You are only as strong as your weakest third party operator


An operator is person who is contracted by the responsible party in terms of a mandate to assist the responsible party with the processing of personal information. In practice this may be a service level provider that is contracted by a company to assist in the handling of personal data in order for the company to provide its goods and services to its customers.


When managing your company’s operators it is essential to ensure that they are processing personal data on your behalf lawfully and that you are contractually safeguarded in the event of something going wrong. Understanding the circumstances of the processing and setting out the relationship between the parties where both are fully aware of their duties and responsibilities ensures that no nasty surprises await.

Skills session topic:

You are only as strong as your weakest third party operator

Cost of session:

R2 300 per attendee (VAT excluded)

Learning Outcomes – What an attendee will learn at this session includes:
  • What are ‘responsible parties and ‘operators?
  • How do you determine whether you are an operator or responsible party?
  • What does it mean if you are a responsible party?
  • What does it mean if you are an operator?
  • What does it mean if you are joint-responsible parties?
  • The need for an operator agreement and what the contract should cover
  • Must we have a separate operator agreement or can we include it in our existing service level agreement?
  • The role of the operator in the case of a breach
  • Practical scenarios and guidance steps
Why attend the session?

A responsible party and an operator have different roles and responsibilities in terms of POPIA, so it is important to know which role you play in order to manage the various risk. For some businesses and their third party service providers, the distinction might not be as clear-cut and it may be the case that, in the circumstances, a dual role is played.

Understanding what hat your business wears (i.e. am I a responsible party, operator or both?) is vital so that you have peace of mind that you have done everything that needs to be done on your part and further, are aware of how to go about managing your operators in the event that you are the responsible party.

Who should attend the session?
  • The information officer tasked with leading POPIA compliance in a business.
  • Internal compliance and legal teams
  • IT service providers
  • HR service provider
Duration and location:
  • The session can either be held at our offices (Brooklyn, Pretoria) (we have capacity for a maximum of 1 – 10 persons) or online via video conferencing. The organisation to provide its preferred method of presentation.
  • The duration of the session is 2 hours, with a brief tea interval and allocated time for Q&As.

Once we have received the intended number of persons who will attend the session, together with each of their names, surnames and email addresses we shall provide 3 available dates for the session to be held.


Upon confirmation of session booking, our invoice shall be dispatched for payment to be made prior to the date of session.

Training session material:

We will provide all material in connection with the session to be presented.


The training is offered in English.

*Please take note that VDT’s training POPIA knowledge sessions are not accredited and/or affiliated with any higher education or skills development authority or institution. The skills development sessions are planned and presented internally and aim to provide applicable information regarding a particular topic presented and equip attendees with valuable skills which may assist them in further decision making.