Help center • Legal

Data Subject Rights Procedure

Version 1.0.0

The latest version of our data subject rights procedure. These pages live in the help system so they are easy to reference from registration, listings, and support.

Help home Contact support

DATA SUBJECT RIGHTS PROCEDURE

Quote My Car (Pty) Ltd (“QMC”) Version: 1.0 Effective Date: 27/11/2025

1. Introduction

This Data Subject Rights Procedure outlines how Quote My Car (Pty) Ltd (“QMC”) facilitates and responds to data subject requests under the Protection of Personal Information Act, 4 of 2013 (POPIA).

A “data subject” includes:

  • Sellers
  • Motor dealers
  • Public auction participants
  • Website users
  • Employees and contractors

This procedure ensures transparency, compliance, and a standardised internal process for handling requests.

2. Purpose of This Procedure

This procedure aims to:

  1. Ensure full compliance with POPIA
  2. Provide a structured process for handling data subject requests
  3. Protect personal information from unauthorised access
  4. Maintain audit trails of decisions and actions
  5. Empower data subjects to exercise their rights

3. Responsible Parties

3.1 Information Officer

P.G. Wessels Email: support@qmcars.co.za

Responsible for:

  • Receiving and managing all POPIA/PAIA requests
  • Ensuring correct processing and timelines
  • Maintaining logs and audit trails
  • Ensuring organisational compliance with POPIA

4. Data Subject Rights (POPIA Chapter 3)

Right Explanation
Access Obtain confirmation and copies of personal information.
Correction Correct inaccurate, outdated, or incomplete information.
Deletion Request deletion where lawful (no legal retention required).
Objection Object to specific processing activities (e.g., marketing).
Withdraw Consent Withdraw consent where processing is consent-based.
Restrict Processing Temporarily halt processing under certain conditions.
Complaint Lodge a complaint with QMC or the Information Regulator.

5. Request Submission Process

5.1 How to Submit a POPIA Request

Requests may be submitted through:

  • Email: support@qmcars.co.za
  • Physical Delivery: Stand 58, Rietvlei Heights Country Estate, Pretoria, Gauteng

Requests must include:

  • Full name
  • Contact information
  • Proof of identity (ID copy or company authorisation)
  • Description of the right being exercised
  • Supporting documentation (if applicable)

5.2 Required Forms

  • PAIA Form 2 → required for access to records
  • QMC may provide internal POPIA request templates where helpful

6. Identity Verification

Before responding to any request, QMC must:

  1. Confirm identity of the requester
  2. Confirm authority (if acting on behalf of another)
  3. Request additional documentation if needed
  4. Decline requests where identity cannot be verified

Identity verification protects against unauthorised data exposure.

7. Logging & Tracking Requests

QMC must maintain a Request Register, recording:

  • Requester’s name
  • Type of request
  • Date received
  • Verification status
  • Action taken
  • Date of response
  • Final outcome
  • Reason for any refusal

The register must be retained for 5 years.

8. Response Timeframes

QMC must respond:

  • Within 21 business days for standard POPIA/PAIA requests
  • Within 30 days if an extension is required (with written notice)

If QMC does not respond in time, the request is treated as refused.

9. Grounds for Refusal

A request may be refused if:

  • Disclosure would reveal third-party information
  • Disclosure would harm QMC’s commercial interests
  • Information is legally required to be retained
  • Identity cannot be verified
  • The request is excessive, abusive, or repetitive
  • Disclosure would breach confidentiality or POPIA

Where possible, QMC will grant partial access via redaction.

10. Detailed Processes Per Right

10.1 Right to Access

Process:

  1. Verify identity
  2. Locate data
  3. Identify and redact third-party information
  4. Provide copies and explanation of processing
  5. Log and close request

PAIA fees may apply for reproduction.

10.2 Right to Correction

Correctable information includes:

  • Names
  • Contact details
  • Outdated account information

Process:

  1. Verify identity
  2. Request proof (optional)
  3. Update records
  4. Confirm completion
  5. Log the request

10.3 Right to Deletion (“Right to be Forgotten”)

Deletion allowed only where:

  • No legal retention applies
  • Data is no longer necessary
  • Consent has been withdrawn
  • Processing was unlawful

Cannot be deleted:

  • KYC records (retain 5–7 years)
  • Bank verification logs
  • Auction history
  • Deposit and refund logs
  • Transactional and financial records

Process:

  1. Verify identity
  2. Confirm if deletion is lawful
  3. Delete or anonymise
  4. Confirm with requester
  5. Log the action

10.4 Right to Object

Applies to:

  • Direct marketing
  • Certain legitimate-interest processing
  • Profiling or behavioural analysis (if applicable)

Process:

  1. Verify identity
  2. Evaluate objection
  3. Restrict processing or modify workflows
  4. Confirm result
  5. Log the request

10.5 Right to Withdraw Consent

Applies where consent was the only basis for processing.

Does not affect:

  • KYC verification
  • Bank verification
  • Auction records
  • Fraud-prevention data
  • Legal retention obligations

10.6 Right to Restrict Processing

Used when:

  • Data accuracy is contested
  • Processing is unlawful but deletion not requested
  • Data is needed for legal claims

Processing is paused until resolved.

11. Request Outcomes

Response must be provided in writing, including:

  • Confirmation of action taken
  • Explanations or reasons for refusal
  • Fee breakdown (if applicable)
  • Next steps if requester wishes to escalate

12. Complaints Process

12.1 Internal Complaints

Submit complaints to:

Information Officer support@qmcars.co.za Subject: POPIA Complaint – {{Your Name}}

12.2 External Complaints (Information Regulator)

Website: https://inforegulator.org.za Email: complaints.IR@justice.gov.za

13. Security and Confidentiality

Throughout the request process:

  • Only authorised personnel may access data
  • Sensitive documents must be encrypted
  • Identity documents must be handled securely
  • All actions must maintain strict confidentiality

14. Review of This Procedure

This procedure will be reviewed:

  • Annually
  • After legal or operational changes
  • After any data breach or audit requirement