Operators vs Responsible Parties Under POPIA: Who Bears the Liability?
If your business outsources any data processing — payroll, cloud storage, email marketing, HR software — understanding the distinction between a responsible party and an operator under the Protection of Personal Information Act (POPIA) is essential. Getting this wrong can leave either your business or your service provider exposed.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What POPIA Says About Responsible Parties and Operators
POPIA draws a clear line between two roles:
- A responsible party is the public or private body (or person) that determines *why* and *how* personal information is processed. In most SME contexts, this is your business.
- An operator is anyone who processes personal information *on behalf of* a responsible party, under that party's authority or mandate. Your payroll bureau, your CRM vendor, your cloud-hosting provider — these are typically operators.
The distinction matters enormously because the two roles carry different — but overlapping — obligations under POPIA.
---
The Responsible Party's Core Obligations
As the responsible party, your business is the accountable principal. POPIA places the foundational compliance duties on your shoulders:
- Lawful basis for processing. POPIA requires that personal information is only processed on a recognised justification — such as consent, a contractual necessity, a legal obligation, or a legitimate interest (see POPIA s11).
- Purpose limitation. Personal information may only be collected for a specific, defined, and lawful purpose (POPIA s13).
- Retention limits. Records of personal information may not be kept longer than necessary for the purpose for which they were collected (POPIA s14).
- Security safeguards. Reasonable technical and organisational measures must be in place to protect personal information (POPIA s19).
- Breach notification. If a security compromise occurs, the Information Regulator and affected data subjects must be notified (POPIA s22).
- Appointing an Information Officer. POPIA s55 sets out the duties of the Information Officer, who must be registered with the Information Regulator.
In short, the responsible party owns the compliance programme. If something goes wrong — a breach, an unlawful marketing campaign, an unjustifiable retention period — the Information Regulator's primary lens is trained on the responsible party.
---
The Operator's Obligations
Operators are not off the hook. POPIA imposes direct obligations on operators, most critically around security. POPIA requires operators to:
- Process personal information only with the knowledge or authorisation of the responsible party.
- Treat the confidentiality and security of personal information with the same rigour required of the responsible party itself — including the obligation under POPIA s19 to maintain appropriate safeguards.
- Notify the responsible party immediately if there are reasonable grounds to believe a security compromise has occurred, so the responsible party can fulfil its own breach-notification duty under POPIA s22.
Critically, an operator who acts outside the responsible party's mandate — processing data for their own purposes, sharing it without authorisation, or retaining it beyond the agreed period — can be treated as a responsible party for that unauthorised processing. The label "operator" does not provide cover for going rogue.
---
The Contract Between Responsible Party and Operator
This is where many SMEs have a significant gap. POPIA requires that where a responsible party engages an operator, the processing must be governed by a written contract (or equivalent binding legal instrument). That contract must oblige the operator to:
- Process personal information only with the responsible party's knowledge or authorisation.
- Maintain confidentiality and implement the security measures required by POPIA s19.
Without this contract, the responsible party cannot demonstrate that it exercised appropriate oversight — and the Information Regulator's guidance makes clear that outsourcing does not outsource accountability. The responsible party remains on the hook for the operator's failures if the responsible party did not take reasonable steps to ensure the operator would comply.
> A note on section numbers: Many practitioners refer to the operator-contract requirement as falling under "POPIA section 21." This article does not cite that section number directly because it does not appear in our verified reference list. The contractual requirement is well-established in the Act; for the precise provision, consult the full text of POPIA on the Information Regulator's website or seek legal advice.
---
Practical Implications for SMEs That Outsource
1. Audit your vendor relationships. List every third party that touches personal information your business holds — payroll providers, IT support companies, marketing platforms, cloud services. Each of these is almost certainly an operator.
2. Check your contracts. Do your service agreements include POPIA-compliant data processing clauses? Standard commercial contracts often do not. If a vendor's terms do not address the POPIA obligations described above, that is a gap worth closing.
3. Do not assume the operator carries the compliance risk. A common misconception is that if a vendor is breached, liability shifts to them. While an operator may face its own penalties for failing to maintain security, the responsible party — your business — remains accountable for having chosen and overseen that operator. A contractual right of recourse against the vendor does not protect you from the Information Regulator.
4. Cross-border transfers. If your operator is based outside South Africa — common with cloud services — POPIA s72 imposes additional requirements on the transfer of personal information across borders. This is a further layer to assess in your vendor due diligence.
5. Document everything. POPIA s17 requires that records of processing activities be maintained. Knowing who your operators are, what they process, and under what contractual authority is part of that record-keeping obligation.
---
Summary
| | Responsible Party | Operator |
|---|---|---|
| Who | Your business (determines purpose & means) | Your vendor / service provider |
| Primary duty | Owns the full compliance programme | Processes only as instructed; must maintain security |
| Contract required? | Must put one in place | Must operate under it |
| Breach liability | Yes — to the Information Regulator | Yes — for own failures; and may become a responsible party if acting outside mandate |
The bottom line: outsourcing data processing tasks is entirely lawful under POPIA — but it does not transfer your compliance obligations. The responsible party remains accountable. Choosing compliant operators, contracting correctly, and maintaining oversight are how your business demonstrates good faith to the Information Regulator.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including reviewing your vendor contracts or assessing your operator relationships — consult a qualified attorney. For primary source materials, visit the Information Regulator of South Africa.