Under POPIA, individuals (data subjects) have the following rights regarding their personal information:

• Individuals have the right to request access to their personal information held by the Company.
• Individuals have the right to request the correction of inaccurate or incomplete information.
• Individuals have the right to request the deletion of personal information under certain circumstances.
• Individuals may object to the processing of their personal information, in whole or in part.
• Individuals may request that processing be restricted in certain situations, for example, if they contest the accuracy of their data.
• Where applicable, individuals may request that their personal information be transferred to another party in a structured, commonly used format.

To exercise these rights, data subjects can contact the Information Officer at the contact details listed above.

The Company may share personal information with third parties under the following circumstances:

• Third-party service providers engaged in areas such as IT support, payroll, legal, auditing, and marketing.
• Where the Company is required by law to disclose personal information (e.g., to regulators, law enforcement agencies, or in legal proceedings).
• In the event of a sale, merger, or acquisition, personal information may be transferred to the new entity.

In any case, personal information will only be shared with third parties in compliance with POPIA and the conditions for lawful processing.

The Company has procedures in place to handle data breaches, including:

• Incident Reporting: Employees must immediately report any suspected data breach to the Information Officer.
• Containment: Steps will be taken to mitigate any harm caused by the breach.
• Notification: In the event of a breach, data subjects and the Information Regulator will be notified where required under POPIA.
• Investigation: The Company will investigate the cause of the breach and implement measures to prevent future occurrences.

CRH-Africa Automotive (Pty) Ltd will ensure that all employees involved in processing personal information are trained on the requirements of POPIA and are aware of their responsibilities regarding personal data protection.

Training and awareness programs will be conducted regularly to keep staff informed about best practices in managing personal information securely.