Protection of Personal Information Act (“POPI”)
Global Credit Rating Co. (Pty) Ltd, (a subsidiary of Global Credit Rating Company Limited, Mauritius), and its affiliates (collectively known as “GCR”), considers information to be critical to its business. Our stakeholders, clients, business partners and employees across multiple jurisdictions in Africa (“data subjects”), entrust us with their Personal Information (as defined in POPI) as well as confidential business information.
GCR shall process personal information for a specific, explicitly defined, and lawful purpose which relates to the services or activities provided by GCR under its various contractual agreements. GCR shall endeavor to ensure that the data subject is aware of the purpose for the collection of information, and thereby enabling the data subject to make an informed decision on whether or not to disclose the personal information to GCR.
We address some Frequently Asked Questions about GCR’s POPI readiness below:
We have concluded a comprehensive POPI implementation plan in South Africa to enhance our already established internal controls and to comply with POPI. GCR’s POPI implementation plan involved an assessment, remediation, and validation of business processes, operational practices, IT (systems and applications), third party relationships and documentation to address any new and/or additional requirements under POPI.
GCR has established, and continues to maintain, security measures for the protection of personal information required under various data privacy and security laws, including POPI. These will at all times include measures to:
- – identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control
- – establish and maintain appropriate safeguards against the risks identified
- – regularly verify that the safeguards are effectively implemented; and
- – ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Further, GCR has policies and procedures in place for administrative, technical, and physical safeguards designed to appropriately protect the security, confidentiality, and integrity of Personal Information consistent with POPI.
GCR processes your Personal Information in accordance with our internal policies and procedures as referred to in the sections above, and in accordance with our contractual obligations in providing our agreed services to you. GCR also processes your Personal Information in a manner to ensure compliance with our sanctions, anti-money laundering, and anti-corruption and other regulatory obligations.
In order to provide the agreed services to you, and to help GCR operate effectively, we may disclose your Personal Information to GCR group companies or subsidiaries, joint venture companies, third-party service providers whose services or products you elect to use, regulators, or our professional advisors and auditors.
GCR may also disclose your Personal Information to any law enforcement agency, court, government authority, or other third party, where we believe this is necessary to comply with our legal or regulatory obligations, or to exercise our legal rights, and to a third party that purchases, or to which we transfer some, all or substantially all of our assets and/or business.
Where GCR contracts third party service providers, who may have access to your Personal Information on our behalf, we have an obligation to only appoint providers who can provide sufficient guarantees that the requirements of POPI, or other applicable data privacy laws, will be met, and the rights of the data subject is protected.
For a complete breakdown of how GCR processes personal information in accordance with POPI, please see Appendix 3 of GCR’s Access to Information Manual. This can be found by navigating to https://gcrratings.com/privacy-policy/
GCR may transfer Personal information outside of the borders of South Africa or to international organisations for the purposes of storing or otherwise performing the functions related to our systems. The details of such country and/or organisation are detailed in GCR’s IT records. In all such cases, GCR shall satisfy itself that such country and/or organisation will offer the same or higher level of protection afforded to the data subject under POPI and/or The General Data Protection Regulation (“GDPR”).
Information Officer: Craig Davids