South Africa Privacy Centre

Introduction
 

This privacy notice explains how we use and share personal information in our credit bureau business.

TransUnion Credit Bureau (Pty) Limited ("TransUnion") is a registered credit bureau. We strive to ensure your privacy is protected. This Privacy Policy outlines how we collect, use, process, disclose, transfer and retain your personal information.

We comply with the National Credit Act, 2005 (No.34 of 2005) ("NCA"), the Protection of Personal Information Act, 2013 (No. 4 of 2013) ("POPIA"), and the principles outlined in Sections 50 and 51 of the Electronic Communications and Transactions Act, 2002 (No.25 of 2002) governing your right to keep your personal information private.

In this Privacy Policy, "Consumer Credit Information" means consumer credit information defined in Section 70 of the NCA.

You can find more detailed information at the TransUnion Privacy Centre or in other privacy information you may have received.
 

In Brief
 

TransUnion strives to protect privacy as we collect, use, process, disclose, transfer and retain personal information.

If your personal information is used unlawfully or infringes on your privacy, you have the right to object.

This notice covers the following topics:

1. Who we are and how to contact us
2. How we use personal data
3. The kinds of personal data we use and where we get personal data
4. How long we keep personal data
5. Our legal basis for handling personal data
6. Who we share personal data with
7. Where we store and send personal data
8. Your rights concerning your personal data
9. Where to lodge a complaint

1.  Who we are and how to contact us
 

Information for Good^®
 

We are in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. But the currency of personal information that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible. We do this by curating an accurate and comprehensive picture of each consumer so they are safely and reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good.

We are a group of companies with registered offices at TransUnion, 10th Floor, 11 Alice Lane, Sandton, Johannesburg, 2196.  Although we are part of a larger group, this notice covers only the activities of TransUnion companies within the Republic of South Africa.

Contact details

Contact us about personal information issues, including the contents of this notice via:

• Post: PO Box 4522 Johannesburg 2000
• Telephone:   Contact Centre: 0861 482 482
• Email: TUAPrivacy@transunion.com

Please refer to our Customer Service Privacy Notice for information on how we handle your personal information with complaints and enquiries.
 

2.  How we use personal information
 

TransUnion limits the use and disclosure of personal information to the terms of the National Credit Act 34 of 2005 (NCA), Protection of Personal Information Act 4 of 2013 (POPIA) or any other applicable laws.

Many of our products and services rely on personal information. For example:

Credit reporting: TransUnion compiles consumer credit information in credit reports from applications to (for example) credit providers or services providers for credit or services.

Credit services:  We may provide your information to organisations you deal with directly, such as credit risk assessors.

Example: credit risk assessment

If you apply for credit from one of our clients, they send us your data so we can find you in our databases and reply with information about your credit history. They use that information to assess your creditworthiness.

Fraud detection services: We may provide personal information to organisations other than those you deal with directly.

Example: fraud alerts

If we receive numerous identity verification checks against an individual in a short space of time, this could indicate someone is attempting identity theft or another form of fraud. In this case, we provide real-time fraud alerts to clients subscribed to that service.

If you have provided your details to an organisation to confirm your identity, we may retain those details and link them to other details we hold about you. Then, if a fraudster tries to use your details to apply for credit with a different organisation, we can raise a potential fraud alert.

Development and testing:  We sometimes use personal information to improve, develop, monitor, maintain and test our products, systems and security measures. Where possible, we create pseudonyms or make the data anonymous beforehand.

Legal and regulatory: We may use your personal information when responding to complaints or enquiries from you or a regulator about how we’ve used your personal information.
 

3.  The kinds of personal information we use and where we get personal information
 

Information in your credit report includes:

• Identifying information, such as first name, surname, ID number, physical and postal address, contact numbers, marital status, spouse details, and current employer and occupation
• An account history or payment profile is a 24-month record of all your accounts with credit or service providers and a history of how you pay these accounts
• Enquiries include a list of credit or service providers allowed by you or permitted in terms of the NCA to receive your credit report
• Public records include publicly available information as permitted by law, such as judgements, administration orders, sequestrations and rehabilitation
• Default data is a record of any failure to pay money owed
• Other includes any information permitted under the NCA
   

Information not included in your credit report:

• Race, creed, colour, ancestry, ethnicity, religion, sexual orientation or political affiliations
• Medical history or status
• Major purchases paid in full with cash or cheques
   

Sources for information

We may collect your personal information, or obtain information originating from the following sources:

• An organ of state, a court or judicial officer
• Any person who supplies goods, services or utilities to consumers
• A person providing long-term and short-term insurance
• Entities involved in fraud investigation
• Educational institutions
• Debt collectors to whom a credit provider ceded or sold book debt
• Other registered credit bureaus
   

The information we need

To verify information, credit providers need to include:

• Your initials or full name and surname
• Your South African identity number (if you have one) or your passport number and date of birth. Without this information, they cannot lawfully grant credit.

Any further information requested by credit providers must be necessary and relevant to your application. No law forces you to give information, but a credit provider cannot consider your credit application if you do not provide the information required.

4.  How long we keep personal information

Simply put, we keep personal information for as long as necessary. More technically, we retain it to fulfil the purpose(s) of its provision, to comply with applicable laws, and for as long as your consent to such purpose(s) remains valid after termination of our relationship.

The Regulations to the NCA require we use various categories of information only for the maximum periods prescribed for credit scoring or credit assessment.

We keep specific data indefinitely to verify the integrity of the information we may need to process in the future. We store this information securely and do not use it for any other purpose.

5.  Our legal basis for handling personal information

Required by the NCA

The Protection of Personal Information Act (POPIA) allows personal information usage where necessary for legitimate purposes without undue adverse impact. We base most of our processing of activities on the requirements placed on us by the NCA.  For more details, refer to the relevant privacy notices in the links above.

Consent

In most instances, consumer consent to use personal information comes to TransUnion via our clients and data suppliers.

You need to agree on who can use your personal information and how. To do this, persons and organisations who have your information must notify you they have your data and how they plan to use it.

We strive to ensure our clients and data suppliers honour their contractual obligation to get all legally required consents before accessing personal information in our credit reports.

Contracts

If you sign up for one of our online services, we need to use personal information to provide the services as set out in the Terms & Conditions. We also use this basis for processing some of our staff data. Refer to the privacy notice on the relevant website for details.

Compliance

We only access, use and disclose personal information without consent in exceptional circumstances where necessary to:

• Comply with the law or a legal process served on us
• Comply with requests for information from police or government authorities
• Protect and defend our rights or property (including the enforcement of agreements)
• Protect the public interest
• Act in urgent circumstances to protect the personal safety of our employees or members of the public
   

6.  Who we share personal information with
 

Our clients and reseller bureaus

We share personal information with our clients for the purposes described above. Our clients have privacy notices providing details on how they use the data we supply.

These clients typically operate in the following sectors:

• Financial services (including banks, loans, credit cards, mortgages, pensions, and investments and savings providers)
• Insurance
• Retail (including car sales/leasing and online retailers)
• Telecommunications
• Marketing agencies acting for other organisations
• Auto dealers
• Commercial
• Collections

If our clients appoint an intermediary to act on their behalf, they too will receive the data.

Our group of companies

As stated, we share personal information among TransUnion RSA companies where appropriate. We have set out a list of current such companies below.

Service providers

Our clients and we might provide information to third parties that help us achieve the purposes described above. For example:

• Cloud-based services, such as Salesforce, help host, manage and analyse our databases.
• Cloud-based technologies, such as Microsoft Office 365, support our ordinary business operations.
• Printing companies to produce and send direct mail or other correspondence.
• Payment service providers to help with payments made by individuals.
• Market research companies to help us better understand our customers.
• A specialist sub-contractor operates our CCTV system.
• Services Providers that assists us with providing our services to you.

These service providers cannot use your information for their purposes or on behalf of other organisations unless you agree otherwise.
 

7.  Where we store and send personal information
 

We sometimes make use of Service Providers that are situated outside of South Africa, e.g. India, UK and US.  We will not transfer personal information to a country lacking laws that provide an adequate level of information protection — unless we have an agreement with the recipient requiring measures that offer a similar level of protection as POPIA in South Africa.
 

8.  How the personal information is used
 

We provide data and analytics that help our clients make decisions about lending and other matters, but their data, knowledge, processes and practices play a significant role in those decisions.

For example, when we sell our services to credit or loan providers, we do not decide whether they should grant you credit or a loan — this is for the lender to decide.
 

9.  Your rights concerning personal information
 

We outline your rights regarding the personal information we hold about you below.

Access: You can access all information that we hold about you by contacting us through TUAPrivacy@transunion.com

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, you have a right to ask us to correct it or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal information unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal information for direct marketing, and if you do, we will stop.

10.  Where to lodge a complaint
 

We strive to deliver the highest levels of customer service. However, if you are ever unhappy with us, please contact us so we can investigate.

• Location: 10^th Floor, 11 Alice Lane, Sandton, 2196
• Postal Address: PO Box 4522, Johannesburg, 2000
• Telephone: 0861 482 482

You can also contact our Information Officer or Deputy Information Officer at TUAPrivacy@transunion.com

You may complain to the Information Regulator:

• Physical Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg
• Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
• Email: POPIAComplaints@inforegulator.org.za.
• Site: www.inforegulator.org.za