Operator (POPIA)
Also known as: Data Processor, Processor.
What is Operator?
An operator, under section 1 of POPIA, is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. It is the South African equivalent of the GDPR "processor" and must act only on the responsible party's lawful instructions.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
Definition and context
Section 1 of the Protection of Personal Information Act 4 of 2013 defines an operator as a person who processes personal information for a responsible party in terms of a contract or mandate without coming under the direct authority of that party. Common examples are cloud hosts, SaaS vendors, payroll bureaus, outsourced call centres, email-marketing providers and professional firms processing client lists on behalf of a business.
Section 20 of POPIA establishes the operator's duties: process only with the knowledge or authorisation of the responsible party; treat personal information as confidential; notify the responsible party immediately if there is reasonable belief that information has been accessed or acquired by an unauthorised person (security compromise). Section 21 requires the responsible party to conclude a written operator agreement establishing and maintaining appropriate security safeguards. The operator cannot unilaterally change purposes — doing so elevates it to a responsible party and triggers full Chapter 3 liability.
Attorneys drafting operator clauses should mirror the Information Regulator's Guidance Note on Processing of Personal Information by an Operator (2021) and require: (i) scope of processing, (ii) security safeguards (ISO 27001, encryption, access controls), (iii) sub-processor consent, (iv) data-subject request cooperation, (v) breach notification within 24 to 72 hours, (vi) audit rights, and (vii) return or deletion of data on termination. The POPIA Code of Conduct for the Legal Sector (2023) provides additional guidance for law firms acting as operators or sub-processors.
Where this term lives in law
Protection of Personal Information Act 4 of 2013
Sections: 1, 20, 21, 22
Regulates the processing of personal information by public and private bodies in South Africa.
Frequently asked questions
What is an operator under POPIA?
Section 1 of POPIA defines an operator as a person who processes personal information for a responsible party under a contract or mandate, without coming under the direct authority of that party. Typical examples are cloud providers, SaaS vendors, payroll bureaus and outsourced call centres.
What is the difference between a responsible party and an operator?
A responsible party determines the purpose and means of processing. An operator only processes on the responsible party's behalf and instructions. If an operator starts using the data for its own purposes, it becomes a responsible party and takes on full Chapter 3 liability.
Does an operator need a written agreement under POPIA?
Yes. Section 21(2) of POPIA requires the responsible party to conclude a written contract with the operator to establish and maintain appropriate security safeguards. Without the contract, the responsible party is in breach of POPIA regardless of the operator's conduct.
When must an operator notify the responsible party of a breach?
Section 21(2) read with section 22 requires the operator to notify the responsible party immediately on reasonable belief that a security compromise has occurred. Contracts typically translate "immediately" into 24 to 72 hours.
