- The Company acts as a Responsible Party, as defined in the Protection of Personal Information Act, 4 of
- The Company wishes to enter into an agreement with the External Party, which implies the processing of personal information by the External Party.
- The Parties seek to implement a personal information processing agreement that complies with the requirements of the
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
- Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- “Act” means the Protection of Personal Information Act, 4 of 2013 and the Regulations thereto;
- “Agreement” means this Personal Information Processing Agreement and all Schedules;
- “Company Personal Information” means any Personal Information, as defined by the Act, processed by the External Party on behalf of the Company pursuant to or in connection with the Principal Agreement;
- “Contracted Processor” means a Sub-processor;
- “Data Transfer” means:
- a transfer of Company Personal Information from the Company to the External Party; or
- an onward transfer of Company Personal Information from the External Party to a Sub-processor;
- “External Party” means a Service Provider, Customer, Agent, Supplier, Contractor, Company or Juristic Person.
- “Personal Information” means information relating to an identifiable, living, natural person or an identifiable, existing juristic person, as defined in the Act;
- “Principal Agreement” means the agreement entered into between the Company and the External Party;
- “Processing” means any operation or activity concerning Company Personal Information as defined in the Act;
- “Sub-processor” means any person appointed by or on behalf of the External Party to process Company Personal Information on behalf of the Company in connection with the Agreement or the Principal
- No provision of this Agreement shall be construed against or interpreted to the disadvantage of any Party hereto by reason of such Party having or being deemed to have structured, drafted or introduced such
- The eiusdem generis rule shall not apply and whenever a term is followed by the word “including” or “includes” which is then followed by specific examples, such examples shall not be construed so as to limit the meaning of that
2. PROCESSING OF COMPANY PERSONAL INFORMATION
- The External Party shall:
- comply with the Act in the Processing of Company Personal Information;
- not Process Company Personal Information other than on the relevant Company’s documented instructions and only as is strictly necessary for the fulfilment of its obligations under the Principal Agreement;
- only Process Company Personal Information with the knowledge and authorisation of the Company;
- treat all Company Personal Information as Confidential Information as defined in the Principal Agreement; and
- take all appropriate, reasonable measures to prevent the loss of, damage to, unauthorised destruction of, unauthorised access to, or unauthorised processing of, Company Personal Information under its control.
- The External Party shall take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to Confidential Information and Company Personal Information in its possession or under its control;
- establish and maintain appropriate safeguards against risks so identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented
3. THE EXTERNAL PARTY’S PERSONNEL
The External Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Company Personal Information, ensuring in each case that access is strictly limited to those individuals who need to know, or access, the relevant Company Personal Information, as strictly necessary for the purposes of the Principal Agreement, and to comply with the Act in the context of that individual’s duties to the External Party, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Taking into account the state, nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the External Party shall in relation to the Company Personal Information implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Condition 7 of the Act.
- In assessing the appropriate level of security, the External Party shall take account of the risks that are presented by
- The External Party shall not appoint (or disclose any Company Personal Information to) any Sub-processor unless required or authorised by the
6. DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, the External Party shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by the Company, to respond to requests to exercise Data Subject rights under the
- The External Party shall:
- promptly notify Company if it receives a request from a Data Subject under the Act in respect of Company Personal Information; and
- ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the External Party is subject, in which case the External Party shall to the extent permitted by law inform the Company of that legal requirement before the External Party responds to the
7. PERSONAL INFORMATION BREACH
- The External Party shall notify the Company without undue delay upon it becoming aware of a Personal Information Breach affecting Company Personal Information, providing the Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Information Breach.
- The External Party shall co-operate with the Company and take reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation and remediation of each such Personal Information
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
The External Party shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by the Act or any other data protection law, in each case solely in relation to Processing of Company Personal Information by, and taking into account the nature of the Processing and information available to, the External Party.
9. DELETION OR RETURN OF COMPANY PERSONAL INFORMATION
- The External Party shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of the Company Personal Information (the "Cessation Date"), delete and procure the deletion of all copies of that Company Personal Information. The External Party shall provide written certification to the Company that it has fully complied with this clause 9.1 within 10 business days of the Cessation Date. Notwithstanding the foregoing, the External Party may retain one copy of the Company Personal Information in its legal department as and to the extent required to comply with applicable laws or enforce its rights under this Agreement or the Principal Agreement, provided that such Company Personal Information shall be returned or destroyed in accordance with this provision upon the expiration of the period specified in the applicable law, the expiration of the applicable statute of limitations and the final resolution of any pending dispute
- The Company may at any time request the External Party to return any Company Personal Information, in whatever form, or to destroy such information and to provide a written statement, if required, that all the information has been returned or destroyed. Any such information shall be returned or destroyed within a reasonable time not exceeding 10 (ten) business days.
10. AUDIT RIGHTS
The External Party shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Information by the External Party or Sub-processor.
11. DATA TRANSFER
The Processor may not transfer or authorize the transfer of Company Personal Information to countries outside South Africa without the prior written consent of the Company. If Company Personal Information processed under this Agreement is transferred from a country outside South Africa, the Parties shall ensure that the Company Personal Information is adequately protected.
Should either party commit any breach of any provision of this Agreement which can be remedied, the other party shall be entitled to give the defaulting party notice to remedy such breach within 10 (ten) business days. If the breach cannot be remedied or if the defaulting party fails to comply with the notice, the other party may claim an interdict, damages and any other remedy available to it.
- This Agreement constitutes the whole agreement between the Parties and supersedes all prior verbal or written agreements or understandings or representations by or between the Parties regarding the subject matter of this Agreement, and the Parties will not be entitled to rely, in any dispute regarding this Agreement, on any terms, conditions or representations not expressly contained in this
- No variation of or addition to this Agreement will be of any force or effect unless reduced to writing and signed by or on behalf of the
- Neither party to this Agreement has given any warranty or made any representation to the other party, other than any warranty or representation which may be expressly set out in this
- Neither of the Parties shall be entitled to assign, cede, delegate or transfer any rights, obligations, share or interest acquired in terms of this Agreement, in whole or in part, to any other party or person without the prior written consent of the other party, save that the Company may cede, delegate or transfer any rights, obligations in terms of this Agreement to any of the companies within its corporate
- No indulgence, leniency or extension of a right, which either of the Parties may have in terms of this Agreement, and which either party (“the grantor”) may grant or show to the other party, shall in any way prejudice the grantor, or preclude the grantor from exercising any of the rights that it has derived from this Agreement, or be construed as a waiver by the grantor of that
- No waiver on the part of either party to this Agreement of any rights arising from a breach of any provision of this Agreement will constitute a waiver of rights in respect of any subsequent breach of the same or any other
- In the event that any of the terms of this Agreement are found to be invalid, unlawful or unenforceable, such terms will be severable from the remaining terms, which will continue to be valid and enforceable.