Data Protection Policy

At NML, we respect the privacy of people and we protect the personal data we process. We balance our need to process personal data for our activities with the legal requirements to protect it.

1. Purpose

This policy describes the principles governing our processing of personal data. It also records our compliance strategy regarding personal data.

2. Application

This policy applies to all personal data processed in the course of our business and to all persons employed or engaged by us who process personal data.

3. Definitions

Controller

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this policy, NML acts as a controller.

Data subject

An identified or identifiable natural person – one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

ISO

Means the International Organization for Standardization.

Personal data

Means information relating to a data subject which includes, but is not limited to: marital status; national origin; age; language; birth place; education; relevant financial history; identifying number (such as an employee number, identity number or passport number); e-mail address; physical address (including residential address and/or work address); telephone number; biometric data (e.g. fingerprints, signature or voice); race; gender; sex; pregnancy status; ethnic origin; social origin; colour; sexual orientation; physical health; mental health; well-being; disability; religion; belief; conscience; culture; medical history; criminal history; employment history; personal views, preferences and opinions; another’s views or opinions about you; full name and initials.

Processing

Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

4. Data Protection Laws

We are committed to protecting and respecting the privacy of our data subjects in accordance with the local data protection laws applicable to the jurisdictions in which we operate. As such, we have chosen to adopt a global approach to data protection compliance. This involves an 80% focus on complying with those requirements that are common to most data protection laws globally, and a 20% focus on complying with those that are specific to our relevant jurisdictions. The relevant local laws with which we will comply are:

  • General Data Protection Regulation 2016/679 (European Union); and
  • Protection of Personal Information Act 4 of 2013 (South Africa).

5. Data Protection Requirements

In applying the relevant data protection laws, we will ensure that we:

  • enable data subject rights;
  • adhere to our data protection obligations as controller or processor; and
  • apply the data protection principles.

In terms of data subject rights, we will ensure that our data subjects can:

  • know why we process their personal data;
  • request access to their personal data that we process;
  • rectify any personal data of theirs that is incorrect;
  • erase their personal data from our systems, where required;
  • restrict our processing of their personal data, where required;
  • object to our processing of their personal data;
  • transfer their personal data from us to another controller in a structured and accessible format; and
  • be protected from us making automated decisions about them.

In terms of our obligations as controller, we will ensure that we:

  • implement appropriate and reasonable technical and organisational measures to protect personal data;
  • control our processors through a written contract;
  • co-operate with the relevant data protection authorities;
  • conduct data protection impact assessments, where required; and
  • consult with the relevant data protection authorities, where required.

Currently NML does not act as a processor for any parties. Should this change in future, we are committed to complying with the obligations imposed on a processor. We will ensure that we:

  • enter into a contract with the relevant controller;
  • appoint sub-processors only with the controller’s written authorisation;
  • process personal data only on the instructions of the controller;
  • keep records of our processing activities done on behalf of the controller; and
  • inform the relevant data protection authorities of irregularities, where required.

In terms of the data protection principles, we will ensure that we process personal data:

  • lawfully, fairly and transparently;
  • only for a specific purpose that is explicit and legitimate;
  • only as necessary for that purpose;
  • accurately, keeping it up to date;
  • for no longer than necessary to achieve the purpose; and
  • securely.

6. Codes and Standards

We take guidance from the following codes and standards, and consider them binding on us:

  • King IV (corporate governance)
  • ISO 27001 (information security management)
  • ISO 27701 (data privacy management)
  • ISO 31000 (risk management)

7. Compliance Strategy

This policy sets out our compliance strategy for data protection specifically. Our approach to compliance is to do what is reasonably practicable to comply with those aspects of data protection that apply to our business, under the applicable data protection law.

We have identified the following areas as being key priorities in our compliance efforts:

  • monitoring and applying our data protection activities consistently across the company;
  • adopting compliance management software at the company;
  • adopting privacy by design and by default across the company;
  • managing our data processor relationships efficiently; and
  • digitising our data processing activities.

8. Governance of Data Protection

We have appointed and will maintain one Information Officer for the Company. The Information Officer is responsible for:

  • promoting compliance with data protection law within the Company;
  • ensuring awareness of data protection law within the Company;
  • managing and responding to data subject access requests;
  • managing and responding to data breaches or incidents;
  • assisting the relevant data protection authorities with their investigations; and
  • developing, implementing and monitoring the compliance framework within the Company.

The Information Officer will report to the Board of Directors.

9. Policy responsibility and administration

The data protection committee is responsible for overseeing data protection at NML. It is responsible for ensuring that the policy is effective and relevant. Its contact information is: