Privacy policy

Experian South Africa (“Experian”, “we”, “us” or “our”) is a leading information services company, which means we look after vast volumes of Personal Information. We are committed to using Personal Information responsibly to make a positive difference to you, and society at large. We have provided this Privacy notice to communicate all the processing activities you can expect from us, how we secure your Personal Information, your rights under applicable Data privacy legislation and how you can exercise these privacy rights. This notice is applicable in all instances where Experian determines the manner and purpose for which information is processed, i.e. when we are the Responsible Party.

This notice applies to all potential, current and former vendors, clients, consumers  and suppliers (“You” or “your”) of Experian and explains how we how we collect, use and process your information as dictated by the circumstances of your relationship with us.  This notice does not form part of any contract you have concluded with us, although Experian may refer to this privacy notice in your contract with Experian. We may update this notice at any time but if we do so, we will make a copy of the amended notice available to you as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.

We respect your right to privacy and are committed to being transparent about how we collect and use your Personal Information. Should you have any queries on this privacy notice or your privacy rights in general, you may contact our Africa Data Privacy Office at informationofficerafrica@experian.com. Should your query not be resolved to your satisfaction, you may contact the General Legal Counsel at africalegal@experian.com.

The responsible party is Experian South Africa.

Dual Head office:

• Ballyoaks Office Park, 35 Ballyclare Drive, Bryanston, Sandton and Experian House
• 3 Neutron Avenue, Techno Park, Stellenbosch

For any enquiries on this privacy notice, please contact our privacy office via: informationofficerafrica@experian.com

Experian strives to comply with all applicable Data Privacy legislation. To ensure we respect your right to Privacy, we endeavour to adhere to the following principles when processing Personal Information. Personal Information that we hold about you must be:

• used in a lawful, fair, and transparent manner;
• collected for lawful purposes and only used in processing activities that are compatible with the lawful purposes;
• limited to what is necessary for achieving lawful purposes;
• accurate and up to date;
• only retained for the period necessary to achieve our purposes for collection and meet any applicable legal obligations; and
• protected from unauthorised access, use or disclosure.

"Consumer Credit Information" means information concerning—

• An individual’s credit history, including applications for credit, credit agreements to which the person is or has been a party, pattern of payment or default under any such credit agreements, debt re-arrangement in terms of the National Credit Act, incidence of enforcement actions with respect to any such credit agreement, the circumstances of termination of any such credit agreement, and related matters;
• a person’s financial history, including the person’s past and current income, assets and debts, and other matters within the scope of that person’s financial means, prospects, and obligations, as defined in section 78(3) of the National Credit Act and related matters;
• a person’s education, employment, career, professional or business history, including the circumstances of termination of any employment, career, professional or business relationship, and related matters; or
• a person’s identity, including the person’s name, date of birth, identity number, marital status and family relationships, past and current addresses and other contact details, and related matters.

“Information Incorporated in a business’ Credit Report” means all information which is included in a business’ credit report, including

• identifying information like company name, registration number, physical address, postal address, tax number;
• information that is publicly available as permitted by law such as judgments, sequestrations, and rehabilitation;
• account history/payment profile which is a record of all your accounts with credit/service providers and a history of how you pay these;
• active and non-active directors’ details;
• principal bureau data (including credit score);
• properties owned;
• previous enquiries.

“Information Incorporated in a consumer’s Credit Report” means all information which is included in a consumer's credit report, including

• identifying information such as your name, surname, identity number, physical and postal address, contact numbers (current ad historic), marital status, past and current employer(s), and occupation;
• credit and services account history/payment profile which is a record of all your accounts with credit/service providers and a history of how you pay these;
• previous enquiries on your credit report by credit/service providers that you authorised or permitted in terms of the NCA to receive your credit report;
• Educational background and qualifications
• information that is publicly available as permitted by law such as judgments, sequestrations, and rehabilitation;
• Financial information including any information which may relate to potential for fraud, financial crime, or possible identity theft;
• Records of ownership including information such as records of properties, CIPC status and companies owned;
• records of any defaults recorded on your credit profile when you fail to make the payment of money owed. Default data is submitted by the credit/service providers to the credit bureaus such as Experian;
• debt restructuring orders;
• “Trace and Collection Notices” which include notices placed on a Consumer Credit Report by a credit provider who is an Experian Subscriber.

“Responsible Party”, also known as a “controller”, determines the purposes and the means for processing Personal Information i.e. determines how to collect, store, and use your Personal Information.  

"Personal Information", also known as "personal data", refers to information about an identifiable person (including natural and juristic persons, such as companies and trusts). Information which identifies or relates directly to you is referred as your Personal Information. Personal Information include Consumer Credit Information. 

“Processing”, Experian may collect, receive, record, organise, collate, store, update, change, retrieve, read, process, analyse, use and share your Personal Information in the ways set out in this privacy notice.  When we do one or more of these actions with your Personal Information, we are “Processing" your Personal Information.

“Special Personal Information” categories of particularly sensitive Personal Information, such as information your health or sex life, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, criminal behaviour or trade union membership and biometric information, require higher levels of protection. We minimise the processing Special Personal Information to what is strictly necessary to achieve a lawful purpose. We will only process Special Personal Information when we a clear legal justification for processing as required by applicable laws and our internal policies. Experian has implemented appropriate policies and safeguards to ensure we apply the strictest privacy standards when we process Special Personal Information. 

When processing Personal Information of a consumer in terms of the NCA, Experian limits the collection of Personal Information to include only what is permitted in terms of the NCA and which is necessary to our clients for credit/service application to enable them to make meaningful and accurate decisions. We also collect Personal Information of our customers and vendors to comply with contractual obligations, legal requirements or for operational business purposes. Furthermore, we ensure that our retention policies are compliant with applicable legal requirements. 

Our sources of Personal Information are:

• The Data subject i.e. the individual or organization to whom the Personal Information relates
• an organ of State, a court or judicial officer;
• any person who supplies goods, services or utilities to consumers, whether for cash or on credit;
• a person providing long term and short-term insurance;
• entities involved in fraud investigation;
• educational institutions;
• debt collectors to whom book debt was ceded or sold by a credit provider;
• other registered credit bureau.

We need to collect and process certain personal information to conduct our precontract vetting process, deliver the product(s) or service(s) you have requested and to facilitate the best possible experience when you engage with us or use our products and services.

We will also collect information about you and the devices you use to access our website, or we may ask third parties to do this for us, in these cases we do so by using technologies such as cookies.

** See definitions

We will only use your Personal Information for the purposes for which we collected it, or a purpose that is reasonably compatible with the original purposes for collection, as indicated above.

We will only process your Personal Information in accordance with applicable Data Privacy laws, which require that we must satisfy at least one prescribed legal basis for processing. Depending on the context of the processing activity, we rely on a number of different conditions for the activities we carry out. The legal basis we rely on include:

• where we need to perform under an agreement that we have concluded with you, e.g.  to meet our obligations in terms of a contract we have concluded;
• where the law requires us to do so;
• where you have consented to such processing; or
• where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those legitimate interests.

In rare cases, we may process your Personal Information where:

• we need to protect your interests (or another person's interests);
• we need to do so in the public interest; or
• Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your Personal Information. 

As a register Credit Bureau, Experian is required by law to collect and process your Consumer Credit Information (which qualifies as Personal Information) if you are a “consumer” under the NCA. In this instance you do not have to provide such your Consumer Credit Information, as it will be collected directly from original sources of Consumer Credit Information.

When you engage with our website, staff, products, or services:

• Website: The collection of certain Personal Information via essential cookies is necessary for the effective functionality for our website. In these instances, we will communicate this to you when you first arrive at our website. We obtain your consent when we use non-essential cookies, or technology similar to cookies, and/or collect information about the device you use to access our website. Sometimes we work with third parties who carry out these activities on our behalf. You will be asked to consent to the use of non-essential cookies before using our website, but you are not obliged to provide such consent. The processing of information via non-essential cookies is voluntary.
• Engagement with our staff: When you contact Experian for assistance, we will ask you to provide some Personal Information such as a copy of your ID for verification purposes. The provision of this information is not mandatory but a failure to provide such information may negatively affect the quality of service you receive.
• Products or services: When you enquire about or apply for Experian products or services, we will ask you to provide some Personal Information for us to enter into an agreement and provide the products and services accordingly. This information is necessary for us to manage our relationship and effectively meet our obligations Failure to provide information needed may result in our inability to enter into an agreement and / or perform accordingly.

We take the necessary technical and organisational measures to secure the integrity of information we are responsible for, using accepted technological standards to prevent unauthorised access to or disclosure of your Personal Information. We take all reasonable measures to protect your Personal Information from misuse, loss, alteration, or destruction.

We have put in place appropriate security measures to protect your Personal Information from accidental loss, unauthorised use, alteration, access, or disclosure. In addition, we limit access to your Personal Information to those employees, agents, contractors and other third parties who have a business need to access the information. They will only process your Personal Information on our instructions and are subject to a duty of confidentiality.

We review our information collection, storage and processing practices, including physical security measures from time to time, to keep up to date with good industry practice and standards. 

Experian has implemented procedures to address any suspected data breaches and will notify you and any applicable regulator of a breach where Experian is legally required to do so within the period in which Experian is required to issue such a notification.

We will only retain your Personal Information for as long as necessary to achieve the purposes for which it was collected and processed. Meaning we'll keep your Personal Information for as long as we need it to provide the Experian products and services you have requested, or as long as necessary to provide marketing services for our clients, and no longer. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Experian retains your Personal Information in our credit information database in accordance with the data retention periods prescribed by the NCA. For examples, the NCA Regulations require that we that we display and use various categories of your information only for the maximum periods prescribed for the purpose of credit scoring or credit assessment. We ensure that this information is not displayed for these purposes beyond the maximum periods prescribed.

We retain certain elements of your information as long as is necessary, for the purpose of verifying the integrity of information that we may be required to process in the future or for information quality purposes (i.e. to prevent the re-loading of incorrect information). This information is securely stored and not used for any other purpose than information quality in support of our regulatory obligation to ensure the data we have is relevant and accurate and not duplicated. 

Our reasons for retention may vary from one record or piece of information to the next and depends on the purposes for the storage and related operational business requirements and / or legal obligations, therefore the amount of time we keep your Personal Information for may vary.

In all cases, our need to use your personal information will be reassessed on a regular basis, and information which is no longer required for any purposes will be disposed of. 

As a general rule, we will only share your Personal Information with those that need access to the information for us to achieve the purpose for which we have collected it, or to comply with an obligation imposed by law. Internally, we will only share your Personal Information on a “need-to-know” basis, i.e. with Employees who need access to the information to perform a task on our behalf.

 Where consent is required by the NCA, Experian will only release Consumer Credit Information upon receipt of the consumer’s consent. Experian is obliged to comply with Section 68 of the NCA pursuant to which we use a consumer or a prospective consumer’s information only for the purpose permitted in terms of the NCA or other applicable legislation. Experian will report or release that information only to the consumer, prospective consumer or to another person:

• to the extent permitted or required by the NCA or other applicable legislation;
• as directed by the instructions of the consumer or prospective consumer; or
• an order of a court or tribunal.

Internally, we will only share your Personal Information on a “need-to-know” basis, i.e. with parties who need access to the information to perform a task on our behalf, which includes:

• other divisions or companies within the group of companies to which we belong so as to provide joint content and services like registration, for transactions and customer support, to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services, and communications;
• an affiliate, in which case we will seek to require the affiliates to honour our privacy policy;
• our service providers under contract who help supply certain goods or help with parts of our business operations, including fraud prevention, bill collection, marketing, technology services (our contracts dictate that these goods suppliers or service providers only use your information in connection with the goods they supply or services they perform for us and not for their own benefit).      

We store our personal information in South Africa.

We may also or alternatively store your Personal Information on and transfer your personal information to a central database located in outside of the borders of South Africa, for the performance centralized functions for our Group of companies.

If the location of the central database is located in a country that does not have substantially similar laws which provide the same level of protection to your Personal Information, we will take the necessary steps to ensure that your personal information is adequately protected in that jurisdiction.

We may engage service providers to support our business and they may be based or use data centres outside of South Africa. Whenever your Personal Information is transferred cross border, it will receive a similar level of protection as described in this notice.

This section is only to be used to exercise your privacy rights as provided for in Privacy legislation. All credit bureau information is governed by the NCA, and any requests which relate to bureau information should be dealt with using the NCA consumer dispute process. For more information on our dispute process, click Disputes Process.

You may have rights under applicable Data Privacy laws in relation to your Personal Information, which you may exercise under certain circumstance. To exercise these rights, kindly follow the links relating to the right which will provide you with access to the prescribed form as provided for under each right below, fill it in its entirety and send to informationofficerafrica@experian.com. For hard copy exercise of your rights, you may also request the prescribed forms from the aforementioned email address or Experian call centre (details found under the contact us section) or reception.

You may have the right to:

• Request for confirmation of Personal Information we hold about you. This right enables you to get confirmation on the categories of Information we hold about you.
  We hold information on most consumers in South Africa. To confirm what categories of information we hold on you, please go to My Credit Check and My Credit Expert  to access a copy of your free credit report.
• Request access to your Personal Information (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Information that Experian has about you. Click here to request access the Personal Information we hold about you.
  Should you wish to access credit bureau information as regulated by the NCA, please go to My Credit Check and My Credit Expert  to access a copy of your free credit report.
• Request correction of the Personal Information that we hold about you. This enables you to ensure that any incomplete or inaccurate data that the Experian holds about is corrected. Click here to request correction of your Personal Information.
  This excludes any request relating to credit bureau information as regulated by the NCA. To dispute credit bureau information, please go to My Credit Check and My Credit Expert and use the dispute information function on the platform.
• Request erasure of your Personal Information. This enables you to request that Experian delete or remove Personal Information where there is no lawful basis for us continuing to process it. You also have the right to ask us to delete or remove your Personal Information where you have successfully exercised your right to object to processing (described below), or where we are required to erase or anonymise your Personal Information to comply with applicable law. Experian may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you (for example where the data is processed in terms of the NCA), if applicable, at the time of your request. Click here to request an erasure of your Personal Information.
• Withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.  Please note that we may continue to process your Personal Information in certain instances where we are not relying on your consent. Click here to withdraw your consent to processing.

If you want to exercise any of these rights, please contact the Experian Information Officer.

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded, excessive or a request to access comprehensive report on all information we may hold on you.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it.

Should your request or dispute relate specifically to credit bureau information, please refer to the Bureau dispute process, which you can access by clicking here.  

We encourage you to assist us in maintaining the accuracy of Personal Information by notifying us of any changes or by meeting your legal obligations regarding disputes logged.

Where Personal Information is submitted to Experian in terms of the NCA, we cannot alter the information reported by providers of Personal Information unless the information is confirmed to be wrong or inaccurate by the provider of the Personal Information (this is because the NCA has a clear procedure for managing  disputes and the provider of the Personal Information is the Responsible Party, which includes responsible of maintaining the accuracy of the Personal Information).

Where Experian is the Responsible Party, and you do not agree with the accuracy of your Personal Information which Experian has on file, we have procedures to ensure that such information is verified, and, where appropriate, amended or corrected. Please refer to our privacy rights section above.

If you have questions about our privacy notice  or wish to contact us, please contact our Information Officer at informationofficerafrica@experian.com. Our dedicated Data Privacy Office is available to attend to any query you may have.

Should your query not be resolved to your satisfaction, you may contact the General Legal Counsel at africalegal@experian.com

Where the above channels have not addressed your query or complaint appropriately, you have the right to make a complaint at any time to the government body / regulator responsible for enforcement of Privacy laws (e.g. the information regulator in South Africa). Details of the relevant regulator may be access online or requested via informationofficerafrica@experian.com.