POPIA Compliance in Credit Risk Management: Shared Responsibilities Between Trade Shield and Clients

Created by Amy Sara Price, Modified on Mon, 8 Jun at 8:58 PM by Amy Sara Price

Trade Shield  |  Knowledge Centre COMPLIANCE

POPIA Compliance in Credit Risk Management

Shared Responsibilities Between Trade Shield and Clients   ⓘ Reference Article

It is the responsibility of both Trade Shield and our Clients to process personal information lawfully, in accordance with the Protection of Personal Information Act (POPIA), 2013. Trade Shield provides configurable tools and guidance to assist Clients in collecting the necessary legal justification for processing their buyers' personal information. However, the ultimate responsibility for ensuring appropriate justification is in place rests with the Client.

ⓘ Also Available: This article can also be viewed on our WIKI site at wiki.tradeshield.ai/en/governance/popia/justification

1

Justification Mechanisms

Trade Shield uses the following mechanisms to obtain justification — both for ourselves and on behalf of our clients:

CONSENT
  • Collected during onboarding (where Trade Shield's onboarding product is used)
  • Clients are responsible for ensuring the consent details cover their processing correctly
  • Trade Shield requests separate and specific consent for our portion of the data processing
  • Especially important before a contract exists, or where no contractual relationship is yet in place
CONTRACT
  • When a buyer signs the Client's Terms & Conditions and the application is approved, they enter a binding agreement
  • Trade Shield requires Clients to include a clause stating that ongoing processing is a condition of holding a credit account
  • This includes sharing buyer data with Trade Shield and external financial institutions for credit risk assessment and monitoring

⚠ Note: Consent is not the primary method of justification as it can be revoked. It is in the client's interest — and we expect it — that buyer contracts include conditional permission bound to the account as primary justification.

2

Important POPIA Resources

Trade Shield POPIA Resources

Important Act References

Consent justificationSection 11 — Consent, justification, and objection
Notification of processingSection 18 — Notification to data subject
Cross-border transfersSection 72
3

Trade Shield & Client Responsibilities

Under POPIA, both Trade Shield and its clients may act as either the Responsible Party or the Operator, depending on the specific data being processed and its intended use.

PartyRoleKey Responsibility
ClientResponsible PartyFor personal information collected from buyers and provided to Trade Shield for onboarding, credit risk assessment, or monitoring. Must ensure a valid operator agreement (Section 21) is in place. Responsible for obtaining a signed Data Processing Agreement.
Trade ShieldResponsible PartyFor personal information generated or acquired independently — e.g., derived credit insights, enriched risk data, aggregated behavioural indicators, or third-party data from authorised sources. When shared back with the Client, Trade Shield does so under its own obligations.

Both parties are expected to:

✓ Ensure lawful justification for processing data (contract, consent, legitimate interest)
✓ Provide data subject notification as required by Section 18
✓ Be transparent about what data is collected, why, who it will be shared with, and how it will be stored
✓ Maintain operator agreements and safeguards (Section 21)
✓ Respect data subject rights — access, correction, objection, and deletion
✓ Ensure cross-border processing complies with Section 72 of POPIA
✓ Collect only the minimum data necessary for the prescribed purpose (data minimisation)
✓ Keep financial, contact, and registration data accurate and up-to-date
✓ Implement appropriate security safeguards — data encryption, access control, and secure storage
6

Contract as Primary Justification

Trade Shield clients' contracts with their buyers must reflect lawful grounds for processing personal information. The lawful basis is contractual necessity and legitimate interest, combined with disclosure to third parties.

What the contractual clause must include:

ElementDetail
PurposeClearly state personal information will be used for credit risk assessment, credit monitoring, and related financial services
Data Subjects & TypesIdentify the buyer as the data subject; specify typical data: contact info, payment behaviour, financial data, trade history, CIPC, judgments, etc.
Legal BasisContractual necessity and legitimate interest in credit risk mitigation
Third-Party DisclosureInclude Trade Shield and external financial service providers (credit bureaus) as authorised recipients under the same justification
Ongoing NatureProcessing continues for the duration of the credit facility and as long as there is a justifiable business reason
POPIA/PAIA AlignmentReference to compliance frameworks; link to relevant PAIA manuals
Data Subject RightsRight to access, correct, or object to processing, within the limits of the law
Retention & ProtectionInformation stored securely and retained only as long as necessary
Consent ClarificationClarify that consent is not required where processing is based on contract or legitimate interest — but data subject rights are still respected
7

Example Contractual Clause

⚠ Important Notice: This is an example only. Trade Shield does not take liability for this recommendation. Each party is responsible for ensuring their specific business context and purpose are properly articulated and approved by their Information Officer and Legal Team. This may need to be supplemented or modified to ensure holistic compliance.

By accepting these terms and conditions, the Buyer acknowledges and agrees that [Client Company Name] may collect, process, and share personal and financial information on the Buyer as necessary to assess and manage the Buyer's creditworthiness and ongoing credit risk profile.

This includes the right to disclose Buyer Information to trusted third-party service providers, including but not limited to Trade Shield (Pty) Ltd and authorised financial institutions, such as credit bureaus, for purposes such as credit risk evaluation, credit limit recommendations, trade behaviour analysis, and related financial services.

The Buyer acknowledges that such processing is necessary to perform the obligations of this agreement and is further justified by the legitimate interest of [Client Company Name] in managing credit risk responsibly.

Buyer Information may include contact information, payment behaviour, financial records, trade references, public registry data (e.g., CIPC), legal judgments, and other relevant indicators.

Processing of this information will continue for as long as the Buyer maintains a credit facility with [Client Company Name], and thereafter only as reasonably required for legal, audit, or credit record-keeping purposes.

All processing will be conducted in compliance with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). The Buyer may review the applicable PAIA Manual at [Client PAIA URL] and the PAIA Manual of Trade Shield.

The Buyer retains the right to access their personal information, request corrections, or raise reasonable objections to the processing of their information, subject to applicable law. Where information originates from external or public sources, the Buyer will be supported in addressing inaccuracies at the source.

The Buyer acknowledges that this processing is a condition of receiving and maintaining access to a credit facility, and that consent is not the sole basis for such processing where lawful contractual or legitimate interests apply.

Need more help?

The support team is ready to assist

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article