The importance of having data processing agreements in place when engaging with third parties

18 Jan 2023
Now that some of the hype and uncertainty around the Protection of Personal Information Act (POPIA) has settled, and data privacy and protection have become an integral part of our personal and professional lives, we can take some time to reflect on some of the aspects of data privacy legislation that organisations must address to be compliant. No organisation operates in isolation, and organisations generally require some assistance or services from third parties in their day-to-day operations.
It is important for organisations to have a written arrangement in place, setting out the roles and responsibilities of the parties when engaging with third parties. This is even more important where the third party (acting as an operator or sub-processor under POPIA) may or will be processing personal information on behalf of the organisation (acting as a responsible party under POPIA), in which event the parties must enter into a data processing agreement (DPA), as prescribed by various data protection laws, including POPIA.
The DPA should, among other aspects, set out (i) the purpose of the DPA, (ii) the nature of the relationship (e.g. responsible party to operator, or responsible party to responsible party), (iii) the grounds for processing the personal information, making it clear that the third party is only to process such personal information as provided for in the DPA, or as otherwise instructed by the organisation, (iv) the technical and organisational measures taken by the third party to secure the integrity and confidentiality of the personal information it will be processing, (v) that the third party will ensure compliance by it and its employees, agents, etc., with the DPA and applicable data protection legislation, (vi) the processes for handling data subjects' requests and security incidents, and (vii) the prohibition on the appointment of sub-processors, and on cross-border transfers of the personal information, without prior written consent.
An organisation that concludes a DPA with a third party simply as a tick-box exercise will not necessarily be seen as having taken adequate measures to ensure that personal information processed on its behalf is protected. It is important that organisations ensure that they only use operators that can, and do, implement adequate technical and organisational measures to comply with POPIA and to protect data subject rights. It is therefore advisable for organisations to conduct third-party risk assessments before appointing a third-party service provider or executing a DPA, and to appoint only those third parties that meet or exceed the applicable requirements.
While DPAs are not mandatory for responsible party to responsible party relationships, it may be beneficial for organisations, in instances where they share personal information with each other, to conclude a DPA, setting out the purpose for processing, whether separately or jointly, and to outline the roles and responsibilities for handling and processing the personal information for each party. This will ensure transparency and accountability between the parties.
As mentioned above, the DPA and data protection generally are not simply box-ticking exercises, and all parties must ensure that (i) they are aware of the provisions of the DPA, and (ii) they, and their employees, comply with the terms thereof as well as applicable data protection legislation (whichever is stricter).
Should you have any questions regarding the above, or require any assistance with the review, negotiation and conclusion of DPAs, please feel free to contact us.
Article sourced from Eversheds Sutherland.
See also:
- Maintaining compliance with the Protection of Personal Information Act (POPIA)
- 6 tips for easy POPIA compliance
- How to report a data breach to the Information Regulator
- POPIA – Who is your information officer?