South African data protection law and third-party processors

By:

Return to Africa Connected: Issue 2

Key takeaways

  • Controllers (which are referred to as responsible parties in South Africa) must conclude mandate agreements with processors (which are referred to as operators in South Africa).
  • Processors/operators may act only in accordance with the terms of those agreements.
  • Controllers/responsible parties are ultimately responsible for compliance with POPIA.
  • Processors may be liable under GDPR to pay damages and administrative fines for noncompliance with GDPR. POPIA does not provide for similar fines in respect of operators.

The EU General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act 2013 (POPIA) regulate the protection of data subjects’ personal information. Some provisions of POPIA are already in force, and the rest are expected to come into effect over the course of this year. Though there will be a one-year grace period after the new legislation comes into effect in its entirety, businesses are advised to start complying with the provisions of POPIA as soon as possible.

The key roles under POPIA and GDPR

In South Africa, the definition of a data subject is similar to that in GDPR in that it refers to a natural person who the personal information relates to. This is further extended under POPIA to include juristic persons such as companies or other institutions. The party who decides the purpose and the means of processing a data subject’s personal information is the responsible party under POPIA and the controller under GDPR. The role of an operator under POPIA is to process personal information on the instructions of the responsible party. This is essentially the same concept as a processor under GDPR.

As the law currently stands in South Africa, personal information may be processed with the data subject's content or when it is both necessary for pursuing legitimate interests and reasonable and justifiable to do so. Currently, there is nothing requiring the relationship between the responsible party and the third party to be regulated by a contract, although it is recommended. But this will change after POPIA is in effect, as there will be certain requirements when engaging a third party (i.e. an operator) to process personal information on a responsible party’s behalf. Examples of the use of operators are when an employer outsources its payroll to an external provider, or a when a company outsources marketing campaigns targeting customers by using personal information.

The relationship between the data controller/responsible party and the relevant processor/operator is also separately regulated under GDPR and POPIA. This article will explore what the legal requirements are under GDPR and POPIA, and the recommended best practices when making use of operators/processors. Broadly speaking, under both POPIA and GDPR the processor/operator must act under a mandate, and appropriate security safeguards need to be in place to protect personal information. The processor/operator must keep the personal information confidential.

Mandate

The relationship between a controller/responsible party and the processor/operator (e.g. between an employer and a provider of medical insurance to employees) must be stipulated in a written contract or, under GDPR, in terms of any other legal act recognized in law.

An operator under POPIA may process personal information only with the knowledge and authorization of the responsible party, unless otherwise required by law or in the course of the proper performance of its duties. Under GDPR, a processor who acts independently of the data controller and determines the purpose and means of processing data is considered a controller (and where applicable a joint controller under GDPR). There is no equivalent provision in POPIA, but it makes practical sense that an operator would similarly become a responsible party in relation to personal information if it determines the purpose and means of processing such information. We envisage that there would be a concept of joint responsible parties under POPIA, although this is not expressly provided for in the regulation. An operator would also still have obligations to perform as a responsible party in respect of the personal information that it processes in relation to its own functions (e.g. the personal information of the operator’s own employees and customers).

Security safeguards

GDPR specifically requires that the mandate agreement states the details of the data processing and the processor’s obligations with regard to ensuring the security and integrity of personal information. Under POPIA, the duty is on the responsible party to ensure – in a written contract with the operator – that the operator establishes and maintains reasonable technical and organizational measures to safeguard the personal information that is processed on the responsible party’s behalf. The responsible party will ultimately be liable if the operator does not comply with POPIA. It is sensible for a responsible party to expressly agree in the mandate agreement the nature and extent of the security safeguards that will be implemented and maintained by the operator, and to include a corresponding indemnity for failure to comply with such obligations. It is also advisable for the agreement to provide that the responsible party may – having given reasonable notice – carry out inspections to verify that the responsible party has implemented the agreed security safeguards.

Confidentiality

When processing personal information, data processors are required to ensure that the individuals processing the data are subject to a duty of confidence. Under POPIA, the operator is required to treat personal information as confidential and must not disclose it, except when the law requires it or if the operator requires disclosure in order to perform its duties. In order to minimize the risk of data breaches and comply with POPIA, a responsible party should make it a condition of the agreement that the operator will limit access to personal information to those individuals who have entered into appropriate confidentiality agreements with the operator, or who are subject to a duty of confidentiality by virtue of their office.

Data breach

In the event of a data breach, POPIA requires an operator to notify the responsible party. The responsible party must then notify the information regulator and the data subject(s) whose information has been unlawfully accessed within a reasonable time after reasonable suspicion that there has been a data breach. POPIA does not provide a prescribed period within which a responsible party must notify the regulator, but it must be as soon as reasonably possible. Under GDPR, a processor is required to notify the controller in the event of a data breach. The controller should then notify the supervisory authority within 72 hours of the data breach if there is a risk to a data subject’s rights and freedoms. And the data subject should be informed if such breach is likely to result in a high risk to their rights and freedoms without undue delay. POPIA differs in this respect: the information regulator must be notified of all data breaches, regardless of whether or not there is a high risk to a data subject’s rights and freedoms. Further, the data subjects must be notified, regardless of whether or not there is a high risk to a data subject's rights and freedoms, unless the data subject cannot be identified or the notification would impede a criminal investigation.

In the case of POPIA, it is recommended to include in the agreement a prescribed timeframe within which to notify the responsible party of the breach in order to reduce the risk of a further compromise to data subjects’ personal information. A set timeframe would also provide the responsible party with sufficient time to notify the information regulator and the data subjects.

Data protection officers

Controllers and processors are required by GDPR to appoint a data protection officer, whose responsibility it is to monitor the processing of personal information if it is carried out by a public body, if it requires regular and large-scale monitoring of data subjects, or if the core component of the processor’s activities is processing special categories of data or personal data relating to criminal convictions or offences. In terms of POPIA, each responsible party must appoint an information officer, who will perform similar duties to that of data protection officers under GDPR. Under POPIA, the information officer may sub-delegate his/her responsibilities to deputy information officers. POPIA does not state whether an operator must appoint an information officer, but most operators would be required to appoint an information officer as they would be a responsible party in relation to the personal information of their own employees and clients. It would be advisable, in terms of the agreement, to identify the information officer or deputy information officer of each of the parties to the agreement, who would be the contact person for any issues relating to the lawful processing of the personal information held by the respective parties.

Noncompliance and penalties

Under GDPR, processors can be liable to pay compensation for any harm suffered as a result of the failure to comply with specific GDPR provisions that relate to processors or where they have acted without a controller’s lawful instructions or contrary to those instructions. This is different to POPIA, where any failure to comply with the lawful processing requirements will lie directly with the responsible party, who bears the ultimate liability. As a responsible party is subject to POPIA, it is important to impose some of the obligations that would ordinarily fall on the responsible party on the operator. In addition, the responsible party/controller should obtain indemnities from the operator/processor for compliance with the contractual obligations and data protections laws and to ensure that the operators will be held liable for any risk, harm or loss suffered as a result of the breach of such laws and obligations. This could include requiring the operator to reimburse the responsible party for any penalty that is imposed on it by the information regulator, or any damages claims that may be brought by data subjects as a result of a data breach. Obviously, if an entity is acting in its capacity as an operator, it would want to resist these contractual obligations and only agree to and limit its liability to the obligations strictly imposed on it in law. The mandate agreement will ultimately be a matter of negotiation between the parties.

Cross-border flows of personal information

Given that there may be instances of cross-border transfers of personal information by or to a processor or operator on behalf of a responsible party, the agreement should prohibit such a transfer without the controller or responsible party’s written consent if the transfer is to a country that does not have adequate data protection laws. The reason for the inclusion of such a clause is so that the responsible party can ensure that there is a lawful justification for transferring the personal information to a country that does not have adequate data protection laws. For example, the responsible party could ensure that consent has been obtained from the data subject or that the recipient in the foreign country has entered into an appropriate data transfer agreement. Under POPIA, the responsible party would need to ensure that prior authorization has been obtained from the information regulator in circumstances where such prior authorization is required, for example, when transferring special personal information to locations that do not have adequate data protection laws.

Other factors to consider

GDPR imposes further obligations on processors, such as requiring the controller’s prior consent before engaging subcontractors; assisting data subjects to exercise their rights; assisting controllers with security safeguards, data breaches and data protection assessments; submitting to audits and inspection; and keeping records of processing activities under their responsibility. Though these may be agreed between responsible parties and operators, they are not mandatory under POPIA, and any operator who undertakes them should be prepared to shoulder the risk they present.

It is important to note that both POPIA and GDPR prohibit the retention of information after the purpose for which it was initially collected or subsequently processed has been achieved, and therefore the agreement should specify what processes should be followed on the conclusion or termination of the contract term. It is advisable to include a requirement to return, delete, destroy or anonymize the personal information at the request of the controller or responsible party or within a specified period of time after termination of the agreement.

Recommendations

In summary, the mandate agreement between the responsible party/controller and the operator/processor should include the following provisions (which are mandatory under POPIA): 

  • An undertaking to act only on the written instructions of the responsible party/controller.
  • Confidentiality undertakings during the period of data processing and restriction of access to individuals who are bound by confidentiality undertakings.
  • Agreement that reasonable technical and organizational measures will be established and maintained by the operator/processor and ideally specify the nature of these measures.
  • Notification requirements in the event of a data breach.
  • Restrictions on the transfer or storage of personal information to countries without adequate data protection laws.

It is also recommended that the mandate agreement includes the following additional provisions, although they are not mandatory under POPIA. They are, however, mandatory under GDPR.

  • The type of personal information and categories of personal information subject to processing. 
  • The nature, purpose and manner of data processing.
  • The duration of the processing activities.
  • Consent requirements in the event of engaging sub-processors/operators.
  • The end-of-contract obligations, for example, agreement that personal information will be returned, deleted, anonymized or destroyed on request or at the end of the contract, unless otherwise required by law.
  • Assisting responsible party/controller in providing data-subject access and allowing data subjects to exercise rights.
  • Submission to audits and inspections.
  • Indemnities in favor of the responsible party/controller (depending on whether or not acting as a responsible party or operator).

Under GDPR, the processor would also need to maintain a record of processing activities and assist the controller with data protection assessments.

Where the provisions above are not mandatory, we recommend that these clauses be included as best practice. However, this will ultimately remain a commercial decision for each business to make, after ensuring that it is in fact able to comply with all these obligations. Further, the obligations that are agreed would depend on whether you are acting as the responsible party or the operator.

Return to Africa Connected: Issue 2