top of page
Thrive Africa Logo MAIN.png

Data Protection Policy

African Alliance is committed to protecting your personal data and to informing you of your rights with respect to your personal data.

In providing services to its clients, African Alliance may control and/or process personal information that clients provide to any of the group’s affiliates in the conduct of its business.

For the purposes of EU General Data Protection Regulation, this policy applies when we act as the controller and/or processor of personal data of EU residents and it improves the way we handle private information, for the benefit of all our clients.

In South Africa, the Protection of Personal Information Act No 4 of 2013, as amended, governs the collection, use, disclosure and retention of personal information.

The reference to ‘personal data’ in this Notice and Policy includes ‘personal information’ as contemplated under the Protection of Personal Information Act No 4 of 2013, as amended.

In general, the majority of the personal data collected on our clients is provided by you directly (or by your intermediary), and typical data provided by third parties may include the results of checks on your identity or address.

Your personal data is collected, stored and processed for purposes of giving effect to the agreements entered into between you and African Alliance.

As a result of the services which any member of the African Alliance Group (“African Alliance”) provides, or has provided, to you, we may need or have needed, to share information containing personal data on you with various third parties, including banks, custodians, lawyers, accountants, auditors, third party entities engaged by yourself or any other African Alliance company for giving effect to services you engaged African Alliance to perform. All data shared within the African Alliance Group is purely to facilitate any dealings you may have with the other entities within the Group.

This Privacy Policy sets out how we process your personal data to give you transparency. It also informs you of your rights regarding your personal data and how you can control the use of your personal data. This policy does not apply to information collected, stored, shared, or distributed by third-party sites.

 

Applicable Legislation

  • European General Data Protection Regulation

 

The European General Data Protection Regulation 2016/679 (the “GDPR”), effective 25 May 2018 applies across the European Union and is also applicable to controllers and/or processors outside the European Union where goods or services are offered to data subjects in the European Union.

  • Protection of Personal Information Act

 

The Protection of Personal Information Act No 4 of 2013, as amended (“POPIA”), effective 1 July 2021 applies to any person, business or entity processing personal information in South Africa.

What is Personal Data?

 

Personal data under GDPR is defined as information relating to a natural individual or juristic person who can be identified or identifiable from that data. 

 

Personal data includes, among other data, your name(s), address(es), email address(es), telephone number(s), bank account number(s), and passport number(s).

 

Personal information under POPIA is defined as information which relates to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. This includes, but is not limited to, your name, sex, gender, address, contact details, identity number and medical or health information, as may be applicable.

 

What is Processing?

 

Data controllers are those companies within African Alliance which, alone or jointly with others, determine the purposes and means of the processing of personal data. Data controllers are responsible for ensuring that your personal data is processed in compliance with data protection laws and to provide you with our privacy notice and policy.

 

When we collect, store, transfer or use in any way for any purpose or delete your personal data, we are processing it.

 

As a result of administration services provided by Pivot Limited (Pivot), an African Alliance Group subsidiary, to various African Alliance companies and funds under their management, Pivot is a data controller and processor registered with the Data Protection Office of Mauritius, and is subject to the rules as set out in the Data Protection Act 2017 in the collection, storage or processing of personal data in Mauritius.

 

What Personal Data Do We Collect?

 

In order for African Alliance to provide services to its clients, run its business and discharge regulatory and legal obligations it needs to process client personal data. Without processing this personal data we may not be in a position to provide our services and administer the business.

In general African Alliance commonly collects:

  • Photographic ID & documents to verify both your identity and residential address in order to satisfy applicable anti-money laundering regulations, including but not limited to that of shareholders and persons authorised to represent you (where applicable);

  • Your contact details, including but not limited to, telephone numbers, address and email address in order to communicate with you;

  • Where, as part of our services to you, we are remitting funds we will request that you provide us with  your bank details;

  • Details of beneficiaries of investments held with us,

 

We usually collect personal information about you from you directly but in certain circumstances we may collect personal data on you from other sources such as third parties, your advisors, or from publicly or privately available records. In particular, we may use third party risk assessment vetting as part of our anti-money laundering screening process to comply with anti-money laundering legislation at or around the time we take on a client and periodically thereafter.

 

Where we collect any additional personal data pertaining to you from any third parties you will be informed of that at the time we collect it, together with the reasons why.

 

Where we process your personal data for reasons not already communicated to you or as set out herein, we will notify you of same in advance and to the extent we are obliged to obtain your consent for such processing, we will request your consent accordingly.

 

We limit the circumstances under which we may collect special categories of personal data, such as the data subject’s physical or mental health condition, to the extent applicable or required to provide services to the data subject. In the event that such data needs to be collected or and/or processed, we will provide such additional protection as is prescribed under the applicable laws.

 

In the event that personal data relating to a child under the age of 16 (under GDPR) and 18 (under POPIA) is provided to us, especially in cases where the data being provided does not enable us to readily ascertain that it relates to a child, you should ensure that verifiable consent is given by the child’s parent or guardian.

 

Why Do We Process Your Personal Data?

 

We will collect and use your personal data where:

  • The use is necessary for the performance of a mandate or contract with you;

  • The use is necessary for us to comply with a relevant legal obligation;

  • The use is in our legitimate interests such as managing our relationships with clients, monitoring data security with clients, and managing our compliance and legal obligations; and/or

  • You have consented to us using your personal data.

 

How Do We Use Personal Data?

We process personal data primarily for the purpose of providing a contracted service(s) to you or an entity to which you are connected  and depending on the services you require of us we process your personal data, which use may include:

  • To perform due diligence and comply with legal and/or regulatory obligations (including anti money laundering legislation);

  • To perform our client take on process and client reviews;

  • For keeping documents in safe custody;

  • To instruct or give effect to payments, trades and investments;

  • At termination of any relationship involving a data subject;

  • To conduct internal reviews and compile internal reports;

  • For record keeping purposes;

  • To generate reports for you or in compliance with any request from an auditor, or a regulatory or supervisory body;

  • In the establishment of bank accounts and interaction with banks;

  • To communicate with you regarding the services we provide to you (for example any changes);

  • To otherwise fulfil your instructions, provide the service that we are engaged to provide, or comply with our obligations.

 

In the event you refuse to provide us with your personal data, we would likely not be able to provide you with our services.

Where you provide a service to African Alliance we will process contact details of your representatives, agents or employees in order to communicate with you/them.

 

Storing and Deleting Your Personal Data

 

Your personal data will be kept securely by African Alliance. This information will be held for the period stated in applicable law and/or for as long as is required to perform our contract with you, after which it will be securely destroyed. We may keep it longer where:

  • There is litigation or an investigation or has been requested by a supervisory body or other law enforcement agency;

  • It may be required to assist with the mitigation of any future tax or regulatory query into the transactions or other affairs undertaken by an entity or trust to which we provide services, (ensuring that rights and freedoms of our clients, our staff as well as African Alliance are safeguarded);

 

Further retention is at your request (in which case there may be a charge).

 

We may be required by applicable Anti Money Laundering legislation to retain personal data processed for our due diligence on you and your financial transactions history for a period of five years after our business relationship ends. Where regulatory requirements require us to keep data on you for a longer period we will do so.

 

Using Your Personal Data for Marketing

 

Where we market our services and/or products, we strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

 

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

 

You may receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

 

We may contact you by email, telephone, or post with regard to your activities with us.

 

Your Right to Access and Correct Your Personal Data

 

You have a right to access the personal data that we hold on you, as provided in applicable legislation or in terms of our Promotion of Access to Information Policy. If you would like a copy of the personal information that we hold on you please email us your request or write to us at the address below. You also have a right to require that any inaccurate personal data that we hold on you is corrected. If you find that any of your personal data is incorrect please email us or write to us at the address below and we will correct it without delay.

 

Your Right for Your Personal Data ‘to be Forgotten’

 

Under GDPR, you have the right to obtain the erasure of personal data without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

  • you withdraw consent on which the processing is based, and where there is no other legal ground for the processing;

  • you object to the processing and there are no overriding legitimate grounds for the processing;

  • your personal data has been unlawfully processed;

  • your personal data has to be erased for compliance with a legal obligation to which the controller is subject.

 

Where we have made the personal data public and are obliged pursuant to the above to erase the personal data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

The above shall not apply to the extent that use  is necessary, amongst others:

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;

  • for the establishment, exercise or defence of legal claim;

 

For further information on your rights including the “right to be forgotten” or if you wish to exercise your right to make a complaint to the regulatory authorities, please refer to the link below.

 

Under POPIA you have a right to object to the processing of your personal data where that processing is carried out for our legitimate interests by contacting us below.

 

How Long is Personal Data Retained

 

We are required to ensure that your personal data is accurate and maintained in a secure environment for a period of time no longer than necessary for the purposes for which we are processing your personal data. We generally keep personal data collected via the website in accordance with the timeframes set out in any relevant legislation which applies to the personal data provided to us. However, in some cases we may need to keep personal data for longer (e.g., where we are required to do so in accordance with legal, regulatory, tax or accounting requirements, or dealing with complaints, legal challenges or prospective litigation).

Sharing and Transferring Your Personal Data

 

We will never sell your personal data.

 

We may share your personal data within the African Alliance Group, or with various third parties, including banks, custodians, lawyers, accountants, auditors, outsourced IT service providers, third party entities engaged by yourself or any other African Alliance Group company, and regulatory or legal authorities for the purpose of providing our contracted services to you or as required by regulations or law.

 

We take all reasonable steps to ensure that personal data transfers are kept confidential and secure as required by data protection laws.

 

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will diligently comply with your reasonable requests to transfer your personal data to other service provider(s).

 

Data Security

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

Data Breach Response Plan

 

In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 (seventy-two) hours after having become aware of it, notify the personal data breach to the applicable regulator, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

 

Where the notification to the regulator is not made within 72 (seventy-two) hours, it shall be accompanied by reasons for the delay.

 

The notification referred to above shall at least:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  • communicate the name and contact details of the Data Protection / Information Officer or other contact point where more information can be obtained;

  • describe the likely consequences of the personal data breach;

  • describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

 

Any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken shall be documented in a data breach register.

 

The relevant data subject will also be notified in writing of the data breach. This notification will be sent via electronic communication to the data subjects last known email address. The notification will contain sufficient information to allow the data subject to take protective measures against further compromise, including:

  • communicate the name and contact details of the Data Protection / Information Officer or other contact point where more information can be obtained;

  • describe the likely consequences of the personal data breach;

  • describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;

  • describe any other measure the data subject can take to prevent further consequences of the breach.

 

International Transfers

 

In the provision of our services, we may have to transfer your personal data to external third parties in other countries.

 

Whenever we transfer your personal data to other countries, we ensure that the required degree of protection is afforded to it under the laws of that country.  We ensure that any of our third party service providers to whom a data transfer is made has appropriate safeguards in place to protection your personal information.

 

We have taken appropriate safeguards to require that your personal information will constantly remain protected in accordance with this policy.

 

Changes to this Privacy Policy

 

We will place any update to this privacy policy on our website.

 

Data Protection / Information Officer and How to Contact Us

 

If you have any questions or concerns about personal data or this privacy policy or you wish to make a complaint about how we have processed your personal data, or you wish to exercise any of your rights as a data subject please contact us in writing to or by post at the following address:

Data Protection Officer

 

Pivot Limited (Mauritius)

Email: dataprotectionofficer@pivotlimited.com

Address: 1st Floor, 32 Ebène Heights, Cybercity, Ebène, Mauritius

Information Officer

 

African Alliance (South Africa)

Laurinda da Camara (Information Officer)

Jonine Meadon (Deputy Information Officer)

Email: legalnotices@africanalliance.com

Address: Building 4 Illovo Edge Office Block, 9 Harries Road, Illovo, Sandton, 2196 South Africa

 

Alternatively, please feel free to discuss with your key account manager.

 

Complaints - Information Regulator 

 

Whereas we would appreciate the opportunity to first address any complaints regarding our processing of your personal data, you have the right to complain to the Information Regulator, whose contact details are:

The Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

P.O. Box 31533, Braamfontein, Johannesburg, 2017

Complaints email: complaints.IR@justice.gov.za

General enquiries email: inforeg@justice.gov.za

GDPR Supervisory Authority

 

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

bottom of page