Operator Agreement (POPIA Section 21)
Also known as: Data Processing Addendum, DPA, Processor Agreement.
What is Operator Agreement?
An operator agreement is the written contract required by section 21 of POPIA between a responsible party and any operator processing personal information on its behalf. It must impose confidentiality, appropriate security safeguards, and breach-notification duties on the operator, and is the keystone of vendor POPIA compliance.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
Definition and context
Section 21(1) of POPIA requires a responsible party, when engaging an operator, to ensure that the operator establishes and maintains the security measures referred to in section 19 (appropriate technical and organisational measures to prevent loss, damage, unauthorised destruction or unlawful access). Section 21(2) requires this arrangement to be set out in a written contract between the responsible party and the operator. An operator agreement is therefore mandatory: the POPIA analogue of the GDPR's article 28 data-processing addendum.
The Information Regulator's Guidance Note on Processing of Personal Information by an Operator (September 2021) clarifies the minimum content: the subject-matter and duration of processing, the nature and purpose of processing, the types of personal information and categories of data subjects, the obligations and rights of the responsible party, a sub-processor consent mechanism, confidentiality undertakings from the operator's personnel, cross-border transfer controls under section 72, and return or deletion of data on termination.
In practice the operator agreement is usually a DPA (Data Processing Addendum) bolted onto an MSA, SaaS agreement or outsourced services contract. It should expressly preserve the responsible party's liability toward data subjects, leave the operator's liability for breach of POPIA duties uncapped (or subject to a higher cap than general contractual liability), and provide for audit rights, SOC 2 / ISO 27001 reporting and indemnities for regulatory fines. Template language drawn from the EU Standard Contractual Clauses is often adapted, but must be localised to POPIA definitions and section references.
Where this term lives in law
Protection of Personal Information Act 4 of 2013
Sections: 19, 20, 21, 22, 72
Regulates the processing of personal information by public and private bodies in South Africa.
Frequently asked questions
Is an operator agreement compulsory under POPIA?
Yes. Section 21(2) requires any engagement of an operator to be recorded in a written contract. Without it, the responsible party is in direct contravention of POPIA — regardless of any actual breach or harm.
What must an operator agreement contain?
As a minimum: scope and purpose of processing, types of personal information, confidentiality undertakings, security safeguards aligned to section 19, sub-processor consent, data-subject request cooperation, breach notification, cross-border transfer controls, audit rights, and return or deletion of data on termination.
Does a GDPR-compliant DPA satisfy POPIA section 21?
Not automatically. A GDPR article 28 DPA covers most substantive topics but must be supplemented with POPIA-specific language — definitions, the section 72 cross-border basis, notification to the Information Regulator, and POPIA section references. Courts will read it against POPIA, not the GDPR.
Who is liable if the operator breaches the agreement?
Primarily the responsible party toward the data subject and the Information Regulator (section 8). The responsible party then has a contractual claim against the operator under the operator agreement — hence the importance of indemnities and meaningful liability caps.