ABRIDGED GENERAL PRIVACY NOTICE
1. INTRODUCTION 1.1 This Notice is an abridged version of the General Privacy Notice available on the BPOPF website which applies to all persons who provide and/or receive information with/from the BPOPF, in particular Personal Information.
1.2 The processing of Personal Data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with local Data Protection Laws and/ or specific data protection regulations implemented by BPOPF.
1.3 BPOPF confirms that it has implemented technical and organizational measures to promote the protection of Personal Data. However, absolute protection is not guaranteed. Where measures are breached, BPOPF shall endeavour to be transparent.
1.4 In all cases, the content herein shall be subject to the reasonable assessments of BPOPF from time to time, including its technical and cost limitations and other legitimate interests.

2. WHAT DATA PROTECTON STANDARDS DO WE ADHERE TO?
2.1 We comply with the Data Protection Act of Botswana, which provides that the personal information we hold about you must be:
• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

3. DATA COLLECTION
3.1 The exact type of data we collect will depend on the nature of the business relationship. Nevertheless, we collect data solely for business purposes.
3.2 Our systems may collect general data which is mostly anonymized but may be used to measure how the systems are working, monitor usage for audit purpose, ensure optimal user experience, etc.
3.3 Moreover, we may collect Personal Data through various means as required to comply with Retirement Funds Act and other laws in order for us to deliver products and services to our members. Personal Data is collected only where required by law and is used and disclosed only to fulfil legal requirements.
3.4 Each department within the BPOPF currently collects data of different categories, types and in different methods. A summary is contained in the General Privacy Notice

4. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
We may share your Personal Data with our employees, trustees, regulators/public authorities, and service providers. In these cases there would be a legitimate business need to know the information for the purposes described in this Notice. We assess and ensure that there is a need to know basis.

5. MEMBER PERSONAL DATA
5.1 Member Personal Data is mostly obtained from and/or shared with the Fund Administration Services Provider (currently NMG Botswana). All pension funds in Botswana are required by the Retirement Funds Act to appoint such a third party and their scope of services includes payment of benefits to dependents and beneficiaries. These dependents and beneficiaries may include minors, in which case additional protections and consents apply. Other notable recipients of Member Personal Data include regulators, public authorities, actuary and law firms.
5.2 Furthermore, BPOPF may obtain member information itself, for example through direct member engagement, use of tracing companies to find members/dependents/beneficiaries, and/or use of contractors to source KYC information.

6. HOW DO WE SECURE YOUR PERSONAL DATA?
6.1 BPOPF takes reasonable and appropriate administrative, technical and physical precautions.
6.2 Technical measures include:
6.2.1 regular I.T audit done by both internal and external resources
6.2.2 regular I.T Red-Teaming and Penetration testing done by independent external firms
6.2.3 use of high standard cloud-based technology
6.2.4 encryption technology
6.2.5 use of secure professional offsite storage facilities that adhere to international
6.2.6 dedicated on-site Records Management Unit
6.2.7 secure offices manned 24/7 by outsourced licensed security service providers

7. PURPOSE LIMITATION, DATA INTEGRITY AND RETENTION
7.1 We limit the collection, use and retention of your Personal Data to that which is relevant for the purposes described herein or other purposes consistent with reasonable expectations given the context of the collection. In addition, we take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. The period for which your Personal Data will be stored results from legal obligations specified in relevant laws (for example, laws concerning workers compensation or taxes), or as long as the Personal Data is necessary for the purposes of the legitimate interests pursued by BPOPF, and in cases where processing based on your consent, as long as that consent is valid.
7.2 The General Privacy Notice contains a non-exhaustive summary of the grounds for processing.

8. HOW CAN YOU ACCESS AND CORRECT YOUR PERSONAL DATA?
Depending on the applicable law, you may have various rights in respect to your personal information, such as a right of access, rectification, restriction of or objection to processing of your personal data, and portability to another controller and erasure. Please note that these rights are subject to limitations set out in law and our own business interests. In other cases there may be limits to our capacity to meet a request. When requesting access to your Personal Data, please note that we may request specific information from you so we can confirm your identity and search for and provide you with your Personal Data. You may access your personal information by contacting us using the contact information herein

9. YOUR OBLIGATIONS
Please keep your Personal Data up to date and inform us of any relevant/significant changes. You agree to inform your dependents, beneficiaries, emergency contacts or other persons whose Personal Data you provide to us about the content of this Notice and about the use (including transfer and disclosure) of their Personal Data as set out in this Notice. You further agree to follow applicable law regarding your handling of any Personal Data in the course of your relationship with us.

10. ROUTINE ERASURE AND BLOCKING OF PERSONAL DATA
The BPOPF shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the DPA or other legislators in laws or regulations to which the BPOPF is subject to. If the storage purpose is no longer applicable, or if a storage period prescribed by the Botswana legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.

11. RIGHTS OF THE DATA SUBJECT
o Right of confirmation
o Right of access
o Right to rectification
o Right to erasure
o Right of restriction of processing
o Right to data portability
o Right to object
o Automated individual decision-making, including profiling
o Right to withdraw data protection consent

12. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfilment of the contract or the initiation of a contract.

13. PROVISION OF PERSONAL DATA AS STATUTORY OR CONTRACTUAL REQUIREMENT
In certain instances the provision of personal data is partly required by law (e.g. tax regulations or financial intelligence laws) or can also result from contractual provisions (e.g. information on the contractual partner). The non-provision of the personal data in these circumstances could mean we are unable to engage with the counter-party.

14. AUTOMATED DECISION-MAKING
The BPOPF does not, in the ordinary course of business, perform automatic decision-making or profiling.

15. CROSS-BORDER TRANSFERS
15.1 We comply with Botswana Data Protection Act to the extent that it requires local storage and processing of Personal Data.
15.2 In rare instances, it may be legally necessary to transfer information, including Personal Information outside Botswana for example:

• When our clients or service providers in other countries need KYC data of our staff or Board members in order to provide us services and comply with the laws of their own countries
• When our clients or service providers in other countries need KYC data of the businesses in which we have invested;
• When a legal dispute has an international element or some of the parties are in other countries
• When we need specialist services abroad