PAIA Manual

MANUAL for Club Corporate Travel (PTY) LTD T/A DestiniPrepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA) and the Protection of Personal Information Act 4 of 2013 (POPIA)

Date of Compilation: 26 September 2025
Date of Revision: 26 September 2025

1. Introduction

This Manual is published in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 ("PAIA"). PAIA gives effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights.

This Manual also serves to provide information on how Club Corporate Travel (Pty) Ltd T/A Destini ("Destini") processes personal information, in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA"). The purpose of this Manual is to assist potential requesters in understanding the types of information we hold and the procedures for requesting access to that information and for exercising their rights under POPIA.
‍

2. Contact Details (Section 51(1)(a) of PAIA)

Company Name: Club Corporate Travel (Pty) Ltd T/A Destini
Registration Number: 2003/011060/07
Physical Address: Rosebank Corner, 191 Jan Smuts Avenue, Parktown North, Johannesburg, 2193, South Africa
Telephone Number: 011 268 4411
Website: www.destini.travel
Information Officer: Wayne Kruger
Email of Information Officer: wayne@nexct.co
‍
The designated Information Officer is responsible for overseeing compliance with both PAIA and POPIA, fulfilling the roles and responsibilities assigned under both Acts.
‍

3. The Information Regulator's Guide (Section 51(1)(b) of PAIA)

The Information Regulator has compiled a guide in terms of Section 10 of PAIA that provides information on how to exercise your rights under PAIA. This guide is available on the Information Regulator's website. Any queries regarding this guide should be directed to:
‍

The Information Regulator (South Africa)
Website: https://inforegulator.org.za/
Email: inforeg@justice.gov.za

4. Records Available Without a Formal PAIA Request

The following categories of records are automatically available for inspection, purchase, or photocopying without the need to submit a formal PAIA request:
‍

Marketing and promotional materials freely available on our website.
This PAIA Manual.
Publicly available company information and press releases.

5. Records Held by the Company (Section 51(1)(d) of PAIA)

We hold records on the following subjects and in the following categories. Access to these records is not automatic and must be requested in accordance with the procedure outlined in this manual.
‍

Subject	Categories of Records
Client and Traveller Records	Client service level agreements, booking forms and records, travel itineraries, copies of passports and visas, payment records, correspondence with clients and travellers.
Financial Records	Financial statements, accounting records, tax records (VAT, PAYE), banking records, asset registers, invoices, and statements of account.
Human Resources	Employment contracts, employee personal information, payroll records, leave records, performance management records, disciplinary records, training records.
Supplier and Service Provider Records	Contracts with third-party suppliers (airlines, hotels, GDS providers), supplier contact and banking details, statements of account.
Company Secretarial	Memorandum of Incorporation, company registration documents, share registers, minutes of meetings of directors and shareholders.
Information Technology	IT policies and procedures, network diagrams, software licenses, user access records.

6. Personal Information Processing (POPIA Compliance)

6.1 Purpose of Processing Personal Information (Section 51(1)(c)(i) of PAIA)

‍We process personal information for the following purposes:
‍

To provide and manage corporate travel services for our clients and their travellers.
To facilitate bookings with third-party travel suppliers.
To manage client accounts, process payments, and for general financial administration.
To communicate with clients and travellers regarding bookings and services.
For human resources and employee administration purposes.
To comply with our legal and regulatory obligations.
For marketing and business development purposes, subject to obtaining the necessary consent.
‍

6.2 Categories of Data Subjects and Information Processed (Section 51(1)(c)(ii) of PAIA)
‍

Categories of Data Subjects	Personal Information that may be processed
Employees of Corporate Clients (Travellers)	Full name, contact details, identity/passport number, date of birth, gender, nationality, visa information, travel preferences, frequent flyer details, emergency contact details, payment information, and where applicable, health information.
Corporate Client Contact Persons	Full name, job title, work contact details (email, phone number).
Our Employees	Full name, contact details, identity number, tax information, banking details, employment history, qualifications, medical aid and pension fund details, beneficiary information.
Supplier Contact Persons	Full name, job title, work contact details, banking details for payment purposes.

6.3 Recipients of Personal Information (Section 51(1)(c)(iii) of PAIA)

We may supply personal information to the following categories of recipients:

Third-party travel suppliers (e.g., airlines, hotels, car rental companies).
Global Distribution Systems (GDS).
Visa and immigration service providers.
Our technology service providers (e.g., hosting providers, software developers).
Regulatory bodies (e.g., SARS, Department of Labour).
Our professional advisors (e.g., auditors, legal counsel).
Financial institutions and payment gateways.

6.4 Transborder Data Flows (Section 51(1)(c)(iv) of PAIA)

To facilitate international travel, we transfer personal information to third-party suppliers located outside of the Republic of South Africa. We ensure that such transfers are conducted in compliance with Chapter 9 of POPIA, either to countries with adequate data protection laws or under the protection of a binding agreement that upholds POPIA's principles.

6.5 General Description of Security Measures (Section 51(1)(c)(v) of PAIA)

We have implemented appropriate and reasonable technical and organizational security measures to protect the personal information we hold. These measures include, but are not limited to:

Physical access controls to our premises.
Logical access controls to our IT systems.
Data encryption for sensitive information.
Firewalls, anti-virus, and anti-malware solutions.
Regular security assessments and vulnerability testing.
Data protection and information security policies for our staff.
Confidentiality agreements with employees and third-party operators.

7. Procedure for Requesting Access (Section 51(1)(e) of PAIA)

To request access to a record, a requester must complete the prescribed Form 2 (Request for Access to Record), which is available on the Information Regulator's website or from our Information Officer. The completed form, along with proof of identity and payment of the prescribed request fee, must be submitted to our Information Officer at the contact details provided in Section 2 of this manual.

We will notify the requester in writing within 30 days of receipt of a compliant request whether access has been granted or denied. This period may be extended once for a further 30 days under certain circumstances, in which case we will notify the requester of the extension.

8. Grounds for Refusal of Access

Access to a record may be refused on grounds stipulated in Chapter 4 of Part 3 of PAIA. These grounds are in place to protect the rights and interests of third parties, the company, and public safety. The primary grounds for refusal include, but are not limited to:
‍

Section 63: Mandatory Protection of Privacy of a Third Party: We must refuse access if disclosure would involve the unreasonable disclosure of personal information about a third party.
‍
Section 64: Mandatory Protection of Commercial Information of a Third Party: We must refuse access to a third party's trade secrets or other financial, commercial, scientific, or technical information if disclosure would likely cause harm to their commercial or financial interests.
‍
Section 65: Mandatory Protection of Certain Confidential Information of a Third Party: We must refuse access to information supplied in confidence by a third party if its disclosure could prejudice them in negotiations or commercial competition.
‍
Section 66: Mandatory Protection of Safety of Individuals and Property: We must refuse access if disclosure could endanger the life or physical safety of an individual. We may also refuse access if it would likely prejudice the security of property or witness protection schemes.
‍
Section 67: Mandatory Protection of Records Privileged from Legal Proceedings: We must refuse access to a record if it is privileged from production in legal proceedings, unless the privilege has been waived.
‍
Section 68: Commercial Information of Destini: We may refuse access to our own trade secrets or other financial, commercial, scientific, or technical information if its disclosure would likely cause harm to our commercial or financial interests.
‍
Section 69: Mandatory Protection of Research Information: We must refuse access to research information of a third party and may refuse access to our own research information if disclosure would likely cause serious disadvantage.
‍

These grounds for refusal are subject to the public interest override in Section 70 of PAIA, which mandates disclosure if it would reveal evidence of a substantial contravention of the law or an imminent and serious public safety or environmental risk, and the public interest in the disclosure clearly outweighs the harm.
‍

9. Prescribed Fees (Section 51(1)(f) of PAIA)

The following fees are prescribed under PAIA for requests made to a private body. Please note that all fees are inclusive of VAT.
‍

Item	Description	Amount
1.	Request Fee: A non-refundable fee payable by every requester, other than a personal requester (a person requesting their own personal information).	R140.00
2.	Access Fees (if request is granted):
	For every photocopy of an A4-size page or part thereof.	R2.00
	For every printed copy of an A4-size page or part thereof held on a computer.	R2.00
	For a copy in a computer-readable form on a flash drive (requester to provide).	R40.00
	For a copy in a computer-readable form on a CD (requester to provide).	R40.00
	For a copy in a computer-readable form on a CD (provided by us).	R60.00
	For a transcription of visual images, per A4-size page.	Fee depends on quotation from service provider.
	For a copy of visual images.	Fee depends on quotation from service provider.
	For a transcription of an audio record, per A4-size page.	R24.00
	For a copy of an audio record on a flash drive or CD (requester to provide).	R40.00
	For search and preparation of the record for disclosure (per hour or part thereof, excluding the first hour).	R145.00
3.	Deposit: If the search for and preparation of the record is anticipated to exceed six hours, the requester will be required to pay a deposit of one-third of the total estimated access fee.	One-third of the estimated access fee.
4.	Postage: The actual postage or courier fee is payable by the requester.	Actual cost.

10. Your Rights as a Data Subject under POPIA

Under POPIA, you have specific rights in relation to your personal information that we process. These rights include:
‍

Right to be Notified: To be notified that your personal information is being collected and if your information has been accessed by an unauthorized party.
‍
Right of Access: To request confirmation of whether we hold personal information about you and to request a copy of that information.
‍
Right to Correction, Deletion or Destruction: To request the correction of inaccurate, irrelevant, outdated, or misleading information, and to request the deletion or destruction of information we are no longer authorized to retain.
‍
Right to Object: To object, on reasonable grounds, to the processing of your personal information.
‍
Right to Withdraw Consent: To withdraw your consent for processing at any time, where consent is the lawful basis for processing.
‍

To exercise these rights, you must submit a request in writing to our Information Officer. You may be required to use the prescribed forms (e.g., POPIA Form 1 for objection, POPIA Form 2 for correction/deletion) and provide adequate proof of your identity.

11. Data Retention and Destruction

Destini is committed to the POPIA principle of not retaining personal information for longer than is necessary to fulfil the purpose for which it was collected, unless a longer retention period is required or permitted by law (e.g., for tax or financial record-keeping purposes) or you have consented to us retaining the information for a longer period.

We maintain an internal Data Retention Schedule that specifies the retention periods for the various categories of records we hold. For example:
‍

Financial and Tax Records: Retained for a minimum of 5 years as required by the Companies Act and SARS.
‍
Client and Traveller Records: Retained for a minimum of 5 years as required by the Companies Act and SARS.
‍
Human Resources Records: Retained for a minimum of 5 years as required by the Companies Act and SARS.
‍

Once records are no longer required, they are securely and permanently destroyed or de-identified in a manner that prevents reconstruction.

12. Data Breach Notification Procedure

In the event of a security compromise where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized party, we will notify the Information Regulator and affected data subjects as soon as reasonably possible.

The notification to data subjects will be in writing and communicated via email, a notice on our website, or other appropriate channels. The notification will provide sufficient information to allow individuals to take protective measures, including:
‍

A description of the possible consequences of the breach.
A description of the measures we have taken or intend to take to address the breach.
A recommendation of measures the data subject can take to mitigate potential adverse effects.
The identity of the unauthorized party, if known.

13. Remedies and Appeal Process

If your request for access to a record is refused by our Information Officer, or if you are not satisfied with the decision, your remedy is to lodge a complaint with the Information Regulator. As a private body, Destini does not have a mandatory internal appeal procedure under PAIA.

A complaint must be lodged with the Information Regulator within 180 days of the decision. This is done by completing the prescribed PAIA Form 5 and submitting it to the Regulator at:

Email: PAIAComplaints@inforegulator.org.za

14. Availability of the Manual

This Manual is available for inspection at our offices during normal business hours and is also available on our website at www.destini.travel.
‍