BBBEE and IT Asset Disposal: Choosing a Compliant ITAD Partner
When a corporate replaces its IT fleet, the disposal decision carries more legal and financial weight than most procurement teams expect. In South Africa, choosing the wrong ITAD vendor can cost your organisation scorecard points, create POPIA liability, and expose you to environmental regulatory risk.
This guide gives procurement managers, CFOs, and supply chain leads a clear framework for evaluating ITAD vendors against BBBEE preferential procurement requirements, e-waste law, and data security obligations. By the end, you will know exactly what documents to request, what questions to ask, and what red flags to avoid.
Note for South Africa:
- The Amended Codes of Good Practice under the B-BBEE Act govern generic BBBEE scoring for most enterprises not covered by a sector-specific code.
- POPIA has been fully in force since July 2021. The responsible party, your organisation, retains accountability for data destruction even when using a third-party ITAD vendor.
- Extended Producer Responsibility (EPR) regulations for electrical and electronic equipment came into effect in November 2021 under the National Environmental Management: Waste Act (NEMWA), adding a separate compliance layer for any vendor handling e-waste.
At a glance:
- ITAD spend can contribute to your BBBEE preferential procurement score if the vendor holds a valid, recognised certificate.
- Supplier category (EME, QSE, or Large Entity) determines the recognition level percentage applied to your qualifying spend.
- Environmental compliance under the DFFE EPR regulations and data security under POPIA are non-negotiable requirements, separate from but linked to BBBEE.
- A structured vendor checklist and RFP criteria will protect your organisation during verification audits.
Key takeaways:
- Always verify an ITAD vendor's BBBEE certificate against the SANAS-accredited verification agency register before counting the spend.
- Request a Certificate of Destruction and chain-of-custody documentation on every disposal engagement.
- Confirm the vendor's DFFE EPR compliance before signing a disposal contract, or you share the regulatory risk.
Why ITAD Is Now a Procurement Scorecard Concern
IT asset disposal was historically treated as a facilities or IT operations task. Stricter data protection law, updated BBBEE codes, and environmental regulations have changed that. Procurement and finance teams now own the compliance outcome of every disposal decision.
The financial stakes are real. BBBEE preferential procurement is a scored element on the Generic Scorecard, and every rand of qualifying spend either supports or undermines your rating. If your ITAD vendor cannot produce a valid, recognised BBBEE certificate, that spend may contribute nothing to your score.
Beyond the scorecard, the reputational and legal risks of poor IT disposal practice are significant. Unmanaged IT asset disposal creates data breach exposure, regulatory liability under POPIA, and potential NEMWA violations, all of which can surface during an audit or an incident.
The Link Between IT Disposal and BBBEE Preferential Procurement
Preferential procurement is one of the scored elements under the B-BBEE Act and Codes of Good Practice administered by the DTIC. Points are earned based on the proportion of your qualifying procurement spend directed to BBBEE-compliant suppliers, weighted by their recognition level.
IT asset disposal is a procurement spend category. If the ITAD vendor you select holds a valid BBBEE certificate at an appropriate level, that spend counts toward your preferential procurement score. If they do not, or if their certificate is invalid, the spend is effectively invisible to your scorecard.
For JSE-listed entities, SOEs, and corporates with significant government-facing business, this is not a marginal concern. BBBEE ratings directly affect tender eligibility, contract terms, and relationships with large clients who require supply chain compliance.
How BBBEE Procurement Points Are Calculated for ITAD Spend
The mechanics of preferential procurement scoring are set out in the Amended Codes of Good Practice. The key concepts procurement teams must understand are qualifying spend, recognition levels, and supplier categorisation. Always verify current point allocations and thresholds with your BBBEE verification agency or transformation consultant, as these are subject to amendment.
Qualifying Spend, Recognition Levels, and What Counts
Not all procurement spend is measured in the same way. Qualifying spend is a defined subset of total measured procurement spend, with specific inclusions and exclusions set out in the Codes. Your verification agency will determine which categories of spend are measured for your entity.
The recognition level percentage applied to a supplier's spend depends on their BBBEE status and supplier category. The three main categories are:
- EME (Exempted Micro Enterprise): Entities below a defined annual turnover threshold. A valid BBBEE certificate or affidavit for an EME typically confers an automatic recognition level, regardless of the supplier's detailed scorecard. Confirm the applicable level with your verification agency.
- QSE (Qualifying Small Enterprise): Entities in the next turnover band above EME. A valid QSE certificate confers a recognition level based on the supplier's verified BBBEE status. Confirm the applicable recognition percentage with your verification agency.
- Large Entity: Entities above the QSE turnover threshold. Recognition level is based on the supplier's verified BBBEE level, from Level 1 (highest recognition) to Level 8 or non-compliant (no recognition).
Directing spend to black-owned or black women-owned suppliers may attract additional recognition under the preferential procurement sub-elements. Verify the current sub-element structure with your transformation consultant. The table below summarises the key decision points when evaluating an ITAD vendor for scorecard purposes.
| Vendor Category | Certificate Required | Recognition Level Basis | Key Check for Procurement |
|---|---|---|---|
| EME | Valid BBBEE certificate or sworn affidavit | Automatic level, confirm with your BBBEE verification agency (BVA) | Is the certificate current and issued by an approved body? |
| QSE | Valid BBBEE verification certificate | Based on verified BBBEE status | Is the issuing agency SANAS-accredited or IRBA-approved? |
| Large Entity | Full BBBEE verification certificate | Verified BBBEE level (1 to 8) | What is the recognition percentage and does the level trigger any threshold requirements? |
| Non-compliant or no certificate | None | Zero recognition | Spend does not contribute to your preferential procurement score. |
What to Look for in a BBBEE-Compliant ITAD Partner
Not all BBBEE certificates are equal. A certificate issued by an agency that is not accredited by SANAS or approved by IRBA will not be recognised for procurement scoring. This is one of the most common and costly errors procurement teams make when onboarding ITAD vendors.
Verification Certificates, Ownership Levels, and EME vs QSE vs Large Supplier
When assessing an ITAD vendor's BBBEE credentials, focus on these four factors:
- Certificate validity: Check the issue date and expiry date. An expired certificate does not count. Certificates are typically valid for 12 months from issue.
- Issuing body: Cross-reference the verification agency named on the certificate against the SANAS register of accredited BBBEE verification agencies (BVAs). If the agency is not on the list, the certificate is not valid for scoring purposes.
- Supplier category: Confirm whether the vendor is an EME, QSE, or Large Entity, as this determines which recognition level percentage applies to your spend.
- Black ownership percentage: If your scorecard rewards spend with black-owned or black women-owned suppliers, request proof of the ownership structure in addition to the certificate.
For organisations procuring on behalf of public entities or SOEs, also confirm that the vendor is registered on the Central Supplier Database (CSD) maintained by National Treasury. CSD registration is mandatory for public sector suppliers and consolidates tax clearance, BBBEE, and company registration verification in one place.
Some industries are governed by sector-specific BBBEE codes that override the Generic Codes. The ICT Sector Code is one example. Confirm with the DTIC or your transformation consultant whether a sector code applies to your organisation or your ITAD vendor, as this affects how spend is calculated and scored.
E-Waste and Environmental Compliance: The Regulatory Layer You Cannot Ignore
BBBEE compliance and environmental compliance are separate obligations, but they are increasingly assessed together in corporate procurement. An ITAD vendor that is BBBEE-compliant but not environmentally compliant creates a different category of risk for your organisation.
DFFE Producer Responsibility Regulations and How They Interact With ITAD
Under the National Environmental Management: Waste Act (NEMWA), the DFFE Extended Producer Responsibility regulations for electrical and electronic equipment came into force in November 2021. These regulations require producers, importers, and brand owners to register with a DFFE-approved Producer Responsibility Organisation (PRO) and meet take-back and recycling targets.
For procurement teams, the practical implication is clear. Any ITAD vendor handling your retired IT equipment must be able to demonstrate compliance with NEMWA and the EPR regulations. If they cannot, your organisation shares the regulatory risk. Request the following from any vendor you are evaluating:
- Proof of PRO membership or confirmation of EPR compliance pathway
- Details of their accredited recycling or refurbishment process
- Evidence that e-waste is not landfilled or exported illegally
JSE-listed entities and those with ESG reporting obligations have an additional reason to demand environmental compliance documentation from ITAD vendors. Responsible IT disposal is increasingly a disclosed ESG practice, and your supply chain partners' conduct reflects on your own reporting.
Data Security and Chain of Custody in a Compliant ITAD Engagement
POPIA holds the responsible party accountable for personal information even after hardware leaves your premises. If an ITAD vendor fails to securely destroy data and a breach occurs, your organisation faces potential POPIA liability regardless of which vendor handled the equipment.
Section 19 of POPIA requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent loss of or unlawful access to personal information. This obligation does not end at the point of handover to an ITAD vendor. You must be able to demonstrate that destruction was carried out.
The internationally recognised standard for media sanitisation referenced by most reputable ITAD vendors is NIST SP 800-88. It defines three sanitisation categories: clearing (software-based overwrite), purging (hardware-level techniques), and destroying (physical destruction). The method appropriate for a given device depends on the media type and the sensitivity of data stored.
Request a Certificate of Destruction from your ITAD vendor for every disposal engagement. This document should specify the asset, the destruction method, and the date of destruction. It is your primary evidence of compliance in a POPIA audit or investigation. Retain these certificates in line with your organisation's document retention policy.
Building BBBEE ITAD Criteria Into Your RFP and Vendor Assessment
The most effective way to protect your organisation is to embed compliance criteria into your RFP and vendor onboarding process before any disposal engagement begins. Ad hoc requests for certificates after the fact create audit risk and can result in spend that cannot be claimed on your scorecard.
If your organisation has a corporate IT asset disposal requirement of any scale, treat the vendor selection process with the same rigour you would apply to any significant procurement category. Define your minimum compliance requirements, document them in your RFP, and assess vendors against them before award.
A Vendor Qualification Checklist for Procurement Teams
Use this checklist as a starting point for your ITAD vendor assessment process. This is a framework for due diligence questions, not a substitute for advice from your BBBEE verification agency or legal counsel on your specific obligations.
- Valid BBBEE verification certificate: Is the certificate current? What is the issue and expiry date? What level is the supplier rated at?
- Issuing body confirmation: Is the verification agency SANAS-accredited or IRBA-approved? Cross-check against the SANAS register before accepting the certificate.
- Supplier categorisation: Is the vendor an EME, QSE, or Large Entity? What recognition level percentage applies to your spend with this supplier? Confirm with your BVA.
- Black ownership structure: What percentage of the business is black-owned or black women-owned? Does this qualify the spend for any additional preferential procurement sub-elements on your scorecard?
- CSD registration (public sector and SOEs): Is the vendor registered on the Central Supplier Database? This is mandatory for public sector procurement.
- Data destruction standard: Which standard does the vendor use for data sanitisation? Is it NIST SP 800-88 or an equivalent recognised methodology?
- Chain-of-custody documentation: Does the vendor provide a complete chain-of-custody record for each disposal job, from collection through to destruction or remarketing?
- Certificate of Destruction: Is a Certificate of Destruction issued per engagement, specifying the asset, method, and date?
- Environmental compliance: Can the vendor demonstrate PRO membership or equivalent EPR compliance under the DFFE regulations?
- Tax and VAT status: Does the vendor hold a valid VAT registration and current tax clearance certificate? Confirm these via SARS or the CSD.
- Corporate references: Can the vendor provide references from other corporate clients with similar BBBEE reporting and compliance needs?
Common Mistakes That Cost Companies Scorecard Points on IT Disposal
Most BBBEE scorecard errors on ITAD spend are avoidable. They tend to fall into a small set of recurring categories that procurement teams can guard against with a structured process.
If you are new to BBBEE ITAD procurement:
- Do not assume that any BBBEE certificate is automatically valid. Check the issuing body against the SANAS register before counting the spend.
- Do not treat IT disposal as a once-off facilities task. It is a procurement category that requires the same compliance steps as any other vendor onboarding.
- Do not skip the Certificate of Destruction request. It is your POPIA evidence and your BBBEE audit trail.
- Start by engaging your BBBEE verification agency to confirm which spend categories are measured for your entity and what recognition levels apply.
If you have managed BBBEE procurement before but are new to ITAD specifically:
- Confirm that IT disposal spend is correctly classified as qualifying spend under your measuring methodology. Your BVA will advise on this.
- Do not assume that environmental compliance and BBBEE compliance are the same thing. Verify both separately. A vendor can hold a BBBEE certificate but fail on EPR compliance.
- Review whether sector-specific BBBEE codes apply to your entity or your vendor. The ICT Sector Code, if applicable, may change how spend is measured.
- Assess whether any ITAD vendor relationship could qualify for Enterprise and Supplier Development (ESD) treatment, particularly if the vendor is a black-owned SME. Your transformation consultant can advise on conditions and eligibility.
Common mistakes that cost scorecard points, summarised:
- Accepting a BBBEE certificate without checking the issuing agency against the SANAS register.
- Using an expired certificate to claim preferential procurement points.
- Failing to retain supplier certificates as evidence for your next verification audit.
- Not specifying data destruction and environmental compliance requirements in the ITAD RFP.
- Treating ITAD spend as non-measured procurement when it may qualify as measured spend under your codes.
- Overlooking sub-element opportunities for spend with black-owned or black women-owned ITAD vendors.
Frequently asked questions
Does IT asset disposal spend automatically qualify for BBBEE preferential procurement scoring?
Not automatically. Whether ITAD spend qualifies as measured procurement spend depends on your entity's measuring methodology and how the Codes are applied to your specific circumstances. Confirm with your BBBEE verification agency which spend categories are included and excluded for your scorecard.
What makes a BBBEE certificate valid for procurement scoring purposes?
The certificate must be current (not expired), issued in respect of the correct legal entity, and issued by a SANAS-accredited verification agency or an IRBA-approved auditor. Certificates issued by bodies that are not on the SANAS register are not recognised for scorecard purposes. Always cross-check the issuing body before counting the spend.
What are our POPIA obligations when we hand over IT equipment to an ITAD vendor?
Your organisation remains the responsible party under POPIA. You must take reasonable steps to ensure that personal information stored on the hardware is securely destroyed or sanitised before or during the disposal process. A Certificate of Destruction from your ITAD vendor is the primary evidence of compliance. The obligation does not transfer to the vendor simply because you have engaged them.
Do DFFE EPR regulations apply to every company disposing of IT equipment, or only to manufacturers?
The EPR regulations under NEMWA apply primarily to producers, importers, and brand owners of electrical and electronic equipment. However, any ITAD vendor you engage to handle your retired equipment must operate within the EPR framework. If your vendor is not compliant, you are exposed to regulatory risk. Request proof of EPR compliance from every ITAD vendor you use.
Can using a black-owned ITAD vendor earn us points beyond preferential procurement?
Potentially, yes. Under certain conditions, spend with a qualifying black-owned SME ITAD vendor may be recognised under the Enterprise and Supplier Development (ESD) element of the BBBEE scorecard, in addition to preferential procurement. The conditions are specific and depend on your scorecard structure and the nature of the relationship. Engage your transformation consultant to assess whether an ESD treatment is applicable before structuring the engagement.
Wrapping up
Choosing a BBBEE-compliant ITAD partner is not a box-ticking exercise. It requires the same procurement discipline as any other vendor category, with the added complexity of environmental law and data protection obligations. Get it right and your ITAD spend actively supports your BBBEE scorecard. Get it wrong and you face audit risk, scorecard shortfalls, and potential regulatory liability on three separate fronts.
- Verify every BBBEE certificate against the SANAS register before counting spend, and retain certificates for your audit file.
- Confirm the vendor's supplier category (EME, QSE, or Large Entity) and the recognition level that applies to your spend.
- Demand a Certificate of Destruction and chain-of-custody documentation on every disposal engagement to satisfy POPIA obligations.
- Check DFFE EPR compliance separately from BBBEE, and request evidence of PRO registration or an equivalent compliance pathway.
- Embed BBBEE, POPIA, and EPR criteria into your ITAD RFP from the outset, not after vendor selection.
This is educational content, not financial advice.