The Credit Bureau Association of South Africa has issued a code of conduct for the processing of credit information under the Protection of Personal Information Act, No. 4 of 2013 (POPIA).
Here is an analysis I wrote for OneTrust DataGuidance, which may be helpful for GDPR, CPRA, CPA and CDPA.
- Purpose limitation: Personal information which is processed for credit purposes will not be further processed in a manner that is incompatible with the original purpose for processing. The issues of compatibility between direct marketing and credit rating were also recently raised by a complaint filed by noyb.eu.
- Disclosure: Provide a detailed privacy disclosure.
- Data Subject rights must be honored.
- Security safeguards and accountability program.
The code also distinguishes between the obligations of the credit bureau when it collects directly from individuals and when it acts as an operator (processor) for a credit provider.