B-BBEE Verification evidence & POPIA

Since the publication and full enforcement of the Protection of Personal Information Act (POPIA) on 1st July 2021, organisations have been aware of their responsibilities in collecting, processing and sharing third-party information. POPIA has changed how South African organisations conduct business, as it compels careful consideration and protection of the rights of Data Subjects.

It has been a long time since parliament assented to POPIA on 19th November 2013. A portion commenced on 11th April 2014, including section 1, Part A of Chapter 5, section 112 and section 113. The balance of POPIA came into effect on 1st July 2020, except sections 110 and 114(4), which became effective on 1st July 2021.

POPIA, while promoting the right to privacy set out in the Constitution, also governs the flow of information, how long it may be retained and how it must be destroyed. POPIA refers to the following parties and terms:

Responsible Party: A public or private body that determines the purpose and means for processing personal information taken from a Data Subject.

Operator: The party that processes Personal Information on behalf of a Responsible Party.

Data Subject: Any party to whom the Personal Information relates. It means an identifiable, living, natural person and an identifiable, existing juristic person.

Personal Information: Any information that can identify a Data Subject in any way.

The purpose of POPIA is to regulate, in line with international standards, the processing of personal information by public and private bodies. The objective is to store and process Personal Information in a manner that respects the right to privacy. Subject to justifiable limitations, POPIA aims to protect the rights and vital interests of Data Subjects.

The safekeeping of the vast amount of personal information necessary for a B-BBEE Verification is dictated by the 2008 Verification Manual and the SANAS R47-03 document. The introduction of POPIA has not changed any BEE requirements. If any Personal Information or other relevant document is not available at the time of a B-BBEE Verification, it will not be recorded as evidence.

In terms of evidence at a B-BBEE Verification, which party is responsible for proving adherence to POPIA?

The Responsible Party is the organisation rolling out its B-BBEE Strategy. It must take responsibility for collecting, processing and sharing information with the correct permissions. The Responsible Party must ensure that it has the consent of the Data Subject to share their information in line with its B-BBEE Verification, irrespective of whether an Operator collected the Personal Information on its behalf.

The role of a B-BBEE Rating Agency remains to verify the data supplied by a Responsible Party for a B-BBEE Verification, which must include a SANAS audit if necessary. Therefore, any information not provided will not be counted in an organisation's B-BBEE Verification, impacting its overall B-BBEE Score.

Once a B-BBEE Rating Agency collects, processes and shares information for a B-BBEE Verification, it, in turn, becomes the Responsible Party for that Personal Information. To fulfil its POPIA compliance requirements, a B-BBEE Rating Agency must provide evidence that all Personal Information received from a Responsible Party was obtained in line with POPIA.

How is information lawfully processed from its origin to a B-BBEE Rating Agency?

The Responsible Party collecting, processing and sharing Personal Information must take into consideration section 2.4.1 of POPIA:

> Accountability;
> Processing limitation;
> Purpose specification;
> Further processing limitation;
> Information quality;
> Openness;
> Security safeguards; and
> Data Subject participation.

Are there any exclusions from POPIA?

POPIA addresses exclusions from compliance in Chapter 2, Sections 6 and 7. The following are exclusions from POPIA:

> Where Personal Information processed is not recorded in any other form;
> Where Personal Information forms part of internal household
> Where information has been de-identified to the extent that it cannot be re-identified again;
> When an organisation is a public body that protects national security;
> When an organisation is a public body that prosecutes
> A Cabinet or Executive Council of a province;
> A court as defined in the Constitution; and
> When Personal Information is processed for journalistic, artistic or literary purposes as per section 7.

The scope of POPIA is broad and applies to the processing of personal information rather than to a particular person or organisation. Therefore, any organisation that processes data must comply with POPIA and, in particular, a Responsible Party must use all personal data according to the protection principles held within POPIA.

The POPIA framework shapes the rules and practices a Responsible Party must follow when processing information about individuals or juristic persons. It bestows specific rights regarding data, and establishes an independent regulator to enforce such rules, rights and practices.

POPIA applies to all information processed automatically or recorded on paper, including health records and certain public authority records.

Does a Data Subject have the right to refuse information sharing?

A Data Subject is not obliged to share their personal information; however, refusing could limit their access to employment, participation in B-BBEE initiatives or any such benefits.

While POPIA safeguards a Data Subject's Personal Information, the Promotion of Access to Information Act (PAIA) provides the right to access and controls the use of Personal Information. In effect, these two pieces of legislation balance the right to privacy against the legitimate needs of organisations to collect and use personal data for business or any other legitimate purpose.

How does Personal Information flow through parties to allow for a B-BBEE Verification?

The Personal Information of a Data Subject is captured and processed long before it is presented as evidence at a B-BBEE Verification. It is, therefore, fair to surmise that the flow of Personal Information ends at a B-BBEE Verification after passing through various parties. However, the Personal Information must be traceable from its origin, as it flows through multiple parties, with the relevant approvals allowing it to flow.

All Parties must ensure that they process Personal Information lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject. Responsible Parties may only process the minimum amount of relevant information, and it must be for a specific purpose.

From where does the evidence necessary for a B-BBEE Verification stem?

During the B-BBEE Verification process, Personal Information from a multitude of Data Subjects is collected. From the time Data Subjects become Participants or Beneficiaries in a Responsible Party's B-BBEE Strategy, their Personal Information will be collected and processed through various parties, ending with a B-BBEE Verification. In theory, because of the flow of a Data Subject's Personal Information, the process becomes more complex as the responsibility spreads to a broader network.

More often than not, an organisation will use the services of B-BBEE Consultants or an Operator to drive its Skills Development, Procurement, Enterprise Development, Supplier Development or Socio-Economic Development Solutions. It is, therefore, crucial that an organisation works with service providers that implement POPIA requirements. At any given time during the process of capturing and sharing Personal Information, the relevant Responsible Party bears the burden of proof that it obtained consent from the Data Subject from the initial interaction.

Responsible Parties must consider what historical data would be necessary for a B-BBEE Verification. Therefore, obtaining consent from Data Subjects pertaining to the last financial period must be factored into the preparation timeline of a B-BBEE Verification.

What information must a Responsible Party provide to a Data Subject when requesting their Personal Information?

Data Subjects must provide consent for their Personal Information or Special Personal Information to be processed. The request must be clear and concise in its intention. The following must be communicated to a Data Subject when requesting their Personal Information:

> What Personal Information or Special Personal Information will be collected;
> The purpose for which the information is being collected;
> What other parties will be privy to this information and the purpose for sharing it; and
> Contact details of the Information Officers or Deputy Information Officers responsible for sharing a Data Subject's Personal Information.

What are the criteria for sharing Personal Information?

POPIA provides the criteria according to which Personal Information may be processed.

1. The Data Subject, or their legal guardian if the Data Subject is a child, has provided explicit consent for processing Personal Information.
2. When a Data Subject is a party to a contract, their Personal Information needs to be processed to meet their obligations.
3. Where a Responsible Party processes Personal Information to meet legal obligations.
4. When the processing of Personal Information will protect the legitimate interest of the Data Subject.
5. The processing of Personal Information is necessary for the proper performance of a public law duty by a public body.
6. When processing is necessary to pursue a legitimate interest of the Responsible Party or a third party.

Data Subjects have the right to withdraw their consent at any time, provided there are no legal implications as mentioned in points 2 to 6 above. However, as per points 4 to 6 above, withdrawal must be made in a prescribed format, outlining the reason why.

If a Data Subject withdraws their consent, a Responsible Party may no longer use that information. If the Personal Information flows through various parties, the relevant Responsible Party must ensure the withdrawal of that Data Subject's Personal Information from each of them.

What evidence is necessary to confirm that POPIA requirements were adhered to by the Responsible Party at the time of a B-BBEE Verification?

Before embarking on a B-BBEE Verification, a B-BBEE Rating Agency may require evidence that a Data Subject gave consent to have their Personal Information processed. Responsible Parties must consider what Personal Information is necessary per scorecard indicator.

How do the POPIA requirements flow through the B-BBEE Scorecard? What are the considerations for each element?

The following outlines the necessary evidence for a B-BBEE Verification and how Personal Information flows through each element.

What are the responsibilities of a B-BBEE Rating Agency when processing Personal


The SANAS R47-03 accreditation regulations mean that B-BBEE Rating Agencies already had strict controls for the identification, storage, protection, back-up, archiving, retrieval, retention time and disposal of Personal Information.

Section 21 of the SANAS document requires the following from B-BBEE Rating Agencies:

> Requests for evidence, including the initial and ongoing B-BBEE Verifications;
> Justification of the timeframe determined for a B-BBEE Verification;
> Records of complaints and appeals, and any subsequent corrections or corrective actions;
> Adequate deliberations and decisions;
> Documentation of the findings; and
> Records of B-BBEE Verification Certificates issued.

Section 21 further stipulates that a B-BBEE Rating Agency must retain Personal Information from the current accreditation cycle plus the previous one, or otherwise as the law prescribes. Currently, the accreditation cycle is four years. Section 14 of POPIA accommodates this, as it allows records to be retained for a period required or prescribed in law or in a code of conduct.

Due to remote B-BBEE Verifications, B-BBEE Rating Agencies have adapted their security for capturing, processing and sharing data. In some cases, third parties oversee the process. The responsibility, however, lies with the B-BBEE Rating Agency to communicate clearly to its client how Personal Information will be processed, protected and ultimately destroyed.

Responsible Parties must ensure that their chosen B-BBEE Rating Agency has POPIA compliance protocols in place. A B-BBEE Rating Agency's B-BBEE Verification agreement should clearly outline what its POPIA processes are and how it safeguards, retains and destroys Personal Information.
