Privacy Policy


The right to privacy is an integral human right recognized and protected in the South African constitution and in the Protection of Personal Information Act 4 of 2013 (POPIA). As part of the ordinary running of the business, Grand Central Airport (Pty) Ltd may be required to process personal information. Accordingly, the Company is required to protect such personal information as set out in the provisions of the Act. This policy serves as Grand Central Airport (Pty) Ltd’s commitment to comply with the provisions of POPIA and to ensure that personal information is processed within the parameters of the law. It furthermore aims to provide insights and guidelines on how personal information of data subjects will be processed, in accordance with the Act. This policy is supplemented by the following Company policies:

a) Confidentiality and Non-disclosure Policy and Agreements

b) Electronic Communications/Computer Usage Policy

c) Retention of Records Policy


The following words and/or expressions shall, unless the context indicates otherwise, bear the meaning assigned to them below and in the POPI Act;

a) “Data subject” means the person to whom personal information relates;

b) “Employee” means a permanent, fixed-term or temporary employee of the Company;

c) “Operator” means a third party that processes personal information in terms of a mandate with the Company, without coming under the direct authority of the Company.

d) “Information Officer” means the person appointed by the Company who is responsible for the monitoring of compliance with the conditions for the lawful processing of Personal information; dealing with requests made in terms of the POPI Act; working with the Regulator in relation to investigations conducted in relation to prior authorisation by the Data subject and ensuring compliance by the Company with the provisions of the POPI Act.

e) ‘’Personal Information’’ Personal Information means personal information relating to any identifiable, living, natural person, and an identifiable, existing juristic person, including, but not limited to:

i) In the case of an individual:

  • name, address, contact details, date of birth, place of birth, identity number, passport number, bank details, details about employment, tax number and financial information;
  • vehicle registration;
  • dietary preferences;
  • financial history;
  • information about next of kin and or dependents;
  • information relating to education or employment history; and

Special Personal Information, which includes:

  • race, gender, pregnancy, national, ethnic or social origin, colour, physical or mental health, disability, criminal history, including offences committed or alleged to have been committed, membership of a trade union and biometric information, such as images, fingerprints and voiceprints, blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.

ii) In the case of a juristic person:

  • name, address, contact details, registration details, financials and related history, B-BBEE score card, registered address, description of operations, bank details, details about employees, business partners, customers, tax number, VAT number and other financial information; and –

iii) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.

iv) the views or opinions of another individual about the person; and

v) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.

f) “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal information, including—

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, as well as restriction, degradation, erasure or destruction of information.


The Information Officer of Grand Central Airport (Pty) Ltd is Bernadine Kraft whose details are available below and who is responsible for compliance with the conditions of the lawful processing of personal information and other provisions of POPIA.

She is assisted by Marietjie Coetzee who will function as the Company’s Deputy Information Officer. Any request for personal information should be directed to the individuals below.

Information Officer:
Bernadine Kraft
+27 (0)11 805 3166

Deputy Information Officer:
Marietjie Coetzee
+27 (0)11 805 3166


4.1. Personal Information Collected by the Company

The Personal Information that will be collected by the Company in the ordinary course of business includes:

a) Personal information of employees, which is required for conducting the business and for statutory bodies, such as SARS and Department of Labour.

b) Information that is adequate, necessary, and relevant to enable the Company to effectively render a service to clients or assist in any other manner required.

c) Electronic communications sent to the Company.

d) Information submitted to the Company in response to a vacancy advertisement.

4.2. Protection of Personal Information

a) All electronic files or data shall be backed up by the IT Division which is also responsible for system security that protects third party access and physical threats. The IT Division is responsible for Electronic Information Security.

b) The Company uses a variety of security measures and technologies to help protect Personal information from unauthorized access, use, disclosure, alteration or destruction in line with applicable personal information protection and privacy laws.

c) The transmission of information via the internet or a mobile phone network connection may not be completely secure and any transmission is at the Data subject’s risk.

d) Despite the security measures the Company has in place to protect Personal information of a Data subject (firewalls, password access and encryption methods), the Data subject acknowledges that it may be accessed by an unauthorized third party, e.g., because of an illegal activity.

e) Any data breaches will be reported to the Information Regulator as soon as reasonably possible and in accordance with POPIA.

4.3. The Usage of Personal Information

Personal information will only be used for the purpose for which it was collected and as agreed/consented to. This may include:

a) In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.

b) Providing services to clients and to carry out the transactions requested, as mandated in the relevant operator agreement.

c) Confirming, verifying, and updating client or employee details.

d) For the detection and prevention of fraud, crime, money laundering or other malpractices;

e) For audit and record keeping purposes.

f) In connection with legal proceedings.

4.4. Retention of Personal Information

Personal Information relating to the Company, its employees, or affiliates, whether in hard or soft copy format, shall be protected, handled, and disposed of in accordance with the provisions of POPIA. Records of personal information will not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless— a) Retention of the record is required or authorized by law.

b) The Company reasonably requires the record for lawful purposes related to its functions or activities.

c) Retention of the record is required by a contract between the parties thereto; or

d) The data subject or a competent person where the data subject is a child has consented to the retention of the record.

The Company will destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after it is no longer authorized to retain the record in terms of the above. Destruction of records will be done in accordance with POPIA.

4.5. Requests for and sharing of Personal Information

The Company may share Personal information of a Data subject with the following third parties:

a) Company approved operators with whom an agreement has been put in place for the processing of information and provision of services to the Company. This includes those who provide the Company with technology services, HR, and payroll support, etc.

b) Professional or legal advisors, training providers, auditors and business partners.

c) Regulators, government and law enforcement authorities, for instance SARS or the Department of Labour.

Unless an agreement already exists, requests for information by a third party (not listed above) must be in writing and should be submitted to the Information Officer for review. All staff are required to pass on anything which might be a subject access request to the Information Officer without delay.

Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the PAIA Manual.


Employees and clients will be required to consent to the use and storage of their personal information through:

a) An employment contract or addendum thereto.

b) A Service Level Agreement or Operators Agreement.

Employees and clients have the right to access the personal information the Company holds about them. They also have the right to ask the Company to update, correct or delete their personal information on reasonable grounds. Any objections to the storage or processing of a data subject’s personal information should be directed to the Information Officer.