Data Retention, Storage and Disposal Policy

DEFINITIONS

In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings –

  • “Company” means QuickTrade Proprietary Limited, a limited liability private company duly incorporated in the Republic of South Africa with registration number 2014/062267/07. Any reference to “We” / “Our” / “Us” shall be a reference to the Company;
  • “Data Retention Matrix” means the retention schedule attached to this Policy as Annexure “A”;
  • “data subject” means the person (natural or juristic, where applicable) to whom the personal information relates;
  • “de-identify” in relation to personal information of a data subject, means to delete any information that: (a) identifies the data subject; (b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or (c) can be linked by a reasonably foreseeable method to other information that identifies the data subject;
  • “Designated Manager” means the employee appointed in respect of each Division to oversee the records management function from the receipt or creation of the record until disposal;
  • “destruction” means the process of destroying or deleting a record, beyond any possible reconstruction;
  • “Division” means each business unit within the Company;
  • “ECTA” means the Electronic Communications and Transactions Act No. 25 of 2002;
  • “Information Manager” means the employee appointed as the Company’s information officer, responsible for ensuring the Company’s compliance with POPIA and PAIA, and overall responsibility for this Policy;
  • “PAIA” means the Promotion of Access to Information Act No. 2 of 2000;
  • “personal information” has the meaning set out in section 1 of POPIA, and includes “special personal information” as defined in section 26 of POPIA;
  • “Policy” means the record retention and disposal policy contained in this document, as amended and updated from time to time;
  • “POPIA” means the Protection of Personal Information Act No. 4 of 2013;
  • “process” means any operation or activity whether or not by automatic means, concerning records including collecting, receiving, recording, organising, collating, storing, updating, modifying, retrieving, altering, consulting or using, disseminating, distributing or making available and merging, linking, blocking, degrading, erasing, destroying records;
  • “record” means any recorded information –
    • regardless of form or medium, including any of the following:
      • writing on any material;
      • information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
      • label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
      • book, map, plan, graph or drawing;
      • photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
    • in the possession or under the control of the Company;
    • whether or not it was created by the Company; and
    • regardless of when it came into existence;
  • “records management” is a process of ensuring proper creation, maintenance, use and disposal of records throughout their lifecycle to achieve efficient, transparent and accountable governance;
  • “records system” means an information system for capturing, managing and providing access to records and may consist of records management software or non-technical processes for records management;
  • “restriction” means to withhold from circulation, use or publication any record, but not to delete or destroy such record; and
  • “special personal information” means any personal information that is more sensitive than ordinary personal information and which requires a higher level of protection including personal information about sexual orientation, criminal behaviour, ethnicity, trade union membership and political views.

INTRODUCTION

  • The Company must comply with its obligations under certain laws whenever it processes personal information relating to data subjects, including its employees, workers, customers, suppliers and any other individuals we interact with.
  • This includes the obligation not to process any personal information which permits the identification of data subjects for any longer than is necessary. The purpose of this Policy is to assist us to comply with that obligation. This Policy should be read alongside the Data Retention Matrix, which provides guideline data retention periods for the various types of personal information we hold.
  • Compliance with this policy will also assist us to comply with our ‘data minimisation’ and accuracy obligations under data retention and disposal laws which require us to ensure that we do not retain personal information which is irrelevant, excessive, inaccurate or out of date.
  • A failure to comply with data retention and disposal laws could result in enforcement action against the Company, which may include substantial fines, significant reputational damage and potential legal claims from individuals. It can also have personal consequences for individuals in certain circumstances i.e. criminal fines/imprisonment or director disqualification.
  • Compliance with this Policy will also assist in reducing the Company’s information storage costs and the burden of responding to requests made by data subjects under data protection laws such as access and erasure requests.
  • We are also required under data protection laws to inform data subjects about how long we will retain their personal information in our privacy notices.
  • This Policy is for internal use only and cannot be shared with third parties, customers or regulators without prior authorisation from our Data Protection Manager.
  • Purpose of this Policy
    • The primary purpose of this Policy is to ensure that records, irrespective of the format or medium thereof, that are received or created by the Company in the performance of its functions and in the execution of its business activities, are managed in such a manner that promotes good governance and compliance with applicable legislation.
    • The objectives of this Policy are –
      • To ensure that all records:
        • are retained in an appropriate manner, having regard to the content of the record;
        • are retained for an appropriate period of time, having regard to statutory obligations, business requirements and industry best practices;
        • which are required for evidentiary purposes, are kept in a manner that ensures their admissibility;
        • containing personal information and special personal information are retained and destroyed / de-identified in the manner required by law;
      • To ensure that the operational business needs of the Company are met in respect of records; and
      • To ensure that record management and destruction is done in an orderly and efficient manner and is properly recorded.
    • Records shall be controlled as specified in this Policy because they provide evidence of conformity to requirements and of the effective operation of the quality management system. Various statutes which specify minimum retention periods for certain records must be considered. As a general rule the retention of records should be kept at minimum (statutory) levels. Documents not required for retention purposes (legally or operationally) should be disposed of in accordance with the process described in this Policy.
    • Keeping records for longer than required may lead to increased operational expenses. On the other hand, the untimely destruction of records could adversely affect the Company’s business operations, the ability of the Company to defend or institute litigious claims, cause the Company to be in breach of statutory or regulatory requirements and have a negative impact on the Company’s reputation.
    • Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater co-ordination of information and storage systems.

SCOPE AND APPLICATION

  • This Policy applies to all Company staff, contractors, consultants, advisors and service providers that may deal with Company records and covers all records in whatever medium such records are contained.
  • This Policy covers all records which are processed by the Company including those listed in the Data Retention Matrix, irrespective of the media on which such records are created or stored. This includes –
    • Paper or hardcopy records;
    • Electronic or softcopy records (Word documents, databases, emails, spreadsheets, PowerPoint presentations etc.);
    • Scanned images, photographs, external storage media (CD-ROMS, flash drives, video tapes).
  • This Policy impacts upon the Company’s work practices for all those who:
    • create records;
    • have access to records;
    • have any other responsibilities for records, for example storage and maintenance responsibilities;
    • have management responsibility for staff engaged in any of these activities, or manage, or have design input into record systems including information technology infrastructure.
  • This Policy therefore applies to –
    • all persons within the Company’s organisation including employees (permanent, fixed-term and part-time) and also to all agents, subsidiaries, consultants, contractors, advisors and service providers who have access to any Company records; and
    • records located anywhere including at the Company’s premises, at the homes of employees, on the premises of service providers and at offsite storage facilities.
  • Each employee, contractor, consultant, advisor, service provider or any other third party who has access to or control over any of the Company records must return all such records to the Company upon the end of their employment or service with the Company or the expiration of the relevant services agreement with the Company.

RESPONSIBILITIES & DATA INVENTORIES

  • Records management and record systems that facilitate the use of records are a responsibility shared by all Divisions and employees. Divisions are required to appoint a Designated Manager to ensure adherence to record management principles prescribed by this Policy.
  • All Designated Managers are ultimately responsible for the identification, storage, protection, retrieval and disposition of records within their respective Divisions and are expected to make themselves familiar with the requirements for record management as prescribed by this Policy as well as any applicable legislation.
  • The Information Manager (contactable via phone on 011 315 1000 or email at tafara@quicktrade.co.za) will retain a record of the training provided to personnel to ensure that they understand the Company’s data retention and destruction obligations, their own responsibilities and the internal processes they need to follow. The Information Manager retains ultimate responsibility for the implementation of this Policy.
  • All Designated Managers are ultimately responsible for ensuring that all information assets containing personal information that are under the control of the relevant Division are retained and destroyed in accordance with this Policy and the Data Retention Matrix. They must implement measures to ensure that they can identify when a retention period is due to expire, so that they can carry out a review and determine whether the personal information should be deleted or destroyed. In addition, Designated Managers should carry out periodic reviews at least annually of the personal information contained in the information assets that are within their control (even if that personal information is not covered by a retention period contained in the Data Retention Matrix), to determine whether it is being retained and destroyed in accordance with this Policy. Designated Managers may delegate routine tasks, where appropriate.
  • This policy applies to all Company personnel (“you” or “your”) and it sets out what we expect from you to assist the Company to comply with its data retention and destruction obligations under data retention and destruction laws. All Company personnel play a vital role and you must read and ensure that you fully understand and comply with this Policy in relation to all personal information which you process on our behalf and you must attend all related training provided.
  • Your compliance with this Policy is mandatory. Any breach of this Policy may result in disciplinary action. Compliance with this Policy may be monitored and audited by the Company [internal audit team] who will review and make recommendations on the implementation of the Policy.
  • Records and Record Systems
    • All records, whether hard copy or soft copy, should possess the following characteristics –
      • Authenticity – records must be able to be proved to: (i) have been generated or communicated by the person or system purported to have generated or sent such record; (ii) be what the record purports to be; and (iii) have been sent or generated when purported to have been done so;
      • Reliability – records must: (i) contain content which can be regarded as a complete and accurate representation of the activities or facts to which they attest; and (ii) be capable of being depended on for subsequent activities or transactions.
      • Integrity – records should be complete, unaltered and protected from unauthorised alteration; and
      • Usability – records should be easily located, retrievable, interpreted and presented within a reasonable time period.
    • All record systems should possess the following characteristics –
      • Reliability – record systems should: (i) be capable of continuous operation; (ii) present records in a usable way; (iii) store records for as long as they are required in a secure manner; (iv) enable access to authorised persons; and (v) allow for disposition.
      • Security – with regard to the risk associated with a record, appropriate measures such as access control, personnel validation, monitoring and authorised destruction procedures should be implemented to prevent unauthorised alteration, access, concealment or destruction of records;
      • Compliant – any regulatory requirements or industry standards should be complied with and record systems should be assessed regularly for such compliance;
      • Comprehensive – record systems should be able to manage all relevant records;
      • Systematic – the generation, capturing and management of records should be systematic by virtue of the operation and design of the record system.
    • In determining the appropriate storage mechanism / record system for a particular record, the Data Retention Matrix should be consulted as well as the Information Manager. Regardless of the method of storage, any record system should possess the characteristics set out in paragraph 6.2 above. The Data Retention Matrix sets out the required format for specified types of records. The actual storage mechanisms need to take cognisance of a number of factors including –
      • the content of the record – does it contain personal information or confidential information;
      • the purpose of the record – does it need to be easily accessible;
      • cost of storage; and
      • level of security required. In this regard, physical security and technical security are of equal importance.
    • In respect of paper / hard copy records, the following should be considered when determining the appropriate storage mechanism –
      • protection against loss due to theft, fire or water damage;
      • location of records which are hosted offsite;
      • access control to files containing records, especially those containing sensitive information;
      • transport to and from offsite storage facilities;
      • good filing practices – ensuring that records are kept in an organised and orderly manner which allows for easy retrievability and use; and
      • whether a third party is responsible for storage and if so, if there is a written agreement in place with such third party which is aligned with the requirements of this Policy and applicable legislation.
    • In respect of electronic / soft copy records, the storage of such records should be carried out in accordance with the Company [Information Security Policy] for access controls and for details on the format or encryption of relevant records in order to secure the confidentiality, integrity and accessibility of the records. Further, the following should be considered when determining the appropriate storage mechanism:
      • the temperature, humidity and magnetic fields where servers are located;
      • password protection, antivirus and access control mechanisms;
      • location of records which are hosted offsite;
      • back-up requirements and redundancy; and
      • whether a third party is responsible for storage and if so, if there is a written agreement in place with such third party which is aligned with the requirements of this Policy and applicable legislation.
    • Where any third party service provider stores records or otherwise processes records on behalf of the Company, a written agreement must be in place with such service provider which obliges the service provider to comply with any instructions of the Company in relation to records, to implement security safeguards consistent with the requirements of this Policy, to assist the Company with complying with any regulatory or business requirements in relation to access to records, to allow the Company to audit the premises and record systems in place and to, at the Company’s request, destroy or return any records and certify such destruction or return to the Company.

POLICY

  • The Company is required under data protection laws to ensure that information assets containing personal information are not retained in a form which enables the identification of individuals for any longer than is necessary for the purposes for which the personal information has been collected. We must be able to justify our retention of personal information to the authority responsible for enforcing data protection laws in South Africa (i.e. the Information Regulator).
  • In practice what this means is that the Company must not retain the personal information contained within information assets for any longer than is necessary:
    • For the operational purpose that the personal information was collected for, and which the relevant data subject has been informed of (i.e. in relevant privacy notices);
    • In order to comply with any applicable statutory or regulatory retention requirements; or
    • To enable the Company to exercise its legal rights and/or defend against legal claims.
  • Where a statutory or regulatory retention requirement applies, or where data is relevant to an actual or potential legal claim, only the specific personal information which is required to be retained in order to meet the statutory/regulatory retention requirement or for a legal claim, should be retained for those purposes.
  • Personal information may also be retained for a longer period if it is solely for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, in accordance with the regulatory framework, subject to the implementation of appropriate technical and organisational measures which are required by data protection laws, in order to safeguard the rights and freedoms of the Data Subject. If you believe that personal information should be retained for these purposes, please contact the Information Manager.
  • We must take a proportionate approach to data retention, balancing our needs with the impact of retention on data subjects’ privacy. We also need to comply with all other aspects of data protection laws in relation to the personal information we retain, including ensuring that its retention is fair and lawful and that it is secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
  • We must ensure that any request received from a Data Subject asking us to delete or destroy their personal information is dealt with in accordance with data protection laws.
  • Each Designated Manager must ensure that effective processes are in place to ensure that the personal information within their control is retained, archived and deleted or destroyed in accordance with this Policy and the Data Retention Matrix.

SECURE DELETION/DESTRUCTION OR ANONYMISING DATA

  • A record may only be destroyed if the relevant record retention period has expired and no exception to such destruction applies (including a legal requirement to maintain the record or a specific hold placed on the destruction of the records in question). In that case, the record must first be reviewed and the relevant action to be taken must be agreed upon between the Designated Manager and the Information Manager. The following actions may be taken pursuant to such review:
    • Destruction of the record;
    • Retention of the record for a further period; or
    • Archiving of the record.
  • Recording the Disposal Decision:
    • As a first step, the nature and contents of any record being considered for disposal should be ascertained. No record should be designated for disposal unless this has been done. Depending on the complexity of the document, this should only be done by individuals who possess sufficient operational knowledge to enable them to identify the record concerned and its function within the Company. Typically, the review should be done by the Designated Manager in consultation with other relevant stakeholders (such as legal advisers, the Information Manager, external audit or regulatory bodies).
    • Any decision regarding whether to destroy a record should take the following into account:
      • Applicable legislative and regulatory requirements;
      • Costs associated with continued storage versus costs of destruction;
      • The legal and reputational risks associated with retaining, destroying or losing control over the record;
      • Whether the record has any long-term historical, statistical or research value; and
      • Whether the record may be required for investigations, litigation or similar proceedings;
    • Destruction should be documented by keeping a register of the record destroyed, the date and the name of the Designated Manager that authorised the destruction. When and why a document is destroyed is particularly important in the event of a claim against the Company. The Company shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed. The prescribed data destruction record template is contained in Annexure “B” to this Policy.
  • Factors to Consider before Destroying Records
    • The destruction of a record should not take place other than in accordance with this Policy. Before destroying a record, it must be confirmed with the Designated Manager and Information Manager that:
      • there are no pending access requests in terms of PAIA or POPIA in relation to the record;
      • there is no restriction on processing in relation to the record;
      • the record is no longer required by any part of the business;
      • there is no legal or regulatory reason to maintain the record;
      • the record will not be required for the purposes of proof or in any litigation or investigation; and
      • there is no improper motive for the destruction of the record (for example, to destroy evidence).
    • The Company shall maintain and enforce a detailed list of approved destruction methods appropriate for each type of record archived whether in physical storage media such as CDROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files.
  • Destruction of Hard Copy Records

Personal information or confidential or restricted information must be disposed of in a manner that maintains the confidentiality of the record. While records not containing personal information or other confidential information can be thrown into bins, confidential records (including those containing personal information) must be shredded and/or placed in paper rubbish bins designated for collection by an approved disposal service provider. All copies of paper records marked for destruction, whether made for security or back-up purposes, must be destroyed in the same manner.

  • Destruction of Soft Copy / Electronic Records

Electronic records contained on servers or storage devices shall be destroyed by the physical destruction of that media or by completely wiping the electronic record such that it can never be reconstructed. Personal data records or confidential and restricted records must be disposed of as confidential waste and in some cases, where records are not fully destroyed but are anonymised instead, appropriate steps need to be taken to ensure that the process of anonymisation (i.e. the process of turning a record into a form which does not identify the persons to whom the information relates). A record of destruction must be certified and all back-up copies of the electronic records should also be destroyed in the same manner.

  • Destruction Exceptions and Litigation Holds

There may be a valid reason for a record not to be destroyed in accordance with the destruction requirements of this Policy. In this case, an exception request should be lodged with the Information Manager specifying the reason for the exception, which may include a client or business requirement, a legal requirement or a vital historical purpose for such record/s being retained. In addition, a litigation hold may also be issued (by the Company Legal Department) in respect of any information or records that form part of or are related to any litigation proceeding, which records should be retained and not destroyed in accordance with this Policy. Such litigation hold may be retained in place for the relevant records to be preserved for as long as the litigation proceeding is under way or the threat of pending litigation, regulatory action or government action or order is applicable.

RETENTION OF ELECTRONIC RECORDS UNDER THE ECTA

  • The legal framework in respect of electronic communications, including the use of electronic copies as opposed to hard copies, is largely set out in the ECTA.
  • The ECTA applies in respect of any electronic transaction or data message and recognises that information is not without legal force and effect merely on the grounds that it is wholly or partly in the form of a data message. In other words, the ECTA applies to all electronic records.
  • In assessing the evidentiary weight given to an electronic record, regard must be had to –
    • The reliability of the manner in which the electronic record was generated, stored and communicated;
    • The reliability of the manner in which the integrity of the electronic record was maintained;
    • The manner in which the originator was identified; and
    • Any other relevant factor.
  • In terms of the ECTA, where the law requires that information be presented or retained in its original form, the requirement of originality is met by retaining an electronic record if –
    • the record is in the format in which it was generated, sent or received, or in a format which can be demonstrated to preserve the integrity of the information (i.e. that the information has remained unaltered, complete and accurate);
    • information contained in the record is accessible to be usable for subsequent reference; and
    • that information is capable of being displayed and/or produced to the person to whom it is to be presented.
  • In light of the above, it is extremely important to take all reasonable steps to ensure the reliability and integrity of any electronic record system used by the Company. It is also important to maintain evidence of the steps taken to preserve the integrity and authenticity of records stored electronically.
  • Records Containing Personal Information
    • The Company is obliged to respect the privacy of all data subjects. This includes complying with the provisions of POPIA insofar as they relate to records containing personal information.
    • All records should be assessed to determine whether they contain any personal information or special personal information. If you are unsure about whether a record contains this information, please contact the Information Manager.
    • In terms of POPIA, the Company may not retain personal information for a period longer than is necessary to achieve the purpose for which it was collected or processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –
      • where the retention of the record is required or authorised by law;
      • the Company requires the record to fulfil our lawful functions or activities;
      • retention of the record is required by a contract between the parties thereto;
      • the data subject (or competent person, where the data subject is a child) has consented to such longer retention; or
      • the record is retained for historical, research or statistical purposes provided safeguards are put in place to prevent use for any other purpose.
    • When the Company is no longer authorised to retain a record containing personal information, we are obliged to destroy, delete or de-identify such record. Any destruction or deletion of a record must be done in a manner that prevents its reconstruction in an intelligible form.
    • In instances where the Company utilises personal information for decision-making purposes, an additional requirement is imposed on the Company, namely that the records be retained for the period prescribed by law or code of conduct, in the absence of which, for such period which will allow a data subject a reasonable opportunity to access the records.
    • Restricted Processing
      • In certain instances, the Company is required to place a restriction on the processing of personal information.
        • In terms of POPIA, the instances where the Company must place a restriction on the processing are where –
          • the accuracy of such information is contested by the data subject;
          • the personal information is no longer required to achieve the purpose for which it was collected or subsequently processed (but has to be maintained for purposes of proof);
          • the processing is unlawful, and the data subject requests the restriction of use; or
          • the data subject requests to transmit the data into another automated processing system.

SOME STATUTES SPECIFYING RETENTION REQUIREMENTS

  • Companies Act 71 of 2008 (the “Companies Act”)
    • The Companies Act specifically states that where a document, record or statement is required to be retained in terms of the Companies Act, it is sufficient if an electronic original or reproduction of that document is retained subject to the requirements in ECTA (see paragraph 4 above).
    • In terms of Section 24 of the Companies Act, the following records are to be kept for a period of 7 years: (i) any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Companies Act; (ii) notice and minutes of all shareholders’ meetings, including resolutions adopted and documents made available to holders of securities; (iii) copies of reports presented at the annual general meeting of the company; (iv) copies of annual financial statements required by the Companies Act; (v) copies of accounting records; (vi) record of directors and past directors, after the director has retired from the company; (vii) written communication to holders of securities; and (viii) minutes and resolutions of directors’ meetings, audit committee and directors’ committees.
    • Copies of the following documents must be retained for an indefinite period: (i) Registration certificate; (ii) Memorandum of Incorporation and alterations and amendments; (iii) Rules; (iv) Securities register and uncertified securities register; (v) Register of company secretary and auditors; and (vi) with regard to regulated companies, the Register of disclosure of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued.
    • The Companies Act requires that the abovementioned records must be accessible at or from the company’s registered office or another location, or other locations, within South Africa.
  • Tax Administration Act 28 of 2011 (“TAA”)
    • Section 29 of the TAA requires that a person must keep the records, books of account or documents that – (i) enable the person to observe the requirements of the TAA; (ii) are specifically required under a tax Act; and (iii) enable SARS to be satisfied that the person has observed these requirements, for a minimum period of 5 years. These records must be kept in the Republic of South Africa in order to be available for inspection by a SARS official.
  • The National Credit Act 34 of 2005
    • In terms of section 170 of the National Credit Act 34 of 2005 (the “National Credit Act”) and regulations 55 and 56 promulgated in terms of the National Credit Act, all credit related records are required to be retained for a minimum period of 3 years.
    • Where a third party is appointed to maintain the records, as required by the National Credit Act, the party making the appointment is not absolved of any responsibility to maintain the records in accordance with the National Credit Act and that party must ensure that any records maintained by the third party will be available without any undue delay.
    • Credit-related records include applications for credit; application for credit declined; reasons for decline of application for credit; pre-agreement statement and quote; credit agreements entered into with consumers; documentation in support of steps taken in relation to the assessment of the proposed consumer, record of payments made and documentation in support of any steps taken after default by consumer.
    • Records to be retained in respect of operations include a record of income, expenses and cash flow; credit transaction flows and management accounts and financial statements.
    • With regard to credit applications and agreements, same are to be retained for a minimum period of 3 years from the date of termination of the credit agreement or in the case of an application for credit that is refused or not granted for any reason, from date of receipt of the application. Other credit-related records are to be retained for a minimum of 3 years from the earlier of the date on which the registrant created, signed or received the document.
  • The Consumer Protection Act 68 of 2008
    • In so far as the Company acts as an intermediary and its activities in relation thereto are not regulated by other legislation, the Consumer Protection Act 68 of 2008 (the “Consumer Protection Act”) requires in terms of section 27(3)(b) read with regulations 9 and 10, that a record be retained for a minimum period of 3 years of the information that an intermediary is required to give to a consumer in terms of the Consumer Protection Act such as the intermediary’s full names, physical business address, postal address, phone numbers, cellular telephone number, facsimile number, email address and any registration number assigned or issued to the intermediary by any regulatory body; registration number; the contact details of its public officers and specification of the exact service to be rendered by the intermediary. Similarly, a record is to be kept of any written instruction given or sent by a consumer to the intermediary and where a transaction is concluded, a record of advice furnished to a consumer which must reflect the basis on which the advice was given.
    • Further to this, should the Company run promotional competitions, section 36(11)(b) read with regulation 11 requires that a record of all information relating to the promotional competition is to be retained for a minimum of 3 years. Information relating to the promotional competition includes –
      • full details of the promoter, including identity or registration numbers, addresses and contact numbers;
      • the rules of the promotional competition;
      • a copy of the offer to participate in a promotional competition;
      • the names and identity numbers of the persons responsible for conducting the promotional competition;
      • a full list of all the prizes offered in the promotional competition;
      • a representative selection of materials marketing the promotional competition or an electronic copy thereof which must be easily accessible in a generally available format;
      • a list of all instances when the promotional competition was marketed, including details on the dates, the medium used and places where the marketing took place;
      • the names and identity numbers of the persons responsible for conducting the selection of prize winners in the promotional competition;
      • an acknowledgment of receipt of the prize signed by the prize winner, or legal guardian where applicable, and his or her identity number, and the date of receipt of the prize, or where this is not possible, proof by the promoter that the prize was sent by post or other electronic means to the winner using his or her provided details;
      • declarations by the persons responsible for conducting the competition made under oath or affirmation that the prize winners were to their best knowledge not directors, members, partners, employees, agents or consultants of or any other person who directly or indirectly controls or is controlled by the promoter or marketing service providers in respect of the promotional competition, or the spouses, life partners, business partners or immediate family members;
      • the basis on which the prize winners were determined;
      • a summary describing the proceedings to determine the winners, including the names of the persons participating in determining the prize winners, the date and place where that determination took place and whether those proceedings were open to the general public;
      • whether an independent person oversaw the determination of the prize winners, and his or her name and identity number;
      • the means by which the prize winners were announced and the frequency thereof;
      • a list of the names and identity numbers of the prize winners;
      • a list of the dates when the prizes were handed over or paid to the prize winners; and
      • in the event that a prize winner could not be contacted, the steps taken by the promoter to contact the winner or otherwise inform the winner of his or her winning a prize and in the event that a prize winner did not receive or accept his or her prize, the reason for his or her not so receiving or accepting the prize, and the steps taken by the promoter to hand over or pay the prize to that prize winner.
  • The Financial Advisory and Intermediary Services Act 37 of 2002
    • In terms of section 18 of the Financial Advisory and Intermediary Services Act 37 of 2002 (the “Financial Advisory and Intermediary Services Act”), records must be maintained for a minimum period of 5 years of all known premature cancellations of transactions or financial products by clients of the provider; complaints received together with an indication whether or not such complaint has been resolved; the continued compliance with the requirements referred to in section 8; cases of non-compliance with the Financial Advisory and Intermediary Services Act and the reasons for such non-compliance and the continued compliance by representatives with the requirements referred to in section 13(1) and (2).
    • Furthermore, section 3 of the General Code of Conduct for Authorized Financial Services Providers and Representatives requires a retention period of 5 years for records pertaining to verbal and written communications concerning a financial service rendered to a client as well as any other material documentation relating to the client or financial services rendered to the client. Such client records and documentation are to be kept safe from destruction for a period of 5 years after termination, to the knowledge of the provider, of the product concerned, or after the rendering of the financial service concerned.
    • Financial service providers are not required to keep the records themselves but must ensure that they are available for inspection within seven days of the registrar’s request.
  • The Financial Intelligence Centre Act 38 of 2001
    • In terms of sections 22 and 23 of the Financial Intelligence Centre Act 38 of 2001 (the “Financial Intelligence Centre Act”) whenever an accountable institution establishes a business relationship or concludes a transaction with a client, the accountable institution must keep record of the identity of the client or if the client is acting on behalf of another person, the identity of the person on whose behalf the client is acting and the client’s authority to act on behalf of that other person or if another person is acting on behalf of the client, the identity of that other person and that other person’s authority to act on behalf of the client; the manner in which the identity of the aforesaid persons was established; the nature of that business relationship or transaction and any document or copy of a document obtained by the accountable institution.
    • In the case of a business relationship, the records must reflect the information obtained concerning (i) the nature of the business relationship; (ii) the intended purpose of the business relationship; and (iii) the source of the funds which the prospective client is expected to use in concluding transactions in the course of the business relationship.
    • Records of every transaction must be retained, whether the transaction is a single transaction or concluded in the course of a business relationship, that are reasonably necessary to enable that transaction to be readily reconstructed. The records must reflect the amount involved and the currency in which it was denominated; the date on which the transaction was concluded; the parties to the transaction; the nature of the transaction; business correspondence and where account facilities are provided to clients, the identifying particulars of all accounts and the account files at the accountable institution that are related to the transaction.
    • The records may be retained in electronic format and must be retained for a minimum period of 5 years from the termination of the business relationship or in the case of a transaction, from the date the transaction is concluded.

DATA RETENTION MATRIX

      • All records must be characterised by their nature and purpose and must be retained in accordance with the requirements specified in the Data Retention Matrix, unless an exception applies.
      • The Data Retention Matrix indicates –
        • the minimum retention period (derived from statute or business needs as indicated in the Data Retention Matrix);
        • the format in which the record must be retained;
        • the place of storage; and
        • the method of destruction.
      • The retention periods listed in the Data Retention Matrix are examples of the minimum periods as prescribed by the relevant legislation. The Data Retention Matrix covers only certain records used in our business. Unless otherwise stated, the retention period is the minimum number of years from the date of the last entry in the record. Where there is no statutory requirement, the retention is based on the conservative period of 5 years used in general practice. Where different legislation is applicable to the same record, the longer retention period has been selected.
      • Notwithstanding the Data Retention Matrix, guidance on each specific record should first be sought from the Information Manager, prior to the default position being implemented.
      • Each Division operating outside South Africa must define its own records retention schedule in accordance with local legislation and register same with the Information Officer. In the absence of any country specific retention schedule, the Data Retention Matrix will apply.

EFFECTIVE DATE AND CHANGES TO THIS POLICY

      • The effective date of this Policy is 14 July 2020.
      • We reserve the right to change this Policy at any time without notice to you, so please check back regularly to obtain the latest copy of this Policy. We last revised this policy in July 2020.
      • Any changes to this Policy must be approved by the Compliance Officer.

ENFORCEMENT AND REPORTING OF BREACHES OF THIS POLICY

      • Any noncompliance with the terms of this Policy could have serious legal and reputational repercussions for the Company and may cause significant damage to the Company. Therefore, any noncompliance could lead to disciplinary action being taken against the relevant employees.
      • Should any employee become aware of any noncompliance with the terms of this Policy, they are required to immediately report this to their relevant line managers, who in turn should report this to the Information Manager. Such reports may also be sent to the following email address: compliance@quicktrade.co.za

1. ISO 15489-1 Second Edition 2016-04-15, Information and Documentation – Records management – Part 1: Concepts and Principles (“ISO 15489:2016”).

2. ISO 15489:2016

3. The Information Regulator means the body empowered to monitor and enforce compliance by public and private bodies with the provisions of the PAIA and POPIA.

Annexure “A”

Data Retention Matrix

Statutorily prescribed retention periods and regulatory retention periods:

2. Standard practice retention periods

The retention periods below apply generally to the extent that there are no statutorily prescribed retention periods or regulatory periods. In other words, the following guideline retention periods are standard practice of the Company.

ANNEXURE “B” – DESTRUCTION RECORD TEMPLATE

Date of Destruction | Type of Record Destroyed | Location Where Record is Stored | Method Used to Destroy the Record | Serial Number of Hard Drive or Storage Devices Destroyed, where applicable
 