Free POPIA Operator Agreement Skeleton
A section 21 POPIA operator agreement skeleton for SA businesses engaging third-party data processors. Mandatory contractual elements, security measures, sub-processor approval.
Written by Martin Kotze, Attorney, Conveyancer & Notary Public
A POPIA operator agreement (also called a Data Processing Agreement or DPA) is the mandatory written contract under section 21 of POPIA between a responsible party and any operator processing personal information on its behalf. The absence of a written operator agreement is itself a contravention of POPIA. This template provides the s 21 mandatory contractual elements, the section 19 security-measures framework, breach notification mechanics, sub-processor controls, audit rights, and section 72 cross-border transfer clauses. Use it as a starting point with low-risk processors; for regulated industries, AI/ML processors, or cross-border arrangements, bespoke drafting is needed (from R6,500).
What’s in the template
What it’s not
- GDPR-aligned dual-compliance terms — these need bespoke drafting.
- Industry-specific schedules (banking, healthcare, insurance, public-sector procurement).
- AI/ML-specific processing carve-outs (training data, model-output handling).
Frequently asked
Is a POPIA operator agreement legally required?
Yes. Section 21 of POPIA requires a written contract with any operator that processes personal information on the responsible party's behalf. The absence of a written operator agreement is itself a contravention of POPIA, regardless of whether any breach has occurred. The Information Regulator can impose administrative fines up to R10 million for non-compliance.
When do I need a DPA versus this template?
A DPA (Data Processing Agreement) and a POPIA operator agreement are functionally the same thing — different names for the same contract. International vendors call it a DPA; the SA statute calls it an operator agreement. This template uses POPIA terminology but is functionally a DPA.
Can I use this with a US/EU vendor?
You can, but most international vendors will insist on their own DPA template. Use this template as a baseline for your POPIA s 21 requirements, then negotiate against the vendor's template to ensure their version meets the same standard. Common gaps in foreign DPAs are insufficient s 72 cross-border safeguards specifically for SA personal information and missing references to POPIA terminology and the Information Regulator.
How long does the operator-agreement obligation last?
It lasts throughout the term of the underlying processing relationship, plus a defined period thereafter for data return / destruction obligations. Confidentiality obligations typically survive indefinitely. Data-protection obligations end when all personal information has been returned or destroyed.
Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.
This guide is general information, not legal advice for your specific matter.