Virtually every organisation makes use of an operator – a third-party vendor or service provider – to do something, and that something often involves processing personal information for the organisation. For example, if an organisation outsources part of its IT function, the provider of the goods or services will almost certainly be processing personal information. Another example is email marketing, where an agency sends email campaigns. If a third party (operator) is processing personal information for someone else (a responsible party), there are steps that need to be taken under the POPI Act.
The organisation will fall under the definition of a “responsible party”, which is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. The third-party service provider or vendor will fall under the definition of an “operator”, which is “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. Section 21(1) and (2) of POPI will apply.
If someone processes personal information for another, there are steps that need to be taken
The obligations of the Responsible Party
You, as the responsible party, must:
- Ensure that the operator maintains the security measures referred to in section 19 of POPI; and
- Conclude a written agreement with the operator, which requires the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.
These are in any case good business practices.
The obligations of the Operator
If you are an operator, you should prepare yourself so that when a customer asks these questions you will be able to respond appropriately. This is a great way to win the trust of your customers. Sections 20 and 21 will also apply to you. You must:
- process personal information only with the knowledge or authorisation of the responsible party; and
- treat personal information which comes to your knowledge as confidential and must not disclose it,
unless required by law or in the course of the proper performance of your duties.
How we can help you
- Work out what role you play in your relationships where you process personal information together with someone else by doing a Data Protection Responsibility Assessment.
- Identify who your operators are (or who you are an operator for).
- Review all your current contracts with your operators (or responsible parties if you are an operator) and capture the key information about them that is relevant to POPI, so that the action you need to take can be identified.
- Facilitate a workshop for you to form your strategy and plan on how to deal with your operators.
- Provide you with a standalone Operator Agreement template that you can use to conclude written agreements with your operators.
- Provide you with a POPI Operator Clauses Guide and Template. It includes practical guidance and a variety of template clauses (with drafting notes) that you can include in your agreements with vendors (or service providers) who are operators. You can include them in your templates so that new agreements with operators comply. You can also use them to draft an addendum to be signed to change existing agreements.
- Train you on drafting and implementing POPI-compliant contracts and SLAs.
- Draft a new template for you to use to sign contracts with your vendors (or your customers if you are the operator).
- Draft an addendum to change existing agreements with your operators (or responsible parties if you are the operator).