
DATA PROCESSING AGREEMENT

 

ENTERED INTO BETWEEN:

Global Road Binders, a Private Company incorporated in terms of the laws of South Africa, having its registered office and principal place of business in Vanderbijlpark at 28 Fairbanks Street NW7, (hereinafter to be referred to as: the “Responsible Party”),

 

AND

 

DS Accounting Services, a Sole Proprietorship trading in terms of the laws of South Africa, having its registered and principal place of business in Vanderbijlpark at 5 Woltemader Street (hereinafter to be referred to as: the “Operator”).

 

HEREBY AGREE AS FOLLOWS:

 

1. Definitions:

 

“Data subject”: means the person to whom personal information relates.

“Information officer”: of, or in relation to, a –

  1. Public body, means an information officer or deputy information officer as contemplated in terms of Section 1 or 17 of the Promotion of Access to Information Act; or

  2. Private body, means the head of a private body as contemplated in Section 1 of the Promotion of Access to Information Act.

“Operator”: means a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.

“Personal information”: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –

  1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

  2. Information relating to the education or the medical, financial, criminal or employment history of the person;

  3. Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;

  4. The biometric information of the person;

  5. The personal opinions, views or preferences of the person;

  6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;

  7. The views or opinions of another individual about the person; and

  8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

“Processing”: means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

  1. The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

  2. Dissemination by means of transmission, distribution or making available in any other form; or

  3. Merging, linking, as well as restriction, degradation, erasure or destruction of information.

“Promotion of Access to Information Act”: means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).

“Protection of Personal Information Act”: means the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).

“Pseudonymisation”: means the processing of personal information in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that it is not attributed to an identified or identifiable data subject.

“Responsible Party”: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.


2. Subject matter of this Data Processing Agreement

 

2.1. This Data Processing Agreement applies to the processing of personal information subject to the Protection of Personal Information Act (hereinafter referred to as POPIA) within the scope of the Payroll Service Agreement entered into on [date] between the parties.

 

2.2. Insofar as the Operator will be processing personal information subject to POPIA on behalf of the Responsible Party during the performance of the Payroll Service Agreement with the Responsible Party, the terms of this Data Processing Agreement shall apply. In the event of a conflict between any provisions of the Payroll Service Agreement and the provisions of this Data Processing Agreement, the provisions of this Data Processing Agreement shall govern and control. An overview of the categories of personal information, the categories of Data Subjects, and the nature and purposes for which the personal information is being processed is provided in Annexure 2.

 

3. The Responsible Party and the Operator

 

3.1. Subject to the provisions of the Payroll Service Agreement, to the extent that the Operator’s personal information processing activities are not adequately described in the Payroll Service Agreement, the Responsible Party will determine the scope, purposes, and manner by which the personal information may be accessed or processed by the Operator. The Operator will process the personal information only as set forth in the Responsible Party’s written instructions and no personal information will be processed unless explicitly instructed by the Responsible Party.

 

3.2. The Operator will only process the personal information on documented instructions of the Responsible Party, and only to the extent that this is required for the provision of the services. Should the Operator reasonably believe that a specific processing activity, beyond the scope of the Responsible Party’s instructions, is required to comply with a legal obligation to which the Operator is subject, the Operator shall inform the Responsible Party of that legal obligation and seek explicit authorisation from the Responsible Party before undertaking such processing. The Operator shall never process personal information in a manner inconsistent with the Responsible Party’s documented instructions.

 

3.3. The parties have entered into a Payroll Service Agreement to benefit from the capabilities of the Operator in securing and processing the personal information for the purposes set out in Annexure 2. The Operator shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Responsible Party’s written instructions.

 

3.4. The Responsible Party warrants that it has all necessary rights to provide the personal information to the Operator for the processing to be performed in relation to the services, and that one or more justification grounds set forth in POPIA support the lawfulness of the processing. To the extent required by POPIA, the Responsible Party is responsible for ensuring that all necessary privacy notices are provided to Data Subjects and, unless another justification ground set forth in POPIA supports the lawfulness of the processing, that any necessary Data Subject consent to the processing is obtained and that a record of such consent is maintained. Should such consent be revoked by a Data Subject, the Responsible Party is responsible for communicating the fact of such revocation to the Operator, and the Operator remains responsible for implementing the Responsible Party’s instruction with respect to the processing of that personal information.

 

4. Confidentiality

 

4.1. Without prejudice to any existing contractual arrangements between the parties, the Operator shall treat all personal information as confidential and shall inform all its employees, agents and/or approved sub-Operators engaged in processing the personal information of the confidential nature of the personal information. The Operator shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound by a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.


5. Security

 

5.1. Considering the industry norm, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Responsible Party and Operator shall implement appropriate, reasonable technical and organisational measures to ensure a level of security of the processing of personal information appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the parties in Annexure 3.

 

5.2. Both the Responsible Party and the Operator shall maintain written security policies that are fully implemented and applicable to the processing of personal information. At a minimum, such policies shall provide for:

  • The assignment of internal responsibility for information security management;

  • The allocation of adequate personnel resources to information security;

  • Verification checks on permanent staff who will have access to the personal information;

  • Written confidentiality agreements for employees, vendors and others with access to the personal information; and

  • Training to make employees and others with access to the personal information aware of the information security risks presented by the Processing.

 

5.3. The Operator’s adherence to either an approved code of conduct or to an approved, recognised security certification standard may be used as an element by which the Operator demonstrates compliance with the requirements set out in this clause 5, provided that the requirements contained in Annexure 3 are also addressed by such code of conduct or recognised security certification standard.


6. Improvements to Security

6.1. The parties acknowledge that security requirements change constantly and that effective security requires regular evaluation of the measures in place and timely improvement of those that have become outdated. The Operator will therefore evaluate the measures as implemented on an ongoing basis in order to maintain compliance with the requirements set out in POPIA.

 

6.2. Where an amendment to the Payroll Service Agreement is necessary to execute a Responsible Party’s instruction to the Operator to improve security measures as may be required by changes in terms of the POPIA from time to time, the parties shall negotiate an amendment to the Payroll Service Agreement in good faith.


7. Information Transfers

7.1. The Operator shall promptly notify the Responsible Party of any planned permanent or temporary transfer of personal information to a third country without an adequate level of protection, and shall only perform such a transfer after obtaining authorisation from the Responsible Party, which may be refused at the Responsible Party’s sole discretion. Annexure 4 provides a list of transfers for which the Responsible Party grants its authorisation upon the conclusion of this Data Processing Agreement.


8. Information Obligations and Incident Management

8.1. When the Operator becomes aware of an incident that has a material impact on the processing of the personal information that is the subject of the Payroll Service Agreement, it shall promptly notify the Responsible Party of the incident, shall at all times cooperate with the Responsible Party, and shall follow the Responsible Party’s instructions with regard to such incident, in order to enable the Responsible Party to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

 

8.2. The term “incident” used in paragraph 8.1 shall be understood to mean in any case:

(a) a complaint or a request with respect to the exercise of a Data Subject’s rights in terms of POPIA;

(b) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the personal information;

(c) any breach of the security and/or confidentiality as set out in this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal information, or any indication of such breach having taken place or being about to take place;

(d) where, in the opinion of the Operator, implementing an instruction received from the Responsible Party would violate applicable laws to which the Responsible Party or the Operator are subject.

 

8.3. The Operator shall always have in place written procedures which enable it to promptly respond to the Responsible Party about an incident. Where the incident is reasonably likely to require a data breach notification by the Responsible Party in terms of the POPIA, the Operator shall implement its written procedures in such a way that it is in a position to notify the Responsible Party without undue delay after the Operator becomes aware of such an incident.

 

8.4. Any notifications made to the Responsible Party shall be addressed to the employee of the Responsible Party whose contact details are provided in Annexure 1 of this Data Processing Agreement and, to assist the Responsible Party in fulfilling its obligations in terms of the POPIA, should contain:

 

(a) a description of the nature of the incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal information records concerned;

(b) the name and contact details of the Operator’s Information Officer or another contact point where more information can be obtained;

(c) a description of the possible consequences of the incident;

(d) a description of the measures taken or proposed to be taken by the Operator to address the incident including, where appropriate, measures to mitigate its possible adverse effects; and

(e) if known, the identity of the unauthorised person who may have accessed or acquired the personal information.


9. Contracting with Sub-Operators

9.1. The Operator shall not subcontract any of its service-related activities consisting (partly) of the processing of the personal information or requiring personal information to be processed by any third party without the prior written authorisation of the Responsible Party.

 

9.2. The Responsible Party authorises the Operator to engage the sub-Operators listed in Annexure 4 for the service-related personal information processing activities described in Annexure 2. The Operator shall inform the Responsible Party of any addition or replacement of such sub-Operators, giving the Responsible Party an opportunity to object to such changes. If the Responsible Party timely sends the Operator a written objection notice setting forth a reasonable basis for the objection, the parties will make a good-faith effort to resolve the Responsible Party’s objection. In the absence of a resolution, the Operator will make commercially reasonable efforts to provide the Responsible Party with the same level of service described in the Payroll Service Agreement without using the sub-Operator to process personal information. If the Operator’s efforts are not successful within a reasonable time, either party may terminate the portion of the service which cannot be provided without the sub-Operator, and the Responsible Party will be entitled to a pro-rated refund of the applicable service fees.

 

9.3. Notwithstanding any authorisation by the Responsible Party within the meaning of the preceding paragraph, the Operator shall remain fully liable vis-à-vis the Responsible Party for the performance of any such sub-Operator, should that sub-Operator fail to fulfil its information protection obligations.

 

9.4. The Operator shall ensure that each sub-Operator is bound by data protection obligations compatible with those of the Operator under this Data Processing Agreement, shall supervise the sub-Operator’s compliance with those obligations, and must impose on its sub-Operators the obligation to implement appropriate, reasonable technical and organisational measures in such a manner that the processing will meet the requirements of POPIA.


10. Returning or Destruction of Personal Information

10.1. Upon termination of this Data Processing Agreement, upon the Responsible Party’s written request, or upon fulfilment of all purposes agreed in the context of the services whereby no further processing is required, the Operator shall, at the discretion of the Responsible Party, either delete, destroy, or return all personal information to the Responsible Party and destroy or return any existing copies.

 

10.2. The Operator shall notify all third parties supporting its own processing of the personal information of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the personal information or return the personal information to the Responsible Party, at the discretion of the Responsible Party.

 

11. Assistance to the Responsible Party

11.1. The Operator shall assist the Responsible Party by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Responsible Party’s obligation to respond to requests for exercising Data Subjects’ rights in terms of POPIA.

 

11.2. Considering the nature of the processing and the information available to the Operator, the Operator shall assist the Responsible Party in ensuring compliance with the obligations set out in clause 5 (Security), as well as other Responsible Party obligations in terms of POPIA that are relevant to the information processing described in Annexure 2, including notifications to the Information Regulator or to Data Subjects.

 

11.3. The Operator shall make available to the Responsible Party all information necessary to demonstrate compliance with the Responsible Party’s obligations and allow for and contribute to audits, including inspections, conducted by the Responsible Party.

 

12. Duration and Termination

12.1. This Data Processing Agreement shall come into effect on the effective date of the Payroll Service Agreement.

 

12.2. Termination or expiration of this Data Processing Agreement shall not discharge the Operator from its confidentiality obligations in terms of this agreement.

 

12.3. The Operator shall process personal information until the date of expiration or termination of the Payroll Service Agreement, unless instructed otherwise by the Responsible Party, or until such data is returned or destroyed on instruction of the Responsible Party.

 

13. Miscellaneous

13.1. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Payroll Service Agreement, the provisions of this Data Processing Agreement shall prevail.

 

13.2. This Data Processing Agreement is governed by the laws of South Africa. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of South Africa.

 

Signed for and on behalf of the Responsible Party:

Name:

Title:

Date:

 

Signed for and on behalf of the Operator:

Name: Driekie Stone

Title: Sole Director

Date: 27 July 2021


Annexure 1:

Contact information of the information officer of the Responsible Party

 

Name and Surname:

Contact number:

Email address:

 

[Contact information]

Contact information of the information officer of the Operator.

 

Name and Surname:

Contact number:

Email address:


Annexure 2:

Types of personal information that will be processed in the scope of the Payroll Service Agreement

Categories of Data Subjects:

Employees

Categories of personal information:

General personal information

Tax information

Time and attendance records

Payroll records

Termination details

Nature and purpose of the information processing:

Processing of the above categories of personal information for the provision of payroll services in terms of the Payroll Service Agreement.

 

Annexure 3: Security Measures

 

Operator shall:

1. Ensure that the personal information can be accessed only by authorized personnel for the purposes set forth in Annexure 2 of this Data Processing Agreement;

 

2. Take all reasonable measures to prevent unauthorised access to the personal information through the use of appropriate physical and logical access controls (including passwords), securing areas for information processing, and implementing procedures for monitoring the use of information processing facilities;

3. Build in system logging and audit trails;

 

4. Use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;

 

5. Account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of personal information;

 

6. Ensure pseudonymisation and/or encryption of personal information, where appropriate;

 

7. Maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

 

8. Maintain the ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident;

 

9. Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of personal information;

 

10. Monitor compliance on an ongoing basis;

 

11. Implement measures to identify vulnerabilities with regard to the processing of personal information in systems used to provide services to the Responsible Party;

 

12. Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.

 

Annexure 4:

Transfers to sub-Operators in third countries (that is, outside the Republic of South Africa) without an adequate level of protection, for which the Responsible Party has granted its authorisation:

 

Sub-Operator:

 

Business Name:

Registration number:

Contact number:

Email Address:

Country:
