Welcome to MEDHOLD GROUP

Privacy Policy in terms of the Protection of Personal Information Act, No. 4 2013 (South Africa)

This website has been designed to provide general information about Medhold Medical and its products. These pages are not intended to provide medical advice, nor do they provide instruction on the appropriate use of products produced or supplied by Medhold Medical.

Access to and use of this website is at the user’s own risk and is subject to the terms and conditions set forth herein and all applicable laws, statutes, and/or regulations. Medhold Medical may revise these terms and conditions from time to time by updating this posting.

Scope of policy
This policy applies to the business of Medhold Group wherever it is conducted, but based at the
registered office. It applies to paid staff.
Date approved by Information Officer: March 2021
Next policy review date: March 2022

1. Introduction
1.1 Purpose of policy
The purpose of this policy is to enable Medhold Group to:
· comply with the law in respect of the data it holds about individuals;
· follow good practice;
· protect Medhold Group’ staff and other individuals
· protect the organisation from the consequences of a breach of its responsibilities.
To recognise that:
– Section 14 of the Constitution of SA, 1996 provides that everyone has right to privacy;
– The right to privacy includes a right to protection against unlawful collection, retention,
dissemination and use of personal information.
1.2 Personal information
This policy applies to information relating to identifiable individuals, in terms of the Protection of
Personal Information Act, 2013 (hereinafter POPI Act).
1.3 Policy statement
Medhold Group will:
· comply with both the law and good practice
· respect individuals’ rights
· be open and honest with individuals whose data is held
· provide training and support for staff who handle personal data, so that they can act confidently
and consistently
Medhold Group recognises that its first priority under the POPI Act is to avoid causing harm to
individuals. In the main this means:
· keeping information securely in the right hands, and
· retention of good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which
their data may be used are taken into account. In addition to being open and transparent, Medhold
Group will seek to give individuals as much choice as is possible and reasonable over what data is
held and how it is used.
MEDHOLD GROUP
POPI Act Policy
1.4 Key risks
Medhold Group has identified the following potential key risks, which this policy is designed to
address:
· Breach of confidentiality (information being given out inappropriately)
· Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects
being insufficiently informed
· Failure to offer choice about data use (when appropriate)
· Breach of security by allowing unauthorised access
· Harm to individuals if personal data is not up to date

2 Information Officer Responsibilities
2.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and
Chapter 5, Part B.
2.2 Information Officer Responsibilities
The Information Officer has the following responsibilities:
· Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the
POPI Act, including but not limited to the following:
· Reviewing the POPI Act and periodic updates as published
· Ensuring that POPI Act induction training takes place for all staff
· Ensuring that periodic communication awareness on POPI Act responsibilities takes place
· Handling data subject access requests
· Approving unusual or controversial disclosures of personal data
· Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of
personal information
· Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are
in place
· Handling all aspects of relationship with the Regulator as foreseen in the POPI Act
Provide direction to any Deputy Information Officer if, and when, appointed.
2.3 Appointment
The appointment of the Medhold Group Information Officer will be authorised by the CEO.
Consideration will be given on an annual basis to the re-appointment or replacement of the
Information Officer; the need for any Deputy to assist the Information Officer.

3 Processing Limitation
3.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
3.2 Processing Limitation
Medhold Group undertakes to comply with the POPI Act, Conditions 2 in terms of processing
limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
3.3 Forms of consent
MEDHOLD GROUP
POPI Act Policy
Medhold Group undertakes to gain written consent where appropriate. Alternatively a recording
must be kept of verbal consent.
3.4 Nature of Personal Information
Medhold Group has identified all instances where personal information in the organisation is
processed as:
– Employee Files and records (including people interviewed but not successful & employees
who have resigned, died, boarded, retired or absconded)
– Customers Names, business email addresses, cell phones and land line numbers, physical
business addresses
– Suppliers Names, business email, cell phone and land line numbers, physical business
addresses
– Patient name (only where applicable for billing purposes)

4 Purpose specification
4.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.
4.2 Purpose specification
Medhold Group undertakes to comply with the POPI Act, Conditions 2 in terms of processing
limitation, sections 13 and 14, subject to the following stipulation (Retention periods).
Personal information will only be used for the purposes of conducting matters in the ordinary course
of Medhold Groups business.
4.3 Retention periods
Medhold Group will establish retention periods for at least the following categories of data:
· Employees: 7 years after leaving the Medhold Group
· Customers: 7 years after business cessation
· Suppliers: 7 years after business cessation
Personal information will be shredded if in paper form when retention period expires.

5 Further processing limitation
5.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
5.2 Further processing limitation
Medhold Group undertakes to comply with the POPI Act, Conditions 2 in terms of processing
limitation, section 15.
Again Personal information will only be processed further for the purposes of conducting matters in
the ordinary course of Medhold Groups business. However there may be instances where Medhold
Group need to prevent or mitigate a serious and imminent threat to public health or safety, or the
life or health of a data subject (for example: due to a field modification instructions, product recall or
patient incident).

MEDHOLD GROUP
POPI Act Policy

6 Information quality
6.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5.
Medhold Group will comply with all of the aspects of Condition 5, section 16.
6.2 Accuracy
Medhold Group will regularly review its records to ensure that they remain accurate and consistent
and, in particular:
· IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
· Data on any individual will be held in as few places as necessary, and all staff will be discouraged
from establishing unnecessary additional data sets.
· Effective procedures will be in place so that all relevant systems are updated when information
about any individual changes.
· Staff who keep more detailed information about individuals will be given additional guidance on
accuracy in record keeping.
6.3 Updating
Medhold Group will review all personal information on a regular basis to ensure accuracy.
6.4 Archiving
Archived electronic records of Medhold Group are stored securely in Block B. Paper record archiving
takes place in Block B and in secure locked locations on site.

7 Openness
7.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6
section 17 to18.
7.2 Openness
In line with Conditions 6 and 8 of the Act, Medhold Group is committed to ensuring that in principle
Data Subjects are aware that their data is being processed and
· for what purpose it is being processed;
· what types of disclosure are likely; and
· how to exercise their rights in relation to the data.
7.3 Procedure
Data Subjects will generally be informed in the following ways:
· Staff: through this policy
· Customers, Suppliers and other interested parties: through Standard Business Terms and
Conditions and/or contracts
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data
Subjects will be informed which fields are mandatory and why.

8 Security Safeguards
MEDHOLD GROUP
POPI Act Policy
8.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7,
section 19 to 22. This section of the policy only addresses security issues relating to
personal information.
8.2 Specific risks
Medhold Group has identified the following risks:
· Staff with access to personal information could misuse it.
· Staff may be tricked into giving away information, either about customers or fellow employees,
especially over the phone, or through “social engineering”.
8.3 Setting security levels
Access to information on the main Medhold Group computer system will be controlled by function.
Medhold Group has identified security levels required for each record held which contains Personal
Information by department.
8.4 Security measures
Medhold Group will ensure that all necessary physical and access controls are in place in terms of
access to personal information.
8.5 Business continuity
Medhold Group will ensure that adequate steps are taken to provide business continuity in the
event of an emergency.

9 Data Subject participation
9.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8,
sections 23 to 25.
9.2 Responsibility
Any data subject access requests will be handled by the POPI Act Information Officer in terms of
Condition 8.
9.3 Procedure for making request
Subject access requests must be in writing. All staff are required to pass on anything which might be
a data subject access request to the POPI Act Information Officer without delay.
Requests for access to personal information will be handled in compliance with the POPI Act and in
compliance with the Promotion of Access to Information Act (PAIA), as defined in the
Medhold Group PAIA Manual.
9.4 Provision for verifying identity
Where the individual making a data subject access request is not personally known to the POPI Act
Information Officer their identity will be verified before handing over any information.
9.5 Charging
Fees for access to personal information will be handled in compliance with the PAIA Act.
9.6 Procedure for granting access
MEDHOLD GROUP
POPI Act Policy
Procedures for access to personal information will be handled in compliance with the PAIA Act, as
defined in the Medhold Group PAIA Manual.

10 Processing of Special Personal Information
10.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26
to 33.
10.2 Processing of Special Personal Information
Medhold Group has the policy of adhering to the process of Special Personal Information which
relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership,
political persuasion, health or sex life or biometric information of a data
subject. Special personal information includes criminal behaviour relating to
alleged offences or proceedings dealing with alleged offences. Unless a general authorisation,
alternatively a specific authorisation relating to the different types of special personal information
applies, a responsible party is prohibited from processing special
personal information.

11 Prior Authorisation
11.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 6.
11.2 Prior Authorisation
Medhold Group has the policy of adhering to the process of Prior Authorisation in terms of sections
57 to 59.

12 Direct Marketing, Directories and Automated Decision Making
12.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
12.2 Direct Marketing, Directories and Automated Decision Making
Medhold Group undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
12.3 Opting in
Whenever data is first collected which might be used for any marketing purpose, this purpose will be
made clear, and the Data Subject will be given a clear opportunity to opt in.
12.4 Sharing lists
Medhold Group undertakes to obtain external lists only where it can be guaranteed that the list is up
to date and those on the list have been given an opportunity to opt out.
12.5 Electronic contact
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the
provision of the address made optional.
MEDHOLD GROUP
POPI Act Policy

13 Trans-border information flows
13.1 Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.
13.2 Trans border information flows
Medhold Group will ensure that the POPI Act Chapter 9, section 72 is fully complied with.
Medhold Group has identified Trans border flows which contain Personal Information.
Compliance with section 72 will be achieved through the use of the necessary contractual
commitments from the relevant third parties.

14 Staff training & acceptance of responsibilities
14.1 Scope
The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter
5, Part B.
14.2 Documentation
Information for staff is contained in this policy document and other materials made available by the
Information Officer.
14.3 Induction & Job Descriptions
The Medhold Group Information Officer will ensure that all staff who have access to any kind of
personal information will have their responsibilities outlined during their induction procedures and
included in their Job description responsibilities.
14.4 Continuing training
Medhold Group will provide opportunities for staff to explore POPI Act issues through training, team
meetings, and supervisions within their departments.
14.5 Procedure for staff signifying acceptance of policy
Medhold Group will ensure that all staff sign acceptance of this policy once they have had a chance
to understand the policy and their responsibilities in terms of the policy and the POPI Act.

15 Policy review
15.1 Responsibility
The Medhold Group Information Officer is responsible for an annual review to be completed prior to
the policy anniversary date.
15.2 Procedure
The Medhold Group Information Officer will ensure relevant stakeholders are consulted as part of
the annual review to be completed prior to the policy anniversary date.

16 Applicable Statutory forms
MEDHOLD GROUP
POPI Act Policy
The following forms are available for the Date Subject to use:
Form 1: Objection to the processing of Personal Information in terms of Section 11(3) of the POPI
Act, 2013
Form 2: Request for the correction or deletion of Personal Information or destroying or deletion of
record of Personal Information in terms of the POPI Act, 2013
Form 3: Application for the issue of a code of conduct in terms of Section 61 (1)(b) of the POPI Act,
2013
Form 4: Application for the consent of a data subject for the processing of Personal Information for
the purposes of direct marketing in terms of Section 69(2) of the POPI Act, 2013
Form 5: Complaint regarding interference with the protection of Personal Information/Complaint
regarding determination of an adjudicator in terms of Section 74 of the POPI Act, 2013