Every time a South African business uses a cloud service, engages a payroll bureau, outsources customer support, or integrates a third-party analytics tool, it is likely sharing personal information with an external party that processes that information on its behalf. Under the Protection of Personal Information Act 4 of 2013 ("POPIA"), the relationship between the business (the "responsible party") and the external processor (the "operator") must be governed by a written contract -- commonly referred to as a data processing agreement or operator agreement. For a broader overview of technology law issues, see our Software & Technology Law hub.
The absence of a properly drafted operator agreement exposes the responsible party to administrative fines of up to R10 million, civil liability to data subjects, and enforcement action by the Information Regulator. Despite this, many South African businesses continue to rely on informal arrangements, generic service-level agreements, or international data processing addenda that do not address POPIA's specific requirements.
What is a Data Processing Agreement?
A data processing agreement ("DPA") -- referred to in POPIA terminology as an "operator agreement" -- is a legally binding contract between a responsible party and an operator that sets out the terms on which the operator may process personal information on behalf of the responsible party. The term "data processing agreement" is borrowed from EU data protection parlance, while "operator agreement" is the South African equivalent under POPIA.
Section 1 of POPIA defines an "operator" as "a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party." The operator is distinguished from an employee (who operates under the responsible party's direct authority) and from an independent responsible party (who determines its own purposes and means of processing).
Key Terminology
- Responsible party: The person who alone, or in conjunction with others, determines the purpose and means of processing personal information (equivalent to the GDPR "controller")
- Operator: A person who processes personal information for a responsible party under a contract or mandate (equivalent to the GDPR "processor")
- Processing: Any operation concerning personal information, including collection, storage, modification, retrieval, consultation, use, disclosure, distribution, merging, linking, restriction, degradation, erasure, or destruction
The distinction between a responsible party and an operator is critical because it determines the allocation of POPIA obligations. The responsible party bears primary accountability to data subjects and the Information Regulator. The operator's obligations flow from the operator agreement rather than directly from POPIA (although the operator is independently bound by POPIA's security safeguard requirements under section 19).
When is an Operator Agreement Required Under POPIA?
Section 21 of POPIA requires that where a responsible party engages an operator to process personal information on its behalf, the processing must be governed by a written contract. This requirement is triggered whenever personal information is shared with a third party that processes it according to the responsible party's instructions, rather than for its own independent purposes.
Common scenarios that require an operator agreement include:
- Cloud services: SaaS, PaaS, and IaaS providers that store or process customer data. For a detailed discussion, see our guide to cloud computing contracts and data sovereignty.
- Payroll and HR outsourcing: Bureau providers that process employee personal information on behalf of the employer
- Marketing platforms: Email marketing services, CRM platforms, and analytics tools that process customer contact details and behavioural data
- IT managed services: Providers that access client systems for maintenance, monitoring, or support and may incidentally access personal information stored on those systems
- Call centres and customer support: Outsourced service desks that access customer records to resolve queries
- Document storage and archiving: Physical or digital document management providers that store records containing personal information
An operator agreement is not required where the third party processes personal information as an independent responsible party -- that is, where it determines the purposes and means of processing for its own account. For example, when a business shares employee details with SARS for tax purposes, SARS is not an operator; it is an independent responsible party processing the information for its own statutory purposes. The distinction can be subtle and should be assessed on a case-by-case basis.
Mandatory Contents -- What Must Be Included
Section 21 of POPIA prescribes the minimum content requirements for an operator agreement. While POPIA does not mandate a specific format or template, the agreement must address the following elements as a minimum:
Processing Only on Instructions
The operator must process personal information only with the knowledge or authorisation of the responsible party. This clause ensures that the operator does not repurpose the personal information for its own benefit -- for example, using customer email addresses for the operator's own marketing campaigns.
Security Safeguards
The operator must establish and maintain the security measures referred to in section 19 of POPIA. The agreement should specify the technical and organisational security measures the operator must implement, aligned with section 19's requirement to secure the "integrity and confidentiality" of personal information. This includes encryption, access controls, audit logging, and incident response procedures.
Confidentiality
The operator must treat all personal information as confidential and must not disclose it unless required by law or with the responsible party's prior written consent. If the operator engages employees or contractors to process personal information on behalf of the responsible party, those individuals must be bound by confidentiality obligations. The agreement should require the operator to ensure that all personnel who access personal information are aware of, and comply with, the operator's confidentiality and security obligations.
Notification of Security Compromises
The operator must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Section 22 of POPIA imposes notification obligations on the responsible party (to the Information Regulator and to data subjects), but the responsible party can only fulfil these obligations if the operator reports breaches promptly. The agreement should specify a maximum notification timeframe -- ideally 24 to 48 hours.
Return or Destruction of Personal Information
Upon termination of the agreement, the operator must return all personal information to the responsible party or destroy it, unless retention is required by law. The agreement should specify the format for return, the timeline for completion, and the method of destruction (with certification).
Responsible Party Liability for Operator Breaches
One of the most consequential aspects of POPIA's operator framework is that the responsible party is not absolved of liability merely because it has outsourced processing to an operator. Section 21(2) provides that the responsible party must ensure that the operator "establishes and maintains" the required security measures. If the operator fails to do so, the responsible party may be held liable to data subjects under section 99 and may face enforcement action by the Information Regulator.
This principle of vicarious accountability means that the responsible party must exercise due diligence in selecting its operators and must actively monitor the operator's compliance with the operator agreement. A responsible party that simply signs an operator agreement and then ignores the operator's security posture has not discharged its POPIA obligations.
Due Diligence Obligations
The responsible party should, at minimum:
- Assess the operator's security capabilities before engaging it -- request evidence of ISO 27001 certification, SOC 2 reports, or equivalent standards
- Include audit rights in the operator agreement and exercise them periodically
- Monitor the operator's breach notification track record and incident response capability
- Maintain a register of all operators and the categories of personal information each operator processes
- Review and update operator agreements annually to reflect changes in processing activities, security standards, and regulatory guidance
POPIA vs GDPR -- How Operator Agreements Differ from DPAs
Businesses that operate across jurisdictions -- or that use international SaaS platforms -- often encounter both POPIA operator agreements and GDPR data processing agreements. While the two frameworks share a common conceptual foundation (both derived from the OECD Privacy Guidelines and the EU Data Protection Directive), there are important differences that affect drafting and compliance strategy.
Key Differences
- Prescriptiveness: Article 28 of the GDPR contains a detailed list of mandatory DPA contents (subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, and the controller's obligations). POPIA section 21 is less prescriptive -- it requires a written contract but does not enumerate specific clauses. Best practice is to include the GDPR-style detail in a POPIA operator agreement to demonstrate compliance.
- Processor direct liability: Under the GDPR, processors can be directly liable to data subjects and supervisory authorities for their own GDPR breaches. Under POPIA, operator liability is primarily contractual -- the Information Regulator's enforcement powers are directed at the responsible party, although the operator is independently bound by section 19's security safeguard requirements.
- Sub-processing: The GDPR explicitly addresses sub-processing in Article 28(2) and (4), requiring prior authorisation and flow-down of obligations. POPIA does not expressly address sub-processing, but the responsible party's accountability under section 21 implicitly requires control over downstream processors.
- Breach notification timelines: The GDPR requires processors to notify controllers "without undue delay" upon becoming aware of a breach (Article 33(2)). POPIA section 22 requires notification "as soon as reasonably possible" -- the practical expectation is similar, but the contractual agreement should specify a precise timeframe to remove ambiguity.
For businesses subject to both POPIA and the GDPR -- such as South African companies with EU customers, or EU companies with South African operations -- a single operator agreement can be drafted to satisfy both regimes. This requires careful mapping of the requirements and, where the two laws diverge, applying the stricter standard.
Sub-processing -- Chains of Operators
In modern technology ecosystems, processing chains are common. A SaaS provider (the primary operator) may use a cloud infrastructure provider (a sub-operator) to host its platform, a third-party email service (another sub-operator) to deliver transactional emails, and an analytics platform (yet another sub-operator) to monitor service performance. Each link in the chain introduces additional data protection risk.
POPIA does not expressly regulate sub-processing, but the responsible party's accountability under section 21 extends to the entire processing chain. If a sub-operator suffers a security breach, the responsible party remains answerable to data subjects and the Information Regulator. The operator agreement must therefore address sub-processing comprehensively.
Sub-processing Clauses Should Address
- Prior authorisation: Whether the operator requires specific or general prior authorisation from the responsible party before engaging a sub-operator. Specific authorisation (naming each sub-operator) provides more control; general authorisation (requiring only advance notice) is more practical for cloud providers with frequently changing sub-operator lists.
- Flow-down of obligations: The operator must impose on each sub-operator the same data protection obligations that the operator agreement imposes on the operator. This creates a contractual chain of protection that extends to the end of the processing chain.
- Right to object: The responsible party should have the right to object to the appointment of a sub-operator on reasonable grounds (e.g., the sub-operator's jurisdiction, security posture, or track record). If the objection cannot be resolved, the responsible party should have the right to terminate the agreement without penalty.
- Operator liability for sub-operators: The operator should remain fully liable to the responsible party for the acts and omissions of its sub-operators. This avoids a situation where the responsible party must pursue an unfamiliar sub-operator in a foreign jurisdiction to obtain redress.
Template Guidance -- Key Clauses
While every operator agreement must be tailored to the specific processing activity and risk profile, the following clause framework provides a starting point for POPIA-compliant operator agreements.
Definitions and Interpretation
Define "personal information," "processing," "responsible party," "operator," "data subject," "security compromise," and other key terms by reference to POPIA. Where the agreement also addresses GDPR, include cross-references to the equivalent GDPR terminology.
Scope and Purpose of Processing
Describe the specific personal information to be processed, the categories of data subjects, the nature and purpose of the processing, and the duration of the processing. This clause anchors the agreement and ensures the operator cannot process personal information beyond the agreed scope.
Operator Obligations
Set out the operator's core obligations: process only on the responsible party's documented instructions; ensure personnel are bound by confidentiality; implement the agreed security measures; assist with data subject requests; notify breaches within the agreed timeframe; cooperate with audits; and return or destroy personal information on termination.
Security Measures
Annex the specific technical and organisational measures the operator must implement. This should cover encryption standards, access control mechanisms, vulnerability management, penetration testing, backup procedures, and physical security. Reference section 19 of POPIA and, where applicable, relevant industry standards (ISO 27001, SOC 2).
Breach Notification
Require the operator to notify the responsible party within a specified period (e.g., 24 or 48 hours) of becoming aware of a security compromise. Specify the information the notification must contain (nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken to address the breach).
Cross-Border Transfers
If the operator will process personal information outside South Africa, specify the jurisdictions involved and the legal basis for the transfer under section 72 of POPIA. Require the operator to notify the responsible party before transferring personal information to any new jurisdiction.
Indemnification and Liability
Include an indemnification clause under which the operator indemnifies the responsible party for losses arising from the operator's breach of the agreement or of POPIA. Consider whether liability should be capped and, if so, ensure the cap is proportionate to the risk profile of the processing activity.
Audit Rights
Grant the responsible party the right to audit the operator's compliance with the agreement, either directly or through an independent third-party auditor. Specify the frequency, scope, and notice period for audits. Alternatively, accept the operator's independent audit reports (SOC 2, ISO 27001) subject to the reports being current and covering the relevant services.
Practical Steps for SaaS Vendors and Enterprise Clients
The operator agreement sits at the centre of the data protection relationship between technology vendors and their customers. Both sides have an interest in getting the agreement right -- vendors because a robust operator agreement builds customer trust and reduces dispute risk, and enterprise clients because the agreement is their primary mechanism for controlling how their data is handled.
For SaaS Vendors
- Prepare a standard DPA: Draft a POPIA-compliant data processing addendum that can be appended to your standard terms of service. Make it available on your website for enterprise customers to review during procurement.
- Maintain a sub-operator register: Publish a list of your sub-operators on your website or in your trust centre. Include the sub-operator's name, location, and the processing function it performs. Notify customers before adding new sub-operators.
- Invest in certifications: ISO 27001 and SOC 2 Type II reports significantly reduce friction in enterprise sales cycles. They also demonstrate compliance with POPIA's section 19 security safeguard requirements.
- Build data export tools: Make it easy for customers to export their data in standard formats. This satisfies the return-of-data obligation and reduces churn friction.
For Enterprise Clients
- Audit your operator ecosystem: Compile a comprehensive register of all operators that process personal information on your behalf. Assess whether each relationship is governed by a POPIA-compliant operator agreement.
- Do not accept generic DPAs uncritically: International SaaS providers often offer a single global DPA that references the GDPR but does not mention POPIA. Request a POPIA-specific addendum or negotiate amendments to ensure South African compliance.
- Include operator management in your POPIA compliance programme: Operator management is not a procurement exercise alone -- it requires ongoing monitoring, periodic audits, and documented evidence of oversight. The Information Regulator will expect to see this evidence in the event of an investigation.
- Plan for termination: Ensure every operator agreement includes clear data return and destruction procedures. Test these procedures before you need them -- a vendor migration under pressure is not the time to discover that data export is impractical.
Need Help Drafting an Operator Agreement?
Data processing agreements are a cornerstone of POPIA compliance for any business that outsources processing activities. MJ Kotze Inc advises both technology vendors and enterprise clients on drafting, reviewing, and negotiating POPIA-compliant operator agreements -- from standard-form DPAs for SaaS platforms to bespoke operator agreements for complex processing arrangements involving multiple jurisdictions and sub-processing chains.
Related Topics
- Cloud Computing & Data Sovereignty: Legal considerations for cloud service agreements, data residency, and cross-border data transfers in South Africa
- ECTA & Electronic Contracts: The legal framework for electronic transactions and e-commerce compliance in South Africa
- Software & Technology Law Hub: Our complete guide to legal issues in the South African technology sector