POPIA and 3d Party Data Processors

The Protection of Personal Information Act 2013 (POPIA) regulate the protection of data subjects’ personal information.

The key roles under POPIA

The party who decides the purpose and the means of processing a data subject’s personal information is the responsible party under POPIA. The role of an operator under POPIA is to process personal information on the instructions of the responsible party.

Under POPIA, there will be certain requirements when engaging a third party (i.e. an operator) to process personal information on a responsible party’s behalf. Examples of the use of operators are when an employer outsources its payroll to an external provider, or a when a company outsources marketing campaigns targeting customers by using personal information.

Security safeguards

Under POPIA, the duty is on the responsible party to ensure – in a written contract with the operator – that the operator establishes and maintains reasonable technical and organizational measures to safeguard the personal information that is processed on the responsible party’s behalf. The responsible party will ultimately be liable if the operator does not comply with POPIA.


When processing personal information, data processors are required to ensure that the individuals processing the data are subject to a duty of confidence. In order to minimize the risk of data breaches and comply with POPIA, a responsible party should make it a condition of the agreement that the operator will limit access to personal information to those individuals who have entered into appropriate confidentiality agreements with the operator, or who are subject to a duty of confidentiality by virtue of their office.

Non-compliance and penalties

As a responsible party is subject to POPIA, it is important to impose some of the obligations that would ordinarily fall on the responsible party on the operator. In addition, the responsible party/controller should obtain indemnities from the operator/processor for compliance with the contractual obligations and data protections laws and to ensure that the operators will be held liable for any risk, harm or loss suffered as a result of the breach of such laws and obligations.


In summary, the mandate agreement between the responsible party/controller and the operator/processor should include the following provisions (which are mandatory under POPIA):

  • An undertaking to act only on the written instructions of the responsible party/controller.
  • Confidentiality undertakings during the period of data processing and restriction of access to individuals who are bound by confidentiality undertakings.
  • Agreement that reasonable technical and organizational measures will be established and maintained by the operator/processor and ideally specify the nature of these measures.
  • Notification requirements in the event of a data breach.
  • Restrictions on the transfer or storage of personal information to countries without adequate data protection laws.