The Protection of Personal Information Act 4 of 2013 (the “POPIA”) defines a number of different persons who, depending on the circumstances, are either involved in and/or responsible for the processing and protection of personal data, or are the persons to whom such personal data relates. Amongst the persons so defined is the “operator” (equivalent to a “data processor” under the GDPR).
This insight article seeks to provide a high-level overview of the role of an operator, how the position compares to the role of the “responsible party” (equivalent to a “data controller” under the GDPR) and what organisations should practically be considering when implementing compliance measures that may involve this role.
Who is an operator?
The POPIA defines an operator as, “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.” (section 1). In other words, an operator is a person (for example, a registered entity, such as a company, public authority, department, or a natural person), contracted by another person, the responsible party, to assist with the processing of personal information for such responsible party.
A simple example is that an operator may be a vendor or service provider of a company which assists the company in providing its goods or services to its customers and in managing its business processing activities, such as an outsourced IT service provider, an HR service provider or a supplier to a distributing business.
The operator’s relationship with the responsible party – who is responsible in the event of a breach?
Under the POPIA, the responsible party is the “public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information” (section 1). For example, a responsible party is a company that provides goods and services to its customers (data subjects) and, in order to do this effectively, needs to decide what information (which may include personal data) it requires of its customers in order to deliver its products.
It is ultimately the responsible party who is accountable to the Information Regulator (South Africa’s data protection authority) and to data subjects, and who is liable for ensuring that personal data is processed lawfully. The operator follows the instructions of the responsible party by virtue of a written contractual mandate, which may take the form of an operator agreement (also known as a data processing agreement). This can either be concluded as a separate agreement or, where possible, be incorporated into an existing service level agreement.
What this means is that, in the event of any breach incident occurring or complaint being lodged by a data subject, it is the responsible party who remains solely responsible for managing and/or reporting the incident and/or complaint, not the operator. Any right of recourse that the responsible party may have, where the operator is to blame, will rest in the contract between the parties, in which the operator’s and responsible party’s relationship, duties and any indemnifications are clearly defined.
It can be appreciated that, taking into account an organisation’s own circumstances, it may play multiple roles: in one business relationship it is the operator and in another it is the responsible party.
Furthermore, POPIA caters, similarly to Regulation (EU) 2016/679 (the General Data Protection Regulation) (“GDPR”), for joint responsibility. This arises where, in a particular processing activity, more than one person determines the means and purpose of processing the personal data, as opposed to one responsible party solely determining the means and purpose and mandating an operator to assist it with such processing on its behalf. In the first instance, these parties will be jointly liable as co-responsible parties to the Information Regulator and towards data subjects.
Of course, in the ordinary course of business an operator may wish to contract sub-operators to assist it in the performance of its mandate towards the responsible party. For example, a maintenance company, as an operator, which has signed a written agreement with a homeowners association (the responsible party), decides to sub-contract builders for the intended project work.
Therefore, it should be clearly set out and distinguished from the outset who the role players are and whether your organisation is indeed an operator or, alternatively, a joint responsible party, or perhaps a sub-operator.
What should an organisation be thinking about then to address responsible party – operator relationships?
Ensuring you know exactly what role your organisation plays in processing activities is vital to avoid attracting penalties such as hefty fines from the Information Regulator (not to mention any other data protection authority which may be applicable in the circumstances), or even reputational damage and court action for damages by persons whose privacy rights have not been considered or maintained.
If you are an operator, you may be inclined not to worry about safeguarding against risks and having an operator agreement in place, since your organisation may not be responsible for accounting to the Information Regulator. However, ensuring that the terms and conditions of a business relationship are clearly defined, so as to avoid unnecessary delays, damages and potential disputes, miscommunication or litigation, makes business sense. It is therefore recommended that, whether you are a responsible party or an operator in a given scenario, you consider reviewing all existing and/or future contractual relationships with partners and/or service providers to understand who is accountable and to ensure that any processing of data subjects’ personal data remains lawful.
In this regard, POPIA remains silent on what terms and conditions an operator agreement must contain, other than providing that any such agreement should be reduced to writing (refer to the definition of “operator” above). However, in the absence of any official guidance on and interpretation of POPIA’s provisions, we may be guided by the principles and interpretation of the GDPR (Article 28(3) outlines the minimum terms of a data processing agreement), and we are therefore of the opinion that an operator agreement should address at least the following aspects:
- The subject matter and duration of the processing
- The nature and purpose of processing the personal data
- The types of personal data being processed and the categories of data subjects
- The responsible party’s obligations and rights
- The processing to take place only on the documented instructions of the responsible party (i.e. duty of the operator)
- A duty of confidentiality (i.e. duty of the operator)
- The appropriate security measures that will be put in place by the operator to ensure the personal data shared is safeguarded
- Regulating the possible use of sub-operators
- An outline of what data subjects’ rights may be
- The operator’s duty to assist the responsible party in certain circumstances
- The terms governing the termination and/or ending of the agreement and duties in relation thereto
- The managing and regulation of audits and inspections
- Indemnification and limitation of liability
Apart from the aforesaid, POPIA, unlike the GDPR, does not explicitly require an operator (data processor), based on the scale and type of processing being conducted, to have a representative in South Africa where the responsible party has mandated the operator to process personal data on its behalf and the operator is located outside South Africa. In time, guidance issued by the Regulator and interpretations of POPIA’s provisions by South African courts may bring certainty on this and other practical uncertainties that may arise in relation to the operator – responsible party relationship.
Bear in mind that an organisation’s circumstances will need to be considered and applied to POPIA’s conditions and any other applicable data protection law, and that it may further be the case that the parties agree to supplement the operator agreement with additional terms.