The Credit Bureau Association of South Africa has issued a code of conduct for the processing of credit information under the Protection of Personal Information Act, No. 4 of 2013 (POPIA).

Here is an analysis I wrote for OneTrust DataGuidance, which may be helpful for GDPR, CPRA, CPA and CDPA.

Key points:

  • Purpose limitation: Personal information which is processed for credit purposes will not be further processed in a manner that is incompatible with the original purpose for processing. The issues of compatibility between direct marketing and credit rating were also recently raised by a complaint filed by
  • Disclosure: Provide detailed privacy disclosure.
  • Data Subject rights must be honored.
  • Security safeguards and accountability program.

The code also distinguishes between the obligations of the credit bureau when it collects information directly from individuals and when it acts as an operator (processor) for a credit provider.