The eight things every SA DPA must contain
Scope of processing
Categories of personal information, categories of data subjects, the purpose, the nature of processing activities, and the duration.
Security measures
Technical and organisational measures meeting or exceeding section 19 of POPIA — encryption, access controls, intrusion detection, staff training, access policies.
Breach notification
Operator must notify the responsible party "without delay" of any security compromise. Aligned with the 72-hour reporting target the Information Regulator has indicated.
Sub-processors
Restrictions on engaging sub-operators, written consent requirements, and back-to-back obligations binding sub-processors to equivalent terms.
Audit rights
The responsible party's right to audit the operator's compliance — directly or via an independent third-party auditor.
Data subject rights assistance
The operator's obligation to assist the responsible party in responding to data-subject access, correction, and deletion requests.
Cross-border transfers
Section 72-compliant safeguards for any personal information leaving South Africa — adequacy, binding agreement, consent, or contractual necessity.
Return + destruction on termination
Mandatory return or certified destruction of all personal information at the end of the processing relationship.
Template vs bespoke — when is each appropriate?
Template suits
- Standardised SaaS vendors with many similar customers
- Single-purpose data processors (payment gateway, email delivery, analytics)
- Operator-published DPAs for self-service products
- Pre-contract negotiation starting point that will be amended
Bespoke needed when
- Regulated industries (banking, healthcare, insurance, public sector)
- Cross-border data flows that need section 72-tailored safeguards
- AI/ML processors using customer data for model training
- Multi-jurisdiction operations needing POPIA + GDPR alignment
- Custom integration arrangements with deep data access
- Audit-rights schedules customised for specific regulatory regimes
Frequently asked
Is there an official POPIA-approved DPA template published by the Information Regulator?
No. The Information Regulator has not published a standard form DPA. Section 21 of POPIA simply requires the agreement to be in writing and to ensure the operator maintains appropriate security and confidentiality. Practitioners typically adapt GDPR-template DPAs (Standard Contractual Clauses, controller-processor terms) to POPIA, replacing the GDPR-specific terminology and processing conditions with POPIA equivalents.
Can I just sign the vendor's DPA?
For low-risk processors (analytics, email delivery, transactional services) where the vendor's DPA materially aligns with POPIA — yes. For higher-risk processors (CRMs, ERP systems, customer-facing SaaS that handles personal information at scale) — review carefully. Common gaps in vendor DPAs aimed at SA customers include: insufficient section 72 cross-border safeguards; sub-processor disclosure obligations weaker than POPIA expects; audit rights restricted to once-yearly or limited to documentary review.
Who pays for an audit conducted under the DPA?
Standard SA practice: the responsible party pays for routine audits (annual or per-trigger); the operator pays if the audit reveals non-compliance and the operator is at fault. Aggressive responsible parties push for the operator to bear all audit costs; aggressive operators push for the responsible party to bear all costs regardless of findings. Either extreme is unusual in practice.
How does a POPIA DPA differ from a GDPR DPA?
POPIA terminology ("responsible party" / "operator" rather than "controller" / "processor"); POPIA additionally protects juristic persons (companies), not just natural persons; the Information Regulator is the supervisory authority, not a national DPA; section 72 cross-border transfer mechanics are POPIA-specific. A GDPR-aligned DPA can usually be adapted to POPIA with focused amendments rather than full rewriting.
What is a sensible duration for the DPA's confidentiality + return obligations?
Confidentiality obligations should survive termination for as long as the information remains confidential. Data return or destruction obligations should be triggered immediately on termination, with a defined wind-down window (30–90 days) for the responsible party to retrieve its data. Operator records of processing should be retained for the period required by POPIA section 14 or the responsible party's own retention policy, whichever is longer.
What does a POPIA-compliant DPA cost to draft?
A bespoke single-direction DPA (you as the responsible party, your vendor as operator) from R6,500 excluding VAT. A two-way / multi-purpose DPA suitable for you to offer as a SaaS vendor to many enterprise customers: R10,000–R15,000. The free DPA-skeleton template (Phase 5 deliverable, coming soon at mjkinc.co.za/templates) is intended as a starting point, not a final document.