Board Resolution – POPIA Implementation

This generic board resolution aims to enable a private or public body (e.g. company, close corporation, partnership), as a responsible party under POPIA, to adopt implementation measures to comply with POPIA and PAIA. It covers:

  • Resolution to commence compliance measures (conducting a gap analysis or audit report and high impact assessments)
  • Resolution to recognise the head of the body as the automatically appointed information officer
  • Resolution on the designation and authorisation of the information officer (IO) from the head of the body to another person within the body
  • Resolution to authorise deputy information officer(s) (DIO)
  • Resolution on the IO's and DIO's registration with the Information Regulator
  • Resolution on the general duties and responsibilities of the information officer
  • Signed by the acting chairperson of the board of the body

The document is customisable. Simply purchase and download the document and apply it to your organisation. If you require help to customise the document, contact us.

Information Officer Appointment Letter

Every responsible party is required to register an Information Officer. Information Officers are appointed automatically in terms of PAIA. POPIA expands on the role and responsibilities of the Information Officer. This means that every public body (e.g. national department, provincial body, or municipality) and every private body (e.g. a company, a trust, or a close corporation) has an Information Officer by default, and no one is exempt. The default position is that the Information Officer is the head of the body (CEO / managing director). The CEO or managing director may, in writing, designate and authorise any natural person within the body to act as the Information Officer.

What does the appointment letter cover?

  • enables the head of the body to change the default position and appoint and authorise a person within the organisation to fulfil the role of the Information Officer
  • sets out the Information Officer's duties and responsibilities
  • makes provision for recommended indemnities for the role
  • makes provision for recommended duties of the responsible party to support the Information Officer in the performance of their role
  • incorporates the requirements for Information Officers to be registered with the Information Regulator
  • can be customised for your organisation's requirements

Simply purchase and download the document and apply it to your organisation. If you require help to customise the document, contact us.

Intra-Group Transfer Agreement for Data Transfers

Intra-Group Agreement for Data Transfers (“IGA”) – Group Companies: This generic IGA for group transfers has been drafted in accordance with the data protection principles of both the GDPR and POPIA. It is best suited to the processing of personal data in a group structure in which companies transfer personal data between members of the group. The IGA sets out the terms and conditions on which any member company of the group engages another member company in relation to the processing of personal data. The IGA deals specifically with Controller-to-Controller transfers, Joint Controllership, Controller-to-Processor transfers, Processor-to-Sub-Processor transfers and authorisation for third party data processing agreements to be concluded by members of the group with third parties. Purchase and download the IGA, apply it to your group circumstances and, if need be, contact us if you require customisation of the IGA.

Data Breach Management Policy

This data breach management policy provides a generic policy guideline for internal personnel to deal with a data security breach or incident within the organisation. It sets out a hierarchical plan and responsibilities for high-level and low-level staff to follow in the event of any perceived data breach, in order to ensure that such an event is dealt with in a timely manner and in accordance with the law. The policy therefore provides a generic, standardised response plan for any reported data breach incident and gives guidance on what to do in the event of a breach, ensuring that an incident is appropriately recorded and properly investigated, the impacts are understood, risks are identified and action is taken to prevent further damage, reducing the risks to your business and assisting in compliance with the law. The standard policy may be customised according to your organisation's specific needs. Simply purchase the policy, customise it, or get us to help you, and apply the policy within your organisation.

Employee Privacy Notice

This generic employee privacy notice sets out the basis upon which you process personal information of your business' staff or employees. The employee privacy notice was therefore drafted to be in line with the 8 conditions of lawful processing of personal information as provided for in the POPI Act, and may be incorporated by reference in your business’ employment contracts with employees and/or recruitment terms and conditions documents, internal employment procedures and/or guidelines and protocols. This generic employee privacy notice can be customised according to your specific needs, so simply purchase and download the document, customise it or ask us to do it for you, and apply it to your business.

Generic Cookie Policy

This generic cookie policy explains to the user of your website what cookies are and their purpose, what cookies your website may use, how to delete cookies and the potential effect of deleting any types of cookies when making use of your website. The document may be connected to your privacy policy and can be further customised according to your specific needs. Simply purchase and download the document, customise it or ask us to do it for you, and apply it to your business. The cookie policy should be displayed on and accessible from your business' website(s).

GDPR vs. POPIA Guide

The Guide provides a comparative overview of the differences and similarities between the European Union’s data protection law, the General Data Protection Regulation (EU) 2016/679 (GDPR), and South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA). If you are an organisation that may be required to comply with both the GDPR and POPIA, this Guide provides a high-level overview of the fundamental differences and similarities between the two laws and covers:

  1. When is compliance with the GDPR and/or POPIA required?
  2. What types of processing are covered/exempted?
  3. Key data protection concepts and how each concept is addressed under POPIA and the GDPR
  4. Recommended guidance steps and how each step is treated under each law

Data Processing Agreement (POPIA & GDPR)

A data processing agreement or “DPA” is a legal document signed by the data controller and the data processor, either in writing or in electronic form, the purpose of which is to regulate the terms and conditions of how the parties shall process personal information about data subjects and to manage responsibility in terms of such processing. Therefore, if you are an organisation that processes personal data falling under the application of the GDPR and POPIA, an appropriate DPA is vital to ensure both the data controller and data processor are aware of their duties and responsibilities and that the necessary protections and indemnities are catered for. Purchase and download our DPA tailored for POPIA & GDPR compliance, and apply it to your organisation’s data processor relationships where personal data protection has not yet been catered for in writing. If you require our help customising the document further, contact us.

Data Processing Agreement (Global)

A data processing agreement or “DPA” is a legal document signed by the data controller and the data processor, either in writing or in electronic form, the purpose of which is to regulate the terms and conditions of how the parties shall process personal information about data subjects and to manage responsibility in terms of such processing. Therefore, if you are an organisation that processes personal data globally or in multiple jurisdictions, having a global DPA in place is vital to ensure both the data controller and data processor are aware of their duties and responsibilities and that the necessary protections and indemnities are catered for. Purchase and download our global DPA, which has been drafted to comply with global data protection standards, and apply it to your organisation’s data processor relationships where personal data protection has not yet been catered for in writing. If you require our help customising the document further, contact us.

Operator Agreement (SA)

An operator agreement is a legal document signed by the responsible party and the operator, either in written or in electronic form, the purpose of which is to regulate the terms and conditions of how the operator shall process personal information about data subjects on behalf of the responsible party. Personal data means any information with the help of which it is possible to identify a person, e.g. name, date of birth, place of residence, etc. Therefore, if your business uses third party service providers to assist in the processing of personal information of your customers, it is recommended that an operator agreement be put in place to ensure both parties know the scope and purpose of the personal data processing; what data is processed and how it should be protected; the relationship between the operator and the responsible party; and the necessary indemnities and protections, etc. Purchase and download our operator agreement, which is drafted to comply with the provisions of POPIA, and apply it to your business’ third party operator relationships if personal data protection has not yet been catered for in writing. If you require our help customising the document further, contact us.