Privacy Policy

THE PROTECTION OF PERSONAL INFORMATION (POPI) ACT POLICY

The Protection of Personal Information (POPI) Act requires us to inform clients how we use and disclose their personal
information obtained from them. We are committed to protecting our clients' privacy and will ensure that the clients' personal
information is used appropriately, transparently and according to applicable law. Your right to privacy and security is very
important to us. We, MRA Insurance Brokers, treat personal information obtained as private and confidential and are committed
to providing you with secure access to our services.

This Privacy Policy tells you how we will process and protect your personal information. It should be read together with our Terms
of Service, which outlines what services we provide, how we provide our services and what we do with your personal information.
It is important that you read, understand and accept our Terms of Service if you would like to use our services.
Personal Information, in terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), means “information relating
to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”. South Africa’s
Constitution, Act 108 of 1996, provides that everyone has the right to privacy. This includes the right to protection against the
unlawful collection, retention, dissemination and use of your personal information. Because of the sensitivity of some personal
information, we ensure that the way we process your personal information complies fully with POPIA.

This Privacy Policy applies to any of your personal information that we collect and process through our websites,
www.hrabrokers.co.za and/or which you authorise us to collect from third parties.

You will see that some of the words listed in this Privacy Policy are in italics. Those words are defined in POPIA and those
definitions apply to this Privacy Policy. For example, under POPIA, you are defined as a data subject.

Our Privacy Policy terms may change from time to time. When we change them, the changes will be made on our website.
Please ensure that you visit our website and regularly read this Privacy Policy. Although we do not promise to do so, we may
give you notice of any changes we think are important.

1. Your rights under this Privacy Policy

You have the right to have your personal information processed lawfully. Your rights include the right:
• to be notified that your personal information is being collected or that your personal information has been accessed or
acquired by an unauthorised person e.g. where a hacker may have compromised our computer system;
• to find out whether we hold your personal information and to request access to your personal information;
• to request us, where necessary, to correct, destroy or delete your personal information;
• to object, on reasonable grounds, to the processing of your personal information;
• to object to the processing of your personal information for purposes of direct marketing, including by way of unsolicited
communications;
• not to be subject, in certain circumstances, to a decision which is based solely on the automated processing of your personal
information;
• to submit a complaint to the Regulator if you believe that there has been interference with the protection of your personal
information, or if you believe that an independent adjudicator who may be resolving your complaint against us, has not decided
the matter correctly; and
• to institute civil proceedings against us if you believe that we have interfered with the protection of your personal information.

2. Types of personal information collected and how we collect it.

We collect and process clients' personal information mainly to provide our clients with access to the services and products of
the providers with whom we have contractual agreements in place and to help us improve our services to our clients. The type
of information we collect may depend on the need for which it is collected and will be processed for that specific purpose only.
Where possible, we will inform the client what information is required to be provided to us and what information is optional.
We collect and process your personal information mainly to provide you with access to our services and products (and all other
activities and processes incidental thereto), to help us improve our offerings to you and for certain other purposes explained
below. The type of information we collect will depend on the purpose for which it is collected and used (processed). We will
only collect information that we need for that specific purpose.

Examples of the personal information that we collect are as follows (but it is not limited to the examples provided):
Some of your information that we hold may include your first and last name, identity number, email address, a home, postal or
other physical address, other contact information, your title, birth date, gender, marital status, details of a driving license,
occupation, qualifications, past employment, residency status, insurance (including previous insurance and claims experience),
income, expenditure, family history, medical information, telephone recordings of conversations, emails, your banking details,
premiums paid and information relating to claims and other investigations (including reports and photos).
We collect information directly from you, where you provide us with your personal details, for example when you purchase a
product or services from us or when you submit enquiries to us or contact us. Where possible, we will inform you what
information you are required to provide to us and what information is optional.

We also collect information about you from other sources as explained below.
With your consent, we may also supplement the information that you provide to us with information we receive from other
companies such as Product Providers or other Financial Services Providers, in order to offer you a more consistent and
personalized experience in your interactions with us.

We will not intentionally collect and process the personal information of a child unless we have the permission of a
competent person. The examples of Collection are summarized below (but it is not limited to the examples provided) –
• Our computer systems,
• Our website,
• Insurance, Customer Due Diligence and other Proposal and Application Forms,
• Previous and current Insurance or other Policies or Schedules,
• Claim Forms,
• Telephone Calls,
• Emails,
• Credit Reference Agency via the relevant Product Provider/s,
• Business Partners such as Product Providers, Assessors, Brokers etc.,
• Social Media Platforms such as WhatsApp, Facebook etc.

3. How we use your information

Given our aim to provide you with ongoing financial services, we would like to use your information to keep you informed
about other financial products and services which may be of particular interest to you.
You may also give and withdraw consent and tell us what your communication preferences are.

We do not and will not sell personal information to a third party. We may disclose your personal information to our service or
product providers who are involved in the delivery of products or services to you. We have agreements in place to ensure that
they comply with these privacy terms.

We may share your personal information with, and obtain information about you from (read with examples of collection):
• Third parties for the purposes listed above, for example contracted product providers or insurers, astute, credit reference
and fraud prevention agencies, law enforcement agencies, banks etc.,
• Other insurers to prevent fraudulent claims,
• Other companies (as mentioned above) when we believe it will enhance the services and products we can offer to you,
but only where you have not objected to such sharing,
• Other third parties from whom you have chosen to receive marketing information.
• Third parties or service providers such as IT providers, system administrators, collection agencies etc. that enable us to
operate as a Close Corporation, a Financial Services Provider and an Accountable or Non-Accountable Institution.

4. How consent is obtained

In order to use our services, you need to accurately complete a number of internal forms and documents available from us.
These forms require you to provide us with certain personal information which includes, but is not limited to, your names,
email address, your identity number, proof of address, contact numbers, and proof of banking.

We also obtain your consent when you complete the forms allowing us to proceed with the business transaction.

5. How we use your personal information

5.1 The personal information that we collect from you will be used to provide the following services:
We will use your personal information only for the purposes for which it was collected or agreed with you. Note the examples
below (but it is not limited to the examples provided):

• To provide our products or services to you, to carry out the transaction you requested and to maintain our relationship,
• For underwriting purposes,
• To assess and process claims and to take recovery action,
• For collection of premiums via Collection Agencies,
• To conduct credit reference searches or verification (including credit scoring, assessment and management),
• To confirm and verify your identity for security purposes and update your details,
• To perform customer due diligence or enhanced customer due diligence processes as required by the money laundering and
terrorist financing legislative framework.
• For operational purposes, and where applicable, credit scoring and assessment and credit management,
• For purposes of claim checks,
• For the detection and prevention of fraud, crime, money laundering or other malpractice,
• For debt tracing or debt recovery,
• To conduct market or customer satisfaction research or for statistical analysis,
• Resolving complaints,
• For audit and record keeping purposes, and
• In connection with legal proceedings.

We will also use your personal information to comply with legal and regulatory requirements or industry codes to which we
subscribe, or which apply to us, or when it is otherwise allowed by law. We will only transfer your personal information outside
the borders of South Africa with your consent and where the privacy legislation is of a high standard. We do not use your
personal information for marketing purposes without your consent.

6. Retention, amendment, and destruction of personal information

We only retain your personal information for a period necessary to achieve the purpose we collected it for, unless the longer
retention of your personal information is required or authorised by law. Once we have achieved that purpose we will, as soon
as reasonably practicable, destroy or delete the record of your personal information in accordance with the provisions of
POPIA.

We are legally obliged to provide adequate protection for the personal information we hold and to stop unauthorized access
and use of personal information. We will, on an ongoing basis, continue to review our security and risk management controls
and related processes to ensure that your personal information is secure.
Our risk management (security) policies and procedures cover:

• Physical security,
• Computer and network security,
• Access to personal information,
• Secure communications,
• Security in contracting out activities or functions,
• Retention and disposal of information,
• Acceptable usage of personal information,
• Governance and regulatory issues,
• Monitoring access and usage of private information,
• Investigating and reacting to security incidents.

When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them (our
confidentiality agreements) to ensure that personal information that we remain responsible for, is kept secure.
We will ensure that anyone to whom we pass your personal information agrees to treat your information with the same level of
protection as we are obliged to.

Personal Information is securely stored on administrative systems, computer systems, servers (in and outside South Africa),
laptops, filing cabinets and OneDrive (cloud).

Your personal information is stored for a minimum of five years after the cancellation or termination of the transaction or
business relationship in accordance with applicable legislation. We will take reasonable steps to destroy or de-identify your
personal information when the law no longer requires us to retain or keep it.
It’s important that your personal information is up to date and accurate.

7. Transfer of personal information to third parties

7.1. For us to carry out our obligations in terms of the services concluded between ourselves and you, we may need to
pass your personal information on to third parties, such as our product providers. This Privacy Policy records your
consent to us passing your personal information onto those third parties.
7.2. We will ensure that your personal information is processed in a lawful manner and that the third parties or we do not
infringe your privacy rights. In the event that we ever outsource the processing of your personal information to a
third party operator, we will ensure that the operator processes and protects your personal information using
reasonable technical and organisational measures that are equal to or better than ours.

8. Where we store your personal information
8.1. Protecting your personal information is very important to us. We store your information on a Structured Query
Language (“SQL”) Database within Cloud hosted environments within a secure data centre. We ensure that all
necessary best practice security is used to safeguard all access.

9. Transborder transfer of personal information

9.1. We will not transfer any personal information collected from you outside the borders of South Africa.
9.2. In the event that we transfer or store your personal information outside South Africa, we will take all steps
reasonably necessary to ensure that the third party who receives your personal information is subject to a law,
binding corporate rules or binding agreement which provides an adequate level of protection.

10. Information Security

10.1. We promise that we will secure the integrity and confidentiality of your personal information in our possession or
under our control. We will do this by taking appropriate, reasonable technical and organisational measures to prevent
loss of, damage to or unauthorised destruction of your personal information; and unlawful access to or processing of
your personal information.
10.2. We have installed firewall network security systems to protect all your personal information that is stored in the
cloud and on our premises. We have put in place managed security services which maintain and manage our firewalls
and servers.
10.3. We have also restricted the number of persons who can access your personal information to only our staff members
that are required to work on your personal information.
10.4. While we will take every reasonable measure to protect your personal information, it is very important that you
maintain control over your account and/or information. You should prevent anyone from accessing your account or
information by not disclosing your account details i.e. usernames, passwords or any information associated with your
account.

Policy amendments

We may amend and/or update these standard terms and conditions at any time. Users are encouraged to frequently
check our website for the purposes of familiarizing themselves with these standard terms and conditions, particularly
in so far as they relate to the protection of personal information. Users acknowledge and agree that it is their
responsibility to review these standard terms and conditions periodically and become aware of any amendments
and/or updates.

11. The law governing this privacy policy.

This privacy policy is governed by the laws of the Republic of South Africa. Any dispute arising out of this privacy policy will be
resolved in a South African court.
Every person whose personal information we process has the following rights:
• You have the right to request copies of your personal information, subject to the terms and conditions described in our
Promotion of Access to Information (“PAIA”) manual and our POPIA Policy which is available on request.
• You have the right to request that we correct any information you believe is inaccurate,
• You have the right to request that we erase your personal information, under certain conditions,
• You have the right to object to us processing your personal information, under certain conditions,
• You have the right to lodge a complaint with the Information Regulator whose contact details are in our PAIA Manual and
POPIA Policy.
If you wish to object to the processing of personal information or if you wish to request correction or deletion of
personal information, then please complete Form 1 or Form 2 at the end of this privacy notice.

12. How to contact us

12.1. If you have questions and/or comments about our privacy policy or need to protect any of your rights set out in this
policy, please contact our information officer on email address info@hrabrokers.co.za or telephone number
0132431995.
12.2. Our physical address is 34a John Magagula Street, Middelburg, Mpumalanga.