Protection of personal information statement


Issued: July 2021
 

1. Definitions

In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings –

1.1 “Child” means any natural person under the age of 18 (eighteen) years;

1.2 “Data Breach” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of Komatsu;

1.3 “Data Subject” means the Komatsu employees, clients or suppliers or any other persons in respect of whom Komatsu Processes Personal Information, who may be either natural or juristic persons or any other person(s);

1.4 “Direct Marketing” means to approach a person, either in person or by mail or electronic communication, for the direct or indirect purpose of (a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or (b) requesting the data subject to make a donation of any kind for any reason;

1.5 “Employees” means any employee of Komatsu;

1.6 “Operator” means a person or entity who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;

1.7 “Personal Information” means information relating to any Data Subject, including but not limited to (i) views or opinions of another individual about the Data Subject; and (ii) information relating to such Data Subject’s –

1.7.1 race, sex, gender, sexual orientation, pregnancy, marital status, nationality, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, conscience, belief, cultural affiliation, language and birth;

1.7.2 education, medical, financial, criminal or employment history;

1.7.3 names, identity number and/or any other personal identifier, including any number(s), which may uniquely identify a Data Subject, account or client number, password, pin code, numeric, alpha, or alpha-numeric design or configuration of any nature, symbol, email address, domain name or IP address, physical address, cellular phone number, telephone number or other assignment;

1.7.4 blood type, fingerprint or any other biometric information;

1.7.5 personal opinions, views or preferences;

1.7.6 correspondence that is implicitly or expressly of a personal, private or confidential nature (or further correspondence that would reveal the contents of the original correspondence); and

1.7.7 information relating to corporate structure, composition and business operations (in circumstances where the Data Subject is a juristic person);

1.8 “Komatsu” means the Komatsu Africa Holdings (Pty) Ltd and its subsidiary Komatsu South Africa (Pty) Ltd;

1.9 “Policy” means this Data Protection Policy;

1.10 “POPIA” means the Protection of Personal Information Act, No 4 of 2013;

1.11 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including –

1.11.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
1.11.2 dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or
1.11.3 merging, linking, blocking, degradation, erasure or destruction. For the purposes of this definition, “Process” has a corresponding meaning;

1.12 “Record” means any recorded information –

1.12.1 regardless of form or medium, including any of the following:

1.12.1.1 writing on any material;
1.12.1.2 information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded, or stored;
1.12.1.3 label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
1.12.1.4 book, map, plan, graph or drawing;
1.12.1.5 photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

1.12.2 in the possession or under the control of Komatsu;
1.12.3 whether or not it was created by Komatsu; and
1.12.4 regardless of when it came into existence;

1.13 “Regulator” means the Information Regulator established in terms of POPIA;

1.14 “Responsible Party” means a public or private body or any other person which alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;

1.15 “Special Personal Information” means Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour; and

1.16 “Third Party” means any independent contractor, agent, consultant, sub-contractor or other representative of Komatsu.

 

2. Introduction

2.1 This Policy regulates the use and protection of Personal Information that Komatsu Processes.

2.2 Komatsu acknowledges the need to ensure that Personal Information is handled with care and is committed to ensuring that it complies with the requirements of POPIA for the Processing of Personal Information.

 

3. Purpose of this policy

3.1 POPIA imposes obligations on both public and private bodies for the Processing of Personal Information.

3.2 The purpose of this Policy is to inform Data Subjects about how Komatsu Processes their Personal Information by, inter alia, collecting or collating, receiving, recording, storing, updating, distributing, erasing or destroying, disclosing and/or generally using the Data Subject’s Personal Information.

3.3 This Policy explains how Komatsu Processes the Personal Information of Data Subjects, the choices Data Subjects have regarding its use and disclosure, and how Data Subjects may correct the Personal Information which Komatsu has on record for the relevant Data Subjects.

 

4. Application of POPIA

4.1 Komatsu, in its capacity as Responsible Party [and/or Operator], shall strive to observe, and comply with, its obligations under POPIA as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of any Data Subject.

4.2 This Policy applies to Personal Information collected by Komatsu in connection with the services which it offers and provides. This includes information collected offline through our websites, branded pages on Third Party platforms and applications accessed or used through such websites or Third-Party platforms which are operated by or on behalf of Komatsu. This Privacy Policy does not apply to the information practices of Third-Party companies (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that Komatsu does not manage or employ. These Third-Party sites may have their own privacy policies and terms and conditions and we encourage you to read them before using those Third Party sites.

 

5. What information and activities does POPIA apply to?

5.1 POPIA applies to the Processing of Personal Information of natural (i.e. living) and juristic (i.e. legal) persons (referred to as Data Subjects) by all Responsible Parties domiciled in the Republic of South Africa and those that are not domiciled in the Republic of South Africa but make use of means within the Republic of South Africa to process Personal Information.

5.2 POPIA applies to any Personal Information entered into a record by automated or non-automated means, provided that where the recorded Personal Information is Processed by non-automated means, it forms part of a filing system.

5.3 POPIA also provides that if there are any other pieces of legislation which contain more extensive protections for the Processing of Personal Information, that piece of legislation will apply.


6. What is personal information?

6.1 Personal Information, for the purposes of this Policy, is any form of information that identifies a Data Subject. This information may include but is not limited to a Data Subject’s name, race, gender, pregnancy, marital status, mailing address, phone number, email address, education, employment history, and their financial history (such as their credit history).
 

7. Special personal information and personal information of children

7.1 Special Personal Information is sensitive Personal Information of a Data Subject and Komatsu acknowledges that it is not allowed to Process Special Personal Information other than in the specific circumstances prescribed under POPIA and/or generally if such –

7.1.1 Processing is carried out in accordance with the Data Subject’s express consent;
7.1.2 Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
7.1.3 Processing is necessary to comply with an obligation of international public law;
7.1.4 Processing is for historical, statistical or research purposes, subject to stipulated safeguards;
7.1.5 information has deliberately been made public by the Data Subject; or
7.1.6 specific authorisation has been obtained in terms of POPIA.

7.2 Komatsu acknowledges that it may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.

 

8. Personal information of Komatsu employees

8.1 Komatsu Processes the Personal Information of its Employees for employment-related purposes in accordance with the requirements of POPIA and in terms of Komatsu internal policies and procedures.

 

9. Collecting personal information

9.1 Komatsu will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on lawful grounds in a manner that does not adversely affect the Data Subject in question.

9.2 Komatsu collects Personal Information directly from Data Subjects, unless an exception is applicable (such as, for example, where the Data Subject has made the Personal Information public, has authorised a Third Party to provide Komatsu with their Personal Information or the Personal Information is contained in or derived from a public record).

9.3 Komatsu will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

9.4 Where Komatsu obtains Personal Information from Third Parties, Komatsu will ensure that it does so in compliance with POPIA.

9.5 Examples of such Third Parties may include –
9.5.1 recruitment agencies;
9.5.2 credit reference agencies; or
9.5.3 other companies providing services to Komatsu.

 

10. When and how does Komatsu obtain consent?

10.1 In certain cases, Komatsu obtains the consent of Data Subjects in order to Process the Personal Information of such Data Subjects. Data Subjects may provide their consent to Komatsu either electronically or in writing.

10.2 Komatsu may also rely on other lawful grounds for its Processing of Personal Information including to carry out actions in relation to the conclusion or performance of a contract to which the Data Subject is a party or to carry out an obligation imposed on Komatsu in terms of applicable law (as further detailed in section 12 below).

10.3 Komatsu will inform Data Subjects of the manner and reason for which their Personal Information will be Processed before Komatsu obtains their consent.

10.4 Where Komatsu is relying on a Data Subject’s consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to Komatsu’s Processing of the Personal Information as set out in paragraph 21.2.4 below. This will not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or any Processing justified by any other legal ground provided under POPIA.

10.5 If the consent is withdrawn or if there is a justified objection to the use or the Processing of such Personal Information, Komatsu will ensure that the Personal Information is no longer Processed.


11. Lawful processing of personal information

11.1 Komatsu will generally only Process a Data Subject’s Personal Information where –

11.1.1 consent of the Data Subject (or a competent person where the Data Subject is a Child) is obtained;
11.1.2 Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;
11.1.3 Processing is necessary for the fulfilment of an employment contract to which the Data Subject is a party;
11.1.4 Processing complies with an obligation imposed by law on Komatsu;
11.1.5 Processing protects a legitimate interest of the Data Subject; and/or
11.1.6 Processing is necessary for pursuing the legitimate interests of Komatsu or of a Third Party to whom the Personal Information is supplied.
 

12. Purposes for the processing of personal information

12.1 Komatsu will only Process a Data Subject’s Personal Information for a specific, lawful and clear purpose (or for specific, lawful and clear purposes) and will ensure that it makes the Data Subject aware of such reasons and purpose(s) as far as possible.

12.2 Komatsu may use Personal Information for, without limitation, the following purposes as set out in the table below –

12.2.1 Personal Information is Processed as part of the “Know Your Customer” / “KYC” process as per the requirements of the Financial Intelligence Centre Act, No. 38 of 2001;
12.2.2 Operating and managing Komatsu’s business operations;
12.2.3 Onboarding and vetting customers;
12.2.4 Undertaking marketing activities;
12.2.5 Personal Information is Processed in order to conduct due diligence processes on, inter-alia, potential service providers, customers or other third parties;
12.2.6 Personal Information is Processed in order to comply with obligations imposed on Komatsu under the Broad-Based Black Economic Empowerment Act, No. 53 of 2003 (“BEE Act”) read together with the Department of Trade and Industry’s Codes of Good Practice on Broad-Based Black Economic Empowerment published in terms of Government Gazette No. 36928 on 11 October 2013 under section 9(1) of the BEE Act, as amended or reissued from time to time;
12.2.7 Personal Information of suppliers or potential suppliers is Processed by Komatsu for procurement and supply purposes;
12.2.8 Personal Information is Processed in connection with the execution of payment processing functions;
12.2.9 Personal Information is Processed in connection with internal audit purposes (i.e. ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);
12.2.10 Personal Information is Processed for employment-related purposes such as recruiting staff, administering payroll, assessing credit and criminal history, and determining Employment Equity Act, No. 55 of 1998 statistics and to ensure that it is complying with its legal obligations under the applicable laws, including, but not limited to –
 - the Labour Relations Act, No. 66 of 1995;
 - the Basic Conditions of Employment Act, No. 75 of 1997;
 - the Skills Development Act, No. 97 of 1998;
 - the Unemployment Insurance Act, No. 63 of 2001;
 - the Occupational Health and Safety Act, No. 85 of 1993; and
 - the Compensation for Occupational Injuries and Diseases Act, No. 130 of 1993;
12.2.11 To respond to any correspondence that the Data Subject may send to Komatsu, including via email or by telephone;
12.2.12 For such other purposes to which the Data Subject may consent from time to time; and
12.2.13 For such other purposes authorised in terms of applicable law.
12.2.14 For providing customer support through the use of Komtrax.
 

13. Storing your personal information

13.1 Personal Information that we collect from you is stored in a secure environment and is not available to any person outside Komatsu (except as set out in this Privacy Policy).

13.2 Personal Information may also be stored by Third Parties, via cloud services or other technology, with whom Komatsu has contracted to support Komatsu’s business operations.

13.3 Komatsu’s Third-Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

13.4 Komatsu will ensure that such Third-Party service providers will Process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and POPIA.

13.5 These Third Parties do not use or have access to Personal Information other than for purposes specified by Komatsu, and Komatsu requires such parties to employ at least the same level of security that Komatsu uses to protect the Personal Information.

13.6 Personal Information may be Processed in the Republic of South Africa or another country where Third Party service providers maintain servers and facilities and Komatsu will take steps, including by way of contracts, to ensure that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under POPIA and applicable law.

 

14. How long will Komatsu utilise or retain personal information?

14.1 Komatsu may keep a record of a Data Subject’s Personal Information, correspondence or comments on file, in an electronic or hardcopy file format.

14.2 Komatsu will not keep your Personal Information longer than the period for which it is required based on the purpose for which Komatsu is Processing such Personal Information, unless Komatsu is required by law to do so, or you have consented to us keeping such information for a longer period.

14.3 Where Komatsu retains Personal Information for longer periods for statistical, historical or research purposes, Komatsu will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and the applicable laws.

14.4 Once the purpose for which the Personal Information was initially collected and processed no longer applies or becomes obsolete, Komatsu will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information.

14.5 In instances where we de-identify your Personal Information, Komatsu may use such de-identified information indefinitely without further notice to you.

14.6 When Komatsu is no longer authorised to retain a record containing Personal Information, it shall destroy, delete or de-identify such record. Any destruction or deletion of a record shall be done in a manner that prevents its reconstruction in an intelligible form.

 

15. Restricted processing

15.1 In terms of POPIA, Komatsu is required to place a restriction on the Processing of Personal Information where –

15.1.1 the accuracy of such information is contested by the Data Subject;
15.1.2 the Personal Information is no longer required to achieve the purpose for which it was collected or subsequently Processed (but has to be maintained for purposes of proof);
15.1.3 the Processing is unlawful and the Data Subject requests the restriction of use; or
15.1.4 the Data Subject requests to transmit the data into another automated Processing system.

 

16. Failure to provide personal information

16.1 Should Komatsu need to collect Personal Information by law or under the terms of a contract and a Data Subject fails to provide the Personal Information when requested, Komatsu may consequently be unable to perform the contract or abide by the obligation in law.

16.2 In such a case, Komatsu may have to decline to provide or receive the relevant services and will notify the Data Subject accordingly.

 

17. Using your personal information to make automated decisions about you

17.1 An automated decision is a decision which is made about you which (i) is based solely on the automated analysis of your personal information without any human intervention in the decision-making process; (ii) is based on personal information that provides a profile on you, for example credit-worthiness, work performance, reliability, health, location, conduct or personal preferences; and (iii) results in legal consequences for you or which affects you to a substantial degree.

17.2 Komatsu acknowledges that in terms of POPIA, automated decision making is prohibited unless specific exceptions apply, e.g. – where we have taken steps and/or put in place appropriate measures to protect your legitimate interests, including giving the Data Subject the opportunity to make representations about the decision about you and to provide sufficient information for the purposes of the automated decision to be taken.

17.3 Komatsu may use the Data Subject’s Personal Information to make automated decisions in relation to or in connection with the Data Subject’s contract with Komatsu, to the extent that such automated decision-making complies with POPIA and other applicable laws.

17.4 The Data Subject has the right to query any such decisions made, and Komatsu will provide reasons for the automated decisions as far as reasonably possible.

 

18. Safe-keeping of personal information

18.1 Komatsu shall preserve the security of Personal Information and prevent its alteration, loss and damage, or access by non-authorised third parties.

18.2 Komatsu will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of Personal Information.

18.3 Komatsu has implemented physical, organisational, contractual and technological security measures in line with industry standards to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification.

18.4 Furthermore, Komatsu maintains and regularly verifies that the security measures are effective and continually updates same in response to new risks.

 

19. Data breaches

19.1 A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

19.2 A Data Breach can happen for many reasons, which include:
19.2.1 loss or theft of data or equipment on which Personal Information is stored;
19.2.2 where someone outside of Komatsu obtains unauthorised access to Personal Information or Special Personal Information;
19.2.3 equipment failure;
19.2.4 human error;
19.2.5 deliberate attacks on systems, such as hacking, viruses or phishing scams; and/or
19.2.6 alteration of Personal Information without permission and loss of availability of Personal Information.

19.3 Komatsu will address any Data Breach in accordance with the terms of POPIA. In this regard, Komatsu ensures that adequate controls are in place so that –

19.3.1 Data Breaches are identified, investigated and timeously reported in accordance with the Komatsu procedures for same and that actions which are proportionate, consistent and transparent are taken;
19.3.2 internal assessments are carried out in order to ensure that the impact of any Data Breaches is addressed in order to minimise and mitigate any risk in relation to affected Personal Information under Komatsu’s control; and
19.3.3 all Data Breaches are recorded and regularly reported.

19.4 Komatsu will notify the Regulator and the affected Data Subject (unless the law requires that we delay notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject’s Personal Information.

19.5 Komatsu will provide such notification as soon as reasonably possible after it has become aware of any Data Breach in respect of such Data Subject’s Personal Information.

19.6 Where Komatsu acts as an ‘Operator’ for purposes of POPIA and should any Data Breach affect the data of Data Subjects whose information Komatsu Processes as an Operator, Komatsu shall (in terms of POPIA) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorised person.
 

20. Provision of personal information to third party service providers

20.1 Komatsu may, where required to do so, disclose certain Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy and POPIA.

20.2 Komatsu notes that such Third Parties may assist Komatsu with the purposes listed in paragraph 12.2 above – for example, Third Parties may be used, inter alia, to:
20.2.1 assist Komatsu with human resource and payroll related processes;
20.2.2 assist Komatsu with legal, technical and financial due diligence and audit processes;
20.2.3 provide outsourced services to Komatsu including in respect of its IT and data storage requirements;
20.2.4 assist Komatsu with regulatory compliance processes; and
20.2.5 notify the Data Subjects of any pertinent information concerning Komatsu.

20.3 Komatsu may also send Personal Information to a foreign jurisdiction outside of the Republic of South Africa, including for Processing and storage by Third Parties.

20.4 As a global organization with global IT systems, your personal information may be transferred to other Komatsu offices in Komatsu’s worldwide organization. Komatsu has internal policies and appropriate data transfer agreements in place to ensure an equivalent level of protection is in place across Komatsu’s worldwide organization.

20.5 When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, Komatsu will comply with the requirements under POPIA for the lawful transfer of such Personal Information to any foreign jurisdiction.

20.6 The Data Subject should also take note that the Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

 

21. Keeping personal information accurate

21.1 Komatsu is required to take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and up to date and accordingly, Komatsu will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible, including, where appropriate, that Komatsu may expressly request the Data Subject to verify and update his/her/its Personal Information.

21.2 Komatsu, however, expects that the Data Subject will notify Komatsu from time to time in writing of any updates required in respect of his/her/its Personal Information.

 

22. Access to personal information

22.1 POPIA read with the relevant provisions of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”) confers on natural persons and where applicable, juristic persons whose Personal Information is processed, certain rights. Komatsu’s PAIA Manual can be found at www.komatsu.co.za. These rights include –

22.2 a right of access: a Data Subject having provided adequate proof of identity has the right to: (i) request a Responsible Party to confirm whether any Personal Information is held about the Data Subject; and/or (ii) request from a Responsible Party a description of the Personal Information held by the Responsible Party including information about Third Parties who have or have had access to the Personal Information. A Data Subject may request:

22.2.1 Komatsu to confirm, free of charge, whether it holds any Personal Information about him/her/it; and
22.2.2 to obtain from Komatsu, at a prescribed fee (if any), the record or description of Personal Information concerning him/her/it and any information regarding the recipients or categories of recipients who have or had access to the Personal Information. Such record or description is to be provided:
22.2.3 a right to request correction or deletion: a Data Subject may also request Komatsu to –
22.2.3.1 correct or delete Personal Information about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
22.2.3.2 destroy or delete a record of Personal Information about the Data Subject that Komatsu is no longer authorised to retain in terms of POPIA’s retention and restriction of records provisions.
22.2.3.3 On receipt of such a request, Komatsu is required to, as soon as is reasonably practicable –

22.2.3.4 correct the information;
22.2.3.5 delete or destroy the information;
22.2.3.6 provide the Data Subject with evidence in support of the information; or
22.2.3.7 where the Data Subject and Responsible Party cannot reach agreement on the request and if the Data Subject requests this, Komatsu will take reasonable steps to attach to the information an indication that correction has been requested but has not been made;

22.2.4 a right to withdraw consent and to object to processing: any Data Subject that has previously consented to the Processing of his/her/its Personal Information has the right to withdraw his/her/its consent and may do so upon providing Komatsu with notice to such effect at the address set out in paragraph 28. Furthermore, a Data Subject may object, on reasonable grounds, to the Processing of Personal Information relating to him/her/it.

22.3 Komatsu shall respond to these requests under certain conditions imposed by POPIA and PAIA. Komatsu will provide the Data Subject with any such Personal Information to the extent required by POPIA and any of Komatsu’s policies and procedures which apply in terms of PAIA.

22.4 The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information in Komatsu’s records at any time in accordance with the process set out in Komatsu’s PAIA Manual which can be found at www.komatsu.com/en-za.

22.5 If a Data Subject successfully demonstrates that their Personal Information in Komatsu’s records is inaccurate or incomplete, Komatsu will ensure that such Personal Information is amended or deleted as required (including by any Third Parties).


23. Time period to respond to requests

23.1 Komatsu will respond to each written request of a Data Subject not later than 30 days after receipt of such requests. Under certain circumstances, Komatsu may, however, extend the original period of 30 days once for a further period of not more than 30 days.

23.2 A Data Subject has the right to make a complaint to Komatsu in respect of this time limit by contacting Komatsu using the contact details provided in paragraph 26 below.

 

24. Costs to access to personal information

24.1 The prescribed fees to be paid for copies of the Data Subject’s Personal Information are listed in Komatsu’s PAIA Manual which can be found at www.komatsu.com/en-za.

 

25. Changes to this policy

25.1 Komatsu reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify Data Subjects of such amendments.

25.2 The current version of this Policy will govern the respective rights and obligations between you and Komatsu.

 

26. Pertinent information

26.1 All comments, questions, concerns or complaints regarding your Personal Information or this Policy, should be forwarded to us as follows —

Physical address: 17 Brickfield Road, Sunnyrock, Germiston, 1401
Postal address: PO Box 196, Isando, 1600
Information officer:
Name: Ismail Laher
Position: Senior Manager: Internal Audit
T: 011 923 1000
E: ksazamb_compliance@global.komatsu

Deputy information officer:
Name: Ehsaan Moosa
Position: Financial Director
T: 011 923 1000
E: ksazamb_compliance@global.komatsu

26.2 If a Data Subject is unsatisfied with the way Komatsu addresses any complaint with regard to Komatsu’s Processing of Personal Information, the Data Subject can contact the office of the Regulator, the details of which are set out below –

Website: http://justice.gov.za/inforeg/
Tel: 012 406 4818
Fax: 086 500 3351
Email: inforeg@justice.gov.za