The Credit Bureau Association of South Africa has issued a code of conduct for the processing of credit information under the Protection of Personal Information Act, No.4 of 2013 (POPIA).

Here is an analysis I wrote for OneTrust DataGuidance, which may be helpful for GDPR, CPRA, CPA and CDPA.

Key points:

• Purpose limitation: Personal information which is processed for credit purposes will not be further processed in a manner that is incompatible with the original purpose for processing. The issues of compatibility between direct marketing and credit rating were also recently raised by a complaint filed by noyb.eu.
• Disclosure: Provide detailed privacy disclosure.
• Data Subject rights must be honored.
• Security safeguards and accountability program.

The code also distinguishes between the obligation of the credit bureau when collecting directly from individuals or as an operator (processor) for a credit provider.