Refer to the Thungela Document Management System for the latest version of the document. Copyright resides with the
company. Printed copies of this document are Uncontrolled and deemed valid only on the day of printing.
Page 1 of 8
[OFFICIAL]
THUNGELA RESOURCES
DATA PRIVACY POLICY

IMPLEMENTATION DATE: 2023/07/01
NEXT REVIEW DATE: 2025/07/01
DOC NO: TR.IM.POL.007
VERSION NUMBER: 4

Approvals
NAME | POSITION | SIGNATURE | DATE
Nolene Singh | IM PMO and Governance Manager | | 2023/06/22
Rajan Pillay | Head of IM | | 2023/06/22
Deon Smith | CFO (on behalf of Exco) | | 2023/06/22
DocuSign Envelope ID: 78730B8A-E22E-42E9-B3E3-934B5AF5F414
1 CONTEXT:
Our Code of Conduct sets out the standards and expected behaviours which guide how we do
business. This makes clear that we must treat people with care and respect by respecting the privacy
of individuals, and by complying with all applicable laws on the collection, storage, use, retention,
transfer, and deletion (collectively referred to as “processing”) of personal data.
Thungela Resources is committed to ensuring that personal data is processed appropriately,
transparently, securely, and responsibly by the respective Thungela Resources entities and Functions
and by those processing personal data on their behalf, and that the processing of personal data is
underpinned by a robust governance framework.
The purpose of this Data Privacy Policy (“the Policy”) is to set out the principles we must follow to
achieve our data privacy commitment. It outlines what we must do when processing personal data at
every level within Thungela Resources. It is designed to:
Increase awareness of regulatory, legal, and business requirements relating to privacy, which
impact how we process personal data.
Set out the standards that Thungela Resources is committed to following when we process
personal data.
Help Thungela Resources to meet our regulatory, legal, and business responsibilities when we
process personal data.
For a glossary of data privacy terms used in this Policy, please refer to the “Further Information” section
below. For ease of reading, we use generic language in describing the Group, and this is further
explained under “Terms” at the end of this document.
2 DOES THIS APPLY TO ME?
This Policy applies to all employees and directors of Thungela Resources, as well as contractors,
consultants, and external advisers (and their personnel) when they are acting on behalf of Thungela
Resources or any of its subsidiaries. We all have a responsibility to ensure that Thungela Resources
respects the privacy of individuals, that the systems and equipment that Thungela Resources uses to
process personal data are secure, and that personal data is processed in accordance with applicable
laws and regulations.
3 WHAT DO I NEED TO KNOW?
We must comply with privacy and data protection laws which regulate how we can lawfully collect, use,
retain, transfer, and store "personal data".
Personal data typically includes any information relating to an individual person who can be identified
from that information. This includes, for example, an individual’s name, passport details, or email
address.
Within Thungela Resources we routinely process personal data about our personnel, suppliers,
customers, consumers, and other individuals with whom we work in our daily business activities.
It is important that we all understand the importance of handling this information properly in accordance
with privacy laws and regulations which are in place to protect the privacy rights of the individuals
whose data we collect and hold. These laws and regulations typically impose obligations on us to
ensure that we only process personal data lawfully and fairly, take extra precautions when we process
particularly sensitive information about people (for example information about health conditions), and
that we establish an effective governance framework to ensure we make informed decisions about
how we use personal data.
Key Privacy Principles
We have built these requirements into this Data Privacy Policy through the following key Privacy
Principles which we expect everyone to comply with when processing personal data within Thungela
Resources:
1. Appropriately
We must only process personal data where we have a lawful reason to do so. Whenever
we obtain personal data from or about an individual, we must make sure we have obtained it
lawfully, and that we are clear that we have a lawful basis for each of the processing activities
we want to use it for. We need to be mindful that certain types of personal information that are
particularly sensitive (such as information about health conditions, or racial or ethnic origin) can
only be lawfully processed in very limited cases, and therefore we need to take extra care when
handling such sensitive personal data.
We must process data in line with data subjects’ rights. Data subjects may have specific
legal rights relating to their personal data (e.g. to access their data, or to object to certain types
of processing activity). We must be aware of these rights and respond effectively if an
individual chooses to exercise them. (Refer to the Data Subject Rights Procedures for more
information.)
2. Transparently
We must tell the data subject what we will do with their personal data. We must make
sure we provide a privacy notice to individuals, ideally at the point at which their personal data
is first collected (e.g. in forms, on websites, and as part of CCTV camera signage), where we
explain who we are, and what we intend to do with their personal information.
We must only process personal data for the specific purpose(s) for which it was
collected. If we want to use the personal data for any purpose beyond the lawful purposes for
which we originally collected it, we will need to inform the individual, and be satisfied that the
additional purposes are also lawful.
3. Securely
We must keep personal data confidential and secure and protect it against accidental
and malicious loss, destruction, damage, and unauthorised disclosure. We all have a
duty to ensure we maintain effective security. For detailed information on our security
procedures and measures relating to all data including personal data, please refer to the
Information Security Policy.
We must not share personal data with other people or organisations, including transferring
personal data internationally, unless there is a lawful basis to do so and appropriate
measures are in place to protect the personal data. We must ensure that each
organisation we intend to share personal data with is able to adequately protect the personal
data transferred to it. In many cases, we will expect a data sharing agreement to be put in
place with appropriate data protection clauses to regulate the arrangements and supporting
due diligence to be carried out. If the recipient is based overseas, additional controls may be
required. Refer to the Procedure detailed in the Thungela Resources Supply Chain Policy and
consult with Head of Legal on appropriate contractual arrangements (including data transfer
agreements).
4. Responsibly
We must only collect the personal data which we need for the stated purpose(s).
We must not ask for more personal data than we need for the lawful purpose(s) for which it is
being collected (i.e. it must not be excessive). If we do not need the data to achieve our intended
business objective, we must not process that data.
We must ensure that all personal data we process is accurate and up to date. We should
update details once we become aware of changes to an individual's circumstances. We should
be wary of relying on information which may be incorrect because it is out of date (e.g. if we
have not had active engagement with the individual for a long period of time) and take steps
to update it.
We must only retain personal data for as long as it is required, considering the
purpose(s) for which it was collected. We should be proactive in deleting personal data
where we no longer need to process or retain it for a legitimate purpose. For guidance on how long
personal data must be kept before deletion, contact the Data Protection Team via
trservicedesk@thungela.com.
4 WHAT DO I NEED TO DO?
All employees and contractors must take the time to familiarise themselves with this Policy, to read,
understand, and adhere to the Privacy principles set out above and the various Procedures mentioned
in this Policy and any updates made to it.
This Policy forms part of all employees’ and contractors’ contracts of employment/engagement and it
may be amended at any time.
4.1 Working with personal data
You must consider data privacy risk, and act in compliance with applicable Procedures, when
processing personal data. If you intend to undertake any of the following activities, consult with the
Data Protection Team who may trigger a data privacy review to ensure that data privacy risk is
assessed and that any data privacy requirements are embedded into your processing activity “by
design and default”.
Starting a new personal data processing activity (e.g. launch of a new project or program
involving the processing of personal data).
Changing a process or system that currently processes personal data.
Acquiring or decommissioning systems or applications that process personal data.
Transferring personal data to entities in other countries outside the existing Procedures or
systems.
Sharing personal data with any third party - this may include providing a third party with access
to personal data, appointing a contractor to provide an outsourced service to us, or responding
to a request for information from law enforcement agencies.
Engaging in a business activity that involves receiving personal data from a third party.
4.2 Data breach incidents
You must notify the Data Protection Team immediately if you think that personal data may have been
lost, disclosed, damaged, or accessed without permission - see the Monitoring and Reporting section
for further details. Notification is via trservicedesk@thungela.com.
4.3 Training and communication
You must attend training provided in relation to the matters set out in this Policy, its associated
Procedures and supporting tools. This may be made available to relevant persons through
communications, management engagement, briefings, and training.
All new employees and contractors must be made aware of this Policy and its requirements in their
induction.
Online and face-to-face training are provided to those individuals (e.g. employees, contractors and in
some cases third parties) whose roles routinely involve the processing of personal data, or whose roles
involve ensuring Thungela Resources complies with its legal and regulatory data protection
obligations. These ‘relevant’ individuals are defined by the Data Protection Team in conjunction with
Heads of Department.
5 MONITORING AND REPORTING:
5.1 Monitoring and assurance
Adherence to this Policy and implementation and evolution of its associated program is subject to regular
monitoring and assurance to enable the determination of any development or adaptation of Policy,
controls and training that may be required.
1st Line: Functions and Operations are responsible for ensuring compliance with this Policy.
2nd Line: IM are responsible for providing complementary expertise, support, monitoring, and
challenge relating to compliance with this Policy.
3rd Line: Thungela Internal Risk and Assurance is responsible for providing independent
assurance on the adequacy and effectiveness of the Policy controls in meeting the Policy
objectives.
5.2 Reporting of data breaches
Any (deliberate or inadvertent) loss, damage or unauthorised access/disclosure of personal data must
be immediately reported to the Data Protection Team (or other reporting mechanism, such as HAIBO:
speakup@tip-offs.com), to enable Thungela Resources to meet any legal obligations to report on such
breaches to the relevant authorities and/or affected data subjects. Notification is via
trservicedesk@thungela.com.
5.3 Consequences of breach
Any breach of this Policy will be taken seriously and may result in disciplinary action up to and including
dismissal.
At Thungela Resources we do not tolerate any form of retaliation against employees raising concerns
in good faith. Allegations of retaliation against or harassment or intimidation of an employee by others
because of a call to HAIBO will be investigated and appropriate action taken, including disciplinary action
up to and including dismissal of the employee(s) responsible for reprisals.
6 FURTHER INFORMATION:
Internal references
Supply Chain Policies and Standards
Whistleblowing Policy
Personal Data Retention Guidelines
Overview of Thungela Resources IM Policies, Standards and Guidelines:

Document Name | Number
TR IM Guideline for Electronic Devices for Directors | TR.FIN.CG.627
TR IM Guideline for Electronic Devices for Exco Members | TR.FIN.CG.628
TR IM Portfolio and Project Management Standard | TR.FIN.CS.685
TR IM Supply Chain Sourcing Governance Standard | TR.FIN.CS.686
TR IM Acceptable Use of Information Technology Policy | TR.IM.POL.002
TR IM Quick Guide - Acceptable IT Use | TR.IM.POL.002.GL.1
TR IM Software Asset Management Standard | TR.IM.POL.002.STD.1
TR IM Hardware Asset Standard | TR.IM.POL.002.STD.2
TR IM Physical & Environmental Protection Standard | TR.IM.POL.002.STD.3
TR IM Anti-Virus and Malware Standard | TR.IM.POL.002.STD.4
TR IM Network and Wireless Security Standard | TR.IM.POL.002.STD.5
TR IM Disaster Recovery Standard | TR.IM.POL.002.STD.6
TR IM Vulnerability and Patch Management Standard | TR.IM.POL.002.STD.7
TR IM Change and Release Management Standard | TR.IM.POL.002.STD.8
TR IM Security Remote Working Standard | TR.IM.POL.002.STD.9
TR IM Data Privacy Policy | TR.IM.POL.007
TR IM Documents and Records Management Guidelines | TR.IM.POL.007.GL.1
TR IM Personal Data Retention Guidelines | TR.IM.POL.007.GL.2
TR IM Quick Guide - Data Privacy | TR.IM.POL.007.GL.3
TR IM Standard Guide - Data Privacy | TR.IM.POL.007.GL.4
TR IM Personal Data Breach Response Procedure | TR.IM.POL.007.PRO.1
TR IM Data Retention Procedure | TR.IM.POL.007.PRO.2
TR IM Data Subjects Rights Requests Procedure | TR.IM.POL.007.PRO.3
TR IM Privacy Review Procedure | TR.IM.POL.007.PRO.4
TR IM Information Security Policy | TR.IM.POL.017
TR IM Quick Guide - Information Security | TR.IM.POL.017.GL.1
TR IM Security USB Security Standard | TR.IM.POL.017.STD.1
TR IM Security Incident Management Standard | TR.IM.POL.017.STD.2
TR IM Security Access Control Standard | TR.IM.POL.017.STD.3
External references
Protection of Personal Information Act 4 of 2013
UK-General Data Protection Regulation (UK-GDPR)
Privacy Act 1988 (Cth) - Australia
If you need any further information, contact trservicedesk@thungela.com.
Glossary / list of abbreviations/definitions

Data: Data or information which is stored electronically, on a computer, or in certain
paper-based filing systems.

“Thungela Resources”, “we”, “us” and “our”: In this Policy, and any related procedures or
standards, references to “Thungela Resources”, “we”, “us” and “our” refer to either
Thungela Resources and its subsidiaries and/or those who work for them generally, where it is
not necessary to refer to a particular entity, entities or persons. The use of those generic
terms is for convenience only, and is in no way indicative of how Thungela Resources or any
entity within it is structured, managed or controlled. Thungela Resources subsidiaries, and
their management, are responsible for their own day-to-day operations, including but not
limited to securing and maintaining all relevant licences and permits, operational adaptation
and implementation of policies, management, training and any applicable local grievance
mechanisms. Thungela Resources produces group-wide policies and procedures to ensure best
uniform practices and standardisation across Thungela Resources but is not responsible for
the day-to-day implementation of such policies. Such policies and procedures constitute
prescribed minimum standards only. Group operating subsidiaries are responsible for adapting
those policies and procedures to reflect local conditions where appropriate, and for
implementation, oversight and monitoring within their specific businesses.

Data Subjects: For the purpose of this Policy, this classification includes all living
individuals about whom we hold personal data. The nationality of the data subject does not
matter. All data subjects have legal rights in relation to their personal data.

Personal Data: Data or information relating to an identifiable natural person. An identifiable
natural person is one who can be identified directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data or an online
identifier, or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person. Some jurisdictions define personal
data more broadly to include data relating to identifiable, existing legal entities.

Processing: Any activity that involves use of personal data. It includes obtaining, collecting,
recording, or holding the data, or carrying out any operation or set of operations on the data,
including organising, amending, retrieving, using, disclosing, erasing, or destroying it.
Processing also includes transferring personal data to third parties.
7 RECORD OF REVISION
Frequency of Policy review
This policy will be reviewed July 2025 and on every second year thereafter.
Revision history for this document

Version | Date of Change | Main changes made
V1 | 27 Oct 2021 | Refined policy to meet Thungela Resources requirements
V2 | 01 Sep 2022 | No changes; first revision expired
V3 | 01 Jul 2023 | Anglo email address changed to trservicedesk@thungela.com. TSA paragraph removed. Updated standards table. Added UK-GDPR and Privacy Act 1988 (Cth) Australia references in addition to POPIA. Group Legal changed to Head of Legal.
V4 | 21 Jul 2023 | Changed Tip-offs email to HAIBO. Updated ‘Further Information’ table and minor formatting.