PART A: PROTECTION OF PERSONAL INFORMATION IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
INTRODUCTION
SURGI CLIN is a company that provides medical equipment and related services and, in doing so, processes personal information as a responsible party in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
POPIA requires SURGI CLIN to process personal information lawfully and in a reasonable manner that does not infringe the privacy of data subjects, to process information only for a specific, explicitly defined and lawful purpose, and to inform data subjects of the manner in which their personal information is collected, used, retained, shared, secured, and, where appropriate, destroyed.
SURGI CLIN guarantees its commitment to protect its client’s privacy and ensuring that their personal information is used appropriately, transparently, securely, and in accordance with applicable laws.
This Policy explains how SURGI CLIN processes personal information, the purposes for which such information is processed, the safeguards applied to it, the rights of data subjects, and the retention and destruction standards applicable to records and documents. The Policy must be made available to data subjects on request and, where applicable, through SURGI CLIN’s usual communication channels and compliance documentation.
PERSONAL INFORMATION COLLECTED
Section 9 of POPI states that “Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
SURGI CLIN collects and processes personal information only to the extent that it is adequate, relevant and not excessive for the purpose for which it is processed. The categories of information collected will depend on the nature of the relationship, the products or services requested, legal or regulatory obligations, and the operational needs of the business. Where required by POPIA, SURGI CLIN will notify the data subject what information is mandatory, what is voluntary, and the consequences of failing to provide the information.
Examples of personal information we collect include, but is not limited to:
- The Client’s Identity number, name, surname, address, postal code, marital status, and number of dependants;
- Description of the client’s residence, business, assets; financial information, banking details, etc-.
- Client registration number, employee details, telephone numbers, vehicle registration number.
- Any other personal information that is needed for Surgi Clin to complete a client’s mandate.
SURGI CLIN may process personal information for marketing purposes only where this is permitted by POPIA. Direct marketing by unsolicited electronic communications will only take place where the data subject has given the required consent or where another lawful basis expressly permitted by section 69 of POPIA applies, and every such communication must contain a functioning opt-out mechanism.
SURGI CLIN aims to have agreements in place with all product suppliers, insurers, and third-party service providers to ensure a mutual understanding with regard to the protection of the client’s personal information. SURGI CLIN suppliers will be subject to the same regulations as applicable to SURGI CLIN.
SURGI CLIN may, where lawful and necessary, verify or supplement information supplied by a data subject with information received from service providers, counterparties, regulators, public records, or other lawful sources in order to maintain accurate records, assess risk, perform contractual obligations, prevent fraud, comply with law, or improve service delivery.
To the extent that SURGI CLIN processes special personal information, including health information, such processing will only take place where it is authorised by POPIA, required for the establishment, exercise or defence of a right or obligation in law, necessary for medical purposes or healthcare administration, required by law, or otherwise lawfully permitted.
For purposes of this Policy, clients include potential and existing clients.
THE USAGE OF PERSONAL INFORMATION
The Client’s Personal Information will only be used for the purpose for which it was collected and as agreed.
This may include:
- Providing products or services to clients
- Conducting credit reference searches or- verification;
- Confirming, verifying, and updating client details;
- Conducting market or customer satisfaction research;
- For audit and record-keeping purposes;
- In connection with legal proceedings;
- Providing SURGI CLIN services to clients, to render the services requested, and to maintain and constantly improve the relationship;
- Providing communication in respect of SURGI CLIN and regulatory matters that may affect clients; and
- In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.
Personal information may be processed only where a lawful basis in section 11 of POPIA applies. Depending on the circumstances, SURGI CLIN may process personal information because the data subject has consented, the processing is necessary to conclude or perform a contract, the processing complies with an obligation imposed by law, the processing protects a legitimate interest of the data subject, the processing is necessary for the proper performance of a public law duty by a public body, or the processing is necessary for pursuing the legitimate interests of SURGI CLIN or of a third party to whom the information is supplied.
DISCLOSURE OF PERSONAL INFORMATION
- SURGI CLIN may disclose a client’s personal information to any of the SURGI CLIN companies or subsidiaries, joint venture companies, and or approved product- or third-party service providers whose services or products clients elect to use. SURGI CLIN has agreements in place to ensure that compliance with confidentiality and privacy conditions.
- SURGI CLIN may also share client personal information with and obtain information about clients from third parties for the reasons already discussed above.
- SURGI CLIN may also disclose a client’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary in order to protect SURGI CLIN rights.
SURGI CLIN recognises that the disclosure or publication of personal information without a lawful basis may infringe POPIA and the constitutional right to privacy. Personal information may therefore not be shared internally or externally unless there is a clear lawful justification, and only the minimum information reasonably necessary for the purpose may be disclosed.
SAFEGUARDING CLIENT INFORMATION
It is a requirement of POPI to adequately protect personal information. SURGI CLIN will continuously review its security controls and processes to ensure that personal information is secure.
The following procedures are in place in order to protect personal information:
LAWFUL BASIS FOR PROCESSING will be established by SURGI CLIN on a case-by-case basis in accordance with POPIA. Where consent is relied upon, it will be obtained in a form and manner appropriate to the processing activity. Where consent is not the lawful basis, SURGI CLIN will rely on another lawful ground recognised by POPIA.
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, SURGI CLIN will investigate the incident and, where required by section 22 of POPIA, notify the Information Regulator and affected data subjects as soon as reasonably possible, including sufficient information to enable protective steps to be taken.
ACCESS AND CORRECTION OF PERSONAL INFORMATION
Data subjects have the right, subject to POPIA and any other applicable law, to request access to personal information held by SURGI CLIN, to request the correction, deletion or destruction of personal information or a record thereof where appropriate, and to object to processing on lawful grounds. SURGI CLIN must provide accessible procedures to enable these requests to be made free of charge and must communicate the outcome in writing within 30 days, or within such extended period as may be permitted by law. SURGI CLIN will take reasonable steps to verify identity before giving access to or amending personal information.
Requests and objections may be submitted using the prescribed POPIA forms where applicable, or through other reasonable and accessible channels made available by SURGI CLIN, including email and such further communication channels as may reasonably be convenient to data subjects in terms of the amended POPIA Regulations.
The details of SURGI CLIN’s Information Officer are set out below. The Information Officer must be duly designated and, where required, registered with the Information Regulator, and is responsible for encouraging compliance with POPIA, maintaining the compliance framework, supporting data subject requests, and liaising with the Information Regulator.
| Information Officer | : Wynand Albert Eksteen |
| Telephone Number | : 012 807 4587 |
| : chantelle@surgiclin.co.za |
Head Office Details
| Telephone | : 012 807 4587 |
| : chantelle@surgiclin.co.za | |
| Physical | : Scientia Technopark, Unit 6, Meiring Naude Road, Pretoria |
| Website | : www.surgiclin.co.za |
CROSS-TERRITORY TRANSFER OF INFORMATION
SURGI CLIN may transfer personal information outside the Republic of South Africa only where such transfer is lawful in terms of section 72 of POPIA, including where the recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection, the data subject consents to the transfer, the transfer is necessary for the performance or conclusion of a contract, or the transfer otherwise falls within a recognised exception in POPIA.
AMENDMENTS TO THIS POLICY
Amendments to, or a review of this Policy, will take place on an ad hoc basis or at least once a year. Clients are advised to access SURGI CLIN’s website periodically to keep abreast of any changes. Where material changes take place, clients will be notified directly or changes will be stipulated on the SURGI CLIN website.
If SURGI CLIN searches for a record and it is believed that the record either does not exist or cannot be found, the requester will be notified by way of an affidavit or affirmation. This will include the steps that were taken in the attempt to locate the record.
PART B: POLICY ON THE RETENTION & CONFIDENTIALITY OF DOCUMENTS, INFORMATION AND ELECTRONIC TRANSACTIONS
- These are dealt with in terms of PAIA, which gives effect to the constitutional right of access to information held by the State or any person (natural and juristic) that is required for the exercise or protection of rights. Private bodies, like the Company, must however refuse access to records if disclosure would constitute an action for breach of the duty of secrecy owed to a third party.
- In terms hereof, requests must be made in writing on the prescribed form to the Deputy Information Officer. The requesting party has to state the reason for wanting the information and has to pay a prescribed fee.
- The Company’s manual in terms of PAIA, which contains the prescribed forms and details of prescribed fees, is available on the intranet and the SURGI CLIN website www.surgiclin.co.za
Companies Act, No 71 of 2008
With regard to the Companies Act, No 71 of 2008 and the Companies Amendment Act No 3 of 2011, hard copies of the documents mentioned below must be retained for 7 years:
- Any documents, accounts, books, writing, records, or other information that a company is required to keep in terms of the Act;
- Notice and minutes of all shareholders meeting, including resolutions, adopted and documents made available to holders of securities;
- Copies of reports presented at the annual general meeting of the company;
- Copies of annual financial statements required by the Act;
- Copies of accounting records as required by the Act;- Record of directors and past directors, after the director has retired from the company;
- Written communication to holders of securities and
- Minutes and resolutions of directors’ meetings, audit committee, and directors’ committees.
Copies of the documents mentioned below must be retained indefinitely:
- Registration certificate ;
- Memorandum of Incorporation and alterations and amendments;
- Rules;
- Securities register and uncertified securities register;
- Register of company secretary and auditors and
- Regulated companies (companies to which chapter 5, part B, C, and Takeover Regulations apply) – Register of disclosure of person who holds beneficial interest equal to or in excess of 5% of the securities of that class issued.
Consumer Protection Act, No 68 of 2008
The Consumer Protection Act seeks to promote a fair, accessible, and sustainable marketplace and therefore requires a retention period of 3 years for information provided to a consumer by an intermediary such as:
- Full names, physical address, postal address, and contact details;
- ID number and registration number;
- Contact details of public officer in case of a juristic person;
- Service rendered;
- Intermediary fee;
- Cost to be recovered from the consumer;
- Frequency of accounting to the consumer;
- Amounts, sums, values, charges, fees, remuneration specified in monetary terms;
- Disclosure in writing of a conflict of interest by the intermediary in relevance to goods or service to be provided;
- Record of advice furnished to the consumer reflecting the basis on which the advice was given;
- Written instruction sent by the intermediary to the consumer;- Conducting a promotional competition refer to Section 36(11)(b) and Regulation 11 of Promotional Competitions;
- Documents Section 45 and Regulation 31 for Auctions.
National Credit Act, No 34 of 2005
The National Credit Act aims to promote a fair and transparent credit industry which requires the retention of certain documents for a specified period.
Retention for 3 years from the earliest of the dates of which the registrant created, signed, or received the document or from the date of termination of the agreement or in the case of an application for credit that is refused or not granted for any reason, from the date of receipt of the application which applies to the documents mentioned below:
Regulation 55(1)(b):
- Records of registered activities such as an application for credit declined;
- Reason for the decline of the application for credit;
- Pre-agreement statements and quotes;
- Documentation in support of steps taken in terms of section 81(2) of the Act;
- Record of payments made;
- Documentation in support of steps taken after default by the consumer.
Regulation 55(1)(c) in respect of operations:
- Record of income, expenses, and cash flow;
- Credit transaction flows;
- Management accounts and financial statements.
Regulation 55(1)(d) with regard to the Credit Bureau:
- All documents relating to disputes, inclusive of but not limited to, documents from the consumer;
- Documents from the entity responsible for disputed information;
- Documents pertaining to the investigation of the dispute;
- Correspondence addressed to and received from sources of information as set out in section 70(2) of the Act and Regulation 18(7) pertaining to the issues of the disputed information.
Regulation 55(1)(a) with regard to Debt Counsellors:
- Application for debt review;
- Copies of all documents submitted by the consumer;
- Copy of rejection letter;
- Debt restructuring proposal;
- Copy of any order made by the tribunal and/or the court and a copy of the clearance certificate.
Regulation 56 with regard to section 170 of the Act:
- Application for credit;
- Credit agreement entered into with the consumer.
Regulation 17(1) with regard to Credit Bureau information:
Documents with a required retention period of the earlier of 10 years or a rehabilitation order being granted:
- Sequestrations
- Administration orders.
Documents with a required retention period of 5 years:
- Rehabilitation orders
- Payment profile.
Documents with a required retention period of the earlier of 5 years or until judgment is rescinded by a court or abandoned by the credit provider in terms of section 86 of the Magistrate’s Court Act No 32 of 1944:
- Civil Court Judgments
Documents with a required retention period of 2 years:
- Enquiries.
Documents with a required retention period of 1.5 years:
- Details and results of disputes lodged by the consumers.
Documents with a required retention period of 1 year:
- Adverse information.
Documents with an unlimited required retention period:
- Liquidation.
Documents required to be retained until a clearance certificate is issued:
- Debt restructuring.
Financial Advisory and Intermediary Services Act, No 37 of 2002:
Section 18 of the Act requires a retention period of 5 years, except to the extent that it is exempted by the registrar for the below mentioned documents:
- Known premature cancellations of transactions or financial products of the provider by clients;
- Complaints received together with an indication whether or not any such complaint has been resolved;
- The continued compliance with this Act and the reasons for such noncompliance;
- And the continued compliance by representatives with the requirements referred to in section 13(1) and (2).
The General Code of Conduct for Authorized Financial Services Provider and Representatives requires a retention period of 5 years for the below mentioned documents:
- Proper procedures to record verbal and written communications relating to a financial service rendered to a client as are contemplated in the Act, this Code, or any other Code drafted in terms of section 15 of the Act;
- Store and retrieve such records and any other material documentation relating to the client or financial services rendered to the client;
- And keep such client records and documentation safe from destruction;
- All such records must be kept for a period after termination to the knowledge of the provider of the product concerned or in any other case after the rendering of the financial service concerned.
Financial Intelligence Centre Act, No 38 of 2001:
Section 22 and 23 of the Act require a retention period of 5 years for the documents and records of the activities mentioned below:
- Whenever an accountable transaction is concluded with a client, the institution must keep a record of the identity of the client;
- If the client is acting on behalf of another person, the identity of the person on whose behalf the client is acting and the client’s authority to act on behalf of that other person;- If another person is acting on behalf of the client, the identity of that person and that other person’s authority to act on behalf of the client;
- The manner in which the identity of the persons referred to above was established;
- The nature of that business relationship or transaction;
- In the case of a transaction, the amount involved and the parties to that transaction;
- All accounts that are involved in the transactions concluded by that accountable institution in the course of that business relationship and that single transaction;
- The name of the person who obtained the identity of the person transacting on behalf of the accountable institution;
- Any document or copy of a document obtained by the accountable institution.
These documents may also be kept in electronic format.
Compensation for Occupational Injuries and Diseases Act, No 130 of 1993:
Section 81(1) and (2) of the Compensation for Occupational Injuries and Diseases Act requires a retention period of 4 years for the documents mentioned below:
- Register, record, or reproduction of the earnings, time worked, payment for piece work and overtime, and other prescribed particulars of all the employees.
Section 20(2) documents with a required retention period of 3 years:
- Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees and of any report made to an inspector in terms of the recommendation;
- Records of incidents reported at work.
Asbestos Regulations, 2001, regulation 16(1) requires a retention period of minimum of 40 years for the documents mentioned below:
- Records of assessment and air monitoring, and the asbestos inventory;
- Medical surveillance records;
Hazardous Biological Agents Regulations, 2001, Regulations 9(1) and (2):
- Records of risk assessments and air monitoring;
- Medical surveillance records.
Lead Regulations, 2001, Regulation 10:
- Records of assessments and air monitoring;- Medical surveillance records.
Noise-induced Hearing Loss Regulations, 2003, Regulation 11:
- All records of assessment and noise monitoring;
- All medical surveillance records, including the baseline audiogram of every employee.
Hazardous Chemical Substance Regulations, 1995, Regulation 9 requires a retention period of 30 years for the documents mentioned below:
- Records of assessments and air monitoring;
- Medical surveillance records.
Basic Conditions of Employment Act, No 75 of 1997:
The Basic Conditions of Employment Act requires a retention period of 3 years for the documents mentioned below:
Section 29(4):
- Written particulars of an employee after termination of employment;
Section 31:
- Employee’s name and occupation;
- Time worked by each employee;
- Remuneration paid to each employee;
- Date of birth of any employee under the age of 18 years.
Employment Equity Act, No 55 of 1998:
Section 26 and the General Administrative Regulations, 2009, Regulation 3(2) requires a retention period of 3 years for the documents mentioned below:
- Records in respect of the company’s workforce, employment equity plan, and other records relevant to compliance with the Act;
Section 21 and Regulations 4(10) and (11) require a retention period of 3 years for the report which is sent to the Director General as indicated in the Act.
Labour Relations Act, No 66 of 1995:
Sections 53(4), 98(4), and 99 require a retention period of 3 years for the documents mentioned below:
- The Bargaining Council must retain books of account, supporting vouchers, income and expenditure statements, balance sheets, auditor’s reports, and minutes of the meetings;
- Registered Trade Unions and registered employer’s organizations must retain books of account, supporting vouchers, records of subscriptions or levies paid by its members, income and expenditure statements, balance sheets, auditor’s reports, and minutes of the meetings;
- Registered Trade Unions and employer’s organizations must retain the ballot papers;
- Records to be retained by the employer are the collective agreements and arbitration awards.
Sections 99, 205(3), Schedule 8 of Section 5, and Schedule 3 of Section 8(a) require an indefinite retention period for the documents mentioned below:
- Registered Trade Unions and registered employer’s organizations must retain a list of their members;
- An employer must retain prescribed details of any strike, lock-out, or protest action Involving its employees;
- Records of each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer, and the reasons for the actions;
- The Commission must retain books of accounts, records of income and expenditure, assets, and liabilities.
Unemployment Insurance Act, No 63 of 2002:
The Unemployment Insurance Act, applies to all employees and employers except:
- Workers working less than 24 hours per month;
- Learners;
- Public servants;
- Foreigners working on a contract basis;
- Workers who get a monthly State (old age) pension;
- Workers who only earn a commission.
Section 56(2)(c) requires a retention period of 5 years, from the date of submission, for the documents mentioned below:- Employers must retain personal records of each of their current employees in terms of their names, identification number, monthly remuneration, and address where the employee is employed.
Tax Administration Act, No 28 of 2011:
Section 29 of the Tax Administration Act, states that records of documents must be retained to:
- Enable a person to observe the requirements of the Act;
- Are specifically required under a Tax Act by the Commissioner by the public notice;
- Will enable SARS to be satisfied that the person has observed these requirements.
Section 29(3)(a) requires a retention period of 5 years, from the date of submission for taxpayers that have submitted a return and an indefinite retention period until the return is submitted, then a 5-year period applies for taxpayers who were meant to submit a return, but have not
Section 29(3)(b) requires a retention period of 5 years from the end of the relevant tax period for taxpayers who were not required to submit a return, but had capital gains/losses or engaged in any other activity that is subject to tax or would be subject to tax but for the application of a threshold or exemption.
Section 32(a) and (b) require a retention period of 5 years but records must be retained until the audit is concluded or the assessment or decision becomes final, for documents indicating that a person has been notified or is aware that the records are subject to an audit or investigation and the person who has lodged an objection or appeal against an assessment or decision under the TAA.
Income Tax Act, No 58 of 1962:
Schedule 4, paragraph 14(1)(a)-(d) of the Income Tax Act requires a retention period of 5 years from the date of submission for documents pertaining to each employee that the employer shall keep:
- Amount of remuneration paid or due by him to the employee;
- The amount of employees’ tax deducted or withheld from the remuneration paid or due;- The income tax reference number of that employee;
- Any further prescribed information;
- Employer Reconciliation return.
Schedule 6, paragraph 14(a)-(d) requires a retention period of 5 years from the date of submission or 5 years from the end of the relevant tax year, depending on the type of transaction for documents pertaining to:
- Amounts received by that registered micro business during a year of assessment;
- Dividends declared by that registered micro business during a year of assessment;
- Each asset as at the end of a year of assessment with cost price of more than R 10 000;
- Each liability as at the end of a year of assessment that exceeded R 10 000.
Value Added Tax Act, No 89 of 1991:
Section 15(9), 16(2), and 55(1)(a) of the Value Added Tax Act and Interpretation Note 31, 30 March requires a retention period of 5 years from the date of submission of the return for the documents mentioned below:
- Where a vendor’s basis of accounting is changed the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditors at the end of the tax period immediately preceding the changeover period;
- Importation of goods, bill of entry, other documents prescribed by the Custom and Excise Act, and proof that the VAT charge has been paid to SARS;
- Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists, and paid cheques;
- Documentary proof substantiating the zero-rating of supplies;
- Where a tax invoice, credit or debit note, has been issued in relation to a supply by an agent or a bill of entry as described in the Customs and Excise Act, the agent shall maintain sufficient records to enable the name, address and VAT registration number of the principal to be ascertained.
This policy should be read together with POPIA, the Regulations Relating to the Protection of Personal Information as amended in 2025, relevant guidance notes issued by the Information Regulator (including guidance on direct marketing), PAIA where access requests are involved, and applicable South African case law dealing with privacy, disclosure, and the lawful processing of personal information.

