RUGARE MEDICAL DATA PROTECTION AND PRIVACY POLICY

Issued: 12/03/25
Effective: 08/04/25

1. INTRODUCTION

At Rugare Medical, we are committed to safeguarding the personal data and sensitive health information of all our patients, clients, partners, and employees. This Data Protection and Privacy Policy outlines our commitment to handling personal data responsibly, lawfully, and in full compliance with the Data Protection Act [Chapter 11:12], the Cyber and Data Protection Act, and the guidelines issued by POTRAZ.

We recognize that personal health information is among the most sensitive forms of data. As a result, we implement robust data governance frameworks and strive to uphold the highest standards of integrity and confidentiality in our data processing activities.

2. PURPOSE

This policy is designed to:

Provide a transparent overview of how Rugare Medical collects, uses, stores, shares, and protects personal data.

Outline the rights of data subjects and how they may exercise these rights.

Detail the responsibilities of Rugare Medical’s staff and management regarding data protection.

Demonstrate Rugare Medical’s commitment to data privacy in accordance with Zimbabwean law and international best practices.

3. SCOPE

This policy applies to:

All personal data processed by Rugare Medical, whether in digital, paper-based, or verbal form.

All departments, employees, contractors, third-party service providers, and partners who handle data on behalf of Rugare Medical.

All data subjects, including patients, employees, job applicants, suppliers, and stakeholders.

4. DEFINITIONS

Personal Data: Any information relating to an identified or identifiable individual.

Sensitive Data: Includes health records, biometric data, racial or ethnic origin, religious or philosophical beliefs, or any data deemed sensitive under applicable law.

Data Subject: A natural person whose personal data is collected and processed.

Data Controller: Rugare Medical, in its capacity as the entity that determines the purposes and means of processing personal data.

Data Processor: Any party that processes data on behalf of Rugare Medical.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

5. PRINCIPLES OF DATA PROCESSING

Rugare Medical adheres to the following principles when processing personal data:

Lawfulness, Fairness, and Transparency
Data is processed lawfully, fairly, and transparently in relation to the data subject.

Purpose Limitation
Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimization
Only data that is adequate, relevant, and limited to what is necessary is collected and processed.

Accuracy
Data is kept accurate and up to date, with every reasonable step taken to ensure that inaccurate data is corrected or deleted promptly.

Storage Limitation
Data is retained only for as long as necessary for the purposes for which it was collected.

Integrity and Confidentiality
Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, loss, destruction, or damage.

Accountability
Rugare Medical is responsible for compliance with these principles and is able to demonstrate such compliance.

6. LAWFUL BASIS FOR PROCESSING

Rugare Medical shall only process personal data where at least one of the following conditions is met:

The data subject has given explicit consent.

Processing is necessary for the performance of a contract with the data subject.

Processing is required to comply with a legal obligation.

Processing is necessary to protect the vital interests of the data subject or another person.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Processing is necessary for the legitimate interests of Rugare Medical, except where overridden by the data subject’s rights and freedoms.

7. RIGHTS OF DATA SUBJECTS

Rugare Medical respects the rights of individuals under the Data Protection Act. These include:

Right to Access: Individuals have the right to request access to their personal data held by Rugare Medical.

Right to Rectification: Individuals may request correction of inaccurate or incomplete data.

Right to Erasure: Individuals have the right to request deletion of their personal data under specific circumstances.

Right to Object: Individuals may object to the processing of their data for certain purposes.

Right to Restriction: Individuals can request the restriction of processing in certain cases.

Right to Data Portability: Where applicable, individuals have the right to receive their data in a structured, commonly used, and machine-readable format.

Right to Lodge a Complaint: Individuals may lodge a complaint with POTRAZ if they believe their data rights have been violated.

Requests must be submitted in writing to the Rugare Medical Data Protection Officer.

8. DATA SECURITY MEASURES

Rugare Medical implements appropriate technical and organizational measures, including:

Secure electronic medical records systems with encryption and authentication.

Regular staff training and awareness programs on data protection.

Physical security controls for sensitive documents.

Data breach notification procedures and regular risk assessments.

Access control policies, ensuring that only authorized personnel have access to sensitive data.

9. DATA TRANSFER OUTSIDE ZIMBABWE

Personal data may be transferred outside Zimbabwe only where:

Adequate protection is ensured in the recipient jurisdiction.

The data subject has provided explicit consent.

It is necessary for the performance of a contract or to protect the vital interests of the data subject.

10. DATA RETENTION POLICY

Data shall be retained for no longer than is necessary for the purposes for which it was collected. Medical records shall be retained in accordance with statutory health regulations or professional guidelines, after which they will be securely disposed of.

11. THIRD-PARTY PROCESSORS

Rugare Medical shall engage third-party processors only after due diligence and with appropriate data processing agreements in place. These agreements shall ensure the third party:

Processes data in accordance with the law.

Maintains data confidentiality and security.

Does not engage sub-processors without consent.

12. DATA BREACH NOTIFICATION

In the event of a data breach, Rugare Medical will:

Notify POTRAZ and affected individuals within 24–72 hours, depending on severity.

Provide details on the nature of the breach, affected data categories, mitigation steps, and contact points for further information.

Cooperate fully with regulators and implement remedial actions.

13. TRAINING AND AWARENESS

All Rugare Medical staff are required to undergo regular data protection training. New employees shall be trained during induction, with annual refreshers provided.

14. GOVERNANCE STRUCTURE

Rugare Medical shall appoint a Data Protection Officer (DPO) who will:

Monitor compliance with this policy and applicable laws.

Serve as a liaison between Rugare Medical, POTRAZ, and data subjects.

Maintain records of processing activities.

Advise management on data protection impact assessments.

15. REVIEW AND AMENDMENTS

This policy shall be reviewed annually or as required by legislative or organizational changes. Updates will be approved by senior management and communicated accordingly.

16. COMPLIANCE AND ENFORCEMENT

Non-compliance with this policy may result in disciplinary action, including termination of employment or contractual relationships. Rugare Medical shall fully cooperate with POTRAZ in investigations of data protection violations.