names: Weltel CC Registration number: CC-98-020920-23, WTRV Trust: IT1457/2013, Pantele: 2015/241867/07

Physical Address: 27 Parfit Street, Parkwes, Bloemfontein, 9301

Postal Address: P.O. Box 32433, Fichardtpark, Bloemfontein, 9317

Telephone: 0860 994 075

Email: info@weltel.co.za

Website: www.weltel.co.za

2. Contact Details

Information Officer: JC van Tonder

Position: Technical Director

Telephone: 0825234664 / 0860994075

Email: kobus@weltel.co.za

3. Guide on How to Use the Act

Availability of the Guide: A guide on how to use the PAIA is available from the South African Human Rights Commission (SAHRC). It can be obtained from the SAHRC website or directly from their offices. This guide contains necessary information on using the Act to access records.

4. Records Available Under the Act

Voluntary Disclosure and Automatically Available Records:

Marketing Materials: Brochures, newsletters, and promotions available on our website or at our offices.

Service Information: Details about the services we provide, including VoIP solutions, CCTV solutions, Print solutions, Access control solutions, time and attendance solutions, Internet solutions, Network solutions, PC and server maintenance solutions and any ancillary maintenance services, accessible through our website.

Records Accessible on Request:

Customer Records: Includes personal information, service contracts, billing information, and communications.

Employee Records: Personal details, employment contracts, performance reviews, and payroll information.

Financial Records: Company financial statements, tax records, and audit reports.

Operational Records: Information on suppliers, service logs, maintenance records, and equipment records.

Technical Data: Data related to network operations, customer technical service data, and security protocols.

5. Procedure for Requesting Access

Form of Request: Requests for access to records must be made using the prescribed form, which can be collected at our offices. The completed form must be sent to the Information Officer.

Fees: A request fee may be required for the processing of the request. Additional fees may be charged for reproduction and search efforts, as detailed in the fee structure available upon request.

Response Time: Weltel aims to respond to all requests within 30 days of receiving a complete and valid request. This period may be extended under certain legally permissible circumstances.

6. Grounds for Refusal of Access

Applicable Legislation: Access to records may be refused under specific provisions of PAIA, including but not limited to, protection of privacy, confidential information of third parties, and records protected by legal privilege.

7. Remedies Available if Request for Information is Denied

Internal Remedies: If a request is denied, the requester may appeal the decision internally by contacting the Information Officer.

External Remedies: Appeals can be made to the Information Regulator or, subsequently, through the courts within South Africa.

8. Availability of the Manual

Locations and Formats: This manual is available for inspection free of charge at our offices and can be downloaded from our website. Copies can also be obtained at a nominal fee to cover the cost of reproduction.

Data Protection Policy Weltel Group of Companies

1. Introduction
   • 1 Purpose
   • 2 Scope
2. Principles of Data Processing
   • 1 Lawfulness, Fairness, and Transparency
   • 2 Purpose Limitation
   • 3 Data Minimization
   • 4 Accuracy
   • 5 Storage Limitation
   • 6 Integrity and Confidentiality
3. Rights of Data Subjects
   • 1 Access
   • 2 Correction
   • 3 Deletion
   • 4 Restriction of Processing
   • 5 Objection
   • 6 Data Portability
4. Data Collection Processes
   • 1 Customer Interaction
   • 2 Technical Service Data
   • 3 Administrative Data
5. Data Usage
   • 1 Service Provisioning
   • 2 Billing and Payments
   • 3 Customer Service
6. Data Sharing and Disclosure
   • 1 Internal Transfers
   • 2 Third-Party Sharing
7. Data Security Measures
   • 1 Technical Safeguards
   • 2 Organizational Measures
8. Data Breach Notification
   • 1 Incident Response Plan
   • 2 Notification Procedures
9. Employee Training and Compliance Monitoring
   • 1 Regular Training
   • 2 Compliance Audits
10. Review and Updates
    • 1 Policy Updates
11. Contact Details of Information Officer
    • 1 Information Officer

Data Protection Policy for Weltel Group of Companies

1. Introduction

Purpose: This policy establishes the principles and responsibilities Weltel Group adheres to in processing personal information, in compliance with the Protection of Personal Information Act (POPIA).

Scope: This policy applies to all departments, employees, and third-party service providers of Weltel Group who handles personal information.

2. Principles of Data Processing

Lawfulness, Fairness, and Transparency: Processing personal information in a lawful, fair, and transparent manner with respect to individual rights.

Purpose Limitation: Collecting and processing information solely for predefined legitimate purposes, which are clearly stated to data subjects at the time of collection.

Data Minimization: Limiting the collection of personal information to what is directly relevant and necessary to accomplish the specified purpose.

Accuracy: Keeping personal information accurate, complete, and up-to-date.

Storage Limitation: Retaining personal information only as long as necessary for the stated purpose or as required by law.

Integrity and Confidentiality: Ensuring the confidentiality and security of personal information, preventing unauthorized access and use.

3. Rights of Data Subjects

Access: The right to access their personal information.

Correction: The right to correct inaccurate or incomplete information.

Deletion: The right to have their information erased.

Restriction of Processing: The right to request that processing be paused if certain

conditions apply.

Objection: The right to object to certain types of processing, such as direct marketing.

Data Portability: The right to receive their data in a format that can be transferred to another controller.

4. Data Collection Processes

Customer Interaction: Information collected via sales calls, emails, or direct interactions is used for preparing service proposals and managing accounts.

Technical Service Data: Collection of technical data during installations or service setups, including network configurations, device specifications, and operational data.

Administrative Data: Information gathered through administrative interactions, primarily for billing, customer support, and service management

5. Data Usage

Service Provisioning: Using collected data to tailor and deliver services effectively, including network management and customer support.

Billing and Payments: Processing data for invoicing, credit checks, and payment follow-ups.

Customer Service: Utilizing contact information and service history to provide ongoing support and manage service tickets.

6. Data Sharing and Disclosure

Internal Transfers: Sharing information between departments as necessary for service provision and corporate administration.

Third-Party Sharing: Disclosing information to service partners under contract and with appropriate safeguards in place.

7. Data Security Measures

Technical Safeguards: Use of encryption, firewalls, and access controls to protect personal information from unauthorized access.

Organizational Measures: Regular training on data protection principles for all staff, and clear data handling protocols.

8. Data Breach Notification

Incident Response Plan: Immediate response procedures, including investigation, containment, and assessment of breach impact.

Notification Procedures: Notifying affected individuals and the Information Regulator within stipulated timelines if the breach poses a risk to the rights of data subjects.

9. Employee Training and Compliance Monitoring

Regular Training: Ensuring all employees understand their data protection responsibilities and the specifics of this policy.

Compliance Audits: Conducting audits to ensure ongoing adherence to this policy, with corrective actions implemented as needed.

10. Review and Updates

Policy Updates: Reviewing and updating this policy annually or more frequently if significant changes occur in processing activities or legal requirements.

11. Contact Details of Information Officer

Information Officer: JC van Tonder is responsible for overseeing data protection strategy and implementation to ensure compliance with POPIA.

Data Breach Incident Response Plan for Weltel Group of companies

1. Purpose and Scope

Purpose: To outline the procedures for responding to a data breach involving personal, financial, or operational data in a way that minimizes harm and complies with applicable data protection laws.

Scope: Applies to all types of data breaches affecting any digital or physical records managed by Weltel Group of companies.

2. Definition of a Data Breach

A data breach involves the unauthorized access, disclosure, alteration, loss, or destruction of personal data held by the company. This includes data breaches caused by external attacks, insider threats, or accidental actions.

3. Data Breach Response Team

Composition: The team includes the Information Officer (team leader), IT Security Manager, Legal Advisor, Communications Manager, and other relevant department heads.

Responsibilities: Each team member has predefined roles, such as assessing the breach, managing technical responses, handling legal compliance, and managing communications.

4. Detection and Reporting

Detection: Procedures for detecting a breach include monitoring security alerts, audit logs, and employee reports.

Initial Reporting: Any potential breach must be immediately reported to the Information Officer and IT Security Manager, who will activate the Data Breach Response Team.

5. Assessment and Investigation

Initial Assessment: Determine the scope and impact of the breach, including the types of data involved, the number of individuals affected, and the potential consequences.

Investigation: Conduct a thorough investigation to understand how the breach occurred and identify any vulnerabilities that were exploited.

6. Containment and Mitigation

Short-term Measures: Take immediate steps to contain the breach, such as isolating affected systems, revoking or changing access credentials, and taking affected systems offline.

Long-term Measures: Implement changes to prevent future breaches, such as updating security protocols, enhancing monitoring tools, and training employees.

7. Notification

Regulatory Notification: Notify the Information Regulator within 72 hours of breach discovery, if required by law.

Affected Individuals: Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Notifications should describe the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

Public Communications: Prepare a public statement or press release if necessary, detailing the breach (while not compromising the investigation) and the steps taken to address it.

8. Documentation

Breach Documentation: Document all actions taken from detection to resolution, including decisions made and the rationale for each decision.

Review and Evaluation: After managing the breach, review the effectiveness of the response and update the incident response plan and other relevant policies accordingly.

9. Recovery and Follow-up

Systems Recovery: Restore systems to normal operations, ensuring they are no longer compromised.

Ongoing Monitoring: Increase security monitoring to detect any further issues.

Follow-up Actions: Address any legal or regulatory issues arising from the breach.