Privacy Policy
Introduction
This is one Privacy Notice for Arjo Huntleigh South Africa (Pty) Ltd, an integral part of the Arjo group of organisations focusing on our business interests in South Africa. This Privacy Notice relates to the processing of personal data of representatives of customers suppliers, leads and Arjo Academy platform users. Arjo Huntleigh South Africa (Pty) Ltd. provides information to the relevant stakeholders about the who, what, why, when, where and how of our data processing activities, as well as setting out what rights individuals have in relation to these processing activities.
Who is processing the personal data?
As indicated above, the data controller for the processing of your personal data is Arjo Huntleigh South Africa (Pty) Ltd. To make this notice easier to read, Arjo, Inc. is referred to as Arjo for the rest of this document. As the data controller, if you have any questions, comments or queries about your personal data, we can be contacted using the details below:
James Stone
Data Compliance Manager
The designated Information Officer for Arjo Huntleigh South Africa (Pty) Ltd (Registration Number 0005106/2023-2024-IRRT/PR) is:
Daleen Oosthuizen
Finance Director
What personal data are we processing?
The type of personal data we may process about you depends on the type of data subject and the nature of our relationship with you, as well as the location where you are. The processing of your personal data could include the following:
Customer representatives, supplier representatives, leads, prospects and contacts:
- Identifiers –
- Name
- Job title
- Contact data –
- Phone number
- Email address
- Location data –
- Address
- IP address
- Financial data –
- Banking details
Webinar platform users:
- Identifiers –
- Name
- Job title
- Contact data –
- Email address
- Location data –
- Address
- IP address
- Audio / visual data –
- Photos (only when provided by the platform user).
Please note, the contact and location information processed relates to data used in a professional capacity and may come directly from you or from the facility you are working for. In some instances, customers provide us patient information which is processed only where necessary to fulfil the purpose for which it was provided.
Why are we processing personal data?
Arjo processes personal data for the reasons listed below.
Representatives of customers, contacts and suppliers:
- Managing the production and distribution of our products and equipment via our logistics supply chain.
- To fulfil our customer orders and requests, as well as to provide support to customer representatives in the event of a complaint or issue or handling claims.
- To manage our legal, regulatory and statutory obligations as well as to maintain accurate and reliable administrative and accounting records, which include managing queries, concerns and investigations.
Leads and prospects:
- The pursuit of our commercial interests through marketing activities.
No automated decision-making is undertaken, with the exception of monitoring the success of marketing activities and when using the MyArjo portal. This includes generating a profile based on the use of our online resources which performs an evaluation. This information is only used to better inform how Arjo can support you and manage the layout of the MyArjo portal. The information is only used for these purposes and no individual data protection or statutory rights are infringed in this process. Any evaluation is subject to human review. If you have any questions or concerns about the potential use of automated decision-making, please contact dataprivacy@arjo.com.
Please note, no personal data is sold in any circumstance.
Which lawful basis do we use for processing personal data?
Arjo only process personal data if there is a legal basis for the processing. For the processing described in this privacy notice, Arjo uses the following lawful basis for processing:
Lawful basis for processing |
Processing activities |
Your explicit consent. You are able to withdraw your consent at any time. You can do this by contacting dataprivacy@arjo.com. |
Marketing activities including direct marketing. |
Your implicit consent to fulfil our legal obligation or if processing is in our legitimate interests (dependant upon the legislative framework that is applicable). |
Activities linked to our regulatory and statutory requirements. Marketing activities including managing our relationship with you as a contact of Arjo. Processing of customer representatives’ personal data is necessary to manage and distribute products and equipment via our logistics supply chain and to fulfil our customer orders and requests. |
Where we rely on a legal obligation to justify the processing of your personal data, this is to ensure that our regulatory and statutory requirements are fulfilled. This is important in order to maintain the quality of the service and products that many stakeholders rely on.
There may also be times when legitimate interest is the appropriate justification for processing your personal data. In this situation, we have undertaken a legitimate interests assessment where the needs, expectations, rights and freedoms of all parties have been considered. Before relying on legitimate interest, we have made sure that our interests are compelling enough and will not cause any unwarranted harm.
For how long do we process your personal data?
We save information for as long as the information is necessary to fulfil the purposes for which the information was collected. The information can be saved for a longer period of time if it is required by applicable law, such as the European Union Medical Device Regulation. Arjo have established routines to ensure that we do not store unnecessary information about you.
Information regarding representatives of customers and contacts
- Most commercial, customer or financial information, relating to e.g. purchase, order and order history, is retained for five years.
- As a global organisation in a highly regulated field, we need to retain information relating to production, distribution, quality, or performance of any of our products for 15 years in accordance with strict European and global regulatory obligations. The personal data contained to these records is usually limited to low-risk personal data where there is any personal data at all.
- Information relating to a customer service case is saved until the matter is resolved and retained in a de-identified format for 15 years.
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Information regarding prospects and leads
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Where are we processing personal data and who do we transfer personal data to?
We may on occasion transfer your personal data outside of the country in which we gather your personal data. This may be done through the use of a particular processor. Where this is relevant, we have undertaken privacy impact assessments and transfer impact assessments to identify appropriate additional measures to implement, prior to establishing data processing agreements including approved standard contractual clauses. In the event that the contractual and organisational measures are still inadequate, we will seek your explicit consent to undertake the proposed processing.
Most of our data processing takes place in the EEA.
We use different systems and platforms to manage the data we process, and a list of the key data processors are listed below:
- Advanced Applications.
- AWS.
- CEVA.
- Digital Space.
- ON24.
- Salesforce.
- Tech Mahindra.
- Other subsidiaries of the Arjo group as part of global functions.
Additionally, we use Microsoft Office storage and productivity tools to process personal data in the course of our commercial, production, logistical, operational, research and administrative activities.
We may also share personal data with partners and in line with our regulatory or statutory obligations. In all instances, data will only be shared in line with an appropriate lawful basis for processing. Data sharing is frequently undertaken following a privacy impact assessment and a transfer risk assessment to ensure the necessary safeguards and control measures are in place prior to any data sharing.
How are we processing personal data?
Arjo have adapted the following to enable secure and compliance towards handling and processing data:
- Arjo have an IT policy, Information Security Directive, Data Privacy and Acceptable Use of IT devices Directive.
- Access management based on least privilege with access reviews performed on a quarterly basis, additionally each user will have unique and individual usernames where none are shared.
- Admin access only given to system and database owners who have the correct skills and training, normally senior IT staff.
- Robust change management process.
- All systems for which the hosting solution is determined by Arjo can only be accessed via our VPN solution. In all cases, all data and systems are encrypted at rest and in transit and require a unique username and password to access the data each user is authorised to access.
- All Third Parties that host or work on Arjo systems are subject to a Risk Assessment on a yearly basis.
- Arjo also have an overall Incident management process which is run by our Service Management team.
- Patch management; as part of our service management.
- Pen testing and vulnerability management.
- IT audits performed by a third party annually.
What are your rights in relation to this data processing?
Depending upon the data protection laws of the country you are in or the legal entity processing your personal data, you may have rights including:
- Your right of access – You have the right to ask us for copies of your personal information that we process about you. Through this copy you will be able to understand which of your personal data we have and process. The right of access is applicable when a record contains information where an individual can be identified, and the information is about them. This means that records that are accessible to you will have the personal data about other people redacted where appropriate, in order to protect their right to privacy. Your personal data will be redacted if someone else requests access to a record containing your personal data. Legislation provides other exemptions that may be applicable such as records where legal privilege needs to be observed or there is an obligation of confidentiality in specific circumstances. Any exemption applied will have a relevant legal basis and will be explained to you were necessary.
- Your right to be informed – You have the right to be informed of how we process your personal data. This Privacy Notice is an initial means of informing you about the processing of your personal data. Additional methods of keeping you informed include through FAQs, contractual agreements and through discussions – if you have a question about how we are processing your personal data, you can contact us by writing to dataprivacy@arjo.com.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Any request to rectify your personal data will also be transferred and actioned by any processor with whom your personal data has been shared. This process is managed by us and will not require any additional action from you for your right to be exercised in full.
- Your right to erasure – You have the right to ask us to erase your personal information when the information is no longer necessary to fulfil the purpose of processing the information or keeping it or if you retract your consent. Arjo is obliged to keep extensive records in accordance with our legal obligations. As such, Arjo may not be able to delete every record that is processed about you, however this will be explained where relevant. Any request to be forgotten will also be managed by Arjo with any processor that is processing your personal data on our behalf.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances such as if the personal data is not relevant to fulfil our legal obligations.
- Your right to object to processing – You have the right to object to the processing of your personal data. The right can be invoked when the legal basis is legitimate interest, including profiling. If an objection is made, Arjo must show compelling legitimate interests to continue processing personal data for that specific purpose.
- Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation. This enables you to transfer it in a machine-readable format to another recipient. The right to data portability applies to personal data that is processed based on your consent or to perform a contract. It applies only to such personal data that you have provided Arjo with yourself.
- Your right regarding automated decision-making – You have the right to request that a review of any profiling that is undertaken using your personal data to be undertaken by a human.
- Your right to withdraw consent – You have the right to withdraw consent where this is the lawful basis established for the processing of your personal data i.e. when collected for certain marketing activities.
For more information about your specific data protection rights, please visit the website of the Information Regulator.
You are not required to pay any charge for exercising your rights in most instances. If you make a request, we have one month to respond to you.
Relevant forms for the outcome of a request and a request for information can be obtained from the Arjo website. Please contact us using any of the details below if you wish to make a request.
Arjo Huntleigh South Africa (Pty) Ltd
2 Willem Cruywagen Avenue Klerksoord, Akasia
Finally, you have the right to complain to a data protection authority. For Arjo Huntleigh South Africa (Pty) Ltd, the relevant supervisory authority is the Information Regulator and can be reached using the details below:
Information Regulator
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
+27 10 023 5200
enquiries@inforegulator.org.za.