DATA PROCESSING POLICY FOR TRANSUNION CUSTOMERS, CHANNEL PARTNERS AND RESELLERS

INTRODUCTION

  1. TransUnion is a credit bureau registered in accordance with the provisions of the NCA (Registration Number NCRCB4). Its operations are regulated by the NCA and by other applicable Laws. TransUnion protects the integrity of all information housed by it, keeping such information secure. TransUnion is sensitive to the issues regarding privacy of information.

  2. Furthermore, TransUnion is a member of the following industry associations –
    • Credit Bureau Association (“CBA”): A voluntary industry body in the Republic of South Africa, representing the majority of credit bureaus within South Africa. The CBA operates in the industry in accordance with the NCA, as regulated by the National Credit Regulator, and related laws. The CBA’s mandate is to provide a framework for a sustainable and well-functioning credit information system by facilitating fair practice within the credit bureau industry and by promoting transparency, accountability, high-quality credit reporting and sound business practices.
    • South African Credit and Risk Reporting Association (“SACRRA”): A not-for-profit voluntary association of members who share credit and risk performance data of their customers (which information is known as “Payment Profile Information”). SACRRA provides the framework to facilitate the sharing of Payment Profile Information at its associate member credit bureaus enabling its members to comply with credit information sharing provisions of the NCA as well as the provisions for performing credit and risk assessments and affordability calculations.

  3. TransUnion is committed to conducting its operations in an ethical manner and in compliance with all applicable Laws and association/industry policy directives and guidelines. To be able to successfully ensure this, it is vital that all entities doing business with TransUnion ascribe to the same standards. Accordingly, TransUnion has set out, in this policy, obligations that need to be adhered to when an entity requests and uses information from, or supplies information to TransUnion.

  4. This policy may be updated from time to time to reflect any amendments made to applicable Laws or association/industry policy directives and guidelines.

PURPOSE OF POLICY

To outline obligations for protecting the integrity and confidentiality of information that is transmitted to and from TransUnion’s systems, as required by applicable Laws and associations relevant to the credit industry.

APPLICATION OF POLICY

  1. This policy is applicable to all entities who (a) procure and/or use and/or process information from TransUnion (whether directly OR through an authorized TransUnion channel partner/reseller) and who (b) supply information to TransUnion (whether directly OR through an authorized TransUnion channel partner / reseller) - such parties referred to hereafter as an “Applicable Party”.

  2. The terms of this policy shall be deemed to form part of the Applicable Party’s contract with TransUnion or with a TransUnion channel partner / TransUnion reseller (as the case may be) as if specifically incorporated therein.  A breach of any obligation herein shall therefore be regarded as a breach of the contract concluded with TransUnion or the channel partner/reseller, and managed accordingly.

DEFINITIONS

For purposes of this policy, capitalised terms shall have the meanings ascribed to them below –

  1. “Laws” means all laws, regulations, by-laws, rules, directives, guidelines, circulars, orders and other requirements of any government or any government agency, body or authority, including any regulator or court;
  2. NCA” means the National Credit Act No. 34 of 2005 together with the Regulations;
  3. Payment Profile Information” means the payment history and financial information relating to a debt or credit transaction, including relevant payment dates, both negative and positive information and/or signs depicting action taken in respect of such debt or credit transaction;/li>
  4. “Regulations” means the National Credit Regulations promulgated in terms of the NCA from time to time;
  5. “TransUnion” means TransUnion Credit Bureau (Pty) Ltd, registration number 2004/007773/07, a private company with limited liability and duly registered with the NCR under registration number NCRCB4.

COMPLIANCE WITH LAWS AND ASSOCIATED BODIES

In its dealings with TransUnion and usage of TransUnion’s service offerings, the Applicable Party shall at all times comply with the requirements for the receipt, compilation and reporting of information as prescribed by the NCA and other applicable Laws and associated bodies.

SECURITY

  1. The Applicable Party shall ensure that all persons accessing TransUnion’s services on its behalf have been duly authorized by the Applicable Party to do so. In addition, the Applicable Party shall ensure that only it or its authorised representatives have access to any PIN and/or password PIN issued for the purposes of requesting TransUnion services. The Applicable Party shall be liable for transactions, fees and other costs arising out of the use by any person of TransUnion’s services via the PIN and/or Password whether or not such use is or has been authorised by the Applicable Party.

  2. The Applicable Party shall immediately notify TransUnion in writing of any breach or attempted breach of security of which the Applicable Party may become aware or ought to have become aware of and the Applicable Party shall take reasonable steps to prevent a recurrence thereof and to mitigate the effects of such breach. TransUnion shall be entitled to fully investigate such breach or attempted breach and the Applicable Party shall give TransUnion its full co-operation with such investigation. Furthermore, the Applicable Party shall be liable for transactions, fees and other costs arising out of the use by any person of the TransUnion services including use of such services arising from a security breach.

  3. The Applicable Party shall install, implement and maintain the necessary software and IT security systems to ensure that no destructive elements are introduced into TransUnion’s systems. Destructive Elements means code that –

    • is intentionally designed to disrupt, disable, harm or otherwise impede in any manner, including aesthetic disruptions or distortions, the operation of TransUnion’s software, hardware, computer systems or networks, or any other associate hardware, software, firmware, computer system or network used in relation to TransUnion’s services; or
    • would disable TransUnion’s software, hardware, computer systems or network or impair in any way their operation based on the elapsing of a period of time, exceeding the authorised number of copies, advancement to particular date or numeral; or
    • would permit an unauthorised person to access TransUnion’s software, hardware, computer systems or network of and/or of third parties to cause a disruption, disablement, harm or impairment, or which contains any other similar harmful, malicious or hidden procedures, routines or mechanisms which would cause such programs to cease functioning; or that can cause damage to data, storage media, programs, equipment or communications, or otherwise interfere with the operations thereof.

CONSENTS

The Applicable Party -

  1. shall ensure that prior to submitting to and/or requesting any information from TransUnion (whether directly or via a TransUnion channel partner or TransUnion reseller) it shall have validly obtained all consents (whether from natural or juristic persons – as applicable) that may be required in terms of the NCA or any other applicable Laws to submit, request and/or receive such information;

  2. shall obtain upfront, written, express, ongoing and lawfully valid consent in respect of any requests for TransUnion to provide monitoring and account management services; and

  3. shall retain and store all consents obtained and be able to make same available to TransUnion without delay if ever requested.

SUBMISSION OF DATA TO TRANSUNION

  1. The Applicable Party shall ensure that any information requested from or submitted to TransUnion, whether directly or indirectly -

    • shall contain, in relation to a natural person, the minimum criteria as set out in Regulation 19(1) of the NCA; and
    • shall contain, in relation to a juristic person, the juristic person’s registered and trading name; registration number, registered address, physical and postal address.

  2. When submitting any information to TransUnion, whether directly or indirectly, the Applicable Party shall -

    • be lawfully entitled to submit such information to TransUnion;
    • ensure that all information reported to TransUnion is accurate, up-to-date, relevant, complete, valid and not duplicated;
    • submit only information which falls in the permitted categories set out in Regulation 18(6) of the NCA;
    • before submitting adverse credit information, (a) ensure that the minimum monthly or such other instalment payments have not been paid for a period of at least three consecutive billing cycles in accordance with Regulation 19(7) of the NCA; and give its customers twenty business days’ written notice, as required by Regulation 19(4), of its intention to submit adverse information regarding the customer before such information is submitted to TransUnion.

  3. The Applicable Party shall under no circumstances submit the following information to TransUnion –

    • information in respect of a debt that has prescribed in terms of the Prescription Act, No. 68 of 1969, including any information relating to the collection or re-activation of such debt;
    • duplicate listings –
    • listings in relation to SABC television licences, e-Tolls, road traffic fines;
    • cost orders;
    • disputed adverse credit information – that is a default listing relating to an outstanding amount that had been disputed by a person prior to the date of the submission of the disputed adverse information (i.e. where such dispute had not been resolved at the time of listing). For purposes of this obligation, “disputed” refers to any instance where it can be proven that a person had communicated to the Applicable Party an uncertainty around being liable for the whole or part of the relevant debt, whether or not through the institution of legal proceedings; and
    • information which the Applicable Party had already submitted to TransUnion in respect of a person, which information the person had successfully challenged in accordance with the information challenge process provided for in the NCA. For purposes of clarity, the Applicable Party shall not be entitled to modify the successfully challenged information in any way so as to resubmit same.

  4. Cheques marked “Returned to Drawer” may only be listed where the listing is on the grounds of insufficient funds.

  5. The Applicable Party will fully and timeously co-operate with TransUnion’s requests for credible evidence related to an adverse credit listing when that listing has been challenged as part of any information challenge process provided for in the NCA. Should an Applicable Party fail to respond to TransUnion within the legislated period set out in the NCA, the adverse listing in dispute will be permanently removed from the relevant person’s credit profile.

USE OF INFORMATION

  1. All information received as part of services provided by TransUnion shall:

    • be used by the Applicable Party solely and exclusively for a purpose permitted in terms of the NCA. The Applicable Party shall not, whether directly or indirectly, sell or use any such information for any commercial purpose; and
    • be for the Applicable Party's exclusive one-time use, which usage shall be strictly related to the lawful purpose for which the service is intended.

  2. The Applicable Party shall only access a person’s information for the purposes of assessing an employment application where that person has (a) consented to such access; AND (b) is being considered for a position that requires honesty in dealing with cash or finances, and where the job description of such position has been clearly outlined in the applicable contract of employment.

  3. In the event that TransUnion is entitled to procure and supply payslip and salary information, the Applicable Party -

    • acknowledges that payslip and salary information may only be requested and used for lawful purposes.
    • shall, where it has requested such information from TransUnion, have obtained the prior written consent necessary to authorise TransUnion to access and retrieve a person’s payslip and salary information (a) from the relevant payroll companies, or (b) from TransUnion, for any lawful purpose (as the case may be); and
    • shall not share, distribute, alter or disseminate the payslip and salary information received by it from TransUnion to any third party whatsoever.

  4. The Applicable Party acknowledges that the information supplied to it pursuant to a testing request will contain information that is regulated by Laws. This test data shall be used by the Applicable Party solely and exclusively for the purpose of the test and the Applicable Party shall not share the test data with or distribute that data to any third party. The Applicable Party shall not, whether directly or indirectly, use the test data for internal business or operational purposes or sell/use the test data for any purpose whatsoever. The Applicable Party shall destroy the test data upon completion of the testing exercise shall provide TransUnion with written confirmation of the destruction. The Applicable Party shall furthermore be able to evidence the destruction to TransUnion should TransUnion request such evidence.

PAYMENT PROFILE INFORMATION

  1. Payment Profile Information may be requested by an Applicable Party who is a SACRRA member or is entitled to such information in terms of Regulation 19(13) and the related NCR guideline; provided that all SACRRA rules and standard operating procedures and/or the provisions of Regulation 19(13), regulating the supply of that information, are complied with (as may be applicable in the circumstances).

  2. Where supplying Payment Profile Information, the Applicable Party shall ensure compliance with Regulation 19(13), including the related NCR guideline, and/or, to the extent applicable, the SACRRA data access protocols and data access standard operating procedures as published and updated by SACRRA from time to time.

REMOVAL OF ADVERSE LISTINGS

  1. To the extent required by the NCA, adverse credit information must be removed from a person’s credit profile if that person has paid up the debt associated with that listing. The Applicable Party shall provide TransUnion with details regarding settlement of any obligations under a credit agreement within seven days of settlement of such obligation.

  2. To the extent required by the NCA, judgments must be removed from a person’s credit profile if that person has settled the capital amount of the judgment. The Applicable Party shall upon settlement by the person of the capital amount of a judgment advise TransUnion within seven days of settlement of such obligation

  3. An Applicable Party shall only be entitled to remove a default listing if it is factually incorrect, related to fraud or a duplicate listing.

  4. The Applicable Party shall not, unless lawfully entitled to do so, take an upfront fee in order to remove adverse credit information from a person’s credit profile.

INFORMATION REQUESTED IN RESPECT OF JURISTIC PERSONS AND THEIR PRINCIPALS.

The Applicable Party acknowledges that in the event that it requests information in relation to any juristic person/s, the relevant report to be provided to it may contain information relating to that juristic person’s directors, senior leadership and/or key stakeholders in the business (“Principals”). The Applicable Party shall be (a) fully authorised, as required by all applicable Laws, to obtain the information in respect of the Principals; and (ii) in the event that it requests information relating to both juristic persons and their Principals, be fully compliant with the requirements as set out in Regulation 18(5) of the NCA. It shall furthermore have obtained all required consents for obtaining and having sight of information regarding the Principals.