We’re Here for You and Your Loved Ones
We’d love to hear from you. Reach out to our head office or directly to any of our homes or initiatives.
Privacy Policy
DATA PROTECTION, COOKIE AND PRIVACY POLICY
Last Modified
Lar Santa Isabel Pty Ltd (“Lar Santa
Isabel”) places a high premium on the privacy and personal information of our members,
employees, service providers, stakeholders, business
partners and any other third-party
with whom we engage or contract. Lar Santa Isabel is therefore committed to
ensure that it complies with the requirements of the Protection of Personal
Information Act, 4 of 2013 (“POPIA”) and other potentially applicable data
protection and privacy laws.
1. DEFINITIONS
In this Policy (as defined below), unless the context requires otherwise, the following capitalised terms shall have the meanings given to them —
1.1 “Active Processing” refers to instances
where the Company
has directly been provided with the Personal
Information/Personal Data of Data Subjects, such as when Data Subjects submit
an enquiry in respect of the Company’s products and/or services, or when Data
Subjects provide Personal Information/Personal Data to Lar Santa Isabel
pursuant to concluding any commercial agreement(s) with the Company;
1.2 “Applicable Laws” mean any laws applicable to Personal Data and Personal
Information and include any statute, regulation, notice, policy,
directive, ruling or subordinate legislation; the common law; any binding court
order, judgment or ruling, policy or standard enforceable by law; or any
applicable direction, policy or order that
is given by any regulator, competent authority or organ of state or statutory
industry body;
1.3 “Child” means
any natural person
under the age of 18 years;
1.4 “Competent Person” means anyone who is legally
competent to consent
to any action or decision
being taken by any matter concerning a child, for example a parent or legal guardian;
1.5 “Company”
means The Portuguese Welfare Society of South Africa, with registration number:
NPO No: 001-170 / PBO: 930 004 911
1.6
“Controller” means Lar
Santa Isabel, in circumstances where it Processes Personal Data (as
defined in Article 4 of the GDPR);
1.7 “Cookies” means small
text files that store either Non-personally Identifiable Information/Data or
Personal Information/Personal Data about Data Subjects, either temporarily in
connection with a Data Subjects Internet Protocol (IP) address (known as a temporary or session
cookie and deleted once a Data Subject closes their browser window) or more
permanently on the hard drive of a Data Subject’s device or for purposes of
remembering the Website(s) settings (known as a permanent or persistent cookie,
or flash cookies). The Company’s Website(s) and/or or Mobile Application(s) may from time to time make use of
sessions, persistent or flash cookies so that Data Subjects do not have to fill
in the same information from page to page within our Website(s) or Mobile
Application(s) and to enhance any Data Subject’s experience of the Company’s Website and/or Mobile
Application(s). If Data Subjects elect not to receive
cookies, they may be able to view some, but not all of the content on the Company’s
Website(s) or Mobile Application(s);
1.8 “Data Subject” means the person or any Third-Party who accesses the website of Lar Santa Isabel and Processes Personal Information/Personal Data;
1.9 “Embedded Scripts” means, programming code that is designed to collect information about a Data Subject’s interactions with the relevant Website(s) or Mobile Application(s). It is temporarily downloaded onto a Data Subject’s device from the Lar Santa Isabel’s web server or a Third-Party Operator. This program is active only while a Data Subject is connected to the relevant Website(s) or Mobile Application(s) and is deleted or deactivated thereafter;
1.10 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, more commonly referred to as the General Data Protection Regulation;
1.11 “Inactive Processing” refers to instances where Lar Santa Isabel has not actively been provided with the Personal Information/Personal Data of Data Subjects, such as when the Company deploys Passive Processing Means to collect information from Data Subjects. These Passive Processing Means allow the Company to Process certain kinds of Non-personally Identifiable Data which can perhaps not be linked to Data Subjects;
1.12 “Member” means any natural person who has concluded an agreement with the Company in terms of which such member enjoys pre-determined, tailored and personalized benefits against payment of monthly premiums of contributions;?
1.13 “Member Portal” means the digital portal to which a Member has access to manage their individual membership profile;
1.14 “Mobile Application” means the Company’s digital mobile application interface which enables Members to manage their individual membership profile;
1.15
“Mobile Device
Identifier” means device information that can be identified when accessing
the Company’s Website or Mobile Application(s) through mobile devices. Certain
features of the relevant Website(s) or Mobile Application(s) may require
collection of mobile phone numbers
and the Company may associate
that phone number with the
mobile device identifiers. Additionally, some mobile phone service providers
operate systems that pinpoint the physical location of devices that use their
service. Depending on the provider, the Company and/or our Third-Party
Operators may receive this information. If the Company
associates any such passively collected
information with the Personal
Information/Personal Data of Data Subjects, the Company will treat the combined information as Personal Information/Personal Data as contemplated in this Policy;
1.16 “Non-personally Identifiable Information/Data” means any information/data which cannot be linked to Data Subjects, such as an internet domain name, the type of web browser used by a Data Subject, the type of operating system relied on by a Data Subject, the date and time of a Data Subject’s visit to the Company’s Website and Mobile Application(s), the specific pages a Data Subject may have visited, and the address of the website which a Data Subjects may have visited prior to entering or gaining access to the Company’s Website or Mobile Application(s);
1.17 “Operator” means a person or entity who Processes Personal Information/Data for a Responsible Party;
1.18 “Passive Processing Means “ means the use of technologies to facilitate the Inactive Processing of Personal Information/Personal Data, namely the use of Cookies, Web Beacons, Embedded Scripts and/or Mobile Device Identifiers;
1.19 “Personal Data” (as defined in Article 4 of the GDPR) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly;
1.20 “Personal Information” shall have the same meaning as in section 1 of POPIA and shall include an Account Number as defined in section 105(5) of POPIA;
1.21 “Policy” means this Data Protection and Privacy Policy;
1.22 “POPIA” means the Protection of Personal Information Act, No 4 of 2013;
1.23 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information/Personal Data, including:
1.23.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
1.23.2 dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or
1.23.3 merging, linking, blocking, degradation, erasure or destruction. For the purposes of this definition, “Process” has a corresponding meaning and the terms “Processing” and “Process” shall include instances or activities of Active Processing, Inactive or Passive Processing of Personal Information/Personal Data and/or Non-Personally Identifiable Information/Data;
1.24 “Regulator(s)” means any applicable regulatory authority, including the Information Regulator established in terms of POPIA;
1.25 “Responsible Party” means in the context of this Policy, the Company;
1.26 “Special Personal Information/Data” means Personal Information/Personal Data concerning, amongst other aspects contemplated in terms of section 26 Part B of POPIA, a Data Subject’s religious beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric data, or criminal behaviour;
1.27 “Third Party” means any employee, independent contractor, agent, consultant, broker, managed healthcare services provider, sub-contractor, Regulator(s), user of the Company’s websites or mobile application interfaces, or other representative of the Company;
1.28 “Website” means the website owned and operated by the Company sourced at www.larstisabel.co.za;
1.29 “Web Beacons” means small graphic images called web beacons, also known as “Internet tags” or “clear gifs,”, which Web Beacons may be deployed in the Company’s Website pages and e-mail messages. Web beacons may be invisible to Data Subjects, but any electronic image inserted into a web page or e-mail can act as a Web Beacon. The Company may use web beacons or similar technologies for a number of purposes, including, without limitation, to count the number of visitors to its Website, Mobile Application(s), to monitor how users navigate the Website or Mobile Application(s), to count how many e-mails that the Company has sent were actually opened or to count how many particular articles or links were actually viewed by Data Subjects in certain circumstances.
2.
INTRODUCTION
2.1 This Policy regulates the Processing of Personal Information/Personal Data by the Company and sets forth the requirements with which the Company undertakes to comply when Processing Personal Information/Personal Data pursuant to undertaking its operations and fulfilling its contractual obligations in respect of Data Subjects and Third Parties in general.
2.2
The Company places a high premium on the privacy of every person or organisation with whom it interacts or engages and therefore acknowledges the need to ensure that Personal Information/Personal Data is handled with a reasonable standard of care as may be expected from it. The Company is therefore committed to ensuring that it complies with the requirements of POPIA, and also with the terms of the GDPR to the extent that the GDPR applies.
2.3 The core purpose of the GDPR is recorded as protecting the Personal Information/Personal Data belonging to citizens and residents of the European Union. Therefore, although the Company operates within the Republic of South Africa, the GDPR may apply to it in certain circumstances and in such circumstances, the Company will take appropriate compliance steps. At the time of publishing this Policy, the circumstances in respect of which the GDPR may be applicable to the Company are:
2.3.1 Instances where the Company offers goods or services to data subjects who are physically within the European Union; or
2.3.2 Instances where the Company monitors the online activities and/or behaviour of data subjects who visit the Company’s Website(s) from within the European Union.
2.4 When a Data Subject or Third Party engages with the Company, whether physically or via any digital, electronic interface such as the Company’s Website, Member Portal or Mobile Application, the Data Subject or Third Party acknowledges that they trust the Company to Process their Personal Information/Personal Data.
2.5 When accessing Company’s website, Data Subjects and Third Parties have the right to object to the processing of their Personal Information/Personal Data. It is voluntary to accept the Terms and Conditions to which this Policy relates. However, the Company does require the Data Subject or Third Party’s acceptance to enable the proper use of the Company’s Website, Member Portal or Mobile Application.
3. PURPOSE AND APPLICATION
3.1 The purpose of this Policy is not only to inform Data Subjects about how the Company Processes their Personal Information/Personal Data, but also to establish a standard by which the Company and its employees and representatives shall comply in as far as the Processing of Personal Information/Personal Data is concerned.
3.2 The Company, in its capacity as a Responsible Party and/or Operator and/or Controller, as the case may be, shall observe and comply with its obligations under POPIA and the GDPR (as may be applicable and to the extent necessary) when it Processes Personal Information/Personal Data from or in respect of any Data Subject.
4. COLLECTING AND PROCESSING OF PERSONAL INFORMATION/PERSONAL DATA
4.1 Whenever any Data Subject completes an application form, contacts the Company electronically, or uses one of the products, services, facilities, tools or utilities offered by the Company through its Website, Member Portal or Mobile Application, the Company will in effect be Processing the Data Subject’s Personal Information/Personal Data.
4.2 It may be from time to time that the Company has collected a Data Subject’s Personal Information/Personal Data from other sources. In the event that a Data Subject has shared their Personal Information/Personal Data with any Third Parties, the Company will not be responsible for any loss suffered by the Data Subject, their dependants, beneficiaries, spouse(s) or employees (as the case may be).
4.3 When a Data Subject provides the Company with the Personal Information of their dependant(s) either through the Website, Member Portal, Mobile Application or on their membership application, the Data Subject confirms having obtained consent to do so from his/her affiliated company or place of employment, and the Company will process the Personal Information/Personal Data of such affiliate(s) or place of employment(s) in line with this Policy, as well as the terms and conditions to which this Policy relates.
4.4 The Company will Process Personal Information/Personal Data in order to facilitate and enhance the delivery of products and services to its Members, foster a legally compliant workplace environment, as well as safeguard the Personal Information/Personal Data relating any Data Subjects which it in fact holds. In such an instance, the Data Subject providing the Company with such Personal Information/Personal Data will confirm that they are a Competent Person and that they have authority to give the requisite consent to enable the Company to process such Personal Information/Personal Data.
4.5 The Company undertakes to process any Personal Information/Personal Data in a manner which promotes the constitutional right to privacy, retains accountability and Data Subject participation. In supplementation of the above, the Company will process Personal Information/Personal Data for the following purposes:
4.5.1 To provide or manage any information, products and/or services requested by Data Subjects in general and our Members;
4.5.2 To establish a Data Subject’s needs, wants and preferences in relation to the products and/or services provided by the Company;
4.5.3 To help the Company identify Data Subjects when they contact the Company;
4.5.4 To facilitate the delivery of products and/or services to Members, including Disease Management;
4.5.5 To allocate to data subjects/affiliates/place of employment unique identifiers for the purpose of securely storing, retaining and recalling such Members’ Personal Information/Personal Data from time to time;
4.5.6 To maintain records of Data Subjects and specifically Member records;
4.5.7 To maintain Third-Party records;
4.5.8 For recruitment purposes;
4.5.9 For employment purposes;
4.5.10 For apprenticeship purposes;
4.5.11 For general administration purposes;
4.5.12 For legal and/or contractual purposes;
4.5.13 For health and safety purposes;
4.5.14 To retain the records of brokers;
4.5.15 To monitor access, secure and manage any facilities owned or operated by the Company regardless of location in South Africa;
4.5.16 To transact with Third Parties;
4.5.17 To improve the quality of the Company’s products and services;
4.5.18 To detect and prevent money laundering;
4.5.19 To analyse the Personal Information/Personal Data collected for research and statistical purposes;
4.5.20 To help recover bad debts;
4.5.21 To transfer Personal Information/Personal Data across the borders of South Africa to other jurisdiction if reasonably required;
4.5.22 To carry out analysis and company profiling;
4.6 When collecting Personal Information/Personal Data from a Data Subject, the Company shall comply with the notification requirements as set out in Section 18 of POPIA, and to the extent applicable, Articles 13 and 14 of the GDPR.
4.7 The Company will collect and Process Personal Information/Personal Data in compliance with the conditions as set out in POPIA and/or the Processing principles in the GDPR (as the case may be), to ensure that it protects the Data Subject’s privacy.
4.8 The Company will not Process the Personal Information/Personal Data of a Data Subject for any purpose other than for the purposes set forth in this Policy, unless the Company is permitted or required to do so in terms of Applicable Laws or otherwise by law.
4.9 The Company may from time-to-time Process Personal Information/Personal Data by
making use of automated means (without deploying any human intervention in the decision-making process) to make decisions about the Data Subject or their application. In this instance it is specifically recorded that the Data Subject may object to or query the outcomes of such a decision.
5. PERSONAL INFORMATION/PERSONAL DATA FOR DIRECT MARKETING PURPOSES
5.1 The Company acknowledges that it may only use Personal Information/Personal Data to contact Data Subjects for purposes of direct marketing where the Company has complied with the provisions of POPIA and GDPR (where applicable) and when it is generally permissible to do so in terms of Applicable Laws.
5.2 The Company will ensure that a reasonable opportunity is given to all Data Subjects to object (opt-out) to the use of their Personal Information/Personal Data for the Company’s marketing purposes when collecting the Personal Information/Personal Data and on the occasion of each communication to the Data Subject for purposes of direct marketing.
6. STORAGE AND RETENTION OF PERSONAL INFORMATION/PERSONAL DATA
6.1 The Company will retain Personal Information/Data it has Processed, in an electronic or hardcopy file format on its own accord and/or with a Third-Party service provider appointed for this purpose (the provisions of clause 9 below will apply in this regard).
6.2 Personal Information/Personal Data will only be retained by the Company for as long as necessary to fulfil the purposes for which that Personal Information/Personal Data was collected and/or as permitted in terms of Applicable Law.
6.3 It is specifically recorded that any Data Subject has the right to object to the Processing of their Personal Information and the Company shall retain and store the Data Subject’s Personal Information/Personal Data for the purposes of dealing with such an objection or enquiry as soon and as swiftly as possible. In the event the Data Subject objects to the Processing of their Personal Information you agree to forthwith vacate the website.
6.4 In amplification of the above, and in as far as the provisions of Article 17 of the GDPR are applicable to the Company’s processing of Personal Information/Personal Data of Data Subjects, any Data Subject shall have the right to procure from the Company the erasure of any Personal Information/Personal Data concerning the Data Subject. Such erasure will be given effect as soon as possibly pursuant to such a request and will be subject to the Data Subject satisfying the Company as to the applicability of any of the circumstances justifying such erasure under Article 17 of the GDPR.
7. FAILURE TO PROVIDE PERSONAL INFORMATION
7.1 Where the Company is required to collect Personal Information/Personal Data from a Data Subject by law or in order to fulfil a legitimate business purpose of the Company and the Data Subject fails to provide such Personal Information/Personal Data, the Company may, on notice to the Data Subject, decline to render services without any liability to the Data Subject.
8. SECURING PERSONAL INFORMATION/PERSONAL DATA
8.1 The Company has implemented appropriate, reasonable, physical, organisational, contractual and technological security measures to secure the integrity and confidentiality of Personal Information/Personal Data, including measures to protect against the loss or theft, unauthorised access, disclosure, copying, use or modification of Personal Information/Personal Data in compliance with Applicable Laws.
8.2 In further compliance with Applicable Law, the Company will take steps to notify the relevant Regulator(s) and/or any affected Data Subjects in the event of a security breach and will provide such notification as soon as reasonably possible after becoming aware of any such breach.
8.3 Notwithstanding any other provisions of this Policy, it should be acknowledged that the transmission of Personal Information/Personal Data, whether it be physically in person, via the internet or any other digital data transferring technology, is not completely secure. Although the Company has taken all appropriate, reasonable measures contemplated in clause 8.1 above to secure the integrity and confidentiality of the Personal Information/Personal Data it Processes, in order to guard against the loss of, damage to or unauthorised destruction of Personal Information/Personal Data and unlawful access to or processing of Personal Information/Personal Data, the Company in no way guarantees that its security system is completely secure or error free. Therefore, the Company does not guarantee the security or accuracy of the information (whether it be Personal Information/Personal Data or not) which it collects from any Data Subject.
8.4 Any transmission of Personal Information/Personal Data will be solely at the own risk of the Data Subject. Once the Company has received the Personal Information/Personal Data, it will deploy and use strict procedures and security features to try to prevent unauthorised access to it. As indicated above, the Company’s reiterates that it restricts access to Personal Information/Personal Data to Third Parties who have a legitimate operational reason for having access to such Personal Information/Personal Data. The Company also maintains electronic and procedural safeguards that comply with the
Applicable Laws to protect the Data Subject’s Personal Information from any unauthorised access.
8.5 The Company shall not be held responsible and by accepting the terms and conditions to which this Policy relates, any Data Subject agrees to indemnify and hold the Company harmless for any security breaches which may potentially expose the Personal Information/Personal Data in the Company’s possession to unauthorised access and or the unlawful Processing of such Personal Information/Personal Data by any Third Party.
9. PROVISION OF PERSONAL INFORMATION/PERSONAL DATA TO THIRD PARTIES
9.1 The Company may disclose Personal Information/Personal Data to Third-Party service providers where necessary and to achieve the purpose(s) for which the Personal Information/Personal Data was originally collected and Processed. The Company will enter into written agreements with such Third-Party service providers to ensure that they comply with Applicable Laws pursuant to the Processing of Personal Information/Personal Data provided to it by the Company from time to time.
9.2 In as far as the provisions of the GDPR may be applicable to the Company’s processing of Personal Information/Personal Data, the Data Subject has the right, under the provisions of Article 20 of the GDPR, to receive any Personal Information/Personal Data which the Data Subject has provided to the Company, in a structured, commonly used and machine-readable format, as well as to transmit that Personal Information/Personal Data to another third party. Such transmittal shall be subject to the conditions set forth in Article 20 and any transfer of a Data Subject’s Personal Information/Personal Data in this regard, will be subject to the Data Subject indemnifying the Company against any potential loss or damage which may be suffered by the Data Subject as a result of such transfer.
10. TRANSFER OF PERSONAL INFORMATION/PERSONAL DATA OUTSIDE OF SOUTH AFRICA
10.1 The Company may, under certain circumstances, transfer Personal Information/Personal Data to a jurisdiction outside of the Republic of South Africa in order to achieve the purpose(s) for which the Personal Information/Data was collected and Processed, including for Processing and storage by Third-Party service providers.
10.2 The Company will obtain the Data Subject’s consent to transfer the Personal Information/Personal Data to such foreign jurisdiction unless consent is not required by Applicable Law.
10.3 The Data Subject should also take note that, where the Personal Information/Personal Data is transferred to a foreign jurisdiction, the Processing of Personal Information/Personal Data in the foreign jurisdiction may be subject to the laws of that foreign jurisdiction.
11. ACCESS TO PERSONAL INFORMATION/PERSONAL DATA
11.1 A Data Subject has the right to a copy of the Personal Information/Personal Data which is held by the Company (subject to a few limited exemptions as provided for under Applicable Law).
11.2 The Data Subject must make a written request (which can be by email) to the Information Officer designated by the Company from time to time.
11.3 The Company will provide the Data Subject with any such Personal Information /Personal Data to the extent required by Applicable Law and subject to and in accordance with the provisions of the Companys PAIA Manual (published in terms of section 51 of the Promotion of Access to Information Act, 2000 (“PAIA”), which PAIA Manual can be sourced from the email [email protected].
11.4 The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information/Personal Data in the Company’s records at any time in accordance with the process set out in the Company’s PAIA Manual.
12. KEEPING PERSONAL INFORMATION/PERSONAL DATA ACCURATE
12.1 The Company will take reasonable steps to ensure that Personal Information/Personal Data that it Processes is kept updated where reasonably possible. For this purpose, the Company has provided a function on its Member Portal? to enable Data Subjects to update their information.
12.2 The Company may not always expressly request the Data Subject to verify and update his/her/its Personal Information/Personal Data and expects that the Data Subject will notify the Company from time to time in writing:
12.2.1 of any updates or amendments required in respect of his/her/its Personal Information/Personal Data;
12.2.2 where the Data Subject requires the Company to delete his/her/its Personal Information/Personal Data; or
12.2.3 where the Data Subject wishes to restrict the Processing of his/her/its Personal Information/Personal Data.
13. COSTS TO ACCESS PERSONAL INFORMATION/PERSONAL DATA
The prescribed fees to be paid for copies of the Data Subject’s Personal Information/Personal Data are listed in the Company’s PAIA Manual referred to in clause 11.3 above.
13.1 The Company reserves the right to make amendments to this Policy from time to time.
14. COMPLAINTS TO THE INFORMATION REGULATOR
14.1 In the event that any Data Subject or Third Party is of the view or belief that the Company has Processed their Personal Information/Personal Data in a manner or for a purpose which is contrary to the provisions of this Policy, the Data Subject is required to first attempt to resolve the matter directly with the Company, failing which the Data Subject or Third Party shall have the right to lodge a complaint with the Information Regulator, under the provisions of POPIA.
14.2 The contact particulars of the Information Regulator are:
The Information Regulator (South Africa) Forum III 3rd Floor Braampark
PO Box 31533
Braamfontein, Johannesburg, 2107
Mr. Marks Thibela Chief Executive Officer
Tel No: +27 010 023 5207
Cell No: 082 746 4173
E-mail: [email protected]
15. CONTACTING US
All comments, questions, concerns or complaints regarding Personal Information/Personal Data or this Policy should be emailed to the Company’s Information Officer at [email protected].
16. EFFECTIVE DATE
The Policy shall apply and take effect on 1 APRIL 2025.
More than just a care facility, it is a community that celebrates the Portuguese language and culture.
