Data Processing Agreement
Template — South Africa

Establishes the POPIA-defined roles with precision — identifying the responsible party (the organisation determining the purpose and means of processing) and the operator (the third party processing on the responsible party's instructions). This section specifies the categories of data subjects affected (customers, employees, prospects, website visitors), the types of personal information being processed (contact details, financial information, identity numbers, biometric data, health information, employment records), the permitted processing purposes, and the duration of processing. Clarity on these definitions is critical — the Information Regulator uses these parameters to assess compliance and scope any enforcement action.

Requires the operator to process personal information only on documented instructions from the responsible party and only for the explicitly defined purposes. Processing for the operator's own purposes — including data analytics, product improvement, marketing, or profiling — is strictly prohibited unless separately authorised. The section establishes the mechanism for issuing instructions (written instructions from authorised representatives), the operator's obligation to inform the responsible party if an instruction appears to violate POPIA, and the consequences of processing outside the permitted scope. This implements the POPIA Section 13 purpose limitation principle and the Section 21 requirement that the operator acts only on the responsible party's authority.

Specifies the technical and organisational security measures the operator must implement under POPIA Section 19 to secure personal information against loss, damage, unauthorised destruction, and unlawful access or processing. Technical measures include encryption of personal information at rest and in transit (minimum AES-256 and TLS 1.2/1.3), access controls with role-based permissions and multi-factor authentication, network security measures (firewalls, intrusion detection/prevention systems), regular vulnerability assessments and penetration testing, secure data disposal procedures, and backup and disaster recovery capabilities. Organisational measures include information security policies and procedures, employee training and awareness programmes, background checks for personnel with access to personal information, incident response plans, and regular security audits. The measures must be appropriate having regard to the sensitivity of the information and current industry best practices.

Restricts the operator from engaging sub-processors (sub-operators) to process personal information without the responsible party's prior specific or general written consent. Where general authorisation is given, the operator must notify the responsible party of any intended addition or replacement of sub-processors, providing the responsible party with an opportunity to object. The operator must impose equivalent data protection obligations on all sub-processors through a written agreement, and remains fully liable for the sub-processor's compliance. The section includes a list of currently approved sub-processors with their processing activities and locations. This provision is essential because personal information often flows through multiple tiers of processing — cloud providers using infrastructure sub-processors, payroll providers using tax calculation services, and CRM platforms using email delivery services.

Establishes the operator's obligation to notify the responsible party of any security compromise without unreasonable delay — the template specifies a maximum notification window of 72 hours from discovery, aligned with the emerging regulatory expectation. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal information records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects. The operator must cooperate with the responsible party's investigation and provide ongoing updates. The responsible party then fulfils its Section 22 obligation to notify the Information Regulator and affected data subjects. The section also addresses containment procedures, evidence preservation, and the operator's role in the responsible party's incident response plan.

Requires the operator to assist the responsible party in fulfilling its obligations to data subjects under POPIA — including the right to access personal information (Section 23), the right to request correction or deletion (Section 24), the right to object to processing (Section 11(3)(a)), and the right to complain to the Information Regulator (Section 74). The operator must promptly redirect any data subject requests received directly to the responsible party and must implement technical and organisational measures that enable the responsible party to respond to data subject requests within the timeframes prescribed by POPIA. For large-scale processing operations, this may require specific system capabilities such as data export, search, and deletion functionality.

Addresses the conditions under which personal information may be transferred outside the Republic of South Africa, in compliance with POPIA Section 72. Cross-border transfers are only permitted where the recipient country has adequate data protection legislation, the data subject has consented to the transfer, the transfer is necessary for the performance of a contract between the data subject and the responsible party, the transfer is for the benefit of the data subject and consent cannot reasonably be obtained, or the responsible party has taken reasonable measures to ensure the recipient will process the information in accordance with POPIA's conditions. For cloud-based processing where data may transit through or be stored in multiple jurisdictions, the section includes specific provisions for data localisation requirements, permitted storage locations, and the operator's obligations regarding data sovereignty.

Grants the responsible party the right to audit and inspect the operator's processing activities, security measures, and compliance with the DPA — either directly or through an independent third-party auditor. The audit scope includes security assessments, data handling practices, sub-processor compliance, breach response readiness, and policy adherence. The section specifies notice requirements (typically 20-30 business days for standard audits, with immediate access for breach investigations), the frequency of audits (at least annually), the operator's obligation to provide access to relevant premises, systems, and personnel, and the handling of audit findings including remediation timelines for any non-compliance identified. The audit right is essential for the responsible party to demonstrate ongoing compliance with its Section 19 obligations — the responsible party cannot outsource accountability.

Specifies the operator's obligations upon termination or expiry of the DPA — or upon the responsible party's written request at any time. The operator must, at the responsible party's election, return all personal information in a standard, machine-readable format (typically CSV, JSON, or XML) or securely destroy all personal information using methods that prevent reconstruction (physical destruction of media, cryptographic erasure, or data sanitisation meeting international standards such as NIST SP 800-88). The section specifies the timeframe for return or destruction (typically 30 days), the requirement for written certification of destruction signed by an authorised representative, and exceptions for personal information that the operator is required to retain by law or regulation (in which case the data protection obligations continue for the duration of retention). POPIA Section 14 requires that personal information must not be retained longer than necessary for the purpose for which it was processed.

Allocates liability for POPIA violations, data breaches, and related losses between the parties. The operator indemnifies the responsible party against losses arising from the operator's breach of the DPA or its POPIA obligations — including regulatory fines, data subject compensation claims, investigation costs, and remediation expenses. The section addresses liability caps (typically carved out from the general service agreement's liability cap for POPIA-related claims), required insurance coverages (cyber liability and professional indemnity), and the operator's obligation to mitigate the consequences of any breach. Under POPIA Section 99, any person who suffers damage due to a violation of the Act may institute civil proceedings against the responsible party or operator — making adequate liability provisions and insurance essential.

The DPA remains in force for as long as the operator processes personal information on behalf of the responsible party — it should not have an arbitrary expiry date that allows processing to continue without contractual safeguards. The responsible party may terminate the DPA immediately if the operator commits a material breach of its data protection obligations. Upon termination, the data return and destruction obligations take effect, and certain provisions survive indefinitely — confidentiality, indemnification, and the obligation to cooperate with regulatory investigations or data subject complaints that relate to the processing period. The section also addresses the responsible party's right to instruct the operator to cease all processing immediately upon termination, with no grace period for unauthorised continued processing.