Not sure if you need to put in place data processing agreements (DPAs) with your service providers? Read this.
There is a general misconception that if a service provider (for example the company doing your payroll) is dealing with personal information that you provided them with, then the service provider assumes the risk of data breaches. It is not that simple.
POPIA places the main responsibility for data protection on the responsible party. If you are a responsible party and any of your service providers will have access to or process personal information on your behalf, you must conclude a data processing agreement with that service provider.
Section 21(1) and (2) of POPIA provide that:
Section 19 of POPIA provides that:
If POPIA requires you to have data processing agreements in place and you do not have them, the Information Regulator can impose severe penalties on you.
Generally, it will not be sufficient merely to have confidentiality provisions apply between you and your service provider. POPIA is specific about what a data processing agreement must contain.
Concluding a basic data processing agreement with your service providers is a start. There are, however, situations where you would want to conclude a more comprehensive data processing agreement with a service provider: where the processing of the personal information carries greater risk, where the personal information will be transferred outside of South Africa, or where the personal information qualifies as special personal information in terms of POPIA.
An additional provision that you can consider including is an indemnity relating to third party claims that may be instituted against you as a result of your service provider not complying with its obligations in terms of the data processing agreement.
For example, a service provider may fail to establish and maintain the security measures referred to in Section 19 of POPIA, a data breach follows, and claims are then instituted against you as the responsible party. With a correctly drafted indemnity, you as the responsible party can rely on the indemnity to recover from the service provider the damages or losses you suffer as a result of those claims.
Data protection is a continuous process and prevention is certainly better than cure. If you are the responsible party under POPIA, well-drafted audit rights provisions will certainly provide you with peace of mind.
Let’s face it: it is impossible to make provision for all risks, especially in an ever-changing data protection landscape. If you are the responsible party and outsourcing certain data processing activities to a service provider carries significant risk, it is a good idea to place an obligation on the service provider to take out appropriate insurance.
With the DocNinja contract creator, you can easily create a data processing agreement tailored to your needs.
Create your tailored data processing agreement - https://docninja.io/available-documents/document/175-data-processing-agreement-dpa/show
If you get stuck, don’t worry. Simply reach out to one of our contract and commercial law specialists to assist and guide you.