Attention: Dr. Qinisile P. Cele
Instruction Date: 13 June 2025
Review Date: 14 June 2025
Remittance Date: 16 June 2025

DR. QINISILE P. CELE

RE: POLICY REVIEW - PREGGY CHECK PRIVACY POLICY
  1. We acknowledge receipt of your instruction to review the terms and conditions of the above-mentioned privacy policy.
  2. JURISDICTIONAL MISMATCH: POPIA AS PRIMARY LEGAL FRAMEWORK
    Issue:
    The current document frames POPIA (Protection of Personal Information Act) as the core legislative guideline. This is problematic because the policy is intended to find application to a global audience. Therefore, it cannot be drafted solely on the premise that the business will launch in South Africa, but should immediately be postured to address a global audience, including South Africa.
    Analysis:
    • POPIA is limited in jurisdiction and applies primarily to data subjects in South Africa or data processing done within South Africa.
    • Considering that PreggyCheck will process the personal data of international users, especially in the UAE, EU, UK, USA, etc., additional or alternative data privacy regulations should apply.
      Key Laws/Regulations that should be considered for global coverage are:
    • GDPR (General Data Protection Regulation): a European Union law focused on protecting the personal data of individuals within the EU and the European Economic Area. It contains stringent rules and has extraterritorial application.
    • UAE Privacy Framework: It regulates any processing of personal data of individuals inside the UAE, which requires a legal basis for processing personal data.
      Recommendation:
    • The document title and substance have to be changed from a POPIA-specific policy to a Global Privacy Policy that references multiple legal regimes based on the user's location.
  3. TERMINOLOGY AND LEGAL DEFINITIONS
    Issue:
    • The terms used (e.g. “lawful basis”, “personal information”) mirror POPIA but don't fully align with international terminology like “legal basis for processing” under the GDPR (examples: Discovery Limited, Nedbank, Shoprite Group).
    Recommendation:
    • The policy needs to introduce universally accepted definitions such as “personal data”, “data subject”, “processor”, etc.
    • The policy will need to include a disclaimer that country-specific rights apply depending on the user's jurisdiction, and then specify where the processing takes place.
  4. CROSS-BORDER TRANSFERS
    Issue:
    • Cross-border transfer is vaguely described as using “POPIA-compliant agreements”. However, other legal frameworks require standard contractual clauses or explicit consent for data transfers.
    Recommendation:
    • The policy needs to include the UAE PDPL (Personal Data Protection Law), referenced in the policy alongside POPIA and GDPR.
    • The updated policy must include:
      • Mechanisms such as the Standard Contractual Clauses under these legal frameworks.
      • Measures ensuring an adequate level of protection in third countries.
      • A clear statement that PreggyCheck uses global cloud infrastructure and commits to applicable data transfer mechanisms.
  5. DATA SUBJECT RIGHTS
    Issue:
    • The rights listed are very accurate under POPIA, but global users will expect broader rights, especially those under GDPR and the UAE PDPL.
    Recommendation:
    • The policy needs to provide a multi-jurisdictional rights section that summarises access, rectification, restriction, automated processing decisions, etc.
  6. DATA TYPES AND SENSITIVITY
    Issue:
    • The policy clearly identifies health-related data, which under these legal frameworks is classified as “Special Category Data” or “Protected Health Information”.
    Recommendation:
    • The policy ought to emphasise explicit consent for processing health-related data, as required under the above-mentioned legal frameworks.
  7. RETENTION AND DELETION
    Issue:
    • The current clause is reasonably framed; however, it lacks jurisdictional nuances.
    Recommendation:
    • The policy ought to reference the legal basis for retention under the various regimes (e.g. under POPIA, medical-related data is stored for a maximum of 10 years before deletion [similar to Medi Meta policy], and GDPR's storage limitation principle). The clause here needs to state how long data will be kept before it is deleted from your cloud storage.
  8. CONCLUSION

    The current clause as drafted is sufficient for the South African context. It does, however, lack a multi-jurisdictional approach, which is the envisaged goal of PreggyCheck.

    Therefore, a holistically framed/drafted privacy policy for PreggyCheck becomes necessary so as to avoid breaching any data privacy laws of other countries or jurisdictions.

  9. CHANGES MADE

    As per your instruction to re-draft PreggyCheck Privacy Policy, here are the changes made to mirror an international company with multi-jurisdictional legal frameworks:

    | Section | Adjustment |
    |---|---|
    | Title | Changed to: "Global Privacy Policy" – compliant with UAE PDPL, POPIA, GDPR, and other applicable laws |
    | Introduction | Clarifies that "PreggyCheck is a UAE-registered company committed to global data privacy compliance..." |
    | Definitions | The policy now contains a comprehensive glossary of definitions for ease of reference and better understanding for Users |
    | Applicable Laws | Policy now contains a list: UAE PDPL (Federal Law 45 of 2021), POPIA (South Africa), and GDPR (EU/UK) |
    | Cross-border Transfers | Policy now states that transfers are made under UAE PDPL and other laws requiring adequate protections and safeguards |
    | Health Data | The policy now adds that such data is protected under UAE PDPL Article 4 & GDPR Article 9, and consent is always required |
    | Data Subject Rights | Policy now specifically mentions the rights of users under the different legal frameworks |
    | South African Addendum | We have created an annexed POPIA-specific notice or highlighted RSA procedures in a dedicated section, in light of the launch of PreggyCheck |

    Summary of the Legal Positioning

    | Jurisdiction | Applicability | Action Taken |
    |---|---|---|
    | UAE (Parent entity) | PDPL governs the company | Embed PDPL compliance throughout the policy |
    | South Africa (Launch) | POPIA applies | Policy now shows POPIA alignment in privacy notices and operations |
    | Global (Future use) | GDPR (EU/UK) | Policy is drafted with the future in mind with a solid compliance infrastructure |