1. INTRODUCTION
This Privacy Statement sets out how we use and protect any information that you give us and applies to all the SACRRA Tools and services. It covers data shared in hard copy, online, or stored in our computer systems.

The personal data, in any format, that we collect, and hold is important to us and is handled in accordance with this Statement. We are committed to ensuring that your privacy is protected and we will only collect data we need to deliver our services to you and to meet our responsibilities to you.

2. ABOUT US
The South African Credit and Risk Reporting Association (SACRRA) is a not-for-profit voluntary association of members who share the credit and risk performance data of their customers for purposes of making informed credit and risk decisions. We aim to give our members control of their data to enable them to comply with existing legislation and to adapt to an ever-changing business environment by providing tools and industry services on data formats, data quality and related challenges. Credit and risk data, also known as payment profile, is applied in all stages of the customer’s life cycle allowing our members greater insight into their customers and guarding them against undue risk while assisting sustainable business growth and financial inclusion.

We provide the framework to facilitate the sharing of complete and accurate credit and risk data at our Associate Member credit bureaus, enabling our members to comply with credit information sharing provisions of the National Credit Act (NCA) as well as the provisions for performing credit and risk
assessments and affordability calculations.

For all queries relating to this Privacy Statement and our handling of personal data please contact us on 087 701 3254. Alternatively, you can write to us at: sacrra@sacrra.org.za.

3. WHAT WE COLLECT
We may collect the following information from you when you engage with the SACRRA, complete application forms, assessment forms or surveys, receive services from us, or provide services to us, access the SACRRA Tools (which include but are not limited to the Data Transmission Hub or DTH; Data Master Application or DMA; Data Specification Matrix or DSM; or SACRRA Connect) or apply for employment or are voted in on the Governing Body:

• your name, date of birth, Identification Number and gender
• addresses (home and work), contact email addresses and contact telephone numbers (home, work and mobile), and website address
• your bank details
• employment status
• career details – current job/description of role/employer/salary/previous employment/start and end dates
• company name, trading name and addresses (physical and postal)
• current qualifications (where relevant to the SACRRA, e.g. completion of accredited degrees), study centre/university details, assessment information for qualifications, examination marks and results and exemption details including learning opportunities undertaken as part of continuous professional development
• date of joining the SACRRA, membership status and/or employment status
• contracting information with the SACRRA
• enquiries and contacts, you have made with the SACRRA
• information recorded in minutes of meetings held, action and decisions logs
• data related to election ballots and results
• username and password, you use to sign into the SACRRA Tools
• the IP address you use to log in
• personal data you supply when you are using the PSIber Human Resources Management System
• photos and video footage (where captured at our events)
• annual turnover / Income after investments and allocation
• Principal debt
• VAT number
• B-BBEE Certificate
• Product information
• NCR registration number and NCR primary business category
• Industry and business classification
• Business profile, overview and processes
• Primary credit bureau
• Microfinance South Africa (MFSA number)
• Data quality files and reports

Sensitive data that we may collect

• information you provide us when applying for special consideration e.g. extended payment terms
• information you provide us regarding any specific needs you have for attending our meetings/events
• For employment purposes we collect
• your nationality
• national ID number (or details of your alternative ID)
• Income tax number
• Race, gender and ethnicity
• citizen resident status
• home language spoken
• next of kin contact information (full name, relationship, contact number)
• Strength Finder profile report
• Curriculum Vitae
• if applicable, any disabilities that you may have
• evidence of your health (medical history, diagnosis or special requirements), where needed in terms of legislative compliance (e.g. COVID-19, doctor certificates for sick leave taken etc.)

4. HOW YOUR INFORMATION IS COLLECTED
We collect information from you, for example, when you:

• make enquiries with us
• submit an application for membership
• submit an assessment form under Regulation 19(13)
• respond to a vacancy advertisement and when being appointed
• submit a proposal on a Terms of Reference/Request for Proposal request
• register/sign up to and/or make use of any of our services or SACRRA Tools
• use our website (see our Cookies policy below)
  We may also collect information about you from third parties, such as:
• your employer
• partners that we work with
• Trade or employment references

5. WHAT WE DO WITH THE INFORMATION WE COLLECT
We require this information to assess your application and needs as well as to provide you with the required services, and in particular for the following reasons:

Membership/contractual purposes:

• to respond to your enquiries
• to administer your membership/non-membership and provide the value proposition/benefits set
• allow you access to the SACRRA Tools and services, as relevant
• to fulfil our obligations arising from any contracts entered into between you and the SACRRA, and
  for the general management thereof – this includes providing the products and services that we offer, where Terms and Conditions apply
• to administer and manage the relationship and related services to you
• to organise and deliver the SACRRA meetings and events, and fulfil any specific needs you may
  have or required under the SACRRA Constitution
• process payments from or to you
• maintain financial records and for auditing purposes
• to run elections and manage voting on resolutions, as needed
• notify and remind you when your membership is due for renewal
• provide you with information relating to your data submissions and compliance obligations, as relevant
• notify you of general progress updates, including sending you invitations to attend Annual General Meetings, General Member meetings and ad hoc meetings, as required
• provide you with news, products, services and membership updates
• invite you to provide feedback on our products and services, for example in surveys
• invite you to take part in research campaigns and surveys
• to notify you of changes to our membership offering
• monitor how you respond to our communications
• to allow us to monitor usage statistics as a basis for future improvements to relevant processes
• to monitor and improve our products and services 
• to verify your identity
• to enable us to track system use by a user

Legitimate interest purposes:

• internal record keeping
• to periodically conduct quality checks on the data we hold on you
• to meet security/health and safety requirements where you attend an event or meeting

Consent:

• using photo and video footage in post-event publicity/marketing collateral (please notify us when
  booking onto an event if you object to this)

6. MEMBERSHIP REGISTER, DATABASE AND ON-BOARDING SCHEDULE
When registering for membership you will automatically appear on the register. The Membership Register is for the SACRRA Office’s internal use only.

All company information for members and non-members will be recorded on the SACRRA Connect system and on-boarding schedule to enable SACRRA to facilitate and manage the data submissions, data quality and related reporting thereof.

All supplier information will be recorded in a Vendor Contract Management Framework for the SACRRA Office’s internal use only in line with procurement processes and requirements. Proposals may be shared with third parties, such as sub-committee representatives mandated by the Governing Body or the Executive Director for proposal evaluation purposes.

Certain company and on-boarding progress information will be shared with third-parties in line with legislation, management of the data submissions at approved hosting credit bureaus and related processes.

7. OUR LAWFUL BASES FOR PROCESSING YOUR INFORMATION
We will only use your personal information where one of the following applies:

• It is necessary for execution on a contract that we have with you, such as the fulfilment of a service.
• For our own (or a third party’s) legitimate interests provided your rights do not override these interests, such as:
• Sending appropriate targeted communications to you based on your data submissions
• Monitoring and improving our products and services
• Fulfilling the requirements of our Constitution
• Managing the data we hold
• Fraud prevention
• Enhancing the networking opportunities between members
• We need to comply with a legal or contractual obligation, such as Regulation 19(13).
• You have given us your consent, such as to send you communications or information about your SACRRA Membership or information you may find interesting. You can withdraw your consent from receiving information not relating to your Membership (such as industry or regulatory related information) anytime by sending an email to info@sacrra.org.za with subject line “unsubscribe”. Please be advised, changes to your preferences may take up to 10 days to fully action.

Your personal information will only be used for the purpose(s) it was collected. It will not be sold, shared, or distributed to third parties unless we have your permission or where it is necessary for one of the reasons listed above.

8. RECIPIENTS WHOM WE MAY SHARE YOUR DATA WITH
The following third parties may gain access to certain of your information in the course of us delivering
services and products to you which will be strictly governed by the SACRRA privacy and access policies
in place:

• Suppliers contracted to perform business functions on our behalf (for example the Data Transmission Hub supplier) or for the development and/or maintenance of the SACRRA Tools, including providers of third-party applications used for the purposes of delivering products/services to you (for example PSIber for employee management).
• Approved hosting credit bureaus for the purposes of data submissions and management thereof.
• Venues hosting the SACRRA meetings and/or events (where necessary to meet security and safety requirements, and fulfil any specific needs you may have).
• The SACRRA event/meeting sponsors or logistical administrators (we will only share your name, job title, company name and contact details as relevant for logistical arrangements, meeting invitations and/or voting platforms).
• Attendees at events/meetings (we will only share your name and company via an attendee or registration list).
• Regulatory bodies (where necessary for regulatory/audit requirements).
• Third party IT/cloud providers (where required and access will be limited and mostly related to IT infrastructure maintenance/software upgrades and/or support to our staff).

9. RETENTION OF YOUR INFORMATION
The SACRRA has a variety of obligations to keep the data that you provide us. These include ensuring that payments and data submissions are submitted and processed correctly including complying with any laws and rules that apply to us and to our members.

The SACRRA has a Record Retention Policy to ensure that your data is not held for longer than is necessary. We hold the information that you provide to us while you are an active and registered user but we may keep certain data (such as payment information) after you cancelled your registration, to meet our obligations but for no longer than required or permitted by law.

10. WHERE YOUR INFORMATION IS STORED
Your information is held securely within South Africa, however, if there is any transborder flows, we will ensure that the supplier meet at least the standards imposed by the Protection of Personal Information Act, No. 4 of 2013 or ensure that Data Processing Agreements are in place with these suppliers and/or any third parties and that they meet the SACRRA’s data protection standards.

In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities may be entitled to access your personal data.

11. KEEPING YOUR PERSONAL INFORMATION SECURE
In processing personal information it is important that the SACRRA establishes in what circumstances it acts as a responsible party and in what circumstances it acts as an operator.

The SACRRA may in certain circumstances be a responsible party, in others an operator and also where it acts in conjunction with others in determining the purpose and means for processing personal information it may act together with others as a responsible party.

In processing personal information, whether as a responsible party or an operator, SACRRA must comply with the conditions for the lawful processing of personal information. The distinction lies in the fact that a responsible party is liable to the data subject and must ensure that all of the conditions of lawful processing of personal information and measures that give effect to these conditions are complied with.

In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect from you.

The SACRRA Tools and website are maintained on secure environments. All our suppliers and contractors meet the standards we require. Restrictions are also in place so that users only have access to data that pertains to their roles. Staff training is undertaken regularly, and checks are made by IT staff and/or suppliers to ensure data quality is maintained.

Our email security system will block and hold messages that contain viruses and malware, spam messages or other inappropriate content. Where appropriate, senders will be informed that their message has been held by our system and if held in error the message can be released and successfully sent.

Unfortunately, no data transmission or storage system is completely secure. If you feel that the security of your information has been compromised, please contact us immediately and we will take the necessary steps required to meet our obligations under legislation.

12. WHAT WE USE COOKIES FOR
Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you enter a website. The cookie can be accessed by both the web server and the user’s computer.

When visiting the SACRRA website, the cookies will allow you to:

• carry information across pages of the site;
• avoid having to re-enter information; and
• after member login, to access member only information and tools.

13. YOUR RIGHTS IN CONTROLLING YOUR PERSONAL INFORMATION
You have the following rights over the personal data about you that we are holding and processing:

• Right to be informed: This relates to us being transparent about how we will process and use the information you supply to us.
• Right of access: You may request details of the information we hold about you. Please refer to the
  PAIA manual regarding the process to be followed and form to be completed and submitted.
• Right to request information held is accurate and how to update it: If you believe that any information we are holding on you is incorrect or incomplete, please email us at info@sacrra.org.za.
• Right to removal: In certain circumstances, you may ask us to delete information about you and
  stop processing or publishing it. Please note that certain information will have to be retained
  according to certain legislation and/or audit requirements.
• Right to object: When subscribing as a Member, you consent to receive information relating to your
  membership and our services to you. You can unsubscribe from our mailings and remove your
  details at any time. If you wish to stop receiving certain general communications from us, please
  email us at info@sacrra.org.za.

14. COMPLAINTS
If you wish to lodge a complaint about how we have processed your personal information, and we cannot resolve it, then you have the right to lodge a complaint as reflected in the PAIA Manual or the Information Regulator (https://inforegulator.org.za/complaints/).