South Africa: The role and liability of an operator under POPIA
The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) defines several categories of person: those who process, or are responsible for the processing and protection of, personal information, and the data subjects to whom that information relates. One of the persons defined is the ‘operator’, which is broadly equivalent to the ‘processor’ under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Who is an operator?
Section 1 of POPIA defines an operator as ‘a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party’. In other words, an operator is a person (for example, a juristic person such as a company, public body or department, or a natural person) contracted by another person, the responsible party, to process personal information on that responsible party’s behalf. Two elements of the definition matter in practice: the processing must be done under a contract or mandate, and the operator must not fall under the direct authority of the responsible party. An employee processing personal information in the course of their employment acts under the employer’s direct authority and is therefore not an operator; POPIA treats such a person separately as one ‘acting under the authority’ of the responsible party.
A simple example is a vendor or service provider that enables a company to supply its goods or services to its customers and to run its business processes, such as an outsourced IT service provider, a payroll or HR service provider, or a supplier to a distribution business.
Who is responsible in the event of a breach?
Under POPIA, the responsible party is the ‘public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information’. For example, a company that supplies goods and services to its customers (the data subjects) is a responsible party, because it decides what information (which may include personal information) it needs from those customers in order to deliver its products.
It is ultimately the responsible party who is accountable to the Information Regulator (South Africa’s data protection authority) and data subjects, and liable for ensuring that personal data is processed lawfully. The operator follows the instructions of the responsible party by virtue of written contractual mandate which may take the form of an operator agreement (also known as a data processing agreement), which can either be concluded as a separate agreement or incorporated into an existing service level agreement.
What this means is that if a security compromise occurs or a data subject lodges a complaint, it is the responsible party, not the operator, who is accountable for managing the incident and for notifying the Information Regulator and the affected data subjects (section 22 of POPIA). The operator is not, however, free of statutory duties: under section 21(2) it must notify the responsible party immediately where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person, and under section 20 it may process the information only with the knowledge or authorisation of the responsible party and must treat it as confidential. Any right of recourse the responsible party has against an operator that is at fault rests in the contract between them, in which the relationship, each party’s duties and any indemnities should be clearly defined.
Depending on its circumstances, an organisation may play more than one role: in one business relationship it is the operator, and in another it is the responsible party.
Furthermore, POPIA, like the GDPR, caters for joint responsibility: the definition of ‘responsible party’ covers a person who determines the purpose and means of processing ‘alone or in conjunction with others’. This is distinct from the situation in which one responsible party alone determines the purpose and means and mandates an operator to process on its behalf. In the joint case, the parties are jointly accountable as co-responsible parties to the Information Regulator and to data subjects.
In the ordinary course of business an operator may also wish to appoint sub-operators to assist it in performing its mandate for the responsible party. For example, a property management company acting as operator under a written agreement with a homeowners’ association (the responsible party) may sub-contract part of the work, and in doing so pass residents’ personal information on to the sub-contractor.
The roles and responsibilities of each party should therefore be set out and distinguished from the outset, including whether your organisation is an operator, a joint responsible party or a sub-operator in the particular processing activity.
What should an organisation consider regarding responsible party – operator relationships?
Knowing exactly what role your organisation plays in each processing activity is vital to avoid penalties such as administrative fines from the Information Regulator (and from any other data protection authority that may have jurisdiction), as well as reputational damage and civil claims for damages by persons whose privacy rights have not been respected.
If you are an operator, you may be inclined to pay little attention to safeguarding against risk or to having an operator agreement in place, on the basis that your organisation is not the one accounting to the Information Regulator. However, POPIA imposes direct duties on operators (confidentiality, processing only with the responsible party’s authorisation, and immediate notification of a security compromise), and clearly defined terms in a business relationship avoid unnecessary delays, damages, disputes, miscommunication and litigation. Whether you are a responsible party or an operator in a given scenario, it is therefore recommended that you review all existing and future contractual relationships with partners and service providers to understand who is accountable for what, and to ensure that any processing of personal information remains lawful.
POPIA itself says relatively little about what an operator agreement must contain. Section 21(1) requires the responsible party, in terms of a written contract with the operator, to ensure that the operator establishes and maintains the security measures referred to in section 19, and section 21(2) requires the operator to notify the responsible party immediately of any suspected unauthorised access to personal information. Beyond the requirements that the contract be in writing and address security, POPIA prescribes no minimum terms. In the absence of official guidance on these provisions, we may be guided by the GDPR, which in Article 28(3) sets out the minimum terms of a data processing agreement. Following Article 28(3), we are of the opinion that an operator agreement should address at least the following aspects:
- the subject matter and duration of the processing;
- the nature and purpose of processing the personal data;
- the types of personal data being processed and the categories of data subjects;
- the responsible party’s obligations and rights;
- that the processing may only take place on the documented instructions of the responsible party (i.e. duty of the operator);
- a duty of confidentiality (i.e. duty of the operator);
- the appropriate, reasonable security measures that the operator will establish and maintain to safeguard the personal information shared with it, and the operator’s duty to notify the responsible party immediately of any suspected security compromise;
- the regulation of the use of sub-operators, including whether prior authorisation is required and that the same obligations flow down to the sub-operator;
- an outline of the data subjects’ rights;
- the operator’s duty to assist the responsible party in certain circumstances;
- the terms governing the termination and/or ending of the agreement and duties in relation thereto;
- the managing and regulation of audits and inspections; and
- indemnification and limitation of liability.
Apart from the above, POPIA, unlike the GDPR (Article 27), does not explicitly require an operator located outside South Africa that processes personal information on behalf of a responsible party to appoint a representative in South Africa, irrespective of the scale and type of processing conducted.
Going forward, guidance issued by the Information Regulator and interpretation of POPIA’s provisions by the South African courts may bring certainty on this and other practical uncertainties that arise in the operator – responsible party relationship.
Bear in mind that an organisation’s particular circumstances must be assessed against POPIA’s conditions for lawful processing and against any other applicable data protection law, and that the parties may agree to supplement the operator agreement with additional terms.