By and large, the Protection of Personal Information Act, 2013 (“POPIA”) only imposes obligations, duties and liabilities on the responsible party. A responsible party is defined in POPIA as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
For example, in terms of POPIA, it is the responsible party who bears the onus and obligation to report any security compromise or data breach to the Information Regulator and affected data subjects. Ultimately, it is the responsible party who is liable to data subjects for civil claims for damages and/or to the Information Regulator for enforcement action in the event that it fails to comply with POPIA.
In practice, however, confusion often arises between parties as to whether they act as a responsible party or as an operator (an operator is defined in POPIA as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”).
The definition of “responsible party” in POPIA implies that parties can be joint responsible parties, processing personal information in conjunction with each other. POPIA does not address the practical uncertainties or give further guidance, rules, frameworks or clarity in relation to jointly responsible parties – new guidelines by the European Data Protection Board (“EDPB”) might provide some clarity.
The EDPB is responsible for the consistent application of the General Data Protection Regulation (“GDPR”) amongst data protection authorities. These EDPB guidelines are relevant to the application of POPIA, as POPIA contains as its objectives the “regulation, in harmony with international standards, of the processing of personal information by public and private bodies…”
Below are some aspects of the EDPB guidelines relevant to POPIA:
- “The concepts of controller [responsible party], joint controller and processor [operator] are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties… This implies that the legal status of an actor as either a “controller” or a “processor” must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor as being either a “controller” or “processor” (e.g. in a contract).” (our emphasis added)
- In considering the meaning and definition of “controller” (responsible party), the EDPB guidelines say: “A controller is a body that decides certain key elements of the processing... Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in… A controller determines the purposes and means of the processing, i.e. the why and how of the processing.” (our emphasis added)
- The EDPB guidelines identify two basic conditions for identifying processors (operators):
- The processor is, firstly, a “separate entity in relation to the controller and that it processes personal data on the controller's behalf” (our emphasis added); and
- The processor “must not process the data otherwise than according to the controller's instructions” – a degree of discretion can necessarily remain with a processor about how to best serve the controller's interests (for example by allowing the processor the choice of the most suitable technical or organisational means to use).
- With regard to joint controllers (joint responsible parties), the EDPB guidelines state:
- “An important criterion is that the processing would not be possible without both parties' participation in the sense that the processing by each party is inseparable, i.e. inextricably linked…The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation.”
- Even if there is no legal requirement to have an agreement in place between joint responsible parties, the EDPB guidelines recommend that one is put in place in order to ensure that “…responsibility for compliance with data protection rules is clearly allocated in order to avoid that the protection of personal data is reduced, or that a negative conflict of competence lead to loopholes whereby some obligations are not complied with by any of the parties involved in the processing.”
- In terms of POPIA, a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information.
The responsible party must have due regard to generally accepted information practices and procedures that may apply to it generally or may be required in terms of specific industry or professional rules and regulations.
Presumably for this reason, the responsible party is obliged, in terms of a written contract which must be concluded between it and the operator, to ensure that the operator establishes and maintains these confidentiality and security measures. It therefore follows that the security measures and liabilities must largely be imposed on the operator contractually rather than directly under POPIA. Unlike the GDPR, POPIA does not provide guidance on what terms, if any, should be included in any contract with an operator. There is, however, some guidance on the content of operator agreements that can be gleaned from the EDPB guidelines:
- A responsible party should only “use processors providing sufficient guarantees to implement appropriate technical and organisational measures… Elements to be taken into account could be the processor's expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor's reliability; the processor's resources and the processor's adherence to an approved code of conduct or certification mechanism”;
- The contract can set out who the role players are: “In many cases, an assessment of the contractual terms between the different parties involved can facilitate the determination of which party (or parties) is acting as controller. Even if a contract is silent as to who is the controller, it may contain sufficient elements to infer who exercises a decision-making role with respect to the purposes and means of the processing”;
- The terms of the contract should not merely restate the POPIA requirements (of processing condition 7): “rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data [information] processing that is the object of the processing agreement. Far from being a pro-forma exercise, the negotiation and stipulation of the contract are a chance to specify details regarding the processing”;
- The contract should, in addition to the above, set out the specifics about: the subject matter of the processing (which needs to be formulated so as to be clear “what the main object of the processing is”); the duration of the processing (stipulating the “exact period of time, or criteria used to determine it”); the nature and purpose of the processing (which description should be “as comprehensive as possible… so as to allow external parties (e.g. supervisory authorities) to understand the content and the risks of the processing”); the type of personal information being processed (specifically, in cases of special personal information, the contract should “at least specify what types of data are concerned, for example, ‘information regarding health records’”); and the specific categories of data subjects (for example, employees).
From a practical perspective, it often makes sense to address the above-mentioned requirements in annexures to the relevant data-processing or privacy agreement.