PAIA MANUAL — KOPANONG PLATFORMS (PTY) LTD

Prepared in accordance with section 51 of the Promotion of Access to Information Act 2 of 2000, as amended, read with the Protection of Personal Information Act 4 of 2013 and the regulations published in respect of both Acts.

1. INTERPRETATION

In this Manual, unless the context indicates otherwise:

Words importing the singular include the plural; any gender includes the other genders; and a reference to a natural person includes a juristic person where the context allows.

2. PURPOSE OF THIS MANUAL

This Manual is published to:

(a) inform the public of the records held by Kopanong and how they may be requested under PAIA;

(b) describe the records of Kopanong that are voluntarily made available without a formal PAIA request;

(c) provide the contact details of Kopanong’s Information Officer;

(d) inform data subjects, in accordance with the POPIA-related content required of a section 51 manual after the amendments introduced by POPIA, of the personal information Kopanong processes, the purposes thereof, the categories of data subjects, the recipients to whom personal information may be supplied, whether Kopanong conducts trans-border flows of personal information, and the security measures Kopanong applies; and

(e) explain how data subjects may exercise their rights of access, correction, deletion, objection and withdrawal of consent under POPIA.

3. AVAILABILITY OF THE MANUAL

A copy of this Manual is available:

(a) at https://kreshe.co.za/legal/paia-manual;

(b) by email request to the Information Officer at the address in section 4;

(c) for inspection at Kopanong’s registered office during normal business hours by prior appointment; and

(d) to the Regulator on request.

A reasonable fee, as set out in the PAIA Regulations, may be charged for a printed copy of the Manual.

4. CONTACT DETAILS

4.1 Head of the Private Body and Information Officer

4.2 Kopanong Platforms (Pty) Ltd

5. GUIDE ON HOW TO USE PAIA

The Information Regulator has, in terms of section 10(1) of PAIA, published a Guide on how to use PAIA. The Guide is available at www.inforegulator.org.za and on request to the Information Officer.

The Guide describes:

(a) the objects of PAIA and POPIA;

(b) the manner and form in which a request for access to a record of a private body must be made under section 53 of PAIA;

(c) the assistance available from the Information Officer and the Regulator;

(d) the remedies available where access is refused, including internal appeals (where applicable to public bodies), complaints to the Regulator and applications to court.

6. RECORDS AVAILABLE WITHOUT A FORMAL REQUEST

The following records are made available by Kopanong without the need to submit a formal PAIA request:

(a) information published on https://kopanongplatforms.co.za and https://kreshe.co.za, including descriptions of the Kreshe platform, pricing where published, contact details, the names of the directors, and this Manual;

(b) the Privacy Policy applicable to the Kreshe platform;

(c) the Website Terms of Use applicable to kreshe.co.za;

(d) Kopanong’s CIPC registration documents to the extent that they are publicly available through CIPC’s own disclosure infrastructure; and

(e) any other records that the Information Officer determines, from time to time, may be released without a formal request.

Records that are voluntarily disclosed under this section remain subject to the Information Officer’s discretion to require a formal request where appropriate.

7. SCHEDULE OF RECORDS HELD BY KOPANONG

This section sets out the categories of records Kopanong holds, in accordance with section 51(1)(b) of PAIA. Access to the records listed below is subject to the grounds for refusal in section 14 of this Manual.

7.1 Corporate and statutory records

• CIPC registration documents (Memorandum of Incorporation, CoR forms, Securities Register)
• Beneficial Ownership filings
• SARS registration and tax records
• Annual Returns
• Director resolutions and minutes
• Share certificates and the Securities Register
• Information Regulator (POPIA) Information Officer registration

7.2 Customer records (crèche customers — corporate level)

For the avoidance of doubt: Kopanong is the Responsible Party for records relating to its corporate relationship with its crèche customers (account onboarding, billing, contractual records). Kopanong is the Operator for the personal information processed by crèche customers through the Kreshe platform (children, parents, practitioners, transport drivers); the records of those data subjects are held on behalf of, and under the instruction of, the crèche, which remains the Responsible Party for that data.

Records in this category include:

• Master Services Agreements signed with each crèche
• Operator Agreements concluded with each crèche under section 21 of POPIA
• Onboarding records (principal contact details, crèche registration documents, banking details where relevant)
• Subscription and billing records
• Support tickets and customer correspondence
• Records of incidents and breach notifications, where applicable

7.3 Operator records (held on behalf of crèche customers)

Records processed on the Kreshe platform as Operator for and on behalf of crèche customers include the categories described in the Privacy Policy, namely:

• Children’s profile information (name, date of birth, gender, photo where applicable, allergies, medical notes provided by the parent, daily activity logs)
• Parent / guardian information (name, contact details, billing information, communication records)
• Practitioner / staff information (name, contact details, qualifications where uploaded, employment information provided by the crèche)
• Attendance, admissions, classroom register and reporting data
• Financial records of the crèche (invoices, receipts, parent collections data) — held as Operator under instruction

These records are released only with the written authorisation of the Responsible Party (the crèche), unless disclosure is required by law or by an order of court.

7.4 Personnel records

• Employment contracts and conditions of service
• Independent contractor agreements
• Personal records provided by personnel (where applicable)
• Performance and disciplinary records
• Training records

7.5 Operational and financial records

• Books of account (in terms of the Companies Act 71 of 2008 and the Tax Administration Act 28 of 2011)
• VAT records (Value-Added Tax Act 89 of 1991)
• Bank statements
• Supplier and service-provider contracts, including data-processing addenda concluded with cloud, database and infrastructure providers, and agreements concluded with payment integrators
• Insurance records

7.6 Information technology and security records

• System architecture and infrastructure documentation
• Access logs and audit trails
• Security incident records
• Backup and disaster recovery records
• Code repositories and software development records

7.7 Marketing, brand and intellectual property records

• Brand assets and brand kit
• Trade-mark applications and registrations
• Domain registrations (kopanongplatforms.co.za, kreshe.co.za)
• Marketing collateral and campaign records
• Customer communications logs

7.8 Internal policies and correspondence

• Internal information security policies
• Incident response procedures
• Privacy and data protection policies
• Internal correspondence, memoranda and email records

8. RECORDS HELD UNDER OTHER LEGISLATION

Kopanong retains records as required by, and in accordance with, the following South African legislation, as amended from time to time:

This list is not exhaustive. Kopanong retains records for the periods prescribed by the applicable legislation or, in the absence of a prescribed period, for such period as is reasonable having regard to the purpose of the record.

9. PROCESSING OF PERSONAL INFORMATION (POPIA-INCORPORATED CONTENT)

This section is included in compliance with the POPIA-related content required of a section 51 PAIA manual after the amendment of PAIA by POPIA. Comprehensive detail is set out in Kopanong’s Privacy Policy, available at https://kreshe.co.za/legal/privacy-policy.

9.1 Compliance with POPIA

Kopanong processes personal information in accordance with the eight conditions for lawful processing in Chapter 3 of POPIA, namely accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

9.2 Capacity in which Kopanong processes

Kopanong processes personal information in two capacities:

(a) as Responsible Party for personal information of its own employees, contractors, suppliers, and the principal users of crèche customers in their corporate and contracting capacity (billing, account management, support); and

(b) as Operator, in terms of section 1 read with section 21 of POPIA, for personal information processed through the Kreshe platform on behalf of crèche customers. Each crèche customer is the Responsible Party for the children, parents, practitioners and transport drivers whose data is processed at that crèche through Kreshe. Kopanong processes that data only on the documented instruction of the crèche, in terms of an Operator Agreement and the Master Services Agreement entered into with that crèche.

9.3 Purposes of processing

Kopanong processes personal information for the following purposes:

(a) providing the Kreshe platform to crèche customers;

(b) onboarding, billing, account management and customer support;

(c) communications with customers and prospective customers about the Kreshe platform;

(d) compliance with applicable laws including POPIA, the Companies Act and tax legislation;

(e) information security, fraud prevention, system integrity and audit;

(f) internal analytics, troubleshooting, testing and product improvement; and

(g) staff administration and employment administration.

9.4 Categories of data subjects

(a) employees and contractors of Kopanong;

(b) personnel of crèche customers (principals, practitioners and transport drivers), insofar as they hold administrative accounts on the Kreshe platform;

(c) prospective customers and website visitors who submit contact forms or sign up for newsletters;

(d) suppliers and service providers; and

(e) data subjects of crèche customers, namely children, parents and guardians, processed by Kopanong as Operator on behalf of the crèche.

9.5 Recipients

Personal information may be disclosed to:

(a) the relevant crèche customer, in respect of data Kopanong processes as Operator on its behalf;

(b) Kopanong’s sub-operators and service providers, under written agreements that limit them to processing on Kopanong’s documented instruction. Categories include:

• cloud hosting, database and infrastructure providers;
• email and customer-communication providers;
• customer support tooling providers;
• payment integrators (for parent-to-crèche payment facilitation, who process payment data as Responsible Parties under the National Payment System);
• analytics and product-improvement providers, where applicable;
• security, monitoring and fraud-prevention service providers;

(c) regulators, courts and law-enforcement agencies, where required by law; and

(d) professional advisors (legal, accounting, tax) under confidentiality.

A current list of named sub-operators is maintained internally and will be made available on written request to the Information Officer.

9.6 Trans-border flow of personal information

Kopanong may transfer personal information to recipients outside the Republic of South Africa. Where it does so, Kopanong complies with section 72 of POPIA, which permits cross-border transfers where:

(a) the recipient country, or the contractual arrangement governing the transfer, provides a level of protection substantially similar to POPIA;

(b) the data subject has consented; or

(c) the transfer is necessary for the performance or conclusion of a contract.

Where Kopanong relies on the adequacy basis in section 72(1)(a), the transfer is supported by a binding written agreement incorporating the European Commission Standard Contractual Clauses or equivalent contractual safeguards recognised under POPIA.

In addition, and given the criminal sanctions in section 107 of POPIA, Kopanong has applied for prior authorisation in terms of section 57(1)(d) of POPIA with the Information Regulator in respect of the cross-border processing of children’s personal information.

9.7 Security measures

Kopanong applies the technical and organisational measures required by section 19 of POPIA, including:

(a) encryption of personal information in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);

(b) role-based access controls, multi-factor authentication for administrative accounts, and least-privilege principles;

(c) regular review of security controls, vulnerability scanning and patching;

(d) audit logging of access to personal information;

(e) backup, business continuity and disaster recovery procedures;

(f) personnel screening and confidentiality undertakings; and

(g) breach detection, response and notification procedures aligned with section 22 of POPIA.

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, Kopanong will notify the Regulator and the affected data subjects in accordance with section 22 of POPIA.

10. HOW TO REQUEST ACCESS TO A RECORD

10.1 PAIA requests

A request for access to a record under PAIA must be made on the prescribed Form 02 (Annexure A to this Manual) and submitted to the Information Officer at the contact details in section 4.

The requester must:

(a) provide sufficient particulars to enable the record to be identified;

(b) provide proof of identity;

(c) where the request is made on behalf of another person, provide proof of the authority in which the request is made;

(d) identify the right that the requester is seeking to exercise or protect, and explain why the record is required for that purpose (in terms of section 50(1)(a) of PAIA);

(e) indicate the form and manner in which access is required; and

(f) pay the prescribed request fee where applicable (see section 12).

10.2 POPIA requests by data subjects

A data subject (or someone acting on their behalf with appropriate authority) may, in addition to the PAIA route described above:

(a) request confirmation of whether Kopanong holds personal information about them and access to such information, in terms of section 23 of POPIA;

(b) request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained, in terms of section 24 of POPIA, on the prescribed Form 2 (Annexure B to this Manual);

(c) object to the processing of personal information on reasonable grounds in terms of section 11(3) of POPIA, on the prescribed Form 1 (Annexure B to this Manual); and

(d) withdraw consent previously given in terms of section 11(2)(b) of POPIA, where processing is based on consent.

For convenience, Kopanong has consolidated the POPIA-related rights above into a single Data Subject Request Form available at https://kreshe.co.za/legal/data-subject-request. Use of the consolidated form is voluntary; the prescribed forms in Annexure B remain available and acceptable.

10.3 Where data is held by Kopanong as Operator

Where the record requested contains personal information that Kopanong holds as Operator on behalf of a crèche, Kopanong will, within a reasonable time, refer the request to the relevant crèche (as Responsible Party) and notify the requester accordingly. Direct requests to the crèche may be more efficient.

11. APPLICABLE TIME-PERIODS

Kopanong will respond to:

(a) PAIA requests within 30 days of receipt of a complete request and payment of the prescribed request fee. This period may be extended once, by a further period of not more than 30 days, in the circumstances contemplated in section 57 of PAIA (large volumes of records, records held off-site, or where compliance within the original period would unreasonably interfere with Kopanong’s activities).

(b) POPIA requests for access under section 23 within a reasonable time, having regard to the nature of the request, and in any event within 30 days unless extended for good cause.

(c) POPIA requests for correction, deletion or objection: Kopanong will, on receipt, consider the request and either give effect to it, refuse it, or contest the request in writing within a reasonable time, in accordance with section 24 of POPIA.

12. FEES

PAIA distinguishes between:

(a) a request fee, payable on submission of a request before the request is processed; and

(b) an access fee, payable when access is granted, calculated based on the form of access requested and the time reasonably required to search for and prepare the record.

Kopanong applies the fees prescribed by the PAIA Regulations from time to time. The current prescribed fees are set out below:

Personal requesters (requesting their own information) are not required to pay the request fee. POPIA confirmation of whether Kopanong holds personal information about a data subject is free under section 23(2) of POPIA. Where access to that information attracts a fee, Kopanong will provide a written estimate before proceeding and may require payment of a deposit.

Where this Manual is reproduced and provided in printed form, a fee calculated in accordance with item 2 above applies per A4 page.

13. OUTCOME OF A REQUEST

Kopanong will notify the requester of its decision in writing.

If the request is granted, the notice will state:

(a) the access fee payable;

(b) the form in which access will be given; and

(c) the right of the requester to lodge an internal appeal (in the case of a public body) or to apply to court if dissatisfied.

If the request is refused, the notice will state:

(a) adequate reasons for the refusal, including the provisions of PAIA relied upon; and

(b) that the requester may apply to court for appropriate relief in terms of section 78 of PAIA, or lodge a complaint with the Information Regulator in terms of section 77A of PAIA (as amended).

The notice will be issued in the manner of correspondence indicated by the requester on Form 02.

14. GROUNDS FOR REFUSAL

In terms of sections 62 to 69 of PAIA, Kopanong may refuse access to a record on one or more of the following grounds:

(a) protection of the privacy of a third party who is a natural person (s 63);

(b) protection of commercial information of a third party (s 64);

(c) protection of certain confidential information of a third party (s 65);

(d) protection of the safety of individuals and of property (s 66);

(e) protection of records privileged from production in legal proceedings (s 67);

(f) protection of Kopanong’s own commercial information (s 68);

(g) protection of research information of a third party or of Kopanong (s 69); and

(h) any other ground legally available.

Notwithstanding the grounds above, a request must be granted under section 70 of PAIA where disclosure would reveal evidence of a substantial contravention of, or failure to comply with, the law, or of an imminent and serious public-safety or environmental risk, and the public interest in disclosure clearly outweighs the harm.

15. REMEDIES

A requester who is dissatisfied with the Information Officer’s decision may:

(a) lodge a complaint with the Information Regulator in terms of section 77A of PAIA, within 180 days of the decision;

Information Regulator JD House, 27 Stiemens Street Braamfontein, Johannesburg, 2001 Email: PAIAComplaints@inforegulator.org.za

(b) apply to a competent court for appropriate relief in terms of section 78 of PAIA, within 180 days of the decision (or, where a complaint to the Regulator was lodged, within 180 days of the Regulator’s outcome).

16. UPDATING THIS MANUAL

This Manual will be reviewed and updated at least annually, and sooner where there is a material change to:

(a) Kopanong’s records, processing activities or service providers;

(b) the contact details of the Information Officer or Kopanong;

(c) the legislative or regulatory framework applicable to PAIA or POPIA; or

(d) the prescribed forms and fees.

The current version of this Manual is the version published at https://kreshe.co.za/legal/paia-manual at the time of access.

ANNEXURE A — FORM 2: REQUEST FOR ACCESS TO RECORD

Prescribed under regulation 7 of the Regulations Regarding the Promotion of Access to Information, GG 187 of 9 March 2018, as amended.

FORM 2

REQUEST FOR ACCESS TO RECORD

[Regulation 7]

NOTE:

1. Proof of identity must be attached by the requester.
2. If the request is made on behalf of another person, proof of such authorisation must be attached to this form.

TO: The Information Officer Kopanong Platforms (Pty) Ltd 1792 Ext 3, Qalabotjha, Villiers, Free State, 9840 E-mail: info-officer@kopanongplatforms.co.za

Mark with an “X”:

☐ Request is made in my own name ☐ Request is made on behalf of another person

PERSONAL INFORMATION

IF ACTING ON BEHALF OF ANOTHER PERSON

PARTICULARS OF RECORD REQUESTED

Provide full particulars of the record to which access is requested, including any reference number known to you, to enable the record to be located. Use a separate page if needed; sign each additional page.

TYPE OF RECORD (mark with an “X”)

☐ Record is in written or printed form ☐ Record comprises virtual images (photographs, slides, video, sketches) ☐ Record consists of recorded words or information reproducible in sound ☐ Record is held on a computer or in electronic / machine-readable form

FORM OF ACCESS (mark with an “X”)

☐ Printed copy of the record ☐ Written or printed transcription of virtual images ☐ Transcription of soundtrack ☐ Copy of record on flash drive ☐ Copy of record on compact disc ☐ Copy of record saved on cloud storage server

MANNER OF ACCESS (mark with an “X”)

☐ Personal inspection at registered address of private body ☐ Postal services to postal address ☐ Postal services to street address ☐ Courier service to street address ☐ Facsimile of information in written or printed format ☐ E-mail of information (including soundtracks if possible) ☐ Cloud share / file transfer

Preferred language: _______________ (If the record is not available in the language you prefer, access may be granted in the language in which the record is available.)

PARTICULARS OF RIGHT TO BE EXERCISED OR PROTECTED

FEES

(a) A request fee must be paid before the request will be considered. (b) You will be notified of the amount of the access fee. (c) The access fee depends on the form of access required and the reasonable time required to search for and prepare the record. (d) If you qualify for exemption from the payment of any fee, please state the reason for exemption:

Preferred manner of correspondence: ☐ Postal address ☐ Facsimile ☐ Electronic communication (specify): _______________

Signed at _______________ this _____ day of _______________ 20_____

Signature of requester / person on whose behalf request is made

FOR OFFICIAL USE

Signature of Information Officer

ANNEXURE B — POPIA FORM 1: OBJECTION TO PROCESSING

Prescribed under regulation 2(1) of the Regulations Relating to the Protection of Personal Information, GG 42110, GNR 1383 of 14 December 2018.

FORM 1

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

[Regulation 2(1)]

NOTE:

1. Affidavits or other documentary evidence in support of the objection must be attached.
2. If the space provided is inadequate, submit information as an annexure to this Form and sign each page.

Reference Number: _______________

A — DETAILS OF DATA SUBJECT

B — DETAILS OF RESPONSIBLE PARTY

C — REASONS FOR OBJECTION

Please provide detailed reasons for the objection.

Signed at _______________ this _____ day of _______________ 20_____

Signature of Data Subject (applicant)

ANNEXURE B (CONTINUED) — POPIA FORM 2: REQUEST FOR CORRECTION OR DELETION

Prescribed under regulation 3(2) of the Regulations Relating to the Protection of Personal Information.

FORM 2

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

[Regulation 3(2)]

NOTE:

• Affidavits or other documentary evidence in support of the request must be attached.
• If the space provided is inadequate, submit information as an annexure and sign each page.

Reference Number: _______________

Mark the appropriate box with an “X”. Request for:

☐ Correction or deletion of the personal information about the data subject which is in the possession or under the control of the Responsible Party.

☐ Destroying or deletion of a record of personal information about the data subject which is in the possession or under the control of the Responsible Party and who is no longer authorised to retain the record of information.

A — DETAILS OF DATA SUBJECT

B — DETAILS OF RESPONSIBLE PARTY

C — REASONS

Reasons for correction or deletion of the personal information / destruction or deletion of a record of personal information. Delete whichever is not applicable. Please provide detailed reasons.

Signed at _______________ this _____ day of _______________ 20_____

Signature of Data Subject

ANNEXURE C — FORM 3: OUTCOME OF REQUEST AND FEES PAYABLE

Prescribed under regulation 8 of the PAIA Regulations.

This form is completed by the Information Officer in response to a request, not by the requester. It records:

• the reference number of the request;
• whether the request has been approved or denied (with reasons if denied);
• the form of access being granted;
• the manner of submission;
• the fees payable, calculated in accordance with section 12 of this Manual;
• the deposit (if any) where the search is reasonably expected to exceed six hours;
• the bank account into which fees are to be paid; and
• the signature and date of the Information Officer.

The full template is held internally and issued to the requester within the time limits in section 11 of this Manual.

End of Manual.