- Whenever a responsible party uses an operator, there must be a written contract (or other legal act) in place.
- The contract is important so that both parties understand their responsibilities and liabilities.
- POPIA sets out what needs to be included in the contract.
- If an operator uses another organisation (i.e. a sub-operator) to assist in its processing of personal information for a responsible party, it needs to have a written contract in place with that sub-operator.
What to include in the contract
The contract (or other legal act) sets out details of the processing including:
☐ the subject matter of the processing;
☐ the duration of the processing;
☐ the nature and purpose of the processing;
☐ the type of personal information involved;
☐ the categories of data subject;
☐ the responsible party’s obligations and rights.
The contract or other legal act includes terms or clauses stating that:
☐ the operator must only act on the responsible party’s documented instructions, unless required by law to act without such instructions;
☐ the operator must ensure that people processing the information are subject to a duty of confidence;
☐ the operator must take appropriate measures to ensure the security of processing;
☐ the operator must only engage a sub-operator with the responsible party’s prior authorisation and under a written contract;
☐ the operator must take appropriate measures to help the responsible party respond to requests from data subjects to exercise their rights;
☐ taking into account the nature of processing and the information available, the operator must assist the responsible party in meeting its POPIA obligations in relation to the security of processing, the notification of personal information breaches and data protection impact assessments;
☐ the operator must delete or return all personal information to the responsible party (at the responsible party’s choice) at the end of the contract, and the operator must also delete existing personal information unless the law requires its storage; and
☐ the operator must submit to audits and inspections. The operator must also give the responsible party whatever information it needs to ensure they are both meeting their Section 20(1) obligations.
- What’s needed under POPIA?
- When is a contract needed and why is it important?
- What needs to be included in the contract?
- What responsibilities and liabilities do responsible parties have when using an operator?
- What responsibilities and liabilities do operators have in their own right?
POPIA makes written contracts between responsible parties and operators a requirement, rather than just a way of demonstrating compliance with the seventh data protection condition (appropriate security measures).
These contracts must now include specific minimum terms. These terms are designed to ensure that processing carried out by an operator meets all POPIA requirements, not just those related to keeping personal information secure.
Whenever a responsible party uses an operator to process personal information on their behalf, a written contract needs to be in place between the parties.
Similarly, if an operator uses another organisation (i.e. a sub-operator) to help it process personal information for a responsible party, it needs to have a written contract in place with that sub-operator.
Contracts between responsible parties and operators ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with POPIA, and assist responsible parties in demonstrating to data subjects and regulators their compliance as required by the accountability condition.
Contracts must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal information and categories of data subject; and
- the responsible party’s obligations and rights.
Contracts must also include specific terms or clauses regarding:
- processing only on the responsible party’s documented instructions;
- the duty of confidence;
- appropriate security measures;
- using sub-operators;
- data subjects’ rights;
- assisting the responsible party;
- end-of-contract provisions; and
- audits and inspections.
Responsible parties must only use operators that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet POPIA requirements and protect data subjects’ rights.
Responsible parties are primarily responsible for overall compliance with POPIA, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay settlements, damages in legal proceedings or be subject to fines or other penalties or corrective measures.
In addition to its contractual obligations to the responsible party, an operator has some direct responsibilities under POPIA. If an operator fails to meet its obligations, or acts outside or against the responsible party’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
An operator may not engage a sub-operator’s services without the responsible party’s prior specific or general written authorisation. If authorisation is given, the operator must put in place a contract with the sub-operator. The terms of the contract that relate to Section 21(1) must offer an equivalent level of protection for the personal information as those in the contract between the responsible party and operator. Operators remain liable to the responsible party for the compliance of any sub-operators they engage.