If you’re an SME owner, credit manager, financial manager, or CFO in South Africa, the intersection of POPIA and debt collection is one you simply cannot afford to misunderstand. The Protection of Personal Information Act (POPIA) completely changed the rules around how debtor data is collected, stored, used, shared, and deleted — and the penalties for getting it wrong are eye-watering. We’re talking fines of up to R10 million, and in serious cases, imprisonment of up to 10 years.
This guide cuts through the legal jargon and tells you, in plain language, exactly what debt collectors are — and critically, are not — allowed to do with your debtors’ personal data in South Africa.
📋 Table of Contents
- The Short Answer: POPIA and Debt Collection in a Nutshell
- What Is POPIA and Why Does It Matter for Debt Collection?
- The 8 Conditions of POPIA Every Debt Collector Must Know
- What Debt Collectors ARE Allowed to Do With Debtor Data
- What Debt Collectors Are NOT Allowed to Do With Debtor Data
- The 2025 POPIA Amendment Regulations: What Changed?
- POPIA Penalties: What’s At Stake for Your Business
- 5 Troubleshooting Tips: Fixing Common POPIA Compliance Gaps
- Our Team’s Experience: What Compliant Debt Collection Actually Looks Like
- How POPIA Intersects With the Debt Collectors Act and the NCA
- Practical POPIA Compliance Checklist for SME Owners and Credit Managers
- Frequently Asked Questions
1. The Short Answer: POPIA and Debt Collection in a Nutshell
Under POPIA and debt collection law in South Africa, debt collectors may collect, store, and use a debtor’s personal information only for the specific purpose of recovering a legitimate, documented debt — and only with appropriate legal justification. They may not share that data with unauthorised third parties, use it for any unrelated purpose, contact a debtor at unreasonable hours, make threats, or retain the data longer than necessary. Non-compliance carries fines of up to R10 million and potential imprisonment.
That’s the executive summary. But the detail — and the practical compliance steps — is where the real value lies. So let’s dig in.
2. What Is POPIA and Why Does It Matter for Debt Collection?
POPIA — the Protection of Personal Information Act 4 of 2013 — is South Africa’s primary data privacy law. It came fully into force on 1 July 2021, and full compliance has been expected from that date. The Act governs how any person or organisation — including debt collection agencies, creditors, credit managers, and SMEs — may collect, process, store, share, and destroy personal information.
In the world of POPIA and debt collection, “personal information” is broad. It covers:
- Names, addresses, identity numbers, and contact details
- Financial information including bank account numbers, salary details, and credit history
- Employment information
- Online identifiers such as email addresses and IP addresses
- Health and biometric data (relevant in some collection contexts)
Every time your credit department sends a debtor file to an external debt collector, you are transferring personal information. Every time a collector emails, calls, or SMSes a debtor, they are processing personal data. Every time a debtor’s account is listed with a credit bureau, personal data is being shared. POPIA governs all of it.
“Protecting privacy is not optional — it is a legal requirement. And in the context of debt collection, non-compliance is not just an ethical failure; it is a direct business risk.” — Industry compliance commentary, South Africa 2025
For authoritative reference, the full text of POPIA is available at the South African Government website, and the Information Regulator — the body responsible for enforcing POPIA — can be found at the Information Regulator’s official website.
To understand how POPIA sits alongside other laws that govern debt recovery, read our in-depth article: Navigating the Legal Maze: Key South African Laws Governing B2B Debt Collection.
3. The 8 Conditions of POPIA Every Debt Collector Must Know
POPIA is structured around 8 conditions for lawful processing of personal information. In the context of POPIA and debt collection, every interaction with a debtor’s data must satisfy these conditions.
Think of them as the non-negotiable ground rules:
- Accountability — Someone in your organisation (or at your collection agency) must be formally responsible for POPIA compliance. This is your Information Officer.
- Processing Limitation — Data may only be collected for a specific, legitimate purpose. In debt collection, that purpose is recovering the outstanding amount — nothing more.
- Purpose Specification — You must tell the debtor why you are collecting their data when you collect it. You cannot use it later for a different purpose without fresh justification.
- Further Processing Limitation — Any further use of the data must be compatible with the original purpose. You cannot take a debtor’s email address obtained for collection purposes and add them to a marketing list.
- Information Quality — You must take reasonable steps to ensure the debtor’s information is accurate and up to date.
- Openness — You must maintain a PAIA (Promotion of Access to Information Act) manual and be transparent about your data processing practices.
- Security Safeguards — Personal data must be protected against loss, damage, and unauthorised access. This includes cybersecurity measures such as encryption.
- Data Subject Participation — Debtors have the right to access their own data, request corrections, and object to processing.
⚠️ Important: All 8 conditions apply simultaneously. You cannot be compliant with 7 and ignore the 8th. The Information Regulator is empowered to investigate any condition independently.
4. What Debt Collectors ARE Allowed to Do With Debtor Data
Let’s be clear about what is lawful when it comes to POPIA and debt collection. A legitimate, registered debt collector operating under the Debt Collectors Act 114 of 1998 may lawfully:
- Collect and process personal information for the purpose of recovering a documented, legitimate debt — provided a legal basis for processing exists (such as a contractual obligation or a legitimate interest).
- Retain debtor information for as long as is reasonably necessary to pursue the collection and to maintain records required by law or for legal proceedings.
- Share debtor information with credit bureaus for the purpose of listing a default — this is a recognised, legitimate purpose under the National Credit Act and does not require the debtor’s consent, but notification may be required.
- Transfer a debtor file to attorneys or other authorised legal professionals for the purpose of commencing or continuing legal collection action — provided adequate data processing agreements are in place.
- Use contact details to communicate with debtors during reasonable hours, through reasonable channels, about the specific debt.
- Trace a debtor who has relocated or is uncontactable, through legitimate tracing channels — a recognised purpose under the NCA’s regulations.
- Verify identity to confirm they are speaking with the correct debtor, using appropriate verification questions.
- Use technology and software to manage debtor data — provided that software is POPIA-compliant and the data is adequately secured.
The key principle: the processing must be proportionate, purposeful, and properly justified.
5. What Debt Collectors Are NOT Allowed to Do With Debtor Data
This is where most compliance failures happen.
When we talk about POPIA and debt collection, the prohibited conduct list is long — and some of it might surprise you:
- Share debtor data with unauthorised third parties — passing a debtor’s personal information to someone with no legitimate role in the collection process is a direct POPIA violation. This includes sharing data with the debtor’s employer without legal justification.
- Use debtor data for unrelated purposes — data obtained for debt collection cannot be repurposed for marketing, research, or any other secondary use without fresh consent or a separate legal basis.
- Retain data indefinitely — once a debt is resolved, settled, or prescribed, the personal data must be deleted or de-identified within a reasonable period, unless a legal obligation requires its retention.
- Contact debtors at unreasonable hours — POPIA intersects with the Debt Collectors Act’s Code of Conduct here. Calling at midnight or repeatedly throughout a weekend is both a POPIA issue (harassment) and an Act violation.
- Disclose a person’s debt to family members, neighbours, or colleagues without the debtor’s consent — this constitutes an unlawful disclosure of personal (financial) information.
- Threaten debtors with consequences that are not lawfully permissible — misrepresenting legal consequences is a breach of the Debt Collectors Act and may constitute unlawful processing under POPIA.
- Use deceptive tactics to obtain debtor contact details — pretending to be an employer, lawyer, or acquaintance to extract contact information is a POPIA violation.
- Transfer debtor data across borders without ensuring the recipient country offers adequate data protection, or without the debtor’s consent or a recognised adequacy mechanism.
- Ignore a debtor’s objection to direct marketing processing — if a debtor objects to being contacted for marketing purposes (as distinct from the collection itself), that objection must be respected.
- Store debtor data insecurely — unencrypted spreadsheets emailed around the office, unprotected cloud folders, or unlocked filing cabinets are all POPIA risks.
“One of the most common violations we see in the industry is the sharing of debtor lists between agencies or the selling of debtor data without appropriate authorisation. This is not a grey area — it is illegal under POPIA and exposes every party in the chain to liability.” — Kredcor Compliance Team
Understanding what is and isn’t ethical in debt collection practice goes hand-in-hand with POPIA compliance. Read more in our article: The Importance of Ethical Debt Collection in South Africa.
6. The 2025 POPIA Amendment Regulations: What Changed?
On 17 April 2025, the Information Regulator published the POPIA Amendment Regulations 2025 in the Government Gazette (GG52523 No6126). These amendments took immediate effect and introduced several important changes that directly affect POPIA and debt collection practice in South Africa:
Key Changes for Debt Collectors and Creditors:
- Objection rights strengthened: Debtors (data subjects) now have a stronger, more accessible right to object to the processing of their personal data. Responsible parties — including debt collectors — must now ensure that objections can be submitted free of charge and through a wide range of accessible channels, including email, WhatsApp, SMS, post, and fax.
- Information Officers have new responsibilities: The amendments introduce expanded duties for Information Officers, meaning the person in your organisation designated to manage POPIA compliance has more formal obligations.
- Instalment payments for administrative fines: The Regulator can now allow fines to be paid in instalments — which, while a relief to some, signals that enforcement and collection of fines is being taken more seriously.
- Consent for direct marketing simplified but tightened: Obtaining consent for direct marketing has been simplified procedurally, but the threshold for valid consent has been tightened. Collected business contact details cannot be assumed to constitute marketing consent.
- Clearer complaint definitions: The amendments add definitions for “complainant,” “complaint,” and procedural timelines, making it easier for debtors (and your own clients) to formally complain to the Regulator about misuse of their data.
What this means practically: If you are handing over debtor files to a collection agency, or if you are a collection agency receiving files, you need to check your data processing agreements and your debtor communication processes to ensure you meet the new objection-channel requirements. This is not optional.
7. POPIA Penalties: What’s At Stake for Your Business
The consequences of non-compliance with POPIA in the context of debt collection are severe enough to threaten the survival of an SME. The Information Regulator is actively enforcing the Act, and enforcement efforts are expected to intensify through 2025 and 2026.
| Type of Penalty | Maximum Sanction |
|---|---|
| Administrative fine (Regulator-imposed) | Up to R10 million |
| Criminal fine (court-imposed, serious offences) | Up to R10 million |
| Imprisonment (responsible individuals) | Up to 10 years |
| Civil claims by affected data subjects | Unlimited (damages-based) |
| Reputational damage and loss of client trust | Incalculable |
A notable real-world example: in 2021, Debt-IN Consultants, a South African debt recovery agency, suffered a major data breach in which cybercriminals accessed over 1.4 million personal records, including banking details and ID numbers. This breach became a landmark case study in the importance of security safeguards under POPIA and debt collection compliance.
The lesson is simple: the cost of compliance is always less than the cost of a breach — financial, legal, and reputational.
8. Five Troubleshooting Tips: Fixing Common POPIA Compliance Gaps
Our team at Kredcor has worked with SMEs, credit managers, and CFOs across South Africa for over 26 years. I’ve personally reviewed hundreds of client onboarding processes and debtor files. Here are the five most common POPIA compliance gaps we see — and how to fix them:
🔧 Troubleshooting Tip 1: “We don’t have a signed data processing agreement with our debt collector.”
The problem: When you hand your debtor file to a third-party collection agency, you are sharing personal data with an “operator” under POPIA. Without a written data processing agreement, you are exposed — even if the agency is the one that mishandles the data, you as the “responsible party” retain liability.
The fix: Before handing over any debtor file, ensure you have a signed, POPIA-compliant data processing agreement in place with your collection agency. This agreement must specify: the purpose of processing, the types of data involved, security requirements, and the procedure for data deletion on termination. Ask your collection agency for theirs — a reputable firm will have one ready.
🔧 Troubleshooting Tip 2: “Our credit application form doesn’t mention POPIA.”
The problem: Your credit application is the moment you first collect a business (and potentially a personal guarantor’s) information. If it doesn’t include a POPIA disclosure — explaining why you’re collecting the data, how it will be used, and who it may be shared with — you are collecting data without proper notice, which is a processing limitation violation.
The fix: Update your credit application to include a clear POPIA consent and disclosure clause. This should inform the applicant that their data may be shared with credit bureaus, tracing agents, and debt collection agencies in the event of non-payment. Have your attorney review it. At Kredcor, we can assist our clients in reviewing their credit applications as part of our complementary services.
🔧 Troubleshooting Tip 3: “We keep old debtor files forever — just in case.”
The problem: POPIA requires that personal information is retained only for as long as it is necessary for the original purpose, or as required by law. Keeping debtor files “just in case” beyond what is legally justified is a retention violation — and those old files, often poorly secured, are a data breach waiting to happen.
The fix: Implement a data retention schedule. For debt collection purposes, the relevant period is generally tied to the prescription period of the debt (3 years for most commercial debts under the Prescription Act) plus a reasonable buffer for any possible legal proceedings. After this period, files should be formally destroyed or de-identified in a documented process.
🔧 Troubleshooting Tip 4: “A debtor asked to see their data and we didn’t know what to do.”
The problem: Under POPIA, debtors have the right to request access to the personal information you hold about them. Ignoring or delaying this request without good reason is a violation. Since the 2025 amendments, objection and access channels must be free of charge and easily accessible.
The fix: Designate an Information Officer and set up a simple internal procedure for handling data access requests. This should include: who receives the request, how the data is located, who reviews the response for compliance, and what the turnaround time is. The default timeframe under POPIA is 30 days.
🔧 Troubleshooting Tip 5: “Our debtor data lives in an unsecured shared folder / WhatsApp group / old email.”
The problem: This is the single most common — and most dangerous — POPIA and debt collection gap we encounter. Debtor lists being emailed in unencrypted spreadsheets, shared via WhatsApp groups with multiple recipients, or stored in unsecured cloud folders represent a massive data breach risk. The 2021 Debt-IN breach should be a cautionary tale for every South African business handling debtor data.
The fix: Implement minimum-viable data security for debtor information: password-protect Excel files containing personal data; use encrypted file transfer when sharing with collection agencies; restrict access to debtor data to only those who need it; and ensure your IT provider has documented what security measures are in place. The test is simple — ask yourself: “If this file were accessed by a criminal, what damage would result?” If the answer is “significant,” your security is not sufficient.
9. Our Team’s Experience: What Compliant Debt Collection Actually Looks Like
We tested various onboarding processes when we reviewed how client debtor data was being transferred to our team at Kredcor. What we found was sobering: a significant number of clients were sending debtor files via unencrypted email, often with no data processing agreement in place, and with personal data fields that went well beyond what was needed for the collection purpose — sometimes including health information, family details, or salary specifics that had no bearing on the debt.
Our team’s experience over more than 26 years of compliant B2B debt collection in South Africa has taught us that POPIA and debt collection compliance is not a once-off tick-box exercise. It is a living, ongoing process that requires:
- Regular staff training on data handling protocols
- Documented data processing agreements with every third-party partner
- Periodic reviews of what data is being collected, retained, and why
- A clear, tested incident response plan in case of a data breach
- An Information Officer who is genuinely empowered — not just a title on paper
We found that businesses that treat POPIA compliance as a business advantage — not a burden — actually collect debt more effectively. Why? Because compliant, professional conduct builds the kind of firm but respectful debtor relationships that lead to payment arrangements and settlements, rather than escalation and legal costs.
“I tested a debtor contact process that was not POPIA-compliant. The debtor immediately raised the issue, refused further contact, and the matter became far more costly to resolve. Compliance is not just about avoiding fines — it’s about outcomes.” — Adriaan Louw, Kredcor Gauteng
10. How POPIA Intersects With the Debt Collectors Act and the NCA
POPIA and debt collection do not operate in a vacuum. POPIA sits alongside — and in some cases overlaps with — several other key pieces of legislation that govern debt recovery in South Africa:
The Debt Collectors Act 114 of 1998
The Debt Collectors Act regulates who may collect debt, how they must register with the Council for Debt Collectors, and what conduct is permissible. Its Code of Conduct addresses issues such as contact hours, prohibited communications, and the requirement for honest representation. Many of the Act’s conduct requirements mirror POPIA’s processing limitation and information quality conditions — so a debt collector who violates the Act is often also violating POPIA. Read our full breakdown: The Debt Collectors Act Explained: Your Essential, No-Nonsense Guide.
The National Credit Act 34 of 2005 (NCA)
The NCA governs consumer credit agreements and mandates specific processes — including the Section 129 notice — before legal action can be taken. The NCA also governs credit bureau listings, which involve the sharing of personal data with third parties. POPIA requires that such sharing has a lawful basis, which the NCA provides — but only where the correct NCA procedures have been followed first.
The Prescription Act 68 of 1969
A debt that has prescribed (typically after three years without acknowledgement or payment) cannot lawfully be pursued. Holding personal data for the purpose of collecting a prescribed debt has no valid legal basis under POPIA — making such data retention a potential POPIA violation.
The key takeaway for SME owners and credit managers: these laws are designed to work together. Non-compliance with one often implies non-compliance with another, which compounds your exposure significantly.
11. Practical POPIA Compliance Checklist for SME Owners and Credit Managers
Use this checklist to do a quick audit of your current POPIA and debt collection compliance position:
- We have appointed a formally designated Information Officer
- Our credit application includes a clear POPIA disclosure and consent clause
- We have signed data processing agreements with all third-party debt collectors and credit bureaus
- Debtor data is transmitted securely (encrypted, not via unprotected email or WhatsApp)
- We have a documented data retention schedule — debtor files are not kept indefinitely
- We can respond to a debtor’s data access request within 30 days
- Our debt collection agency is registered with the Council for Debt Collectors
- We have a documented data breach response plan
- Staff who handle debtor data have received POPIA training in the last 12 months
- We do not use debtor contact details obtained for collection purposes for any other purpose
- We have updated our processes to comply with the April 2025 POPIA Amendment Regulations
💡 Pro Tip: If you ticked fewer than 8 of these boxes, your POPIA and debt collection compliance position needs attention — before the Information Regulator’s attention finds you first.
Working With Compliant Debt Collectors in South Africa
Choosing the right debt collection partner is one of the most important compliance decisions your business can make. When you hand over a debtor file, your POPIA obligations don’t end — they transfer, with residual liability remaining on your side. This makes it essential to work only with registered, audited, and genuinely compliant debt collectors in South Africa.
At Kredcor, we have maintained an unblemished 26-year record with both the Council for Debt Collectors and the Association of Debt Recovery Agents (ADRA). Our data handling practices are fully POPIA-compliant, our data processing agreements are in place with every client, and our team is trained and retrained on evolving compliance requirements. When you work with Kredcor, your debtor data is in safe, legal, and professional hands.
For more expert, actionable content on debt collection, credit management, and compliance in South Africa, we invite you to explore our full library of resources at Kredcor Articles — your go-to destination for practical, up-to-date guidance on every aspect of B2B debt recovery.
❓ Frequently Asked Questions: POPIA and Debt Collection
Q1: Can a debt collector share my debtor’s personal information with a credit bureau without their consent?
A: Yes, in most cases — but only if the correct procedures are followed. Listing a default with a credit bureau is a recognised lawful purpose under the National Credit Act, which provides the legal basis under POPIA. However, the debtor must typically have been given prior notice (for example, through a Section 129 notice for consumer credit), and the data shared must be accurate, relevant, and not excessive. Sharing inaccurate or inflated information is both an NCA violation and a POPIA violation (breaching the information quality condition). It is unlawful for unregistered collectors to share debtor data with bureaus without proper authority.
Q2: What happens if a debtor requests that a debt collector stop contacting them — does POPIA support this?
A: This is a nuanced area. Under POPIA’s direct marketing provisions, a data subject can object to their data being used for direct marketing, and that objection must be respected immediately and free of charge (reinforced by the 2025 POPIA amendments). However, a debt collector communicating with a debtor for the specific purpose of recovering a legitimate, documented debt is not typically engaging in “direct marketing” — they have a separate legal basis (legitimate interest or contractual obligation).
A request to “stop contacting me” in a collection context does not automatically extinguish the debt, nor does it necessarily remove the collector’s right to communicate. What it does do is raise the bar: communication must be strictly proportionate, through appropriate channels, and at reasonable times. If a debtor disputes the debt, that is a separate legal process with different implications.
Q3: As an SME owner, am I liable if my debt collector misuses debtor data?
A: Potentially, yes. Under POPIA, the “responsible party” — the entity that determines why and how personal data is processed — retains accountability even when they use an “operator” (a third-party processor, such as a collection agency) to process that data on their behalf. If your collection agency has a data breach or misuses debtor data, and you do not have a proper written data processing agreement in place, you may share in the liability. This is why choosing a POPIA-compliant, registered collection agency and having a signed processing agreement is not just good practice — it is your legal protection.
Q4: How long can a debt collector legally hold onto a debtor’s personal information?
A: POPIA requires that personal data is kept only for as long as it is necessary for the original purpose, or as required by a legal obligation. In the context of debt collection, the relevant benchmark is typically the prescription period for the debt — three years for most commercial debts under the Prescription Act — plus a reasonable buffer for any potential legal proceedings or appeals. Once the debt is resolved, settled, or prescribed, and there is no ongoing legal obligation to retain the records, the personal data should be formally deleted or de-identified. There is no lawful basis under POPIA and debt collection law to retain debtor data indefinitely “just in case.”
Would you like to read some client testimonials, or are you ready to contact us now?
By Kredcor — South Africa’s Commercial Debt Recovery Partners | Registered with the Council for Debt Collectors (Reg Nr 0016365/06) | 26+ Years of Compliant Collections
Updated: March 2026 | Reading time: approximately 12 minutes
