PRIVACY POLICY

This Privacy Policy (“Policy”) constitutes the formal policy of Fluorovizion Holdings (Pty) Ltd, any of its holding companies, all of its subsidiary companies from time to time, and any other entities owned and managed by one or more of the same directors (hereinafter collectively “the Group”). For the purposes of this Policy, the Group conducts business at Joules House, 804 Hammets Crossing Office Park, 2 Selbourne Road, Johannesburg North, 2188.

 

1. INTRODUCTION

The Protection of Personal Information Act 4 of 2013 (“POPIA”) gives effect to the constitutional right to privacy, including data privacy, which is enshrined in section 14 of the Bill of Rights of the Constitution of the Republic of South Africa. This right to privacy needs to be balanced with other rights of access to certain information which are also specified in the Constitution. POPIA, in conjunction with the Promotion of Access to Information Act 2 of 2000 (“PAIA”), seeks to promote these rights and balance competing interests.

This Policy sets out the Group’s practices with regard to how we collect, use, store and share your Personal Information which the Group, its service providers or its personnel accesses and processes, whether through online communication facilities, including the Group’s website, electronic mail, or social media platforms.

2. OBJECTIVE AND PURPOSE

The Group supplies a range of reputable, internationally acclaimed medical and surgical products to a range of medical institutions across South Africa and across South African borders to Namibia. The Group further facilitates the training of the medical professionals who use these products to ensure the highest level of safety and care for all patients.

The Group is accountable both locally and globally to regulatory authorities and oversight bodies applicable to the medical devices industry. The processing of Personal Information may also occur across international waters and therefore the Group is also subject to the European Union General Data Protection Regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“the GDPR”) and any other relevant international standards. As a result, the Group recognises the need for and is committed to applying the highest level of ethics and compliance standards to its operations and will foster a culture of compliance throughout the workplace.

The Group processes a range of Personal Information of various persons, including but not limited to employees, directors, shareholders, corporates, trusts, trustees, beneficiaries, hospitals, medical professionals, patients, contractors, vendors, visitors and even the general public through its online platforms, which information it is obliged to safeguard and protect.

This Policy sets out the Group’s processing activities and establishes privacy measures and standards that will be applied to all Personal Information connected to the Group’s business.

The Group is committed to protecting the privacy of all persons, both natural and juristic, whose Personal Information is processed by it and will ensure that it is processed appropriately, in a transparent manner, and according to applicable law.

3. SCOPE OF THE POLICY

This Policy applies to:

  • all current and future employees; all subsidiaries, business units, departments, and third-party service providers (whether existing or future) and all other individuals directly or indirectly associated with any one or all of the entities of the Group;
  • all of the Group’s online platforms and facilities regardless of who owns, hosts, or establishes them;
  • all persons who make use of the aforementioned online platforms and facilities, whether to access or use Personal Information or to input Personal Information as a data subject (as defined in POPIA);
  • all Personal Information processed by or on behalf of the Group as a Responsible Party or Operator as defined and provided for in POPIA; and
  • all Personal Information processed using any of the Group’s online platforms.

All service providers and persons acting on behalf of the Group are obliged to adhere to the requirements of POPIA and the Group will endeavour to, as far as possible, conduct internal due diligence to ensure that it does business with compliant individuals and entities.

4. INFORMATION COLLECTION

 

The Group collects Personal Information through online platforms or services and offline services, mainly for the purposes of doing business, promoting products and the Group, and improving on our service delivery.

The type of information collected may depend on the need for which it is collected, and it will be processed for that specific purpose only.

As far as possible, the Group will collect information directly from you after obtaining your consent; however, if you provide information to us on behalf of another individual, you represent that you have the necessary authority and capacity to do so.

Online platforms are not directed at individuals who are under the age of 18 or who do not otherwise have the requisite capacity to make decisions or manage their own affairs. Where Personal Information has been submitted by a minor or incapacitated individual and you would like such information to be removed or deleted, please follow the “Contact Us” section of this Policy set out below.

All information collected, obtained, and retained by the Group subject to an individual’s consent will be for a set purpose and impose a duty of safeguarding the privacy and protection of the information on the Group and all authorised personnel who have access thereto.

 

A. ONLINE COLLECTION

 

i. Group Website

We may automatically collect and use information in the following ways as you navigate around our website:

  • Through your browser

Your web browser is the application software that you use to access the internet, for example, Safari or Google Chrome. Most browsers collect information such as your Media Access Control (MAC) address, IP address, computer type, screen resolution, browser speed, operating system name and version and Internet browser type and version. We may collect similar information, such as your device type and identifier if you access our website through a mobile device. We use this information to ensure that our website functions efficiently. Your browser also collects more personalised information on you, for example, your browsing history, which you can delete.

 

  • Using cookies

The Group uses “cookie” technology on its website to improve your browser experience. The website uses essential cookies for the operation of the Group’s website that are, by default, set to indicate consent by the user, which consent can be denied by the user by selecting the relevant disable/enable tabs in the “Cookie Table” displayed to the user. The website deletes information gathered by the essential cookies immediately at the end of the browser session of the website. The Group’s website requests users to grant, by an affirmative action, specific, informed, and unambiguous consent, before using cookies on the user’s device or collecting and storing information about the user and is transparent about the types of cookies stored and the periods that the information will be stored.

First party cookies are those sent to your browser by the server of the website you are visiting. They allow website owners to collect analytics data such as the number of visitors per month, the average duration of the visit and popular pages visited. This data is used to review and improve our website performance. The browser is able to remember language preferences, usernames and passwords.

Third party cookies are those sent to your browser by servers other than the website you are visiting and are mainly used for cross-site tracking, retargeting, and online-advertising purposes. Cookies of this type are the sharing buttons across the site, which allow visitors to share content onto social networks. Cookies are currently set by Facebook, Instagram and LinkedIn. To implement these buttons and connect them to the relevant social networks and external sites, scripts from outside of our website are used. You should be aware that these sites are likely to be collecting information about what you are doing all around the internet, including this website.

  • Cookies (or browser cookies): a cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our website. Unless you have adjusted your browser settings so that it will refuse cookies, our system will issue cookies when you direct your browser to our website. View our Cookie Policy here.  

 

  • Web Beacons: Pages of the website may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Group to, for example, count users who have visited those pages, record the popularity of certain website content, or verify system and server integrity. The collection of the data is anonymous.
  • Anonymous Data

The Group’s website monitors user experience while using the website and collects anonymous connection statistics. This data is used solely to improve the Group’s website service and add value to the user when they visit the site. The Group may automatically collect and store certain information which includes but is not limited to the following:

  • Technical information, including a user’s Internet Protocol (IP) address which is used to connect to their computer and internet operating system and browser type and platform for the system administration; and
  • Information about a user’s use of our website including details of their visits such as pages viewed and the resources that they accessed. Such information includes traffic data, location data and other communication data.
  • Contact us

If you have any queries, or you would like to comment on the online or other services of the Group, you may complete the contact form on our website where you will need to input your e-mail address and other contact information, enter your message or request and click “send”. An email will be sent to the Group. We shall endeavour to respond to you, as soon as possible, but no later than 48 hours after successful transmission of your message if no communication regarding a delay has been received by you. When you request our services, you may be asked to provide us with additional information. We strive to collect only that Personal Information that is necessary for the intended purpose of collection. We will use this Personal Information to fulfil your inquiry, to provide services and information to you as we reasonably think appropriate, and for any other purposes set out in this Policy.

 

  • Links to other websites

The Group’s website will contain links to or from other websites, for example, links to the websites of our suppliers. A user must read and familiarise themselves with the privacy and security policies of these websites as the Group is not responsible for the privacy and security thereof. The inclusion of links will be for convenience or information purposes only and does not mean that the Group endorses those websites and their content.

ii. Social Media Platforms

The Group uses various social media platforms to promote its business and connect with its customers, including Facebook, Instagram, and LinkedIn. Users who engage on these platforms acknowledge that they are public platforms where they may be identifiable from profile images or by name. Individuals are encouraged by the Group to put in place restrictive privacy settings on their personal profiles to prevent unsolicited activity and communications on their profiles. The Group does not endorse the posting of prejudicial or abusive content which shall not be construed as forming the views of the Group and/or its directors and associates and such content will immediately be removed once it has come to the Group’s attention.

 

B. OFFLINE COLLECTION

 i. Patient Stickers

These are provided to the Group or certain of its personnel for the purposes of linking the use of a product which the Group distributes to a particular sale. Information may include patient initials; name and surname; spouse initials and surname; postal address; residential area/address; home and work contact numbers; medical aid scheme, plan and number; the number of dependants; gender; date of birth; identity number; hospital name; date and time of admission; hospital ward; surgeon name; theatre nurse name; procedure performed; and products used on the patient. This information is provided to us by hospitals that collect the information directly from patients. The Group processes this information as an Operator (as defined under POPIA) and will have in place the requisite agreements with hospitals and hospital groups that will govern the Group’s processing activities.

ii. Training Initiatives

These include product demonstrations and training of doctors who attend these Group initiatives from time to time. Detailed compliance information is captured from the first engagement to the conclusion of the particular event. Personal Information may include CVs of Doctors; email and other communications; qualifications; education and experience; contact information; flight, accommodation and car rental details including applicable dates and times; and photographic and videographic content of events. In all cases, the necessary consents will be in place. For the purposes of product evaluations and training, certain procedures may be recorded. The express consent of the patient is obtained before the procedure takes place and the content is only made available as consented to by the patient which may include publication on the Group’s website, on social media platforms or by specific healthcare professionals and relevant personnel of the manufacturer during a product evaluation.

iii. Marketing

The Group will mostly retain the contact information of persons who have consented to receive regular marketing and promotional content from the Group and purchase histories of customers. Consents and a readily accessible “opt-out” option will be in place.

iv. Direct Sales

Various information will be exchanged with sales personnel of the Group to conclude sales, including contact information, email and other communications, names and other details of doctors and hospitals and patient stickers referred to above.

 

v. Compliance

The Group is required to keep detailed records of wide-ranging information to demonstrate an arm’s-length relationship with their customers. This includes keeping records of all the above information which is captured in an access-controlled filing system for audit purposes.

SPECIAL PERSONAL INFORMATION

 Save for patient stickers, and engagements with Doctors, the Group will not collect Special Personal Information of individuals including religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasions, health or sex life, biometric information and criminal behaviour. Individuals are requested not to volunteer this information unless specifically and directly requested by trusted personnel of the Group, whether through our online services or otherwise.

Individuals are encouraged to enquire as to the trustworthiness of a particular requester/collector and/or the purpose for collection before providing this information to the Group. This Special Personal Information will never be requested of you through any of our online services.

Other sensitive information which the Group may require through our online services may include contact and location information which will require consent and/or include an opt-out function for the provision of marketing and promotional materials.   

An entity of the Group may not be able to carry out its legislative or compliance mandate and provide its services, procure services or employ an individual or entity without their Personal Information being provided.       

 

5. PURPOSE SPECIFICATION

  • As far as possible, the use and sharing of your Personal Information will be described to you at the point of collection. Whether the information is voluntary or mandatory, and the options available to you to “opt-out” where possible, will also be disclosed at that time.
  • Other than consent, the other legal bases for the justifiable use of your Personal Information provided under POPIA include the conclusion or performance of a contract with you; compliance with a legal obligation; the protection of a legitimate interest of yours; or for our legitimate business purposes or that of the third-party with whom your information is shared.
  • The Group collects Personal Information for many reasons including but not limited to the following:
  • to supply medical products, provide training or demonstration on correct usage and services in connection therewith;
  • to facilitate the development of new products and improve on existing products to meet the needs and demands of customers;
  • to facilitate product assessment programs for medical education;
  • for audit and record-keeping purposes to ensure that the Group is at all times compliant with legal, regulatory and/or contractual requirements;
  • to enable the Group to fulfil general compliance functions which require a high level of recording to demonstrate that business has been done lawfully, in a transparent manner and with the health and safety of patients as a top priority;
  • to keep records of all statutory/regulatory information which the Group is expected to report on/act upon;
  • to carry out or fulfil contractual and legal obligations;
  • to receive payment for products that have been supplied and delivered by the Group;
  • to confirm and verify identity;
  • for the detection and prevention of fraud, crime, money laundering or other malpractice;
  • to detect and prevent cyber-attacks or identity theft;
  • to provide functional, customer-related service;
  • to respond to customer inquiries, requests and complaints;
  • to send you important information regarding our relationship with you, changes to the business or its policies, terms and conditions, or products and services;
  • to enhance, improve and modify our online services, in particular, our website;
  • to identify market and usage trends;
  • to better understand your preferences, needs and interests to deliver better products, online content, marketing campaigns and promotional materials;
  • to personalise our interactions with you;
  • to conduct market or customer satisfaction research;
  • to determine the effectiveness of marketing campaigns so they may be adapted and improved;
  • for the purposes of and in connection with legal proceedings;
  • for the purposes of employment with the Group;
  • to allow for authorised and permissible client/supplier/vendor/employee communications;
  • to facilitate authorised and permissible day-to-day email and other electronic communications;
  • to keep records of service providers and vendors the Group does business with, their product and service offerings, and for payment connected thereto.

The above list is not exhaustive but has been captured with as much detail as possible. The Group will process information for the purposes of running its day-to-day business operations and meeting its legal and compliance obligations in respect thereof.

Where Personal Information is not collected directly from you, it may be collected indirectly from other sources in the following circumstances:

  • the information is a matter of public record or has been made public by you;
  • you or a competent person have consented;
  • collection from such source does not prejudice your legitimate interests;
  • it is necessary for law enforcement or national security, for the collection of revenue, for the conduct of legal proceedings, to maintain the legitimate interests of the Group or a third party, for example, to fulfil the Group’s legislative mandate and/or sector-specific obligations; or
  • compliance would prejudice lawful collection or is not reasonably practicable in the particular circumstances.

The data subject has the right to withdraw their consent at any time and to object to the processing of their Personal Information on reasonable grounds in terms of section 11 of POPIA.

6. LEGISLATIVE MANDATE

The Group is legally required, in terms of existing legislation, to collect and keep records on certain Personal Information. The Group will keep and maintain records as required in terms of, inter alia, the following:

  • Tax Administration Act No. 28 of 2011;
  • Income Tax Act No. 58 of 1962;
  • Value Added Tax Act No. 89 of 1991;
  • Unemployment Insurance Act 63 of 2001;
  • Auditing Profession Act No. 26 of 2005;
  • National Credit Act No. 34 of 2005;
  • Companies Act No. 71 of 2008;
  • Close Corporations Act No. 79 of 1984;
  • Electronic Communication and Transaction Act No. 25 of 2005;
  • Insolvency Act No. 24 of 1936 (where applicable).

The above includes any records which may be required under any Regulations applicable to that Act. The Group will maintain a register of legal record-keeping required in terms of all applicable legislation.

7. CONSEQUENCES OF A REFUSAL TO PROVIDE PERSONAL INFORMATION

A failure to provide mandatory Personal Information will result in the following consequences for data subjects:

The above consequences are not exhaustive and the Group will exercise its reasonable discretion having due regard to the circumstances. The Group will at all times advise the data subject of the remedies available to it. 

8. RIGHTS OF DATA SUBJECTS

In addition to your rights to object to the processing of your Personal Information on reasonable grounds and to withdraw your consent as stated in 5 herein, you also have the right to:

  • request access to the Personal Information the Group holds about you;
  • request that the Group update or correct your Personal Information;
  • request the deletion of your Personal Information if it is inaccurate, irrelevant, excessive, outdated, incomplete, misleading, has been unlawfully obtained, or where the Group is no longer authorised to keep it;
  • object to the processing of your Personal Information for purposes of direct marketing other than by means of unsolicited communications;
  • complain to the Group about the way it uses your Personal Information and, if unsatisfied with the handling of the complaint, to lodge a formal complaint with the Information Regulator, the details of whom must be provided; and
  • query a decision that the Group has made about you solely by automated means.

These rights are not absolute and must be balanced against other competing rights. These rights may be limited owing to the nature of any legislative or public interest mandate, or they may be subject to an exception that may impact these rights. Where a further interest which the Group is mandated to protect outweighs, to a substantial degree, the interference with your rights, the Group will, as far as possible, explain the limitation or exception being relied upon and its impact on your rights.

9. SAFEGUARDING OF PERSONAL INFORMATION

POPIA and the GDPR require that the Group adequately protect the Personal Information that it holds and avoid unauthorised access to and use of your Personal Information.

The Group will secure the integrity and confidentiality of your Personal Information in its possession and under its control by taking appropriate reasonable technical and organisational security measures to prevent (a) loss of, damage to or unauthorised destruction of Personal Information; and (b) unlawful access to or processing of Personal Information. The Group’s security systems, processes, procedures and controls are designed to maintain confidentiality, prevent loss, unauthorised access and damage to Personal Information by unauthorised parties. The Group conducts regular and continuous vulnerability and risk assessments to improve its security posture and provide assurance to all stakeholders.

The Group will continuously review its security controls and processes to ensure that all Personal Information is secure.

Measures employed by the Group to protect Personal Information include, but are not limited to, robust IT security, regular IT security checks and back-ups, ongoing risk assessments, restricted access by authorised personnel only, password controls, locked filing cabinets with the key held by senior management, electronic alarm systems on each wing of the building, manned access into the office park, and security guard patrols.

The transmission of information via the internet is not completely secure. Although we have implemented all security measures to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to our website. Any transmission of Personal Information is at your own risk.

10. DISCLOSURE OF PERSONAL INFORMATION TO THIRD PARTIES

The Group may, from time to time, share or disclose Personal Information with third parties, but only if:

  • you have consented;
  • an agreement is in place with the Group and the third party;
  • it is necessary to fulfil the Group’s legislative mandate;
  • it is required by law (including laws outside of your country of residence);
  • the Group has a public duty to disclose it;
  • your legitimate interests require disclosure; and/or
  • it is required for legitimate business purposes.

Third parties may include, but are not limited to:

  • information regulators including foreign information regulators;
  • other regulators including foreign regulators;
  • registered auditors including foreign auditors;
  • law enforcement agencies including foreign law enforcement agencies; and
  • verification agents.

In addition to the above, for legitimate business purposes, the Group will need to share your Personal Information with certain third-party service providers who may include those who provide services such as website hosting and moderating, mobile application hosting, payment processing, order processing and fulfilment, IT services, legal and auditing services, e-mail and direct mail delivery services, storage services, customer service, data analysis, infrastructure provision and any other reasonable services on which the Group relies to conduct its business and provide its online services.

The Group will, as far as possible, take adequate measures to ensure that third parties to whom Personal Information is disclosed comply with data protection laws, including POPIA, and that they will protect the information disclosed. The Group will conduct internal due diligence and, where applicable, put in place appropriate contractual arrangements for this purpose.

11. TRANSBORDER DISCLOSURES

Where necessary and appropriate, Personal Information may be transferred and processed across borders. Circumstances in which this might be applicable include, but are not limited to, disclosures for:

  • business purposes, for example where clinical trials are applicable, third-party suppliers are located outside of South Africa;
  • sharing with other regulators outside of South Africa to fulfil a legislative mandate; or
  • law enforcement agencies for investigation purposes.

The Group acknowledges that these countries may not have the same level of protection as that which is afforded by POPIA; however, the Group will put in place appropriate contractual arrangements and, as far as possible, conduct its own internal due diligence measures to protect your information. The Group will do its best to ensure that any third parties will treat your information at least with the same level of privacy and protection as that which is provided by the Group.

12. RETENTION OF PERSONAL INFORMATION

Personal Information is retained and destroyed as required or authorised by law, a contract or for the operational and business requirements of the Group. The existence of any ongoing or anticipated legal proceedings or a regulatory audit or investigation will also result in records being retained longer.

Generally, information is retained for a period of 5 years and thereafter is destroyed. Personal Information which is linked to clinical trials, or which relates to foreign entities, is generally kept indefinitely but within reason, meaning records would be destroyed if an entity were to cease existing, or where so much time has passed that information linked to a clinical trial would no longer be relevant.

The Group will only keep Personal Information for as long as is necessary to achieve the purpose for which it was collected, or to comply with a legal record-keeping obligation.

13. INFORMATION OFFICERS (‘IOs’) AND DEPUTY INFORMATION OFFICERS (‘DIOs’)

As required by POPIA, each entity within the Group will have a formally appointed IO who may then delegate some or all of their responsibilities to any other duly authorised DIO/DIOs.

The IO/DIO is responsible, inter alia, for:

  • encouraging and ensuring compliance with POPIA;
  • working with regulators in the event of any investigations;
  • conducting a preliminary Personal Information impact assessment;
  • developing, implementing, monitoring and maintaining this policy and compliance framework;
  • ensuring that this policy and compliance framework is supported by appropriate documentation which must be relevant and kept up to date;
  • ensuring the communication of the policy and compliance framework and any subsequent updates throughout the organisation;
  • developing, implementing and maintaining a Protection of Personal Information Act (“PAIA”) Manual in terms of the Protection of Personal Information Act No. 2 of 2000 and making it available;
  • dealing with requests for access to information;
  • developing internal measures together with adequate systems to effectively process requests for access to information; and
  • conducting internal awareness sessions on POPIA, any POPIA regulations, applicable codes of conduct, or other information obtained from the Regulator.

APPOINTED IOS AND DIOS

The following persons are appointed as IOs and DIOs for the purposes of PAIA and POPIA and are contactable through any of the channels provided below:

Information Officer: Joey Moodley (Group CEO)

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: JoeyM@fvz.co.za

Postal address: PO Box 1257, Ferndale, 2160

Physical address: 804 Hammets Crossing Office Park, 2 Selbourne Road, Johannesburg North, 2188

Group Website: www.fvzholdings.com

Group Email: Compliance@fvzholdings.com, Info@fvzholdings.com

Johannesburg: Belinda Menges

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: BelindaM@fvz.co.za

Johannesburg: Ceiri Bouwer

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: CeiriB@fvz.co.za

Johannesburg: Stephen White

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: StephenW@fvz.co.za

Johannesburg: Carola Sander

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: CarolaS@fvz.co.za

Johannesburg: Mike Poxon

Telephone number: (011) 462 9553

Fax number: (011) 462 9298

Email address: MikeP@fvz.co.za

Durban: Bryant Theunissen

Telephone number: (031) 701 6949

Fax number: (031) 701 8065

Email address: BryantT@fvz.co.za

Physical address: Bal Vista Shop 43, 22 Sandra Road, Ballito, 4420

Cape Town: Martin Scheepers

Telephone number: (021) 914 7502

Email address: MartinS@fvz.co.za

Physical address: Unit 3, The Reserve 1, Kruis Road, Brackenfell, 7560

14. CONTACT US

Should you wish to contact us regarding any queries or concerns about this Policy, please contact the Information Officer or any of his Deputies at compliance@fvzholdings.com, or you may use any of the contact details above, or you may contact us through our website.

Should you wish to contact us regarding the exercise of any of your rights under POPIA and PAIA, to report a breach, or if you have any other questions regarding the Group’s POPIA compliance programme, please contact the Deputy Information Officers at their details above. Please note that you may have to follow the necessary processes and procedures or complete the necessary forms where you require access to, or amendment or deletion of, Personal Information, or to report an incident or breach regarding Personal Information.

Should you wish to lodge a complaint with the Information Regulator, you can email your complaint to POPIAComplaints@inforegulator.org.za, or visit their website for detailed contact information.

 

15. CHANGES TO THIS POLICY

The Group may amend this Policy from time to time by publication of a notice on the Group’s website. Please check the Group website periodically to keep abreast of any changes.