1. INTRODUCTION

South Suez Capital Limited (“South Suez”) is regulated and licensed by the Financial Services Commission (“FSC”) in Mauritius to act as CIS (Collective Investment Scheme) Manager and is also licensed by the Financial Sector Conduct Authority (“FSCA”) in South Africa to act as a discretionary financial services provider.

In order to operate its business, South Suez and its affiliated entities collect and process private data received from clients, employees and third parties.

Private Data means personal information including data relating to an individual who can be identified from those data or data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.

“Personal Information” is defined in the Protection of Personal Information Act (Act no. 4 of 2013) (“POPIA”) as follows:

“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –

  • (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
  • (b) information relating to the education or the medical, financial, criminal, or the employment history of the person;
  • (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • (d) the biometric information of the person;
  • (e) the personal opinions, views or preferences of the person;
  • (f) correspondence sent by the person, that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • (g) the views or opinions of another individual about the person; and
  • (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”

The Mauritius Data Protection Act 2017 and the European Union’s General Data Protection Regulation (“GDPR”) both protect the personal information of their ‘data subjects’, which means personal data relating to an identified or identifiable individual. Both have therefore limited their definition of data subjects to human individuals, ensuring the protection of the personal information of natural persons, not legal persons.

However, South Africa’s Protection of Personal Information Act provides provisions to protect both natural and juristic persons.

Furthermore, the Mauritius Data Protection Act 2017, GDPR and POPIA contain many similarities, but POPIA also protects the data of legal/juristic persons, while the other two protect only living individuals.

It should be noted that whenever there is a conflict between South African and Mauritian laws, regulations or guidelines, the Company will observe the highest standard of rigour between the two.

For the purpose of this Policy, Personal Information includes information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

The Company needs your Personal Information to provide you with the following services:

  • (a) To establish a legal relationship with you;
  • (b) To populate the client account information required on the various on-boarding platforms to open your account; and
  • (c) To generate statements and capture contact information related to this discretionary mandate or account.

South Suez is subject to the Mauritian Data Protection Act 2017. It is registered as a Data Controller with the Mauritius Data Protection Office and is required to ensure that Private Data is treated confidentially, fairly, lawfully and correctly and is committed to achieving compliance with the Data Protection Act. The Mauritian Data Protection Act 2017 has been updated, amongst other things, to be in line with the standards of the European Union’s General Data Protection Regulation 2016/679.

The Company is also required in terms of the Financial Intelligence Centre Act, 38 of 2001 and the Company’s Risk Management and Compliance Programme to obtain Personal Information. The Personal Information forms part of the Company’s requirements when obtaining a discretionary mandate from you or opening an account to facilitate the relevant business activities.

2. PURPOSE

This policy (“the Policy”) outlines the way in which South Suez will use, store and otherwise process the Private Data which is provided by clients, employees and third parties. It also explains the protection measures put in place to preserve Private Data from unauthorised dissemination. We request that you read this policy carefully.

The objectives of the Policy are to ensure:

  1. 2.1 Proper procedures for the processing and management of Private Data are implemented; “Processing” is defined in POPIA as follows: “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
    1. (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    2. (b) dissemination by means of transmission, distribution or making available in any form; or
    3. (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”
  2. 2.2 Best practices and a supportive culture for the processing of Private Data are adopted;
  3. 2.3 All staff understand their responsibilities when processing Private Data;
  4. 2.4 Requests from any person whose Private Data is kept or processed by South Suez are dealt with promptly and courteously;
  5. 2.5 Individuals are assured that their Private Data is processed in accordance with required regulations, that it is secure at all times and safe from unauthorised access, alteration, use or loss;
  6. 2.6 Any new IT system being implemented is assessed on whether it will hold Private Data, or if the IT system represents any risks, damage or impact to individuals’ data and that it meets the requirements of this Policy.

This Policy is subject to review by the Board of directors from time to time as may be required.

3. SCOPE AND REVIEW PERIOD

South Suez is required by law to maintain records for at least 7 years post any transaction and as required for our legitimate business purposes, to perform pursuant to our contractual obligations. Under South African law, the Company is required to keep your Personal Information for a five (5) year period following the date of termination of the business relationship. After this period, your Personal Information will be irreversibly destroyed. As a general principle we do not keep Private Data for longer than required by law or than needed. The Private Data will be deleted at least after we have ceased our business relationship and there is no more legal or regulatory requirement or business purpose for retaining the data.

We may from time to time review Private Data relating to you and held in our systems – including the contents of and other information related to your email and other communications with us – for compliance and business-protection purposes as described above. This may include reviews for the purposes of disclosure of information relevant to litigation and/or reviews of records relevant to internal or external regulatory or criminal investigations. To the extent permitted by applicable law these reviews will be conducted in a reasonable and proportionate way and approved at an appropriate level of management. They may ultimately involve disclosure of your Private Data to governmental agencies and litigation counterparties as described below. Your emails and other communications may also occasionally be accessed by persons other than the member of staff with whom they are exchanged for ordinary business management purposes (for example, where necessary when a staff member is out of the office or has left South Suez).

We will only process your Private Data as necessary so that we can pursue the purposes described above, and then only where we have concluded that our processing does not prejudice you or your privacy in a way that would override our legitimate interest in pursuing those purposes. In exceptional circumstances we may also be required by law to disclose or otherwise process your Private Data. We will tell you, when we ask you to provide information about yourself, if provision of the requested information is necessary for compliance with a legal obligation or, on the other hand, if it is purely voluntary and there will be no implications if you decline to provide the information. Otherwise, you should assume that we need the information for our business or compliance purposes (as described above). If you are uncertain as to our need for information that we request from you, please contact the South Suez representative asking for the information, with your query.

3.1 Private Data shared by Investors with South Suez

South Suez gathers Private Data on and from clients, employees and third parties including (but not limited to):

  • Personal mailing and contact information
  • Identification documents such as passport, identity cards and driving licences
  • Utility bills, proof of address and bank reference
  • Declaration of source of wealth
  • Banking Details
  • Tax forms
  • Curriculum vitae and resumes

3.2 Private information shared by members of the public with South Suez

In the course of its business, South Suez may also receive personal mailing and contact information from members of the public that are not investors in South Suez funds. This information is acquired by various means, such as filling in forms on our website (or other forms that we ask you to complete), giving us a business card (or similar) or corresponding with us by telephone, post, email or otherwise. It may include, for example, your name, address, email address and telephone number; information about your business relationship with South Suez and information about your professional role, background and interests.

3.3 Information that our website and other systems collect about you

If you exchange emails, telephone conversations or other electronic communications with our employees and other staff members, our information technology systems will record details of those conversations.

If you visit our website and fill in the feedback form, our website will collate the information provided in the feedback form.

If you are used to downloading documents from our datasite (Merrill), it will automatically collect information about you and your visit to the website.

3.4 Using and disclosing private information shared by Investors with South Suez

South Suez operates a secured private server and keeps soft and hard copies of certain private investor information disclosed in KYC documents and legal subscription documents and agreements. This Private Data is shared with auditors, fund administrators and professional service providers which have strict compliance and highly secured data protection systems. The sharing of this information complies with regulations in the jurisdictions in which South Suez operates and is subject to strict confidentiality obligations.

Your Personal Information is processed at Ground Floor, MCBQIQ, Royal Road, Pointe Aux Cannoniers, Mauritius (principal place of business) and C/o Schindlers Trust Mauritius Limited, 2nd Floor, Block B, Medine Mews, La Chaussee Street, Port Louis, Mauritius (registered office address). Storage of your Personal Information takes place at the registered office address and the principal place of business.

No third-party providers have direct access to your Personal Information unless specifically required by law and to satisfy client due diligence principles.

South Suez is also required by law to furnish certain information to the FSC, MRA and other regulatory bodies in Mauritius as well as the FSCA/FICA in South Africa. South Suez may also be required to disclose Private Data in order to:

  1. (a) Comply with Court orders, legal process or other judicial or investigative proceeding that produces a request for information;
  2. (b) Permit auditing of account information;
  3. (c) Fulfil or respond to a request from the investor or their authorised representative;
  4. (d) Sell or transfer South Suez business or assets;
  5. (e) Invest funds from investors;
  6. (f) Operate, manage, develop and promote our business and in particular, our relationship with the organisation you represent (if any) and related transactions – this includes, for example, marketing and billing/payment purposes; and
  7. (g) Protect our business from fraud, money laundering, breach of confidence, theft of proprietary materials and other financial or business crimes.

Your Private Data will only be processed as necessary to fulfil the purposes described above, after making sure that the processing does not prejudice you or your privacy in a way that would override our legitimate interest in pursuing those purposes. If you are uncertain as to our need for any information requested from you, please do not hesitate to contact us directly.

4. SAFEGUARDING PRIVATE INFORMATION SHARED BY INVESTORS AND MEMBERS OF THE PUBLIC WITH SOUTH SUEZ

South Suez keeps hard or soft copies of its files, which are secured behind locked doors. The premises are locked from the inside automatically 24/24. The premises are also equipped with security alarms. South Suez uses the third-party email management systems Mimecast and Office 365. Local servers are in a secured server cabinet with appropriate firewall and antivirus systems. Merrill Datasite is used as a platform to upload and share documents. Merrill Datasite is a secured platform which requires individual login and password details to have access. Such parties are accountable for ensuring the information is not shared with external parties.

All South Suez employees are bound by codes of professional conduct and an internal control framework to secure the confidentiality of information on our records. Employees can access their working station only with a login and password. The use of and access to Private Data is restricted to those employees who need to know that information to provide services to investors or members of the public. Any employee who is authorized to have access to Private Data is required to keep such information in a secure compartment or receptacle at the close of business each day. All electronic or computer files containing such information shall be secured and protected from access by unauthorized persons. Any conversations involving non-public Private Data, if appropriate at all, must be conducted by employees in private, and care must be taken to avoid any unauthorized persons overhearing or intercepting such conversations.

Where information is collected and processed on our behalf by service providers and administrators, we make sure that these data processors have the adequate resources to secure data storage. Adequate controls have been put in place to avoid leakage of data. Most of the data processors are either ISAE 3402 certified and/or ISO qualified.

5. DISCLOSURE OF YOUR INFORMATION

We may disclose information collected on you to the following parties:

  • the other members of South Suez;
  • your colleagues within the organisation that you represent;
  • service providers who host our website or other information technology systems or otherwise hold or process your information on our behalf, under strict conditions of confidentiality and security;
  • business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
  • a person who takes over our business and assets, or relevant parts of them;
  • tax authorities;
  • banks; and
  • to regulatory bodies, governmental agencies or litigation and prosecuting counterparties in any country or territory when required by law.

We will then ensure that we have proper safeguards in place to abide by our privacy undertakings to you.

6. YOUR RIGHTS

You have certain data protection rights and as such, you may:

  1. (a) access your personal information that we hold on you;
  2. (b) restrict the use of your personal data;
  3. (c) correct the data we hold on you. Should you believe that any of your Personal Information held by the Company is incorrect or incomplete, you have the right to request to view this information, rectify it or have it deleted. Please contact the Company’s Chief Compliance Officer on pkanhye@southsuez.com should this be required.
  4. (d) object to processing of your data. In addition, if you wish to complain about how the Company has handled your Personal Information, please contact the Chief Compliance Officer. The Company’s Compliance Department will investigate your complaint and contact you within two (2) business days of the complaint being lodged and work with you to resolve the matter; and
  5. (e) request that your data be deleted in some circumstances and as permitted under the law.

If you wish to exercise any of these rights, please send us an email on info@southsuez.com.

If your query relating to your Personal Information is not, in your opinion, adequately dealt with, you can contact the Information Regulator on 012 406 4818 or inforeg@justice.gov.za to file an official complaint.