CGM CUSTOMER DATA PROCESSING AGREEMENT

All definitions in this document correspond to those found in the Protection of Personal Information Act ("POPIA")

Consent to process Personal Information

In my role as a Responsible Person, I hereby appoint CompuGroup Medical South Africa (Pty) Ltd ("CGM") in my role as a Responsible Person to capture, store, and otherwise process Personal Information relating to myself, my medical Practice, my Practice staff, and the Practice's Patients (collectively Data Subjects). Such processing will be performed purely for the purpose of providing the products and services to the Practice outlined in my contract with CGM, and for the purpose of supporting an integrated digital healthcare offering to my Patients.

CGM may process the Practice's name, practitioner names, practitioner ID numbers, Practice staff names, address, contact numbers, e-mail addresses, contact person details, Practice number, Practice speciality, VAT number, and banking details. CGM will also store copies of my interactions with CGM's sales, support, and accounts staff, as well as my CGM account records.

I understand that for the purpose of providing products and services to my Practice, CGM will need to process my and my Practice's Personal Information, as described above, including storing such information on the CGM Group's secure central servers in Germany via CGM's secure international network, and on its own private iteration of SAP.

CGM may process a Patient's name, medical aid name and number, dependant names, genders, and ages, ID number, age, diagnosis, treatment information, and general health records.

I understand that CGM will not transmit my Patients' Personal Information outside the borders of South Africa.

I give permission for such processing.

Consent for Sharing of Practice and Patient Personal Information

I also give permission for CGM to share my, my Practice's and Patients' Personal Information with certain third parties — including, but not limited to pharmacies, pathology laboratories, medical schemes, and administrators for the purpose of providing an integrated digital service to my Practice and Patients. CGM will ensure that all third parties with whom it shares any of my Practice's or Patients' Personal Information have signed Data Processing agreements with CGM confirming their alignment with POPIA.

CGM Personal Information security measures

I understand that all CGM staff who process my Practice's and Patients' Personal Information, or provide installation or support and maintenance services for my CGM products and services have signed Personal Information security agreements, and that all of their interactions with our Personal Information will be governed by these agreements. I understand that all transmission of Personal Information by CGM occurs within CGM's secure network, or else in either password protected or encrypted form to ensure security.

I understand that CGM's staff will only ever have access to my Practice's computer system when actively granted access by my Practice for the specific purpose of maintenance or support. Any copies of my Practice's database required for migration or repair purposes may only be stored by CGM on encrypted hard drives, and the Personal Information may only be retained in a personally identifiable form for as long as required to satisfy the purpose of its sharing.

I understand that in order to ensure that its record of my Practice's Personal Information is accurate, up to date, complete, clear, and consistent, CGM may periodically check its records against those held by third parties such as Medpages — a verified source of healthcare provider contact information with whom CGM has a Data Processing Agreement.

Should my contract with CGM come to an end, CGM will delete all identifiable Personal Information relating to my Practice and my Patients that it has in its possession other than that which it is required to retain in an identifiable form for legal reasons for any period, and a record of the fact that information about my Practice has been deleted.

Practice Personal Information security measures

I understand that it is my responsibility to ensure that my Practice has adequate Personal Information security protections in place, particularly if I have my CGM products installed on a local server, rather than in CGM's secure cloud environment. I undertake to ensure that my IT provider has loaded adequate anti-virus and anti-malware programmes and firewalls onto my Practice's computer systems, and that sufficiently complex passwords are set up and consistently used in my Practice to protect the Personal Information of my Patients and my Practice.

I understand that unless I have contracted with CGM for storage and backup of my Practice's database on CGM's secure cloud platform, it is my responsibility to ensure that my Practice makes at least two weekly backups of our Practice database, and check that the backups are accurate, complete, and uncorrupted. I understand that at least one of these backups should be stored off-site.

I hereby indemnify CGM from any liability relating to any breach of my locally installed Practice database.

Informed consent from Patients

I understand that it is my responsibility to obtain my Patients' informed consent for CGM (as a Data Operator appointed by me, as a Responsible Person) to process their Personal Information. CGM will process their Personal Information or share it with third parties for the purpose of switching their claims to medical schemes, transmitting pathology results from pathology laboratories to my Practice, switching e-scripts, providing a platform for secure video consultations, providing customer support to my Practice, and doing maintenance or support to my Practice's patient database when instructed by me.

Requests for access to Personal Information

I instruct that any requests by third parties to CGM for the sharing of Personal Information relating to my Practice, or Patients which is not specifically required for the purpose of providing integrated healthcare which CGM facilitates on my instruction, will require the express, prior, specific consent of the Data Subject unless allowed by law.

I request that CGM notify me immediately of any request by one of my Patients for access to Personal Information held by CGM about them, and to only provide such Personal Information after ascertaining the identity of the applicant, and as required by the Promotion of Access to Information Act. Personal Information breaches

I instruct CGM to inform me immediately in the event of any Personal Information breach of my Practice or my Patients' Personal Information that comes to its attention. CGM must provide me with sufficient information to allow my Practice to meet any obligations to report such a breach to the Information Regulator and to the Data Subjects. CGM must also cooperate with me in taking reasonable steps on my request to assist with the investigation, mitigation and remediation of such a Personal Information breach.

I undertake to inform CGM of any breach of Personal Information at my Practice on any system carrying a CGM solution, and agree to cooperate with CGM to investigate, mitigate, and remedy the consequences of any such breach.