for
Wyzetalk (Proprietary) Limited and Wyzetalk Holdings B.V
(with registration numbers 2011/118805/07 & KvK 76640353)
(hereinafter referred to as “the Company”)
PREPARED IN ACCORDANCE WITH SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT 2 OF 2000 AND TO ADDRESS THE REQUIREMENTS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (a Private Body)
1. DEFINITIONS
The following words, unless otherwise defined, shall bear the same meaning as under PAIA and POPIA, as the case may be:
1.1. “Consent”: A voluntary, specific and informed expression of will in terms of which a Data Subject agrees to the processing of Personal Information relating to him or her or it.
1.2. “Constitution”: The Constitution of the Republic of South Africa, 1996.
1.3. “Data Subject”: The person to whom Personal Information relates, who may be a natural or juristic person;
1.4. “Information Officer”: The officer duly authorised and appointed by the CEO, whose further particulars appear in clause 7.2.2 of this Manual;
1.5. “Information Regulator”: The Information Regulator established in terms of section 39 of POPIA.
1.6. “Manual”: This Manual prepared in accordance with section 51 of PAIA and to address the requirements of POPIA.
1.7. “PAIA”: The Promotion of Access to Information Act 2 of 2000, as amended from time to time.
1.8. “Personal Information”: Means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person including, but not limited to:
1.8.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
1.8.2. information relating to the education or the medical, financial, criminal or employment history of the person;
1.8.3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
1.8.4. the blood type or any other biometric information of the person;
1.8.5. the personal opinions, views or preferences of the person;
1.8.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
1.8.7. the views or opinions of another individual about the person; and
1.8.8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
which may include Special Personal Information.
1.9. “Personal Requester”: A person who requests information about him-, her- or itself.
1.10. “POPIA”: The Protection of Personal Information Act 4 of 2013.
1.11. “Private Body”: A person who carries or has carried on any trade, business or profession in that capacity, a partnership or a juristic person, whether existing or terminated, but excluding a Public Body or as defined in PAIA.
1.12. “Processing”: Any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
1.12.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
1.12.2. dissemination by means of transmission, distribution or making available in any other form; or
1.12.3. merging, linking, as well as blocking, degradation, erasure or destruction of information,
and “Processed” shall have a corresponding meaning;
1.13. “Public Body”: Any department or state or administration in the national, provincial or local sphere of government or functionary exercising public power or as defined in PAIA;
1.14. “Representative Requester”: A person who requests information relating to and on behalf of another person;
1.15. “Responsible Party”: A Public Body or Private Body (as the case may be) or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information;
1.16. “Requester”: Any person making a request for access to a record of the Company or a person acting on behalf of such a person;
1.17. “RSA”: The Republic of South Africa;
1.18. “Special Personal Information”: Shall bear the meaning ascribed to the term in POPIA; and
1.19. “Third Party Requester”: A person who requests records about another person.
2. INTRODUCTION
2.1. PAIA seeks to give effect to the constitutional right of access to information as contained in section 32 of the Constitution and to advance the values of transparency and accountability and establishes certain statutory rights of Requesters to access records of a Private Body if:
2.1.1. the record is required for the exercise or protection of any rights;
2.1.2. that Requester complies with all the procedural requirements; and
2.1.3. access is not refused in terms of any ground referred to in PAIA.
2.2. POPIA seeks to give effect to the constitutional right to privacy as contained in section 14 of the Bill of Rights and to safeguard Personal Information by regulating the manner in which it may be processed by Private Bodies. POPIA provides that Data Subjects have the right to have their Personal Information processed in accordance with the conditions for the lawful processing of Personal Information, which are set out in POPIA.
2.3. One of the requirements specified in PAIA is the compilation of an information manual that provides information including the types and categories of records held by a Private Body, the procedures to access records as well certain information relating to the processing of Personal Information.
3. SCOPE AND PURPOSE
3.1. This Manual serves as the Company’s information manual and provides reference to the records held by the Company as well as the Personal Information processed by the Company from time to time.
3.2. The purpose of this Manual is to:
3.2.1. ensure that the Company complies with PAIA by giving effect to the right to information;
3.2.2. set out the procedural requirements attached to requests for records in terms of PAIA, the requirements which requests must meet, as well as the grounds for refusing requests;
3.2.3. provide a non-exhaustive list of Personal Information, records and other details held or to be collected by the Company; and
3.2.4. record the conditions and terms for processing Personal Information.
3.3. This Manual is not exhaustive of, nor does it comprehensively deal with, every procedure provided for in PAIA and/or POPIA. A person seeking any record and/or Personal Information or any other specified information from the Company (“Applicant”) as referred to in POPIA and/or PAIA (as the case may be) as the “Requester”, under the control of the Company, must familiarise themself with the provisions of PAIA and/or POPIA before submitting a written request to the Company.
4. AMENDMENTS TO THIS MANUAL
4.1. Amendments to or a review of this Manual will take place on an ad hoc basis but in any event at least once a year.
5. THE MAIN ACTIVITIES OF THE COMPANY
5.1. A multi functional SaaS based solution for Employee Engagement for frontline employees.
6. APPLICABILITY AND AVAILABILITY OF THIS MANUAL
6.1. This Manual is available for inspection, free of charge, at the Company’s head offices as stipulated in clause 8 below, and is available through the Company’s website at .
7. PAIA PROVISIONS
7.1. Section 51 of PAIA requires Private Bodies to compile a Manual setting out the procedure and requirements to be adhered to in seeking to obtain access to records held by that Private Body.
7.2. This Manual will, subject to clause 4, be updated as and when the need arises and as soon as any amendments have been finalised, the latest version of the Manual will be made public:
7.2.1. through the Company’s website: ; or alternatively
7.2.2. on request from:
The Information Officer: Pieter Roodt
Address: Unit D10, Octo Place, Electron Road, Techno Park, Stellenbosch, Western Cape, South Africa, 7600
E-mail:
8. PARTICULARS REQUIRED IN TERMS OF SECTION 51(1)(a) OF PAIA
Our details are as follows:
| Company Name: | Wyzetalk (Proprietary) Limited |
|---|---|
| Registration Number: | 2011/118805/07 |
| Information Officer | Pieter Roodt |
| Street Address | Unit D10, Octo Place, Electron Road, Techno Park, Stellenbosch, Western Cape, South Africa, 7600 |
| Postal Address | Suite 491, Private Bag X5061, Stellenbosch, 7599 |
| Telephone | +27 12 880 6690 |
| Website | www.wyzetalk.com |
| info@wyzetalk.com |
9. GUIDE (Section 51(1)(b)(i) of PAIA)
9.1. The Information Regulator is required, in terms of section 10 of PAIA, to compile a guide (“Guide”) containing information that may reasonably be required by a person who wishes to exercise any right contemplated in PAIA. Any queries should be directed to:
The Information Regulator of South Africa
Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
E-mail: inforeg@justice.gov.za / complaints.IR@justice.gov.za
Website: https://www.justice.gov.za/inforeg/index.html
Tel: 012 406 4818
Fax: 086 500 3351
10. AUTOMATIC AVAILABILITY OF DOCUMENTS (Section 51(1)(b)(ii) of PAIA)
10.1. PAIA provides that certain records may automatically be made available. Should records be automatically available, a formal request for such records will not be necessary.
10.2. In terms of PAIA, Private Bodies are not obliged to make any records automatically available. This means that a Private Body is not obliged to make such disclosure. If a Private Body chooses to make such voluntary disclosure, it may do so by giving notice thereof in terms of section 52(2) of PAIA.
10.3. At this stage the Company has given no notice of any categories of records that are automatically available without a person having to request access in terms of PAIA.
11. LIST OF RECORDS (Section 51(1)(b)(iii) and (iv))
11.1. A list of the categories of records held by the Company appears in Schedule A annexed hereto. The categories of records are not exhaustive but are merely meant to give a broad indication of the records subject and categories held by the Company, without specification.
11.2. A list of the records held by the Company in accordance with legislation other than POPIA or PAIA appears in Schedule B annexed hereto.
12. WHO MAY REQUEST RECORDS
12.1. PAIA provides that a person may request records from a Private Body in terms thereof if that record is required for the exercise or protection of a right.
12.2. When making a request, the Requester must:
12.2.1. state that the record requested is required in order to exercise or protect a right;
12.2.2. identify the right and provide details of the nature of the right to be exercised or protected; and
12.2.3. explain why the requested record is required for the exercise or protection of that right.
13. REQUEST
13.1. A request for access to a record must be made on the prescribed form (a copy of which is annexed as Schedule C) (“Request”) delivered to the Information Officer at his address or e-mail address as provided for in this Manual.
13.2. The Requester must provide sufficient detail on the request form to enable the Information Officer to identify:
13.2.1. the record requested;
13.2.2. the identity of the Requester; and
13.2.3. the form of access required if the request is granted.
13.3. When completing a Request on the prescribed form, the Applicant/Requester should also indicate:
13.3.1. the preferred language, if applicable;
13.3.2. whether the Requester wishes to be informed of the decision in another manner, in addition to a written reply and the particulars thereof; and
13.3.3. an e-mail and/or postal address.
13.4. If a Request is made by a Representative Requester, then the Representative Requester must submit proof of the capacity in which the Representative Requester is making the request to the reasonable satisfaction of the Information Officer or Deputy Information Officer.
13.5. If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request verbally to the Information Officer.
13.6. Any Request must be directed to the Information Officer or any other authorised persons.
13.7. The Request on the prescribed form must be delivered to the Company by hand, via mail, or e-mail.
13.8. The Requester must pay the prescribed fee before any further processing of the Request can be effected/implemented.
14. PRESCRIBED FEES
14.1. PAIA makes provision for 2 types of fees, namely:
14.1.1. a request fee, which will be a standard fee; and
14.1.2. an access fee, which must be calculated by taking into account reproduction costs, search time, identification and preparation time and cost, as well as postal (delivery) costs.
14.2. When the request is received by the Information Officer, such officer must by notice require the Requester, other than a Personal Requester, to pay the prescribed request fee (if any), before further processing of the request.
14.3. If the search for the record has been made and the preparation of the record for disclosure, including any arrangement to make the record available as required in the request form, requires more than six hours, the Information Officer shall notify the Requester to pay as a deposit the prescribed portion of the access fee payable.
14.4. The Information Officer shall be entitled to withhold a record until the Requester has paid the required fee.
14.5. A Requester whose request for access to a record has been granted, is required to pay an access fee for the reproduction and for the search and preparation, and for any time reasonably required in excess of six hours to search for and prepare the record for disclosure, including making arrangements to make it available in the required form.
14.6. If a deposit has been paid in respect of a Request for access that is refused, then the Information Officer must repay the deposit to the Requester within a reasonable period after access has been refused.
15. DECISION ON REQUEST
15.1. The Company shall, within 30 days of receipt of a request form, or such shorter period as may be feasible in the circumstances, make a decision as to whether to grant or decline the Request and inform the Requester of its decision with adequate reasons for the refusal.
15.2. The 30 day period within which the Company has to decide whether to grant or refuse the Request, may be extended for a further period not exceeding 30 days, if the Request is for a large amount of records, the Request requires a search for or through a large number of records, or the Request requires a search for records held at other premises, as a result of which the required records cannot reasonably be obtained within the initial 30 day period.
15.3. The Company shall notify the Requester in writing should an extension of the prescribed period be required and the reasons for the extension.
16. GROUNDS FOR REFUSAL
16.1. The Company may or must refuse a Request on, amongst others, the grounds set out in Part 3, Chapter 4 of PAIA.
17. THE PRESCRIBED FORMS AND FEES
17.1. The prescribed forms and fees payable in respect of access to records are available on the website of the Information Regulator at https://inforegulator.org.za/ under the legislation section.
18. RECORDS THAT CANNOT BE FOUND
18.1. If the Company has searched for a record and believes that the record either does not exist or cannot be found, the Requester will be notified by way of an affidavit or written affirmation.
18.2. The affidavit or affirmation shall detail the steps which were taken to locate the requested record.
19. PROCESSING OF PERSONAL INFORMATION
19.1. In terms of the provisions of POPIA, the Company must inform Data Subjects formally of the manner in which it processes any Personal Information.
19.2. The type of Personal Information to be processed by the Company will depend on the purpose for which such Personal Information is processed. The Company will only process such Personal Information which it needs to fulfil the relevant purpose and as required by law.
20. PURPOSE OF PROCESSING OF PERSONAL INFORMATION (Section 51(1)(c)(i) of PAIA)
20.1. The Company processes the Personal Information of Data Subjects in the following ways:
20.1.1. executing and/or fulfilling its statutory obligations in terms of PAIA and/or the POPIA;
20.1.2. executing and/or fulfilling its statutory obligations in terms of other applicable legislation;
20.1.3. executing and/or fulfilling its contractual obligations;
20.1.4. administering employees and potential employees;
20.1.5. keeping accounts and records for business and statutory reporting obligations;
20.1.6. procurement processes; and
20.1.7. visitors to the Company’s business premises.
21. DESCRIPTION OF THE CATEGORIES OF DATA SUBJECTS AND OF THE INFORMATION OR CATEGORIES OF INFORMATION RELATING THERETO (Section 51(1)(c)(ii) of PAIA)
| Categories of Data Subjects | Personal Information that may be Processed |
|---|---|
| Employees and Job Applicants | Full names, ID/passport numbers, contact details, residential addresses, demographic information, employment history, qualifications, payroll and banking details, performance records, disciplinary records, attendance and leave data, and next-of-kin information. |
| Client Representatives and Users of the SaaS Platform | Full names, business contact information (email address, phone number), job titles, employer details, user credentials, communication history, form submissions, platform usage logs, consent preferences, and feedback or support records. |
| Website Visitors | IP address, device and browser type, usage data, cookies and tracking identifiers, location data (where enabled), and online identifiers used for analytics or security monitoring. |
| Suppliers, Service Providers, and Contractors | Company details, representative names and contact details, tax and banking information, vendor performance records, signed agreements, and security compliance documentation. |
| Shareholders, Directors, and Officers | Identity information, shareholding records, contact information, declarations of interest, and statutory filings or governance documentation. |
| Regulators, Auditors, and Legal Counterparties | Correspondence details, contact information, and any records necessary for audit, compliance, or legal purposes. |
| Members of the Public or Complainants | Contact details, correspondence content, complaint or enquiry information, and any related supporting documents voluntarily provided. |
21.1. The Company may process Personal Information for itself, directly from a data subject, employees, service suppliers, and product suppliers.
22. THE RECIPIENTS OR CATEGORIES OF RECIPIENTS TO WHOM THE PERSONAL INFORMATION MAY BE SUPPLIED (Section 51(1)(c)(iii) of PAIA)
22.1. The Company may supply the Personal Information of Data Subjects to service suppliers, who provide the following services:
22.1.1. administration (for example, clients, investments, medical aids, retirement funds);
22.1.2. accounting and/or auditing;
22.1.3. capturing and organising Personal Information;
22.1.4. compliance (including tax compliance);
22.1.5. due diligence reviews;
22.1.6. information and communication technologies (ICT);
22.1.7. storing of personal information; and
22.1.8. verification checks.
22.2. The Company may supply the Personal Information of Data Subjects to:
22.2.1. Courts, in terms of matters taken on judicial review;
22.2.2. enforcement agencies, for criminal investigation (for example, National Prosecuting Authority, South African Police Service);
22.2.3. people against whom complaints have been lodged; and
22.2.4. regulators, ombuds, or tribunals, in terms of matters that fall under their jurisdiction.
| Categories of Personal Information | Recipients or Categories of Recipients to whom the Personal Information may be supplied |
|---|---|
| Employee and Human Resources Records | • Statutory bodies such as the South African Revenue Service (SARS), Department of Employment and Labour, and compensation authorities, for tax and employment compliance. • Medical schemes, pension or benefit administrators. • Labour courts or tribunals in the event of disputes or proceedings. |
| Client and Platform User Information | • Authorised client administrators and internal company personnel supporting the SaaS platform. • Sub-processors and service providers (e.g., cloud hosting, analytics, customer-support systems) under written data-processing agreements. • Regulators, auditors, or courts where required by law or contract. |
| Financial and Transactional Information | • Auditors, accountants, and authorised financial institutions for reconciliation, statutory reporting, and audit verification. • Regulators such as the Financial Intelligence Centre (if applicable) for compliance with anti-money-laundering or financial regulations. |
| Corporate Governance and Shareholder Information | • Companies and Intellectual Property Commission (CIPC), external legal advisors, notaries, and auditors for governance or statutory filings. • Courts or arbitration forums in the event of corporate or shareholder disputes. |
| Website, Technical and Security Logs | • Cyber-security partners or forensic investigators in the event of an incident or breach. • Law-enforcement agencies such as the South African Police Service or National Prosecuting Authority for authorised investigations. • Regulators or tribunals investigating data-protection or information-security matters. |
| Complainant or Enquiry Correspondence | • Relevant internal departments for case resolution. • Respondents to a complaint, where legally permitted and necessary for due process. • Ombuds, tribunals, or courts for adjudication. |
23. PLANNED TRANSBORDER FLOWS OF PERSONAL INFORMATION (Section 51(1)(c)(iv) of PAIA)
23.1. The Company has not planned transborder flows of Personal Information.
23.2. If it becomes necessary to transfer Personal Information to another country for a lawful purpose, the Company will ensure that the person (both legal and natural) to whom the Personal Information will be transferred is subject to a law, binding company rules, and/or binding agreements, which provide a suitable level of protection, and the third party agrees to treat the Personal Information with the same level of protection as the Company is required to provide, in terms of the POPIA.
23.3. The cross border transfer of Personal Information may be done with the Data Subject’s Consent. However, if it is not reasonably practicable to obtain the Data Subject’s Consent, the Company will transfer the Personal Information if it will be for the Data Subject’s benefit, and the Data Subject would have provided Consent, if it had been reasonably practicable to obtain the Consent.
24. PERSONAL INFORMATION SECURITY (Section 51(1)(c)(v) of PAIA)
24.1. The Company is obliged to provide adequate protection in respect of the Personal Information it processes and to prevent unauthorised access, disclosure and use of any Personal Information.
24.2. The Company shall, on an on-going basis, review its security controls and related processes to ensure that the Personal Information of Data Subjects is secure and retained only for so long as is required by law or needed for record-keeping purposes.
24.3. The Company’s security policies and procedures include:
24.3.1. lawful and reasonable processing of Personal Information as contemplated in section 9 of POPIA;
24.3.2. limitation of access to Personal Information;
24.3.3. computer and network security;
24.3.4. investigation of and prompt response to breaches of security;
24.3.5. monitoring of access and usage of Personal Information;
24.3.6. physical security of hardware and premises where Personal Information is processed;
24.3.7. appropriate procedures in respect of retention and disposal of Personal Information;
24.3.8. secure communications; and
24.3.9. proper security arrangements in outsourcing of ancillary services or functions.
24.4. When the Company contracts with third parties in relation to the management of Personal Information, the Company imposes appropriate security, privacy and confidentiality obligations on them to ensure that the Personal Information under the Company’s control will be kept secure at all times.
24.5. The Company will ensure that anyone to whom it discloses any Personal Information, agrees to treat that Personal Information with the same level of protection as the Company is obliged to treat it.
CATEGORIES AND TYPES OF RECORDS HELD BY THE COMPANY
The following categories of records are held by the Company and access may be granted to such records upon proper request and payment of a fee in terms of PAIA and this Manual, unless the Company is entitled to refuse access to such records, or the records are exempted in terms of PAIA:
| Category | Information Category Description |
|---|---|
| 1. Company Incorporation and Governance Records | Memorandum of Incorporation (MOI), registration certificates, shareholder and director registers, share certificates, resolutions, minutes of Board and shareholder meetings, statutory returns, and correspondence with regulatory bodies (CIPC, KvK, SARS). |
| 2. Human Resources and Employment Records | Employee contracts, job descriptions, payroll and tax records, performance evaluations, leave records, disciplinary proceedings, training and competence registers, recruitment documentation (CVs / interview notes), and employment-equity and health-and-safety documentation. |
| 3. Client and Contractual Records | Client proposals, signed service agreements, Statements of Work (SOWs), project documentation, correspondence, billing and invoicing records, client contact details, and change or renewal documentation. |
| 4. Supplier and Third-Party Records | Supplier and contractor agreements, vendor onboarding questionnaires, B-BBEE and tax-clearance certificates, confidentiality agreements, performance evaluations, and payment records. |
| 5. Financial and Accounting Records | Annual financial statements, management accounts, general ledgers, asset registers, budgets, expense claims, VAT and tax returns, bank statements, and audit reports. |
| 6. Information Security and Technology Records | Policies and procedures (Information Security Policy, Access Control Policy, Incident Management Policy, etc.), system configurations, access logs, vulnerability and penetration-test reports, change-management records, and backup schedules. |
| 7. Data Protection and Compliance Records | POPIA and GDPR compliance documentation, Record of Processing Activities (RoPA), Data Retention and Disposal Schedules, Data Processing Agreements, consent records, breach logs, audit evidence, and risk registers. |
| 8. Marketing and Communications Records | Marketing materials, newsletters, client communications, consent lists, public-relations content, and records of promotional campaigns. |
| 9. Operational and Administrative Records | Internal policies and procedures, strategic plans, correspondence, meeting notes, property or asset leases, insurance policies, and maintenance schedules. |
| 10. Legal and Dispute Resolution Records | Contracts under review, legal opinions, correspondence with attorneys or counsel, dispute-resolution documents, settlement agreements, and litigation files. |
| 11. Health and Safety Records | Safety reports, incident logs, compliance certificates, and workplace-inspection documentation. |
| 12. Website and Platform Usage Records | Website analytics, cookie data, access logs, system-performance reports, and client portal content created or uploaded through the SaaS platform. |
SCHEDULE B
SUMMARY OF APPLICABLE LEGISLATION IN RESPECT OF WHICH RECORDS ARE TO BE KEPT
The Company retains records in accordance with the following current RSA legislation and any amendments thereto (only to the extent that the relevant statute is applicable and makes disclosure of records compulsory):
REQUEST FORM 2
How to request access to a record:
We have authorised and designated our Information Officer to deal with all matters relating to PAIA in order to comply with our obligations in terms of PAIA. To request access to a record, please complete Form 2 which is available from: .