KardioFit (Pty) Ltd, with its head office situated at 22 1st Avenue, Houghton Estate, Houghton, Johannesburg, South Africa, has developed the KardioFit Mobile Application (“KardioFit App” / “App” / “Application”). The KardioFit App is a healthcare App for individuals (“User”). This Service is provided by KardioFit to the individual at a monthly subscription fee and is intended for use, “as is”.
KardioFit enables the individual to record his/her biometric readings utilising inter alia any of a blood pressure monitor, glucose monitor and spirometer in a private setting and allows health professionals to monitor certain patient-related data for greater reliability of measures made and time saving (hereinafter referred to as the “Application”).
KardioFit protects the Personal Data that it processes and hereby undertakes, in this regard, to comply with applicable regulations on the protection of personal data, and in particular the Protection of Personal Information Act, No.4 of 2013, South Africa (” POPI Act”), as amended, and Regulation (EU) 2016/679 of 27 April 2016, referred to as the “GDPR” (hereinafter referred to as the “Applicable Regulations”).
Personal Data Processing
Processing of the Users’ Personal Data
Purposes and legal basis of processing
Certain Personal Data is collected by KardioFit for the following purposes:
KardioFit, is required to collect and process certain Personal Data of the User according to his/her use of the Application, namely:
User Status and Obligations
Such processing is carried out under the exclusive control of the User. Therefore, for such data processing, the User acts as the data controller, as defined in the Applicable Regulations.
The User undertakes to meet all of his/her obligations and to take into account the particularly sensitive nature of the health data he/she processes.
The User agrees and confirms that he/she shall apply the requisite degree of care in the processing and storage of his/her Personal Data, on the device within which it is captured.
KardioFit Status and Obligations
KardioFit provides the User with the tool required for the processing described above and provides him/her with a secure solution for hosting his/her Personal Data.
KardioFit undertakes to meet its obligations as a data processor, including the implementation of appropriate technical and organisational measures to secure the Personal Data.
KardioFit hereby acknowledges that it shall only act on the documented instructions of the User and that it shall notify him/her of any security breaches of which it may become aware.
Once the User ceases to use the Application, the User shall indicate to KardioFit, which will comply with such indication, whether he/she wants his/her Personal Data to be destroyed or to be returned to him/her or to a third party, and in what format.
KardioFit also hereby states that it keeps a record of all of the categories of processing activities performed on behalf of the User and that it shall provide the User with the necessary documentation to evidence its compliance with all of its obligations.
Retention Period of the Personal Data
KardioFit shall keep the Personal Data for the duration of use of the Application by the User. KardioFit shall retain the Personal Data for five (5) years after the User ceases to use the Application, in order to meet its legal obligations, notably in terms of prescription.
Personal Data Security
KardioFit processes the Personal Data collected in accordance with Applicable Regulations, and notably implements the appropriate safeguards to protect the confidentiality and integrity of the User’s Personal Data. KardioFit undertakes to take all useful and reasonable precautions to ensure the security of the Personal Data collected from the User and in particular to prevent them from being destroyed, lost or corrupted and to prevent access to them by unauthorised third parties.
The features of the Application are implemented in a secure environment ensuring the protection of all Personal Data and any potential communication with the User.
Each User is hereby reminded that he/she has, in accordance with Applicable Regulations, the right to access, rectify and delete his/her Personal Data. The User also has the right to request the limitation of the processing of his/her Personal Data and to object to such processing, as well as the right to the portability of his/her Personal Data. Lastly, the User may file a complaint with the competent supervisory authority (the office of the Information Regulator, South Africa).
These rights may be exercised by sending a letter to: KardioFit 22 1st Avenue, Houghton Estate, Houghton, Johannesburg, 2198, or an email to the following email address: email@example.com, with a copy of the User’s identity document. The User may also contact the KardioFit Data Protection Officer (DPO), at the following email address: firstname.lastname@example.org.
Disclosure of Personal Data
KardioFit will not sell, trade, rent or transfer the User’s Personal Data in any other way, without the User’s consent, which will have been given after the User has received prior information, except for the cases listed below:
Amendment of the Policy