Data Processing Agreements
Submitted by: Jamie-Lee Payne, SchoemanLaw Inc
The Protection of Personal Information Act regulates and protects the processing and dissemination of data/information in South Africa. If a business does not have a Data Processing Agreement, the Information Regulator may impose a fine for breach and/or non-compliance with the Act.
A Data Processing Agreement is an agreement between a data controller and a data processor. A data controller is typically an organization, whereas a third-party service provider is considered a data processor.
Legal Framework
To fully understand how this aspect of the law comes into play, we will use a generic example that has become prevalent globally. Let’s say an online news publisher collaborates with a third-party data processor to collect and examine data from the webpage. The data collected is deemed sensitive as it can be used to ascertain how many readers read the articles, how long they were on the webpage and which articles were the most clicked on. In turn, this information is used to make essential business decisions. Given the significance of the data, the two parties should have a Data Processing Agreement in place to control the use and management of that data.
Data Processing Agreements are required by law; if you process personal information by obtaining, retaining or disseminating personal information, you must comply with the Act. The POPI Act requires organizations to obtain express written consent from all data subjects in the form of a written agreement.
The rationale behind requiring data controllers and data processors to have a Data Processing Agreement in place is derived from the very reason the European General Data Protection Regulation was put into operation: security breaches where sensitive information is involved are becoming more prevalent. In the South African context, the most recent data breach occurred at Experian Credit Bureau, whereby the personal information of approximately 26 million South Africans was stolen. Notwithstanding the above, failure to operate a POPIA-compliant business can have numerous negative effects on a business; client trust will become diminished, and non-compliance can lead to a fine of up to R10 million and/or imprisonment of no more than 10 years.
Conclusion
Data Processing Agreements are therefore imperative to regulate the information obtained and disseminated. The aim of POPIA is to protect this information, and it, therefore, imposes sanctions, such as fines, on responsible parties for failure to comply with the regulations as provided for in the Act.
Contact an attorney at SchoemanLaw Inc for your legal needs.
Jamie-Lee Payne | Attorney | SchoemanLaw Inc – www.schoemanlaw.co.za
SchoemanLaw Inc Attorneys, Conveyancers and Notaries Public is a boutique law firm offering its clients access to high quality online legal documents and agreements, together with a wide range of legal services. The firm has an innovative and entrepreneurial mindset that distinguishes it from other law firms. We apply our first-hand understanding of the challenges facing entrepreneurs (regardless of their business size) to develop proven, practical solutions incorporating legal compliance, risk aversion and business sense. We achieve this by offering clients tailored, yet holistic support comprising legal gap analysis, the design of tailored legal solutions and the practical implementation thereof through training and automation. With your personal interests in mind, our ultimate aim is to implement measures that protect the results of your hard work as effectively as possible.