PRIVACY STATEMENT

Allan & Gill Gray Philanthropies’ commitment to data privacy and security

Allan & Gill Gray Philanthropies (“AGGP”) is a philanthropic group with a mission to attack poverty by investing in, nurturing and empowering entrepreneurs and leaders who benefit society by helping accelerate meaningful employment creation while embodying the values and behaviours of ethical leadership. This is in fulfilment of our vision of an empowered and productively engaged African citizenry thriving in ethical societies with dignity and hope.

We recognise that in the pursuit of our vision and mission, we will be processing personal information of employees and any other person or entity contracting or partnering with a member of the AGGP group which includes, but is not limited to: strategic partners, fellows, programme participants, learners, grantees, scholarship recipients, interns, volunteers, consultants, contractors and suppliers.

We have, therefore, adopted a data protection policy in line with our values and industry best practice. We recognise the significant threat of, among other things, cybercrime, and identity theft and to that end, we prioritise our security safeguards to protect your personal information and to ensure that we process your personal information in an appropriate manner and for legitimate purposes.

The purpose of this Privacy Statement is to outline the governing principles and our practices regarding the processing and protection of your personal information. Kindly note that the name of the specific AGGP entity which processes your personal information will depend on the type of philanthropic activity or programme offering, and we will duly inform you of the relevant AGGP member which will be the contracting party. By using the AGGP website (including the secure site), you are accepting the terms of this Privacy Statement.

We are committed to protecting and respecting your privacy in accordance with the local data protection laws applicable to the jurisdictions in which we operate.

As such, we have chosen to adopt a global approach to data protection compliance. The relevant local laws with which we will comply are:

• Protection of Personal Information Act, 4 Of 2013 (South Africa):

• Data Protection Act 24 of 2019 (Kenya); and

• Law N° 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy.

A. Acceptance

Acceptance required

You must accept all the terms of this Privacy Statement when entering into any agreement or partnership with a member of AGGP. If there is anything in this Privacy Statement that you do not agree with, then you may not contract with us. By accepting this Privacy Statement, you are deemed to have read, understood, accepted, and agreed to be bound by all of its terms.

Legal capacity

You may access our website if you are younger than 18 years old. You may not transact if you are younger than 18 years old or do not have legal capacity to conclude legally binding contracts, unless you have the consent of a competent person.

Your obligations

You may withdraw your consent at any time by contacting us at info@jgfellowship.org. Please note that withdrawing consent may limit your ability to participate in certain programmes or services, depending on the nature of the processing.

B. What is personal information?

Personal information is any information from which you can be identified.

The Personal information we collect can be categorised as follows:

• Your personal identification information which may include your name, passport details, IP address, publicly available personal data, and any other information required to verify your identity or to carry out legally mandated checks.

• Your contract information (which may include postal address and e-mail and your home and mobile telephone numbers).

• Your family relationships (which may include your marital status, the identity of your spouse and the number of children that you have).

• Your professional and employment information (which may include your level of education and professional qualifications, your employment, employer’s name and details of directorships and other offices which you may hold).

• Marketing and communication preferences in which you may be interested.

• Business details.

• Details about your engagement with us e.g. event attendance, correspondence and meetings.

Special personal information includes data such as your race, health status, biometric data, or beliefs. Where we process such data, we do so only in accordance with Sections 26–28 of the POPIA and applicable international laws, and only where lawful justification exists (e.g., with explicit consent or for employment-related purposes).

C. How do we retrieve your personal information?

Directly from you

We ordinarily collect your personal information from you as part of the onboarding process, which is either via our online site or through correspondence in person, via email or telephone. The type of information which we require depends on the nature of the specific programme or project and our internal, legal and regulatory requirements as it may change from time to time.

Cookies

There are, however, instances where personal information is not retrieved directly from you when you navigate our website and other online channels. This is done using “cookies”. Cookies contain specific information related to your use of websites. We use cookies to give you a better experience online. The information collected using cookies might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. This information does not directly identify you, but can give you a more personalized web experience. For all optional type of cookies, we will obtain your consent before these cookies can be used or stored on your device. By accessing any website of any entity in the AGGP, you agree that our compulsory cookies will apply regardless of the device you use to access the websites.

Optional cookies will only be used with your prior affirmative consent, in accordance with applicable cookie laws.

Third-party sources

We may collect additional information from you from third parties, such as:

1. Agents or representatives who are duly authorised to disclose your personal information.

2. Verification agencies for the purposes of general background checking.

3. Educational and other institutions which you have authorised to disclose your personal information.

D. The reasons for processing your personal information

AGGP will only collect, process and store your personal information, with your consent, for legitimate purposes or in situations where it is in our legitimate interest, and which will not cause you undue prejudice. In summary, this includes the following:

• Procurement of your consent. This is where you have consented to the processing of the personal information as part of onboarding. We may be required by law to collect certain personal information. Should you voluntarily withhold or withdraw consent, this may restrict your ability to participate in programmes or projects and, depending on the personal information which you are not consenting to being processed, your overall ability to participate in such programmes or projects.

• Fulfilment of our contract with you. This is where the processing of your personal information is necessary for participation in our philanthropic activities and programmes, which includes communicating to you about any changes to programmes or funding arrangements, dealing with complaints or disputes, and the recovery of any money owing to us.

• Compliance with legal obligations. This is where we need to process your personal information to comply with any binding legal obligations imposed on us by the relevant governmental or regulatory authority.

• It is in our legitimate interests. This includes adhering to local and international best practice guidelines in respect of our philanthropic activities or performing the relevant IT due diligence testing to detect malicious data and cyber threats.

E. Where will we process your personal information?

Due to having entity in multiple jurisdictions and depending on the purpose for which you have provided us with your personal information, we may process your personal information in South Africa or in countries where we have entities located or where our third-party service providers operate. We will only process and transfer personal information to countries that were are satisfied will provide adequate data protection, and we ensure our third-party service providers comply with the minimum data protection standard of our group.

F. How is your personal information protected?

The security of your personal information is important to us and we take reasonable steps to keep your personal information safe and to prevent loss, destruction of and damage or unlawful access to your personal information by unauthorised parties. Our security measures include encryption of personal data in transit and at rest, regular penetration testing, multifactor authentication, and access controls. We also conduct periodic risk assessments and security audits. We require the same level of security to be implemented and maintained by our service providers and other third parties. However, you must not share or send us any personal information through unauthorised channels, as these are not a secure way of communication and carry a risk of interception and unauthorised access. You should only share personal information through our authorised channels.

G. The sharing of your personal information

Employees or independent contractors

We may need to disclose personal information to our employees or independent contractors who require the personal information to perform their roles. These include the following departments: Human Resources, Finance, Information Technology, Legal and responsible management.

Change of ownership

If we undergo a change in ownership, or a merger with, acquisition by, or sale of assets to another entity, we may assign our rights to the personal information we process to a successor, purchaser or separate entity. We will disclose the transfer on our website. If you are concerned about your personal information migrating to a new owner, you may request us to delete your personal information. Any successor entity will be required to uphold the same or equivalent data protection standards as outlined in this Privacy Statement.

Third parties

AGGP will protect your personal information and will not sell, rent or trade your personal information to any person. There will, however, be instances where AGGP will have an obligation to share your personal information, which includes the following:

• Should it be requested by any regulatory authority exercising its statutory duties;

• Should such disclosure be in the public interest or for a legitimate purpose;

• By an order of court;

• In order to protect the legitimate interests of AGGP in exercising its rights or the protection of its reputation and property;

• To fulfil our legal and regulatory obligations in terms of any applicable law;

• If it is requested by third parties in terms of the South African Promotion of Access to Information Act, 2000 (”PAIA”) which regulates and sets out the procedure for such a request and under which circumstances such access may be refused. For information on or to access the PAIA manual, as well as the prescribed request form and fees payable should you wish to exercise your right of access to information, please visit https://www.jgfellowship.org/wp-content/uploads/2022/01/AGGP-PAIA-Manual_21-10-2022_JGF.pdf

You further acknowledge that we may disclose your personal information within the AGGP group, and you expressly consent to this.

H. Storage and destruction of your personal information

We will retain your personal information for the duration that you are a participant or partner or service provider in respect of our AGGP programmes or activities, or otherwise contracted with a member of AGGP. After such agreements or arrangements cease, we may keep your data up to a maximum period of five years:

• To comply with retention requirements imposed by any law; and

• For prudent record-keeping for our various philanthropic programmes and activities.

We may be required to retain your personal information for longer than five years, should it be the subject of any litigation or for other legal reasons. We may also keep your information for research or statistical purposes with the necessary security controls in place. We ensure that when personal information is no longer needed, it is securely deleted or anonymized in a manner that prevents reconstruction or re-identification.

I. Accurate and up-to-date information

We try to keep the personal information we collect as accurate, complete and up to date as possible. From time to time, we may request you to update your personal information. You are able to review or update any personal information that we have on record for you by emailing or phoning us, or in person at our offices.

Please note that to better protect you and safeguard your personal information, we take steps to verify your identity before making any corrections to your personal information.

J. Your rights

You have the right to have your personal information processed according to the conditions for lawful processing of personal information as set out in chapter 3 of the South African Protection of Personal Information Act, 2013 which includes the rights of:

• Notification – the right to be notified that personal information about you is being collected or that it has been accessed or acquired by an unauthorised person.

• Access – the right to establish where we hold your personal information and to request access to such personal information.

• Rectification – the right to request, where necessary, the correction, destruction or deletion of your personal information.

• Objection – the right to object, on reasonable grounds in relation to your particular situation, to the processing of your personal information. This includes the right to object to the processing of your personal information for direct marketing.

• Profiling – the right not to be subject, under certain circumstances, to a decision which is made solely on the basis of the automated processing of your personal information intended to provide a profile of you.

• Complaints – the right to submit a complaint to the Information Regulator regarding alleged interference with the protection of your personal information.

• Civil proceedings – the right to institute civil proceedings regarding alleged interference with the protection of your personal information.

Please keep in mind that these rights are not unlimited. We are required by any relevant law to limit your right to exercise some of these rights. Examples of such instances include (among others) where required by:

• Tax laws;

• Anti-money laundering and fraud-prevention laws;

• Pension fund laws; and

• Insurance laws.

L. Limitation

We are not responsible for, give no warranties, nor make any representations regarding the privacy policies or practices of linked or any third-party websites.

M. Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant regulatory authority and affected individuals without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Our breach response procedures are aligned with Section 22 of the POPIA.

N. Enquiries

If you have any questions or concerns based on this Privacy Statement or regarding the way in which we handle personal information, please contact the Deputy Information Officer at: compliance@allangillgrayphilanthropies.org.