General Privacy Notice

1. Introduction

1.1 In this General Privacy Notice, ‘SPPA’ refers to Security and Property Protection Agency Co Ltd and all the words and expressions used in this Privacy Notice shall be interpreted and construed in line with the definitions used in SPPA’s General Data Protection Policy.

1.2 This General Privacy Notice should be read and interpreted in conjunction with and subject to SPPA’s General Data Protection Policy that governs all the
personal data processing activities of SPPA.

1.3 This General Privacy Notice is relevant to all persons (‘data subjects’) whose personal data is collected by SPPA in line with the requirements of the European General Data Protection Regulation 2016 (‘GDPR’) and the Mauritius Data Protection Act 2017 (‘DPA’).

1.4 Users of SPPA’s website as well as SPPA’s customers, potential customers,
stakeholders and commercial partners are likely to be data subjects in as much as SPPA may collect their personal information whether by automated or non- automated means.

2. Responsibilities

2.1 SPPA is responsible for ensuring that this General Privacy Notice is made available to data subjects prior to SPPA collecting/processing their personal data.

2.2 All Employees/Staff of SPPA who interact with data subjects are responsible for ensuring that:

2.2.1 this General Privacy Notice is drawn to the data subject’s attention prior to processing the latter’s personal data; and

2.2.2 they obtain the consent of the data subjects prior to the processing of their data wherever consent is required under either the GDPR or the DPA.

3. Privacy Statement

3.1 Who is SPPA and what does SPPA do?

3.1.1 SPPA is a public company duly registered and validly existing under the laws of Mauritius.

3.1.2 Security and Property Protection Agency Co Ltd (‘SPPA’) is a wholly owned subsidiary of Caudan Development Ltd (‘CDL’). CDL is listed on the Stock Exchange of Mauritius.

3.1.3 SPPA has its registered office situated at 8th Floor, Dias Pier Building, Le Caudan Waterfront, Port Louis, Mauritius and its administrative headquarters situated at Old Post Office Road, St Pierre 81406, Mauritius. SPPA’s other contact details are as follows:

Email address: info@caudansecurity.com

Telephone Number: +230 403 5000

Facsimile Number: +230 433 2022

3.1.4 More information on SPPA is contained in its General Data Protection Policy.

3.1.5 Although established, based and domiciled in Mauritius, SPPA has expanded its business activities beyond the jurisdiction of Mauritius including but not limited to parts of the European Union and the United Kingdom.

3.1.6 In the light of paragraph 3.1.5 above, SPPA is likely to process personal data both under the GDPR and the DPA.

3.1.7 The Board of Directors of SPPA has appointed a Data Protection Officer in Mauritius whose identity and contact details are as follows:

Data Protection Officer

Postal address: Caudan Security Services Headquarters

Old Post Office Road

St Pierre 81406

Mauritius

Email address: dpo@caudansecurity.com

Telephone Number: +230 403 5000

Facsimile Number: +230 433 2022

3.1.8 The personal data SPPA is likely to collect from you and process is:

(a) If you are a service provider or supplier of SPPA:

  • Name,
  • Registered Address,
  • Place of operation Address,
  • NIC (if individual) / BRN (if company),
  • Phone number,
  • E-mail address,
  • Bank account number,
  • Tax number,
  • VAT registration number.

(b) If you are a customer or potential customer of SPPA:

  • Name,
  • Address,
  • Registered Address (if company),
  • NIC (if individual) / BRN (if company),
  • Phone number,
  • E-mail address,
  • Bank account number,
  • Tax number,
  • VAT registration number.

(c) If you are an external consultant and/or any other professional having a business relationship with SPPA:

  • Name,
  • Address,
  • Registered Address (if company),
  • NIC (if individual) / BRN (if company),
  • Phone number,
  • E-mail address,
  • Bank account number,
  • Tax number,
  • VAT registration number.

(d) If you are a candidate for employment at SPPA:

  • Name,
  • Date of Birth,
  • Address,
  • Telephone numbers,
  • E-mail address,
  • NIC or Passport number,
  • Qualifications, CV and professional/personal referees.

(e) If you are a visitor of SPPA:

  • Video camera surveillance images,
  • NIC or Passport number.

3.1.9 The personal data SPPA collects will be used for the following purposes:

(a) If you are a service provider or supplier of SPPA:

  • Communication on the contract,
  • Honouring payment obligations,
  • Keeping records of past payments,
  • Pursuing or defending legal claims,
  • Accounting and auditing purposes.

(b) If you are a customer or a potential customer of SPPA:

  • Communication on the contract,
  • Processing payment obligations,
  • Keeping records of past payments and statements of account,
  • Pursuing or defending legal claims,
  • Accounting and auditing purposes.

(c) If you are an external consultant and/or any other professional having
a business relationship with SPPA:

  • Communication on the duties and tasks required by SPPA,
  • Honouring payment obligations,
  • Keeping records of past payments,
  • Pursuing or defending legal claims,
  • Accounting and auditing purposes.

(d) If you are a candidate for employment at SPPA:

  • Assessing the suitability of the candidate for the job applied for, Communication with the candidate.

(e) If you are a visitor of SPPA:

  • Ensuring security within the premises of SPPA,
  • Indicating possible criminal acts or threats to the public security.
  • Validating the identity of visitors.

3.1.10 SPPA’s legal basis for processing your personal data:

(a) If you are a service provider or supplier of SPPA:

  • The processing is required for contractual necessity, i.e. to fulfil legal obligations arising out of a contract entered into between SPPA and a service provider or supplier.

(b) If you are a customer or a potential customer of SPPA:

  • The processing is required for contractual necessity, i.e. to fulfil legal obligations arising out of a contract, or a potential contract to be entered into between SPPA and a customer.

(c) If you are an external consultant and/or any other professional having a business relationship with SPPA:

  • The processing is required for contractual necessity, i.e. to fulfil legal obligations arising out of a contract between SPPA and an external consultant and/or any other professional (e.g. Consultancy agreement, Retainer agreement, etc.).

(d) If you are a candidate for employment at SPPA:

  • The processing is necessary for the purpose of the legitimate interests pursued by SPPA.

(e) If you are a visitor of SPPA:

  • The processing is necessary for the purpose of the legitimate interests pursued by SPPA.

3.1.11 In any event, SPPA is committed to ensuring that the information it collects and uses is appropriate for the purpose for which it was collected, and does not constitute an invasion of your privacy.

3.1.12 In terms of being contacted for direct marketing purposes, SPPA will contact you for additional consent unless you have already consented to the same.

3.1.13 SPPA’s aim is not to be intrusive, and SPPA undertakes not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimize the risk of
unauthorized access or disclosure.

3.2 Consent

3.2.1 By using SPPA’s website (as a user of SPPA’s website) you are giving SPPA permission to process your personal data specifically for the purposes
identified above.

3.2.2 By placing an order for goods and/or services with SPPA (as a customer) or by requesting SPPA to provide you a quote (or any further information) in respect of SPPA’s goods and/or services (as a potential customer), you are giving SPPA permission to process your personal data specifically for the purposes identified above.

3.2.3 By entering into mutually- beneficial contractual and commercial partnerships with SPPA (as a commercial partner), you are giving SPPA permission to process your personal data specifically for the purposes identified above.

3.2.4 Subject to paragraph 3.2.8 below, further explicit and written consent will be requested from you for SPPA to process any of your sensitive or special
categories data.

3.2.5 Sensitive or special categories of personal data is information about racial origin, ethnic origin, political opinion, religious belief, philosophical belief, trade union membership, genetic data, biometric data, health data, criminal record, data concerning sex life and/or sexual orientation.

3.2.6 As a rule SPPA does not process sensitive or special categories personal data unless the same is absolutely necessary. When asking you for sensitive or special categories of personal data SPPA will always tell you why and how the information will be used and will also obtain your explicit written consent save and except where the same is permissible by law.

3.2.7 When you have been requested to and do submit written explicit consent, you may withdraw consent at any time by informing SPPA and/or SPPA’s Data
Protection Officer in writing of your wish to withdraw your consent without
having to assign any reason for your decision.

3.2.8 SPPA may exceptionally process sensitive or special categories personal data without your explicit written consent if such processing is required by law
and/or a Court order or where the information is already in the public domain.

3.3 Disclosure and transfer

3.3.1 SPPA may pass your personal data on to third-party service providers contracted to SPPA in the course of dealing with you. Any third parties that SPPA may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on SPPA’s behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with SPPA’s procedures.

3.3.2 Basically, SPPA will not pass on your personal data to third parties unless it has obtained your consent or such disclosure is necessary for the processing
activities of SPPA in furtherance of a contractual relationship to which you are
privy or from which you will be deriving a personal interest.

3.3.2 SPPA will not transfer your personal data to a different country without having carried out an adequacy test as explained in SPPA’s General Data Protection Policy and informed you about the adequacy of protection afforded to your personal data in that country.

3.4 Report of Breach

Whenever SPPA is on notice that a breach of personal data has been committed or reasonably suspects that a breach of personal data is likely to be committed, SPPA shall as soon as reasonably practicable inform the relevant supervisory authority about the same. You shall also be informed about the same where such a breach is likely to impact on your rights and freedoms as a data subject.

3.5 Retention Period

3.4.1 Subject to paragraph 3.4.2 below, SPPA will process and store your personal data for no longer that is required for the purpose for which it is initially collected.

3.4.2 Notwithstanding paragraph 3.4.1 above, SPPA may store your personal data for such period as may be necessary for SPPA’s compliance with legal
obligations and for SPPA’s legitimate interests such as the defense by SPPA of
legal claims that may be brought before it.

3.4.3 For further information about the retention period applicable to your personal data, please consult SPPA’s Retention of Records Procedure and Retention of Records Schedule.

3.6 Your rights as a data subject

At any point while SPPA is in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that SPPA holds about you.
  • Right of rectification – you have a right to correct data that SPPA holds about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data SPPA holds about you to be erased from its records.
  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – you have the right to have the data SPPA holds about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: in the event that SPPA refuses your request under rights of access, SPPA will provide you with a reason as to why. You have the right to complain as outlined in clause 3.7 below.

3.7 Complaints

3.7.1 In the event that you wish to make a complaint about how your personal data is being processed by SPPA, or how your requests under clause 3.6 above have been handled, you have the right to lodge a complaint directly with the relevant supervisory authority and SPPA’s Data Protection Officer.

3.7.2 The supervisory authority in Mauritius is the Data Commissioner of the
Mauritius Data Protection Office whose contact details are as follows:

Postal address: Data Protection Office

Level 5, SICOM Tower

Wall Street

Ebène Cyber City, Ebène

Mauritius

Email address: dpo@govmu.org

Telephone number: +230 460 0251

Facsimile number: +230 489 7341

 

3.8 What does SPPA hold about you?

3.8.1 At any point in time, you can find out the personal data that the organisation holds about you, if any.

3.8.2 Upon a written request being received, SPPA can confirm what information it holds about you and how it is processed.

3.8.3 If SPPA does hold personal data about you, you can request the following information:

• Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the European Union.

• The purpose of the processing as well as the legal basis for processing.

• If the processing is based on the legitimate interests of SPPA or a third party, information about those interests.

• The categories of personal data collected, stored and processed.

• Recipient(s) or categories of recipients that the data is/will be
disclosed to.

• If SPPA intends to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. Please note that the supervisory authorities in the European Union have approved sending personal data to some countries because the latter  meet a minimum standard of data protection. In other cases, SPPA will ensure there are specific measures in place to secure your information by carrying out an adequacy test as explained in SPPA’s General Data Protection Policy.

• How long the data will be stored.

• Details of your rights to correct, erase, restrict or object to such processing.

• Information about your right to withdraw consent at any time.

• How to lodge a complaint with the relevant supervisory authority.

• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.

• The source of personal data if it wasn’t collected directly from you.

• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

3.8.4 When making a written request to SPPA pursuant to this clause 3.8, you will need to provide to SPPA an appropriate form of ID in order to access to the information set out at paragraph 3.8.3 above. An appropriate form of ID is either your National Identity Card or your passport (provided the same has not expired).

 

Ownership and Authorisation

Security and Property Protection Agency Co Ltd is the owner of this document.

This document and all other related documents referred to herein may, from time to time, be reviewed in line with any changes in the law.

This General Privacy Notice has been duly approved by the Board of Directors of Security and Property Protection Agency Co Ltd on 13th November 2020.

By order of the Board of Directors of Security and Property Protection Agency Co Ltd.

Made in good faith on 13th November 2020 at Old Post Office Road, St Pierre 81406, Republic
of Mauritius.