POPIA Compliance in Credit Risk Management: Shared Responsibilities Between Trade Shield and Clients

Created by Amy Sara Price, Modified on Tue, 15 Jul at 9:20 AM by Amy Sara Price

This can be viewed on our WIKI site as well: https://wiki.tradeshield.ai/en/governance/popia/justification

It is the responsibility of both Trade Shield and our Clients to process personal information lawfully, in accordance with the Protection of Personal Information Act (POPIA), 2013. Trade Shield provides configurable tools and guidance to assist Clients in collecting the necessary legal justification for processing their customers’ (referred to as Buyers) personal information. However, the ultimate responsibility for ensuring that appropriate justification is in place for all their buyers rests with the Client.

We use the following mechanisms to obtain justification, both for ourselves and on behalf of our clients:

 

Consent 

  • Collected during onboarding (where Trade Shield's onboarding product is used)
  • Clients are responsible for ensuring that the details in the consent cover their processing details correctly
  • Trade Shield requests separate and specific consent for our portion of the data processing.
  • Consent is especially important before a contract exists, or where no contractual relationship is yet in place.

Contract

  • When a Buyer signs the Client’s Terms and Conditions and the application is approved, then they enter into a binding agreement.
  • Trade Shield requires Clients to include a clause stating that ongoing processing of their data is a condition of having a (credit) account.
  • This includes sharing Buyer data with Trade Shield and external financial institutions for credit risk assessment and monitoring.

 

POPIA

 

Important Trade Shield POPIA Resources

 

Important Act References

  • Consent justification → Section 11 (Consent, justification, and objection).
  • Notification of processing → Section 18 (Notification to data subject).
  • Cross‑border transfers → Section 72.

 

Trade Shield and Client Responsibilities

Under the Protection of Personal Information Act (POPIA), both Trade Shield and its clients may act as either the Responsible Party or the Operator, depending on the specific data being processed and its intended use (Purpose).

Clients act as the Responsible Party for personal information they collect from their customers (Buyers) and provide to Trade Shield for onboarding, credit risk assessment, or monitoring purposes. Where Trade Shield acts as an Operator, clients are responsible for ensuring a valid operator agreement is in place, as required under Section 21 of POPIA. Trade Shield has a Data Processing Agreement that can be used; however, the responsibility for obtaining a signed version lies with the client.

Trade Shield is the Responsible Party for personal information it generates or acquires independently (e.g., derived credit insights, enriched risk data, aggregated behavioral indicators, or third-party data obtained through authorized sources). When this information is shared back with the Client, Trade Shield does so under its own obligations as a Responsible Party.

Both Trade Shield and the Client are expected to:

  • Ensure lawful justification for processing data (e.g., contract, consent, legitimate interest).
  • Provide data subject notification as required by Section 18.
  • Be transparent about what data is collected, why it is needed, who it will be shared with, and how it will be stored.
  • Maintain operator agreements and safeguards where applicable (Section 21).
  • Respect data subject rights (access, correction, objection, deletion).
  • Ensure cross-border processing complies with Section 72 of POPIA.
  • Limit processing by collecting only the minimum data necessary to deliver on the prescribed purpose.
  • Keep financial, contact, and registration data accurate and up-to-date.
  • Implement appropriate security safeguards, which include but are not limited to data encryption, access control, and secure storage (digital and physical).

 

Consent

Trade Shield uses consent as justification for data processing before the buyer signs the client's terms and conditions. This is not the primary method of justification, as it can be revoked and leave the client unaware of risk changes. It is in the client's interest (and we expect it) that buyer contracts include conditional permission that is bound to the account as primary justification.

 

Requirements for Consent

Summarized view of POPIA requirements for consent.

  • Specific (clear about what is being consented to),
  • Voluntary (not bundled with unrelated purposes),
  • Informed (includes who, what, why, how, and where),
  • Revocable (includes a mechanism to revoke),
    • An explicit action from the data subject is required, e.g., a tick box, a signed document, etc.
  • Time-bound/contextual, where necessary.
    • Must receive consent before obtaining sensitive information from the buyer
    • Should have expiry through boundaries set either on time or by the purpose/justification

 

Trade Shield Client Requirements

Our client's privacy policy must include the necessary information for a Data Subject to know how to request changes to their information, revoke consent, and lodge a complaint with the Information Regulator.

 

Input required by Customer.

This is the normal information Trade Shield will need to configure the consent collection based on the default template.

  • Client Legal Name of Business
  • Client Legal Registered Address
  • Client Purpose for processing personal information, e.g., Customer onboarding / Credit Application / Due Diligence
  • Link to customer privacy policy (Must be publicly available)
  • List of other entities that might have access to the data from the customer side. (Apart from Trade Shield)
  • A categorical list of “other” personal information that the customer wants to collect consent for that is not included in the digital application.

 

Consent to Process Personal Information (Template)

{Customer Name}, located at {Customer Address}, requires your consent to collect and process your personal information in connection with {Customer Purpose}. Trade Shield (Pty) Ltd, located in Woodmead, Johannesburg, requires your consent to collect and process your personal information for Credit Risk Insights, Credit Assessments, Financial Analysis, and Due Diligence as part of the application and ongoing monitoring should your application be approved on behalf of {Customer Name}.

This consent applies to your data as it appears in this application, as well as any corrections you make before submission. Additionally, credit reports and checks from authorized sources, such as credit bureaus and Credit Resellers, may be requested during the process.

The information collected may include your contact details, business registration data, financial information, credit history, bank statement analysis, Audited Financials, Credit Reports, and any additional information provided below.

Your personal information may be shared with trusted third parties within the boundaries of the described purpose. Where legally permitted, your data may be transferred or accessed outside of South Africa, in accordance with Section 72 of POPIA, which includes adequate protection mechanisms, contractual assurances, or recognized jurisdictional adequacy.

If you are a sole proprietor or single director, you explicitly consent to your credit data being accessed as part of this process, including credit reports/checks.

 

Here are the other parties with whom your data could be shared.

  • Inoxico – for commercial credit checks
  • VeriCred – for individual credit checks
  • CreditSafe – for international company reports
  • Moody’s – for financial health and benchmarking
  • TruID – for verified bank statement analysis
  • {Additional Client-listed Recipients} – for {respective purposes}

 

Additional categories of personal data are collected for this process.

  • {Data Description 1}
  • {Data Description 2}

 

You have the right to:

  • Request access to the personal data held about you.
  • Correct inaccurate or outdated information.
  • Withdraw your consent at any time, unless processing is required by law or contract.
  • Lodge a complaint with the Information Regulator of South Africa (www.inforegulator.org.za).

 

For details on how your information will be protected and your rights managed, please refer to:

 

Contract (Primary Justification)

Trade Shield clients' contracts with their buyers must reflect lawful grounds for processing personal information. In your case, the lawful basis is "contractual necessity" and "legitimate interest", combined with disclosure to third parties (i.e., Trade Shield and other financial services).

 

What the contractual clause should include

  • Specify the purpose of data processing.
    • Clearly state that personal information will be used for credit risk assessment, credit monitoring, and related financial services.
  • Define the data subjects and types of personal information
    • Identify the "buyer" or end-customer as the data subject.
    • Specify the typical data processed (contact information, payment behavior, financial data, trade history, judgments, CIPC, etc.).
  • Indicate the legal basis for processing.
    • Refer to the necessity of processing for the performance of the contract (credit facility), and the legitimate interest of credit risk mitigation, to ensure that the credit extension can be kept risk-adjusted.
  • Mention third-party disclosures
    • Include Trade Shield and other external financial service providers, such as credit bureaus, as authorized recipients of data under the same justification.
  • Describe the ongoing nature of processing.
    • Make it clear that processing continues for the duration of the credit facility and as long as there is a justifiable business reason.
  • Ensure transparency and alignment with the responsible party’s PAIA Manual
    • State that data will be processed in accordance with the POPIA and PAIA compliance frameworks of the involved parties, which can be found on their respective websites.
  • Highlight data subject rights.
    • Mention that buyers have the right to access, correct, or object to the processing of their personal information, within the limits of the law. Where the information is received from authoritative sources, they will be assisted in requesting the same from the source.
  • Specify data retention and protection measures.
    • Briefly state that information will be stored securely and retained only as long as necessary.
  • Note that consent is not the only basis.
    • Clarify that consent is not required where processing is based on contract or legitimate interest, but data subject rights are still respected.

 

Example Clause

Important Notice: This is an example, and Trade Shield does not take any liability for this recommendation and our client's POPIA justification. Each party is responsible for ensuring their specific business context and purpose are properly articulated and approved by their Information Officer and Legal Team. This explains the Trade Shield requirement in our client's contracts and may need to be supplemented or modified to ensure holistic compliance.

 

By accepting these terms and conditions, the Buyer acknowledges and agrees that [Client Company Name] may collect, process, and share personal and financial information on the Buyer as necessary to assess and manage the Buyer's creditworthiness and ongoing credit risk profile.

This includes the right to disclose Buyer Information to trusted third-party service providers, including but not limited to Trade Shield (Pty) Ltd and authorized financial institutions, such as credit bureaus, for purposes such as credit risk evaluation, credit limit recommendations, trade behavior analysis, and related financial services.

The Buyer acknowledges that such processing is necessary to perform the obligations of this agreement and is further justified by the legitimate interest of [Client Company Name] in managing credit risk responsibly.

Buyer Information may include contact information, payment behavior, financial records, trade references, public registry data (e.g., CIPC), legal judgments, and other relevant indicators.

Processing of this information will continue for as long as the Buyer maintains a credit facility with [Client Company Name], and thereafter only as reasonably required for legal, audit, or credit record-keeping purposes.

All processing will be conducted in compliance with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). The Buyer may review the applicable PAIA Manual at [Client PAIA URL] and the PAIA Manual of Trade Shield.

The Buyer retains the right to access their personal information, request corrections, or raise reasonable objections to the processing of their information, subject to applicable law. Where information originates from external or public sources, the Buyer will be supported in addressing inaccuracies at the source.

The Buyer acknowledges that this processing is a condition of receiving and maintaining access to a credit facility, and that consent is not the sole basis for such processing where lawful contractual or legitimate interests apply.

 

 
