RIGHT TO CARE NPC
DATA PROTECTION AND PRIVACY POLICY
1 DEFINITIONS
In this Policy (as defined below), unless the context requires otherwise, the following capitalised
terms shall have the meanings given to them:
1.1 "Active Processing" means instances where RTC has directly been provided with the
Personal Information/Personal Data of Data Subjects, such as when Data Subjects submit
an enquiry in respect of our Products or Services, or when Data Subjects subscribe to
receiving information from RTC;
1.2 "Inactive Processing" means instances where RTC has not actively been provided with
the Personal Information/Personal Data of Data Subjects, such as when RTC deploys
Passive Processing Means to collect information from Data Subjects. These Passive
Processing Means allow RTC to Process certain kinds of Non-personally Identifiable
Information which can perhaps not be linked to Data Subjects;
1.3 "Anonymisation" means the Processing of Personal Information/Personal Data in such a
manner that the Personal Information/Personal Data can no longer be attributed to Data
Subjects without the use of additional information, provided that such additional information
is kept separately and is subject to technical and organisational measures to ensure that
the Personal Information/Personal Data are not attributed to Data Subjects;
1.4 "Applicable Laws" means any laws applicable to Personal Data and Personal Information
and includes any statute, regulation, notice, policy, directive, ruling or subordinate
legislation; the common law; any binding court order, judgement or ruling; any applicable
industry code, policy or standard enforceable by law; or any applicable direction, policy or
order that is given by any regulator, competent authority or organ of state or statutory
industry body;
1.5 "Child" means any natural person under the age of 18 years;
1.6 "Competent Person" means anyone who is legally competent to consent to any action or
decision being taken in respect of any matter concerning a child, for example a parent or legal
guardian;
1.7 "Controller" means RTC, in circumstances where it Processes Personal Data (as defined
in Article 4 of the GDPR);
1.8 "Cookies" means small text files that store Non-personally Identifiable Information/Data
about Data Subjects, either temporarily in connection with a Data Subject’s Internet Protocol
(IP) address (known as a temporary or session cookie, and deleted once a Data Subject
closes their browser window) or more permanently on the hard drive of a Data Subject’s
device (known as a permanent or persistent cookie). RTC’s Website(s) or Mobile
Application(s) may from time to time use session cookies so that Data Subjects do not
have to fill in the same information from page to page within our Website(s) or Mobile
Application(s). If Data Subjects elect not to receive cookies, they may be able to view
some, but not all, of the content on our Website(s) or Mobile Application(s);
1.9 "Customer(s)" means any natural person(s), or where applicable juristic person(s), who
have concluded an agreement with RTC, in terms of which such Customer procures the
Products and/or Services provided by RTC, whether for themselves or their own
customers/clients;
1.10 "Data Subject" means RTC’s Customer(s), Patient(s) or any Third Party in respect of
whom RTC processes Personal Information/Personal Data;
1.11 "Data Processing Infrastructure" means any and all systems, networks, servers,
workstations, laptops, mobile devices, web applications, mobile applications, cloud
storages, websites owned, controlled or operated by RTC;
1.12 "Embedded Scripts" means programming code that is designed to collect information
about a Data Subject’s interactions with the relevant Website(s) or Mobile Application(s). It
is temporarily downloaded onto a Data Subject’s device from our web server or a Third-
Party Operator. This program is active only while a Data Subject is connected to the
relevant Website(s) or Mobile Application(s) and is deleted or deactivated thereafter;
1.13 "Electronic Means" means, in relation to the Processing of any Personal
Information/Personal Data, the use of any Website(s), Mobile Application(s), electronic mail
(email), text, voice, sound or image messages by RTC;
1.14 "Non-Electronic Means" means, in relation to the Processing of any Personal
Information/Personal Data, the use of traditional means of Processing, such as hard copy
documents, traditional filing systems deployed for the storage and retention of Personal
Information/Personal Data and face-to-face personal engagements with Data Subjects;
1.15 "Patient(s)" means any Data Subject who is a patient of RTC and procures or makes use
of any of its Products or Services;
1.16 "RTC" means Right To Care NPC (Registration Number: 2001/001745/08), which is a non-
profit company duly incorporated in accordance with the company laws of the Republic of
South Africa, and is the provider of various prevention, care and treatment services for HIV,
tuberculosis, sexually transmitted infections and Hepatitis C, as well as developer of
various healthcare intervention programmes;
1.17 "RTC Group Company" means any juristic entity forming part of the Right to Care Group
from time to time.
1.18 "GDPR" means the General Data Protection Regulation, which is a European law that
governs all collection and processing of personal data from individuals inside the European
Union;
1.19 "Mobile Application(s)" means the multi-device software application, whether in web-
based format or device-native format, to which this Privacy Policy relates and through which
Customer(s) and Patient(s) gain access to RTC’s Products and Services;
1.20 "Mobile Device Identifier" means device information if you access our Website(s) or
Mobile Application(s) through mobile devices. Certain features of the relevant Website(s)
or Mobile Application(s) may require collection of mobile phone numbers and we may
associate that phone number with the mobile device identifiers. Additionally, some mobile
phone service providers operate systems that pinpoint the physical location of devices that
use their service. Depending on the provider, RTC and/or our Third-Party Operators may
receive this information. If RTC associates any such passively collected information with
the Personal Information/Personal Data of Data Subjects, we will treat the combined
information as Personal Information/Personal Data as contemplated in this Policy;
1.21 "Non-personally Identifiable Information/Data" means any information/data which
cannot be linked to Data Subjects, such as an internet domain name, the type of web
browser used by a Data Subject, the type of operating system relied on by a Data Subject,
the date and time of a Data Subject’s visit to our Website(s) and Mobile Application(s), the
specific pages a Data Subject may have visited, and the address of the website which a
Data Subject may have visited prior to entering or gaining access to RTC’s Website(s) or
Mobile Application(s);
1.22 "Operator" means a person or entity who Processes Personal Information/Data for a
Responsible Party;
1.23 "Passive Processing Means" means the use of technologies to facilitate the Inactive
Processing of Personal Information/Personal Data, namely the use of Cookies, Web
Beacons, Embedded Scripts and/or Mobile Device Identifiers;
1.24 "Personal Data" (as defined in Article 4 of the GDPR) means any information relating to
an identified or identifiable natural person ('data subject'); an identifiable natural person is
one who can be identified, directly or indirectly;
1.25 "Personal Information" shall have the same meaning as is given in section 1 of POPIA;
1.26 "Policy" means this Data Protection and Privacy Policy;
1.27 "POPIA" means the Protection of Personal Information Act, No 4 of 2013;
1.28 "Processing" means any operation or activity or any set of operations, whether or not by
automatic means, concerning Personal Information/Personal Data, including:
1.28.1 the collection, receipt, recording, organisation, collation, storage, updating or
modification, retrieval, alteration, consultation or use;
1.28.2 dissemination by means of transmission, distribution or making available in any other
form by electronic communications or other means; or
1.28.3 merging, linking, blocking, degradation, erasure or destruction. For the purposes of this
definition, "Process" has a corresponding meaning;
1.29 "Profiling" means any form of automated Processing of Personal Information/Personal
Data consisting of the use of such Personal Information/Personal Data to evaluate certain
personal aspects relating to a Data Subject or Data Subjects, in particular to analyse or predict
aspects concerning a Data Subject’s behaviour, performance preferences, interests or
location;
1.30 "Regulator" means the Information Regulator established in terms of POPIA;
1.31 "Responsible Party" means, in the context of this Policy, RTC;
1.32 "Special Personal Information/Data" means Personal Information/Personal Data
concerning, amongst other aspects contemplated in terms of section 26 Part B of POPIA,
a Data Subject's religious beliefs, race or ethnic origin, trade union membership, political
persuasion, health or sex life, biometric data, or criminal behaviour;
1.33 "Third-Party" means any Customer(s), Patient(s), Data Subject(s), employee(s),
independent contractor(s), agent(s), consultant(s), RTC Group Company, user of
RTC’s Products, Services, Website(s), Mobile Application(s) or any other digital interfaces;
1.34 "Website" means the website sourced at https://www.righttocare.org/
1.35 "Web Beacons" means small graphic images called web beacons, also known as “Internet
tags” or “clear gifs”, which Web Beacons may be deployed in RTC’s Website(s) pages and
e-mail messages. Web beacons may be invisible to Data Subjects, but any electronic
image inserted into a web page or e-mail can act as a Web Beacon. RTC may use web
beacons or similar technologies for a number of purposes, including, without limitation, to
count the number of visitors to our Websites, Mobile Application(s), to monitor how users
navigate the Website(s) or Mobile Application(s), to count how many e-mails that we have
sent were actually opened or to count how many particular articles or links were actually
viewed by Data Subjects in certain circumstances.
2 INTRODUCTION
2.1 This Policy regulates the Processing of Personal Information/Personal Data by RTC and
sets forth the requirements with which RTC undertakes to comply when Processing
Personal Information/Personal Data pursuant to undertaking its operations and fulfilling its
contractual obligations in respect of Data Subjects and Third Parties in general.
2.2 RTC places a high premium on the privacy of every person or organisation with whom it
interacts or engages and therefore acknowledges the need to ensure that Personal
Information/Personal Data is handled with a reasonable standard of care as may be
expected from it. RTC is therefore committed to ensuring that it complies with the
requirements of POPIA, and also with the terms of the GDPR to the extent that the GDPR
applies.
2.3 When a Data Subject or Third Party engages with RTC, whether it be physically or via any
digital, electronic interface such as RTC’s Website(s) or Mobile Application(s), the Data
Subject or Third Party acknowledges that they trust RTC to Process their Personal
Information/Personal Data, including the Personal Information/Personal Data of their
patients, dependents, beneficiaries, customers, agents or employees (as the case may
be).
2.4 All Data Subjects and Third Parties have the right to object to the processing of their
Personal Information/Personal Data. It is voluntary to accept the Terms and Conditions
to which this Policy relates. However, RTC does require the Data Subject or Third Party’s
acceptance to enable the proper use of RTC’s Website(s), Mobile Application(s), the
Products and/or Services.
3 PURPOSE AND APPLICATION
3.1 The purpose of this Policy is not only to inform Data Subjects about how RTC Processes
their Personal Information/Personal Data, but also to establish a standard with which RTC
and its employees and representatives shall comply in so far as the Processing of Personal
Information/Personal Data is concerned.
3.2 RTC, in its capacity as a Responsible Party and/or Operator and/or Controller, as the case
may be, shall strive to observe and comply with its obligations under POPIA and the GDPR
(as may be applicable and to the extent necessary) when it Processes Personal
Information/Personal Data from or in respect of any Data Subject.
4 COLLECTING & PROCESSING OF PERSONAL INFORMATION/PERSONAL DATA
4.1 Whenever any Data Subject engages with RTC, whether it be physically (Non-Electronic
Means) or by Electronic Means, or through the use of its Products, Services, facilities,
Website(s) or Mobile Application(s), RTC will in effect be Processing the Data Subject’s
Personal Information/Personal Data.
4.2 It may be from time to time that RTC has collected a Data Subject’s Personal
Information/Personal Data from other sources. In the event that a Data Subject has
shared their Personal Information/Personal Data with any third parties, RTC will not be
responsible for any loss suffered by the Data Subject, their dependents, beneficiaries,
customers, agents or employees (as the case may be).
4.3 When a Data Subject provides RTC with the Personal Information of any other Third
Party, RTC will process the Personal Information/Personal Data of such Third Party in
line with this Policy, as well as the terms and conditions to which this Policy relates.
4.4 RTC will Process Personal Information/Personal Data in order to facilitate and enhance the
delivery of Products and Services to its Customers, foster a legally compliant workplace
environment, as well as safeguard the Personal Information/Personal Data relating to any
Data Subjects which it in fact holds. In such an instance, the Data Subject providing RTC
with such Personal Information/Personal Data will confirm that they are a Competent
Person and that they have authority to give the requisite consent to enable RTC to process
such Personal Information/Personal Data.
4.5 RTC undertakes to process any Personal Information/Personal Data in a manner which
promotes the constitutional right to privacy, retains accountability and Data Subject
participation. In supplementation of the above, RTC will process Personal
Information/Personal Data for the following purposes:
4.5.1 To provide or manage any information, Products and Services requested by any
Customer(s), Data Subjects, Patient(s) or Third Parties;
4.5.2 To establish a Data Subject’s needs, wants and preferences in relation to the Products
and Services provided by RTC;
4.5.3 To help RTC identify Data Subjects when they engage with RTC;
4.5.4 To facilitate the delivery of Products and/or Services to Data Subjects;
4.5.5 To administer services on behalf of its Customers in relation to the Products and/or
Services delivered by RTC;
4.5.6 To allocate to Customers unique identifiers for the purpose of securely storing, retaining
and recalling such Customers’ Personal Information/Personal Data from time to time;
4.5.7 To facilitate the Anonymisation of Personal Information/Personal Data;
4.5.8 To maintain records of Data Subjects and specifically Customer records;
4.5.9 To maintain Third Party records;
4.5.10 For recruitment purposes;
4.5.11 For employment purposes;
4.5.12 For apprenticeship purposes;
4.5.13 For general administration purposes;
4.5.14 For legal and/or contractual purposes;
4.5.15 For health and safety purposes;
4.5.16 To monitor access, secure and manage any facilities owned or operated by RTC
regardless of location in South Africa;
4.5.17 To transact with Third Parties;
4.5.18 To improve the quality of RTC’s Products and Services;
4.5.19 To analyse the Personal Information/Personal Data collected for research and statistical
purposes;
4.5.20 To transfer Personal Information/Personal Data across the borders of South Africa to
other jurisdictions;
4.5.21 To carry out analysis and Data Subject Profiling as contemplated in this Policy;
4.5.22 To identify other products and services which might be of interest to Data Subjects in
general, as well as to inform them of such products and/or services.
4.6 When collecting Personal Information/Personal Data from a Data Subject, RTC shall
comply with the notification requirements as set out in Section 18 of POPIA, and to the
extent applicable, Articles 13 and 14 of the GDPR.
4.7 RTC will collect and Process Personal Information/Personal Data in compliance with the
conditions as set out in POPIA and/or the Processing principles in the GDPR (as the case
may be), to ensure that it protects the Data Subject's privacy.
4.8 RTC will not Process the Personal Information/Personal Data of a Data Subject for any
purpose other than for the purposes set forth in this Policy, unless RTC is permitted or
required to do so in terms of Applicable Laws or otherwise by law.
4.9 RTC may from time to time Process Personal Information/Personal Data by making use of
automated means (without deploying any human intervention in the decision-making
process) to make decisions about the Data Subject or for Data Subject Profiling. In this
instance it is specifically recorded that the Data Subject may object to or query the
outcomes of such a decision or the Processing of their Personal Information/Personal Data
for the purpose of Profiling.
4.10 In addition to the other provisions of this clause 4, it is expressly stated that the Personal
Information/Personal Data of Data Subjects may in certain instances be Processed through
Electronic or Non-Electronic Means and in deploying either Electronic or Non-Electronic
Means, the Personal Information/Personal Data of Data Subjects may either be Processed
through Active Processing or Inactive Processing.
4.11 In instances where RTC deploys Passive Processing Means in relation to the Processing
of Non-personally Identifiable Information/Data, and it turns out that such previously Non-
personally Identifiable Information/Data could be combined with other similar information
so as to render it Personal Information/Personal Data, RTC will undertake the Processing
of such Personal Information/Personal Data in accordance with this Policy.
5 PERSONAL INFORMATION/PERSONAL DATA FOR DIRECT MARKETING PURPOSES
5.1 RTC acknowledges that it may only use Personal Information/Personal Data to contact
Data Subjects for purposes of direct marketing where RTC has complied with the provisions
of POPIA and GDPR (where applicable) and when it is generally permissible to do so in
terms of Applicable Laws.
5.2 RTC will ensure that a reasonable opportunity is given to all Data Subjects to object (opt-
out) to the use of their Personal Information/Personal Data for RTC’s marketing purposes
when collecting the Personal Information/Personal Data and on the occasion of each
communication to the Data Subject for purposes of direct marketing.
6 STORAGE AND RETENTION OF PERSONAL INFORMATION/PERSONAL DATA
6.1 RTC will retain Personal Information/Data it has Processed, in an electronic or hardcopy
file format, with a Third-Party service provider appointed for this purpose (the provisions of
clause 9 below will apply in this regard).
6.2 Personal Information/Personal Data will only be retained by RTC for as long as necessary
to fulfil the purposes for which that Personal Information/Personal Data was collected
and/or as permitted in terms of Applicable Law.
6.3 It is specifically recorded that any Data Subject has the right to object to the Processing of
their Personal Information and RTC shall retain and store the Data Subject’s Personal
Information/Personal Data for the purposes of dealing with such an objection or enquiry as
soon and as swiftly as possible.
7 FAILURE TO PROVIDE PERSONAL INFORMATION
7.1 Where RTC is required to collect Personal Information/Personal Data from a Data Subject
by law or in order to fulfil a legitimate business purpose of RTC and the Data Subject fails
to provide such Personal Information/Personal Data, RTC may, on notice to the Data
Subject, decline to render services without any liability to the Data Subject.
8 SECURING PERSONAL INFORMATION/PERSONAL DATA
8.1 RTC has implemented appropriate, reasonable, physical, organisational, contractual and
technological security measures to secure the integrity and confidentiality of Personal
Information/Personal Data, including measures to protect against the loss or theft,
unauthorised access, disclosure, copying, use or modification of Personal
Information/Personal Data in compliance with Applicable Laws.
The access control and security measures shall apply to RTC’s entire Data Processing
Infrastructure.
8.2 In further compliance with Applicable Law, RTC will take steps to notify the relevant
Regulator(s) and/or any affected Data Subjects in the event of a security breach and will
provide such notification as soon as reasonably possible after becoming aware of any such
breach.
8.3 Notwithstanding any other provisions of this Policy, it should be acknowledged that the
transmission of Personal Information/Personal Data, whether it be physically in person, via
the internet or any other digital data transferring technology, is not completely secure.
Whilst RTC has taken all appropriate, reasonable measures contemplated in clause 8.1
above to secure the integrity and confidentiality of the Personal Information/Personal Data
it Processes, in order to guard against the loss of, damage to or unauthorized destruction
of Personal Information/Personal Data and unlawful access to or processing of Personal
Information/Personal Data, RTC in no way guarantees that its security system is 100%
secure or error-free. Therefore, RTC does not guarantee the security or accuracy of the
information (whether it be Personal Information/Personal Data or not) which it collects from
any Data Subject.
8.4 Any transmission of Personal Information/Personal Data will be solely at the Data
Subject’s own risk. Once RTC has received the Personal Information/Personal Data, it will
deploy and use strict procedures and security features to try to prevent unauthorised
access to it. As indicated above, RTC reiterates that it restricts access to Personal
Information/Personal Data to Third Parties who have a legitimate operational reason for
having access to such Personal Information/Personal Data. RTC also maintains electronic
and procedural safeguards that comply with the Applicable Laws to protect your Personal
Information and accordingly its Data Processing Infrastructure from any unauthorized
access.
8.5 RTC shall not be held responsible and by accepting the terms and conditions to which this
Policy relates, any Data Subject agrees to indemnify and hold RTC harmless for any
security breaches (whether in relation to its Data Processing Infrastructure or not) which
may potentially expose the Personal Information/Personal Data in RTC’s possession to
unauthorized access and/or the unlawful processing of such Personal Information/Personal
Data by any Third-Party.
9 PROVISION OF PERSONAL INFORMATION/PERSONAL DATA TO THIRD PARTIES
9.1 RTC may disclose Personal Information/Personal Data to Third-Party service providers
and/or Operators where necessary and to achieve the purpose(s) for which the Personal
Information/Personal Data was originally collected and Processed. RTC will enter into
written agreements with such Third-Party service providers and/or Operators to ensure that
they comply with Applicable Laws pursuant to the Processing of Personal
Information/Personal Data provided to it by RTC from time to time.
10 TRANSFER OF PERSONAL INFORMATION/PERSONAL DATA OUTSIDE OF SOUTH
AFRICA
10.1 RTC may, under certain circumstances, transfer Personal Information/Personal Data to a
jurisdiction outside of the Republic of South Africa in order to achieve the purpose(s) for
which the Personal Information/Data was collected and Processed, including for
Processing and storage by Third-Party service providers.
10.2 RTC will obtain the Data Subject's consent to transfer the Personal Information/Personal
Data to such foreign jurisdiction unless consent is not required by Applicable Law.
10.3 The Data Subject should also take note that, where the Personal Information/Personal Data
is transferred to a foreign jurisdiction, the Processing of Personal Information/Personal
Data in the foreign jurisdiction may be subject to the laws of that foreign jurisdiction.
11 ACCESS TO PERSONAL INFORMATION/PERSONAL DATA
11.1 A Data Subject has the right to a copy of the Personal Information/Personal Data which is
held by RTC (subject to a few limited exemptions as provided for under Applicable Law).
11.2 The Data Subject must make a written request (which can be by email) to the Information
Officer designated by RTC from time to time.
11.3 RTC will provide the Data Subject with any such Personal Information/Personal Data to the
extent required by Applicable Law and subject to and in accordance with the provisions of
RTC’s PAIA Manual (published in terms of section 51 of the Promotion of Access to
Information Act, 2000 (“PAIA”)).
11.4 The Data Subject can challenge the accuracy or completeness of his/her/its Personal
Information/Personal Data in RTC’s records at any time in accordance with the process set
out in RTC’s PAIA Manual.
12 KEEPING PERSONAL INFORMATION/PERSONAL DATA ACCURATE
12.1 RTC will take reasonable steps to ensure that Personal Information/Personal Data that it
Processes is kept updated where reasonably possible. For this purpose, RTC has provided
a function on its Mobile Application(s) to enable Data Subjects to update their information.
12.2 RTC may not always expressly request the Data Subject to verify and update his/her/its
Personal Information/Personal Data and expects that the Data Subject will notify RTC from
time to time in writing:
12.2.1 of any updates or amendments required in respect of his/her/its Personal
Information/Personal Data;
12.2.2 where the Data Subject requires RTC to delete his/her/its Personal
Information/Personal Data; or
12.2.3 where the Data Subject wishes to restrict the Processing of his/her/its Personal
Information/Personal Data.
13 COSTS TO ACCESS PERSONAL INFORMATION/PERSONAL DATA
13.1 The prescribed fees to be paid for copies of the Data Subject's Personal
Information/Personal Data are listed in RTC’s PAIA Manual referred to at clause 11.3
above.
13.2 RTC reserves the right to make amendments to this Policy from time to time.
14 COMPLAINTS TO THE INFORMATION REGULATOR
14.1 In the event that any Data Subject or Third Party is of the view or belief that RTC has
Processed their Personal Information/Personal Data in a manner or for a purpose which is
contrary to the provisions of this Policy, the Data Subject is required to first attempt to
resolve the matter directly with RTC, failing which the Data Subject or Third Party shall
have the right to lodge a complaint with the Information Regulator, under the provisions of
POPIA.
14.2 The contact particulars of the Information Regulator are:
The Information Regulator (South Africa)
Forum III 3rd Floor Braampark
PO Box 31533
Braamfontein, Johannesburg, 2107
Tel No: +27 010 023 5207
Cell No: 082 746 4173
E-mail: inforeg@justice.gov.za
15 CONTACTING US
15.1 All comments, questions, concerns or complaints regarding Personal Information/Personal
Data or this Policy should be forwarded to RTC’s Information Officer at the following email
address: info@righttocare.org