Effective Date: 26 March 2026
Last Updated: 26 March 2026
Approved Date: 7 April 2026
1. PURPOSE
This POPIA Compliance Policy sets out how CoreMed (“we”, “us”, “our”) ensures full compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA).
CoreMed is committed to processing personal information lawfully, responsibly, and in a manner that protects the privacy and rights of all data subjects.
2. SCOPE
This policy applies to:
All personal information processed by CoreMed
All employees, contractors, operators, and third parties acting on behalf of CoreMed
All systems, platforms, and processes used to collect, store, or manage personal information
This includes both general personal information and special personal information, including health-related data.
3. DEFINITIONS
For purposes of this policy:
Personal Information: Information relating to an identifiable, living person or juristic entity
Special Personal Information: Sensitive data including health, biometric, or medical information
Data Subject: The individual to whom the information relates
Responsible Party: CoreMed, as the entity determining the purpose and means of processing
Operator: A third party processing data on behalf of CoreMed
4. CONDITIONS FOR LAWFUL PROCESSING
CoreMed adheres strictly to the eight conditions for lawful processing under POPIA:
4.1 Accountability
CoreMed accepts full responsibility for compliance with POPIA principles.
4.2 Processing Limitation
Personal information is processed:
Lawfully and in a reasonable manner
With consent or other lawful justification
Only where adequate, relevant, and not excessive
4.3 Purpose Specification
Information is collected for specific, explicitly defined purposes and not processed beyond those purposes.
4.4 Further Processing Limitation
Further processing is strictly aligned with the original purpose of collection.
4.5 Information Quality
CoreMed takes reasonable steps to ensure information is accurate, complete, and up to date.
4.6 Openness
Data subjects are informed about:
What data is collected
Why it is collected
How it is used
4.7 Security Safeguards
CoreMed implements appropriate technical and organizational measures to secure personal information.
4.8 Data Subject Participation
Data subjects are entitled to access, correct, and request deletion of their personal information.
5. SPECIAL PERSONAL INFORMATION (HEALTH DATA)
CoreMed processes health-related information under strict conditions:
Only where necessary for service delivery
With appropriate consent or legal justification
With enhanced security safeguards
With restricted access controls
Unauthorized access or misuse of health data is strictly prohibited.
6. CONSENT
Where required, CoreMed obtains clear and informed consent before collecting or processing personal information.
Consent must be:
Voluntary
Specific
Informed
Data subjects may withdraw consent at any time, subject to legal or operational limitations.
7. DATA SUBJECT RIGHTS
In accordance with POPIA, data subjects have the right to:
Access their personal information
Request correction or deletion
Object to processing
Withdraw consent
Lodge a complaint with the Information Regulator
CoreMed will respond to such requests within a reasonable timeframe.
8. SECURITY MEASURES
CoreMed implements strict security controls, including:
Access control based on roles and permissions
Encryption of sensitive data where appropriate
Secure storage infrastructure
Monitoring, logging, and intrusion detection
Regular system assessments and updates
All personnel are required to adhere to strict confidentiality obligations.
9. DATA BREACH MANAGEMENT
In the event of a data breach:
CoreMed will take immediate steps to contain and assess the breach
Affected data subjects will be notified where required
The Information Regulator will be informed in accordance with POPIA
Corrective measures will be implemented to prevent recurrence
10. THIRD-PARTY OPERATORS
CoreMed ensures that all operators:
Are bound by written agreements
Process data only on documented instructions
Implement appropriate security measures
Comply fully with POPIA requirements
CoreMed remains accountable for all processing carried out on its behalf.
11. CROSS-BORDER DATA TRANSFERS
Personal information may only be transferred outside South Africa where:
The recipient is subject to similar data protection laws, or
Adequate safeguards and agreements are in place
12. DATA RETENTION AND DESTRUCTION
CoreMed retains personal information only for as long as necessary.
When no longer required, data is:
Securely deleted, or
Irreversibly anonymized
13. INFORMATION OFFICER
CoreMed has appointed an Information Officer responsible for:
Ensuring POPIA compliance
Managing data subject requests
Overseeing internal policies and procedures
Liaising with the Information Regulator
The Information Officer's details are available upon request.
14. TRAINING AND AWARENESS
CoreMed ensures that all relevant personnel:
Receive POPIA awareness training
Understand their responsibilities
Adhere to internal data protection policies
15. ENFORCEMENT
Failure to comply with this policy may result in:
Disciplinary action
Termination of contracts
Legal action where applicable
16. UPDATES TO THIS POLICY
This policy may be updated from time to time to reflect legal or operational changes.
17. CONTACT
For POPIA-related queries:
CoreMed
Email: legal@coremed.co.za