PAIA Manual

PROMOTION OF ACCESS TO INFORMATION ACT MANUAL (“Act”)

Index

  1. Introduction
  2. Contact Details
  3. The Act and Section 10 Guide 
  4. Records available in terms of any other legislation
  5. Description of the subjects on which Ricoh holds records and the categories of records held on each subject
  6. Categories of records which are available without request
  7. Request procedure in terms of the Act
  8. Fees payable
  9. Other Information as Prescribed
  10. Processing of Personal Information
  11. Virus And Malware Controls
  12. Personnel
  13. Additional Security Requirements
  14. Malicious Software
  15. Forms

1. INTRODUCTION

1.1. Ricoh South Africa (Pty) Ltd is a legal entity incorporated in the Republic of South Africa and operates as an IT Services and Consulting company and offers the Business Objective.

1.2. This Manual has been compiled in accordance with the requirements of the Promotion of Access to Information Act of 2000. The Manual contains the information specified in section 51(1) of the Act, which is applicable to Ricoh as a private body. This information is as follows:
    1.2.1. the contact details of the head of Ricoh and the Information Officer;
    1.2.2. a description of the guide referred to in section 10 of the Act;
    1.2.3. the latest notice published by the Minister under section 52(2) of the Act;
    1.2.4. a description of the records of each Ricoh entity which are available in terms of any legislation other than the Act;
    1.2.5. a description of the data subjects on which each Ricoh entity holds records and the categories of records held on each data subject in sufficient detail to facilitate a request for access to a record; and
    1.2.6. other information as prescribed by regulation.

1.3. The Manual will be updated on a regular basis in accordance with the requirements of section 51(2) of the Act.

1.4. In this Manual, the following words bear the meaning set out below:

“Act” means the Promotion of Access to Information Act 2 of 2000 (as amended);
“B-BBEE” means Broad-Based Black Economic Empowerment and as defined in the Broad-Based Black Economic Empowerment Act 53 of 2003;
“Business Objective” means the supply and maintenance of hardware, software and services within the print and digital services space;
“Customer” means a natural or juristic person who or which receives services from Ricoh;
“Employee” means any person who works for or provides services to or on behalf of Ricoh, and receives or is entitled to receive remuneration;
“Data Subject” means a natural or juristic person whose personal or special information is held by Ricoh.
“Guide” means the guide published by the Information Regulator in terms of section 10 of the Act;
“Head of Ricoh” means the Chief Executive Officer of Ricoh, or any person duly authorised by him or her to carry out the duties ascribed to the “head” of a private body by the Act in their capacity as Information Officer.
“Information Regulator” means the regulatory body established in terms of section 39 of POPIA;
“Manual” means this Manual which is published in accordance with section 51 of the Act;
“Minister” means the Cabinet member responsible for the administration of justice, presently the Minister of Justice and Constitutional Development;
“Personal Information” means the information of a data subject as defined in the Protection of Personal Information Act 4 of 2013, section 1 that being information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person, including, but not limited to—

    (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the  person;
    (b) information relating to the education or the medical, financial, criminal or employment history of the person;
    (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person;
    (d) the biometric information of the person;
    (e) the personal opinions, views, or preferences of the person;
    (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
    (g) the views or opinions of another individual about the person; and
    (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

“POPIA” means the Protection of Personal Information Act 4 of 2013;
“Requester” means any person or entity requesting access to a record that is under the control of Ricoh;
“Ricoh” means:
    - Ricoh South Africa (Pty) Ltd with registration number 1960/000915/07 a company incorporated in accordance with the laws of the Republic of South Africa;
    - Ricoh Capital South Africa (Pty) Ltd with registration number 2011/109688/07 a company incorporated in accordance with the laws of the Republic of South Africa;
    - Ricoh South Africa Holdings (Pty) Ltd with registration number 2017/085305/07 a company incorporated in accordance with the laws of the Republic of South Africa; and
    - Ricoh South Africa Calico Holdings (Pty) Ltd with registration number 2017/085330/07 a company incorporated in accordance with the laws of the Republic of South Africa.

“Ricoh Group of Companies” means (a) Ricoh Company, Ltd (“RCL”); (b) RCL's subsidiaries; (c) any company over which RCL, or any holding company or subsidiary of RCL has control; and (d) any joint venture partners of any of the entities listed in (a) to (c) above. The terms ‘holding company’ and ‘subsidiary’ are used as defined in Section 1 of the Companies Act 71 of 2008.

2. CONTACT DETAILS

The Chief Executive Officer of Ricoh is as stated below and is the head of Ricoh for the purposes of the Act and is the person (Information Officer) to whom requests for access to records should be addressed.

Interim Chief Executive Officer: Dean Richards
E-mail address of the Interim Chief Executive Officer: Dean.Richards@ricoh.co.za
Information Officer: Setimela Kgosana
Email Address: RZA.POPIA@ricoh.co.za
Mobile number: +27 (0) 63 69 88 77 0
Physical address: Equites Park, Meadowview, Corner Clulee Road and Gordon Avenue, Meadowview Ext 132, Sandton, 2065
Postal address: Equites Park, Meadowview, Corner Clulee Road and Gordon Avenue, Meadowview Ext 132, Sandton, 2065
Telephone: +27 (0) 11 723 5000

3. SECTION 10 GUIDE ON HOW TO USE THE ACT

 

3.1. The Information Regulator has, in terms of section 10 of the Act, published a Guide to assist persons wishing to exercise any rights in terms of the Act.

3.2. The Guide may be obtained from the Information Regulator. Any person wishing to obtain the Guide may either access it through the website of the Information Regulator at https://www.Inforegulator.org.za or contact the Information Regulator:

Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Private Bag X2700, Houghton, 2041
Telephone: +27 (0) 10 023 5200
Email: enquiries@inforegulator.org.za

4. RECORDS AVAILABLE IN TERMS OF ANY OTHER LEGISLATION

 

4.1. Certain records held by Ricoh are available in terms of legislation other than the Act.
4.2. The specific records which are available in terms of such legislation are set out therein and these records may in certain instances only be accessed by the persons specified in the relevant legislation. The legislation is as follows:
    4.2.1. Basic Conditions of Employment Act 75 of 1997;
    4.2.2. Companies Act 71 of 2008;
    4.2.3. Compensation for Occupational Injuries and Diseases Act 130 of 1993;
    4.2.4. Competition Act 89 of 1998;
    4.2.5. Consumer Protection Act 68 of 2008;
    4.2.6. Cybercrimes Act 19 of 2020;
    4.2.7. Employment Equity Act 55 of 1998;
    4.2.8. Income Tax Act 58 of 1962;
    4.2.9. Labour Relations Act 66 of 1995;
    4.2.10. Legal Metrology Act 9 of 2014;
    4.2.11. Measurement Units and Measurement Standards Act 18 of 2006;
    4.2.12. Medical Schemes Act 131 of 1998;
    4.2.13. National Consumer Act 34 of 2005;
    4.2.14. National Regulator for Compulsory Specifications Act 5 of 2008;
    4.2.15. Occupational Health and Safety Act 85 of 1993;
    4.2.16. Pension Funds Act 24 of 1956;
    4.2.17. Protection of Personal Information Act 4 of 2013;
    4.2.18. Skills Development Act 97 of 1998;
    4.2.19. Skills Development Levies Act 9 of 1999;
    4.2.20. Unemployment Insurance Act 63 of 2001;
    4.2.21. Unemployment Insurance Contributions Act 4 of 2002;
    4.2.22. Value Added Tax Act 89 of 1991.

5. DESCRIPTION OF THE DATA SUBJECTS ON WHICH RICOH HOLDS RECORDS AND THE CATEGORIES OF RECORDS HELD ON EACH DATA SUBJECT

5.1. The procedure in terms of which such records may be requested from Ricoh is set out in Section 7 of this Manual. The records listed below will not in all instances be provided to a requester who requests them in terms of the Act. The requester should show that he or she has the right in terms of the Act to be given access to the records in question.

5.2. Categories of records and description of records held:

    5.2.1. Administration, Secretarial and Legal:

        (a) Shareholder records;
        (b) Share register;
        (c) Minutes of meetings of directors;
        (d) Records relating to the incorporation of Ricoh;
        (e) Minutes of meetings of committees and sub-committees;
        (f) Power of Attorney;
        (g) Record of litigation/arbitration proceedings;
        (h) Insurance policies; and
        (i) Trademark, copyright, patent, service mark certificates and registrations.

5.2.2. Management:

    (a) Minutes of meetings of Executive Committee;
    (b) Internal correspondence; and
    (c) Resolutions of the directors of Ricoh.

5.2.3. Finance:

    (a) Accounting records;
    (b) Tax records;
    (c) Debtors’ records;
    (d) Creditors’ records;
    (e) Insurance records;
    (f) Auditors’ reports;
    (g) Interim and annual financial statements;
    (h) Bank statements and other banking records for business;
    (i) Invoices issued in respect of debtors and billing information; and
    (j) Records regarding Ricoh’s financial commitments.

5.2.4. Human Resources:

    (a) List of employees;
    (b) Statistics regarding employees;
    (c) Employment contracts;
    (d) Conditions of employment;
    (e) Information relating to prospective employees;
    (f) Personnel records including personal details, disciplinary records, performance, and internal evaluation records;
    (g) CCMA records;
    (h) Registrations with Department of Labour: UIF, COIDA and Skills Development Levies Act;
    (i) Employee tax information;
    (j) Records of Unemployment Insurance Fund contributions;
    (k) Records regarding group life assurance and disability income protection;
    (l) Provident fund records;
    (m) Payroll records;
    (n) Health and safety records;
    (o) Workplace skills plans;
    (p) Codes of conduct;
    (q) Disciplinary code and procedure;
    (r) Grievance procedure;
    (s) Appeal procedure;
    (t) Remuneration policy;
    (u) Training schedules and material;
    (v) Internal policies and procedures regarding dismissals, performance appraisal, recruitment, selection, advertising of positions, appointments, retirement, promotions, leave, extended sick leave, study leave, salaries, overtime, bonuses, medical aid, health and safety, adoption leave and benefits, B-BBEE procurement, loans, working parents, black economic empowerment, smoking, use of Ricoh’s resources including telephones, motor vehicles and computers, sexual harassment, and HIV-AIDS; and
    (w) Correspondence relating to personnel.

5.2.5. Supplier:

    (a) Supplier lists and details of suppliers;
    (b) Agreements with suppliers.

5.2.6. Information Technology Department:
    (a) Computer software;
    (b) Support and maintenance agreements;
    (c) Records regarding computer systems and programmes; and
    (d) User Manuals and licenses.

5.2.7. Facilities:

    (a) Asset registers;
    (b) Lease agreements in respect of immovable property;
    (c) Records regarding insurance in respect of movable property;
    (d) Records regarding insurance in respect of immovable property;
    (e) Complete Safety, Health and Environment Risk Assessment;
    (f) Environmental Management Plans; and
    (g) Inquiries, inspections, examinations by environmental authorities.

5.2.8. Procurement:

    (a) Records of tenders and vendor applications;
    (b) Policy and procedure of tenders;
    (c) Supply Services;
    (d) Supply services lists with freight providers and details of freight hauliers;
    (e) Claim process records;
    (f) Records of delivery and dispatch of company products;
    (g) Marketing Department; and
    (h) Marketing, advertising, and promotional material of products.

5.2.9. Research and Development:

    Records of reports, research, and development material on workplace use of technology.

5.2.10. Sales Department:

    (a) Records of agreements, invoices, rebate structures and pricing with customers and distributors;
    (b) Credit Applications; and
    (c) Customer and Distributor details.

5.2.11. Corporate Affairs:

    Records of all donations to education and society.

5.2.12. Miscellaneous: 

    (a) Internal correspondence; and
    (b) Ricoh publications.

6. CATEGORIES OF RECORDS WHICH ARE AVAILABLE WITHOUT REQUEST

6.1. Certain records are available without needing to be requested in terms of the request procedures set out in the Act and detailed in Section 7 of this manual. This information may be inspected, collected, purchased, or copied (at the prescribed fee for reproduction) at the offices of Ricoh. Certain information is also available on Ricoh’s website: https://www.ricoh.co.za/. The records include:

    6.1.1. Marketing brochures;

    6.1.2. Company and Product websites;

    6.1.3. Product content on Social Media;

    6.1.4. Product Information; and

    6.1.5. Usage Instructions.

7. REQUEST PROCEDURE IN TERMS OF THE ACT

7.1. A request for access to records held by Ricoh in terms of Regulation 7 of the Act must be made on Form 2: Request for Access to Records; a link to the document has been provided under clause 15 below. The request must be made to the Information Officer and sent to the address of Ricoh, and email address of the Information Officer, specified in Section 2 of this Manual.

7.2. A requester must provide sufficient detail on the prescribed form to allow Ricoh to identify the record or records which have been requested and the identity of the requester. If a request is made on behalf of another person or entity, the requester must submit details and proof of the capacity in which the requester is making the request, which must be reasonably satisfactory to Ricoh. The requester is also required to indicate the form of access to the relevant records that is required, and to provide his, her or its contact details in the Republic of South Africa. 

7.3. The requester must identify the right that he, she, or it is seeking to exercise by accessing records held by Ricoh and must explain why the record or records requested is or are required for the exercise or protection of that right.

7.4. Ricoh may, and must in certain instances, refuse access to records on any of the grounds set out in Chapter 4 of Part 3 of the Act which include: that access would result in the unreasonable disclosure of personal information about a third party, that it is necessary to protect the commercial information of a third party or Ricoh itself, that it is necessary to protect the confidential information of a third party, that it is necessary to protect the safety of individuals or property, that a record constitutes privileged information for the purpose of legal proceedings, and that it is necessary to protect the research information of a third party or Ricoh itself. Access to documents may also be refused on the basis of professional privilege.

7.5. Ricoh is required to inform a requester in writing of its decision in relation to a request. If the requester wishes to be informed of Ricoh’s decision in another manner as well, this must be set out in the request and the relevant details included, to allow Ricoh to inform the requester in the preferred manner.

7.6. Ricoh will make a decision in relation to a request for records within thirty (30) days of receiving it, unless third parties are required to be notified of the request or the thirty (30) day period is extended as provided for in the Act. Ricoh will notify the requester if the thirty (30) day period for processing a request is to be extended.

7.7. Where a request is refused, a requester may apply to the High Court within thirty (30) days of being informed of the refusal of the request, for an order compelling the record or records requested to be made available to the requester or for another appropriate order. The Court will determine whether the records should be made available or not. Notwithstanding the above, a requester may lodge a complaint to the Information Regulator, in writing, against the access fee to be paid or the form of access granted, as referred to in terms of section 63(3) and 74(2) – the format of the complaint is available on the Information Regulator’s website and can also be requested from Ricoh directly. The Information Regulator is required to give reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Information Regulator, to put the complaint in writing.

8. FEES PAYABLE

8.1. A requester has to pay a request fee of R50.00, other than where the requester is seeking access to a record containing personal information about him, her, them or itself. The requester may lodge a complaint to the Information Regulator as described above, against the access fee to be paid or the form of access granted. If the requester is seeking reproduction of a record containing personal information, then a fee may be charged. This request fee may be paid at the time a request is made, or the person authorised to deal with such requests on Ricoh’s behalf may notify the requester that he, she, they, or it needs to pay the request fee before processing the request any further. A requester may apply to Court to be exempted from the requirement to pay the request fee.

8.2. Where a request for access to a record or records held by Ricoh is granted, the requester also has to pay an access fee for the reproduction of the record or records, and for the search for and the preparation of the records for disclosure. Ricoh is entitled to withhold a record until the required access fees have been paid. The access fees which are payable are as follows:

8.2.1. Photocopy of an A4-size page or part thereof: R1.10

8.2.2. Printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form: R0.75

8.2.3. For a copy in a computer-readable form on USB: R7.50

8.2.4. Transcription of visual images, for an A4-size page or part thereof: R40.00

8.2.5. Copy of visual images: R60.00

8.2.6. Transcription of an audio record, for an A4-size page or part thereof: R20.00

8.2.7. Copy of an audio record: R30.00

8.3. In addition, if the search for and preparation of the record or records requested takes more than six hours, Ricoh may charge R30.00 for each hour or part thereof which is required for the search for and preparation of the records.

8.4. If Ricoh is of the opinion that the search for and the preparation of the records requested will require more than six hours, Ricoh is entitled to ask for a deposit of one third of the access fees which will be payable in respect of the records requested by the requester. The requester may make an application to Court to be exempted from the requirement to pay this deposit. If a deposit is made and access to the records requested is subsequently refused, the deposit will be repaid to the requester.

9. OTHER INFORMATION AS PRESCRIBED

The Minister has not prescribed that any further information must be contained in this manual.

10. PROCESSING OF PERSONAL INFORMATION

The purpose for which the Companies process or will process Personal Information is to allow the Companies to ensure that they best align the consumer’s needs with the services available, or otherwise as is provided for under lawful processing in the Act.

10.1. Purpose of the Processing of Personal Information:
    10.1.1. Human Resources: To enable Ricoh to maintain appropriate human resources records in relation to members of staff, including recruitment and selection, administration of payroll, expenses, accounts, tax, travel and benefits, work management, professional development and performance reviews, discipline, and superannuation. To enable Ricoh to operate a workplace whistleblowing channel to detect and prevent improper workplace conduct and crime prevention in accordance with relevant business conduct policies.
    10.1.2. Marketing: To enable Ricoh to maintain a customer relationship marketing database of individuals to whom information and promotional material may be sent in relation to products and services that may be of interest to them.
    10.1.3. Customer Services: To enable consumer care via call centres to be provided including integrating external and internal management consumer information across the Ricoh Group of Companies, embracing finance, manufacturing, sales, and procurement.
    10.1.4. IT Department: To enable IT administration to manage users of Ricoh’s network, allowing staff secure access to their IT systems, backing up information on Ricoh’s network, document management, email system and intranet service.
    10.1.5. Finance: To enable procurement of goods and services by Ricoh.

10.2. Categories of Data Subjects and Personal/Special Personal Information relating thereto. 

10.3. As per section 1 of POPIA, a data subject may either be a natural or a juristic person. The categories of data subjects in respect of which Ricoh processes Personal/Special Information and the types of Personal Information relating thereto have been set out in detail in this clause 10.3 below:

Categories of Data Subject and Data.

    10.3.1. The personal data held by Human Resources will include: 

        (a) names and contact details of the data subject;
        (b) employment details;
        (c) financial details;
        (d) educational experience, business activities and skill set;
        (e) family members (where provided as point of contact or next of kin); and
        (f) social activities and hobbies (such as cultural, sports, professional, civic).

    10.3.2. The personal data held by Marketing will include:

        (a) names and contact details of the data subject including email and telephone details;
        (b) country of residence;
        (c) nationality; and
        (d) goods or services provided. 

    10.3.3. The personal data held by Customer Services will include:

        (a) names and contact details of the data subject;
        (b) educational experience, business activities and skill set; and
        (c) goods or services provided. 

    10.3.4. The personal data held by the IT department will include:

        (a) names and contact details of the data subject;
        (b) employment details; and
        (c) family members (where provided as point of contact). 

    10.3.5. The personal data held by Finance will include:

        (a) names and contact details of the data subject;
        (b) employment details; and
        (c) goods or services provided.

10.4. Recipients or categories of recipients of Personal/Special Information to whom Personal/Special Information may be supplied.

    10.4.1. Ricoh may provide a data subject's Personal/Special Information to recipients to which disclosure is required for regulatory compliance or otherwise as provided for within the provisions of the Act, with reference to “processing”:

“Section 1: ‘processing’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

        (i) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
        (ii) dissemination by means of transmission, distribution or making available in any other form; or
        (iii) merging, linking, as well as restriction, degradation, erasure, or destruction of information;”

    10.4.2. Ricoh will not without grounds for lawful processing, disclose personal/special information of the data subject in contravention of the data subject’s right to privacy.

10.5. Planned Transborder flow of Personal Information:

Any international data transfers will be within the Ricoh Group of Companies, with confidentiality provisions being imposed and within the strict operation of intra-group data transfer agreements, ensuring the protection of data subjects’ rights and adherence to regulatory provisions. 

10.6. Description of the information security measures to be implemented by Ricoh to ensure the confidentiality, integrity and availability of the information which is to be processed – 

        10.6.1. Ricoh is committed to safeguarding the security of all personal data which it processes through day-to-day operations. To achieve this, Ricoh has developed and implemented technical and organisational measures that strive to safeguard this important asset. The measures form a robust Information Security protection program made up of data privacy and security policies and functional specific Standard Operating Procedures, which include the following measures: 

            (a) Information Security Policies and Standards: Implement security requirements within the organisation and for staff and all Sub-processors, service providers, or agents who have access to Personal Data to maintain the integrity, confidentiality, resilience, and availability of Personal Data, to include, but not be limited to, the following:
            (i) Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);
            (ii) Prevent Personal Data processing systems being used without authorization (logical access control); 
            (iii) Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, while Processing or use and after storage, Personal Data cannot be read, copied, modified, or deleted without authorization (data access control);
            (iv) Ensure that Personal Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified, with appropriate pseudonymization and encryption measures adopted to protect the confidentiality of data during transfer and storage (data transfer and storage control);
            (v) Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing (entry control);
            (vi) Ensure that Personal Data are Processed solely in accordance with the processor’s Instructions (control of instructions);
            (vii) Ensure that Personal Data are protected against accidental destruction or loss, and appropriate measures adopted to support access to data and/or restoration of data in the event of a physical or technical incident impacting availability (availability control); and
            (viii) Ensure that Personal Data collected for different purposes can be processed separately (separation control).
            (b) These rules shall be kept up to date and revised whenever relevant changes are made to any information system that uses or houses Personal Data, or to how that system is organised.
            (c) These rules shall be routinely reviewed to evaluate efficacy and areas for improvement and where relevant adopt and apply changes as part of a continuous improvement programme.

    10.6.2. Physical Security 

    (a) The transferee/data importer will maintain commercially reasonable security systems at all transferee/data importer sites at which an information system that uses or houses Personal Data is located. The Supplier shall reasonably and appropriately restrict access to such Personal Data. Physical access control shall be implemented for all data centres. Unauthorised access is prohibited through continuous onsite staff and security camera monitoring.
    (b) Organisational Security: The transferee/data importer shall ensure that it has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
    (c) All Personal Data security incidents shall be managed in accordance with appropriate incident response procedures. 

    10.6.3. Network Security 

        The transferee/data importer shall maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols. 

    10.6.4. Access Control

        (a) Only authorised staff shall be permitted to grant, modify, or revoke access to an information system that uses or houses Personal Data.
        (b) User administration procedures shall be adopted which define user roles and their privileges, how access is granted, changed, and terminated; addresses appropriate segregation of duties; and defines the logging/monitoring requirements and mechanisms.
        (c) All employees of the transferee / data importer shall be assigned unique User-IDs.
        (d) Access rights shall be implemented adhering to the “least privilege” approach.
        (e) The transferee / data importer shall implement commercially reasonable physical and electronic security to create and protect passwords.

11. VIRUS AND MALWARE CONTROLS

The transferee / data importer shall install and maintain industry standard (which shall comprise the latest version) anti-virus and malware protection software on the system. 

12. PERSONNEL

12.1. The transferee / data importer shall implement a security awareness program to train personnel about their security obligations. This program shall include training about data classification obligations, physical security controls, security practices and security incident reporting.

12.2. The transferee / data importer shall have clearly defined roles and responsibilities for its employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.

12.3. The transferee / data importer personnel shall strictly follow established security policies and procedures. Disciplinary process will be appropriately applied if employees commit a security breach. 

13. ADDITIONAL SECURITY REQUIREMENTS

13.1. The transferee / data importer shall not delete or remove any proprietary notices contained within or relating to Personal Data. 

13.2. The transferee / data importer shall perform and maintain secure back-ups of all Personal Data and shall ensure that up-to-date back-ups are stored off-site. The transferee / data importer shall ensure that such back-ups are available to transferor / data exporter (or to such other person as transferor / data exporter may direct) at no additional cost to transferor / data exporter, and that the data contained in the back-ups are available at all times upon request and are delivered to transferor / data exporter at no less than six (6) monthly intervals (or such other intervals as may be agreed in writing between the Parties).

13.3. The transferee / data importer shall ensure that any system on which it holds any Personal Data, including back-up data, is a secure system that complies with all security requirements. 

13.4. If Personal Data is corrupted, lost or sufficiently degraded as a result of the transferee / data importer's default so as to be unusable, transferor / data exporter may:

    13.4.1. require the transferee / data importer (at the transferee / data importer’s expense) to restore or procure the restoration of Personal Data to the extent possible and transferee / data importer shall do so as soon as practicable but not later than five (5) days from the date of receipt of the transferee / data importer’s notice; and/or

    13.4.2. itself restore or procure the restoration of Personal Data and shall be repaid by the transferee / data importer any reasonable expenses incurred in doing so. 

    13.4.3. If at any time the transferee / data importer suspects or has reason to believe that Personal Data has or may become corrupted, lost, or sufficiently degraded in any way for any reason, then the transferee / data importer shall notify transferor / data exporter immediately and inform transferor / data exporter of the remedial action the transferee / data importer proposes to take. 

14. MALICIOUS SOFTWARE

14.1. The transferee / data importer shall, as an enduring obligation and at no cost to transferee / data importer, use the latest versions of anti-virus definitions and software available from an industry accepted anti-virus software vendor (unless otherwise agreed in writing between the Parties) to check for, contain the spread of, and minimise the impact of Malicious Software in the relevant IT environment (or as otherwise agreed by the Parties). The transferee / data importer may be required to provide details of the version of anti-virus software being used in certain circumstances (e.g., in response to a specific threat).

14.2. Notwithstanding paragraph 14.1, if Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Personal Data, assist each other to mitigate any losses and to restore the Services to their desired operating efficiency.

14.3. Any cost arising out of the actions of the Parties taken in compliance with the provisions of paragraphs 14.1 and 14.2 shall be borne by the Parties as follows:

    14.3.1. by the transferee / data importer where the Malicious Software originates from the transferee / data importer’s software, the third-party software supplied by the transferee / data importer (except where transferor / data exporter has waived the obligation) or Personal Data (whilst such Personal Data was under the control of the transferee / data importer or any of its Sub processors) unless the transferee / data importer can demonstrate that such Malicious Software was present and not quarantined or otherwise identified by transferor / data exporter when provided to the transferee / data importer; and

    14.3.2. otherwise by transferor / data exporter.

15. FORMS

FORM 2

FORM 3

THE INFORMATION REGULATOR’S RIGHTS DISCLAIMER

The Information Regulator reserves all rights and makes no warranty, either express or implied, with respect to the information and/or promotional material contained herein and is not responsible for any expenses, inconvenience, damage, whether special or consequential, or claims arising out of posting, time and costs incurred and/or associated with this information and will not be liable for the latter. Specific exemption from any liability is claimed with regard to the following:

  • The Information Regulator does not endorse any third-party private service provider and will not bear any costs related to your transaction to compile the manual on your behalf.
  • Submission to the Information Regulator is free and the Information Regulator does not charge any fees for advice or administration; however, all costs to lodge manuals are at the relevant private entity's own cost, e.g., registered mail etc.
  • Manuals are subject to review and comment with the possibility of manuals being rejected on the basis of not meeting the minimum requirements, and the Information Regulator is not liable for the amendment costs, if any, and resubmission, if any, of any manuals.