Construction Education and Training Authority (CETA) v V2 Digital and Another case centres on data migration disputes and POPIA’s provisions relating to data governance, after CETA terminated its ICT service agreement with V2 Digital.

Who should care about this judgment and why?

  • Organisations and government entities must ensure their agreements cover data governance, especially when hosting personal information in the cloud.
  • Service providers must also maintain transparent and compliant practices, especially when charging for hosting or claiming third-party involvement, to avoid legal disputes and penalties.

What could you do about it?

  • Clearly outline each party’s obligations related to the destruction and return of personal information, data migration and contract termination in all ICT service agreements.
  • Verify independence and credentials of vendors, particularly regarding BEE status and registration with the Central Supplier Database.
  • Begin data migration steps before the contract ends. Secure any necessary software or infrastructure to eliminate gaps that outgoing providers can exploit.
  • Implement agile contract management and data governance policies to monitor vendor performance and compliance proactively. Make sure that they follow the relevant provisions of POPIA.

Our insights

This judgment illustrates the significant operational and legal risks involved in managing outsourced ICT and cloud-hosted services. It highlights how contractual clarity, especially around data governance issues and data return timelines, can preempt costly disputes. Particularly for government entities, it reinforces the need for thorough due diligence when engaging service providers, ensuring full alignment with POPIA standards.

Digest

Facts

The applicant urgently requested an order for the first respondent to return its cloud-hosted data and restore its systems. The first respondent had been contractually obliged to purge all personal and confidential data in line with POPIA, yet continued to withhold access and raise additional charges.

Reasoning

The court held that the first respondent was obligated under contract to ensure a seamless data migration at the end of the agreement. It rejected the first respondent’s argument about third-party hosting costs. The court found this conduct unjustified, pierced the corporate veil between the first respondent and a deregistered related entity. The court also emphasised that service providers retain POPIA obligations throughout the data lifecycle. Consequently, the court ordered the first respondent to immediately restore full functionality of the applicant’s systems and return all cloud-hosted data.

Order

  • The court grants the applicant permission to file this case as urgent.
  • The court orders the immediate restoration and reinstatement of the applicant’s data and system functionality.
  • The first respondent is ordered to pay the costs of the application, including senior counsel on scale C.

Details of Construction Education and Training Authority v V2 Digital and Another

  • Universal citation: [2025] ZAGPPHC 248
  • Case number: 2025-024691
  • Full name: Construction Education and Training Authority (CETA) v V2 Digital (Pty) Ltd and Another (2025-024691) [2025] ZAGPPHC 248 (6 March 2025)