26 July 2022

Data Processing Agreements

Submitted by SchoemanLaw Inc

By Jamie-Lee Payne 

The Protection of Personal Information Act regulates and protects the processing and dissemination of data/information in South Africa. If a business does not have a Data Processing Agreement, the Information Regulator may impose a fine for breach and/or non-compliance with the Act.1 

A Data Processing Agreement is an agreement between a data controller and a data processor. A data controller is typically an organization, whereas a third-party service provider is considered a data processor. 

Legal Framework 

To fully understand how this aspect of the law comes into play, we will use a generic example that has become prevalent globally. Let’s say an online news publisher collaborates with a third-party data processor to collect and examine data from the webpage. The data collected is deemed sensitive as it can be used to ascertain how many readers read the articles, how long they were on the webpage and which articles were the most clicked on. In turn, this information is used to make essential business decisions. Given the significance of the data, the two parties should have a Data Processing Agreement in place to control the use and management of that data. 

Data Processing Agreements are required by law; if you process personal information by obtaining, retaining or disseminating personal information, you must comply with the Act. The POPI Act requires organizations to obtain express written consent from all data subjects in the form of a written agreement.2  

The rationale behind requiring data controllers and data processors to have a Data Processing Agreement in place is derived from the very reason the European General Data Protection Regulation was put into operation; security breaches where sensitive information is involved are becoming more prevalent. In the South African context, the most recent data breach occurred at Experian Credit Bureau, whereby the personal information of approximately 26 million South Africans was stolen. Notwithstanding the above, failure to operate a POPIA compliant business can have numerous negative effects on a business; client trust will become diminished, and non-compliance can lead to a fine of up to R10 million and/or imprisonment of no more than 10 years. 


Data Processing Agreements are therefore imperative to regulate the information obtained and disseminated. The aim of POPIA is to protect this information, and it, therefore, imposes sanctions, such as fines, on responsible parties for failure to comply with the regulations as provided for in the Act.  

Contact an attorney at SchoemanLaw Inc for your legal needs. 

Jamie-Lee Payne | SchoemanLaw Inc
SchoemanLaw Inc – www.schoemanlaw.co.za 

SchoemanLaw Inc

SchoemanLaw Inc Attorneys, Conveyancers and Notaries Public is a boutique law firm offering its clients access to high quality online legal documents and agreements, together with a wide range of legal services. The firm has an innovative and entrepreneurial mindset that distinguishes it from other law firms. We apply our first-hand understanding of the challenges facing entrepreneurs (regardless of their business size) to develop proven, practical solutions incorporating legal compliance, risk aversion and business sense. We achieve this by offering clients tailored, yet holistic support comprising of legal gap analysis, the design of tailored legal solutions and the practical implementation thereof through training and automation. With your personal interests in mind, our ultimate aim is to implement measures that protect the results of your hard work as effectively as possible.