Why do you need an Operator Agreement?
In terms of section 20 of POPIA, an Operator, or anyone processing personal information on behalf of a Responsible Party or an Operator, has a duty to treat any personal information which it processes on behalf of the organization as confidential and must not disclose it, unless required by law or in the course of the proper performance of his/her duties.
Furthermore, in terms of section 21 of POPIA, the Responsible Party must have a written agreement between itself and the Operator to ensure that the Operator establishes and maintains adequate safeguards and security measures in respect of the information which it is processing on behalf of the Responsible Party.
The Responsible Party will ultimately be held liable by the Information Regulator for a breach of POPIA by the Operator where the breach occurred within the scope of the mandate agreement between the Responsible Party and the Operator.
However, where the Operator has exceeded its mandate and breached POPIA, the Operator is seen to be acting as a Responsible Party in regard to the Personal Information, as the Operator is determining the purposes and means of processing.
A written agreement between the Responsible Party and the Operator is therefore extremely important for the Responsible Party. By including a liability clause, the Responsible Party can hold the Operator liable for any claims which the Information Regulator and/or data subjects may have against the Responsible Party as a result of a breach of POPIA by the Operator.