SOUTH AFRICAN DATA SERVICES (Item check 0249) | ID NUMBER 100641
• Supplier hosts the Supplier Data
• Supplier is a Sub-processor of Client Information
• Client Information includes Personal Data
• The Sub-processor is located in South Africa
• The Sub-processor is located outside of the EEA
• This Supplier has not agreed to be subject to GDPR but has agreed to equivalent data protection provisions.
• The Supplier has passed GBG’s full GDPR due diligence assessment and information security review.
• Where GDPR applies to the End User, the End User must rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR
• The End User must not provide Personal Data belonging to EEA Data Subjects for sub-processing by this Data Supplier
The Supplier Data that GBG uses to provide South African Data Services (Item Check 0249) is supplied by TransUnion. GBG is obliged under the terms of its agreement with TransUnion to ensure that all End Users agree to comply with the following provisions:
1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms:
“Consumer Credit Information” shall bear the meaning set out in Section 70 (1) of the NCA;
“Data” means any data including personal information (as defined in the ECTA and any other applicable legislation) in whatever form provided, supplied, stored, collected, collated, accessed or processed by TransUnion;
“ECTA” means the Electronic Communications and Transaction Act, 2002;
“Permitted Purpose” means the prescribed purposes set out in Regulation 18 (4) and Regulation 18 (6);
“Input Data” means the End User’s proprietary data submitted to TransUnion when processing an enquiry via the Decision System;
“NCA” means the National Credit Act, 34 of 2005 together with the Regulations as well as the National Credit Act 19 of 2014 and the accompanying amended Regulations;
“Prescribed Information” shall bear the meaning set out in Regulation 18 (6);
“Recommendation” means a system generated recommendation, derived from a pre-determined set of rules used to analyse the Input Data and produce an objective opinion, which could include inter alia the following alternatives namely “accept”, “refer”, “serious refer” or “decline”;
“Regulations” means the National Credit Regulations, published in Government Gazette No. 8477. Notice 28864 and such other Regulations promulgated in terms of the NCA from time to time;
“Report” means a credit report and / or consumer enquiry generated response to a Request;
“Request” means a request for a Report; and
“Services” means the services that the End User subscribes to from GBG from time to time, part of which includes the provision of Reports to the End User.
2. USE OF THE SERVICE
2.1 Permitted Purpose: TransUnion will only provide Confidential Information and/or Consumer Credit Information to contracted End Users for the Permitted Purposes set out in the NCA and Regulations.
2.2 Submission of Data to TransUnion: The End User shall ensure that any Consumer Credit Information requested from or submitted to TransUnion, whether directly or through GBG shall contain, in relation to a Consumer:
(a) who is a natural person, the minimum criteria as set out in Regulation 19(1); and
(b) who is a juristic person, the juristic person’s registered and trading name; registration number, registered address, physical and postal address.
2.3 Adverse Credit Information: Generally in relation to the provision of data, and in relation to listings of adverse credit information/defaults, the End User undertakes that:
(a) it is lawfully entitled to submit the Consumer Credit Information, Prescribed Information and Confidential Information to GBG or TransUnion and shall ensure that all information reported by it shall be accurate, up-to-date, relevant, complete, valid and not duplicated;
(b) it shall only list adverse credit information in respect of Consumers if (i) it is a member of the CPA (in which case listing of adverse credit information must be done via its monthly payment profile submissions to the credit bureaus); (ii) it is a data supplier to the National Loan Register (“NLR”) (it shall not however be entitled to list defaults in the public domain. This is because public domain defaults are not created for data that is submitted to the NLR); or (iii) it is neither a CPA nor a NLR member, provided that it shall only be able to provide TransUnion with the nature of information, and the related purposes, in accordance with clause below;
(c) it shall submit only information which falls in the permitted categories set out in Regulation 18(6) of the NCA; and
(d) the End User may not list information of the following nature, whether or not Consumer consent has been obtained, and of any nature that may be notified by TransUnion from time to time:
• cheques - data suppliers may only submit negative information relating to cheques marked “Returned to Drawer” if it is on the grounds of insufficient funds;
• Consumer Credit Information in respect of a debt that has prescribed in terms of the Prescription Act, No. 68 of 1969;
• duplicate listings – for example, where listings in respect of a book debt are made by a data supplier who subsequently sells that book debt and the purchaser of the book debt lists the debtor for the same debt, the latter listing by the purchaser will not be permitted. Where it is found that a default listing is in respect of a debt that was previously listed either as a default or judgment, the second listing will be removed;
• listings in relation to SABC television licences, maintenance orders and road traffic fines;
• cost orders;
• adverse information forming part of any dispute, existing prior to the date of the submission of that disputed adverse information, between the Subscriber and the Consumer in respect of whom such information is submitted (for purposes of this obligation, “dispute” refers to any instance where it can be proven that the Consumer had reasonably and expressly denied being liable for the whole or part of the relevant debt, whether or not through the institution of legal proceedings); and
• information which the Subscriber had already submitted to TransUnion in respect of a Consumer, which information the Consumer had successfully challenged in accordance with the process provided for in the NCA (“Information Challenge”). For purposes of clarity, the Subscriber shall not be entitled to modify the successfully challenged information in any way so as to resubmit same.
2.4 The End User will give its customers twenty (20) Business Days’ written notice, as required by Regulation 19(4), of its intention to submit adverse information regarding the customer before such information is submitted to TransUnion.
2.5 The End User will fully and timeously co-operate with TransUnion’s requests for credible evidence related to a listing when that listing has been challenged by a Consumer as part of any Information Challenge.
2.6 Removal of Information from TransUnion’s Database: A default listing shall only be removed from TransUnion’s database if it is factually incorrect, related to fraud or a duplicate listing.
2.7 The End User does not and will not, unless lawfully entitled to do so, take an upfront fee in order to remove or clear a person’s name from the blacklist of a credit bureau.
2.8 TransUnion may, at any time, and at its sole discretion remove any information from its database with immediate effect, except information which TransUnion is obliged to retain in terms of the NCA and any other applicable Laws; and/or verify the accuracy of any statement or information obtained from the End User.
2.9 Consumer Credit Information Requested In Respect of Juristic Persons and their Principles: The End User acknowledges that in the event that it requests Consumer Credit Information in relation to any juristic person/s, the relevant commercial report to be provided to it may contain Consumer Credit Information relating to that entity’s directors, senior leadership and/or key stakeholders in the business (“Principals”).
2.10 In light of the above, the End User undertakes:
(a) it shall be fully authorised, as required by all applicable Laws, to obtain the Consumer Credit Information in respect of the Principals; and
(b) in the event that it requests Consumer Credit Information relating to both its Consumers and their Principles, it shall have fully complied with the requirements as set out in Section 18(5) of the Regulations; and it shall have obtained all required consents for obtaining and having sight of information regarding the Principals.
2.11 Information which the End User submits to TransUnion, whether directly or through GBG, may be utilized by TransUnion as part of its database in the ordinary course of its business as a registered credit bureau.
2.12 Requests for Reports for a Consumer: The End User shall be entitled to request Reports for purposes of counselling certain Consumers strictly in circumstances where the End User is a registered debt counsellor and is accessing and using the reports solely in its capacity as a debt counsellor.
2.13 Prior to submitting and requesting a Consumer’s report for purposes of debt counselling the End User:
(a) shall ensure that the Consumer has provided it with written, informed and specific consent to TransUnion releasing his/her relevant Consumer Credit Information to the End User;
(b) shall obtain a clear copy of the Consumer’s identity document and proof of address not older than three (3) months old, and shall ensure that such documents are retained for a period of 3 years. When requested by TransUnion the End User shall furnish TransUnion with proof to its satisfaction that the End User has complied with this obligation; and
(c) shall ensure and warrant that the Consumer Credit Information is used strictly for purposes of debt counselling sessions with the Consumer, and provided to the Consumer and/or destroyed thereafter. The End User shall not be entitled to store and use the Report/s for any other purpose.
2.14 The End User shall not cede any of its rights or delegate any of its obligations in relation to the procurement of the Services to any third party.
3. CHANNEL PARTNERS / THIRD PARTY VENDORS:
3.1 GBG may provide the Services to an End User via third party channel partner (“Vendor”) where the Vendor is a technology provider and its products and/or systems are customised so as to enable End Users of such products and/or systems to request and receive Reports directly from GBG using such technology; or where the End User is able to request and receive Report from the Vendor acting as agent for and on behalf of GBG, provided that:
(a) TransUnion have provided their consent to such arrangement;
(b) Prior to being able to request a Report, the End Users have agreed to be bound by these Additional Terms;
(c) The Vendor complies with the terms set out in this clause 3.
3.2 The Vendor shall:
(a) provide TransUnion with a list of all End Users who have requested Reports on request as well as any such other information as may be requested by TransUnion;
(b) comply with all relevant laws, including the NCA and the Regulations;
(c) implement an effective audit trail for each and every transaction in respect of the request and receipt of Report and the acceptance these Additional Terms by End Users (which audit trail shall be retained for three (3) years from the date of the customer request) including the dates and times when Reports were requested and dates and times when Reports were sent to such End Users;
(d) make such audit trail available to TransUnion within fourteen (14) days of its request. Without limiting the generality of that aforegoing, the Vendor shall for the purposes of Regulation 17(1), retain for a period of two years from date of request, the number of enquires made on a consumers record, including the name of the person who made the request and a contact person if available;
(e) maintain records of Consumer Credit Information in accordance with Regulation 18(1) and the following standards (i) identified by the consumer's identity number or passport number, or where no identity number or passport number is available for a particular person, any other reasonable method to identify the record; (ii) collected, processed and distributed In a manner that ensures that the records remain confidential and secure; (iii) protected against accidental, unlawful destruction and unlawful intrusion; (iv) protected against loss or wrongful alteration; and (v) protected against unauthorised disclosure or access;
(f) be responsible for the verification of End Users in accordance with TransUnion’s Client Acquisition and Management Policy and the Client Verification Check List; and
(g) at all times adhere to TransUnion’s policies, procedures and guidelines (as amended from time to time) regulating the use of its Intellectual Property Rights. Without limiting the aforegoing, the Vendor shall obtain TransUnion’s prior written consent before launching any campaign or issuing any publication which refers to TransUnion, which consent shall be given (or refused as the case may be) by TransUnion within such period so as not to delay such launch or publication.
3.3 The Vendor warrants that it shall during the term of its Agreement:
(a) ensure that all End Users agree to be bound by these Additional Terms prior to submitting a Request;
(b) obtain all consents, approvals and licenses necessary to carry out Its obligations it terms of its Agreement with GBG including these Additional Terms, and shall ensure that such consents, approvals and licenses remain in place for the duration of the Agreement; and
(c) not (unless lawfully entitled to do so) take an upfront fee to remove or clear a person's name from the records of a credit bureau.
3.4 Each of the warranties set out at clause 3.3 is deemed to be material warranty by TransUnion and will be construed and enforceable as a separate and severable warranty from the remaining warranties and the waiver, fulfilment or abandonment of any one warranty will not limit or otherwise adversely affect any other warranty. Likewise, the generality of any one or more of the warranties will not be restricted by the particularity of any other warranty and vice versa.
4. DUE DILLIGENCE AND AUDIT RIGHTS
4.1 Prior to granting the End User access to the South African Data Services, GBG must carry out a due diligence check on the End User in accordance with TransUnion’s Client Acquisition and Management Policy and the Client Verification Check List.
4.2 The End User acknowledges and agrees that access to the South African Data Services is dependent on the satisfactory completion of TransUnion’s Client Acquisition and Management Policy and the Client Verification Check List in accordance with clause 4.1.
4.3 On the request therefore by TransUnion or GBG (as applicable), the End User shall furnish TransUnion or GBG, its representatives or an independent third party, as the case may be, with such information, data, records and Reports (collectively “the Items”) as is necessary for TransUnion or GBG (as applicable) to ensure the End User’s compliance with these Additional Terms.
4.4 Following receipt of the Items, where the Items furnished as aforesaid are not sufficient to enable TransUnion to confirm the End User’s compliance with these Additional Terms, the End User shall furnish TransUnion, its representatives or an independent third party, as the case may be, with any additional and specific Information requested by TransUnion. Thereafter, should such additional information not be sufficient to enable confirmation as aforesaid, TransUnion, an independent third party or independent auditor as the case may be, shall be entitled on reasonable notice to the End User, and during business hours, to audit the End User solely for the purpose of ensuring its compliance with these Additional Terms.
4.5 Should the End User fail or refuse to submit to the compliance audit set out in clause 4.4 above, TransUnion shall be entitled to immediately terminate the End User’s access to the Services.
5. EXCLUSION OF WARRANTIES
5.1TransUnion does not make any representations, nor give any warranties (whether express, implied in law or residual or guarantees of any nature whatsoever in relation to our Services and/or the Reports, or as to the accuracy or correctness of any Reports or any aspect thereof, and accordingly, the Services and Reports are provided on an "as is" basis.
6. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS
6.1 General Compliance with Laws and Associated bodies: When being provided with the Services the End User shall:
(a) at all times comply with the requirements for the receipt, compilation and reporting of information (including, but not limited to, Prescribed Information and Consumer Credit Information) as prescribed by the NCA and other applicable Laws;
(b) ensure that it is the only entity that uses the Services and that no other entity/ies within its Group use the Services;
(c) at all times comply with all Data use and Data protection requirements as may be applicable to the Services as dictated by TransUnion’s data protection policies in force from time to time and/or any applicable laws; and
(d) as required by the NCA and other applicable laws, protect the confidentiality of any Confidential Information pertaining to a consumer or prospective consumer and in particular shall only release such Confidential Information to TransUnion in accordance with the NCA.
6.2 Use of Consumer Credit Information/Reports: Any Consumer Credit Information and/or Report and/or Recommendation containing Consumer Credit Information shall be used by the End User solely and exclusively for a Prescribed Purpose. The End User shall not, whether directly or indirectly, sell or use for any other commercial purpose the Report(s) and/or any of the contents thereof.
6.3 Consents: The End User shall ensure that prior to submitting to and/or requesting any Consumer Credit Information or Reports from TransUnion it shall have obtained all consumer consents (whether from natural or juristic persons – as applicable) that may be required in terms of the NCA or any other applicable Laws to submit, request and/or receive such Consumer Credit Information or Reports, as the case may be.
6.4 Security: All persons accessing the Services on the End User’s behalf have been duly authorized by the End User to do so. In addition, the End User shall ensure that only it or its authorised representatives have access to any PIN and/or password PIN issued for the purposes of requesting a Report. The End User shall be liable for transactions, fees and other costs arising out of the use by any person of TransUnion’s services via the PIN and/or Password whether or not such use is or has been authorised by the End User.
6.5 Notification: The End User shall immediately notify GBG and TransUnion in writing of any breach or attempted breach of security of which the End User become aware or ought to have become aware of and the End User shall take reasonable steps to prevent a recurrence thereof and to mitigate the effects of such breach. GBG shall, through TransUnion, be entitled to fully investigate such breach or attempted breach and the End User shall give GBG its full co-operation with such investigation. Furthermore, the End User shall be liable for transactions, fees and other costs arising out of the use by any person of the Services including use of the Services arising from a security breach.
6.6 Conflicts: In the event of a conflict between the provisions of these Additional Terms and the NCA, as read with the Regulations, or any other applicable laws, the provisions of the NCA as read with the Regulations or the Laws (as the case may be) will prevail.
6.7 Sub-processing: The Supplier Data used to provide this element of the Service is hosted by TransUnion. In order to perform the Services, TransUnion shall act as Sub-processor of Client Information (including any Personal Data supplied) for the sole purpose of delivering this element of the Service. The End User authorises GBG to appoint TransUnion as Sub-Processor for the purposes specified in this clause 6.7.
6.8 Derogations: TransUnion is based in South Africa which is located outside of the EEA. Where GDPR applies to the End User, the End User acknowledges that prior to submitting Client Information to GBG or TransUnion for processing it shall determine, and is solely liable for ensuring that it can rely on a derogation to transfer Client Information to TransUnion in accordance with Article 49 GDPR.
6.9 GDPR: TransUnion has not agreed to be subject to GDPR but has agreed to equivalent data protection obligations and has passed GBG’s full GDPR due diligence assessment and information security review. The End User warrants that it shall not provide Personal Data belonging to EEA Data Subjects for sub-processing by TransUnion.
7. TERMINATION
7.1 Notwithstanding the termination provisions between GBG and the End User in the General Terms, under the terms of GBG’s agreement with TransUnion, the supply of the South African Data Services may be terminated:
(a) immediately in the event that TransUnion is prevented by law from continuing to carry out its obligations in accordance with the terms of its Agreement with GBG.; or
(b) at any time by GBG providing the End User with 12 months’ notice.
7.2 GBG and TransUnion shall not be liable for any loss or liability of whatsoever nature which arises as a result of termination of this element of the Service in accordance with this clause 7.
8. GOVERNING LAW AND JURISDICTION
8.1 Any matter concerning the South African Data Services and these terms and conditions, shall be governed by the laws of the Republic of South Africa and the courts of South Africa shall have jurisdiction