PAIA MANUAL for the EFT Corporation Group of Companies in South Africa, including EFT Corporation South Africa (Pty) Ltd (Registration No.: 2014/247261/07), EFT Corp Technologies (Registration No.: 2017/471522/07), and EFT Payment Solutions (Registration No.: 2013/099677/07; FSP No.: 45133), and all other South African subsidiaries and/or affiliates (“the Company”).

1. Introduction To The Company

The Company is Africa’s leading PCI-compliant payment solutions provider, offering end-to-end services for retail and financial institutions across the continent. For over 23 years, we have set the standard with our secure and robust infrastructure. Our diverse portfolio includes transaction switching, ATM and POS acquiring, card issuing, internet and mobile banking, and hosting solutions, all designed to simplify and secure digital transactions. We are committed to upholding the constitutional right to access information while ensuring confidentiality, protecting privacy, and adhering to South African laws.

2. Company Contact Details

If you have any questions or concerns regarding your personal information and our data practices, please feel free to reach out to our Information Officer/ Deputy Information Officer, using the following contact details:

Email:                                     compliance@eftcorp.com

Physical Address:                 Waterfall Corporate Campus, Ground Floor, office 1 Waterfall City, Waterfall, 1682; AND

Physical Address:                 1st Floor Golfers Cnr, Design Quarter, Fourways, Johannesburg, 2055.

Website:                                 www.eftcorp.com

3. About This Manual

3.1  Background:

PAIA gives effect to the right to access to information in terms of Section 32 of the Constitution. This section provides everyone the right to access to information held by the state or any or private body when the information is required for the exercise or protection of any rights.

This right is extended in POPIA as it grants the data subject the right to request access to information or records, in accordance with the provisions of PAIA from any responsible party.

3.2  PAIA Manual:

Section 51 of PAIA requires all private bodies to compile a PAIA Manual that provides an outline of the type of records and the personal information the Company holds and explains how to submit requests for access to these records in terms of the PAIA. For the purposes of PAIA, the Company is a private body.

PAIA grants a requestor access to records of a private body, if the record is required for the exercise or protection of any rights.

3.3  Availability of this Manual

Company website:              www.eftcorp.com

May also be obtained via request from compliance@eftcorp.com.

3.4  How to obtain access to the PAIA Guide:

Should you require clarity or assistance with PAIA, we refer you to the Guide that has been published by the Information Regulator. Please direct any queries to:

The Information Regulator

Email:                                     enquiries@informationregulator.org.za

Physical Address:                 JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Telephone:                            010 023 5200

Website:                                 www.informationregulator.org.za

4. Records Of The Company

4.1  Subject and categories of records held

This paragraph serves as a reference to the records that the Company holds. It is recorded that the accessibility of the records listed below, may be subject to the grounds of refusal and do not imply that they are automatically available. The information is classified and grouped according to records relating to the subjects and categories outlined below:

4.1.2  Human Resources:

4.1.2.1  Personal records provided by employees;

4.1.2.2  Records provided by a third party relating to employees;

4.1.2.3  Conditions of employment and other employee-related contractual and quasi-legal records;

4.1.2.4  Internal evaluation records and other internal records;

4.1.2.5  Correspondence relating to employees;

4.1.2.6  Training schedules and material;

4.1.2.7  Records in respect of the company’s workforce, employment equity plan and other records relevant to compliance with the Employment Equity Act 55 of 1998;

4.1.2.8  Amount of remuneration paid or due by him to the employee;

4.1.2.9  The amount of employee’s tax deducted or withheld from the remuneration paid or due;

4.1.2.10  The income tax reference number of that employee.

4.1.3  Marketing:

4.1.3.1  Any promotional material for public viewing;

4.1.3.2  Product information;

4.1.3.3  Brand information, marketing communication and other strategies.

4.1.4  Finance:

4.1.4.1  Accounting records;

4.1.4.2  Financial statements;

4.1.4.3  Amounts received by that registered business during a year of assessment.

4.1.5  Client Records:

4.1.5.1  Full names, physical address, postal address and contact details;

4.1.5.2  ID number and registration number;

4.1.5.3  Contact details of public officer in case of a juristic person;

4.1.5.4  Service rendered;

4.1.5.5  The nature of that business relationship or transaction;

4.1.5.6  In the case of a transaction, the amount involved and the parties to that transaction;

4.1.5.7  All accounts that are involved in the transactions concluded by that accountable institution in the course of that business relationship and that single transaction;

4.1.5.8  The name of the person who obtained the identity of the person transacting on behalf of the accountable institution;

4.1.5.9  Any document or copy of a document obtained by the accountable institution.

4.1.6  Corporate Governance:

4.1.6.1  Minutes of meetings;

4.1.6.2  Internal policy documents, procedure documents, committee by-laws, terms of reference and all other governance instruments;

4.1.6.3  Enterprise-wide risk management records.

4.1.7  Information Technology and Systems:

4.1.7.1  Transaction logs and system access records;

4.1.7.2  Compliance documentation, access control and audit trails;

4.1.7.3  Client and partner information, API integrations, and IT infrastructure;

4.1.7.4  Incident reports, risk assessments, and performance metrics.

4.1.8  Legal Records:

4.1.8.1  All agreements that are binding to the organisation, including across departments and business unit;

4.1.8.2  Litigation, other claims and intellectual property documents;

4.1.8.3  Applicable statutory documents such as but not limited to certificates of incorporation and certificates to commence business;

4.1.8.4  Share certificates and shareholder agreements.

4.2  Categories of data subjects

4.2.1  This paragraph serves as a reference to the categories of data subjects and the personal information processed in relation to that category of data subject:

4.2.2  Shareholders:

4.2.2.1  Shareholders’ personal information.

4.2.3  Directors:

4.2.3.1  Directors’ personal information

4.2.4  Clients (includes potential and previous clients):

4.2.4.1  Client personal information;

4.2.4.2  Client bank details;

4.2.4.3  Client location information;

4.2.4.4  Client biometric data;

4.2.4.5  Client third-party information, such as from credit bureaux and the Companies and Intellectual Property Commission (CIPC).

4.2.5  Product suppliers:

4.2.5.1  Product supplier personal information;

4.2.5.2  Product supplier contracts;

4.2.5.3  Product supplier bank details.

4.2.6  Job applications:

4.2.6.1  Personal information of job applicants;

4.2.6.2  Criminal checks;

4.2.6.3  Background information.

4.2.7  Key individuals:

4.2.7.1  Background checks;

4.2.7.2  Personal information (e.g. name, ID, etc.);

4.2.7.3  Employment history;

4.2.7.4  Training records

4.2.8  Employees (includes current and former):

4.2.8.1  Employee personal information (e.g. name, ID, etc.);

4.2.8.2  Employee education and psychometrics records;

4.2.8.3  Employee medical information;

4.2.8.4  Employee bank details;

4.2.8.5  Health and safety records;

4.2.8.6  Employee beneficiary information;

4.2.8.7  Employee pension and provident fund information.

4.2.9  Outsourced service providers:

4.2.9.1  Bank details;

4.2.9.2  Personal information (company registration number, contact number).

4.3  Records held in terms of South African legislation

The Company holds records as required in terms of the following legislation:

• Arbitration Act, 1965 (Act 42 of 1965);
• Basic Conditions of Employment Act, 1997 (Act 75 of 1997);
• Broad-Based Black Economic Empowerment Act, 2003 (Act 53 of 2003);
• Code of Advertising Practice of the Advertising Standards Authority (ASA);
• Companies Act, 2008 (Act 71 of 2008);
• Compensation for Occupational Injuries and Diseases Act, 1993 (Act 130 of 1993);
• Competition Act, 1998 (Act 89 of 1998);
• Conduct of Financial Institutions Bill ;
• Consumer Protection Act (Act 68 of 2008);
• Copyright Act, 1975 (Act 98 of 1978);
• Disaster Management Act (Act 57 of 2002);
• Electronic Communications & Transactions Act, 2002 (Act 25 of 2002);
• Electronic Communications Act, 2005 (Act 36 of 2005);
• Employment Equity Act, 1998 (Act 55 of 1998);
• Employment Equity Amendment Bill;
• Financial Advisory and Intermediary Services Act, 2002 (Act 37 of 2002);
• Financial Institutions (Protection of Funds) Act;
• Financial Institutions (Protection of Funds) Act, 2001 (Act 28 of 2001);
• Financial Intelligence Centre Act, 2001 (Act 38 of 2001);
• Financial Sector Regulation Act, 2017;
• Income Tax Act, 1962 (Act 58 of 1962);
• Insolvency Act, 1936 (Act 24 of 1936);
• King Report and Code on Corporate Governance in South Africa (King III), 2009 / King IV on Corporate Governance in South Africa (2016);
• Labour Relations Act, 1995 (Act 66 of 1995);
• National Payment System Act, 1998 (Act 78 of 1998);
• Occupational Health and Safety Act, 1993 (Act 85 of 1993);
• Prevention and Combating of Corrupt Activities Act, 2004 (Act 12 of 2004);
• Prevention of Organised Crime Act, 1998 (Act 121 of 1998);
• Promotion of Access to Information Act, 2000 (Act 2 of 2000);
• Promotion of Equality & Prevention of Unfair Discrimination Act, 2000 (Act 4 of 2000);
• Protected Disclosures Act, 2000 (Act 26 of 2000);
• Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act 33 of 2004);
• Protection of Personal Information Act (POPIA), (Act 4 of 2013);
• Skills Development Act, 1998 (Act 97 of 1998);
• Skills Development Levies Act, 1999 (Act 9 of 1999);
• South African Reserve Bank Act, 1989 (Act 90 of 1989);
• Tax Administration Act, 2011 (Act 28 of 2011);
• Unemployment Insurance Act, 2001 (Act 63 of 2001) ;
• Unemployment Insurance Contributions Act, 2002 (Act 4 of 2002);
• Value-Added Tax Act, 1991 (Act 89 of 1991).

4.4  Records that are automatically available – Section 15 of PAIA

The documents referred to above that are electronically available via the website can be accessed by visiting: https://eftcorp.com/. Alternatively, a request can be made by addressing an email to the Information Officer / Deputy Information Officer.

5. The Request Procedure:

5.1  The following procedural requirements serve as guidelines for requestors. The requester must comply with all the procedural requirements contained in PAIA relating to the request for access to a record.

5.2  The requester must submit:

5.2.1  The prescribed form enclosed in Annexure A – Form 1;

5.2.2  Proof of identity of the requester;

5.2.3  Proof of capacity in which the requester is making the request and proof of authorisation to make that request (if applicable); and

5.2.4  Payment of request fee and deposit (if applicable).

5.3  The prescribed form must be completed with sufficient detail to at least enable the Information Officer to identify –

5.3.1  The record requested and the requester;

5.3.2  Which form of access is required;

5.3.3  A postal address or fax number of the requester in the Republic;

5.3.4  The right the requester is seeking to exercise or protect and the reason why the requested record is required for the exercise or protection of that right; and

5.3.5  The manner in which the requester wishes to be notified of the request.

5.4  If a request is made on behalf of another person, the requester must submit proof of the capacity in which the requester is making the request to the reasonable satisfaction of the Information Officer.

5.5  The requester must state the nature of the right for which access to the requested records is required. The courts have indicated that access to the records must be “necessary” for the exercise or protection of the right so stated. This right of access may not be used to access records under criminal or civil proceedings, or where such proceedings have commenced. This right of access only applies to records in existence at the time of request.

5.6  If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally, which must then be reduced into writing by the person assisting the requester.

6. Fees

6.1  There are two types of fees in terms of PAIA:

6.1.1  A request fee, which will be a standard fee, R50.00 fifty rand only; and

6.1.2  An access fee, which must be calculated by considering reproduction costs, search and preparation time and cost, as well as postal costs.

6.2  A requester who seeks access to a record containing personal information about that requester is not required to pay the request fee. Every other requester, who is not a personal requester, must pay the required request fee.

6.3  When the request is received by the Information Officer, the Information Officer shall by notice require the requester (other than a personal requester) to pay the prescribed request fee (if any) before further processing of the request.

6.4  If the search for the record has been made and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations of PAIA for this purpose, the Information Officer shall notify the requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.

6.5  The Information Officer shall withhold a record until the requester has paid the fees as indicated in Annexure B.

6.6  A requester whose request for access to a record has been granted, must pay an access fee for reproduction and for search and preparation, and for any time reasonably required more than the prescribed hours to search for and prepare the record for disclosure including planning to make it available in the request form.

6.7  If a deposit has been paid in respect of a request for access, which is refused, then the Information Officer concerned will repay the deposit to the requester.

7. Timelines For Consideration

7.1  Once your request is received, it will be assessed and processed within 30 (thirty) days, unless the request contains considerations that necessitate an extension of the 30-day time limit.

7.2  If an extension is required, you will be notified with the reasons for the extension.

8. Decision On Access Requests

8.1  Granting Access

If access is granted, the notice must include:

• The access fee (if applicable);
• The form in which access will be provided;
• Information on the right to challenge the access fee or the form of access by lodging an application with a court, along with the procedure to do so.

8.2  Refusing Access

If access is refused, the notice must:

• Provide adequate reasons for refusal, citing relevant legal provisions (excluding any reference to the content of the record);
• Inform the requester of the right to challenge the refusal by lodging an application with a court, including the procedure and time limits.

8.3  Grounds for refusal

Key grounds for refusal include the mandatory protection of:

• The privacy of third parties (natural persons), where disclosure would unreasonably reveal personal information;
• The commercial information of third parties, including trade secrets or information that could harm their financial or commercial interests;
• Information provided in confidence by third parties, if disclosure could disadvantage them in negotiations or competition;
• Confidential information protected under agreements;
• The safety of individuals or protection of property;
• Privileged records in legal proceedings;
• The Company’s own commercial interests, including trade secrets or other sensitive information;
• Proprietary computer programs owned by The Company;
• Research information, where disclosure would compromise The Company, a researcher, or the subject of research.

8.4  Partial Refusal

Where a record contains both disclosable and non-disclosable information, The Company will provide access to the portions that can be reasonably severed from the rest. Disclosed parts are subject to applicable provisions, such as access fees, while withheld parts are subject to refusal procedures, including notification of reasons.

8.5  Deemed Refusal

If The Company fails to respond within 30 days (or the extended period) after receiving a request and payment of the fee, the request will be deemed refused.

9. Remedies Available:

The Company does not have any internal appeal procedures that may be followed once a request to access information has been refused.  As a result, kindly note that in all cases, the decision of the Information Officer is final.  If you are not satisfied with the outcome of your request, you can apply to the Information Regulator for relief.

Download Access Request Form Here: Access request form

Download Prescribed Fees Here: Prescribed Fees