
Data Processing Agreement (DPA) Template — South Africa

An attorney-drafted Data Processing Agreement template designed specifically for South African businesses that need to comply with both POPIA and GDPR. This comprehensive, legally compliant document governs the relationship between the responsible party (data controller) and the operator (data processor) — covering processing instructions, security measures under POPIA Sections 19-22, cross-border transfer safeguards under Section 72, sub-processor management, breach notification, data subject rights, audit rights, and data return obligations, with dual compliance for GDPR Article 28 where applicable.

Drafted by qualified South African attorneys

Reviewed for compliance with current legislation · Last updated April 2026

Why It Matters

Why Your Business Needs This Agreement

Processing Without a Written Operator Agreement

Many South African businesses engage cloud providers, marketing platforms, and IT support companies without a POPIA Section 21-compliant operator agreement. This is a direct violation of the law. The responsible party faces enforcement action for failing to ensure their operator is contractually bound, while the operator faces liability for processing without proper authorisation. The Information Regulator has flagged the absence of operator agreements as a priority compliance area.

Cross-Border Transfers Without Legal Basis

South African businesses routinely use international SaaS platforms that store and process data in the US, EU, or Asia — often without considering whether POPIA Section 72 permits the transfer. Without contractual safeguards in the DPA (such as standard contractual clauses), every API call to a foreign-hosted service that transmits personal information may constitute an unlawful cross-border transfer. The risk is particularly acute because the Information Regulator has not published an adequacy list, leaving contractual mechanisms as the primary lawful basis.

No Breach Notification Procedures in Place

Without a DPA that establishes clear breach notification timelines and procedures, a processor's security breach can go unreported for days, weeks, or even months. POPIA Section 22 requires notification "as soon as reasonably possible," and the responsible party cannot notify the Information Regulator or affected data subjects if they do not know about the breach. Late notification compounds the damage to data subjects, increases regulatory scrutiny, and erodes public trust.

Uncontrolled Sub-Processor Chains

Many processors engage their own sub-processors without the responsible party's knowledge or consent — creating processing chains that the responsible party cannot monitor or control. Without DPA provisions governing sub-processor engagement, the responsible party has no visibility into who is actually processing their data, where it is being stored, and what security measures are in place. This lack of control directly violates the accountability principle of POPIA and GDPR.

Data Locked After Service Termination

When a service agreement ends without a DPA that specifies data return and deletion procedures, the processor may retain personal information indefinitely — or delete it without providing the responsible party with an opportunity to export. Both outcomes create POPIA compliance problems: indefinite retention violates the purpose limitation principle of Section 14, while premature deletion may destroy records the responsible party needs for legal, tax, or business continuity purposes.

Dual POPIA-GDPR Non-Compliance

South African businesses that serve EU customers face the challenge of dual regulatory compliance. A DPA that satisfies POPIA but not GDPR — or vice versa — leaves gaps that either the Information Regulator or an EU supervisory authority can act on. GDPR fines are significantly higher (up to EUR 20 million or 4% of global turnover), making non-compliance with EU requirements a material financial risk for South African businesses with international operations.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is not merely a good practice document — it is a legal requirement under both the Protection of Personal Information Act 4 of 2013 (POPIA) and the General Data Protection Regulation (EU) 2016/679 (GDPR). Whenever a business engages a third party to process personal information on its behalf — whether a cloud provider, payroll processor, email marketing platform, CRM system, IT support company, or any other service that involves accessing, storing, or manipulating personal information — both POPIA and GDPR require a written agreement governing that processing relationship. Without this agreement, both the responsible party (controller) and the operator (processor) face regulatory penalties, enforcement notices, and civil liability to affected data subjects.

Under POPIA, the obligation is clear and specific. Section 21(1) provides that an operator may only process personal information with the knowledge and authorisation of the responsible party, and must treat the personal information as confidential. Section 21(2) requires the operator to establish and maintain security measures referenced in Section 19. Section 19 itself is the cornerstone provision: it requires both the responsible party and the operator to secure the integrity and confidentiality of personal information by implementing "appropriate, reasonable technical and organisational measures" to prevent loss, damage, unauthorised destruction, unlawful access, or unlawful processing. Section 22 imposes mandatory breach notification obligations — where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, both the responsible party and the Information Regulator must be notified "as soon as reasonably possible."

Section 72 of POPIA adds a critical dimension for South African businesses that use processors located outside the country. Cross-border transfers of personal information are only permitted where the recipient country has been determined to have "adequate" data protection legislation, where the transfer is subject to binding corporate rules, where the data subject has consented, or where the transfer is necessary for the performance of a contract. The Information Regulator has not yet published a formal adequacy list, which means South African businesses must rely on contractual safeguards — typically standard contractual clauses incorporated into the DPA — to legitimise cross-border transfers to their processors. This is particularly relevant for businesses using global SaaS platforms (AWS, Microsoft Azure, Google Cloud, Salesforce, HubSpot, Mailchimp) where data is processed and stored outside South Africa.

For South African businesses that also serve European clients or process EU personal data, the GDPR applies concurrently with POPIA. GDPR Article 28 contains detailed and prescriptive requirements for controller-processor agreements, including specific provisions that must be included verbatim. The GDPR's extraterritorial reach under Article 3(2) means that any South African business offering goods or services to EU data subjects, or monitoring their behaviour, must comply with GDPR regardless of where the business is incorporated. This template is structured for dual POPIA-GDPR compliance, mapping the terminology and requirements of both frameworks side by side: "responsible party" (POPIA) maps to "controller" (GDPR), "operator" (POPIA) maps to "processor" (GDPR), "security compromise" (POPIA) maps to "personal data breach" (GDPR).

This attorney-drafted template covers every mandatory element of a data processing agreement under both POPIA and GDPR: definitions and role identification, processing scope and instructions, processor obligations and restrictions, security measures, sub-processor management, breach notification procedures, cross-border transfer mechanisms, data subject request handling, audit rights, data impact assessment assistance, and data return or deletion on termination. It is structured for clickwrap acceptance — making it ideal for SaaS platforms, online services, and digital businesses that need customers to accept data processing terms as part of their onboarding workflow.

Who Needs This

SaaS providers processing customer data on behalf of their clients as operators under POPIA
Businesses engaging cloud service providers, IT outsourcers, or managed service providers that access personal information
Companies using third-party payroll, HR, accounting, or marketing processors
Organisations with international operations requiring simultaneous POPIA and GDPR compliance
Any responsible party engaging an operator to process personal information under POPIA Section 21
South African businesses offering services to EU customers and subject to GDPR extraterritorial application
Financial institutions, healthcare providers, and other regulated entities with heightened data protection obligations
Digital platforms using clickwrap onboarding that need to incorporate data processing terms into their sign-up flow

Want early access to the Data Processing Agreement (DPA) template?

We'll email you the moment early access opens

POPIA Section 21 requires a written agreement between the responsible party and operator before processing begins — non-compliance can result in administrative fines of up to R10 million under Section 109 and criminal penalties of up to 10 years imprisonment under Section 107

POPIA Section 72 restricts cross-border transfers of personal information — the Information Regulator has not published an adequacy list, making contractual safeguards the primary mechanism for legitimising international data transfers

GDPR Article 28 contains the most prescriptive controller-processor agreement requirements in global data protection law — and applies to South African businesses serving EU customers under the GDPR's extraterritorial reach in Article 3(2)

GDPR administrative fines can reach EUR 20 million or 4% of annual global turnover — significantly exceeding POPIA's R10 million maximum, making GDPR compliance a material financial risk for South African businesses with international operations

Security compromises may simultaneously trigger POPIA Section 22 notification, GDPR Article 33 notification, and Cybercrimes Act Section 54 reporting obligations — the DPA must address all three frameworks for comprehensive compliance

Template Contents

Key Clauses Included

This Data Processing Agreement (DPA) template covers 12 essential sections, each drafted by South African attorneys.

01. Definitions & Role Identification

Clear identification of the responsible party (POPIA) / controller (GDPR) and the operator (POPIA) / processor (GDPR), mapping the terminology of both frameworks. Defines key terms including personal information, special personal information, processing, data subject, security compromise (POPIA) / personal data breach (GDPR), and Information Regulator / supervisory authority. Establishes that the DPA supplements the underlying service agreement and prevails in case of conflict on data protection matters.

02. Processing Scope & Documented Instructions

Specifies the categories of personal information to be processed (contact details, financial data, employee records, health information, etc.), the categories of data subjects (customers, employees, website visitors, minors), the purposes of processing, and the duration. Establishes that the operator may only process personal information in accordance with the responsible party's documented instructions — unless required by law to do otherwise, in which case the operator must inform the responsible party before processing (unless legally prohibited from doing so). This section satisfies POPIA Section 21(1) and GDPR Article 28(3)(a).

03. Operator/Processor Obligations

Comprehensive obligations binding the operator: processing only on documented instructions, ensuring personnel are bound by confidentiality agreements, implementing security measures as specified in the agreement, engaging sub-processors only with prior authorisation, assisting the responsible party with data subject requests and regulatory enquiries, deleting or returning all personal information on termination, and making available all information necessary to demonstrate compliance with the agreement. Includes the operator's duty to inform the responsible party if an instruction would violate POPIA or GDPR.

04. Security Measures

Specifies the technical and organisational security measures the operator must implement — mapped to POPIA Section 19 and GDPR Article 32. Includes encryption of personal information at rest (AES-256) and in transit (TLS 1.2+), access controls with role-based permissions and multi-factor authentication, pseudonymisation and anonymisation where appropriate, regular vulnerability assessments and penetration testing, incident response procedures, backup and disaster recovery measures, and the requirement to regularly test, assess, and evaluate the effectiveness of these measures. The measures must be appropriate to the risk, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing.

05. Sub-Processor Management

Governs the engagement of sub-processors (sub-operators) by the operator. Provides two consent models: specific prior authorisation (the responsible party approves each sub-processor individually) or general authorisation with notification and objection rights (the operator provides a list of current sub-processors and notifies the responsible party of any additions, with the responsible party having the right to object). Requires the operator to impose equivalent data protection obligations on sub-processors through written contracts. Establishes that the operator remains fully liable for the acts and omissions of its sub-processors. Satisfies GDPR Article 28(2) and (4).

06. Security Compromise / Breach Notification

Establishes the operator's obligation to notify the responsible party of any security compromise (POPIA) or personal data breach (GDPR) without undue delay — the template specifies notification within 72 hours of the operator becoming aware of the breach, aligning with GDPR Article 33's timeline. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the effects. The responsible party is then responsible for notifying the Information Regulator (POPIA Section 22) or supervisory authority (GDPR Article 33) and affected data subjects (POPIA Section 22(4) / GDPR Article 34) where required.

07. Cross-Border Transfers

Mechanisms for lawfully transferring personal information outside South Africa (POPIA Section 72) or outside the EEA (GDPR Chapter V). Specifies the countries where data will be processed and stored, the legal basis for each transfer (adequacy decision, standard contractual clauses, binding corporate rules, consent, or contractual necessity), and the additional safeguards in place. The template includes the option to incorporate standard contractual clauses (SCCs) as an annex. For POPIA, given the Information Regulator's lack of a published adequacy list, contractual safeguards are the primary mechanism for legitimising cross-border transfers from South Africa.

08. Data Subject Rights & Request Handling

The operator's obligation to assist the responsible party in responding to data subject requests — including access (POPIA Section 23 / GDPR Article 15), correction (POPIA Section 24 / GDPR Article 16), deletion (POPIA Section 24 / GDPR Article 17), restriction of processing (GDPR Article 18), data portability (GDPR Article 20), and objection (POPIA Section 11 / GDPR Article 21). Specifies the timeframe for the operator to notify the responsible party of a received request (typically within 2 business days) and the technical measures the operator must implement to facilitate request fulfilment.

09. Data Protection Impact Assessments

The operator's obligation to assist the responsible party in conducting data protection impact assessments (DPIAs) where required — typically when processing involves high-risk activities such as systematic profiling, large-scale processing of special personal information, or systematic monitoring of publicly accessible areas. While POPIA does not have a formal DPIA requirement equivalent to GDPR Article 35, the principle of accountability under POPIA Condition 7 supports the practice. This section is primarily relevant for GDPR compliance.

10. Audit Rights & Compliance Verification

The responsible party's right to audit the operator's compliance with the DPA. Covers on-site inspections of the operator's data processing facilities, review of policies, procedures, and technical controls, use of independent third-party auditors (with confidentiality protections), the audit frequency (typically once per 12-month period, plus additional audits following a security compromise), notice requirements (usually 30 days), the scope of the audit, cost allocation (typically borne by the responsible party unless the audit reveals material non-compliance), and the operator's obligation to remediate any findings within agreed timeframes.

11. Data Return & Deletion on Termination

The operator's obligations upon termination of the underlying service agreement — returning all personal information to the responsible party in a standard, machine-readable format, certifying deletion of all retained copies (including backups, logs, and derived datasets), and the timeframe for completion (typically 30-90 days). Specifies exceptions for legally required retention (tax records, regulatory compliance), the format and method of return (encrypted transfer, secure download), and the responsible party's right to verify deletion through an audit or certification.

12. Liability & Indemnification

Allocation of liability between the responsible party and the operator for data protection breaches. Under POPIA, the responsible party bears primary liability to data subjects, but can seek contribution from the operator for breaches caused by the operator's failure to comply with the DPA. Under GDPR, both controllers and processors can be held directly liable to data subjects (Article 82). The DPA should specify the operator's indemnification obligations for losses arising from the operator's breach of the agreement, including regulatory fines, compensation claims, and notification costs.

Legal Compliance

South African Law Compliance

POPIA

Protection of Personal Information Act 4 of 2013

POPIA is the primary legislation governing data processing agreements in South Africa. Section 19 is the cornerstone provision — requiring both the responsible party and the operator to implement "appropriate, reasonable technical and organisational measures" to secure personal information against loss, damage, unauthorised destruction, unlawful access, or unlawful processing. Section 21 requires the operator to process only with the responsible party's knowledge and authorisation, to treat information as confidential, and to establish security measures. Section 22 mandates notification of security compromises to the Information Regulator and affected data subjects "as soon as reasonably possible." Section 72 restricts cross-border transfers, requiring adequate protection in the recipient country or specific safeguards. Section 100 grants the Information Regulator enforcement powers, and Section 109 provides for administrative fines of up to R10 million for non-compliance.

GDPR

General Data Protection Regulation (EU) 2016/679

GDPR Article 28 contains the most detailed and prescriptive requirements for controller-processor agreements in global data protection law. It mandates specific provisions that must be included in the agreement, including processing only on documented instructions, confidentiality obligations, security measures, sub-processor management, data subject request assistance, deletion or return on termination, compliance verification, and the duty to inform the controller of conflicting instructions. Article 28(3) lists these requirements exhaustively. The GDPR applies to South African businesses under Article 3(2) when they offer goods or services to EU data subjects or monitor their behaviour. Maximum administrative fines under GDPR are EUR 20 million or 4% of annual global turnover, whichever is higher — significantly exceeding POPIA's maximum penalties.

ECTA

Electronic Communications and Transactions Act 25 of 2002

ECTA supports the enforceability of data processing agreements accepted through electronic clickwrap mechanisms. Section 11 confirms that agreements are not invalid merely because they are in electronic form. Section 22 requires that the other party has a reasonable opportunity to review the terms before acceptance. For SaaS platforms that incorporate DPA acceptance into their digital onboarding workflow, ECTA's provisions on electronic agreements validate the online acceptance process. Section 15 confirms that electronic records satisfy legal requirements for written documents — relevant to POPIA Section 21's requirement for written operator agreements.

Cybercrimes Act

Cybercrimes Act 19 of 2020

The Cybercrimes Act creates criminal offences for unauthorised access to personal information (Section 2), unlawful interception of data (Section 3), and cyber fraud (Section 8). Section 54 imposes reporting obligations on electronic communications service providers — including certain data processors — requiring them to report specified offences to the SAPS within 72 hours. The DPA should address the operator's obligations under the Cybercrimes Act, including incident reporting, evidence preservation, and cooperation with law enforcement. A security compromise involving personal information may simultaneously trigger POPIA Section 22 notification and Cybercrimes Act Section 54 reporting obligations.

Promotion of Access to Information Act

Promotion of Access to Information Act 2 of 2000

PAIA grants individuals the right to request access to records held by both public and private bodies. Where the operator holds personal information on behalf of the responsible party, PAIA access requests may be directed to either or both parties. The DPA should address the operator's obligation to redirect PAIA requests to the responsible party and to assist in providing the requested information within the statutory timeframes. Section 50 of PAIA provides that private bodies must grant access to records if the requester is entitled to the information and the request complies with procedural requirements.

South African businesses are lining up for My-Contracts — be first in when we launch

POPIA Compliant · Legally Reviewed · Digital Signing Available

Simple Process

Create Your Data Processing Agreement (DPA) in Minutes

Our guided wizard walks you through every clause — no legal knowledge required. Attorney-drafted, South African law compliant.

01. Map your data processing relationships

Identify every third party that processes personal information on your behalf — including cloud providers, SaaS platforms, marketing tools, payroll processors, IT support companies, and backup services. For each processor, document what personal information they access, why, where it is stored, and whether cross-border transfers are involved. This data mapping exercise is the foundation for determining which DPAs you need.

02. Determine the applicable regulatory framework

Assess whether your processing activities are subject to POPIA only, or to both POPIA and GDPR. If you offer goods or services to EU data subjects or monitor their behaviour, GDPR applies concurrently. If your processors are located outside South Africa, identify the legal basis for cross-border transfers under POPIA Section 72. This assessment determines the level of detail required in your DPAs.

03. Customise the DPA template for each processor

Complete the template by specifying the categories of personal information, the processing purposes, the security measures required, the sub-processor consent model, the breach notification timeframe, and the cross-border transfer mechanisms. For high-volume or high-sensitivity processors, negotiate specific security commitments. For lower-risk processors, the standard template may be sufficient with minimal customisation.

04. Integrate the DPA into your onboarding workflow

For SaaS platforms, incorporate the DPA into the clickwrap onboarding flow — presenting it alongside the Terms of Service and Privacy Policy. Ensure the acceptance mechanism is ECTA-compliant with affirmative consent, timestamped records, and the ability for the customer to download a copy. For negotiated enterprise agreements, attach the DPA as a schedule to the master services agreement.

05. Implement monitoring and review processes

Establish a register of all DPAs in force, with renewal and review dates. Schedule annual reviews of each processor's compliance — either through audit rights, SOC 2 reports, or ISO 27001 certifications. Monitor for changes in processors' sub-processor lists and data hosting locations. Update DPAs when processing activities change, when new regulations are published, or when the Information Regulator issues relevant guidance.

Your Data Processing Agreement (DPA) is ready

Common Questions

Frequently Asked Questions

A Data Processing Agreement (DPA) is a legally required contract between a data controller (called a "responsible party" under POPIA) and a data processor (called an "operator" under POPIA) that governs how personal information is processed on the controller's behalf. Under POPIA Section 21, the responsible party must ensure that the operator processes personal information only with the responsible party's knowledge and under a written contract that establishes security obligations, processing limitations, and confidentiality. The DPA is not optional — it is a statutory requirement. Without it, both parties face enforcement action by the Information Regulator, including administrative fines of up to R10 million under Section 109, enforcement notices, and civil liability to affected data subjects. Similarly, GDPR Article 28 mandates a written agreement with specific mandatory provisions for businesses processing EU personal data. A DPA protects both parties by clearly defining their respective obligations and limiting liability exposure.

Why This Template

What You Get With This Template

Dual POPIA-GDPR compliant — satisfying Section 21 of POPIA and Article 28 of GDPR simultaneously, with mapped terminology for both frameworks

Comprehensive security measures framework aligned with POPIA Section 19 and GDPR Article 32, with specific technical and organisational requirements

Breach notification provisions with a 72-hour timeline aligned with GDPR Article 33, satisfying POPIA Section 22's "as soon as reasonably possible" standard

Cross-border transfer safeguards addressing POPIA Section 72 and GDPR Chapter V, with provision for standard contractual clauses

Sub-processor management with both specific and general authorisation models, objection rights, and flow-down obligations

Clickwrap-ready format for SaaS platforms, with ECTA-compliant electronic acceptance mechanisms

Audit rights with practical alternatives (SOC 2, ISO 27001) and cost allocation provisions

Customisable template with clearly marked decision points for processing scope, security measures, sub-processor consent model, and breach notification timelines

Be First to Draft Your Data Processing Agreement (DPA)

Early access opens soon. Join the waiting list and we'll email you the moment it does.

One launch email — no spam · Founding-member pricing