This article provides a high-level overview of the role of an operator, how the position compares to the role of the “responsible party” and what organisations should practically be considering when it comes to implementing compliance measures which this role may involve.
Who is an operator?
Section 1 of POPIA defines an operator as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. In other words, an operator is a person (for example, a registered entity, such as a company, public authority, department, or a natural person), contracted by another person, the responsible party, to assist with the processing of personal information for such responsible party.
For example, an operator may be a vendor or service provider of a company who assists the company in being able to provide its customers with its goods or services and manage its business processing activities, such as an outsourced IT service provider, HR service provider, or a supplier to a distributing business.
Who is responsible in the event of a breach?
The responsible party is the “public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information”. For example, a responsible party is a company that provides goods and services to its customers (data subjects) and in order to effectively do this, it needs to make a decision on what information (which may include personal data) it may require of its customers to effectively deliver its products.
The responsible party is accountable to the Information Regulator and data subjects, and liable for ensuring that personal data is processed lawfully. The operator follows the instructions of the responsible party by virtue of a written contractual mandate which may take the form of an operator agreement (also known as a data processing agreement), which can either be concluded as a separate agreement or incorporated into an existing service level agreement.
What this means is that in the event of any breach occurring or complaint being lodged by a data subject, it is the responsible party who remains solely responsible for managing and/or reporting the incident and/or complaint, not the operator. Any right of recourse that the responsible party may have, in the case that the operator is to blame, will rest in the contract between the parties whereby their relationship, duties and any indemnifications are clearly defined.
Taking into account an organisation’s own circumstances, it may play multiple roles: in one business relationship it is the operator, and in another it is the responsible party.
Furthermore, POPIA caters for joint responsibility, where in a particular processing activity more than one person determines the means and purpose for processing the personal data, as opposed to one responsible party solely determining the means and purpose and mandating an operator to assist it with such processing on its behalf. It follows that, in the joint-responsibility scenario, these parties will be jointly liable as co-responsible parties to the Information Regulator and towards data subjects.
In the ordinary course of business an operator may wish to contract sub-operators to assist it in the performance of its mandate towards the responsible party. For example, a maintenance company, as an operator, who has signed a written agreement with a homeowners association (responsible party), may decide to sub-contract builders for the intended project work.
Therefore, the roles and responsibilities should be clearly set out and distinguished from the outset, and should define whether your organisation is indeed an operator or alternatively a joint responsible party, or perhaps a sub-operator.
What should an organisation consider regarding responsible party – operator relationships?
Ensuring you know exactly what role your organisation plays in processing activities is vital to avoid attracting penalties such as hefty fines from the Information Regulator (not to mention any other data protection authority which may be competent in the circumstances), or even reputational damage and court action for damages by persons whose privacy rights have not been considered or maintained.
If you are an operator you may be inclined not to worry about safeguarding against risks and having an operator agreement in place, since your organisation may not be responsible for accounting to the Information Regulator. However, ensuring that the terms and conditions of a business relationship are clearly defined, so as to avoid unnecessary delays, damages and potential disputes, miscommunication or litigation, makes sound business sense. It is therefore recommended that, whether you are a responsible party or an operator in a given scenario, you review all existing and/or future contractual relationships with partners and/or service providers to understand who is accountable and to ensure that any processing of personal data remains lawful.
In this regard, POPIA remains silent on what terms and conditions an operator agreement must contain other than providing that any agreement should be reduced to writing. However, in the absence of any official guidance and interpretation of POPIA’s provisions, we may be guided by the principles and interpretation of the European Union’s General Data Protection Regulation (GDPR), which in Article 28(3) outlines the minimum terms in a data processing agreement.
According to Article 28(3) of the GDPR, an operator agreement should address at least the following aspects:
– The subject matter and duration of the processing;
– The nature and purpose of processing the personal data;
– The types of personal data being processed and the categories of data subjects;
– The responsible party’s obligations and rights;
– That the processing may only take place on the documented instructions of the responsible party (i.e. duty of the operator);
– A duty of confidentiality (i.e. duty of the operator);
– The appropriate security measures that will be put in place by the operator to ensure the personal data is safeguarded;
– Regulating the possibility of using sub-operators;
– An outline of the data subjects’ rights;
– The operator’s duty to assist the responsible party in certain circumstances;
– The terms governing the termination and/or ending of the agreement and duties in relation thereto;
– The managing and regulation of audits and inspections; and
– Indemnification and limitation of liability.
POPIA, unlike the GDPR, does not explicitly require an operator (data processor) located outside South Africa to appoint a representative in South Africa, based on the scale and type of processing being conducted, where the responsible party has mandated the operator to process personal data on its behalf.
Going forward, guidance issued by the Information Regulator and interpretations of POPIA’s provisions by South African courts may bring certainty on this and other practical uncertainties that may arise in relation to the operator – responsible party relationship.
Bear in mind that an organisation’s circumstances will need to be considered and applied to POPIA’s conditions and any other applicable data protection law, and that it may further be the case that the parties agree to supplement the operator agreement with additional terms.
This article is intended for information purposes only and is a brief exposition of the abovementioned legal position. Mention is not necessarily made of all the finer nuances as set out in the abovementioned legislation. This article should not be construed as formal legal advice. Contact VDT Attorneys at the details below for legal support and advice.