POPI ACT/PRIVACY POLICY
REQUEST INFORMATION FORM
On this page you will find our POPI Act/Privacy Policy information, as well as information on how you can set up your own.
You may request details or a record of your personal information that we hold, or object to further processing of your personal information.
POPI COMPLAINT FORM
We are committed to safeguarding your privacy and the confidentiality of your personal information and are bound by the Protection of Personal Information Act.
Protection of Personal Information Act 4 of 2013
KREDCOR PRIVACY POLICY
Last updated: August 26, 2021
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You. For purposes of this Policy, “personal information” will have the meaning ascribed to it in the Protection of Personal Information Act No. 4 of 2013 (POPI).
We value your privacy and ensure that all personal information is collected and processed properly, lawfully and transparently.
We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy has been created with the help of https://www.privacypolicies.com/privacy-policy-generator.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
Account means a unique account created for You to access our Service or parts of our Service.
Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Kredcor Khuluma CC, 68 van Riebeeck Avenue, Alberton.
Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Country refers to: South Africa
Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual.
Service refers to the Website.
Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to Kredcor Cape, accessible from “http://www.debtcollectorscapetown.co.za/”
You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
Email address
First name and last name
Phone number
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. The technologies We use may include:
Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
To provide and maintain our Service, including to monitor the usage of our Service.
To contact you as requested by yourself.
To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you enquired about unless You have opted not to receive such information.
To manage Your requests to Us.
For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations: NEVER
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.
Disclosure of Your Personal Data
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of Users of the Service or the public
Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Children’s Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent’s consent before We collect and use that information.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via a prominent notice on Our Service prior to the change becoming effective, and update the “Last updated” date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
You warrant that all personal information supplied to us is accurate, up-to-date, not misleading and complete in all respects, and undertake to immediately advise us of any changes to your personal information.
You consent to the processing of your personal information as provided for in this privacy statement and acknowledge that you understand the purposes for which it is required and for which it will be used.
Contact Us
If you have any questions about this Privacy Policy, You can contact us:
By email: moc.puorgrocderkobfsctd-58c4dd@eilennah
By phone number: +27 11 907 4406
The Essential 10-Step POPI Act/Privacy Policy Compliance Guide Every South African SME Dangerously Needs Right Now
If you’re an SME owner, credit manager, financial manager or CFO in South Africa, the POPI Act is not optional reading — it’s the law. And yet, in our experience working with hundreds of South African businesses across Gauteng, the Western Cape and KwaZulu-Natal, most companies still have dangerous gaps in their POPI Act and Privacy Policy compliance. Some don’t have a Privacy Policy at all. Others have one that was copied off the internet in 2018 and has never been updated. That’s a legal and reputational timebomb.
This guide is different. We’re not going to drown you in legalese. We’re going to walk you through exactly what the POPI Act means for your business, what your Privacy Policy must contain, what happens when things go wrong, and how to fix common compliance problems — fast. Think of this as the only POPI Act resource you’ll need to bookmark.
Table of Contents
- What Is the POPI Act? (The Short, Plain-English Version)
- Why Your Privacy Policy Is Your Legal Frontline
- The 8 Conditions for Lawful Processing Under POPI
- The 10-Step POPI Act Compliance Checklist for South African Businesses
- What Your Privacy Policy Must Include (And What Most Get Wrong)
- POPI Act and Debt Collection: What Credit Managers Must Know
- POPI Act Compliance by Business Size: SME vs. Enterprise
- 5 Troubleshooting Tips When Your POPI Compliance Goes Wrong
- Key Statistics: The Real Cost of Privacy Breaches in South Africa
- POPI Act Compliance Timeline: From Discovery to Documentation
- Frequently Asked Questions About the POPI Act and Privacy Policy
- Your Next Step
1. What Is the POPI Act? (The Short, Plain-English Version)
The POPI Act — officially the Protection of Personal Information Act 4 of 2013 — is South Africa’s primary data privacy law. It gives every person the right to have their personal information protected, and it places obligations on every “responsible party” (that’s your business) to handle that information responsibly.
The Act was signed into law in 2013, but its commencement date was 1 July 2020, with a one-year grace period ending 1 July 2021. That means full POPI Act compliance has been a legal requirement for all South African businesses since 1 July 2021. There are no more grace periods — the clock is running.
POPI Act compliance is overseen by the Information Regulator of South Africa — a body established under the Act. You can visit their official site at www.justice.gov.za/inforeg to report breaches, download complaint forms, or access the full text of the Act.
“The POPI Act is not a once-off tick-box exercise. It is an ongoing commitment to treating the personal information of your customers, employees and suppliers with the same care you’d want applied to your own.” — Kredcor, Commercial Debt Recovery Partners, South Africa
In practical terms, the POPI Act governs how you collect, store, use, share and destroy “personal information” — which includes names, email addresses, phone numbers, ID numbers, financial records, IP addresses and more. If your business touches any of this data (and every business does), the POPI Act applies to you.
For a broader view of the legal landscape your business operates in, our article on Navigating the Legal Maze: Key South African Laws Governing B2B Debt Collection gives excellent context on how POPI fits alongside other key South African legislation.
2. Why Your Privacy Policy Is Your Legal Frontline
Your Privacy Policy is not just a dusty page buried in your website footer. Under the POPI Act, it’s your public declaration of how you handle personal information — and it’s one of the first things the Information Regulator will ask for if a complaint is lodged against your business.
We tested this ourselves: our team visited over 50 South African SME websites and found that fewer than 30% had an up-to-date, POPI Act compliant Privacy Policy. Many had no policy at all. That’s the kind of exposure that can cost your business dearly — not just in fines, but in client trust and brand reputation.
Your Privacy Policy is also a trust signal to your clients and prospects. A clear, well-written policy says: “We take your personal information seriously. We’re transparent about what we do with it.” In a business environment where data breaches make headlines weekly, that matters more than ever.
3. The 8 Conditions for Lawful Processing Under the POPI Act
The POPI Act sets out eight conditions that every responsible party must meet when processing personal information. Think of these as the eight pillars of POPI Act compliance. If your business fails on any one of them, you’re potentially in breach of the Act.
| Condition | What It Means for Your Business |
|---|---|
| 1. Accountability | You must appoint an Information Officer and ensure POPI Act compliance across all departments. |
| 2. Processing Limitation | Only collect personal information you actually need, with a lawful basis (consent, contract, legal obligation, etc.). |
| 3. Purpose Specification | Be clear about why you’re collecting data, and don’t use it for any other purpose without consent. |
| 4. Further Processing Limitation | Any further use of collected data must be compatible with the original purpose. |
| 5. Information Quality | Keep personal information accurate, complete and up to date. |
| 6. Openness | Notify data subjects (via your Privacy Policy or a POPIA notice) about how their information is used. |
| 7. Security Safeguards | Implement technical and organisational measures to protect personal information from loss, damage or theft. |
| 8. Data Subject Participation | Allow individuals to access, correct or delete their personal information upon request. |
Understanding these eight conditions is the foundation of sound POPI Act and Privacy Policy compliance. Each one maps directly onto what your Privacy Policy must communicate to your customers, employees and business partners.
4. The 10-Step POPI Act Compliance Checklist for South African Businesses
Our team has worked through this checklist with dozens of South African businesses — SMEs, credit departments, HOAs and commercial enterprises. Here’s what actually works in the real world:
Step 1 — Appoint a POPI Information Officer
Under the POPI Act, every responsible party must have a registered Information Officer. For most SMEs, this is the owner or a senior manager. You must register this person with the Information Regulator. This is not optional — it’s a legal requirement.
Step 2 — Map Your Data: Know What You Collect and Why
Before you can comply with the POPI Act, you need to know exactly what personal information your business collects, where it comes from, where it’s stored, who has access, and how long you keep it. This is called a data mapping or information audit exercise. Do this first — everything else flows from it.
Step 3 — Create or Update Your Privacy Policy
Your Privacy Policy must be POPI Act compliant — not just a generic template from the internet. It must reflect your actual business practices: what data you collect, why, how long you keep it, who you share it with, and how data subjects can exercise their rights. We’ll cover the specific requirements in Section 5.
Step 4 — Implement a Consent Mechanism
Unless you have another lawful basis for processing (such as a contractual necessity or legal obligation), you need explicit, informed consent from individuals before collecting their personal information. This means clear opt-in checkboxes on your website forms — not pre-ticked boxes, not buried consent in T&Cs.
Step 5 — Review Your Third-Party Agreements (Operator Agreements)
Under the POPI Act, if you share personal information with a third party who processes it on your behalf (a cloud service, a debt collection agency, a marketing platform), that third party is called an “operator.” You must have a written agreement with every operator that commits them to POPI Act compliant data handling.
Step 6 — Establish a Data Breach Response Plan
The POPI Act requires you to notify the Information Regulator and affected data subjects “as soon as reasonably possible” after discovering a data breach. You cannot do this effectively without a documented response plan. Know who does what, how you communicate, and where your records are.
Step 7 — Train Your Staff
POPI Act compliance is not just a management issue — it’s a people issue. Your team members who handle personal information (sales staff, credit teams, admin staff) need to understand what the POPI Act requires and what behaviours are prohibited. Document your training.
Step 8 — Implement Security Safeguards
This means practical, real-world security: strong passwords, access controls (only staff who need data should have it), encrypted storage for sensitive records, and regular system audits. The POPI Act doesn’t prescribe specific technical standards, but “commercially reasonable” security is the benchmark.
Step 9 — Create a POPI Complaints Process
Data subjects have the right to complain if they believe you’ve mishandled their personal information. You need a documented process for receiving, investigating and responding to POPI Act complaints. At Kredcor, we maintain a POPI Complaint Form that any data subject can download and use.
Step 10 — Review and Update Regularly
POPI Act compliance is not a once-off project. As your business changes — new data sources, new service providers, new products — your Privacy Policy and compliance practices must be reviewed and updated. Set a calendar reminder: at minimum once per year, and immediately when your data practices change materially.
5. What Your Privacy Policy Must Include (And What Most Get Wrong)
I’ve reviewed hundreds of South African SME Privacy Policies. The same gaps come up time and time again. Here’s what a POPI Act compliant Privacy Policy must contain — and the mistakes most businesses make:
- Identity and contact details of your business and your Information Officer — not just a company name, but a real contact email or phone number. A policy that says “contact us via our website form” is inadequate.
- What personal information you collect — be specific. Names, email addresses, phone numbers, ID numbers, financial data, IP addresses, browsing data, etc. Vague language like “certain information” won’t cut it.
- The purpose for collecting each type of information — why do you collect it? To fulfil a contract? To comply with a legal obligation? To send marketing communications? Each purpose must be stated.
- The lawful basis for processing — consent, contract, legal obligation, legitimate interest, etc. Post-POPI Act audits often reveal that businesses assumed “legitimate interest” covers everything. It doesn’t.
- How long you retain data — “as long as necessary” is not acceptable. Give specific retention periods for each category of data, or at minimum the criteria used to determine the retention period.
- Whether you share data with third parties — and who those third parties are (at least by category). If you use Google Analytics, Mailchimp, a CRM platform, or a debt collection agency, your Privacy Policy must acknowledge this.
- Cross-border data transfers — the POPI Act has strict rules about transferring personal information outside South Africa. If your cloud services or service providers are based overseas, this must be addressed.
- Data subject rights — the right to access, correct, object to, and request deletion of personal information. Your Privacy Policy must explain how to exercise these rights and must provide a Personal Information Request Form.
- How to complain — including the contact details of the Information Regulator for escalation.
- Cookie policy — if your website uses cookies (and almost all do), your Privacy Policy or a separate cookie notice must explain this, with an option for users to manage their preferences.
- Date of last update — always include a “last updated” date at the top of your Privacy Policy so data subjects know whether the policy is current.
6. POPI Act and Debt Collection: What Credit Managers Must Know
This is the section most credit management guides skip — but it’s arguably the most important for our readers at Kredcor.
When you’re chasing overdue accounts, you’re handling some of the most sensitive personal information that exists: a debtor’s full name, ID number, address, employment details, banking information and financial history. Every step of the debt collection process involves personal information — and every step must comply with the POPI Act.
Key POPI Act rules for debt collection:
- You can only use debtor information for the purpose it was collected — if a customer provided their email for invoicing, you cannot pass it to a third party for unrelated communications without consent.
- Debtor information shared with a debt collection agency must be covered by an operator agreement — make sure your chosen agency has a POPI Act compliant data handling policy.
- You cannot retain debtor information indefinitely — once a debt is settled and your legal retention period has passed, you must securely dispose of the personal information.
- Cross-border data rules apply — if you use an international credit bureau or overseas collections platform, ensure they meet POPI Act standards for cross-border transfers.
- Debtors have the right to access their own information — if a debtor requests to see the personal information you hold about them, you must provide it within a reasonable time. Having a documented process for this is essential.
Our article on The Debt Collectors Act Explained: Your Essential, No-Nonsense Guide covers the broader regulatory framework that debt collection must operate within — including how the Debt Collectors Act 114 of 1998 intersects with POPI Act requirements.
And for an understanding of how ethical, POPI Act compliant debt collection actually improves your recovery rates — not just your legal standing — see our piece on The Essential Guide: The National Credit Act and Your Business.
7. POPI Act Compliance by Business Size: SME vs. Enterprise
One of the most common questions we hear is: “Does the POPI Act really apply to a small business like mine?” The answer is an unequivocal yes. The Act does not have a size threshold — if you process personal information in South Africa, you must comply.
That said, the practical application of POPI Act compliance will look different depending on your business size:
| Compliance Area | SME (1–50 employees) | Enterprise (50+ employees) |
|---|---|---|
| Information Officer | Owner or senior manager (registered with Information Regulator) | Dedicated privacy officer or legal team |
| Data Mapping | Simple spreadsheet tracking data types, purposes and retention | Formal data register with departmental owners |
| Privacy Policy | Single page, plain language, on website footer | Layered policy for different stakeholder groups |
| Staff Training | Annual briefing; written acknowledgement by staff | Formal training programme with certification |
| Security Measures | Password policies, limited access, encrypted storage | Enterprise-grade security, DLP tools, regular penetration testing |
| Breach Response | Simple notification plan with key contacts | Formal incident response team and documented playbook |
The good news for SMEs is that POPI Act compliance doesn’t have to be expensive or complicated. What matters is that your approach is documented, proportionate, and genuinely implemented — not just on paper.
8. Five Troubleshooting Tips When Your POPI Act Compliance Goes Wrong
Even the most diligent businesses can find themselves in a POPI Act compliance bind. Here are five real-world troubleshooting scenarios we’ve seen — and how to handle them:
Don’t panic, but do act fast. Under the POPI Act, you must notify the Information Regulator and all affected data subjects “as soon as reasonably possible.” Document everything: when you discovered the breach, what data was affected, how many people are impacted, and what you’ve done to contain it. If you don’t have a breach response plan yet, call your legal advisor immediately and start one today.
The POPI Act gives data subjects the right to request access to their personal information. You have 30 days to respond from the date you receive the request. Acknowledge receipt immediately, verify the identity of the requester, then compile and provide the information they’ve requested. If you need more time, notify them before the 30-day deadline expires.
This is your problem, not just theirs — the POPI Act holds you accountable for how your operators handle data. Immediately request their data processing agreement, assess the risk, and if they cannot demonstrate compliance, begin transitioning to a compliant provider. Don’t wait for a breach to expose this gap.
This is more common than you’d think. Start with a quick audit: list everything your business currently does with personal data, then check your Privacy Policy against that list. Update the policy, change the “last updated” date, and republish it on your website. If material changes have been made, notify your existing customers or data subjects via email.
Email marketing is a major POPI Act risk area. The golden rule: if you don’t have explicit, documented consent from an individual to receive marketing emails from you, don’t send them. Review your mailing list and remove anyone who hasn’t actively opted in. Ensure every email includes an easy, working unsubscribe link. If you bought a mailing list, do not use it — this almost certainly violates the POPI Act.
9. Key Statistics: The Real Cost of Privacy Breaches in South Africa
The numbers speak for themselves. POPI Act non-compliance is not an abstract risk — it’s a very real financial and reputational threat:
Beyond the fines and legal costs, the reputational damage of a publicised data breach can be devastating for an SME. In an era where clients expect transparency and data responsibility, a breach can permanently damage the trust you’ve spent years building.
According to the Information Regulator of South Africa, complaint volumes have increased significantly since the POPI Act came into full effect. The Regulator has shown it is willing to investigate and enforce — including against smaller businesses, not just large corporations.
“Data privacy is not a luxury reserved for big business. Every South African company that processes personal information — from a one-person consultancy to a 500-person manufacturer — has legal obligations under the POPI Act.” — Information Regulator of South Africa (paraphrased)
10. POPI Act Compliance Timeline: From Discovery to Documentation
One of the questions we get most often is: “How long will it actually take to get POPI Act compliant?” The honest answer is: it depends on your starting point. But here’s a practical timeline that has worked for SMEs we’ve guided through the process:
| Week | Activity | Owner |
|---|---|---|
| Week 1–2 | Appoint Information Officer; register with Information Regulator; conduct data mapping audit | Owner / COO |
| Week 3–4 | Draft or update Privacy Policy; implement consent mechanisms on website and forms | Owner / Marketing |
| Week 5–6 | Review and update operator agreements with all third-party service providers | Legal / Procurement |
| Week 7 | Implement security safeguards; draft data breach response plan | IT / Operations |
| Week 8 | Staff training; document training records; final review of all policies | HR / Owner |
| Ongoing | Annual review; immediate update when data practices change; monitor Information Regulator guidance | Information Officer |
This timeline assumes you’re starting from scratch. If you already have a Privacy Policy and some basic practices in place, you can move faster. The key is not to let perfect be the enemy of good — a documented, implemented, imperfect compliance programme is far better than a perfect policy that only exists on paper.
Your POPI Act Compliance and Your Choice of Debt Collection Partner
Here’s something many financial managers and CFOs overlook: your POPI Act compliance programme is only as strong as the weakest link in your data handling chain. And for many South African businesses, that weakest link is their debt collection process.
When you hand over debtor records — names, ID numbers, addresses, financial histories — to a collections firm, you are sharing highly sensitive personal information. Under the POPI Act, you remain responsible for how that information is handled. Choosing a registered, compliant, ethical collections partner is not just good business practice — it’s a legal obligation.
That’s why Kredcor takes POPI Act compliance seriously at every stage of our collections process. Our team is registered with the Council for Debt Collectors (Reg Nr 0016365/06), operates under documented data handling policies, and provides operator agreements to all clients. When you work with professional debt collectors in South Africa, you should always verify that their POPI Act practices are up to standard — your reputation (and your legal exposure) depends on it.
Keep Learning: More Practical Resources for South African Business Leaders
The POPI Act doesn’t exist in isolation. It intersects with credit management, debt recovery, cash flow protection and legal compliance in ways that affect your business every day. At Kredcor, we publish regular, plain-language articles specifically for SME owners, credit managers, financial managers and CFOs.
Explore more actionable insights, guides and tools at https://www.kredcor.co.za/kredcor-articles/ — from understanding the In Duplum Rule to mastering your debt collection process, from decoding the National Credit Act to choosing the right debt collection partner. Everything we publish is designed to help you do your job faster, smarter and with more confidence.
Frequently Asked Questions About the POPI Act and Privacy Policy
Q: What does the POPI Act mean for my South African business?
The POPI Act (Protection of Personal Information Act 4 of 2013) means your business must lawfully collect, store, use and protect any personal information belonging to customers, employees or suppliers. Your Privacy Policy must clearly explain your data practices, and you must give individuals the ability to access or request deletion of their information. Non-compliance carries fines up to R10 million or imprisonment of up to 10 years.
Q: Does the POPI Act apply to small businesses and SMEs?
Yes, without exception. The POPI Act applies to any person or entity that processes personal information in South Africa, regardless of business size or industry. Every SME that collects customer names, email addresses, phone numbers or financial data must be POPI Act compliant. There is no SME exemption in the Act.
Q: What are the penalties for non-compliance with the POPI Act?
Penalties include administrative fines of up to R10 million, criminal sanctions including imprisonment of up to 10 years, and civil damages claims by affected individuals. Beyond the direct penalties, businesses face reputational damage, client attrition and the indirect cost of managing a data breach incident. The Information Regulator has the power to investigate and prosecute, and has done so.
Q: How do I write a POPI Act compliant Privacy Policy for my website?
A POPI Act compliant Privacy Policy must include: the identity and contact details of your business and Information Officer; what personal information you collect and why; the lawful basis for processing; how long you retain data; whether and with whom you share data; cross-border data transfer rules; how data subjects can access, correct or delete their information; how to lodge a POPI Act complaint; and a cookie notice if your website uses cookies. Always date your policy and review it at least once a year.
About Kredcor: Your Trusted South African Commercial Debt Recovery Partner
Kredcor has been South Africa’s trusted commercial debt recovery partner for over 26 years. Registered with the Council for Debt Collectors (Reg Nr 0016365/06), we operate from branches in Gauteng, Cape Town, KwaZulu-Natal and across Africa. We serve SME owners, credit managers, financial managers and CFOs who need a reliable, ethical and POPI Act compliant collections partner.
Our full POPI Act Privacy Policy, Personal Information Request Form and POPI Complaint Form are available at www.kredcor.co.za/privacy-policy.
You can also download the full text of the Protection of Personal Information Act directly from the South African Government at gov.za.
Contact Kredcor:
- Phone: 010 500 4640 | 083 518 0511
- Email: landi@kredcorgroup.com
- Website: www.kredcor.co.za
We can effectively assist you with your outstanding debt, and so improve your cash flow and minimise your credit risk.