Skip to main content

In today’s data-driven world, organisations must ensure that personal information is processed securely and in compliance with relevant laws. The Protection of Personal Information Act (POPIA) in South Africa mandates specific requirements for data protection. Section 21 of POPIA requires responsible parties to enter into an operator agreement with operators regarding their processing of personal information.

This post explores:

  • what an operator agreement is;
  • why companies need one;
  • what POPIA requires; and
  • how to implement such an agreement effectively.

What is an operator?

An operator, in the context of South Africa’s POPIA, refers to a third-party service provider that processes personal information on behalf of a responsible party.

Key characteristics of an operator under POPIA

  1. Third-party role: Operators are external entities that manage data processing activities for another organisation (the responsible party).
  2. Processing based on instructions: Operators process personal information strictly based on the instructions provided by the responsible party. They don’t have the authority to determine the purposes or means of processing the data.
  3. Bound by contract: The relationship between the responsible party and the operator is governed by a legally binding contract (the operator agreement). This agreement outlines the responsibilities and obligations of the operator in handling the data securely and in compliance with POPIA.
  4. Data protection obligations: Operators must implement appropriate technical and organisational measures to ensure data security and protect personal information from unauthorised access, loss, or damage. They must also maintain confidentiality and report any data breaches to the responsible party without undue delay.

What is an operator agreement?

An operator agreement is a legally binding document that outlines the responsibilities and obligations of both the responsible party and the operator regarding the processing of personal information.

This agreement ensures that the operator processes personal information:

  • with the responsible party’s authorisation;
  • securely;
  • and in compliance with POPIA.

Why do companies need an operator agreement?

Legal compliance

POPIA requires responsible parties to have agreements in place with operators to ensure that personal information is processed in line with legal requirements. Non-compliance can result in significant fines and legal penalties. An operator agreement helps ensure that a company complies with POPIA and avoids potential legal issues.

Protecting data subjects

An operator agreement ensures that personal information is processed securely and according to the principles of POPIA. This helps protect the rights and privacy of individuals whose data is being processed.

Risk management

Engaging third-party operators introduces additional risks related to data handling. An operator agreement helps identify and mitigate these risks by setting clear expectations and responsibilities for data processing activities.

Building trust

A clear and comprehensive operator agreement demonstrates an organisation’s commitment to data protection, building trust and confidence among customers, partners, and stakeholders.

What POPIA requires

Conditions for lawful processing

POPIA sets out conditions for the lawful processing of personal information, which must be adhered to by both the responsible party and the operator. These include:

  • Accountability: ensuring that personal information is processed in compliance with POPIA.
  • Processing limitation: processing personal information lawfully and reasonably.
  • Purpose specification: collecting personal information for a specific, explicitly defined, and lawful purpose.
  • Further processing limitation: ensuring that further processing is compatible with the original purpose of collection.
  • Information quality: ensuring that personal information is complete, accurate, and updated.
  • Openness: maintaining transparency about data processing practices.
  • Security safeguards: implementing appropriate technical and organisational measures to secure personal information.
  • Data subject participation: allowing data subjects to access and correct their personal information.

Operator obligations

POPIA requires operators to adhere to the following obligations:

  • Processing: only process personal information based on the instructions of the responsible party.
  • Confidentiality: ensure that all employees and parties involved in processing personal information are bound by confidentiality agreements.
  • Security: implement appropriate security measures to protect personal information from loss, damage, and unauthorised access.
  • Data breach notification: notify the responsible party immediately in the event of a data breach.
  • Audit and monitoring: allow the responsible party to audit and monitor data processing activities to ensure compliance with POPIA.

Key components of an operator agreement

Introduction

An overview of the agreement’s purpose and the parties involved (responsible party and operator).

Scope

Defines the data processing activities covered by the agreement, including the nature, purpose, and duration of the processing.

Responsibilities of the operator

Outlines the responsibilities of the operator, such as ensuring data confidentiality, implementing security measures, and complying with the responsible party’s instructions.

Responsibilities of the responsible party

Details the responsibilities of the responsible party, including providing clear instructions to the operator and ensuring compliance with POPIA.

Data subject rights

Describes how the operator will assist the responsible party in responding to data subject rights requests, such as access, rectification, and deletion.

Security measures

Details the technical and organisational measures the operator must implement to protect personal information.

Data breach notification

Outlines the operator’s obligation to notify the responsible party of any data breaches without undue delay.

Audit and monitoring rights

Provides the responsible party with the right to audit and monitor the operator’s data processing activities to ensure compliance with the agreement and POPIA.

Termination and data deletion

Specifies the conditions for terminating the agreement and the requirements for returning or deleting personal information upon termination.

Implementing an operator agreement

Identify data processing activities

Identify all data processing activities that involve third-party operators. Understand the nature, purpose, and scope of these activities.

Draft the agreement

Draft a comprehensive operator agreement that includes all the key components outlined above. Ensure the agreement aligns with POPIA requirements and data protection principles.

Engage with operators

Share the operator agreement with your third-party operators and negotiate terms as necessary. Ensure they understand and agree to their obligations under the agreement.

Implement security measures

Ensure that both the responsible party and the operator implement appropriate technical and organisational measures to protect personal information.

Monitor compliance

Establish a system for monitoring compliance with the operator agreement. Conduct regular audits and inspections to ensure that operators adhere to the agreed-upon terms.

Update the agreement

Regularly review and update the operator agreement to reflect changes in laws, regulations, and business practices. Ensure that any changes are communicated to and agreed upon by the operators.

Buy an operator agreement template

Basic OA

ZAR 2600

Once off
  • Agreement template
  • Drafting notes
  • Customisation notes
  • 20-minute call with a professional policy drafter
  • Review and feedback
  • Implementation guidance
Buy now

Premium OAMost popular

ZAR 4600

Once off
  • Agreement template
  • Drafting notes
  • Customisation notes
  • 20-minute call with a professional policy drafter
  • Review and feedback
  • Implementation guidance
Buy now

Ultimate OA

ZAR 10000

Once off
  • Agreement template
  • Drafting notices
  • Customisation notes
  • 20-minute call with a professional contract drafter
  • Review and provide feedback
  • Implementation guidance
Buy now