At the core of POPIA’s principles lies a fundamental distinction between two essential entities: the Responsible Party and the Operator. This distinction clearly outlines each party’s roles, obligations, and responsibilities in upholding data protection standards and safeguarding individuals’ privacy rights.
The Responsible Party (usually a public or private business) will set out the purpose of the processing activity, and the Operator (sub-contractors, agents, suppliers, importers, exporters, representatives, service providers, or manufacturers) will process personal information on behalf of the Responsible Party in terms of a contract or mandate without coming under the direct authority of that party.
Responsible Parties must ensure that any Operator processing personal information on their behalf complies consistently with POPIA.

Practical example of each party and their distinctive roles
A practical example would be an IT support service.
The Responsible Party receives/collects the personal information from its clients, employees, etc. The Operator will be providing the IT services to the Responsible Party. It will access the business’s personal information while delivering such services.
Implementing Data Processing Agreements
The Responsible Party is required to ensure that the Operator handling the personal information does so solely with written authorisation from the Responsible Party.
To adhere to the requirements set out in POPIA and to ensure the lawful processing of personal information, Responsible Parties are encouraged to establish standard written agreements with their Operators.

It is therefore suggested that the business incorporate a Data Processing Agreement with all its Operators. These agreements should be in place before sharing personal information with these parties.
These agreements typically outline:
- The scope of personal information being shared.
- The purpose of the data processing.
- Security measures that need to be in place to protect the personal information.
- Confidentiality obligations.
Operators need to notify the Responsible Party immediately where there are reasonable grounds to believe that the personal information of a data subject has been lost, accessed or acquired by any unauthorised person, or that a data breach has occurred. This notification ensures that swift measures can be taken to mitigate the impact and comply with legal obligations for reporting a data breach to the Information Regulator.
What does the Information Regulator say about Data Processing Agreements?
On the 31st of August 2023, the Information Regulator issued an Enforcement Notice to Dis-Chem. The Information Regulator mentioned in the Enforcement Notice the importance of ensuring that businesses conclude written contracts with all Operators who process personal information on their behalf.
The Enforcement Notice reads as follows[1]:
“ensure that it concludes written contracts with all operators who process personal information on its behalf and that such contracts compel the operator(s) to establish and maintain same or better security measures referred to in section 19 of POPIA.”
This highlights how crucial it is for a business to have Data Processing Agreements in place in order to adhere to POPIA.

Conclusion
Data Processing Agreements are essential for achieving POPIA compliance, underscoring the significance of businesses identifying their Operators and providing them with such agreements.
[1] https://inforegulator.org.za/wp-content/uploads/2020/07/FINAL-MEDIA-STATEMENT-ENFORCEMENT-NOTICE-ISSUED-TO-DISCHEM-PHARMACIES-LTD.pdf