
Data Sharing Agreements Under POPIA

Responsible-party-to-responsible-party sharing — group companies, referral partners, co-branded products and data pools — and why a data sharing agreement is not the same document as your operator agreement (DPA).

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer

A data sharing agreement governs the disclosure of personal information from one responsible party to another responsible party that will use it for its own purposes — joint ventures, referral arrangements, group companies, co-marketing. It is fundamentally different from a POPIA section 21 operator agreement (DPA), where the recipient processes only on the discloser's instructions and never for itself. POPIA does not name "data sharing agreements", but sharing is itself processing: the discloser needs a lawful ground for the disclosure (consent, legitimate interest, contract), the new use must pass the section 15 further-processing compatibility test, and the recipient takes on its own full set of responsible-party duties — notice (s 18), security (s 19), breach reporting (s 22) — from the moment it receives the data. Bespoke drafting from R8,500.

Data sharing agreement vs operator agreement (DPA) — the table

This is the single most confused distinction in SA data protection practice. Both documents move personal information between two businesses, so they get treated as interchangeable — they are not. The test is simple: does the recipient use the data for its own purposes? If yes, the recipient is a responsible party and you need a data sharing agreement. If the recipient only processes on your instructions — a hosting provider, a payroll bureau — it is an operator, and POPIA section 21 makes a written operator agreement mandatory.

Who decides the purpose
Data sharing agreement: Both parties. The recipient uses the personal information for its own purposes and makes its own processing decisions.
Operator agreement (DPA): The discloser alone. The operator processes only on the responsible party's instructions and may not repurpose the data.

Who faces the Regulator
Data sharing agreement: Each party independently. Both are responsible parties in their own right, each accountable for its own processing.
Operator agreement (DPA): The responsible party. The operator's own statutory duties are narrow: section 20 (process only with the responsible party's knowledge or authorisation, and keep the information confidential) and section 22(2) (notify the responsible party of a compromise). Section 21 puts the onus on the responsible party to ensure, by written contract, that the operator maintains the section 19 security safeguards.

Which POPIA sections drive it
Data sharing agreement: Section 15 (further-processing compatibility), section 18 (notification, including the source of indirectly collected data), section 69 (direct marketing), section 72 (offshore recipients).
Operator agreement (DPA): Section 20 read with section 21 (mandatory written operator agreement), section 19 (security), section 22 (breach reporting to the responsible party).

Typical scenarios
Data sharing agreement: Group companies sharing customer data, referral partnerships, joint ventures, co-branded products, industry data pools, due-diligence disclosures.
Operator agreement (DPA): Cloud hosting, payroll bureaux, analytics platforms, outsourced call centres, and any other vendor processing on your behalf.

Getting the classification wrong cuts both ways. Paper a true sharing arrangement as a DPA and the "operator" breaches the contract the moment it uses the data for itself — which was the whole point of the deal. Paper a true outsourcing arrangement as a sharing agreement and you have skipped the written operator agreement that section 21 actually requires.

When you need one

Any time personal information moves to a party that will make its own decisions about it, a data sharing agreement is how the discloser evidences a lawful disclosure and the recipient accepts the duties that come with the data. The recurring scenarios:

Group companies sharing customer data

A holding company centralising CRM, marketing or credit data across subsidiaries. Each company is a separate responsible party — the corporate structure does not merge their POPIA identities.

Referral partnerships

A broker, agent or platform passing client details to a product provider that will contract with the client directly and use the data for its own onboarding and compliance.

Co-branded products

Two businesses launching a joint offering where both need the customer base — each will run its own communications, billing and analytics on the shared records.

Industry data pools

Credit bureaux feeds, fraud-prevention consortiums, insurance claim registers — multiple participants contribute and consume personal information for their own risk decisions.

Due-diligence disclosures

M&A and investment processes where employee, customer or supplier records are disclosed to a buyer or funder that analyses them for its own transaction purposes.

The eight clauses that matter

1. Defined datasets + permitted purposes

A schedule itemising exactly which categories of personal information are shared, about which data subjects, and the specific purposes the recipient may use them for. Everything outside the schedule is prohibited.

2. Lawful-ground warranty + data-subject notice

The discloser warrants it has a lawful ground to disclose (consent, contract performance, legitimate interest) and that data subjects were notified. The recipient, collecting from a source other than the data subject, must address its own section 18 notification — including identifying the source.

3. Purpose limitation + further-processing restraints

The recipient commits not to process the data for purposes incompatible with the purpose of collection. Section 15's compatibility test binds both sides — the agreement should hard-code the permitted purposes and require fresh agreement (and fresh lawful grounds) for anything new.

4. Security minimums on both sides

Section 19 binds each responsible party independently, so the agreement should set minimum technical and organisational measures for both — encryption in transit, access controls, and secure transfer mechanics for the handover itself.

5. Data-subject rights handling

Who answers access and correction requests? Each party answers for its own copy of the data, but the agreement should require the parties to route misdirected requests to each other and to propagate corrections and deletions across both datasets.

6. Breach notification + section 22 allocation

Each party must report compromises of the shared data to the other, and each carries its own section 22 duty to notify the Information Regulator and affected data subjects "as soon as reasonably possible". The agreement should allocate who leads on a joint incident and how communications are coordinated.

7. Cross-border restrictions

If a recipient (or its infrastructure) is outside South Africa, the onward transfer must satisfy a section 72 ground — typically a binding agreement imposing substantially similar protections, or data-subject consent. The agreement should prohibit offshore transfers that bypass this.

8. Term + return or destruction

How long the sharing arrangement runs, what happens to already-shared data on termination, and certified destruction or return mechanics — recognising that the recipient may have independent legal retention obligations for some records.

Direct marketing traps

The most dangerous data sharing deals are the ones built for marketing. Section 69 of POPIA makes unsolicited electronic direct marketing — email, SMS, automated calls — opt-in: the data subject must have consented, or fall within the narrow existing-customer exception. That exception belongs to the business that obtained the contact details in the context of a sale of its own product or service. It does not travel with the list. A partner receiving your customer list cannot rely on your customer relationship to message them.

That makes bought and shared lists radioactive without consent provenance: a documented trail proving each data subject opted in to marketing from third parties in your category. If the discloser cannot produce that trail, the recipient is sending unlawful marketing from message one — and the Information Regulator has made direct marketing an enforcement priority. A properly drafted sharing agreement warrants provenance, attaches the consent records, and indemnifies the recipient if the warranty fails. If the deal cannot survive that clause, the list should not change hands.

Group companies are not exempt

POPIA has no intra-group exemption. A holding company and its subsidiaries are separate juristic persons, and each is its own responsible party for the personal information it holds. "It stays within the group" is a comfort for the boardroom, not a lawful ground: when Subsidiary A passes its customer database to Subsidiary B for B's own marketing or credit decisions, that is a disclosure to a third party in POPIA's eyes — needing a lawful ground, a section 15 compatible purpose, and section 18 notice, exactly as if B were a stranger.

The practical fix is an intra-group data sharing protocol: one agreement signed by every group entity that defines the shared datasets, the permitted purposes per entity, the security baseline, and who answers data-subject requests. Add section 72 mechanics where group members sit offshore — a common gap in SA groups with Mauritian, UK or Dutch holding structures. One document, refreshed as entities join or leave the group, replaces an unmanageable web of bilateral agreements.

Frequently asked

What is the difference between a data sharing agreement and a DPA (operator agreement)?

A data sharing agreement governs disclosure from one responsible party to another responsible party that will use the personal information for its own purposes — both parties decide their own "why" and "how", and each is independently accountable under POPIA. A DPA (operator agreement under section 21) governs a vendor that processes only on your instructions and for your purposes. Section 21 makes the operator agreement mandatory and in writing; POPIA does not name "data sharing agreements" at all, but the sharing itself is processing that must be lawful, so a written agreement is how prudent parties evidence and allocate those duties.

Is sharing personal information legal under POPIA?

Yes — provided the discloser has a lawful ground for the disclosure (consent, performance of a contract, a legal obligation, or the legitimate interests of the parties or the data subject) and the recipient's intended use is compatible with the purpose for which the information was originally collected (the section 15 further-processing test). Sharing without a lawful ground, or for an incompatible new purpose, is unlawful processing — regardless of how good the contract between the parties is.

Do group companies need data sharing agreements between themselves?

Yes, in substance. POPIA contains no intra-group exemption: a holding company and each subsidiary are separate juristic persons and separate responsible parties. Customer data collected by one company cannot simply flow to a sister company for that company's own use without a lawful ground, a compatible purpose, and section 18 notice. An intra-group data sharing agreement (or a group data-sharing protocol signed by all entities) is the standard way to document this.

Can I share my customer list with a marketing partner?

Only after a section 69 analysis. Electronic direct marketing (email, SMS, automated calls) to consumers requires opt-in consent unless the narrow existing-customer exception applies — and that exception belongs to the party who obtained the details in the course of a sale, not to a partner receiving the list. Bought or shared lists are radioactive without consent provenance: the recipient must be able to prove that each data subject consented to marketing from third parties. The agreement should warrant provenance and carry an indemnity for unlawful marketing.

Who is liable if the recipient misuses the shared data?

Each responsible party is liable for its own processing. Once the data is handed over, the recipient answers to data subjects and the Information Regulator for what it does with its copy — the discloser is not automatically liable for the recipient's misuse. But the discloser remains accountable for the disclosure itself (was there a lawful ground? was the purpose compatible?), and a careless handover to an obviously non-compliant recipient is the discloser's own contravention. The agreement allocates contractual recourse — warranties, indemnities and termination rights — on top of each party's statutory position.

Does sharing data with an offshore recipient change anything?

Yes. Disclosure to a recipient outside South Africa is a cross-border transfer under section 72, which is prohibited unless a transfer ground applies — most commonly a binding agreement that imposes protections substantially similar to POPIA's conditions, or the data subject's consent. The data sharing agreement itself usually serves as that binding agreement, which is why the POPIA clauses must be substantive, not decorative, when the counterparty is offshore.

What must data subjects be told when their data is shared?

Section 18(1) requires the responsible party collecting the information to take reasonably practicable steps to make the data subject aware of, among other things, what is being collected, the collector's identity, the purpose, and — where the information is not collected directly from the data subject — the source it came from. In a sharing arrangement this means the discloser's privacy notice should disclose the categories of recipients, and the recipient must give its own notice identifying the discloser as the source, unless a section 18(4) exception applies.

What does a bespoke data sharing agreement cost in SA?

From R8,500 for a bilateral responsible-party-to-responsible-party agreement with defined datasets and permitted purposes. Multi-party arrangements (group protocols, industry data pools) and agreements doubling as section 72 transfer instruments for offshore recipients are quoted on scope.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.