Bankmed Privacy Statement

This document reflects the Privacy Statement for Bankmed, administered by Discovery Health (Pty) Ltd.

1. Definitions

The Scheme refers to Bankmed Medical Scheme, registration number 1279, registered with the Council for Medical Schemes. The registered office of the Scheme is at WeWork Rosebank (The Link), 1F, 173 Oxford Road, Rosebank, Johannesburg.

Administrator refers to Discovery Health (Pty) Ltd, registration number 1997/013480/07, an authorised financial services provider, the administrator and managed care organisation for Bankmed Medical Scheme and a subsidiary of Discovery Limited (registration number 1999/007789/06).

We, us, our refer collectively to the Scheme and the Administrator.

You and your refer to:

• the member and the dependants on the medical scheme which may include your spouse, children, and other dependants, collectively "your dependants" as the case may be, or

• an employer group participating in the Scheme for its employees, where relevant.

Your Personal Information refers to Personal Information about you, your dependants, and your employees (as relevant). It includes information about race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the individual amongst other things.

Process(ing) (of) information means the lawful and reasonable automated or manual activity of collecting, recording, organising, storing, updating, distributing, and removing or deleting Personal Information to ensure that such processing is adequate, relevant, and not excessive given the purpose for which it is processed.

Competent person means anyone who is legally competent to consent to any action or decision being taken for any matter concerning a member or dependant for example a parent, legal guardian or a legal representative appointed by a court to manage the finances, property, or estate of another person unable to do so because of mental or physical incapacity.

1. This Privacy Statement explains how Bankmed and its administrator and managed care service provider, currently Discovery Health (Pty) Ltd) (we/us) obtain, use, disclose and otherwise process Personal Information, which may include health and financial information ("Personal Information"), in a manner that is compliant, ethical, adheres to industry best practice and applicable protection of Personal Information legislation as enacted from time to time.

2. This Privacy Statement applies to you if you engage with us physically through our offices, or virtually through our website (https://www.bankmed.co.za), email, mobile applications such as the Bankmed App, social media platforms, over the phone, or otherwise as may be the case from time to time.

3. When you engage with us, you entrust us with Personal Information about you.

4. We are committed to protecting your right to privacy. We will keep your Personal Information confidential. 5. We take protecting your Personal Information seriously and are continuously developing and updating our security systems, processes and data governance policies.

6. Any other party, including the administrator and managed care service provider, that may have access to your Personal Information via Bankmed, is prohibited from using such information for any other purpose not approved by Bankmed. The administrator and managed care service provider, in particular, can only use the information strictly in compliance with the agreement between Bankmed and the administrator and managed care service provider.

7. We have a duty to take all reasonably practicable steps to ensure your Personal Information is complete, accurate, not misleading and updated on a regular basis. To enable this, we will always endeavour to obtain Personal Information from you directly. Where we are unable to do so, we will make use of verifiable independent third-party data sources. Thus, your Personal Information comprises information you may have given to us yourself or we may have collected from other sources.

8. You have the right to object to the processing of your Personal Information and have a choice whether or not to accept these terms and conditions. However, it is important to note that we require your acceptance to activate and service your medical scheme membership. If you do not accept these terms and conditions, we cannot activate and service your medical scheme membership.

9. Any information, including Personal Information relating to yourself and your dependents and/or beneficiaries, supplied to us or collected from other sources ("your Personal Information") will be kept confidential.

10. You understand and/or acknowledge that when you provide us with your Personal Information, your dependant/s and/or beneficiaries have provided you with the appropriate permission to disclose their Personal Information to us for the purposes set out below and any other related purposes. You agree to indemnify us against any loss or damage (whether direct or indirect) that such person may suffer because of the unauthorised use of their Personal Information given by you to us.

11. In the event that you are providing information and signing consent on behalf of a minor (person younger than 18 years old) you confirm that you are a competent person and their parent or legal guardian and that you give consent for us to process their Personal Information for the purposes covered in this Privacy Statement.

12. If you share your Personal Information with any third parties, we will not be responsible for how they use this information nor be responsible for any loss suffered by you or your employees (where applicable).

13. You understand that when you include your spouse and/or dependents on your application, we will process their Personal Information for the activation of the membership/benefit and to pursue their legitimate interest. Furthermore, we will process their information for the purposes set out in this Privacy Statement.

Each party accepts responsibility to the extent that the processing activities of Personal Information fall under the control of that party, and agrees to indemnify the other party/ies against any loss or damage, direct or indirect, that a member or his/her dependant may suffer because of any unauthorised use of the member's or dependant's Personal Information, or if a breach of the member's or dependant's Personal Information occur, but only if the processing of that Personal Information is controlled by that party. Bankmed Privacy Statement September 2024 Page 3 of 6

15. You understand, accept and consent that we may process, collate, store, collect and/or disclose your Personal Information and/or depersonalised/anonymised information or for the following purposes:

15.1. To verify the accuracy, correctness and completeness of any information provided to us in the course of processing an application for membership or providing services related to the membership;

15.2. To administer and manage your health plan and products, benefits, and services across all Bankmed authorised service providers, which includes assessing and paying claims, determining, and collecting premiums and providing any information, services or benefits that you are entitled to;

15.3. For the provision of managed care services to you or any dependant/s on your health plan;

15.4. For the provision of relevant information to a contracted third party who requires this information to provide a healthcare service to you or any dependant/s on your health plan;

15.5. For the collection of any amount owing by such member in respect of himself or his dependants (collection of debt);

15.6. To profile and analyse risk;

15.7. Resolve or manage complaints or queries;

15.8. Improve our existing products and services, and develop new products and services for Bankmed through research and development;

15.9. Improve customer experience and service efficiency by conducting surveys and analysing your service interactions;

15.10. Give you rewards in relation to products you hold;

15.11. Ensure you get access to health treatments and other benefits when required and as stipulated by the benefit rules of the products you have taken out and help you to navigate the healthcare system or the services of any healthcare or other providers when relevant (To ensure this, we may share your medical information with third parties, such as your treating doctor, with your consent, where required);

15.12. Through cookies on the Bankmed website, authenticate you, provide security against the fraudulent use of login details and for the protection of the Bankmed and its administrator's websites, and perform analytics to improve your experience;

15.13. To share your Personal Information with external health providers for them to assess or evaluate certain clinical information, in the event that you are subject to such a clinical assessment;

15.14. To investigate and/or remedy fraud, waste and abuse;

15.15. To support the early identification of medical conditions and/or other lifestyle risks and to encourage you to change your lifestyle to lessen the impact of such conditions; or

15.16. To provide personalised advice to you about risks to your health, how you may become healthier (such as by seeing a Healthcare Professional, having additional tests done or activating benefits) and the rewards and incentives which you may receive as a result of undertaking these activities. We will provide this advice to you based on market and behavioural research and analysis carried out using your personal, special and or depersonalised information. We may communicate this advice to you using the Bankmed App or other communication channels;

15.17. For academic research and analysis only where this is specifically approved by Bankmed;

15.18. To provide to third party financial services providers which may offer services, benefits or products to members and/or prospective members.

16. Examples of when and how we will obtain and share your Personal Information include:

16.1. Obtaining your Personal Information from other relevant sources, including any entity that is related to the administrator, medical practitioners, contracted service providers, health information exchanges, employers, credit bureaus or industry regulatory bodies ("Sources"), and further processing of such Information to consider your membership application, to conduct underwriting or risk assessments, or to consider a claim for medical expenses;

16.2. We may (at any time and on an ongoing basis) verify with the Sources that your Personal Information is true, correct and complete. This, amongst other things, will allow the Scheme and the administrator (although to a limited extent) to ensure that a member is not a member of more than one medical scheme as this is prohibited by the Medical Schemes Act;

16.3. If you have joined as a member of an employer group, getting from and sharing with your employer information that is relevant to your application;

16.4. Communicating with you regarding any changes in your health plan, including your contributions or changes and enhancements to the benefits you are entitled to on the health plan you have selected;

16.5. Transferring your Personal Information outside the borders of the Republic of South Africa where appropriate, if you provide an e-mail address which is hosted outside the borders of South Africa, to administer certain services such as cloud services, or for processing, storage or academic research (where such research is specifically approved by Bankmed). We will ensure that anyone to whom we pass your Personal Information agrees to treat your information with the same level of protection as we are obliged to;

16.6. Sharing your Personal Information to be processed by healthcare providers via a health information exchange in order to improve members' treatment and healthcare outcomes;

16.7. Utilising external health specialists to assess or evaluate certain clinical information. Your Personal Information will be shared with such specialist/s in the event that you or your dependant/s are subject to such a clinical assessment;

16.8. In the event of any member ceasing to be a member, any amount still owing by such member in respect of himself or his dependants shall be a debt due to the Scheme and recoverable by it. Therefore, for the provision of information to a contracted third party who performs a debt collection service to the Scheme, where you owe the Scheme an outstanding debt;

16.9. In the event of any active Bankmed member owing any amount in respect of himself or his dependants shall be debt due to the Scheme and recoverable by it. Therefore, for the provision of information to a contracted third party who performs a debt collection service to the Scheme, where you owe the Scheme an outstanding debt; Furthermore, the value of the debt owing may also be communicated to your employer for purposes of notifying you of debt as well as possible payroll deduction where you owe the Scheme an outstanding debt (subject to Section 34(1) of the Basic Conditions of Employment Act 75 of 1997).

17. By signing this application form, you expressly consent that we can obtain and share information about your creditworthiness, or the creditworthiness of any payer of your contribution, with any credit bureau or credit providers' industry association or industry body. This includes information about credit history, financial history, judgments, default history and sharing of information for purposes of risk analysis, tracing and any related purposes.

18. Your Personal Information may be shared with third parties such as academics and researchers, including those outside South Africa. We ensure that the academics and researchers will keep your Personal Information confidential and all data will be made anonymous to the extent possible and where appropriate. No Personal Information will be made available to an academic or research party unless that party has agreed to abide by strict confidentiality protocols that we require. If we and/or the academic and researcher publish the results of this research, you will not be identifiable.

19. We may process your information using automated means (without human intervention in the decisionmaking process) to make a decision about you or your application for any product or service. You may query the decision made about you.

20. If asked to do so, we will share your Personal Information with a third party if:

20.1. you have already given your consent for the disclosure of this information to such third party; or

20.2. if a contractual relationship exists in terms of which we are obliged to provide the information to such third party.

21. You consent and agree that:

21.1. We may process your information, including Personal and Special Information, to adhere to South African legislative reporting obligations and to conduct sanction screening against all mandatory and non-mandatory sanctions lists and to perform transaction monitoring activities;

21.2. We may communicate such Personal Information to local and international Regulatory Bodies if you are matched to one of these sanctions lists;

21.3. We may communicate such Personal Information to other relevant governance structures of the Scheme or its administrator or any of its relevant entities if any Legislative reportable matters are identified.

22. Should you wish to share your information for any other reason, we will do so only with your permission. Bankmed Privacy Statement September 2024 Page 5 of 6

23. You have the right to know what Personal Information the Scheme holds about you. If you wish to access this information, please complete the PAIA Access Request Form available on www.bankmed.co.za and specify the information you would like. We will take all reasonable steps to confirm your identity before providing details of your Personal Information in respect of this request. We are entitled to charge a fee for this service and will let you know what it is at the time of your request.

24. You have the right to contact and ask us to update, correct or delete your Personal Information. Bankmed and its administrator have the right to communicate with you electronically about any changes on your health plan, including your contributions or changes to the benefits you are entitled to on the health plan you have chosen.

25. You have the right to update, correct or delete your Personal Information. To do this log into www.bankmed.co.za:

25.1. Click on the 'Your Details' tab at the top of the page;

25.2. Then click on the 'Update your Details' tab (This applies for dependant details as well);

25.3. Follow the prompts to check that your details are listed correctly;

25.4. Update your details if they are outdated or incorrect.

26. You agree that we may retain your Personal Information until such time as you request us to destroy it (unless we are obliged by law to retain it, regardless of such request, for the pursuit of our legitimate business purpose). Where we cannot delete your Personal Information, we will take all practical steps to anonymise it.

27. Bankmed and its administrator and managed care service provider are required to collect and retain information in terms of the following legislation (amongst others):

27.1. The Medical Schemes Act, 1998 27.2. The Consumer Protection Act, 2008

27.3. The Protection of Personal Information Act, 2013

27.4. Electronic Communications and Transactions Act, 2002 2

7.5. Promotion of Access to Information Act, 2000

28. Legislation specific to the administrator and managed care service provider only:

28.1. Financial Advisory and Intermediary Services Act, 2002

28.2. Companies Act, 2008

29. You agree that Bankmed and its administrator may transfer your Personal Information outside South Africa:

29.1. if you give us an email address that is hosted outside South Africa; or

29.2. for processing, storage or academic research, only where this is specifically approved by Bankmed; or

29.3. to administer certain services, for example, cloud services.

30. When we share your information to administer certain services, we will ensure that any country, company or person that we pass your Personal Information to agrees to treat your information with the same level of protection as we are obliged to do in South Africa. Unless you specifically give us consent to share your Personal Information with such person (or company).

31. If we become involved in a proposed or actual amalgamation, transfer or merger, acquisition or any form of sale of any assets, as appropriate, we have the right to share your Personal Information with third parties in connection with the transaction. In the case of such an event, the new entity will have access to your Personal Information.

32. Bankmed may change this Privacy Statement at any time. It is your responsibility to check our website regularly to ensure that you are aware of these changes. By continuing to be a member, you agree that the latest version will apply to you. The most updated version will always be available on the Bankmed website (www.bankmed.co.za):

32.1. Scroll to the bottom of the webpage once you have logged in and select the 'Legal' tab; or

32.2. Click on the link below to access the document: https://www.bankmed.co.za/wcm/medical-schemes/bankmed/assets/bankmed-privacystatement.pdf

33. If you believe that Bankmed or its administrator or managed care provider have used your Personal Information contrary to this Privacy Statement, you have the right to lodge a complaint with the Information Regulator, under POPIA. However, we encourage you to first follow our internal complaints process to resolve the complaint. We explain the complaints and disputes process on the Bankmed website. You may click on this link to access the complaints and escalations process: https://www.bankmed.co.za/medicalschemes_za/bankmed/web/health/linked_content/documents/latest_ info/complaints_and_escalations.pdf

If, thereafter, you feel that we have not resolved your complaint adequately kindly contact the Information Regulator at:

E-m ail: POPIAComplaints@inforegulator.org.za
Telephone: +27 (0) 10 023 5200