S.A.S.S

PRIVACY AND POPIA POLICY


PRIVACY POLICY


1. This Privacy Policy tells you how we will process and protect your Personal Information.

2. The South African Society of Ostomates (“SASS”, “we”, “us” or “our”) collects and processes the Personal Information of anyone who completes our survey on our website, chooses to receive our services, takes part in our organisation's activities and becomes a member of our organisation.

3. By providing us with your Personal Information, you:
3.1. agree to this Policy and authorise us to process such information as set out herein; and

3.2. authorise SASS, our Service Providers and other third parties to Process your Personal Information for the purposes stated in this Policy.

4. Personal Information, in terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), means “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”. South Africa’s Constitution Act 108 of 1996, as amended, provides that everyone has the right to privacy. This includes the right to protection against the unlawful collection, retention, dissemination and use of your personal information.

5. Because of the sensitivity of some personal information, we ensure that the way we process your Personal Information complies fully with POPIA and have implemented reasonable organisational and technical controls as a result.


6. Our Privacy Policy terms may change from time to time. When we change them, the changes will be made on our website. Please ensure that you visit our website and regularly read this Privacy and POPIA Policy.

7. Collection of Personal Information

7.1. We may collect or obtain Personal Information about you in the following ways:

7.1.1. Through direct or active interactions with you;
7.1.2. In the course of our relationship with you;
7.1.3. Through automated or passive interactions with you;
7.1.4. When you visit or interact with our website;
7.1.5. From third parties;
7.1.6. Public sources;
7.1.7. Website usage information may be collected using “cookies”, which allow us to collect standard internet visitor usage information.

7.2. Types of Personal Information we may collect:

7.2.1. Identity information;
7.2.2. Contact information;
7.2.3. Medical information;
7.2.4. Location information;
7.2.5. Lifestyle information; and
7.2.6. Personal preferences.

8. Legal Basis for Processing

8.1. When we process your personal information in connection with the purposes set out in this Privacy Statement, we may rely on one or more of the following legal bases, depending on the purpose for which the processing activity is undertaken and the nature of our relationship with you:

8.1.1. Your consent to the processing of your Personal Information;
8.1.2. Processing of the information is necessary for the performance of a contract or of a legal obligation;
8.1.3. Processing is necessary for the protection of our and your legitimate interests.

9. Purposes of Processing

9.1. We will primarily use your Personal Information only for the purpose for which it was originally collected. We will use your Personal Information for a secondary purpose only if such purpose constitutes a legitimate interest and is compatible with the primary purpose for which the Personal Information was collected.

9.2. You agree that we may process your Personal Information for purposes including, but not limited to, the following, as relevant to our relationship with you:

9.2.1. Advocating for the rights of ostomates;
9.2.2. Undertaking our outreach and voluntary services, including the delivery of products supplied by third parties;
9.2.3. Complying with compulsory requirements under relevant laws;
9.2.4. To retain and make information available to you on our website;
9.2.5. To maintain and update our database;
9.2.6. To establish and verify your identity on the website;
9.2.7. Fraud prevention;
9.2.8. Membership;
9.2.9. Complying with information requests from the Information Regulator;
9.2.10. Transfer of information to an associated third party of ours;
9.2.11. To conduct research, surveys and other advocacy activities;
9.2.12. For security, administrative and legal purposes.

9.3. We will not intentionally collect and process the Personal Information of a child unless we have the permission of a guardian or competent person (as defined by POPIA).

10. Sharing of Personal Information

10.1. In order for us to carry out our obligations and for legitimate advocacy purposes, we may need to pass your personal information on to third parties, such as our legal team and ostomy-related product suppliers. This Privacy Policy records your consent to us passing your Personal Information on to those third parties.

10.2. We will ensure that your Personal Information is processed in a lawful manner and that the third parties or we do not infringe your privacy rights. In the event that we ever outsource the processing of your Personal Information to a third party operator, we will ensure that the operator processes and protects your Personal Information using reasonable technical and organisational measures that are equal to or better than ours.

10.3. We may also disclose your Personal Information to third parties if we are under a duty to disclose or share such information in order to comply with any legal obligation or to protect the rights, property or safety of SASS, its members and others.

11. International Transfer of Personal Information

11.1. We will not ordinarily transfer any Personal Information collected from you outside the borders of South Africa.

11.2. In the event that we transfer or store your Personal Information outside South Africa, we will take all steps reasonably necessary to ensure that the third party who receives your Personal Information is subject to a law or binding agreement which provides an adequate level of protection.

12. Data Security, Retention, Accuracy and Restriction

12.1. We have implemented appropriate technical and organisational security measures to protect your Personal Information that is in our possession against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access, in accordance with applicable law.

12.2. We will retain your personal information for as long as is necessary to fulfil the purpose for which it was collected unless a longer retention period is required to comply with legal obligations or another legitimate obligation, or unless we have your consent to process it indefinitely.

12.3. The Personal Information provided to us should be accurate, complete and up-to-date. Should Personal Information change, the onus is on the provider of such data to notify us of the change and provide us with the accurate data.

12.4. We will restrict our processing of Personal Information to data which is sufficient for the fulfilment of the primary purpose and applicable legitimate purpose for which it was collected.

13. Your Rights under this Privacy Policy

13.1. You have the right to have your personal information processed lawfully. Your rights include the right:

13.1.1. To be notified that your Personal Information is being collected or that your Personal Information has been accessed or acquired by an unauthorised person e.g. where a hacker may have compromised our computer system;
13.1.2. To find out whether we hold your Personal Information and to request access to your Personal Information;
13.1.3. To request us, where necessary, to correct, destroy or delete your Personal Information;
13.1.4. To object, on reasonable grounds, to the processing of your Personal Information;
13.1.5. To object to the processing of your Personal Information for purposes of direct marketing, including by way of unsolicited communications;
13.1.6. Not to be subject, in certain circumstances, to a decision which is based solely on the automated processing of your Personal Information;
13.1.7. To submit a complaint to the Regulator if you believe that there has been interference with the protection of your Personal Information; and
13.1.8. To institute civil proceedings against us if you believe that we have interfered with the protection of your Personal Information.

14. Direct Marketing

14.1. We may process Personal Information for the purpose of direct marketing and providing you with information that may be of interest to you. We will only send you direct marketing materials if you have specifically opted in to receive these materials, or if you are a member of ours, at all times in accordance with applicable laws.

14.2. You may unsubscribe at any time.

14.3. If you opt out of receiving marketing-related communications from us, we may still send you administrative messages which are necessary as part of services.

15. Contact Details of the Information Regulator and Queries

15.1. You may contact our Information Officer at: info@sasstomates.org.za

15.2. You may contact the Information Regulator at:
https://www.justice.gov.za/inforeg/index.html
Tel: 012 406 4818
Fax: 086 500 3351
Email: inforeg@justice.gov.za

PROTECTION OF PERSONAL INFORMATION ACT

16. The purpose of the Protection of Personal Information Act (“POPIA”) is to promote the protection of personal information of individuals and businesses and to give effect to their right of privacy as provided for in the Constitution.

17. SASS needs personal information relating to both individual and juristic persons in order to carry out its advocacy mandate, services, organisational functions and meet its legal requirements. The manner in which this information is processed and the purpose for which it is processed is determined by SASS. SASS is accordingly a responsible party for the purposes of POPIA and will ensure that the personal information of a data subject:
17.1. Is processed lawfully, fairly and transparently;

17.2. Is processed only for the purposes it was collected;

17.3. Will not be processed for a secondary purpose unless that processing is compatible with the original purpose;

17.4. Is accurate; and

17.5. Is not excessive for the purpose for which it was collected.

18. Purpose

18.1. SASS will only process personal information that, among others:

18.1.1. Is necessary to enable us to perform our advocacy functions;
18.1.2. Is necessary for us to provide our services, including the delivery of third party products to ostomates;
18.1.3. Is necessary for the conclusion and management of various contracts;
18.1.4. Is necessary for marketing requirements; and

19. Categories of Data Subjects

19.1. Recipients, users, members;

19.2. Directors and employees;

19.3. Contractors, service providers and suppliers;

19.4. Debtors and creditors;

19.5. SASS does not generally do cross border transfers, but, in the unlikely event that cross border transfer of personal information is necessary and/or unavoidable, SASS shall ensure that the data protection and privacy laws of such countries to which personal information is transferred, are similar to the legislation in South Africa, and that the recipients of the personal information commit to the same standard of data protection as that which SASS has committed to.

20. Recipients of Personal Information are SASS, its third parties and their respective representatives.

21. Information Security Measures
21.1. We have implemented reasonable technical and organisational measures to ensure the safety of all information. These measures include:
21.1.1. Physical security measures
21.1.2. Access control measures
21.1.3. Encryption measures
21.1.4. Cyber security measures
21.1.5. Anti-virus measures
21.1.6. Security firewalls
21.1.7. Password control
21.1.8. Policies