021 045 0801 [email protected]

AQRate POPIA Compliance Disclosure

Revision: v2 — 10 July 2026

Purpose of this document

This document explains AQRate’s policies and procedures for compliance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”), and for maintaining client confidentiality.

The content is structured around the eight conditions for lawful processing under POPIA. Text in grey/black provides legislative background; text in blue sets out AQRate’s response. Principle 7 (Security Safeguards) has been expanded to cover the full scope of sections 19 to 22.

Principle 1: Accountability

This principle contemplates the assigning of responsibility by organisations for overseeing compliance with the Act.

  • Responsibility for data governance lies with the appointed Information Officer at AQRate. Unless otherwise designated, this responsibility lies with the CEO.
  • Where information is categorised by type, a suitable manager may be appointed as deputy Information Officer for that sphere of responsibility.
  • Systems used for monitoring compliance are configured to notify the appropriate Information Officer of non-compliance events for investigation.
  • The current Information Officer and deputy Information Officer(s), together with their registration status with the Information Regulator, are recorded in [internal register / PM-33].

Principle 2: Processing Limitation

This principle requires that personal information may only be processed in a fair and lawful manner.

  • AQRate does not process information for any purpose other than the commercial engagement contracted, continued servicing of the client, and applicable legislative or regulatory requirements.

Principle 3: Purpose Specification

This principle determines the scope within which personal information may be processed.

  • AQRate discloses to clients: the information collected, the purpose of collection, and the processing to be carried out.
  • The most extensive of these disclosures occur during information sessions held prior to the majority of data collection.
  • These disclosures are supplemented, for website visitors, by AQRate’s website Privacy Notice, which independently satisfies sections 18 and 19 of POPIA.

Principle 4: Further Processing Limitation

Processing of personal information may only occur insofar as necessary for the purposes for which it was obtained.

  • AQRate only processes information to the extent required to complete and record verification under the B-BBEE Codes of Good Practice and applicable law, including regulations imposed by SANAS to maintain accreditation.
  • Limited processing of non-verification information is conducted for continued client servicing.

Principle 5: Information Quality

Organisations must take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary.

  • AQRate’s verification service is itself a quality-control process over the information supplied.
  • Collection, processing, and evaluation activities are audit-trailed against AQRate’s business systems to preserve data integrity and quality.

Principle 6: Openness

This principle requires processing to occur in a fair and transparent manner, made known to the data subject.

  • During contracting and client information sessions, all data collection and processing activities are shared with the client.
  • It is made clear which information will be collected and by what means.
  • AQRate’s website Privacy Notice provides equivalent openness disclosures to website visitors and prospective clients, consistent with sections 18 and 19 of POPIA.

Principle 7: Security Safeguards

Condition 7 (sections 19 to 22 of POPIA) requires that personal information be kept secure…

Security measures (section 19)

  • All AQRate staff, contractors, and service providers are identified with unique credentials.
  • Activity is audit-trailed against unique credentials.
  • Monitoring and alerting for high-risk activity, including data removal and DLP events.
  • Data at rest and in transit is protected with encryption via Microsoft 365.
  • Clients are directed to submit sensitive data via SharePoint rather than email.
  • Systems infrastructure is independently reviewed on scheduled and event-triggered bases.
  • Privileged users are monitored via activity and DLP tooling.

Information processed by an operator (sections 20 and 21)

  • Operators process information only with AQRate’s knowledge or authorisation and under written contracts requiring equivalent security measures.

Notification of security compromises (section 22)

  • AQRate will notify the Information Regulator and affected data subjects as required by section 22 of POPIA.
  • This process is governed by AQRate’s Incident Management Policy (HR-23).

Principle 8: Data Subject Participation

This principle empowers data subjects to access, correct, or request deletion of personal information held about them.

  • Clients may request an inventory of information AQRate holds about them, and request correction or removal, subject to legal and regulatory retention obligations.
  • SANAS Requirement R47 requires retention of verification records for up to 8 years.
  • Requests should be directed to the Information Officer.

AQRate (Pty) Ltd | Reg No. 2002/001364/07 | Unit OL012, Oak Leaf Terrace, Bellville, 7535

Phone: 0861 277 283 | Email: [email protected]