1           Definitions

This Policy is based on the terms used in POPIA and the GDPR. This Policy should be legible and understandable to the general public. To ensure this we would like to first explain the terminology used. In this Policy, unless the context requires otherwise, the following capitalised terms shall have the meanings given to them –

1.1             "Affiliate" means, with respect to any entity, any other entity controlling, controlled by or under common Control with such entity. The term “Affiliate” shall also include a “subsidiary” of an entity with the term “subsidiary” meaning a subsidiary as defined in Section 3 of the South African Companies Act 71 of 2008, as amended, and including any foreign company, which if it were registered in terms of the South African Companies Act 71 of 2008, as amended, would fall within the ambit of such term;

1.2             "Applicable Privacy Laws" means POPIA and the GDPR;

1.3             "Artisan Biomed" means Artisan Biomed Proprietary Limited, a limited liability private company, registration number 2015/199843/07, duly incorporated in the Republic of South Africa with its registered address at St. Peters Square, Upper Level, Corner Anzio and Main Road, Observatory, Western Cape, 7925;

1.4             "Child" means any natural person under the age of 18 (eighteen) years and "Children" shall have a corresponding meaning;

1.5             "Data Protection Officer" means the data protection officer of CPGR whose details are set out in clause 11 below;

1.6             "Data Subject" or "you" means the client or user of this website who may be natural or juristic persons or any other person(s) in respect of whom CPGR Processes Personal Information or Personal Data;

1.7             "CPGR" or "we" or "us" or "our" means the Centre for Proteomic & Genomic Research, a non-profit company, registration number 2006/010411/08, duly incorporated in the Republic of South Africa with its registered address at St. Peters Square, Upper Level, Corner Anzio and Main Road, Observatory, Western Cape, 7925, and includes, Artisan Biomed being an Affiliate of CPGR;

1.8             "GDPR" means the General Data Protection Regulation (EU) 2016/679;

1.9             "Operator" means a person or entity who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party, and "Processor" shall have a corresponding meaning;

1.10           "Personal Information" means information relating to any identified or identifiable Data Subject, including but not limited to (i) views or opinions of another individual about the Data Subject; and (ii) information relating to such Data Subject's –

1.10.1             race, sex, gender, sexual orientation, pregnancy, marital status, nationality, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, conscience, belief, cultural affiliation, language and birth;

1.10.2             education, medical, financial, criminal or employment history;

1.10.3             names, identity number and/or any other personal identifier, including any number(s), which may uniquely identify a Data Subject, account or client number, password, pin code, customer or Data Subject code or number, numeric, alpha, or alpha-numeric design or configuration of any nature, symbol, email address, domain name or IP address, physical address, cellular phone number, telephone number or other particular assignment;

1.10.4             blood type, fingerprint or any other biometric or genetic information;

1.10.5             personal opinions, views or preferences;

1.10.6             correspondence that is implicitly or expressly of a personal, private or confidential nature (or further correspondence that would reveal the contents of the original correspondence); and

1.10.7             corporate structure, composition and business operations (in circumstances where the Data Subject is a juristic person) irrespective of whether such information is in the public domain or not;

1.11           "Policy" means this data protection and privacy policy of CPGR;

1.12           "POPIA" means the Protection of Personal Information Act, No 4 of 2013;

1.13           "Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including –

1.13.1             the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

1.13.2             dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or

1.13.3             merging, linking, blocking, degradation, erasure or destruction.  For the purposes of this definition, "Process" has a corresponding meaning;

1.14           "Purpose" means the purpose as set out in clause 4.2 below;

1.15           "Regulator" means the Information Regulator established in terms of POPIA and/or the Data Protection Authorities in terms of the GDPR (as the case may be), the further details of whom are set out in clause 16;

1.16           "Responsible Party" means a public or private body or any other person which alone or in conjunction with others, determines the purpose of and means for Processing Personal Information, and a "Controller" shall have a corresponding meaning;

1.17           "Special Personal Information" means Personal Information concerning a Data Subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information or criminal behaviour;

1.18           "Third-Party" means independent contractor, agent, consultant, sub-contractor or other representative of CPGR; and

1.19           "Website" means the webpage available at: https://behappytobeyou.co.za.

2           introduction and use of this website

2.1             Data protection and privacy is a high priority for the management of CPGR. CPGR also aims to promote transparency and to give you more control over the way in which your Personal Information is Processed.

2.2             This Policy regulates the use and protection of Personal Information and Special Personal Information that CPGR Processes.

2.3             CPGR acknowledges the need to ensure that Personal Information is handled with care and is committed to ensuring that it complies with the requirements of POPIA and the GDPR for the Processing of Personal Information, and in particular, Special Personal Information.

2.4             This Website is owned and operated by the CPGR. The use of this Website is possible without any indication of Personal Information, however if a you want to use CPGR's services via our Website, then it may be necessary that we Process your Personal Information.

2.5             CPGR reserves the right, at our discretion, to modify or remove portions of this Policy at any time, but we shall communicate such changes to you in writing. This Policy is in addition to any other terms and conditions applicable to the Website. We do not make any representations about third party websites that may be linked to the Website. CPGR does not control third party websites and we are not responsible for their privacy statements. Please consult such third parties' own privacy statements.

3           application

3.1             CPGR in its capacity as Responsible Party and/or Operator, shall strive to observe, and comply with, its obligations under the POPIA and the GDPR as well as internationally accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

3.2             This Policy applies to Personal Information collected by CPGR in connection with the services offered. This includes information collected offline through our consumer call centres, direct marketing campaigns, sweepstakes and competitions, and online through our websites, branded pages on Third-Party platforms and applications accessed or used through such websites or Third-Party platforms which are operated by or on behalf of CPGR. This Policy is hereby incorporated into and forms part of the CPGR's terms and conditions of use. This Policy does not apply to the information practices of Third Party companies (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that CPGR does not manage or employ. These Third-Party sites may have their own privacy policies and terms and conditions and we encourage you to read them before using those Third-Party sites.

4           Collection & use of personal information

4.1             Process of collecting Personal Information

4.1.1                We need to make you aware of the fact that we are Processing your Personal Information and inform you of the specific purpose for which we will be Processing such Personal Information.

4.1.2                CPGR will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects your privacy and will Process your Personal Information based on legitimate grounds in a manner that does not adversely affect you.

4.1.3                CPGR often collects Personal Information directly from you and/or from Third-Parties, and where CPGR obtains Personal Information from Third-Parties, CPGR will ensure that it obtains your consent to do so or will only Process the Personal Information without your consent where CPGR is permitted to do so in terms of the Applicable Laws.

4.1.4                An example of such Third Parties include other CPGR entities; our clients when CPGR handles Personal Information on their behalf; regulatory bodies; credit reference agencies; other companies providing services to CPGR and where CPGR makes use of publicly available sources of information.

4.2             Purpose

4.2.1                We will not use your Personal Information for any purpose other than the disclosed Purpose without your consent, unless CPGR is permitted or required to do so by Applicable Law.

4.2.2                Personal information about visitors to our site is collected only when knowingly and voluntarily submitted.

4.2.3                When you register with us, we may need to collect information, including Personal Information, to provide you with further services or to answer or forward any requests or enquiries about our services.

4.2.4                CPGR may use Personal Information for the following purposes –                  for the purposes of receiving further information about the B🙂2BU services;                  to provide you with service assistance and problem solutions or to contact you or send your notifications related specifically to the services we offer you;                  to contact you from time to time, where specific consent has been given to follow-up contacts by CPGR or to be put on CPGR mailing list;                  for such other purposes to which the Data Subject may consent from time to time;                  to use data analytics to improve our Website, products and services and other user experiences; and                  for such other purposes authorised in terms of applicable law.

5           How we collect Personal Information from you

5.1             Directly from you

We gather your Personal Information directly from you.

5.2             IP Addresses

Our web servers gather your IP address to assist with the diagnosis of problems or support issues with our services. Again, information is gathered in aggregate only and cannot be traced to an individual user.

5.3             Cookies and Applets

5.3.1                CPGR uses cookies and similar techniques when you access our Website. We use cookies to provide you with a better experience. These cookies and allow us to increase your security by storing your session ID and are a way of monitoring single user access. This aggregate, non-personal information is collated and provided to us to assist in analysing the usage of the site.

5.3.2                What are cookies?                  A cookie is small text file containing a string of alphanumeric characters (numbers and letters). These are sent from CPGR or our partners web servers and end up stored on your browser or on your device.                  We use different types of cookies –                     Session cookies: These are temporary cookies that disappear when you close your browser;                     Permanent or Persistent cookies: These are cookies that remain on your browser after you close your browser which can be removed manually. These may be used by your browser on subsequent visits to the Website until you delete them, or they expire;                     Pre-Cookies: These are cookies set by the Website you visit;                     Third-party: These are cookies set by a third-party website;

5.4             Links to other sites

We may provide links to Websites outside of our websites, as well as to third party Websites. These linked sites are not under our control, and we cannot accept responsibility for the conduct of companies linked to our website. Before disclosing your personal information on any other website, we advise you to examine the terms and conditions of using that Website and its privacy statement.

5.5             Type of Personal Information we Process

5.5.1                Registration is completely optional and takes place electronically. When you register with us, we will collect the following information from you –                  your full name;                  your email address;                  your address;                  your telephone numbers;                  your ethnicity;                  your age; and                  your home language.

5.6             It is very important that any Personal Information which CPGR holds about you is up to date and correct. Please keep us informed if your Personal Information changes during your relationship with us. You can do this by contacting our Data Protection Officer whose further information is set out in clause 14 below.

6           lawful basis for processing

6.1             In terms of POPIA and the GDPR, where CPGR is the Responsible Party, it can only Process a Data Subject's Personal Information where 

6.1.1                consent of the Data Subject (or a competent person where the Data Subject is a Child) is obtained;

6.1.2                Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;

6.1.3                Processing complies with an obligation imposed by law on CPGR;

6.1.4                Processing protects a legitimate interest of the Data Subject;

6.1.5                Processing is necessary for pursuing the legitimate interests of CPGR or of a third party to whom the information is supplied

6.2             CPGR will only Process Personal Information where one of the legal basis referred to in paragraph 6.1 above are present.

6.3             Where required (i.e. where we are not relying on a legal ground listed in paragraphs 6.1.2 to 6.1.5 above), CPGR will obtain the Data Subject's consent prior to collecting, and in any case prior to using or disclosing, the Personal Information for any purpose.

6.4             CPGR will make the manner and reason for which the Personal Information will be Processed clear to the Data Subject.

6.5             Where CPGR is relying on a Data Subject's consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to CPGR's Processing of the Personal Information at any time. This will not affect the lawfulness of any Processing done prior to the withdrawal of consent or any Processing justified by a legal ground set out in paragraphs 6.1.2 to 6.1.5 above.

6.6             If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, CPGR will ensure that the Personal Information is no longer Processed.

7           right to withdraw your consent

7.1             You have the right to withdraw your consent to Processing of your Personal Information at any time. If you withdraw your consent then we will not be able to provide the B🙂2BU services to you.

7.2             If you wish to exercise the right to withdraw the consent, you may at any time directly contact the Data Protection Officer of CPGR whose further information is set out in clause 14 below.

8           erasure and right to be forgotten

8.1             We shall only Process your Personal Information for the period necessary to achieve the Purpose, or as far as is permitted by any laws or regulations which CPGR is subject to.

8.2             If the storage is not applicable, or is the storage period prescribed by law expires, your Personal Information will be erased and accordance with the applicable legal requirements.

9           direct marketing

9.1             CPGR acknowledges that it may only use Personal Information to contact you for purposes of direct marketing from time to time where it is permissible to do so.

9.2             CPGR may use Personal Information to contact any you and/or market CPGR's services directly to you if you are one of our existing clients, you have requested to receive marketing material from CPGR or we have the your consent to market its services directly to you. 

9.3             If the Data Subject is an existing client, CPGR will only use his/her/its Personal Information if it had obtained the Personal Information through the provision of a service to the Data Subject and only in relation to similar services to the ones CPGR's previously provided to the Data Subject.

9.4             CPGR will ensure that a reasonable opportunity is given to the Data Subject to object to the use of their Personal Information for CPGR's marketing purposes when collecting the Personal Information and on the occasion of each communication to the Data Subject for purposes of direct marketing.

9.5             CPGR will not use your Personal Information to send you marketing materials if you have requested not to receive them. If you request that we stop Processing your Personal Information for marketing purposes, CPGR shall do so. We encourage that such requests to opt-out of marketing be made via forms and links provided for that purpose in the marketing materials sent to you.    

10        Security

10.1           We strive to ensure the security, integrity and privacy of your Personal Information submitted to our Website, and we review and update our security measures in light of current technologies. Unfortunately, no data transmission over the internet can be guaranteed to be totally secure.

10.2           However, we will endeavour to take all reasonable steps to protect your Personal Information you may transmit to us or from our online products and services. Once we do receive your transmission, we will also make our best efforts to ensure its security on our systems.

10.3           In addition, our employees, the contractors and any Third Parties who provide services related to our information systems are obliged to respect the confidentiality of any Personal Information held by us. However, we will not be held responsible for events arising from unauthorised access to your Personal Information.

11        special personal information and minors

11.1           Special Personal Information is sensitive Personal Information of a Data Subject. 

11.2           CPGR acknowledges that it is not allowed to Process Special Personal Information unless–

11.2.1             Processing is carried out in accordance with the Data Subject's express consent;

11.2.2             Processing is necessary for the establishment, exercise or defence of a right or obligation in law;

11.2.3             Processing is necessary to comply with an obligation of international public law;

11.2.4             Processing is for historical, statistical or research purposes, subject to stipulated safeguards;

11.2.5             information has deliberately been made public by the Data Subject; or

11.2.6             specific authorisation has been obtained in terms of POPIA or the GDPR (where applicable).

11.3           CPGR acknowledges that it may not Process any Personal Information concerning a Child and will only do so where it has obtained the consent of the parent or guardian of that Child or where it is permitted to do so in accordance with Applicable Laws. CPGR's services are not intended or design to attract Children.

11.4           If we learn that we have collected the Personal Information of a Child without first receiving verifiable parental or guardian consent, we will take steps to delete the Personal Information as soon as possible.

11.5           We encourage parents and guardians to stay informed about the internet activities of their Children, in order to ensure that no Personal Information is collected from a Child without parental or guardian consent.

12        storage of personal information

12.1           Copies of correspondence sent from the Website, that may contain your Personal Information, are stored as archives for record-keeping and back-up purposes only.

12.2           We do not keep Personal Information for longer than is necessary to achieve the Purpose.

12.3           CPGR will keep the Personal Information that it Processes on behalf of Data Subjects at its offices at St. Peters Square, Upper Level, Corner Anzio and Main Road, Observatory, Western Cape, 7925, or in a secure cloud facility.

12.4           CPGR's Third-Party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject's Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

12.5           CPGR will ensure that such Third-Party service providers will process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and the Act.

12.6           CPGR may store your Personal Information using CPGR's own secure on-site servers or other internally hosted technology. Your personal data may also be stored by Third Parties, via cloud services or other technology, to whom CPGR has contracted with, to support CPGR's business operations.

12.7           These Third Parties do not use or have access to your Personal Information other than for cloud storage and retrieval, and CPGR requires such parties to employ at least the same level of security that CPGR uses to protect your personal data.

12.8           Your Personal Information may be stored and processed in South Africa or another country where CPGR, its affiliates and their service providers maintain servers and facilities and CPGR will take steps, including by way of contracts, to ensure that it continues to be protected regardless of its location in a manner consistent with the standards of protection required under applicable law.

13        automated decision-making

We do not make use of automated decision-making or profiling.

14        your data subject rights

14.1           We ensure that you may exercise your rights in accordance with applicable law.

14.2           For example, your rights as a data subject under the GDPR include –

14.2.1             the right of confirmation: you have the right to obtain confirmation from us as to whether or not your Personal Information is being Processed.

14.2.2             the right to information and access to Personal Information (access rights): you have the right to access your Personal Information in many circumstances;

14.2.3             the right to rectification: you can ask us to have inaccurate Personal Information fixed (changed);

14.2.4             the right to erasure: you can ask us to delete or erase Personal Information in certain circumstances (such as in accordance with Applicable Laws);

14.2.5             the right to withdraw consent: you can withdraw any consent to processing that you have given us and prevent further processing if there is no other legitimate ground upon which we can process your Personal Information;

14.2.6             the right to the restriction of processing: you can require certain Personal Information to be marked as restricted for processing in certain circumstances;

14.2.7             the right to data portability: you can ask us to transmit the Personal Information that you have provided to us to a third party;

14.2.8             the right to object to automated decision making, including profiling; and

14.2.9             the right to raise a complaint: you can raise a complaint about our processing with the data protection regulator or applicable authority in your country. Please refer to clause 16 in this regard.

14.3           If you wish to exercise any of your rights or learn more about your rights in the European Union, please contact our Data Protection Officer.

15        data protection officer

15.1           In terms of the GDPR, we are obliged to have a dedicated data protection officer.

15.2           At CPGR, the Data Protection Officer is –

Name: Ignus Crous

Address: St. Peters Square, Upper Level, Corner Anzio and Main Road, Observatory, Western Cape, 7925

Phone number: +27214475669

Email: info@behappytobeyou.co.za

Website: https://behappytobeyou.co.za

15.3           The primary role of the Data Protection Officer is to ensure that CPGR Processes Personal Data in compliance with this Policy.

15.4           You may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.

16        complaints

16.1           If a Data Subject is unsatisfied with the manner in which CPGR addresses any complaint with regard to CPGR's Processing of Personal Information, the Data Subject can contact the office of the Regulator, the details of which are set out below –

16.1.1             In the Republic of South Africa

The Information Regulator

Address: SALU Building, 316 Thabo Sehume Street, Pretoria, South Africa

Website: http://justice.gov.za/inforeg/

Tel: 012 406 4818

Fax: 086 500 3351

Email:  inforeg@justice.gov.za

16.1.2             In the European Union

Please contact the relevant Data Protection Authority.

Please find a list here: https://edpb.europa.eu/about-edpb/board/members_en