Operator Agreements Under POPIA: What Businesses Need to Know About Data Processing Contracts
Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.
When your business hands personal information to a third party — a payroll bureau, a cloud storage provider, a marketing agency — that third party is called an operator under the Protection of Personal Information Act (POPIA). The relationship between your business (the responsible party) and that operator is not simply a commercial matter; POPIA sets out specific obligations that govern how that relationship must be structured and documented.
Understanding these obligations is important for any South African SME that outsources tasks involving personal data.
---
What Is an Operator?
POPIA defines an operator as a person or organisation that processes personal information on behalf of a responsible party, in terms of a contract or mandate, without coming under the direct authority of the responsible party. In practical terms, if you hire an external HR platform to manage employee records, that platform is your operator.
The key distinction is that the operator acts on your instructions. Your business, as the responsible party, remains accountable for what happens to that personal information — even when it sits in someone else's systems.
---
The Written Contract Requirement
POPIA's provisions on operators require that any operator engaged to process personal information must do so only with the knowledge or authorisation of the responsible party, and must treat the information as confidential. Importantly, the Act requires that the arrangement between a responsible party and its operator be governed by a written contract or similar authorisation.
A note on section numbers: the operator framework in POPIA is set out in provisions that do not appear on our verified anchor list, so rather than risk citing a wrong number, this article describes the requirements as they appear in the Act and as interpreted in published Information Regulator guidance. You can read the full text of POPIA at justice.gov.za and review the Information Regulator's resources at inforegulator.org.za.
---
What the Contract Should Cover
Based on the structure of POPIA and the Information Regulator's published guidance, a sound operator agreement generally addresses the following areas:
1. Scope and purpose of processing: The contract should describe precisely what personal information the operator will handle and for what purpose. POPIA requires that personal information be collected and processed for a specific, explicitly defined purpose (s13). That purpose-limitation principle flows through to the operator: the operator should not be permitted to use the data for anything beyond the agreed scope.
2. Confidentiality: POPIA requires that operators treat personal information as confidential. The contract should make this obligation explicit, and the obligation should survive termination of the agreement.
3. Security measures: POPIA requires responsible parties to secure the integrity and confidentiality of personal information through reasonable, appropriate technical and organisational measures (s19). Your operator agreement should reflect this by specifying the security standards the operator is expected to maintain, how security incidents must be reported to you, and what happens in the event of a security compromise. Under s22, it is the responsible party that carries the primary obligation to notify the Information Regulator and affected data subjects of a compromise; your contract should therefore require the operator to notify you promptly so that you can meet that obligation.
4. Sub-operators: If your operator intends to engage further operators (sub-operators) to process the information, the contract should address whether this is permitted, under what conditions, and whether the same data-protection standards apply down the chain.
5. Data subject rights: Data subjects have rights under POPIA, including the right to access their personal information (s23) and to request correction or deletion of inaccurate data (s24). Your operator agreement should specify how the operator will support you in responding to such requests within the timeframes the Act contemplates.
6. Return or deletion of data: POPIA limits how long personal information may be retained (s14). The operator agreement should address what happens to the personal information at the end of the engagement (whether it is returned to the responsible party, securely deleted, or destroyed) and within what timeframe.
7. Audit rights: Best practice, consistent with the accountability principle underpinning POPIA (s8), is to include a right for the responsible party to audit or inspect the operator's data-handling practices, or to require the operator to provide evidence of compliance.
---
Why This Matters for SMEs
Many SMEs assume that once personal data is handed to a reputable third-party provider, responsibility passes with it. POPIA takes a different view. The responsible party — your business — remains accountable for ensuring that the operator processes personal information in a manner consistent with POPIA. If an operator suffers a breach or misuses data, the Information Regulator's inquiry will look at both parties, and the responsible party will need to demonstrate that the engagement was properly governed.
A well-drafted operator agreement is therefore not a bureaucratic formality. It is the documentary evidence that your business exercised reasonable oversight.
---
Reviewing Existing Contracts
Many SMEs already have contracts with service providers that touch on data, but those contracts may pre-date POPIA's commencement or may simply not address data-protection obligations in sufficient detail. It is worth reviewing any agreement under which a third party handles personal information on your behalf — whether that is a cloud accounting platform, an outsourced IT provider, a payroll bureau, or a debt-collection agency — to check whether a POPIA-compliant operator agreement is in place or needs to be added.
Khanyitas provides tools to help businesses manage their operator agreements as part of a broader compliance programme, including templated agreement structures and document tracking. You can explore these features at khanyitas.co.za.
---
A Practical Starting Point
If your business is starting from scratch, a useful first step is to list every third-party service provider that has access to personal information you hold — customer data, employee data, or supplier data. For each one, identify whether a written data-processing arrangement exists. Where there are gaps, prioritise those involving sensitive or high-volume data.
The Information Regulator has published guidance materials and a code-of-conduct framework that provide additional context. These are available at inforegulator.org.za.
---
Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including the drafting or review of any operator agreement — consult a qualified attorney.