INSTITUTE OF ORTHOPAEDICS AND RHEUMATOLOGY
PRIVACY NOTICE
PRIVACY NOTICE TO USERS OF THIS WEBSITE
1. INTRODUCTION
The Institute of Orthopaedics and Rheumatology (“IOR”) is committed to ensuring the privacy of personal information of visitors to our website. This Privacy Notice (“this notice”) explains how we use or process your personal data (“personal information”) that we collect through your use of this website or information provided by you through this website.
Any references to “we”, “us” or “our” in this notice shall be to IOR; and references to “user”, “you” or “your” in this notice shall be to any user of this website.
2. OUR DETAILS
The data controller in respect of this website is the Institute of Orthopaedics and Rheumatology (Pty) Ltd, a private company registered in the Republic of South Africa with its registered address at Cnr Rokewood & Saffraan Avenue, Stellenbosch, 7600, South Africa.
3. THIRD-PARTY LINKS
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
4. WHAT PERSONAL INFORMATION WE COLLECT ABOUT YOU
Personal data or personal information means any information relating to a natural person which identifies the person or enables the identification of that person.
We collect information about you when you complete our online information request forms.
We may collect, use, store and transfer different kinds of personal data about you including your first name, last name, title, gender, occupation, address, e-mail address, telephone numbers, feedback and survey responses, selected communication preferences, which you provide voluntarily.
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal information, but is not considered personal information in law as this information does not, directly or indirectly, reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal information so that it can, directly or indirectly, identify you, we treat the combined data as personal information which will be used in accordance with this notice.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. This website is not intended for children and we do not knowingly collect data relating to children.
5. HOW WE COLLECT YOUR PERSONAL INFORMATION
We use different methods to collect personal information from and about you, including through:
- Direct interactions: You may provide certain personal information (such as your name, address, telephone and e-mail address) by filling in forms or by corresponding with us by post, phone, e-mail or otherwise. This includes personal data you provide when you register for e-mail alerts on this website; request information to be sent to you; complete and submit a survey; or provide feedback to us.
- Automated technologies or interactions: As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. Through analytics, we use anonymised aggregated data such as statistical or demographic data.
- Third parties: We may receive personal data about you or aggregated technical data from external services providers contracted by IOR to host or maintain certain sections of this website.
6. PURPOSES FOR WHICH WE USE YOUR PERSONAL INFORMATION
As summarised below, we only use your personal information to pursue our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests; to comply with a legal obligation; for any other purpose that you have agreed with us; or otherwise permitted by law.
Purpose | Lawful basis for processing |
To communicate with you in accordance with your selected preference, such as registering you for alerts; communicating alerts, surveys, financial and other information relating to the Company with you; responding to an information request by you. | To communicate with you in accordance with your preference. |
To manage our relationship with you, which may include: notifying you about changes to our terms or privacy policy; asking you to take a survey or provide feedback. |
Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services). |
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data, compliance with legal or regulatory obligations and establishing, exercising or defending our legal rights) |
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. |
To deliver relevant website content to you and measure or understand the effectiveness of the information we present. | Necessary for our legitimate interests (to study how visitors use our website, to develop them, to grow our business and to inform our communication strategy). |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences. | Necessary for our legitimate interests (to define types of visitors to our website and to keep our website updated and relevant). |
Marketing and advertising
Collection and use of Personal Data for client experience and marketing purposes
We may collect and use the following personal data for client experience and marketing purposes when you use a Service:
Personal data you provide directly to us: For our Services or activities, such as when you register with a Service, subscribe to our alerts, or contact us directly, we collect and use the following types of personal data:
- Contact information, such as your full name, email address, mobile phone number, and location address;
- IOR-related reviews and feedback; and
- Any other personal data you provide to us.
We may combine such personal data with personal data we already have about you to personalise and enhance your user experience.
Personal data we collect automatically: We collect certain personal data automatically when you use our Services, such as your computer’s internet protocol (IP) address, device and advertising identifiers, browser type, operating system, internet service provider, pages that you visit before and after using the Services, the date and time of your visit, information about the links you click and pages you view within the Services, and other standard server log information.
We may use cookies, pixel tags, Local Shared Objects, and similar technologies to collect this information automatically. Cookies are small bits of information stored by your computer’s web browser. Pixel tags are very small images or small pieces of data embedded in images, also known as “web beacons” or “clear GIFs,” that can recognise cookies, the time and date a page is viewed, a description of the page where the pixel tag is placed, and similar information from your computer or device. Local Shared Objects (sometimes referred to as “Flash Cookies”) are similar to standard cookies except that they can be larger and are downloaded to a computer or mobile device. You can refer to the cookies section below for more information.
We may also collect technical data to address and fix technical problems and improve our Services. Your device or browser settings may permit you to control the collection of this technical data. By enabling the collection of technical data in your device or browser, you are consenting to us collecting this technical data.
Personal data from Third-Party Services: If you access the Services from an advertisement on a third-party website, application, or other service we may receive information from the owner of the Third-Party Service related to you or that advertisement. For example, if you log in to our service using your Facebook or Google account, we may receive some information from those platforms (third-party data). We may combine the data we collect directly from you with information from third-party sources. This combined information helps us to better understand your preferences.
We use the personal data we collect online for the following purposes:
- To personalise and improve your patient and client experience with IOR and our service quality;
- To contact you and send you information about additional clinical services or general wellness from us or on behalf of our affiliates;
- To fulfil your requests for products, service quality, and information;
- To analyse the use of the Services and user data to understand and improve the Services;
- To conduct market research using your anonymised personal data;
- To prevent prohibited or illegal activities and otherwise in accordance with our Terms of Use; and
- For any other purposes disclosed to you at the time we collect your personal data or pursuant to your consent.
Sharing of Personal Data
We are committed to maintaining your trust, and we want you to understand when and with whom we may share the personal data we collect.
- Authorised third-party vendors and service providers. We may share your personal data with third-party vendors and service providers that help us with specialised services, including email deployment, business analytics, marketing (including but not limited to advertising, attribution, deep-linking, direct mail, mobile marketing, optimization and retargeting), performance monitoring, hosting, and data processing. These third-party vendors and service providers may not use your personal data for purposes other than those related to the services they are providing to us.
- Corporate affiliates. We may share your personal data with our affiliates.
- Legal purposes. We may disclose personal data to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims or government inquiries, and to protect and defend the rights, interests, health, safety, and security of IOR, our affiliates, patients, users, or the public.
If you choose to engage in public activities on the third party sites that we link to, you should be aware that any information you share there can be read, collected, or used by other users of these sites and forums. You should use caution in disclosing personal data while participating in these areas. We are not responsible for the personal data you choose to submit in public areas.
Your Choices
Depending on your browser, you will be asked to accept or reject cookies or disable cookies by adjusting your web browser settings. Because each web browser is different, please consult the instructions provided by your web browser (typically in the “help” section). Please note that you may need to take additional steps to refuse or disable Local Shared Objects and similar technologies. If you choose to refuse, disable, or delete these technologies, some of the functionality of the Services may no longer be available to you.
How to Opt-Out
You have the right to opt-out of our use of your personal data for marketing purposes. If you do not want us to use your personal data for marketing purposes, you can contact us at any time by:
- Sending an with the subject “unsubscribe”
Please include your name and contact details in your request, and specify that you would like to opt-out of marketing and advertising consent. We will process your request promptly in accordance with applicable law.
Third-party Marketing
Some of the Services may contain links to content maintained by third parties that we do not control. IOR is not responsible for these third parties' privacy practices, and their data processing practices are not covered by this Privacy Notice. We recommend you familiarise yourself with the privacy statements of any third party, which are usually linked on the homepage of their website.
We may use your de-identified data for third-party marketing purposes, but only in a way that does not directly identify you. Your name, address, date of birth, and other personal details will never be shared with third parties for marketing purposes. De-identified data may include information like general demographics or aggregated data used for marketing research. However, depending on what personal data the third party has stored and how you are using the services (e.g. being logged in to Meta’s Facebook and using the Facebook account to log in to IOR), the third party might be able to re-identify you.
Limiting Data Collection and Do Not Track
Limiting tracking and device access
We respect your wish to limit tracking and device access. You may choose settings depending on the type and version of your device, operating system, browser and mobile app. Limiting functions might lead to a degraded user experience and reduced service availability.
Cookie and Pixel Opt-Out: To opt out of interest-based advertising across browsers and devices from companies that participate in the Digital Advertising Alliance or Network Advertising Initiative opt-out programs, please visit their respective websites. You may also be able to opt out of interest-based advertising through the settings within the mobile app or your mobile device. Still, your opt-out choice may apply only to the browser or device you are using when you opt out, so you should opt out on each of your browsers and devices if you want to disable interest-based advertising for those browsers and devices. If you opt out, you will still receive ads that may not be as relevant to you and your interests, and your experience on our Services may be degraded.
Do-Not-Track Signals and Similar Mechanisms: Some web browsers transmit “do-not-track” signals to websites. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. We currently do not take action in response to these signals.
Mobile App settings: IOR mobile apps access, collect, use, and share your personal data as stated above. For some services, the mobile app requires access to your microphone and camera (e.g., telehealth consultation), your camera roll (uploading a profile picture) and other functions of your mobile device. You may enable or disable access via your device's settings. If you disable functions, your experience with our services may be limited, or some services might be unavailable.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7. WHO WE SHARE YOUR PERSONAL INFORMATION
We may have to share your personal data with the persons set out below for the purposes set out in section 6 above. We require all such persons to respect the security of your personal information and to treat it in accordance with applicable law.
Internationally within Mediclinic
The Mediclinic Group is an international healthcare services group, with the Company’s registered office in the United Kingdom and its management offices based in South Africa. The Mediclinic Group has operating divisions, all of which are based outside the EU, in South Africa and Namibia (Mediclinic Southern Africa), Switzerland (Hirslanden) and the United Arab Emirates (Mediclinic Middle East). As such our information systems or those of service providers may be in different countries. This may result in the transfer of your personal information might end up in one of those information systems to another country, and that country may have a different level of data protection regulation than yours. By giving us personal information, you consent to this kind of transfer of your personal information. No matter what country your personal information is in, you can expect a similar degree of protection in respect of your personal information which will be processed in accordance with our privacy and data protection policy and applicable laws.
Agents or service providers
As set out in section 5 above, we outsource the processing of certain functions and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers, we oblige those third parties to protect your personal information with appropriate security measures in accordance with our standards and applicable law.
Business transfers
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy notice.
Legal requirements
We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law, requested to do so by a governmental entity, or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain personal information collected and to process such personal information to comply with accounting, tax rules, regulations and any specific record retention laws.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
8. YOUR RIGHTS IN RELATION TO OUR USE OF YOUR PERSONAL INFORMATION
Subject to certain exceptions, you have rights under relevant data protection law in relation to our use of your personal information, including to:
- request access to your personal information held by us, together with an explanation of the categories of personal information being processed, the purposes of such processing, and the categories of third parties to whom the personal information may be disclosed;
- request a correction of your personal information if it is inaccurate or incomplete;
- request restriction of processing or object to certain uses of your personal information (which includes direct marketing, and processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling) and processing for purposes of scientific or historical research and statistics) on grounds relating to your particular situation;
- request the erasure of your personal information, or restrict its use, in certain circumstances (for example you can request that we erase your personal information where the personal information is no longer necessary for the purpose for which it was collected (unless certain exceptions apply); and
- withdraw any consents you have provided in respect of our use of your personal information.
If you have any questions about these rights, or you would like to exercise any of them, please contact our Data Protection Office via or write to us at The Institute of Orthopaedics and Rheumatology, Data Protection Office, P.O. Box 12687, Die Boord, Stellenbosch, 7613, South Africa.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We endeavour to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
9. HOW LONG WE KEEP YOUR PERSONAL INFORMATION
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, or as permitted by law.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
10. HOW WE SECURE YOUR PERSONAL INFORMATION
Your personal information shall be treated as confidential and collected, processed and stored by IOR and our service providers in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures, which include:
- identity and access management;
- infrastructure and operations security;
- vulnerability management;
- business continuity planning;
- disaster recovery planning; and
- security awareness.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
While IOR will use all reasonable endeavours to ensure the integrity, security and confidentiality of all personal information submitted and/or obtained from a user, it will not be held liable under any circumstances if such information is compromised, disseminated or otherwise disclosed through conduct outside the control of IOR such as hacking, infection by “viruses”, “Trojan Horses” or any other computer programming routines or software that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information.
11. CHANGES TO THIS PRIVACY NOTICE
We keep this Privacy Notice under regular review and we will place any updates on this webpage. This Privacy Notice was last updated on 30 Jun 2024.