POPIA Compliance

Somor CredIntel is committed to full compliance with the Protection of Personal Information Act (POPIA). This page details how we protect your personal information in accordance with South African law.

Last updated: 20 May 2026

1. What Is POPIA?

The Protection of Personal Information Act (POPIA), Act 4 of 2013, is South Africa's comprehensive data protection legislation. It gives effect to the constitutional right to privacy, as enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996. POPIA regulates the processing of personal information by both public and private bodies and establishes minimum standards for the lawful processing of personal information.

How POPIA Applies to Our Services

As a credit intelligence and screening company, Somor CredIntel processes significant volumes of personal information — including ID numbers, credit data, employment details, and property records. POPIA applies to every aspect of our operations, from the initial collection of personal information through to its storage, use, sharing, and eventual deletion. We are legally obligated to process this information in accordance with POPIA's conditions for lawful processing.

2. Somor CredIntel's POPIA Commitment

Somor CredIntel is fully committed to compliance with POPIA. We recognise that the personal information entrusted to us is sensitive and requires the highest standards of care. Our commitment includes:

Accountability

We take full responsibility for the personal information we process and have appointed an Information Officer registered with the Information Regulator to oversee POPIA compliance.

Lawful Processing

We process personal information only when we have a lawful basis to do so, whether that be consent, a contractual necessity, a legal obligation, or a legitimate interest.

Minimisation

We collect only the minimum personal information necessary to fulfil the specific purpose for which it is required. We do not collect information speculatively or for purposes beyond the scope of our services.

Transparency

We are transparent about what personal information we collect, why we collect it, how we use it, and with whom we share it. This page, together with our Privacy Policy, provides full disclosure.

Continuous Improvement

We continuously review and improve our data protection practices, systems, and policies to ensure ongoing compliance with POPIA and international best practices.

3. Information Officer Details

In compliance with Section 55 of POPIA, Somor CredIntel has designated an Information Officer responsible for ensuring compliance with the Act. The Information Officer is registered with the Information Regulator of South Africa.

Information Officer

The designated Information Officer can be contacted for any POPIA-related queries, data subject requests, or complaints.

Email

info@somorcredintel.co.za

Phone

+27 (0) 11 000 0000

Postal Address

Johannesburg, South Africa

Duties of the Information Officer

The Information Officer is responsible for: encouraging compliance with POPIA conditions; dealing with requests made pursuant to the Promotion of Access to Information Act (PAIA); working with the Information Regulator during investigations; and ensuring that internal awareness sessions and training on POPIA are conducted.

4. Categories of Personal Information Processed

Somor CredIntel processes the following categories of personal information in the ordinary course of business:

Identification Data

Full names, South African ID numbers, date of birth, gender, photographs, and copies of identity documents.

Contact Information

Residential and postal addresses, email addresses, mobile and landline telephone numbers.

Financial and Credit Data

Credit scores, credit reports, payment histories, outstanding debts, judgments, defaults, adverse listings, debt-to-income ratios, and affordability assessments.

Employment Data

Employer names and contact details, employment status, job titles, salary information, payslips, and bank statements.

Property and Rental Data

Property ownership records, Deeds Office data, rental history, previous tenancy information, eviction records, and lease agreement details.

Special Personal Information

In certain limited circumstances, we may process special categories of personal information (such as biometric data for identity verification) only where legally permitted and with appropriate safeguards.

5. Purpose of Processing

We process personal information for the following specific, explicitly defined, and lawful purposes:

Credit Bureau Checks

To access and compile credit information from registered credit bureaus for the purpose of assessing creditworthiness and financial standing.

Tenant Screening

To verify the identity, employment, income, and rental history of prospective tenants to assist landlords and property managers in making informed tenancy decisions.

Landlord Vetting

To verify property ownership and landlord identity through Deeds Office records and other verification methods, protecting tenants from rental fraud.

Fraud Prevention

To detect and prevent fraudulent applications, forged documents, identity theft, and rental scams in the South African property market.

Client Service Delivery

To process service requests, communicate screening results, handle queries, and provide ongoing support to our clients.

Legal Compliance

To comply with our obligations under the NCA, POPIA, FICA, PAIA, and other applicable legislation.

6. Legal Basis for Processing

POPIA requires that all processing of personal information must have a lawful basis. Somor CredIntel relies on the following legal bases:

Consent (Section 11(1)(a))

The data subject, or a competent person where the data subject is a child, has given consent for the processing. This is our primary legal basis for credit checks and tenant screenings. Consent must be voluntary, specific, and informed.

Legitimate Interest (Section 11(1)(f))

Processing is necessary for the legitimate interests of the responsible party or a third party to whom the information is supplied. We rely on this basis for fraud prevention, risk assessment, and the general operation of our screening services.

Legal Obligation (Section 11(1)(b))

Processing is necessary for the responsible party to comply with an obligation imposed by law or to give effect to a contractual obligation. We rely on this basis for FICA compliance, NCA record-keeping, and responding to lawful requests from regulatory authorities.

Contractual Necessity (Section 11(1)(c))

Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject to enter into a contract. This applies where a tenant has applied for a rental property and a screening is required as part of the application process.

7. Recipients of Personal Information

Personal information processed by Somor CredIntel may be disclosed to the following categories of recipients:

Clients

The party who requested the screening service receives the resulting screening report containing the personal information of the subject.

Credit Bureaus

Registered South African credit bureaus (TransUnion, Experian, Compuscan, XDS, and others) to obtain and verify credit information.

Deeds Office

The South African Deeds Office for property ownership verification.

Employers

Employers of screening subjects for employment and income verification purposes.

Regulatory Authorities

The Information Regulator, National Credit Regulator, Financial Intelligence Centre, and other regulatory bodies as required by law.

Service Providers

Trusted third-party service providers who assist us in delivering our services, subject to contractual data protection obligations.

8. Cross-Border Transfers

Somor CredIntel primarily operates within South Africa and stores personal information on servers located within the Republic. In the event that personal information must be transferred to a third party in a foreign country, we will ensure that:

Adequate Protection

The recipient country has an adequate level of data protection as determined by the Information Regulator, or the transfer is subject to appropriate safeguards including binding corporate rules or standard contractual clauses.

Consent

The data subject has provided explicit consent to the transfer, following full disclosure of the potential risks of the transfer.

Necessity

The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request.

Current Position

At present, Somor CredIntel does not routinely transfer personal information outside of South Africa. Should this change, this page will be updated accordingly.

9. Data Subject Rights Under POPIA

POPIA grants data subjects (the individuals whose personal information we process) the following eight rights:

1. Right to Access

You have the right to request access to your personal information held by Somor CredIntel. You may request confirmation of whether we hold your personal information, a description of the information, and a copy of the record.

2. Right to Correction

You have the right to request the correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained personal information. We may also be required to supplement a record that is incomplete.

3. Right to Deletion

You may request the deletion of your personal information where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful.

4. Right to Object

You have the right to object, on reasonable grounds, to the processing of your personal information. Where processing is based on legitimate interest, you may object and we must desist from processing unless we can demonstrate compelling legitimate grounds.

5. Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal must be in writing or in a manner prescribed by Somor CredIntel. Processing prior to withdrawal remains lawful.

6. Right to Complain

You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been processed in violation of POPIA. The Information Regulator can be contacted at inforeg@justice.gov.za or via www.justice.gov.za/inforeg.html.

7. Right to Be Notified

You have the right to be notified if your personal information has been accessed or acquired by an unauthorised person. Somor CredIntel will notify both the Information Regulator and affected data subjects in the event of a data breach, as required by POPIA.

8. Right Regarding Automated Decision-Making

You have the right not to be subject to a decision that has legal or similarly significant effects based solely on automated processing, unless certain exceptions apply. Where automated decision-making is used, you may request that the decision be reviewed by a natural person.

10. Security Measures

Somor CredIntel implements comprehensive technical and organisational measures to secure personal information against unauthorised access, loss, damage, or destruction:

Technical Measures

TLS 1.2+ encryption for data in transit; AES-256 encryption for data at rest; firewalls and intrusion detection systems; regular vulnerability assessments and penetration testing; secure API endpoints with authentication and rate limiting; automated security patching and updates.

Organisational Measures

Role-based access controls and least-privilege principles; mandatory employee data protection training; confidentiality agreements for all staff and contractors; documented data handling procedures; regular compliance audits and assessments; incident response plan and breach notification procedures.

Physical Measures

Secure data centre facilities with physical access controls; CCTV monitoring and environmental controls; secure document storage and disposal procedures.

11. How to Submit a Complaint

If you believe that Somor CredIntel has processed your personal information in violation of POPIA, or if you wish to exercise any of your data subject rights, you may:

Contact Us Directly

Submit your complaint or request in writing to info@somorcredintel.co.za or call +27 (0) 11 000 0000. We will acknowledge receipt within 7 business days and provide a substantive response within 30 business days.

Contact the Information Regulator

You may lodge a complaint directly with the Information Regulator of South Africa. The Regulator can investigate complaints, issue enforcement notices, and impose administrative fines.

Information Regulator Contact Details

Email: inforeg@justice.gov.za | Website: www.justice.gov.za/inforeg.html | Physical Address: JDP House, 140 Witch-Hazel Avenue, Eco Glades 2, Centurion, Gauteng, South Africa.

Our POPIA Promise

Somor CredIntel treats the protection of your personal information as a fundamental obligation — not merely a compliance requirement. We are committed to processing your data lawfully, fairly, and transparently, and we will continue to invest in the systems, training, and processes necessary to uphold the highest standards of data protection. If you have any questions about our POPIA compliance, please do not hesitate to contact us at info@somorcredintel.co.za.