Legal requirements under the Protection of Personal Information Act, 2013 when engaging a third party

Monique Jefferson
When engaging a third party to process personal information it is important to establish whether that third party will be processing the personal information in the capacity of responsible party, or operator. This is because the obligations differ depending on whether the third party is acting as a responsible party or operator. A responsible party is the party who decides the purpose and the means of the processing of personal information. This is the party that exercises control and makes decisions over the personal information, and in other jurisdictions is commonly referred to as a data controller. An operator is a party that processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. The operator acts on the instructions of the responsible party, and in other jurisdictions is commonly referred to as a data processor.

If a responsible party engages an operator to process personal information of identifiable living natural persons or existing juristic persons then it is required in terms of the Protection of Personal Information Act, 2013 (“POPIA”) to conclude a written agreement with the operator in terms of which the operator agrees to only process the personal information with the knowledge or authorisation of the responsible party, unless otherwise required by law or in the course of the proper performance of its duties. Under the European Union General Data Protection Regulation (“GDPR”), a processor who acts independently of the data controller and determines the purpose and means of processing data is considered a controller (and, where applicable, a joint-controller under the GDPR).

There is no equivalent provision in POPIA, but it makes practical sense that an operator would similarly become a responsible party in relation to personal information if it determines the purpose and means of processing such information. Our view is that there is a concept of joint responsible parties under POPIA, although this is not expressly provided for. If the third party is acting in the capacity of operator then it is mandatory for there to be a written agreement with the operator setting out the provisions referred to below. If the third party is acting in the capacity of joint responsible party then a written agreement is not mandatory, although it is still recommended, to conclude an agreement with appropriate data protection provisions to ensure that the third party complies with POPIA.

Security safeguards

Under POPIA the duty is on the responsible party to ensure, in terms of a written contract with the operator, that the operator establishes and maintains reasonable technical and organisational measures to safeguard the personal information that is processed on the responsible party’s behalf. The responsible party will ultimately be liable if the operator does not comply with POPIA. It is sensible for a responsible party to expressly agree in the mandate agreement the nature and extent of the security safeguards that will be implemented and maintained by the operator, and to include a corresponding indemnity for failure to comply with such obligations. It is also advisable for the agreement to provide that the responsible party may carry out inspections to verify that the responsible party has implemented the agreed security safeguards.


Under POPIA, the operator is required to treat personal information as confidential and must not disclose it, except when the law requires it or if the operator requires disclosure in order to perform its duties. In order to minimize the risk of data breaches and comply with POPIA, a responsible party should make it a condition of the agreement that the operator will limit access to personal information to those individuals who have entered into appropriate confidentiality agreements with the operator, or are subject to a duty of confidentiality by virtue of their office.

Data breach

In the event that there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, POPIA requires an operator to notify the responsible party immediately. The responsible party must then notify the Information Regulator and the potentially affected data subject(s) within a reasonable time after reasonable suspicion that there has been a data breach.

Cross-border flows of personal information

Given that there may be instances of cross-border transfers of personal information by or to an operator on behalf of a responsible party, it is recommended that the agreement prohibits such a transfer without the responsible party’s written consent if the transfer is to a country that does not have adequate data protection laws. The reason for the inclusion of such a clause is so that the responsible party can ensure that there is a lawful justification for transferring the personal information to a country that does not have adequate data protection laws. For example, the responsible party could ensure that consent has been obtained from the data subject or that the recipient in the foreign country has entered into an appropriate data transfer agreement.

Under POPIA, the responsible party would need to ensure that prior authorisation has been obtained from the Information Regulator in circumstances where such prior authorisation is required, for example, when transferring special personal information or personal information of children to third parties in foreign countries that do not provide an adequate level of protection for the processing of personal information.

Enrol in the course: POPI Act – Understanding the essentials (eBook)

Enrol in the course: The POPI Act – what every professional should know, in a nutshell