NISSAN SOUTH AFRICA PROPRIETARY LIMITED
PRIVACY POLICY
1.1 In our continued commitment to protect individual and corporate Personal Information, we as Nissan South Africa Proprietary Limited ("Nissan/we/us/our") have compiled this Privacy Policy ("Policy") to ensure compliance with the Applicable Laws and regulations when Processing Personal Information.
1.2 Personal Information may only be processed in accordance with this Policy and the Applicable Laws. This Policy must be read together with the Nissan South Africa Privacy Statement (https://www.nissan.co.za/privacy-statement.html).
1.3 We recognise that everyone has the right to privacy which includes protection against the unlawful collection, retention, dissemination and use of Personal Information. Consequently, this Policy sets out to achieve the following –
1.3.1 establish the principles that govern the lawful processing of Personal Information and promote ethical standards including, but not limited to, protecting confidential information, guarding against security threats and maintaining best practices;
1.3.2 provide a description of how Personal Information may be collected, Processed and stored as well as a Data Subject’s rights in relation thereto;
1.3.3 protect the Personal Information rights of Nissan, our Employees, Dealers, customers, service providers, suppliers and partners and/or affiliates;
1.3.4 clarify the practices and procedures that will enable us to monitor and audit compliance with the Policy and set out the consequences of non-compliance; and
1.3.5 minimise the inherent risks of non-compliance, including but not limited to reputational damage and regulatory sanctions.
1.4 This Policy is not intended to reproduce laws or regulations but rather to set out guidelines for our conduct in any operations which involve the Processing of Personal Information.
This Policy must be complied with and adhered to by –
2.1 Nissan and all our Dealers;
2.2 all of our Employees, including any contractors, graduates and interns where applicable;
2.3 all of our suppliers and service providers where appointed as Operators or where Processing Personal Information of Nissan or its customers.
3.1 The Responsible Party is the party responsible for processing Personal Information.
3.2 The Responsible Party must ensure compliance with all Applicable Laws and regulations, including without limitation, POPI.
3.3 The Responsible Party must implement measures that give effect to the lawful processing conditions and to ensure compliance therewith.
3.4 The Responsible Party may make use of a number of sub-contractors, third parties and affiliates to process Personal Information on their behalf (“Operators”) and in doing so must ensure compliance with the Applicable Laws, as further detailed under paragraph 7.
3.5 Operators are also required to ensure compliance with all applicable laws and regulations and must implement measures that give effect to the lawful processing conditions and to ensure compliance therewith.
3.6 Where appropriate and permissible in law, the Responsible Party may share Personal Information with third parties located outside of South Africa, as further detailed under paragraph 8.
4.1 Special Personal Information relates to Personal Information concerning –
4.1.1 a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual orientation or biometric information; or
4.1.2 any criminal investigation or ongoing legal proceedings against the Data Subject.
4.2 A Responsible Party may only Process Special Personal Information if it has –
4.2.1 the Data Subject’s Consent;
4.2.2 lawful basis;
4.2.3 public interest grounds; or
4.2.4 where it is publicly available.
5.1 The Responsible Party and/or Operator is required to implement reasonable security safeguards and measures to ensure Personal Information is protected against loss, damage or unauthorised access.
5.2 It is recommended that the Responsible Party and/or Operator implement technology controls for their information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems and data, and enforce a “need to know” policy for access to any data or systems.
5.3 The Responsible Party and/or Operator should utilise industry “good practice” standards to support the maintenance of a robust information security management system.
6.1 The Responsible Party may not retain Personal Information longer than the period for which it was originally needed, unless the Responsible Party is required by law to do so, or the Data Subject has Consented to the retention of such information for a longer period.
6.2 The Responsible Party may also retain Personal Information to the extent and duration that the Responsible Party has a Legitimate Interest to Process the Personal Information depending on, amongst others, the nature and lifespan of the services or products purchased from the Responsible Party.
6.3 The Responsible Party must, upon the Data Subject’s request, promptly return or destroy any and all of the Data Subject’s Personal Information in its possession or control, save for that which it is legally obliged to retain.
7.1 When Operators are used to Process Personal Information on behalf of the Responsible Party, the Responsible Party must enter into agreements that will provide for the protection of the Data Subject’s Personal Information in line with the Applicable Laws.
7.2 An Operator must Process Personal Information only with the knowledge or authorisation of the Responsible Party and treat Personal Information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Where the Responsible Party transfers Personal Information about a Data Subject to a company outside of South Africa, the Responsible Party must ensure that –
8.1 the company receiving the information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection of the Data Subject’s Personal Information;
8.2 the Responsible Party has obtained the Data Subject’s Consent if need be; or
8.3 there is a contractual necessity/obligation to transfer the Personal Information.
9.1 The Data Subject has a number of rights under law which, in certain circumstances, they may exercise in relation to their Personal Information being processed by the Responsible Party.
9.2 These rights include –
9.2.1 the right to access a copy of the Personal Information that the Responsible Party has about the Data Subject;
9.2.2 the right to correction of inaccurate Personal Information held by the Responsible Party;
9.2.3 the right to restrict the Responsible Party’s use of their Personal Information;
9.2.4 the right to request that their Personal Information be deleted; and
9.2.5 the right to object to the Responsible Party’s use of their Personal Information.
9.3 Further information on these rights can be found at the Information Regulator's website at https://www.justice.gov.za/inforeg.
9.4 The Responsible Party must ensure it has implemented the necessary procedures to be able to give effect to these rights.
9.5 Nissan Employees will be required to follow the process as set out in Procedure for Data Subject Objection to, Correction or Deletion of Personal Information Processed by NSA in the event of receiving a request under this paragraph 9 from a Data Subject (https://nissan4u.nissan.co.za/POPI/Procedure%20for%20Data%20Subject%20Objection%20to,%20Correction%20or%20Deletion%20of%20PI.pdf)
10.1 The Responsible Party must designate an Information Officer who shall be responsible for –
10.1.1 the administration of this Policy and ensuring the lawful Processing of Personal Information by the Responsible Party;
10.1.2 dealing with requests made to the Responsible Party for access to Personal Information held by the Responsible Party;
10.1.3 liaising with local regulators; and
10.1.4 providing training to the Responsible Party’s employees.
11.1 Where there are reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person, the Responsible Party is required to notify the Information Regulator and the affected Data Subject/s.
11.2 The Responsible Party must outline a process for notifying affected individuals of a privacy breach in accordance with the requirements of the Applicable Laws.
11.3 Nissan Employees will be required to follow the process as set out in Nissan Privacy Incident Procedure in the event of a security breach (https://nissan4u.nissan.co.za/POPI/Nissan%20Privacy%20Incident%20Procedure.pdf)
12.1 Under POPI, Direct Marketing may only be sent to a Data Subject where the Data Subject -
a) has Consented to being sent Direct Marketing; or
b) is an existing customer of the Responsible Party.
12.2 The Responsible Party may only approach a Data Subject, who has not previously withheld their consent, once in order to request their consent for processing their Personal Information for Direct Marketing purposes.
12.3 Where the Data Subject is an existing customer of the Responsible Party and
a) the Responsible Party has obtained their contact details in the context of the sale of a product or service;
b) the Responsible Party will be marketing its own similar products or services to the Data Subject; and
c) where the Responsible Party has not previously opted out of receiving Direct Marketing
the Responsible Party may process the Data Subject’s Personal Information for Direct Marketing purposes.
12.4 The Responsible Party must implement the necessary procedures and measures to monitor and track opt-outs from Direct Marketing by Data Subjects in order to ensure compliance with the provisions under POPI.
13.1 Nissan reserves the right to exercise any appropriate form of legal action against any party which may cause us harm and/or damages by way of non-compliance with this Policy. Parties also risk statutory penalties.
13.2 Any contravention(s) of this Policy by an Employee may result in disciplinary action being instituted against such Employee, which action may include dismissal or termination of employment and any other legal action that may be available to Nissan.
14.1 This Policy is subject to review and amendment without prior notice. However, Nissan undertakes to ensure that any amendments hereto are communicated on our publicly available platforms such as our website, for the benefit of our Employees, Dealers, suppliers, service providers and any other persons who may be affected by this Policy.
For the purposes of this Policy, the following definitions apply –
1.1 “Applicable Laws” means POPI, the EU General Data Protection Regulation 2016/679 and any applicable data protection laws that may be in force in South Africa from time to time;
1.2 "Consent" means an informed, unconditional, specific and voluntary expression of will in terms of which permission is given for the Processing of Personal Information;
1.3 "Data Subject" means the natural or juristic person to whom Personal Information relates;
1.4 “Dealer” means a juristic entity duly appointed as a Nissan or Datsun Dealer by Nissan;
1.5 “Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of -
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
(b) requesting the Data Subject to make a donation of any kind for any reason.
1.6 "Employee" means any such person as defined in the Labour Relations Act 66 of 1995, under the employ of Nissan, and any other such person who may conduct work for or on behalf of Nissan on a once off or ongoing basis, as the case may be;
1.7 "Information Officer" means the person/s designated by the Responsible Party to direct compliance with POPI within the Responsible Party;
1.8 "Information Regulator" means the body established in terms of section 39 of POPI;
1.9 "Legitimate Interests" means where Processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights;
1.10 "Nissan" means Nissan South Africa Proprietary Limited, a private company duly incorporated under the laws of South Africa with registration number 1963/007428/07 and registered office at Ernest Oppenheimer Street, Rosslyn, South Africa, and all its branches and/or franchises across the Republic of South Africa;
1.11 "Operator" means any person who Processes Personal Information for or on behalf of the Responsible Party in terms of a contract or mandate concluded between Nissan and such person;
1.12 "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, and includes the meaning given to it in the POPI;
1.13 "POPI" means the Protection of Personal Information Act, 4 of 2013, as amended, and all regulations promulgated thereunder;
1.14 "Process/Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, and includes the meaning given to it in the POPI;
1.15 “Responsible Party” means the party responsible for determining the purpose of and means for Processing Personal Information and may include Nissan, a Dealer or any other person;
1.16 “South Africa” means the Republic of South Africa.