Legal and Compliance

GTC recognises its accountability to its stakeholders under the regulatory requirements applicable to our business and we are committed to high standards of integrity and fair dealing in the conduct of our business. We are committed to complying with both the spirit and the letter of the applicable requirements.

The GTC corporate governance framework and process ensure compliance with regulatory requirements and we embrace the achievement of ‘treating customers fairly’.

Our compliance function assists management in undertaking business in compliance with regulatory requirements.

Our policies

Protection of personal information (POPI) policy
Objective

The objective of this policy is to protect GTC’s Systems and Applications’ information from threats,
whether internal or external, deliberate or accidental, to ensure business continuation, minimize
business damage and maximize business opportunities.
This policy establishes a general standard on the appropriate protection of personal information within
GTC. It provides principles regarding the right of individuals to privacy and to reasonable safeguards of
their personal information.

1. Scope
1.1 This policy applies to the key individuals, representatives and staff of GTC. The company and key
individuals (or management) are ultimately responsible for ensuring that information security is
properly managed. GTC IT compliance is responsible for:

1.1.1 the development and upkeep of this policy.
1.1.2 ensuring this policy is supported by appropriate documentation, such as procedural
instructions.
1.1.3 ensuring that documentation is relevant and kept up to date.
1.1.4 ensuring this policy and subsequent updates are communicated to relevant managers,
representatives, staff and associates, where applicable.

1.2 The company and all key individuals, representatives and staff are responsible for adhering to
this policy, and for reporting any security breaches or incidents to IT Compliance.
1.3 External individuals who are contracted to handle specific IT systems and applications for GTC
must adhere to the same information security measures as GTC staff members and will confirm by
separate agreement that they have such security measures in place in respect of the processing of
personal information.

2. Key principles
2.1 The company and each key individual, representative and staff member of GTC is committed to
the following principles:

2.1.1 To be transparent with regard to the standard operating procedures governing the
collection and processing of personal information.
2.1.2 To comply with all applicable regulatory requirements regarding the collection and
processing of personal information.
2.1.3 To collect personal information only by lawful and fair means and to process personal
information in a manner compatible with the purpose for which it was collected.
2.1.4 Where required by regulatory provisions, to inform individuals when personal information
is collected about them.
2.1.5 To treat sensitive personal information that is collected or processed with the highest of
care as prescribed by regulation.
2.1.6 Where required by regulatory provisions or guidelines, to obtain individuals’ consent to
process their personal information.
2.1.7 To strive to keep personal information accurate, complete, up to date and reliable for
its intended use.
2.1.8 To develop reasonable security safeguards against risks such as loss, unauthorized access,
destruction, use, amendment or disclosure of personal information.
2.1.9 To provide individuals with the opportunity to access the personal information relating to
them and, where applicable, to comply with requests to correct, amend or delete personal
information.
2.1.10 To share personal information, such as permitting access, transmission or publication, with
third parties only with a reasonable assurance that the recipient has suitable privacy and
security protection controls in place regarding personal information.
2.1.11 To comply with any restriction and/or requirement that applies to the transfer of personal
information internationally.

3. Monitoring
3.1 The management and compliance department of GTC is responsible for administering and
overseeing the implementation of this policy and, as applicable, supporting guidelines, standard
operating procedures, notices, consents and appropriate related documents and processes.
3.2 The company and key individuals, representatives and staff of GTC are to be trained according to
their functions in regulatory requirements, policies and guidelines that govern the protection of
personal information.
3.3 GTC will conduct periodic reviews and audits, where appropriate, to demonstrate compliance
with privacy regulation, policy and guidelines.

4. Operating controls
4.1 GTC has established appropriate privacy standard operating controls that are consistent with this
policy and regulatory requirements. These include:

4.1.1 Allocation of information security responsibilities;
4.1.2 Incident reporting and management;
4.1.3 User account / email account addition or removal;
4.1.4 Customer data amendment audit trail;
4.1.5 Secure online email archives;
4.1.6 Secure application sign-on;
4.1.7 Secure document and print functionality;
4.1.8 Software updates;
4.1.9 Unique system sign-on;
4.1.10 Information security training and education;
4.1.11 Network security controls;
4.1.12 Domain password policy;
4.1.13 Virus and Malware protection;
4.1.14 MDM – Mobile Device Management;
4.1.15 Data backup.

5. Implementation

5.1 This policy is implemented by GTC and will be adhered to by the company and all key individuals,
representatives and staff who are tasked with the collection and processing of personal information.
5.2 Non-compliance with this policy may result in disciplinary action and possible termination of
employment or mandate, where applicable.