Not sure if you need to put in place data processing agreements (DPAs) with your service providers? Read this.

Not sure if you need to put in place data processing agreements (DPAs) with your service providers? Read this.

5 min read
Deal with Software or Data

What is a data processing agreement (DPAs) and is this something I must have in place with my service providers? 

There is a general misconception that if a service provider (for example the company doing your payroll) is dealing with personal information that you provided them with, then the service provider assumes the risk of data breaches. It is not that simple.

POPIA dictates that the main responsibility of data protection lies with the responsible party. If you are a responsible party and any of your services providers will have access to or process any personal information you must conclude a data processing agreement with the service provider. 

Section 21(1) and (2) of POPIA, provides that:

  • A responsible party must, in terms of a written contract between the responsible party and the operator, ensure the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in Section 19.
  • The operator must notify the responsible party immediately where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by any unauthorised person.

Section 19 of POPIA, provides that:

  • The integrity and confidentiality of the personal information must be secured by taking reasonable measures to ensure that the integrity of the personal information is not compromised or that the personal information is not accessed by someone that is not allowed to access or process the personal information.

If you are required in terms of POPIA to have data processing agreements in place, and these agreements are not in place, the information regulator can impose severe penalties on you. 

We have confidentiality clauses in all our agreements, do we still need to conclude data processing agreements?

Generally, it will not be sufficient to merely have confidentiality provisions apply between you and your service provider. The POPIA act is specific on what is required in the data processing agreement.

Which additional provisions must I consider including in a data processing agreement?

Concluding a basic data processing agreement with your service providers is a start. There are however situations where you would want to look at concluding a more comprehensive data processing agreement with a service provider. These situations may include situations where more risk in the processing of personal information is involved, the personal information will be transferred outside of South Africa or where the personal information can be considered special personal information in terms of POPIA.

Third-party claim indemnities relating to data processing

An additional provision that you can consider including is an indemnity relating to third party claims that may be instituted against you as a result of your service provider not complying with its obligations in terms of the data processing agreement.

For example, it can happen that a service provider fails to establish and maintain security measures referred to in Section 19 of the POPIA, and as a result, there is a data breach and claims are then instituted against you as the responsible party. With a correctly drafted indemnity, you as the responsible party will be able to rely on the indemnity to recover damages or losses as a result of the claims being instituted against you from the service provider that provided the indemnity.

Audit rights

Data protection is a continuous process and prevention is certainly better than cure. If you are the responsible party under POPIA, well-drafted audit rights provisions will certainly provide you with peace of mind.


Let’s face it, it is impossible to make provisions for all risks especially relating to an ever-changing data protection landscape. If you are the responsible party and outsourcing certain data processing activities to a service provider holds many risks, it is a good idea to place an obligation on the service provider to take out appropriate insurance.=

You need a data processing agreement, what are the next steps

With the DocNinja contract creator, you can easily create a data processing agreement tailored to your needs.

Create your tailored data processing agreement -

If you get stuck, don’t worry. Simply reach out to one of our contract and commercial law specialists to assist and guide you.

Want updates about new blog posts?

Monthly information regarding new legislation and contract updates.

We care about the protection of your data. Read our Privacy Policy.