SECTION 21 - OPERATOR AGREEMENT

1. Interpretation
It is recorded that this agreement will be subject to the provisions and definitions of the Protection of Personal Information Act 4 of 2013.
 
2. Processing Limitations
2.1 It is recorded that, pursuant to its obligations under this Agreement, the Service Provider will process Personal Information in connection with and for the purposes of the provision of the services for or on behalf of the Responsible Party and will act as  an Operator for purposes of POPI.
2.2 The parties have agreed on the following contractual clauses in order to adduce adequate safeguards with respect to the protection of Personal Information.
2.3 Unless required by law, the Services Provider shall process the Personal information only:
2.3.1 On behalf of the Responsible Party and in compliance with its instructions and this Agreement;
2.3.2 For the purposes connected with the provision of the services or as specifically otherwise instructed or authorised by the Responsible Party in writing.
2.4  The Services Provider shall treat the Personal Information that comes to its knowledge or into its possession as confidential and shall not disclose it without the prior written consent of the Responsible Party.
 
3. Security Measures
3.1 The Service Provider warrants that it shall secure the integrity of the Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
3.1.1 Loss of, our damage to, or unauthorised destruction of the Personal Information of the Personal Information;
3.1.2 Unlawful access to or processing of the Personal Information.
3.2 The Service Provider shall take reasonable measures to:
3.2.1 Identify all reasonable foreseeable internal and external risks to the Personal Information in its possession or under its control;
3.2.2   establish and maintain appropriate safeguards against the risks identified;
3.2.3  regularly verify that the safeguards are effectively implemented;
3.2.4   ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and shall notify the Responsible party of the risks identified and the safeguards established and implemented from time to time.
3.2.5   Reasonable measures include:
3.2.5.1 encryption of all disks, USB or flash memory data storage devices, laptops, tablet or removable device capable of storing Personal Information.
3.2.5.2  taking immediate steps to address identified risks and  deficiencies.
3.3   The Services Provider shall:
3.3.1  have due regard to generally accepted information security practices and processes which may apply to it:       
3.4  Within five (5) Business Days of a request from the Responsible Party, the Service Provider shall provide to the Responsible Party a written explanation and full details of the appropriate technical and organisational measures taken by or on behalf of the Service Provider to demonstrate and ensure compliance with this clause.
 
4. Service Provider’s general obligations with regards to Personal Information
4.1  In addition to the other obligations set out in this clause, the Services Provider  shall:
4.1.1   take responsible steps to ensure the reliability of any if its Staff who have access to the Personal Information;
4.1.2   limit access to the Personal Information only to those Staff who need to know to enable the Service Provider to perform the services and ensure that Staff used by the Services Provider to provide the services have undergone training in the care and handling of the Personal  Information;
4.1.3   deal promptly and properly with all reasonable inquiries from the Responsible Party relating to its Processing of the Personal Information and provide to the Responsible Party copies of the Personal Information in the format reasonably specified by the Responsible Party;
4.1.4  provide the Responsible Party of its inability to comply with the Responsible Party’s instructions and this clause, in which case the Responsible Party  is entitled to suspend the Processing of Personal Information and/or terminate this Agreement;
4.1.5  provide the Responsible Party with full co-operation and assistance in relation to any requests for access or correction or complaints made by Data Subjects;
4.1.6   at the request of the Responsible Party or any regulatory body, submit its Personal Information Processing facilities for audit of the Processing activities covered by this Agreement.
 
5. Notifications
5.1   The Services Provider must notify the Responsible Party in writing:
5.1.1    within 2 (two) Business Day or otherwise as soon as reasonably possible if any Personal Information has been or may reasonably believed to have been access or acquired by an unauthorised person or if a breach has occurred with reference to its use of the Personal Information under this Agreement.  The notification must provide sufficient information to allow affected Data Subjects to take measures against the potential consequences of the compromise, including , if known to the Services Provider, the identity of the unauthorised person who may accessed or acquired the Personal  Information.
5.1.2  within 3 (three) Business Days of receipt thereof, of any request for access to or correction of the Personal Information or complaints received by the Services Provider relating to the Responsible Party’s obligations in terms of POPI and provide the Responsible party with full details of such request or complaint; 
5.1.3   promptly of any legally binding request for disclosure of Personal Information or any other notice or communication which relates to the processing of the Personal Information from any supervisory or governmental body.
 
6. Return / destruction of Personal Information
6.1   Upon termination of this Agreement or upon request by the Responsible Party, the Services Provider shall return any material containing, pertaining or relating to the Personal Information disclosed pursuant to this Agreement to the Responsible Party.  Alternatively, the Services Provider shall, at the instance of the Responsible Party, destroy or return such material and shall certify to the Responsible Party that it has done so, unless the law prohibits the Service Provider from doing so.  In that case, the Service Provider warrants that it will guarantee the confidentially of the Personal Information and will not actively process the Personal Information any further.            
  
7. Indemnities
7.1   The Service Provider hereby indemnifies and holds harmless the Responsible Party from any and all claims, loss or damage arising from any claim or action brought against the Responsible Party and arising from or due to the Service Provider’s breach of its information protection obligations set out in this clause.
7.2   Damages that the Service Provider will be responsible for will include but not limited to any fines/penalties, payments to data subject, reputational damages to correct the public relationship with data subjects/potential data subject.
 
8. Ownership
8.1   The Service Provider acknowledges and agrees that the Responsible Party retains all right, title and interest in and to the Personal Information.
8.2  The Services Provider shall not possess or assert any lien or other right against or to such Personal Information and no such Personal Information shall be sold, assigned, leased or otherwise disposed of to third parties by the Service Provider or commercially exploited by or on behalf of the Service Provider or its Staff.