1. Responsible body and Data Protection office

Sasol is the data controller and therefore responsible for collection and processing of your personal data. The physical address of Sasol’s head office is Sasol Place, 50 Katherine Street, Sandton, South Africa, 2196. If you have any questions regarding our data processing activities, your rights or any of the contents of this privacy statement, please contact our Chief Privacy Officer at privacy@sasol.com.

2. Our lawful reasons for processing your personal data

At Sasol, we respect your privacy and value the trust which you place in us. As a result, we will only process your data when we have a valid reason do so. Our lawful reasons for processing your personal data will most commonly include:

1. Performance of a contract, which includes processing of personal data required to enter into a contract with you or the organisation for whom you work, alternatively for purposes of concluding a contract of employment with you and/or the conducting of pre-contractual measures including but not limited to, background checks and assessing your fitness and suitability for the position applied for at Sasol;

2. Compliance with a legal obligation placed on Sasol;

3. Where it is necessary for our legitimate interests (or those of a third party) and your privacy right(s) do not override those interests;

4. We may also use your personal data in the following situations, which are likely to be rare:

4.1. where we need to protect your (or someone else’s) interests, or

4.2. where it is necessary in the public interest or for official purposes;

5. Under limited circumstances we may also process your personal data based on your consent; and

6. Operational reasons that include access control, Investigations and access permit/card process (screening) when visiting any Sasol sites or premises.

In regard to specific processing activities, we may provide supplementary privacy notices to facilitate transparency, where the lawful basis, purpose or processing activities may need further elaboration.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason, that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you (by means of direct communication to you, a revised privacy statement or other appropriate means) and we will explain the legal basis which allows us to do so.

3. The personal data we hold

Based on the lawful reasons above, we may collect, store, and use the following categories of personal data about you:

1. basic information, such as your name, your employer, your title or position and your relationship to a person;
2. contact information, such as your physical address, email address and phone number(s);
3. financial information, such as bank account details;
4. technical information (including your IP address), such as information from your visits to our website or any applications or in relation to materials and communications we send to you electronically;
5. information you provide to us for the purposes of attending meetings and events, including access and dietary requirements;
6. information you provide to us when answering any surveys you may participate in, for example, our customer satisfaction surveys;
7. identification and background information provided by you or collected by us as part of our business acceptance processes;
8. identification and background information collected or generated by us as part of our conflict-of-interest management processes (including gift, entertainment and hospitality declaration processes);
9. identification, background and employment information, professional experience and affiliations, and medical and health information as part of your application for employment with Sasol;
10. personal data provided to us by or on behalf of our clients or generated by us in the course of providing services which may include special categories of data;
11. details of your visits to any of our offices;
12. publicly available information in order to facilitate our business dealings with you or your employer; and
13. any other information relating to you which you may provide to us.

4. How we use particularly sensitive personal data

“Special categories” of particularly sensitive personal data are afforded higher levels of protection. Reference to Special categories of data includes race or ethnic origin, trade union membership, political persuasion, health or medical information and criminal behaviour.

We will only collect, store and/or use your personal data which falls within this category, if we have a valid justification for processing. As required by applicable law(s), we have appropriate policies and safeguards in place, when processing these categories of information.

We may process special categories of personal data under the following justifications:

1. in limited circumstances, with your explicit written consent;

2. where we need to carry out our legal obligations or exercise rights in connection with any contract we may have with you or the organisation for whom you work; or

3. where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your (or someone else’s) interests and you are not capable of giving your consent, or where you have already made the information public.

5. Data Sharing

We may have to share your personal data with various internal Sasol functions and various entities within the Sasol group (e.g., Sasol Forensic Services, Sasol Security Services, Sasol HR, Sasol Group Ethics, etc.), as well as various third parties, including third-party service providers who are engaged to perform services on our behalf such as product or service delivery, credit reference checks, or business scoring.

Where appropriate, before disclosing personal data to a third party, we shall contractually mandate the third party to take adequate precautions to protect that data and to comply with applicable law.

In the event of a merger / acquisition / sale or company re-structure, your personal data may be part of the transferred assets and is likely to be disclosed to the purchaser / new company.

Sharing Data with third parties

All our third-party service providers and all Sasol entities are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable legal requirements.

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group, such as:

(a) professional registrations;

(b) insolvency administrators;

(c) legal and other advisors to Sasol; and

(d) other independent service providers.

The above list is not exhaustive.

Transferring data globally

Sasol has designed and implemented its data collection and handling policies, processes and procedures with the most stringent global privacy and data protection laws and regulations in mind. Accordingly, we take into account the highest legal standards when processing and transferring your data.

We are a global organisation with offices and sites in multiple locations around the world. Accordingly, we may transfer your personal data to Sasol locations to any Sasol legal entity worldwide, or to third parties / business partners who are located in various countries around the world. The global nature of our organisation means your personal data may be sent to countries in which standards of privacy protection differ from the standards of your country of residence. Please note, we have implemented measures to safeguard your personal data should it be transferred to another country. Such measures include (where your data is transferred outside the European Union / European Economic Area), the Standard Contractual Clauses (“SCCs”) published by the European Commission. Should you so wish, you may obtain from Sasol’s Chief Privacy Officer, further details on the SCCs and our other safeguards.

6. Data security

Sasol strives to secure the confidentiality, integrity and availability of your personal data by taking appropriate and reasonable, technical and organisational measures to prevent loss of, damage to, unauthorised use or destruction, and unlawful access to, or processing of your personal data. To this extent, we have due regard to generally accepted information security practices and procedures, and a dedicated information security team, which constantly reviews and improves our personal data security measures.

We endeavour to secure your personal data stored on Sasol information systems and held in hard copy. Personal data contained in hard copy (paper) format is kept secure and safe in warehouses or lockable cupboards.

7. Data retention

We will only retain your personal data, in accordance with our records retention policies. We will retain personal data for as long as it is necessary to fulfil the purposes for which we collected it or where we are legally entitled / obligated to do so. This includes for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the purpose for which we process personal data, the volume, the nature, and sensitivity of the personal data. We further consider the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal data in accordance with our records management policies and applicable laws.

8. Processing you can expect from us via various touch points

1.Data processed when you visit our website

1.1. Processed data collected:

If you visit our websites, your browser automatically transmits the following data:

• Date, time and duration of the time you have spent viewing a page
• Name of your Internet Service Provider
• The referring website
• The IP (Internet Protocol) address of your device / workstation / computer
• Your internet browser type and version
• The operating system of your device / workstation / computer

1.2. Purposes of data processing:

It is necessary to store data for a limited period of time to be able to effectively deliver the website to your browser with the necessary functionality. With the help of this data, we also obtain statistical information on how our websites are used. We also collect the data to secure, prevent and track access, or misuse of our websites and IT systems.

2.Cookies and tracking technologies on the Sasol website

When you visit our website, we collect data with the help of cookies, which are small text files that are stored on your device. Cookies usually contain a cookie ID i.e., a unique identification feature that can be used to identify your device. They may store information such as your IP address or other identifier, and information about the content you view, allowing them to remember your preferences and settings. Depending on the kind of the cookie, different data is collected and processed.

It is our policy to use cookies only with the consent of the users of our website, except where the use is strictly necessary for the operation of the website. Below we describe how we may use cookies for the operation of our website.

2.1. Types and purpose of cookies used

Our website only uses two types of cookies: technically strictly necessary cookies and analytics cookies.

2.1.1. Technically necessary cookies

Technically strictly necessary cookies are essential for the website to function. They cannot be deactivated in our systems, but you can set your browser to block or warn you about these cookies. Note that in this case the full functionality of the website may no longer be available.

2.1.2. Analytics cookies

Where you have permitted the use of analytics cookies, we use Google Analytics 4, a web analytics service provided by Google LLC. The data controller for users in the EEA, UK and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). We use Google Analytics 4 to collect statistical information about how our website is used without personally identifying you. Google Analytics services involve the use of cookies that collect information such as your IP address or other identifiers, browser information, and information about the content you view.

Google Analytics 4 has IP anonymisation enabled by default. Due to IP anonymisation, your IP address will be truncated by Google within the EEA, UK and Switzerland. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States of America (“USA”) and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

We only collect the following data elements through Google Analytics 4:

- Approximate location (country and region only)

- Events (e.g., user journey, click path)

- IP address (in shortened form)

- Language setting

- Referrer URL

- Device brand (such as iPhone, LG, or Samsung)

- Device category (such as desktop, mobile or tablet)

- Platform (such as web, iOS, or Android)

- Browser (such as Chrome, Safari or Edge)

The information collected by means of the cookies about your use of this website is generally transferred to a Google server in the USA and stored there. Google Analytics 4 cookies may retain information for up to two years. For more information about Google Analytics 4 services, please click here .

2.1.3. Cookies list

Technically necessary cookies

Cookie name	Description	Cookies used	Lifespan
CookieConsent	This cookie stores the user's consent state for the current domain.	Third-party	session

Performance cookies

Cookie name	Description	Cookies used	Lifespan
_ga	This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site's analytics reports.	First-party	1 year 1 month
_gid	This cookie is set by Google Analytics. It stores and update a unique value for each page visited and is used to count and track pageviews.	First-party	1 day
_ga_2BZRKCZB2L	This cookie is used by Google Analytics to persist session state.	First-party	1 year 1 month

Targeting cookies

Cookie name	Description	Cookies used	Lifespan
guest_id	This cookie is set by Twitter to identify and track the website visitor.	Third-party	1 year 1 month
VISITOR_INFO1_LIVE	This cookie is set by Youtube to keep track of user preferences for Youtube videos embedded in sites; it can also determine whether the website visitor is using the new or old version of the Youtube interface.	Third-party	6 months
personalization_id	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.	Third-party	1 year 1 month
YSC	This cookie is set by YouTube to track views of embedded videos.	Third-party	Session
VISITOR_PRIVACY_METADATA	YouTube sets this cookie to store the user's cookie consent state for the current domain.	Third-party	6 months
_ttp More info	TikTok set this cookie to track and improve the performance of advertising campaigns, as well as to personalise the user experience.	Third-party	1 year

2.2. Controlling options:

When you first visit our website, you will be shown a banner in which you can choose whether you want to accept or reject cookies, except for cookies that are technically essential.

If you wish, you can also use your web browser settings to specify how your device should handle cookies. On some devices, you can control this via the device settings. Please note that if you choose not to receive cookies, the full functionality of the website may no longer be available. Every browser and device are different, so you should check the settings menu of your browser or device to see how you can change your settings and cookie preferences. Information on how to manage cookie settings in specific browsers can be found on the websites of the providers of the various web browsers (Chrome, Firefox, Internet Explorer, Safari, etc).

Links to Sasol Social media pages

Sasol has links to its various Social media pages. If you visit these platforms, the privacy policy / notice / statement and terms and conditions of the specific platform apply.

3. Data collected when you contact us

3.1. Processed data:

When you contact us via a contact form, via email or phone, we process the personal data you communicate to us, e.g., your name, your email address and your request. The data will be stored in a Sasol repository. The data marked as mandatory has to be provided in order to action your request. Refusal to provide certain information may result in Sasol being unable to action your request.

3.2. Purposes of data processing:

We use your data in order to process and respond to your request.

3.3. Legal basis:

We process data to take steps to fulfil your request, as it relates to our business activity.

3.4. Retention period:

We store your data as long as it is necessary to fulfil the purposes mentioned above. Should the business activity referred to above result in the conclusion of a contract or other business relationship to which you are party, your personal data may be stored as necessary according to that contract.

I. Your rights and duties

1. Privacy a fundamental right

At Sasol we respect your fundamental right to Privacy. Your trust and confidence are of paramount importance to us. Please see your privacy rights below, relating to the use of your personal data which may be exercised under certain circumstances.

1.1. Right to withdraw your consent:

You may withdraw your consent to the processing of your personal data at any time. Please note that the revocation does not affect the legality of the data processed thus far. However, we may be obliged by law to retain your personal data despite the withdrawal of your consent. As far as we process personal data for direct marketing purposes you have the right to object at any time.

1.2. Right to object:

You may object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.

1.3. Right to access:

This right enables you to access the personal data we hold about you and to check that we are lawfully processing it.

1.4. Right to correction

The right enables you to have any incomplete or inaccurate information we hold about you corrected.

1.5. Right to data portability

Under certain circumstances you may have the right to request the facilitation of a transfer of your personal data to another party.

1.6. Right to Deletion

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.

2.Your Duties

As the party responsible for the lawful processing and security of your personal data, we endeavour to treat your personal data according to this privacy statement, applicable law and international best practice. In order to facilitate the protection of your personal data, you have the following duties:

• duty to inform us when there are changes to your personal data;
• duty to safeguard your personal data; and
• duty confirm your identity in order to action your rights.

3.Contact point for asserting your rights:

Should you wish to exercise any of the privacy rights above, you can direct your queries to privacy@sasol.com.

Our dedicated team would appreciate any comment or complaint, on this privacy statement, or our privacy practices as a whole, to assist us with ensuring we respect your privacy as you would reasonably expect.

J. Right to contact a supervisory authority:

You can file a claim with the respective data privacy supervisory authorities if you believe that our data processing does not meet the legal requirements, or we did not facilitate the exercise of your rights accordingly. Contact details for your local data protection regulator can be found on the internet, as follows:

• if you are in the European Union: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• if you are in the United Kingdom: https://ico.org.uk/
• If you are in the United States: https://www.ftc.gov/
• if you are in South Africa: https://inforegulator.org.za
• if you are in Singapore: https://www.pdpc.gov.sg/
• If you are in Japan: https://www.ppc.go.jp/en/
• If you are in China: http://www.cac.gov.cn/
• If you are in Hong Kong: https://www.pcpd.org.hk/

You can also request them from the Sasol Chief Privacy Officer using the email address provided above.

K. Updates

We reserve the right, at our sole discretion, to modify, add or remove sections of this privacy statement at any time.

This privacy statement (and any updates to or amended versions of this privacy statement) may be published on Sasol's website as well as any other channels we may find appropriate.

Last update: April 2024