Revision: v2 — 10 July 2026
Purpose of this document
This document explains AQRate’s policies and procedures for compliance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”), and for maintaining client confidentiality.
The content is structured around the eight conditions for lawful processing under POPIA. Text in grey/black provides legislative background; text in blue sets out AQRate’s response. Principle 7 (Security Safeguards) has been expanded to cover the full scope of sections 19 to 22.
Principle 1: Accountability
This principle contemplates the assigning of responsibility by organisations for overseeing compliance with the Act.
- Responsibility for data governance lies with the appointed Information Officer at AQRate. Unless otherwise designated, this responsibility lies with the CEO.
- Where information is categorised by type, a suitable manager may be appointed as deputy Information Officer for that sphere of responsibility.
- Systems used for monitoring compliance are configured to notify the appropriate Information Officer of non-compliance events for investigation.
- The current Information Officer and deputy Information Officer(s), together with their registration status with the Information Regulator, are recorded in [internal register / PM-33].
Principle 2: Processing Limitation
This principle requires that personal information may only be processed in a fair and lawful manner.
- AQRate does not process information for any purpose other than the commercial engagement contracted, continued servicing of the client, and applicable legislative or regulatory requirements.
Principle 3: Purpose Specification
This principle determines the scope within which personal information may be processed.
- AQRate discloses to clients: the information collected, the purpose of collection, and the processing to be carried out.
- The most extensive of these disclosures occur during information sessions held prior to the majority of data collection.
- These disclosures are supplemented, for website visitors, by AQRate’s website Privacy Notice, which independently satisfies sections 18 and 19 of POPIA.
Principle 4: Further Processing Limitation
Processing of personal information may only occur insofar as necessary for the purposes for which it was obtained.
- AQRate only processes information to the extent required to complete and record verification under the B-BBEE Codes of Good Practice and applicable law, including regulations imposed by SANAS to maintain accreditation.
- Limited processing of non-verification information is conducted for continued client servicing.
Principle 5: Information Quality
Organisations must take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary.
- AQRate’s verification service is itself a quality-control process over the information supplied.
- Collection, processing, and evaluation activities are audit-trailed against AQRate’s business systems to preserve data integrity and quality.
Principle 6: Openness
This principle requires processing to occur in a fair and transparent manner, made known to the data subject.
- During contracting and client information sessions, all data collection and processing activities are shared with the client.
- It is made clear which information will be collected and by what means.
- AQRate’s website Privacy Notice provides equivalent openness disclosures to website visitors and prospective clients, consistent with sections 18 and 19 of POPIA.
Principle 7: Security Safeguards
Condition 7 (sections 19 to 22 of POPIA) requires that personal information be kept secure…
Security measures (section 19)
- All AQRate staff, contractors, and service providers are identified with unique credentials.
- Activity is audit-trailed against unique credentials.
- Monitoring and alerting for high-risk activity, including data removal and DLP events.
- Data at rest and in transit is protected with encryption via Microsoft 365.
- Clients are directed to submit sensitive data via SharePoint rather than email.
- Systems infrastructure is independently reviewed on scheduled and event-triggered bases.
- Privileged users are monitored via activity and DLP tooling.
Information processed by an operator (sections 20 and 21)
- Operators process information only with AQRate’s knowledge or authorisation and under written contracts requiring equivalent security measures.
Notification of security compromises (section 22)
- AQRate will notify the Information Regulator and affected data subjects as required by section 22 of POPIA.
- This process is governed by AQRate’s Incident Management Policy (HR-23).
Principle 8: Data Subject Participation
This principle empowers data subjects to access, correct, or request deletion of personal information held about them.
- Clients may request an inventory of information AQRate holds about them, and request correction or removal, subject to legal and regulatory retention obligations.
- SANAS Requirement R47 requires retention of verification records for up to 8 years.
- Requests should be directed to the Information Officer.
AQRate (Pty) Ltd | Reg No. 2002/001364/07 | Unit OL012, Oak Leaf Terrace, Bellville, 7535
Phone: 0861 277 283 | Email: [email protected]