Data Processing Agreements

By Jamie-Lee Payne 

The Protection of Personal Information Act regulates and protects the processing and dissemination of data/information in South Africa. If a business does not have a Data Processing Agreement, the Information Regulator may impose a fine for breach and/or non-compliance with the Act.1 

A Data Processing Agreement is an agreement between a data controller and a data processor. A data controller is typically an organization, whereas a third-party service provider is considered a data processor. 

Legal Framework 

To fully understand how this aspect of the law comes into play, we will use a generic example that has become prevalent globally. Let’s say an online news publisher collaborates with a third-party data processor to collect and examine data from the webpage. The data collected is deemed sensitive as it can be used to ascertain how many readers read the articles, how long they were on the webpage and which articles were the most clicked on. In turn, this information is used to make essential business decisions. Given the significance of the data, the two parties should have a Data Processing Agreement in place to control the use and management of that data. 

Data Processing Agreements are required by law; if you process personal information by obtaining, retaining or disseminating personal information, you must comply with the Act. The POPI Act requires organizations to obtain express written consent from all data subjects in the form of a written agreement.2  

The rationale behind requiring data controllers and data processors to have a Data Processing Agreement in place is derived from the very reason the European General Data Protection Regulation was put into operation; security breaches where sensitive information is involved are becoming more prevalent. In the South African context, the most recent data breach occurred at Experian Credit Bureau, whereby the personal information of approximately 26 million South Africans was stolen. Notwithstanding the above, failure to operate a POPIA compliant business can have numerous negative effects on a business; client trust will become diminished, and non-compliance can lead to a fine of up to R10 million and/or imprisonment of no more than 10 years. 

Conclusion  

Data Processing Agreements are therefore imperative to regulate the information obtained and disseminated. The aim of POPIA is to protect this information, and it, therefore, imposes sanctions, such as fines, on responsible parties for failure to comply with the regulations as provided for in the Act.  

Contact an attorney at SchoemanLaw Inc for your legal needs. 

Jamie-Lee Payne | SchoemanLaw IncAttorneySchoemanLaw Inc – www.schoemanlaw.co.za