{{company_name}}
{{company_address}}
Phone: {{phone}} | Email: {{email}} | Web: {{website}}
Data Protection Agreement
DATA PROTECTION AGREEMENT
This Data Protection Agreement ("Agreement") is entered into on this {{date}} by and between:
{{company_name}}, a company incorporated in {{jurisdiction}}, having its registered office at {{company_address}} ("Controller")
AND
{{processor_company_name}}, a company incorporated in {{jurisdiction}}, having its registered office at {{processor_company_address}} ("Processor")
(Each a "Party" and collectively the "Parties")
1. DEFINITIONS
1.1. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.2. "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.5. "Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including the Protection of Personal Information Act, 2013 (POPIA) in South Africa, and other similar data protection legislation in Southern Africa as applicable.
2. PURPOSE AND SCOPE
2.1. This Agreement sets out the obligations of the Parties with respect to the Processing of Personal Data by the Processor on behalf of the Controller.
2.2. The Processor shall process Personal Data only to the extent necessary to perform the services outlined in the primary agreement between the Controller and Processor, henceforth referred to as the "Main Agreement" dated {{main_agreement_date}}.
3. DETAILS OF THE DATA PROCESSING
3.1. Subject matter of the processing: The Processor will process Personal Data as required for the provision of {{description_of_services}}.
3.2. Duration of the processing: The processing will take place for the duration of the Main Agreement.
3.3. Nature and purpose of the processing: The processing involves {{nature_and_purpose_of_processing}}.
3.4. Type of Personal Data: The Personal Data to be processed includes {{types_of_personal_data_examples_e.g._names,_addresses,_contact_details,_financial_information}}.
3.5. Categories of Data Subjects: The categories of Data Subjects include {{categories_of_data_subjects_e.g._customers,_employees,_website_users}}.
4. OBLIGATIONS OF THE PROCESSOR
4.1. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.
4.2. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4.4. The Processor shall assist the Controller in ensuring compliance with the Controller's obligations to respond to requests for exercising the Data Subject's rights.
4.5. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (or equivalent provisions under applicable Data Protection Laws) taking into account the nature of processing and the information available to the Processor.
4.6. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4.7. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
5. OBLIGATIONS OF THE CONTROLLER
5.1. The Controller warrants that it has all necessary rights to provide the Personal Data to the Processor for the Processing to be carried out in accordance with this Agreement.
5.2. The Controller shall be responsible for the lawfulness of the Processing of Personal Data.
6. SUB-PROCESSING
6.1. The Processor shall not engage another processor ("Sub-processor") without the prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
6.2. Where the Processor engages a Sub-processor, the Processor shall impose on that Sub-processor the same data protection obligations as set out in this Agreement by way of a written contract.
7. DATA BREACH NOTIFICATION
7.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
8. RETURN AND DELETION OF DATA
8.1. Upon termination of the Main Agreement or at the Controller's request, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
9. LIABILITY AND INDEMNITY
9.1. Each Party shall be liable for any damage caused to a Data Subject by its Processing in infringement of this Agreement and Data Protection Laws.
9.2. The Processor shall indemnify and hold harmless the Controller from and against any claims, damages, liabilities, fines, penalties and expenses arising out of the Processor's breach of its obligations under this Agreement.
10. GOVERNING LAW AND JURISDICTION
10.1. This Agreement shall be governed by and construed in accordance with the laws of {{jurisdiction}}.
10.2. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of {{jurisdiction}}.
SIGNATURES
FOR THE CONTROLLER:
__________________________
Name: {{controller_signatory_name}}
Title: {{controller_signatory_title}}
Date: {{signature_date}}
FOR THE PROCESSOR:
__________________________
Name: {{processor_signatory_name}}
Title: {{processor_signatory_title}}
Date: {{signature_date}}