Privacy Policy – prelink

1. DEFINITIONS

In this Policy (as defined below), unless the context requires otherwise, the following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings –

1.1 “Child” means any natural person under the age of 18 (eighteen) years;

1.2 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information under the control of or in the possession of GENCODE CC;

1.3 “Data Subject” has the meaning ascribed thereto under POPIA Act No. 4 of 2013;

1.4 “Direct Marketing” means to approach a person, by electronic communication, telephone communication, face to face, marketing material, social media, websites, applications (web based and/or mobile) and/or the internet, for the purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject;

1.5 “Employees” means any employee of the GENCODE CC;

1.6 “Operator” means a person or entity who Processes Personal Information for a

Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party;

1.7 “Personal Information” has the meaning ascribed thereto under POPIA and specifically includes any form of information that can be used to identify a Data Subject;

1.8 “Policy” means this Privacy Policy;

1.9 “POPIA” means the Protection of Personal Information Act No. 4 of 2013;

1.10 “Processing” has the meaning ascribed thereto under POPIA. “Process” has a

corresponding meaning;

1.11 “Regulator” means the Information Regulator established in terms of the Act;

1.12 “Responsible Party” means a public or private body or any other person which alone or in conjunction with others, determines the purpose of and means for Processing Personal Information;

1.13 “Special Personal Information” means Personal Information concerning a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour; and

1.14 “Third Party” means any independent contractor, agent, consultant, sub-contractor, or other representative of GENCODE CC.

2. PURPOSE OF THIS POLICY

2.1 The purpose of this Policy is to inform Data Subjects about why and how GENCODE CC Processes their Personal Information.

2.2 GENCODE CC, in its capacity as Responsible Party and/or Data Processor, shall strive to observe, and comply with its obligations under POPIA as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

2.3 This Policy applies to Personal Information collected by GENCODE CC in connection with the goods and services which GENCODE CC provides and offers. This includes Personal Information collected directly from you as a Data Subject, as well as Personal Information we collect indirectly though our service providers who collect your information on our behalf.

2.4 This Privacy Policy does not apply to the information practices of Third-Party companies who we may engage with in relation to our business operations (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that GENCODE CC does not manage or employ. These Third-Party sites may have their own privacy policies and terms and conditions, and we encourage you to read them before using them.

3. PROCESS OF COLLECTING PERSONAL INFORMATION

3.1 GENCODE CC collects Personal Information directly from Data Subjects, unless an exception is applicable (such as, for example, where a data subject provides the data via a laboratory testing facility, via mobile booking site or via documented request from a registered physician, where the Data Subject has made the Personal Information public or the Personal Information is contained in or derived from a public record).

3.2 GENCODE CC will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject’s privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

3.3 GENCODE CC often collects Personal Information directly from the Data Subject and/or in some cases, from Third Party software vendors and laboratory clients. Where GENCODE CC obtains Personal Information from Third Parties, GENCODE CC will ensure that the 3rd party software vendor obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject’s consent where GENCODE CC is permitted to do so in terms of clause 3.1 above.

3.4 Examples of such Third Parties include: (i) our customers when GENCODE CC handles Personal Information on their behalf; (ii) recruitment agencies; (iii) other companies providing services to GENCODE CC; (iv) Laboratory test facilities and (v)Medical Diagnostic Software providers.

4. LAWFUL PROCESSING OF PERSONAL INFORMATION

4.1 Where GENCODE CC is the Responsible Party, it will only Process a Data Subject’s Personal Information (other than for Special Personal Information) where –

4.1.1 consent of the Data Subject (or a competent person, where the Data Subject is a Child) is obtained;

4.1.2 Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;

4.1.3 Processing complies with an obligation imposed by law on GENCODE CC;

4.1.4 Processing protects a legitimate interest of the Data Subject; and/or

4.1.5 Processing is necessary for pursuing the legitimate interests of GENCODE CC or of a third party to whom the information is supplied.

4.2 GENCODE CC will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above are present.

4.3 Where required (i.e., where we are not relying on a legal ground listed in paragraph 4.1 above), GENCODE CC will obtain the Data Subject’s consent prior to collecting, and in any case prior to using or disclosing, the Personal Information for any purpose.

4.4 GENCODE CC will make the method and purpose for which the Personal Information will be Processed clear to the Data Subject.

4.5 Where GENCODE CC is relying on a Data Subject’s consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to GENCODE CC’s Processing of the Personal Information at any time. However, this will not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or any Processing justified by any other legal ground provided under POPIA.

4.6 If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, GENCODE CC will ensure that the Personal Information is no longer Processed.

5. SPECIAL PERSONAL INFORMATION AND PERSONAL INFORMATION OF CHILDREN

5.1 Special Personal Information is sensitive Personal Information of a Data Subject and GENCODE CC acknowledges that it will generally not Process Special Personal Information unless –

5.1.1 Processing is carried out in accordance with the Data Subject’s consent;

5.1.2 Processing is necessary for the establishment, exercise or defence of a right or obligation in law;

5.1.3 Processing is for historical, statistical or research purposes, subject to stipulated safeguards;

5.1.4 information has deliberately been made public by the Data Subject; or

5.1.5 specific authorisation applies in terms of POPIA.

5.2 GENCODE CC acknowledges that it may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with applicable laws.

6. PURPOSE FOR PROCESSING PERSONAL INFORMATION

6.1 GENCODE CC understands its obligation to make Data Subjects aware of the fact that it is Processing their Personal Information and inform them of the purpose for which GENCODE CC Processes such Personal Information.

6.2 GENCODE CC will only Process a Data Subject’s Personal Information for a specific, lawful and clear purpose (or for specific, lawful and clear purposes) and will ensure that it makes the Data Subject aware of such purpose(s) as far as possible.

6.3 It will ensure that there is a legal basis for the Processing of any Personal Information. Further, GENCODE CC will ensure that Processing will relate only to the purpose for and of which the Data Subject has been made aware (and where relevant, consented to) and will not Process any Personal Information for any other purpose(s).

6.4 GENCODE CC will generally use Personal Information for purposes required to operate and manage its normal business operations and these purposes include one or more of the following non-exhaustive purposes –

6.4.1 for purposes of carrying out its business to process and store medical diagnostic data, including engaging with the South African department of Health and the National Institute for Communicable Diseases of South Africa in order send data relating to Notifiable Medical Conditions (NMC);

6.4.2 for the purposes of engaging with and providing its products or services to customers and where relevant, for purposes of doing appropriate customer onboarding and credit vetting;

6.4.3 for the purposes of engaging with customers and consumers to address queries, provide support services and address order, installation and technical queries and issues;

6.4.4 for purposes of sending data directly to data subjects to share test results via email and/or SMS

6.4.5 for purposes of onboarding suppliers as approved suppliers of GENCODE CC. For this purpose, GENCODE CC will also Process a supplier’s Personal Information for purposes of performing credit checks, and this may include engaging third-party credit vetting agencies;

6.4.6 for purposes of monitoring the use of GENCODE CC’s electronic systems and online platforms by customers and consumers, or where anyone accesses GENCODE CC’s websites and requests information or requires that GENCODE CC contact them or where website users provide GENCODE CC with their personal information via GENCODE CC’s websites to log their interest with GENCODE CC products or effect an order for quotation via GENCODE CC’s website or via email;

6.4.7 For the purposes of provisioning, operating and maintenance of its products and services to its customers and consumers, GENCODE CC will, from time to time, engage third party service providers (who will Process the Data Subject’s Personal Information on behalf of GENCODE CC) to facilitate this;

6.4.8 for purposes of Processing Personal Information collected via GENCODE CC’s websites and portals;

6.4.9 for purposes of preventing, discovering and investigating non-compliance with this Policy and other GENCODE CC policies, and investigating fraud, or other related matters;

6.4.10 in connection with the execution of payment processing functions, including payment of GENCODE CC’s suppliers’ invoices;

6.4.11 to provide a service to GENCODE CC customers in terms of relevant services agreements;

6.4.12 for employment-related purposes such as recruitment, administering payroll and carrying out background checks;

6.4.13 in connection with internal audit purposes (i.e., ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);

6.4.14 in connection with external audit purposes. For this purpose, GENCODE CC engages external service providers and, in so doing, shares Personal Information of the Data Subjects with third parties;

6.4.15 to respond to any correspondence that GENCODE CC’s commercial customer may send to GENCODE CC, including via email or by telephone;

6.4.16 to contact the Data Subject for direct marketing purposes subject to the provisions of section 10 below;

6.4.17 in order to address customer complaints in respect of GENCODE CC’s products and services;

6.4.18 for such other purposes to which the Data Subject may consent from time to time; and

6.4.19 for such other purposes as authorised in terms of applicable law.

7. KEEPING PERSONAL INFORMATION ACCURATE

7.1 GENCODE CC will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further processed.

7.2 GENCODE CC may not always expressly request the Data Subject to verify and update his/her/its Personal Information unless this process is specifically necessary.

7.3 GENCODE CC, however, expects that the Data Subject will notify GENCODE CC from time to time in writing of any updates required in respect of his/her/its Personal Information.

8. STORAGE AND PROCESSING OF PERSONAL INFORMATION BY GENCODE CC AND THIRD-PARTY SERVICE PROVIDERS

8.1 GENCODE CC may store your Personal Information in hardcopy format and/or in electronic format using GENCODE CC’s secure Cloud Service agreement or other internally hosted technology. Your Personal Information may also be stored by Third Parties, or other GENCODE CC group companies, via cloud services or other technology, with whom GENCODE CC has contracted with, to support GENCODE CC’s business operations.

8.2 GENCODE CC’s Third-Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject’s Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

8.3 GENCODE CC will ensure that such Third-Party service providers will process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and POPIA.

8.4 These Third Parties do not use or have access to your Personal Information other than for purposes specified by us, and GENCODE CC requires such parties to employ at least the same level of security that GENCODE CC uses to protect your personal data.

8.5 Your Personal Information may be Processed in South Africa or another country where GENCODE CC, its affiliates and their Third-Party service providers maintain servers and facilities and GENCODE CC will take steps, including by way of contracts, to ensure that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law.

9. HOW WE USE COOKIES

9.1 Our website uses cookies – which are small text files sent by a web server to store on a web browser. These cookies are used to ensure that our website functions properly, it stores user preferences when needed and collects anonymous statistics on website usage.

9.2 First party cookies:

Please list ones in use

9.3 Third party cookies:

Please list if any

9.4 You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting, you may be unable to access certain parts of the website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to the website. If you accept a “cookie” or fail to deny the use of “cookies”, you agree that we may use your personal information collected using “cookies” (subject to the provisions of this Policy). Where you either reject or decline cookies, you are informed that you may not be able to fully experience the interactive features of the website.

10. USE OF PERSONAL INFORMATION ON OUR WEBSITE AND FOR MARKETING PURPOSES

10.1 Website users may share personal information with GENCODE CC via our website, including their contact details, email and payment information, to determine whether GENCODE CC products are available in the area where they live or work and if available, to place an order via our website, in which case GENCODE CC may share your contact details with the laboratory service provider that you have selected to perform the medical diagnostic tests.

The provisions of this Policy apply to the personal information which is shared with GENCODE CC on the company website and patient booking website.

10.2 Where GENCODE CC carries out any marketing activities, it will comply with its obligations under POPIA.

10.3 GENCODE CC may use Personal Information to market GENCODE CC’s services directly to the Data Subject(s) if the Data Subject is one of GENCODE CC’s existing customers, the Data Subject has requested to receive marketing material from GENCODE CC or GENCODE CC has the Data Subject’s consent to market its services directly to the Data Subject.

10.4 GENCODE CC will ensure that a reasonable opportunity is given to the Data Subject to object to the use of their Personal Information for GENCODE CC’s marketing purposes when collecting the Personal Information and to “unsubscribe” or ‘opt out” of receiving marketing material on each occasion of GENCODE CC providing a marketing communication.

10.5 GENCODE CC will not use your Personal Information to send you marketing materials if you have requested not to receive them and if you have requested that GENCODE CC stop Processing your Personal Information for marketing purposes, GENCODE CC shall do so.

11. RETENTION OF PERSONAL INFORMATION

11.1 GENCODE CC may keep records of the Personal Information it has collected, correspondence, or comments in an electronic or hardcopy file format.

11.2 In terms of POPIA, GENCODE CC may not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances –

11.2.1 where the retention of the record is required or authorised by law;

11.2.2 GENCODE CC requires the record to fulfil its lawful functions or activities;

11.2.3 retention of the record is required by a contract between the parties thereto;

11.2.4 the data subject (or competent person, where the data subject is a child) has consented to such longer retention; or

11.2.5 the record is retained for historical, research or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, GENCODE CC will, subject to the exceptions noted in this Policy, retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by applicable law.

11.3 Where GENCODE CC retains Personal Information for longer periods for statistical, historical or research purposes, GENCODE CC will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and applicable laws.

11.4 Once the purpose for which the Personal Information was initially collected and processed no longer applies or becomes obsolete, GENCODE CC will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information. In instances where we de-identify your Personal Information, GENCODE CC may use such de-identified information indefinitely.

12. FAILURE TO PROVIDE PERSONAL INFORMATION

12.1 Should GENCODE CC need to collect Personal Information by law or under the terms of a contract that GENCODE CC may have with you and you fail to provide the personal data when requested, we may be unable to perform the contract we have or are attempting to enter into with you.

12.2 In such a case, GENCODE CC may have to decline to provide or receive the relevant services, and you will be notified where this is the case.

13. SAFE-KEEPING OF PERSONAL INFORMATION

13.1 GENCODE CC shall preserve the security of Personal Information and strive to take steps to prevent its alteration, loss and damage, or access by non-authorised third parties.

13.2 GENCODE CC will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of Personal Information.

13.3 GENCODE CC has implemented physical, organisational, contractual, and technological security measures (having regard to generally accepted information security practices or industry specific requirements or professional rules) to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification. Further, GENCODE CC maintains and regularly verifies that the security measures are effective and regularly updates same in response to new risks.

14. BREACHES OF PERSONAL INFORMATION

14.1 A Data Breach refers to any incident in terms of which reasonable grounds exist to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

14.2 A Data Breach can happen for many reasons, which include:

(a) loss or theft of data or equipment on which Personal Information is stored;

(b) inappropriate access controls allowing unauthorised use;

(c) equipment failure;

(d) human error;

(e) unforeseen circumstances, such as a fire or flood;

(f) deliberate attacks on systems, such as hacking, viruses or phishing scams; and/or

(g) alteration of Personal Information without permission and loss of availability of Personal Information.

14.3 GENCODE CC will address any Data Breach in accordance with the terms of POPIA.

14.4 GENCODE CC will notify the Regulator and the affected Data Subject (unless the applicable law requires that we delay notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject’s Personal Information.

14.5 GENCODE CC will provide such notification as soon as reasonably possible after it has become aware of any Data Breach in respect of such Data Subject’s Personal Information.

14.6 Where GENCODE CC acts as an ‘Operator’ for purposes of POPIA and should any Data Breach affect the data of Data Subjects whose information GENCODE CC Processes as an Operator, GENCODE CC shall (in terms of POPIA) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorised person.

15. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS

15.1 GENCODE CC may disclose Personal Information to Third Parties and will enter into written agreements with such Third Parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy, and POPIA.

15.2 GENCODE CC notes that such Third Parties may assist GENCODE CC with the purposes listed in paragraph 6.3 above – for example, service providers may be used, inter alia,

15.2.1 for data storage;

15.2.2 to assist GENCODE CC with auditing processes (external auditors); and/or

15.2.3 to notify the Data Subjects of any pertinent information concerning the Data Subject or GENCODE CC.

15.3 GENCODE CC will disclose Personal Information with the consent of the Data Subject or if GENCODE CC is permitted to do so without such consent in accordance with applicable laws.

15.4 Further, GENCODE CC may also send Personal Information to a foreign jurisdiction outside of the Republic of South Africa, including for Processing and storage by Third Parties or other GENCODE CC group companies.

15.5 When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, GENCODE CC will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information where GENCODE CC is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under POPIA.

15.6 The Data Subject should also take note that the Processing of Personal Information in a foreign jurisdiction may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law,

enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

16. ACCESS TO PERSONAL INFORMATION

16.1 POPIA read with the relevant provisions of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”) confers certain access rights on Data Subjects. The GENCODE CC’s PAIA Manual can be found at https://www.prelink.co.za/files/Gencode CC-paia-popi-manual.pdf

(“PAIA Manual”). These rights include –

16.1.1 a right of access: a Data Subject having provided adequate proof of identity has the right to: (i) request a Responsible Party to confirm whether any Personal Information is held about the Data Subject; and/or (ii) request from a Responsible Party a description of the Personal Information held by the Responsible Party including information about Third Parties who have or have had access to the Personal Information.

A Data Subject may request:

16.1.1.1 GENCODE CC to confirm, free of charge, whether it holds any Personal Information about him/her/it; and

16.1.1.2 to obtain from GENCODE CC the record or description of Personal Information concerning him/her/it and any information regarding the recipients or categories of recipients who have or had access to the Personal Information. Such record or description is to be provided: (a) within a reasonable time; and (b) in a reasonable manner and format and in a form that is generally understandable.

16.1.2 a right to request correction or deletion: a Data Subject may also request of GENCODE CC to –

16.1.2.1 correct or delete Personal Information about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

16.1.2.2 destroy or delete a record of Personal Information about the Data Subject that the GENCODE CC is no longer authorised to retain records in terms of POPIA’s retention and restriction of records provisions.

On receipt of such a request, GENCODE CC is required to, as soon as is reasonably practicable –

16.1.2.2.1 correct the information;

16.1.2.2.2 delete or destroy the information;

16.1.2.2.3 provide the Data Subject with evidence in support of the information; or

16.1.2.2.4 where the Data Subject and Responsible Party cannot reach agreement on the

request and if the Data Subject request this, GENCODE CC will take reasonable steps

to attach to the information an indication that correction has been requested but

has not been made;

16.1.3 a right to withdraw consent and to object to processing: a Data Subject that has previously consented to the Processing of his/her/its Personal Information has the right to withdraw such consent and may do so by providing the GENCODE CC with notice to such effect at the address set out in paragraph 19. Further, a Data Subject may object, on reasonable grounds, to the Processing of Personal Information relating to him/her/it.

16.2 Accordingly, GENCODE CC may request the Data Subject to provide sufficient identification to permit access to, or provide information regarding the existence, use or disclosure of the Data Subject’s Personal Information. Any such identifying information shall only be used for the purpose of facilitating access to or information regarding the Personal Information.

16.3 The Data Subject can request in writing to review any Personal Information about the Data Subject that GENCODE CC holds including Personal Information that GENCODE CC has collected, utilised or disclosed.

16.4 GENCODE CC shall respond to these requests in accordance with POPIA and PAIA and provide the Data Subject with any such Personal Information to the extent required by law and any of GENCODE CC’s policies and procedures which apply in terms of the PAIA.

16.5 The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information in GENCODE CC’s records at any time in accordance with the process set out in the PAIA Manual for accessing information.

16.6 If a Data Subject successfully demonstrates that their Personal Information in GENCODE CC’s records is inaccurate or incomplete, GENCODE CC will ensure that such Personal Information is amended or deleted as required (including by any Third Parties).

16.7 GENCODE CC will respond to each written request of a Data Subject not later than 30 days after receipt of such requests. Under certain circumstances, the GENCODE CC may, however, extend the original period of 30 days once for a further period of up to 30 days.

16.8 A Data Subject has the right to make a complaint to GENCODE CC in respect of this time limit by contacting GENCODE CC using the contact details provided in paragraph 17 below. The prescribed fees to be paid for copies of the Data Subject’s Personal Information are referenced in the PAIA Manual.

17. CHANGES TO THIS POLICY

17.1 GENCODE CC reserves the right to make amendments to this Policy from time to time and will use reasonable efforts to notify Data Subjects of such amendments.

17.2 The current version of this Policy will govern the respective rights and obligations between you and GENCODE CC each time that you access and use our site.

18. CONTACT US

18.1 All comments, questions, concerns or complaints regarding your Personal Information or this Policy, should be forwarded to our Information Officer, Mr. Nolan D. France, at email: [email protected]; Address: Harmelia Wellness Institute, 40 Shelton Avenue, Harmelia, Edenvale, 1609.

18.2 If required, the Data Subject can contact the office of the Regulator, the details of which are:

http://justice.gov.za/inforeg/

Tel: 012 406 4818

Fax: 086 500 3351

[email protected]