Security, breaches & governance

Operators: your providers, your problem

Section 21 requires a written contract with everyone who processes for you — the Dis-Chem enforcement turned on exactly this.


Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
An operator is anyone who processes personal information for you on contract or mandate — payroll bureaus, cloud hosts, marketing platforms, collections agencies. Section 21(1) requires a written contract obliging the operator to establish and maintain the section 19 security safeguards, and section 21(2) obliges the operator to notify you immediately of any suspected compromise. When Dis-Chem’s provider was breached (±3.6 million records), the enforcement notice turned heavily on the missing operator agreement.

Who is an operator?

Source — the actual words

“‘operator’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;”

Protection of Personal Information Act 4 of 2013, s 1, definition of “operator” (Department of Justice PDF)

Your payroll bureau, bulk-SMS and email platforms, cloud and hosting providers, IT support with admin access, the debt-collection agency on mandate, the managing agent, the shredding company — operators all. Your own employees are not (they act under your direct authority); a provider deciding its own purposes for the data is not an operator but a responsible party in its own right, which changes the analysis entirely.

The written-contract duty

Section 20 requires the operator to process only with your knowledge or authorisation and to keep the information confidential. The contracting duty, though, sits on you:

Source — the actual words

“A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.”

Protection of Personal Information Act 4 of 2013, s 21(1) (Department of Justice PDF)

And section 21(2): the operator “must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.” Immediately — because your section 22 clock starts running on discovery, and you cannot notify what your provider sat on. A practical starting point is the firm’s free POPIA operator agreement template.

The Dis-Chem lesson

This is not paperwork for its own sake. When Dis-Chem’s e-statement service provider, Grapevine, was brute-forced in 2022 — roughly 3.6 million data subjects’ records — the Regulator’s enforcement notice turned heavily on the fact that Dis-Chem had failed to “enter into an operator agreement with Grapevine and ensure that Grapevine has adequate security measures in place to secure personal information in its possession.” Dis-Chem complied with the notice and the file closed without a fine — but the finding stands as the canonical statement of the rule: the breach was the provider’s; the accountability was the client’s. Full details on the enforcement tracker.

Your operator inventory

  • List every provider that touches personal information for you — payroll, IT, cloud, marketing platforms, collections, destruction
  • Check each for a written contract covering s 19 security and s 21(2) immediate breach notification
  • For global SaaS, locate the data-processing agreement in the terms and file it — that is your s 21 evidence
  • Flag foreign processing (including a provider’s offshore sub-processors) for a s 72 gateway; the provider’s DPA is usually the binding agreement you rely on
  • Re-verify annually and whenever a provider changes hands or platforms

Frequently asked questions

Is my cloud provider an operator?

Yes — a host processing (storing is processing) personal information for you on contract is an operator. With the global providers the data-processing agreement in their standard terms typically does the section 21 work; verify it covers security and immediate breach notification.

What must an operator agreement contain?

At minimum: processing only with your knowledge or authorisation, confidentiality (s 20), establishment and maintenance of the section 19 security measures (s 21(1)), and immediate notification of suspected compromises (s 21(2)). Sub-operator controls and cross-border terms are the sensible extensions.

Who answers to the Regulator when an operator is breached — them or me?

You. Accountability (s 8) keeps the responsible party answerable for processing done on its behalf, and section 22 notification duties are yours. The operator’s duty is to tell you immediately; yours is everything that follows.

What if my operator uses foreign sub-processors?

That is a cross-border transfer needing a section 72 gateway — typically the binding-agreement gateway through the provider’s DPA, which should impose onward-transfer limits substantially similar to section 72 itself.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.