1. In terms of this Privacy Policy (“this Policy”), any mention of “Generation Group”, “us”, “we” or “our” refers to Generation Education Pty Ltd. (“Responsible Party”) and SÍ Institute Pty Ltd. t/a GenEx Institute (“Operator”), and all related subsidiaries, associates and joint ventures.

2. The purpose of this Policy is to demonstrate the Generation Group’s commitment to safeguarding the privacy of all persons, including juristic persons, with who it interacts and to ensure that all Personal Information is used appropriately, lawfully, transparently and stored securely in accordance with applicable statutory requirements. Furthermore, this Policy serves to ensure that the Generation Group and its employees comply with the requirements imposed by the Protection of Personal Information Act, 4 of 2013.

3. This Policy will outline what constitutes Personal Information; how such information will be processed, stored, and destroyed; the rights afforded to you (the “Data Subject”) in terms of applicable law and how to enforce these rights should any of your Personal Information be misused or compromised.

4. This Policy applies to all Personal Information collected by the Generation Group in connection with the services it offers. This includes information collected offline by our employees and online through our website (https://www.generationschools.co.za), which includes the Learner Management System (“LMS”), the Student Information System (“SIS”) (collectively referred to as “the Platform”) and the services that we offer (“Services”).

5. This Policy does not apply to:

   1. Information collected by third party websites, platforms and/or applications (“Third Party Sites”) that we do not control; or
   2. Advertisements, banners, or promotions on Third Party Sites that we may sponsor or participate in.

6. For the purposes of this Policy, employees, students, parents, legal guardians and third parties refer to both existing and prospective employees, students, parents, legal guardians and third parties.

7. This Policy creates a legally binding agreement between us and you and will apply as soon as we collect your data, or you start using our website or Services. By using the website or services, you acknowledge that you have read and understood the terms of this Policy and consent to the collection, use and processing of your Personal Information in accordance therewith. Should you not agree with these terms but continue to use our website, platform or Services, you will be deemed to have given consent.

8. The Generation Group is committed to protecting and promoting the right to privacy and we, therefore, implement business practices that comply with the South African Protection of Personal Information Act 4 of 2013 (“POPI Act”), the UK General Data Protection Regulation 2016/679 (“UK GDPR”) read in conjunction with the Data Protection Act, 2018 and the General Data Protection Regulation (EU) 2016/679 (collectively referred to as “Applicable Law” in this Policy).

1. “CCTV” also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors.

2. “Child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;

3. “Competent person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child and includes the parent and/or guardian of a child;

4. “Consent” means any voluntary, informed expression of will, whether expressed directly or tacitly, which signifies agreement to the processing of Personal Information;

5. “Data Subject” means the person to whom the Personal Information relates and in relation to the Generation Group, would include existing and prospective students and their parents and/or legal guardians, employees, visitors, and any other person with whom the Generation Group interacts from time to time;

6. “De-identify” in relation to Personal Information of a data subject means to delete information that-

   1. Identifies the data subject;

   2. Can be used or manipulated to identify the data subject; or

   3. Can be linked by a reasonably foreseeable method to other information that identifies the data subject.

7. “Information Officer” refers to the person responsible for ensuring that the Generation Group complies with the POPI Act;

8. “Learning Management System” (LMS) is a software application utilised for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs;

9. “Operator” means a person who processes Personal Information on behalf of a responsible part in terms of an agreement;

10. “PAIA” means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

11. “Personal Information” means any information that could be used to identify a living, natural person and includes-

    1. Race, gender, sex, pregnancy, marital status, national or ethnic origin, sexual orientation, age, physical or mental health, disability, religion, belief, culture, language, birth.

    2. Education, medical history, financial history, criminal history, employment history.

    3. Any identifying number, symbol, email address, physical address, telephone number or other particular assignment to a person.

    4. Biometric information, including physical, psychological, or behavioural characterisation.

    5. The personal opinions, views, or preferences of the person.

    6. Correspondence that is implicitly or explicitly of a confidential nature or further correspondence that would reveal the contents of the original correspondence.

    7. The opinion, views, preferences of another individual in respect of the person.

    8. The name of the person.

12. “Policy” means this Privacy Policy;

13. “POPI” means the Protection of Personal Information Act 2013 (Act No. 4 of 2013);

14. “Processing” means any operation or activity or set of operations, whether or not by automatic means, concerning Personal Information, including-

    1. the collection, receipt, recording, organisation, storage, adaption or alteration, consultation, or use;

    2. disclosure by transmission, distribution or making available in any other form; or

    3. merging, linking as well as restriction, erasure, or destruction of information.

15. “Recording” means any recorded Personal Information regardless of its form or medium, including but not limited to any writing, electronic information, marking, image, film, graph that is in the possession or under the control of the Generation Group, irrespective of whether it has been created by the Generation Group or not and regardless of when it came into existence;

16. “Restriction” means to withhold from circulation, use or publication of any Personal Information held or possessed by the Generation Group, but to not delete or destroy such information;

17. “SIS” refers to the Student Information System, a cloud-based administrative system that facilitates the capture, processing and management of staff, student, and their parents/legal guardian’s Personal Information for the purposes of academic tracking, recording, and reporting, internal communication between all stakeholders, and human resource management.

18. “Student” refers to an existing or prospective individual who is or will be attending Generations Schools or is registered with SÌ Institute and, for the purposes of this policy, can also be referred to as a “learner”.

1. The purpose of this policy is to demonstrate the Generation Group’s commitment to safeguarding personal information of all persons, including juristic persons, with who it interacts and to ensure that the Generation Group and its employees comply with the
   requirements imposed by the Protection of Personal Information Act 4 of 2013 and the UK/EU GDPR.

2. Without limiting the generality of the aforementioned purpose, the further purposes are to:

   1. establish an institution-wide policy that will provide direction with respect to the manner of compliance with the Protection of Personal Information Act 4 of 2013 and the UK/EU GDPR.

   2. give effect to the right to privacy and at the same time balance the right to privacy against other rights such as the right to access to information, and to protect important interests such as the free flow of information;

   3. regulate the manner in which personal information may be processed;

   4. establish measures to ensure respect for and to promote, enforce and fulfil the rights protected.

1. This Policy applies to all employees, parents, guardians and students at Generation Schools as well as any third party with whom the Generation Group interacts with from time to time.

2. This Policy applies to the processing of Personal Information at all campuses as well as at the Head Office.

1. The Generation Group only processes Personal Information with the express consent of the data subject or a competent person where the data subject is a child.

2. The Generation Group processes Personal Information without express consent if the processing:

   1. Is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;

   2. Complies with an obligation imposed by law;

   3. Protects a legitimate interest of the data subject; and/or

   4. Is necessary for pursuing the legitimate interests of the Generation Group or a third party to whom the information is supplied.

3. The data subject or competent person is entitled to withdraw his, her or its consent, at any time, provided that the lawfulness of the processing of Personal Information before such withdrawal or the processing of Personal Information in terms of point 5.2 will not be affected.

4. The data subject may object, at any time, to the processing of Personal Information in terms of points 5.2.3 and 5.2.4, in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing.

5. Should a data subject object to the processing of his, her or its Personal Information, the Generation Group will no longer be able to fulfil its function in accordance with the agreement concluded with the data subject.

6. The Generation Group collects Personal Information about a Data Subject from the following sources:

   1. Directly from the Data subject when he/she provides it to us, such as when a Data Subject applies to be enrolled with the Generation Group, signs up to use our website or services, contacts us or through the course of our relationship with the Data Subject;

   2. In the case of a child, from his/her parent or legal guardian or from another source to the extent that consent is given or authorised by the child’s parent/legal guardian;

   3. From public records or public sources, whereby the Data Subject has deliberately made the information public;

   4. From the Data Subject’s use of our website or interaction with any features or resources made available on or through our website;

   5. From any interaction with a third party via our website, provided the third party is authorised to share the Data Subject’s Personal Information with us as a result of a contractual agreement or as required in terms of applicable law;

   6. From the CCTV systems set up on our premises for security purposes. It must be noted that the CCTV system is not used for any other purpose, other than providing security and serving as evidence in the event of an incident. Additionally, CCTV cameras are located and positioned to give a general overview of what is happening in certain places but not to recognize individual persons.

   7. From other sources, provided this does not prejudice a legitimate interest of the Data Subject;

   8. From another source provided it is necessary-

      1. to comply with the law or any obligation imposed by law;

      2. to enforce legislation;

      3. for the conduct of any proceedings in any court or tribunal that have commenced or are reasonably contemplated;

      4. in the interests of national security;

      5. to maintain the legitimate interests of the Generation Group or of a third party to whom the information is supplied.

7. Where a Data Subject provides information, including Personal Information, about another individual other than him- or herself, the Data Subject warrants that he/she has obtained the individual’s consent to provide us with that information for the purpose for which the information is provided.

1. The Generation Group collects and processes Personal Information mainly to provide our employees, students, parents, legal guardians, and third parties with access to our services
   and products, to support our contractual relationship with you and for recruitment purposes.

2. The type of Personal Information collected is dependent on the need for which it is collected and will be processed for that specific purpose only.

3. We ensure that all Personal Information that is collected and processed is adequate, relevant, and not excessive and is collected in a manner that does not infringe the rights of the data subject.

4. The Generation Group takes reasonably practicable steps to ensure that the Personal Information collected is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which such Personal Information is collected or further processed.

5. Whenever possible, The Generation Group will inform employees, parents, legal guardians, students and third parties of what information they are required to provide and what information is optional.

6. Personal Information includes but is not limited to-

   1. General personal details which include a Data Subject’s name, surname, gender, date of birth, age, nationality, language preferences, marital status, identity number and passport number, employment history;

   2. Contact details which include a Data subject’s address, contact number, email address, postal code;

   3. User information which includes Personal Information included in correspondence, transaction documents, or obtained in the course of providing services;

   4. Educational information which includes previous and current academic records, academic qualifications, type of education, curriculum and subjects being studied, and any extracurricular activities.

   5. Consent records which include records of any consents you have given us in respect of using your Personal Information and any related information, such as the specific details of the consent. We will also record any withdrawals or refusals of consent.

   6. Payment details which include details related to any payments made, such as payment method, the information provided by payment gateway service provider, payment amount, date and reason for payment and related information.

   7. Data relating to our Platform, such as the type of device you use to access the Website, the operating system and browser, browser settings, IP address, dates, and times of connecting to and using the Platform and other technical communications information.

   8. Cookies and other technologies.

   9. Account details, such as your username, password, usage data, and aggregate statistical information.

   10. Views and opinions, which include any views and opinions that you choose to share with us, or publicly post about us on social media platforms or elsewhere.

   11. Personal Information concerning children and special Personal Information which includes the race, religious or philosophical beliefs, health, biometric. information, and/or criminal behaviour of a data subject, provided:

       1. The processing occurs with the consent of the competent person or data subject, respectively;

       2. The processing is necessary for the exercise or defence of a right or obligation in law;

       3. The processing is necessary to comply with law;

       4. The processing is for historical, statistical or research purposes;

       5. The information has been deliberately made public by the competent person or data subject, respectively; or

       6. The processing is authorised by Applicable Law.

1. We only process adequate and relevant Personal Information that we collect about you or that you provide to us, for the purposes for which it was collected and intended, which includes but is not limited to the following:

   1. To carry out our obligations and enforce our rights arising from any agreements entered between you and us, including for billing and collection;

   2. To operate and manage your account or your relationship with us;

   3. To monitor and analyse our business to ensure that it is operating properly, for financial management and business development purposes;

   4. To contact you by email, telephone, text message, push notifications or other means to notify you about changes to our Services or to inform you about our Services, unless you have opted-out of such communications (direct marketing);

   5. To carry out market research and surveys, business and statistical analysis and necessary audits;

   6. For fraud prevention;

   7. To perform other administrative and operational tasks like testing our processes and systems and ensuring that our security measures are appropriate and adequate; and

   8. To comply with our regulatory, legal, or other obligations.

2. In addition to the above purposes, we may use your Personal Information for other purposes if the law allows for it, if you consent to it, or if it is in the public interest to do so. All purposes for the processing of your Personal Information will be allowed in terms of Applicable Law.

1. The Generation Group aims and strives to secure the integrity and confidentiality of all Personal Information in its possession and under its control. We have put in place, appropriate security measures designed to protect Personal Information from being
   accidentally or unlawfully lost, accessed, used, altered, disclosed or destroyed. These measures are in accordance with Applicable Law.

2. All information provided to us is stored on our secured servers or those of our service providers and is encrypted using SSL technology. Where a data subject has received a temporary password generated by us or chosen one for himself or herself which enables access to certain parts of our platform, he or she is responsible for keeping this password confidential and should not share it with anyone else.

3. Generation Group takes reasonable measures to:

   1. Identify all reasonable foreseeable risks to personal information in our possession or under our control;

   2. Establish and maintain appropriate safeguards against the risks identified;

   3. Regularly verify the effectiveness of safeguards; and

   4. Ensure that the safeguards are reviewed and updated in response to new risks or deficiencies in previously implemented safeguards.

4. Additionally, we limit access to Personal Information to only authorised and necessary employees, agents, contractors and other third parties, who will only process such Personal Information on instruction.

5. The Generation Group takes all reasonable measures to ensure that anyone processing and storing Personal Information on our behalf (i.e., the operators of the SIS (Student Information System):

   1. Processes such information only with our knowledge or authorisation;

   2. Treats such Personal Information as confidential and does not disclose it, unless required by law or during the proper performance of their duties;

   3. Acts in accordance with an agreement entered with The Generation Group; and

   4. Maintain sufficient and proper security measures. In particular, incorporating the Laravel Framework into the development of the Student Information System (“SIS”) and the Learning Management Systems (“LMS”).

6. The internet is an open and often vulnerable system, The Generation Group cannot fully guarantee the security of your Personal Information transferred to us via the internet. Notwithstanding, we will implement all reasonable measures to protect Personal Information. Therefore, you acknowledge and agree that any transfer of Personal Information via the internet is at your own risk and you are responsible for ensuring that any Personal Information that you send is sent securely.

7. The Generation Group has established procedures to deal with any suspected or known data breach and will, in the event of a suspected data breach, notify the relevant Authority and the data subject, unless the identity of the data subject cannot be established.

8. If you want to report any concerns about our privacy practices or if you suspect any breach regarding your Personal Information, kindly notify us by sending an email to info@generationschools.co.za.

1. We take every reasonable step to ensure that your Personal Information is only processed and retained for the minimum period necessary to fulfil the purposes we collected it for, after which, it is destroyed or deleted, unless:

   1. Required or authorised otherwise in terms of law;

   2. The Generation Group reasonably requires the record for lawful purposes related to its functions or activities;

   3. Required by a contract between the parties thereto;

   4. The data subject or a competent person in the case if a child, consented to the retention of the record;

   5. The Personal Information is retained for historical, statistical or research purposes subject to the implementation of appropriate safeguards; or

   6. Necessary to establish, exercise or defend any legal rights.

2. The destruction or deletion of a record of Personal Information is done in a manner that prevents its reconstruction in an intelligible form.

3. We restrict the processing of Personal Information if the following applies, unless the information is processed for purposes of proof or with the required consent:

   1. Its accuracy is contested by the data subject, for a reasonable period enabling us to verify the accuracy of the information;

   2. We no longer need the information to achieve the purpose for which it was collected or subsequently processed, but it must be maintained for purposes of proof;

   3. The processing is unlawful, and the data subject is opposed to its destruction or deletion and requests the restriction of use instead; or

   4. The data subject requests for it to be transferred into another processing system.

1. 1. We may process your Personal Information to contact you to provide you with information regarding our Services that may be of interest to you, using the contact details that you have provided us.

   2. You may unsubscribe from any direct marketing communications at any time by clicking on the unsubscribe link that we include in every direct marketing communication or by contacting us and requesting us to do so.

1. After you unsubscribe, we will not send you any direct marketing communications, but we will continue to contact you when necessary, in connection with providing you with the Services or in connection with our business.

1. We take all efforts to ensure that your Personal Information is only shared with authorised and necessary employees and third parties to fulfil our services in terms of an agreement entered between you and The Generation Group. We make sure all employees and third parties are aware of and take their confidentiality obligations seriously. They are contractually bound to keep all confidential information confidential.

2. We will not sell, share, or rent your Personal Information to any third party or use your e-mail address for unsolicited mail. Any emails sent by us will only be in connection with the provision of our services and/or the marketing thereof.

3. We may share your Personal Information with and obtain information about you from relevant Third parties for the purposes listed in point 7.

4. We also may share your information with third-party vendors providing services to us in our operations, including:

   1. Our business partners or third-party product or service providers for reasons like data storage, payment processing etc. in terms of written agreements. The Generation Group uses cloud-based software (SIS Platform) to efficiently assist the school in its operations. Most information, including Personal Information, is processed and/or stored in these systems. These cloud-based software providers also have their own security policies, terms of use and privacy policies;

   2. Legal and regulatory authorities, upon their request, or for the purposes of reporting any breach of or as required for compliance with Applicable Law;

   3. Accountants, auditors, lawyers, and other external professional advisors in terms of written agreements with them;

   4. Any relevant party to the extent necessary for the establishment, exercise or defence of legal rights, criminal offences, threats to public security, etc.;

   5. Any relevant third party if we sell or transfer all or any portion of our business or assets; and

   6. Any relevant third party in the event of an acquisition or merger.

5. We may otherwise disclose your Personal Information when:

   1. We have a duty to disclose such information in terms of the law;

   2. We believe it is necessary to protect our rights; or

   3. Requested or authorised by you (Data Subject or a parent/legal guardian).

1. Due to the nature of the Services and us working with business partners and service providers in different countries, we may need to transfer Personal Information to and from the different countries for internal business purposes.

2. We may transfer your Personal Information to recipients in other countries. We will only transfer Personal Information to third parties in countries with adequate data protection laws or do so in terms of a written agreement with the recipient which imposes data protection requirements on that party as required by Applicable Law.

3. Please note that when you transfer any Personal Information directly to a third party in another country (i.e., we do not send your Personal Information to the third party), we are not responsible for that transfer of Personal Information (and such transfer is not based on or protected by this Policy). Any Personal Information that we receive from a third-party country will nevertheless be processed in terms of this Policy.

1. As available and except as limited under Applicable Law, you have the following rights in respect of your Personal Information. Should you wish to exercise any of the rights identified below, please contact us on info@generationschools.co.za.
   1. A data subject has the right to do the following, provided adequate proof of identity is furnished:
      1. Access their Personal Information held by us;
      2. Request us to confirm, free of charge, whether it holds Personal Information relating to the data subject or not; and
      3. Request us to provide a description of the Personal Information of the data subject held by us and identify the parties who have had access to the information.
   2. The Generation Group shall issue records to the data subject:
      1. Within a reasonable time;
      2. At a prescribed fee, if any
      3. In a reasonable manner and format and
      4. In an understandable form.
   3. A data subject has the right to request The Generation Group to:
      1. Correct or delete any incorrect, inaccurate, misleading, incomplete, or unlawfully obtained Personal Information about the data subject in its possession or under its control;
      2. Destroy or delete any records of Personal Information about the data subject that it is no longer authorised to retain;
      3. Produce a copy of your Personal Information and transmit it to another person.
      4. A Data Subject has the right to object, at any time, to the processing of Personal Information-
         1. Collected in terms of point 5.2.3 and 5.2.4, on reasonable grounds relating to his, her or its particular situation, unless provided otherwise by Law; or
         2. For the purposes of direct marketing.
      5. A data subject has the right to withdraw his, her or its consent given to process his, her or its Personal Information. However, we may continue processing a data subject’s Personal Information despite a withdrawal of consent if legally justified.
      6. A data subject has the right to lodge a complaint with the relevant authorities, indicated below, regarding the alleged interference with the protection of his, her or its Personal Information.

1. Unless required otherwise in terms of applicable law, we reserve the right to alter or amend this Policy from time to time as required by law or our internal business operations, without prior notice. Therefore, we advise you to check our website periodically to inform yourself of any changes. However, we will notify you of any material changes to this Policy.

If you have any queries about this notice or believe we have not adhered to it, or need further information about our privacy practices or wish to give or withdraw consent, exercise preferences or access or correct your Personal Information, please contact us at popi@tarokoschool.co.za

1. 1. 15.2. We will attend to your request promptly and will respond within a reasonable time. If you are dissatisfied with our handling of your request, we ask that you give us the opportunity to resolve the issue.

15.3. If you continue to be unhappy with how we have resolved your issue, you have a right to lodge a complaint with the applicable supervisory authority, as follows:

1. 1. 15.3.1. The Information Regulator (South Africa)

      Address: JD House
      27 Stiemens Street
      Braamfontein
      Johannesburg
      2001
      Postal Address: P.O Box 31533
      Braamfontein
      Johannesburg
      2017
      Tel: 012 406 4818
      Fax: 086 500 3351
      Email: inforeg@justice.gov.za
      Website: https://www.justice.gov.za/inforeg/

15.3.2. The Information Commissioner’s Office (United Kingdom)
Address: Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Fax: 01625 524510