• Supplier hosts the Supplier Data
• Supplier is a Sub-processor of Client Information
• Client Information includes Personal Data
• The Sub-processor is located in South Africa
• The Sub-processor is located outside of the EEA
• Where GDPR applies to the Client, the Client must rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR

The Supplier Data that GBG uses to provide South Africa Identity is supplied by GBG’s Data Supplier. GBG is obliged under the terms of its agreement with its Data Supplier to ensure that all End Users agree to comply with the following provisions:

1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms:

“Customer Due Diligence” has the same meaning it has in the FIC Act, 2001 as amended and for purposes of this Appendix also include Know Your Client and Client Identification and verification.
“Permitted Purpose” means performing electronic identity and/or address verification.
“the POPI Act” means the Protection of Personal Information Act, 4 of 2013 together with the POPI Regulations, as amended;
“POPI Regulations” means the regulations to the POPI Act, once promulgated and such other regulations promulgated in terms of the POPI Act from time to time;
“Prescribed Information” shall bear the meaning set out in Section 18(4) of the POPI Regulations read with Section 18(5) of the POPI Regulations where applicable;
“Processing” shall bear the meaning set out in Section 1 of the POPI Act and “Process” shall bear a similar meaning.
“the FIC Act” means the Financial Intelligence Centre Act, 2001 as amended.

2. USE OF THE SERVICE
2.1 The End User may only use South Africa Identity for the Permitted Purpose in accordance with the terms contained within these Additional Terms/
2.2 The End User must not under any circumstances disclose South Africa Identity to any third party without the Data Supplier’s prior consent.
2.3 The End User acknowledges that the Supplier Data is provided “as is” without any warranties of any kind, whether express or implied.
2.4 The End User acknowledges that it shall familiarize itself with the provisions of the FIC Act and other relevant anti-money laundering legislation, the POCA, the POPI Act and their respective Regulations and shall abide by all these applicable laws, insofar as they apply to the End User.
2.5 The End User acknowledges that it shall at all times comply with the requirements for the Processing of Personal Information, Prescribed Information and Consumer Credit Information as prescribed by POPI, the FIC Act and other anti-money laundering legislation, regulations and formal guidelines and directives not to comprise the Data Supplier in any way, manner or form; and/or other applicable legislation.
2.6 The End User acknowledges that it shall comply with the Customer Due Diligence requirements, the Risk Management and Compliance Programme and the record keeping provisions as contained in the FIC Act.
2.7 The End User acknowledges that the Data Supplier will retain electronic copies of records submitted for a period of five (5) years.

3. EXCLUSION OF WARRANTY/IES
3.1 The End User acknowledges and agrees that the data is provided “as is”, “as available” and with all faults and is provided without any covenants, promises or guarantees as to accuracy, functionality, performance, merchantability, system integration, data accuracy or fitness for any purpose. Any conditions, terms or warranties as to the same implied or imposed by statue or common law are hereby excluded to the fullest extent permitted by law.

4. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS
4.1 The Supplier Data used to provide this element of the Service is hosted by the Data Supplier. In order to perform the Services, the Data Supplier shall act as Sub-processor of Client Information (including any Personal Data supplied) for the sole purpose of delivering this element of the Service. The End User authorises GBG to appoint the Data Supplier as Sub-Processor for the purposes specified in this clause 4.1.
4.2 The Data Supplier is based in South Africa which is located outside of the EEA. Where GDPR applies to the Client, the Client acknowledges that prior to submitting Client Information to GBG for processing it shall determine, and is solely liable for ensuring that it can rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR.

5. TERMINATION
5.1 Notwithstanding the termination provisions between GBG and the End User in the General Terms, under the terms of GBG’s agreement with its South Africa Identity Data Supplier, the supply of South Africa Identity can be terminated on 6 months written notice.