Sanlam Investment Group’s Privacy Statement

1. INTRODUCTION
1.1. The Sanlam Investment Group (“SIG”) is a cluster of companies that forms part of the Sanlam Group. We respect your privacy and are committed to keeping your personal information secure and confidential.

1.2. This privacy statement explains how we process the personal information we collect from you and also informs you of your rights in terms of the Protection of Personal Information Act, Act No. 4 of 2013 (“POPIA”). You have the right to be notified that your personal information is being collected, which is why this privacy statement has been brought to your attention and is important to you.

1.3. Important: If you use our services and products, you agree that we may process your personal information as explained under this Privacy Statement. In the relevant agreement or terms and conditions pertaining to those services and products, you may provide us with your consent to process your personal information and agree that we may process it for the purposes as described in such agreement or terms and conditions (in addition to the purposes described in this privacy statement).

2. RESPONSIBLE PARTY

2.1. The legal entity in SIG that collected personal information from you or that determined the purpose for the processing of your personal information (alone or in conjunction with others) will be the responsible party for your personal information. We are responsible that your personal information is processed in compliance with the conditions for lawful processing set out in POPIA.

2.2. This privacy statement applies to all companies within SIG that are domiciled in South Africa. These companies and their addresses are as follows:

Amplify Investment Proprietary Limited55 Willie van Schoor Avenue,
Bellville, 7530
Denker Capital Proprietary Limited6th Floor, The Edge, 3 Howick
Close, Tyger Falls, Bellville
Graviton Financial Partners Proprietary Limited55 Willie van Schoor Avenue,
Bellville, 7530
Graviton Wealth Management Proprietary LimitedLords Office Estate, 276 West
Avenue, Centurion, 0157
Sanlam Collective Investments (RF) Propriety Limited2 Strand Road, Bellville, 7530
Sanlam Investment Management Proprietary
Limited (including all its business divisions)
55 Willie van Schoor Avenue,
Bellville, 7530
Sanlam Life Insurance Limited (onlyy those business
divisions in the SIG Cluster)
55 Willie van Schoor Avenue,
Bellville, 7530
Sanlam Multi-Manager International Proprietary
Limited
55 Willie van Schoor Avenue,
Bellville, 7530
Sanlam Private Wealth Proprietary LimitedThe Vineyards Office Estate,
Market Manor Farm 1, 99 Jip de
Jager Drive, Welgemoed, 7530
Sanlam Specialised Finance (‘Sanfin’) (which includes
all of the business divisions of Sanlam Life Insurance
Limited and legal entities including their subsidiaries
within Sanfin, including Sanlam Capital Markets
Proprietary Limited, Nelesco 569 Proprietary Limited
Sanpref Proprietary Limited and Sanlam Prefco
Proprietary Limited
5th Floor, Building 2, 11 Alice
Lane, Sandton
Satrix Investments Proprietary LimitedBuilding 2, 4th Floor, 11 Alice
Lane, Sandton, 2146
Satrix Managers (RF) Proprietary LimitedBuilding 2, 4th Floor, 11 Alice
Lane, Sandton, 2146

2.3. If you have any questions or wish to complain about the processing of your personal information, or if you wish to exercise any of your rights as a data subject, you can contact the SIG Information Officer at siginformationoffice@sanlaminvestments.com.

3. WHAT PERSONAL INFORMATION DO WE COLLECT?

3.1. Personal information is defined in POPIA and means information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person. We “process” your personal information if we collect, use, store, make available, destroy, update, disclose, receive or otherwise deal with your personal information.

3.2. Depending on the type of business we conduct with you or the relationship you have with us, we may process the following types of personal information:

  • name
  • race (for employment purposes or as otherwise required by applicable law)
  • gender
  • marital status
  • nationality
  • age
  • language preference
  • date of birth
  • information relating to education, financial, criminal or employment history of a person
  • identifying numbers such as identity or passport number, tax identification numbers or tax
  • reference numbers
  • e-mail address
  • physical address
  • telephone number

3.3. We do not process special personal information in the ordinary course of business although special personal information such as alleged criminal history may be processed during enhanced due diligence screening for anti-money-laundering purposes and sanction screening. We will process other special personal information only if we obtain your consent or have another valid justification to do so.

3.4. Businesses that need to process the personal information of children will do so if the law permits this. In the normal course of our business, a competent person such as a parent or guardian will consent to the processing of the personal information of the child.

4. FOR WHAT PURPOSE DO WE COLLECT PERSONAL INFORMATION?

4.1. In order for us to provide clients with the financial products and services they have requested and to notify them of important changes to such products and services, we need to collect, use and disclose the personal information of clients, their representatives, controlling persons of entities, business contacts, staff of clients and service providers. We collect and use personal information in order to conclude a contract with clients and to carry out the obligations in terms of that contract (including managing the account and complying with instructions and requests). We also process contact information so that we can report to clients and keep clients informed of the status of any instruction.

4.2. We have regulatory obligations, including compliance with anti-money laundering legislation, to process your personal information. This includes verifying your identity or the identity of your beneficial owner and/or controlling persons. We are also required by various laws (among others the Collective Investments Schemes Control Act, 2002, the Financial Advisory and Intermediary Services Act, 2002, and the Financial Intelligence Centre Act, 2001 including any legislation
SIG Privacy Statement Version 2 / July 2021 2

which may amend or substitute such laws from time to time) to maintain a record of our dealings with clients.

4.3. We may use your personal information to pursue our legitimate interests such as to compile reports, to comply with requests for information from any internal or external auditor, or any regulatory or supervisory body, or to correspond with you. If we require funding from an investor, bank or other financing institution or if a third party is investing in or considers investing in us or any of our affiliated entities then we may, in our legitimate interest, provide information to such investor, bank or other financing institution.

4.4. You may refuse to provide us with your personal information in which case it is likely that we will not be able to provide you with a relevant service or would have to terminate our business relationship. The supply of certain items of personal information, especially those collected to comply with regulation, is legally mandatory.

4.5. We may further process your information if it is compatible with the purpose for which it was collected, for instance to:
4.5.1. Evaluate your application for products and services;
4.5.2. Evaluate your current and future needs and to suggest further products or services to
you;
4.5.3. Evaluate and improve the effectiveness of our business and products, services and
offerings;
4.5.4. Conduct market research and provide you with information about our products and
services from time to time via email, telephone or other means (for example invite you
to events);
4.5.5. Process your marketing preferences (where you have unsubscribed from certain direct
marketing communications, keeping a record of your information and request to ensure
that we do not send such direct marketing to you again);
4.5.6. For operational and further investment purposes;
4.5.7. Verify your identity for security purposes;
4.5.8. Meet legal and regulatory requirements or industry codes to which we may be subject,
for example comply with a lawful request for information received from a local or foreign
law enforcement agency, court, government or tax collection agency;
4.5.9. Use in connection with legal proceedings;
4.5.10. Conduct our internal audit (including security) functions which allow us to monitor our
systems and processes. This protects us and you from fraud, identity theft and
unauthorised access;
4.5.11. Conduct statistical and any operational, marketing, auditing, legal and record-keeping
requirements;
4.5.12. Detect and prevent any fraud and money laundering and/or in the interest of security
and crime prevention (which includes ongoing due diligence and sanction screening
against any sanction list we may determine in our sole discretion);
4.5.13. Assess and resolve any complaint;
4.5.14. Perform any risk analysis or for purposes of risk management to you or our business in
general;
4.5.15. Record and/or monitor and have access to your telephone calls (i.e. voice recordings),
correspondence and electronic communications to/with us (or any of our employees, agents or contractors) in order to accurately carry out your instructions and requests, to use as evidence and in the interests of crime prevention;
4.5.16. Trace your contact information through a tracing agent if you are uncontactable and/or to comply with any regulation or conduct standard relating to unclaimed assets; and
4.5.17. Prevent or control the spread of any disease.

5. HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
5.1. Directly from the data subject: We will not collect your personal information without your consent, except where it is required or permitted by law. We collect most of the personal information we process directly from the data subject or an authorised representative of the data
SIG Privacy Statement Version 2 / July 2021 3

subject, for example when an application form or client take-on form is completed or an investment mandate is concluded.

5.2. From third party sources: We also collect or process personal information we obtain from third party sources or sources in the public domain. This may include, but is not limited to:
5.2.1.affiliates in the Sanlam Group;
5.2.2.client due diligence tools, and through identity verification and bank verification
processes;
5.2.3.sanction screening tools (which may include any sanction list we may determine in our
sole discretion);
5.2.4.collection of personal information by requesting information on source of funds or source
of wealth,
5.2.5.credit and fraud checks;
5.2.6.consumer credit information as defined in the National Credit Act, Act No. 34 of 2005 from
registered credit bureaux; 5.2.7.tracing agents;
5.2.8.personal information as required for the purposes of forensic investigations of whatsoever nature.
5.3. During the course of our business relationship with a data subject and in the course of performing a financial service to that data subject, we may obtain financial information from product providers where we invested on behalf of that data subject, such as the value of the investment with such product provider.

6. WHO RECEIVES YOUR PERSONAL INFORMATION?

6.1. The services we provide are of such a nature that it is often necessary that personal information needs to be shared with or transferred to third parties in order to perform our services to clients. This may be implicit in the service or because you requested us to transfer the personal information to the third party. (For example, if we need to open a bank account for a client, the bank will require personal information of that client). We also need to transfer personal information to third parties from time to time for legal or regulatory reasons. We may disclose your personal information to third parties for reasons set out in this privacy statement or where it is not unlawful to do so.

6.2. We may, depending on the type of service, transfer personal information to: an auditor, a local or foreign regulator (including but not limited to the Financial Sector Conduct Authority, Reserve Bank, South African Revenue Services, the Financial Intelligence Centre), a tax administrator, a legal advisor, a financial intermediary appointed by the data subject (either directly or indirectly through an information exchange platform), a forensic investigation service (internal or external), a service provider providing administrative support services or accounting services to you or us. We may provide your limited personal information to our fund managers, distribution and co- brand partners, or third parties that manage the funds you invest in, for purposes of fee calculations and distribution-related activities. We will ensure that such third parties are restricted by obligations of confidentiality to only use the information for the required purpose and that they will apply strict security measures to the personal information we share with them.

6.3. We will also share personal information for the purpose of client due diligence undertaken in compliance with anti-money laundering legislation with brokers, banks, custodians and other financial service providers. We may share personal information within the Sanlam Group for purposes of enhanced due diligence processes in compliance with anti-money laundering legislation to establish whether a client exists and has been verified by other Sanlam business units.

6.4. We may share the personal information of clients with affiliates of the Sanlam Group for purposes of cross-selling and gathering management information (business intelligence).
SIG Privacy Statement Version 2 / July 2021 4

7. THIRD PARTY COUNTRY TRANSFER

7.1. This privacy statement only applies to those companies within SIG that are incorporated in South Africa and operate in South Africa. Your information will therefore primarily be processed in South Africa.

7.2. We may enter personal information into our systems and the systems of our service providers and operators that may use technology or services outside South Africa. Your personal information may also for cloud storage purposes or through the use of any of our websites, be transferred or processed outside of the Republic of South Africa.

7.3. We may also, in the course of providing a service to you, engage with financial service providers, custodians, banks or regulators outside South Africa and then transfer your personal information to them for purposes of providing you with a financial service or to comply with applicable law.

7.4. Recipients of your information may be situated in countries which do not have data protection laws similar to South Africa. We will, however, use all reasonable endeavours to ensure that the contracts entered into with such third parties contain the necessary appropriate safeguards if personal information is processed outside South Africa or rely on other legally permitted safeguards.

8. MARKETING

8.1. We may contact you from time to time to inform you of similar services or products to the ones you are contracted for and that we think you may be interested in. We may also provide you with newsletters and market insights as part of our value-added client experience.

8.2. We share personal information with affiliates in the Sanlam Group (subject to applicable law and your indicated marketing preferences) so that they may offer you their products and services.

8.3. You may object to us processing your information for marketing purposes. You can unsubscribe from direct marketing by following the steps set out in the direct marketing you received or contacting the relevant contact centre or client relationship manager, as the case may be for the particular product or service.

9. YOUR RIGHTS AS A DATA SUBJECT

9.1. You have the right to have your personal information processed in accordance with the conditions for the lawful processing of personal information as set out in POPIA. You also have the rights as set out below which we need to make you aware of.
Right of Access

9.2. In terms of section 23 of POPIA, you are entitled to request us to:
9.2.1. confirm, free of charge, whether or not we hold personal information about you.
9.2.2. provide a record or a description of the personal information we hold, including information about the identity of all the third parties, or categories of third parties who have, or have had, access to the personal information.
9.3. You will need to provide us with adequate proof of identity before we respond to a request. If you request a record, we will respond within a reasonable time. We may charge the fee under applicable law for providing copies of records to you.
Right to request correction or deletion
9.4. You may request us, in terms of section 24 of POPIA, to correct or delete personal information in our possession or under our control that is inaccurate, irrelevant, excessive, out of date,
SIG Privacy Statement Version 2 / July 2021 5

incomplete, misleading or obtained unlawfully. You may also request us to destroy or delete a record of personal information about you that we are no longer authorised to retain.
9.5. We will as soon as reasonably practicable correct, destroy or delete, as the case may be – unless we are required or entitled under applicable laws to keep the information and inform you that we have done so.

9.6. If we do not believe that the information requires correction, we will provide you with credible evidence in support of the information. If we cannot reach agreement with you, you may request us to attach to the information we hold the request for correction so that it can be read together.

Right to object to processing

9.7. Where we process your information to protect your legitimate interest or to pursue the legitimate interest of a third party to whom the information is supplied or our own legitimate interest, you may object at any time to the processing of your personal information for these purposes, on reasonable grounds relating to your situation, unless applicable law provides for such processing.

9.8. You may also object at any time to the processing of your personal information for purposes of direct marketing or the receipt of direct marketing through unsolicited electronic communication.

Remedies for data subject

9.9. You have the right to complain to the Information Regulator as set out in paragraph 13 below.

10. HOW LONG DO WE RETAIN YOUR PERSONAL INFORMATION?

10.1. We generally only keep your personal information on our records for as long as we need it to provide you with services and to meet legal requirements related to record-keeping.
10.2. We will keep your personal information for as long as:
10.2.1. the law requires us to keep it;
10.2.2. a contract we have with you requires us to keep it;
10.2.3. you have consented to us keeping it;
10.2.4. we reasonably require it to achieve purposes set out in our contract with you or this
policy;
10.2.5. we require it for our lawful business purposes.
10.3. We may also keep your personal information for historical, statistical or research purposes if appropriate safeguards are in place. We may keep your personal information for longer if there is litigation or an investigation, or any tax or regulatory query.
10.4. If we have to keep information for longer periods than set out above (for example if it cannot be safely destructed), we will only process it for purposes of storage or for purposes of proof. We will also restrict access and processing of such information.

11. SECURITY BREACHES

In the event of a security compromise where your personal information has been accessed or acquired by an unauthorised person, we will notify you directly as soon possible as provided for in POPIA.

12. AUTOMATED DECISION MAKING

12.1. An automated decision is when your personal information is analysed to form a profile of a person or category of persons to make a decision without human intervention. We do not make automated decisions.
SIG Privacy Statement Version 2 / July 2021 6

12.2. If we make any automated decisions about you in future, you will have the right to query any decisions made and we will provide reasons for the decisions as far as reasonably possible.

13. THE INFORMATION REGULATOR

13.1. You may complain to the Information Regulator. Any person may submit a complaint to the Information Regulatory in the prescribed manner and form alleging interference with the protection of the personal information of a data subject. A data subject may also submit a complaint in respect of a determination of an adjudicator.
13.2. The address of the Information Regulator is as follows:
The Information Regulator (South Africa) 33 Hoofd Street
Forum III, 3rd Floor Braampark
PO Box 31533
Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za General enquiries email: inforeg@justice.gov.za

14. UPDATES TO THIS PRIVACY STATEMENT

This privacy statement is dated as of 1 July 2021. We may update the privacy statement from time to time. The current privacy statement will be available on our website or available upon request from our office. Please check our website on a regular basis.