An operator agreement (or operator contract) governs the relationship between a responsible party (as defined in POPIA) and an operator. It deals with how an operator processes personal information for the responsible party and is required by law. It is part of managing data processing relationships.

Virtually every organisation makes use of an operator – a third-party vendor or service provider who processes personal information for them. For example, if an organisation outsources part of its IT function, the provider of the goods or services will almost certainly be processing personal information. Another example is email marketing, where an agency sends email campaigns. If a third party (operator) is processing personal information for someone else (a responsible party), there are steps that need to be taken under the POPI Act.

The organisation will fall under the definition of a “responsible party”, which is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. The third-party service provider or vendor will fall under the definition of an “operator”, which is “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. Section 21(1) and (2) of POPIA will apply.

If someone processes personal information for another, there are steps that need to be taken

The obligations of the responsible party

The responsible party must:

  1. Ensure that the operator maintains the security measures referred to in section 19 of POPIA.
  2. Conclude a written agreement with the operator, which requires the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

These are in any case good business practices.

The obligations of the operator

If you are an operator, you should prepare yourself so that when a customer asks these questions you can respond appropriately. This is a great way to win the trust of your customers. Sections 20 and 21 will also apply to you. You must:

  • process personal information only with the knowledge or authorisation of the responsible party; and
  • treat the personal information which comes to your knowledge as confidential and not disclose it,

unless required by law or in the proper performance of your duties.

Operator agreement, operator contract or operator clauses

Some people call the written contract between the responsible party and the operator an operator contract or an operator agreement. Some call it a Responsible Party and Operators Agreement. Others refer to operator clauses that can be included in the broader contract between the responsible party and the operator. We prefer the term – data processing agreement. This seems to be the term most commonly used around the world and we believe is the term that should be used in South Africa as well. There are many different flavours and you get globalised ones (using global terminology) and localised ones (using local terminology like responsible party and operator in South Africa). There are lean ones and comprehensive ones. In South Africa, POPIA only requires a lean written agreement but we often advise that you include many things in it because it makes business sense.

Joint responsible parties

Multiple bodies or persons can be joint responsible parties. This happens when they collectively determine the purpose of and means for processing. In this case, they should sign a joint responsible party agreement (often called a joint controller agreement in most parts of the world). Sometimes people sign a data processing agreement with the two parties being joint responsible parties.

There are pros and cons to being a joint responsible party rather than an operator.

Actions you can take regarding operator agreements

  1. Know how to draft and implement POPIA-compliant contracts and SLAs by joining the Michalsons data protection programme and working through the managing data processing relationships module.
  2. Work out your role in your relationships where you process personal information together with another organisation by doing a Data Protection Responsibility Assessment.
  3. Identify who your operators are (or who you are an operator for).
  4. Review all your current contracts with your operators (or responsible parties if you are an operator), and capture the key information about them relevant to POPIA to identify the action you need to take.
  5. Form your strategy and plan on how to deal with your operators by asking us to facilitate a workshop for you.
  6. Get a data processing agreement template (aka operator agreement template) to conclude written agreements with your operators (or your customers if you are the operator) by asking us to draft one for you.
  7. Get a data processing addendum template (aka operator addendum) to change existing agreements with your operators (or responsible parties if you are the operator) by asking us to draft one for you.
  8. Update your existing signed agreements and templates by asking Michalsons to provide you with a POPI Operator Clauses Guide and Template. Note that this is South Africa specific. It includes practical guidance and a variety of template clauses (with drafting notes) that you can include in your agreements with your operators. You can include them in your templates so that new agreements with operators comply. You can also use them to draft an addendum to be signed to change existing agreements.