1. INTRODUCTION

1.1 The protection and security of your personal information (the User’s) is of the utmost importance to us. This Privacy Policy describes how your personal information is collected, used, and shared when you visit any of our user platforms including, but not limited to, email communications, social media platforms and/or websites. In the policy, the reference of one such platform is inclusive of all such platforms.

1.2 For the avoidance of doubt, this Policy is incorporated by reference into the general terms and conditions governing your use of our platforms (“Terms of Service”). This means that the Privacy Policy forms part of the Terms and Conditions.

1.3 By using our platform, you are accepting the terms of this Policy and consenting to the collection, processing, further processing and storage of your information (including your personal information) as contemplated in this Policy.

1.4 You declare and guarantee that you are the owner or have the necessary rights to the information that you share with us and that at the date of its transmission:

• (i) the information is exact and true,
• (ii) the use of the information does not contravene any of our policies and will not be damaging to any third party.

2. CHANGES TO THIS POLICY

2.1 You understand that we are entitled to change or amend this Policy at any time. It is your responsibility to refer to this Policy from time to time in order to remain up to date regarding any such amendments.

2.2 Where you continue to make use of and interact with our platforms following an amendment to this Policy, such amendments are deemed to have been accepted by you.

3. DATA COLLECTION AND WHAT WE DO WITH IT

3.1 Athlete Connect collects Personal Data directly from you via our platforms as well as from other available sources to the extent relevant and permitted under the Protection of Personal Information Act 4 of 2013 (“POPIA”), and any other applicable law.

3.2 The data we collect from you is that data necessary for us to perform our core business, including but not limited to, connect athletes with:

• 3.2.1 prospective agents;
• 3.2.2 sporting institutions;
• 3.2.3 identify athletes to potential recruiters;
• 3.2.4 Any other such third party, nationally or internationally, as may be necessary and/or specifically consented to by you; and/or
• 3.2.5 to communicate with athletes directly.

3.3 The information referred to above includes, but is not limited to an athlete’s:

• 3.3.1 Name and Surname;
• 3.3.2 Electronic mail address (or such other necessary communications details);
• 3.3.3 School;
• 3.3.4 Date of birth;
• 3.3.5 Age group;
• 3.3.6 Height and weight; and
• 3.3.7 Particulars of an athlete’s position or specific performance.

3.4 Some data collected may occur automatically during the course of use of our platforms known as, “Device Information”, and is included when referring to Personal Information in this Policy. We collect Device Information using the following technologies:

3.5 “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

3.6 “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

3.7 “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.

3.8 We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our users browse and interact with our platforms, and to assess the success of our marketing and advertising campaigns).

DISCLAIMER

1. We do not guarantee, represent or warrant that your use of our services will be uninterrupted, timely, secure or error-free.
2. We do not warrant that the results that may be obtained from the use of the service will be accurate or reliable.
3. You agree that from time to time we may remove the service for indefinite periods of time or cancel the service at any time, without notice to you.
4. You expressly agree that your use of, or inability to use, our service(s) is at your sole risk.
5. In no case shall Athlete Connect, our directors, officers, employees, affiliates, agents, contractors, interns, suppliers, service providers or licensors be liable for any injury, loss, claim, or any direct, indirect, incidental, punitive, special, or consequential damages of any kind, including, without limitation lost profits, lost revenue, lost savings, loss of data, replacement costs, or any similar damages, whether based in contract, tort (including negligence), strict liability or otherwise, arising from your use of any of our service, or for any other claim related in any way to your use of our service, including, but not limited to, any errors or omissions in any content, or any loss or damage of any kind incurred as a result of the use of the service or any content posted, transmitted, or otherwise made available via our service, even if advised of their possibility. Because some states or jurisdictions do not allow the exclusion or the limitation of liability for consequential or incidental damages, in such states or jurisdictions, our liability shall be limited to the maximum extent permitted by law.
6. You agree and understand that use of our services is in no way a guarantee of success with regards to, inter alia, being connected to agents for the purpose or receiving offers from professional bodies/unions/or otherwise.
7. Athlete Connect accepts no liability whatsoever for any loss, damage (whether direct, indirect, special or consequential) and/or expenses of any nature whatsoever which may arise as a result of, or which may be attributable directly or indirectly from information made available on our platforms, or actions or transaction resulting therefrom.

PERSONAL INFORMATION PROCESSING: A GUIDELINE

1. INTRODUCTION

   1. Data Protection Legislation regulates the manner in which Personal Information may be Processed by Athlete Connect. The concept of Processing is broad, and includes any operation or activity concerning the collection, receipt, storage, updating, use, distribution and destruction of Personal Information.
   2. Athlete Connect is required to ensure that it Processes Personal Information in compliance with the conditions for lawful Processing set out in POPIA when it Processes Personal Information.
   3. In order to ensure that Athlete Connect fulfils its obligations under applicable Data Protection Legislation, including POPIA, this Policy sets out how Athlete Connect (and other persons Processing Personal Information on Athlete Connect SA's behalf) must collect, store, update, destroy and otherwise Process Personal Information.

2. SCOPE & CONSENT

   1. All Employees are responsible for ensuring that they comply with this Guideline and that they implement appropriate practices, processes and controls to ensure compliance.
   2. All Data Subjects (as defined by POPIA) consent to the processing and/or storage of their personal information and special personal information (where applicable) in accordance with the provisions of this policy, which aligns to the provisions of POPIA.

3. PROCESSING CONDITIONS

   1. Athlete Connect adheres to the conditions relating to the Processing of Personal Information set out in POPIA, which require that Personal Information is:
      1. Processed lawfully, in a reasonable manner, and if given the purpose for which it is Processed, it is adequate, relevant and not excessive (Processing limitation);
      2. collected with the Data Subject's knowledge of the purpose for which their Personal Information is collected (Purpose Specification);
      3. Processed in a manner compatible with the purpose for which it was originally collected (Further Processing Limitation);
      4. complete, accurate, not misleading and updated where necessary (Information Quality);
      5. not Processed in a manner that is obscured from the Data Subject (Openness);
      6. protected by appropriate and reasonable technical and organisational security measures (Security Safeguards); and
      7. accessible to the Data Subject (Data Subject participation).
   2. Athlete Connect is responsible for and must be able to demonstrate compliance with the data protection conditions listed above (Accountability).
   3. Accordingly, Athlete Connect must ensure that it adheres to the conditions of lawful Processing.

4. PROCESSING LIMITATION

   1. POPIA restricts the manner in which a person may Process Personal Information. Processing must be adequate, relevant and not excessive given the purpose for which the Personal Information is Processed. These restrictions are not intended to prevent Processing, but to ensure that Athlete Connect Processes Personal Information lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject.
   2. Processing is allowed under specific circumstances, some of which are set out below:
      1. the Data Subject Consents to the Processing;
      2. Processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party;
      3. Processing complies with an obligation imposed by law on the Responsible Party;
      4. Processing protects a legitimate interest of the Data Subject;
      5. Processing is necessary for the proper performance of a public law duty by a public body; and
      6. Processing is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied.
   3. Athlete Connect and Athlete Connect's Employees must identify and document the legal ground being relied on for each Processing activity.
   4. Athlete Connect may only Process Personal Information when performing its job duties, subject to the other requirements set out in this paragraph 4 being complied with. Athlete Connect cannot Process Personal Information for any reason unrelated to its business activities.
   5. Athlete Connect may not collect excessive Personal Information. It will ensure that any Personal Information collected is adequate and relevant for the intended purposes.
   6. You must ensure that when Personal Information is no longer needed for specified purposes, it is deleted or de-identified (anonymised).
   7. A Data Subject Consents to the Processing of their Personal Information if they indicate agreement either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are insufficient.
   8. Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Information for a different and incompatible purpose which was not disclosed when the Data Subject first Consented.
   9. Athlete Connect will need to evidence Consent captured and keep records of all Consents (both given and withdrawn by a Data Subject) so that Athlete Connect can demonstrate compliance with Consent requirements.
   10. Before Athlete Connect processes Special Personal Information, it must ensure that it can identify the lawful basis for Processing such information. For example, Processing of Special Personal Information can take place if:
       1. Processing is carried out with the Consent of a Data Subject;
       2. Processing is necessary for the establishment, exercise, or defence of a right or obligation in law;
       3. Processing is necessary to comply with an obligation of international public law;
       4. Processing is for historical, statistical or research purposes to the extent that:
          1. the purpose serves a public interest and the Processing is necessary for the purpose concerned; or
          2. it appears to be impossible or would involve a disproportionate effort to ask for Consent, and sufficient guarantees are provided for to ensure that the Processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent;
       5. information has deliberately been made public by the Data Subject; or
       6. the specific authorisation requirements set out in POPIA are complied with, if the information relates to a Data Subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, criminal behaviour, or biometric information.

5. PURPOSE SPECIFICATION

5.1 Athlete Connect may only collect, store, update, destroy, or otherwise Process Personal Information for specified purposes related to Athlete Connect's functions.
5.2 Athlete Connect will need to ensure that the Data Subject is aware of the purpose for which Athlete Connect is collecting Personal Information. Athlete Connect may only Process Personal Information for the purpose known by the Data Subject and not for any incompatible purpose.
5.3 Athlete Connect cannot use Personal Information for new, different or incompatible purposes from those disclosed to the Data Subject when the Personal Information was first obtained unless Athlete Connect has informed the Data Subject of the new purposes and they have Consented, where necessary.
5.4 Personal Information must not be retained any longer than is necessary for achieving the specific purpose for which it was collected.

6. FURTHER PROCESSING LIMITATION

6.1 Any further Processing of Personal Information is compatible with the purpose for which it was originally collected.
6.2 To establish whether further Processing is compatible with the purpose of collection, consider:

• the nature of the information concerned;
• the manner in which the information has been collected;
• the relationship between the purpose of the intended further Processing and the purpose for which the information was originally collected;
• the consequences of the intended further Processing for the Data Subject; and
• any contractual rights and obligations between the Data Subject and Athlete Connect SA.

6.3 Athlete Connect cannot use Personal Information for new, different or incompatible purposes from that disclosed when it was first collected unless they have informed the Data Subject of the new purposes and they have Consented where necessary. Where Consent is relied on as a basis for the further Processing, such Consent must be recorded and retained a proof and basis for the further Processing.
6.4 Should Athlete Connect SA wish to Process Personal Information for a different or incompatible purpose (to the original purpose), consult the Information Officer.

7. INFORMATION QUALITY

7.1 Personal Information must be complete, accurate and not misleading, and kept up to date. It must be corrected or deleted without delay when inaccurate.
7.2 Athlete Connect will, where necessary, and taking into consideration the purpose for which the Personal Information was collected, take reasonable steps to ensure that the Personal Information Athlete Connect holds and uses is complete, accurate, not misleading and is updated.

8. OPENNESS

8.1 Athlete Connect must take reasonably practicable steps to ensure the Data Subject is aware of various matters related to the collection of Personal Information, including, but not limited to:

• the type of Personal Information collected, the source from which it is collected;
• Athlete Connect 's details (name and address);
• the purpose for which the Personal Information is collected;
• whether the supply of the Personal Information is voluntary or mandatory;
• the consequences for failing to provide the Personal Information;
• any law, including Data Protection Legislation, which requires the collection of the Personal Information;
• whether Athlete Connect intends to transfer the Personal Information to another country and the level of protection afforded to that Personal Information in that country;
• the recipients of the Personal Information;
• the Data Subject's right to access, rectify, or object to the collection or Processing of the Personal Information;
• the right to lodge a complaint with the appropriate Regulator.

8.2 Whenever Athlete Connect collects Personal Information directly from Data Subjects, Athlete Connect SA must provide the Data Subject with all the aforementioned information.
This information must be presented when the Data Subject first provides the Personal Information, this can be done by providing the Data Subject with Athlete Connect 's Privacy Policy. In relation to Personal Information which is obtained for employment purposes, the aforementioned information will be provided prior to or at the commencement of the employment relationship.
8.3 When Personal Information is collected indirectly (for example, from a third party or publicly available source), Athlete Connect must provide the Data Subject with all the above information as soon as reasonably possible after collecting or receiving the information, this can be done by providing the Data Subject with Athlete Connect SA's Privacy Policy. Athlete Connect must also check that the Personal Information was collected by the third party in accordance with applicable Data Protection Legislation and on a basis which contemplates Athlete Connect SA's proposed Processing of that Personal Information.
8.4 Athlete Connect must maintain documentation of all Processing operations in sufficient detail to facilitate a request for access to the Records of Processing operations.
8.5 Athlete Connect must keep and maintain accurate corporate Records reflecting Athlete Connect SA's Processing including Records of Data Subjects' Consents and procedures for obtaining Consents.
8.6 If Athlete Connect has used a Record of Personal Information to make a decision about a Data Subject, then that Record must be retained in accordance with Athlete Connect SA's Record Retention Policy.

9. SECURITY SAFEGUARDS

1. 1. 9.1 Protecting Personal Information
      1. 9.1.1 Appropriate and reasonable technical and organisational measures must be taken to secure the integrity and confidentiality of Personal Information to prevent the loss of, damage to, unauthorised destruction of, and unlawful access to, or Processing of Personal Information.
      2. 9.1.2 Athlete Connect will endeavour to identify all reasonably foreseeable internal and external risks to the security of Personal Information in Athlete Connect SA's possession or under its control. Athlete Connect SA will develop, implement, and maintain safeguards appropriate to its size, scope and business, Athlete Connect's available resources, the amount of Personal Information that it owns or maintains on behalf of others, and identified risks. Athlete Connect will regularly evaluate and test the effectiveness of those safeguards to ensure security of its Processing of Personal Information and update them when new risks are identified. Athlete Connect is responsible for protecting the Personal Information that is Processed by Athlete Connect (to the extent that You are involved in the Processing of this Personal Information).
      3. 9.1.3 Athlete Connect must adhere to the security measures imposed by Athlete Connect against unlawful or unauthorised Processing of Personal Information and against the accidental loss of, or damage to, Personal Information. Athlete Connect SA will exercise particular care in protecting Special Personal Information from loss and unauthorised access, use, or disclosure.
      4. 9.1.4 Athlete Connect will follow all procedures and measures which Athlete Connect puts in place to maintain the security of all Personal Information from the point of collection to the point of destruction. It may only transfer Personal Information to third-party service providers (Operators) who agree to comply with Data Protection Legislation and who agree to put adequate measures in place, as requested.
      5. 9.1.5 It must maintain data security by protecting the confidentiality and integrity of the Personal Information, bearing in mind that:
         1. 9.1.5.1 confidentiality means that only people who have a need to know and are authorised to use the Personal Information can access it; and
         2. 9.1.5.2 integrity means that Personal Information is protected against loss, damage or unauthorised destruction.
      6. 9.1.6 It must comply with, and not attempt to circumvent, the administrative, operational, physical, and technical safeguards and standards that Athlete Connect SA implements and maintains to protect Personal Information.
      7. 9.1.7 Anyone who Processes Personal Information on behalf of Athlete Connect is required to Process Personal Information only with the knowledge or authorisation of Athlete Connect and to treat Personal Information which comes to their knowledge as confidential. Athlete Connect is required to conclude a written agreement with all third parties who Process Personal Information on our behalf. Please refer any queries you may have in this regard to the Information Officer.
   2. 9.2 Reporting a Personal Information breach: Athlete Connect will follow the data breach policies it implements for this purpose.
2. 10. DATA SUBJECT PARTICIPATION
   1. 10.1 Data Subjects have rights when it comes to how Athlete Connect handles their Personal Information. These include the right to:
      1. 10.1.1 be notified that Personal Information is being collected;
      2. 10.1.2 be notified of a Personal Information breach;
      3. 10.1.3 access Personal Information held by Athlete Connect;
      4. 10.1.4 request the correction, destruction or deletion of Personal Information;
      5. 10.1.5 object to Processing;
      6. 10.1.6 restrict Athlete Connect's Processing of the Data Subject's Personal Information;
      7. 10.1.7 object to direct marketing;
      8. 10.1.8 request that Athlete Connect transfers their Personal Information to a third party in an easily accessible format;
      9. 10.1.9 object to automated decision making; and
      10. 10.1.10 submit a complaint to the appropriate Regulator.
   2. 10.3 Athlete Connect SA must verify the identity of an individual making a request under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Information without proper authorisation).
   3. 10.4 Athlete Connect SA must immediately forward any external Data Subject requests to the Information Officer.
3. 11. SPECIAL PERSONAL INFORMATION
   1. 11.1 Special Personal Information includes:
      1. 11.1.1 the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject;
      2. 11.1.2 the criminal behaviour of a Data Subject to the extent that such information relates to:
         1. 11.1.2.1 the alleged commission of any offence by a Data Subject; or
         2. 11.1.2.2 any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.
   2. 11.2 Special Personal Information may only be Processed:
      1. 11.2.1 with the Consent of the Data Subject;
      2. 11.2.2 if Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
      3. 11.2.3 if Processing is necessary to comply with an obligation of international public law;
      4. 11.2.4 if Processing is for historical, statistical or research purposes to the extent that:
         1. 11.2.4.1 the purpose serves a public interest and the Processing is necessary for the purpose concerned; or
         2. 11.2.4.2 it appears to be impossible or would involve a disproportionate effort to ask for Consent,
         3. 11.2.4.3 and sufficient guarantees are provided for, to ensure that the Processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent;
      5. 11.2.5 information has deliberately been made public by the Data Subject; or
      6. 11.2.6 the authorisation requirements set out in POPIA apply.
   3. 11.3 It is Athlete Connect SA's policy to keep the Processing of Special Personal Information to a minimum and for as short a period as is practical. Instances where Athlete Connect SA Processes this type of information include, for example, as part of employment-related background checks. In this instance, Special Personal Information must be Processed with the explicit Consent of the Data Subject, which must be recorded and retained as proof for Processing Special Personal Information or as part of Covid-19 screening procedures. In this instance, Special Personal Information is Processed to comply with an obligation in law.
   4. 11.4 If in doubt about whether You are permitted to Process Special Personal Information, consult the Information Officer.

12. CHILDREN

12.1 Athlete Connect may in certain instances Process Personal Information of children (people under the age of 18 years) including in the course of providing services to Athlete Connect clients or as part of employee administration. In such cases, the Processing of Personal Information of children is conducted with the Consent of a competent person or to comply with an obligation in law.

12.2 Athlete Connect will not knowingly collect Personal Information of children without express Consent to do so or without a legal obligation to do so.

12.3 For any questions in respect of the Processing of Personal Information of children, consult the Information Officer.

13. ACCOUNTABILITY

13.1 Athlete Connect is responsible for, and must be able to demonstrate, compliance with the conditions of lawful Processing of Personal Information. In this regard, Athlete Connect is required to have adequate resources and controls in place to ensure and to document compliance including:

• 13.1.1 appointing a suitably qualified Information Officer accountable for data privacy;
• 13.1.2 integrating the conditions of lawful Processing into internal documents including this Policy and all other Data Protection Policies and Guidelines;
• 13.1.3 regularly training Athlete Connect Employees on Data Protection Legislation, this Policy, other Data Protection Policies and Guidelines and data protection matters including, for example, Data Subject's rights, Consent, the conditions of lawful Processing, and Personal Information breaches. Athlete Connect must maintain a Record of training attendance by Athlete Connect Employees; and
• 13.1.4 regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

14. CHANGES TO THIS GUIDELINE

14.1 We keep this Guideline under regular review. In the event that there are material changes to Data Protection Legislation or other applicable laws or if Athlete Connect wishes to enhance any aspect of this Guideline, amendments will be made as necessary.

14.2 This Guideline does not override any applicable Data Protection Legislation.