POPIA Compliance tip #1: Identifying the three main parties under POPIA
Authors: Natasha Jansen – Consultant
POPIA identifies three main parties:
The Data Subject: the person to whom the personal information belongs or whom it is about. Under POPIA, a Data Subject can be a natural person (i.e. an individual) or a juristic person (i.e. a legal entity such as a company), so measures need to be put in place to protect the personal information of both individuals and legal entities.
The Responsible Party: a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
The Operator: a party that processes personal information on behalf of the Responsible Party under a contract or mandate.
The Responsible Party always remains responsible and liable for the personal information that is processed by an Operator (the condition of Accountability). The Responsible Party is therefore always accountable for that personal information even when it is not processing the personal information itself.
In practical terms, an Operator is any third party who collects, processes, stores or manages personal information on the Responsible Party’s behalf or has access to personal information that the Responsible Party processes. POPIA sets out a number of requirements that Operators and Responsible Parties alike must comply with when an Operator is contracted to process personal information on behalf of a Responsible Party.
One of these requirements is that the Responsible Party and Operator conclude a written agreement, to ensure that the Operator establishes and maintains security measures in compliance with POPIA while processing personal information on behalf of the Responsible Party.
Contact our Data Privacy & POPIA team for assistance with identifying whether your business processes personal information as a Responsible Party and/or an Operator and for further guidance on the obligations that POPIA places on Responsible Parties and Operators. We can also assist with drafting data processing agreements to be put in place between the Responsible Party and Operator, as required by POPIA.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in downtown Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys, is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com