The protection of your personal data is important to Castigroup (Pty) Ltd; its subsidiaries and affiliates (collectively referred to as "Castigroup"). Please take note of the following information pertaining to the collection and processing of your personal data based on your interactions with us, doing business with us, our products, and services, or whilst contacting us via various channels, including making use of our online platforms.

Castigroup collects, uses, and allows access to your personal data in accordance with the laws pertaining to data privacy. In this privacy policy, personal data (“data”) refers to all information that can be used to determine who you are (including juristic persons in South Africa), for example your name, your e-mail address, IP address and Identity number.

A. Responsible body and Data Protection office

Castigroup (also referred to as “we, us, our” in this document), is the data controller and therefore responsible for collection and processing of your personal data. The physical address of the head office of Castigroup is Foyer 3, 1st Floor Colosseum Building, Century Way, Century City, Cape Town, 7441. If you have any questions regarding our data processing activities, your rights or any of the contents of this privacy notice please contact [email protected]

B. Our lawful reasons for processing your personal data

At Castigroup we respect your privacy and value the trust which you place in us. As a result, we will only process your data when we have a valid reason to do so. Our lawful reasons for processing your personal data will most commonly include:
1. Performance of contract, which includes processing of personal data required to enter into
a contract with you or the organisation for whom you work;
2. Compliance with a legal obligation on Castigroup;
3. Where it is necessary for our legitimate interests (or those of a third party) and your privacy right(s) do not override those interests;
4. We may also use your personal data in the following situations, which are likely to be rare:
4.1. where we need to protect your (or someone else’s) interests, or
4.2. where it is necessary for the public interest or for official purposes;
5. Under limited circumstances we may also process your personal information based on your consent; and Operational reasons that include Access Control, Investigations and Access Permit/Card process (screening) when visiting one of the Castigroup sites or premises. Regarding specific processing activities, we may provide supplementary privacy notices to facilitate transparency, where the lawful basis, purpose or processing activities may need further elaboration.

We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason, that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you (by means of direct communication to you, revised privacy notice or other appropriate means) and we will explain the legal basis which allows us to do so.

We respect your information in compliance with the Protection of Personal Information Act. By providing your details you hereby agree that personal information provided to Castigroup may be processed and, shared with the professionals associated with the process, may be stored electronically or physically and that your personal information may be used for purposes of future services and/or to remain on the mailing list for articles/newsflashes to be sent and you agree to receive any marketing material telephonically, per email or WhatsApp or otherwise.

C. The personal data we hold

Based on the lawful reasons above, we may collect, store, and use the following categories of personal data about you:
1. basic information, such as your name, your employer, your title or position and your relationship to a person;

2. contact information, such as your physical address, email address and phone

3. financial information, such as bank account details;

4. technical information (including your IP address), such as information from your visits to our website or any applications or in relation to materials and communications we send to you electronically;

5. information you provide to us for the purposes of attending meetings and events, including access and dietary requirements;
6. identification and background information provided by you or collected by us as part of our business acceptance processes;

7. personal data provided to us by or on behalf of our clients or generated by us in the course or providing services which may include special categories of data;

8. details of your visits to any of our offices;

9. publicly available information in order to facilitate our business dealings with you or your employer; and

10. any other information relating to you that you may provide to us.

D. How we use particularly sensitive personal data

“Special categories” of particularly sensitive personal data are afforded higher levels of protection. Reference to Special categories of data includes race or ethnic origin, trade
union membership, political persuasion, health or medical information and criminal behaviour.
We will only collect, store and/or use your personal data which falls within this category if we have a valid justification for processing. As required by applicable law(s), we have appropriate policies and safeguards in place, when processing these categories of information.
We may process special categories of personal data under the following justifications:

1. in limited circumstances, with your explicit written consent;
2. where we need to carry out our legal obligations or exercise rights in connection with any contract, we may have with you or the organisation for whom you work;
3. where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your (or someone else’s) interests and you are not capable of giving your consent, or where you have already made the information public.

E. Data Sharing

We may have to share your personal data with various internal Castigroup functions and various entities within Castigroup, as well as various third parties, including third-party service providers who are engaged to perform services on our behalf such as product or service delivery, credit reference checks, or business scoring.

Where appropriate, before disclosing personal data to a third party, we shall contractually mandate the third party to take adequate precautions to protect that data and to comply with applicable law.

In the event of a merger/acquisition or company re-structure, your personal data may be part of the transferred assets and are likely to be disclosed to the new company. Sharing Data with third parties

All our third-party service providers and all Castigroup entities are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable legal requirements.

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group, such as:
(a) professional registrations;

(b) insolvency administrators;

(c) legal and other advisors to Castigroup; and

(d) other independent service providers.

The above list is not exhaustive.

Transferring data globally

We may transfer your data globally, to perform any contract that we may have with you or for other legitimate reasons. All personal data will be transferred according to applicable data privacy laws and our privacy policy. Details of such safeguards can be obtained from the Castigroup Information Officer.

F. Data security

Castigroup strives to secure the confidentiality, integrity, and availability of your personal data by taking appropriate and reasonable, technical, and organisational measures to prevent loss of, damage to, unauthorised use or destruction; and unlawful access to, or processing of your personal data. To this extent, we have due regard to generally accepted information security practices and procedures, and a dedicated information security team, which constantly reviews and improves our personal data security measures.

We endeavour to secure your personal data stored on Castigroup information systems and held in hard copy. Personal data contained in hard copy (paper) format is kept secure and safe in warehouses or lockable cupboards.

G. Data retention

We will only retain your personal data, in accordance with our records management policy.
We will retain information for as long as it is necessary to fulfil the purposes for which we collected it or where we are legally entitled/obligated to do so. This includes for the
purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the purpose for which we process personal data, the volume, the nature, and sensitivity of the personal data. We further consider the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once we no longer have a lawful basis to process your personal data, we will securely destroy your data in accordance with our records management policy and applicable laws.

H. Processing you can expect from us via various touch points

1. Data processed when you visit our website
1.1. Processed data collected:

If you visit our websites your browser automatically transmits the following data:

• Date, time and duration of the time you have spent viewing a page

• Name of your Internet Service Provider

• The referring website

• The IP (Internet Protocol) address of your device/workstation/computer

• Your internet browser type and version

• The operating system of your device/workstation/computer

1.2. Purposes of data processing:

It is necessary to store data for a limited time period to be able to effectively deliver the website to your browser with the necessary functionality. With the help of this data, we
also obtain statistical information on how our websites are used. We also collect the data to secure, prevent and track access, or misuse of our websites and IT systems.

2. Cookies
2.1. Processed data:

When you visit our website, we collect data with the help of cookies. Cookies are small text files that are stored on your device. Cookies usually contain a cookie ID i.e., a
unique identification feature that can be used to identify your browser.
Depending on the kind of the cookie, different data is collected and processed.

Our website uses Analysis cookies: With the help of these cookies, we track your user behaviour when you use our websites, e.g., which parts of the websites you use, how
often you visit our websites. We use third party cookies only.

2.2. Purposes of data processing:

Analysis cookies help us generate statistics on how our websites are used, for instance, the number of requests, duration of the visits, which parts of our websites are the most
popular. This helps us to measure how effective our presence on the Internet is, to evaluate the activity on the websites and coordinate website content and functionality to
improve the user experience.

2.3. Retention period and controlling options:

Some of the cookies are deleted after the browser is closed (session cookies), while others remain permanently on your device and allow us to recognise your browser (permanent
cookies). You are able to disable the storage of cookies or selectively accept certain cookies in your browser. Please use the Help functions of your browser to learn how to change these settings. Note this may result in limited functionality of our website.

2.4. Google Analytics
2.4.1. Processed data:
On our website, we use "Google Analytics" a web analytics service of Google Inc. ("Google"). Google Analytics uses cookies on your device which assists in evaluating the use of our website (more information can be found here: The data collected with the help of cookies is usually transferred to a Google server and stored there.
See the Google Privacy statement [] for more information.

2.4.2. Purposes of data processing:
On our behalf, Google uses the data collected through Google Analytics to evaluate the use of our website, to compile reports on the website activities and to provide further information related to the use of the website.

2.4.3. Legal basis:
Data is processed based on your consent. You consent by clicking the button on our cookie banner.

2.4.4. Retention period and controlling options:

Data is stored for a period of 14 months. You can prevent the storage of the Google Analytics cookies by a corresponding setting in your browser. This may restrict the functionality of our website. You may also prevent the collection of data generated by cookies and use of the website (including your IP address) by Google and the processing of such data by Google by not selecting Marketing cookies located on our cookie banner, this will place an opt-out-cookie on your browser.
Learn more by clicking on the following link:

3. Links to Castigroup Social Media pages

Castigroup has links to its various social media pages. If you visit these websites the Privacy Policy and Terms and Conditions of the specific website apply.

4. Data collected when you contact us
4.1. Processed data:

When you contact us via a contact form, via email or phone, we process the personal data you communicate to us, e.g., your name, your email address, and your request. The data will be stored in a Castigroup repository. The data marked as mandatory must be provided to action your request. Refusal to provide certain information may result in Castigroup being unable to action your request.

4.2. Purposes of data processing:

We use your data to process and respond to your request.

4.3. Legal basis:

We process data to take steps to fulfil your request, as it relates to our business activity.

4.4. Retention period:
We store your data as long as it is necessary to fulfil the purposes mentioned above. Should the business activity referred to above result in the conclusion of a contract or
other business relationship which you are party, your data may be stored as necessary according to that contract.

I. Your rights and duties

1. Privacy a fundamental right
At Castigroup we respect your fundamental right to Privacy. Your trust and confidence are of paramount importance to us. Please see your privacy rights below, relating to the use of your personal data which may be exercised under certain circumstances.

1.1. Right to withdraw your consent:
You may withdraw your consent to the processing of your personal data at any time.
Please note that the revocation does not affect the legality of the data processed thus far.
As far as we process personal data for direct marketing purposes you have the right to object at any time.

1.2. Right to object:
You may object to the processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to
object to processing on this ground.

1.3. Right to access:
This right enables you to access the personal data we hold about you and to check that we are lawfully processing it.

1.4. Right to correction
The right enables you to have any incomplete or inaccurate information we hold about you corrected.

1.5. Right to data portability
Under certain circumstances, you may have the right to request the facilitation of a transfer of your personal data to another party.

1.6. Right to Deletion
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.

2. Your Duties
As the party responsible for the lawful processing and security of your personal, we endeavour to treat your personal data according to this privacy policy, applicable law and
international best practice. In order to facilitate the protection of your personal data, you have the following duties:
2.1. duty to inform us when there are changes to your personal data;
2.2. duty to safeguard your personal data; and
2.3. duty confirm your identity in order to action your rights.

3. Contact point for asserting your rights:

Should you wish to exercise any of the privacy rights above, you can direct your queries to [email protected]

Our dedicated team would appreciate any comment or complaint, on this privacy policy, or our privacy practices as whole, to assist us with ensuring we respect your privacy as you would reasonably expect.

J. Right to contact a supervisory authority:

You can file a claim with the respective data privacy supervisory authorities if you believe that our data processing does not meet the legal requirements, or we did not facilitate the
exercise of your rights accordingly. Contact details for your local Information Regulator can be found on the internet or by requesting them from the Castigroup
Information Privacy Officer.

K. Updates

We reserve the right, at our sole discretion, to modify, add or remove sections of this privacy notice at any time and we will notify you of any changes.
This privacy notice (and any updates to or amended versions of this privacy notice) will be published on Castigroup's website as well as any other channels we may find appropriate.