Am I an ‘operator’ or ‘responsible party’ under POPI?

It’s important to know whether you are regarded as an ‘operator’ or ‘responsible party’ under POPI. Both have certain obligations, but the responsible party has a much broader responsibility.

To determine if you are an operator, you can ask yourself whether you:

  1. process the data solely in the interest of and on behalf of another,
  2. do so only according to their instructions, but without coming under their direct authority,
  3. in terms of a written contract,
  4. would dispose of the data after the arrangement ends,
  5. are merely a service provider, and
  6. do not use the data for any of your own purposes.

If all the above are true, you are probably an operator – if not, you are a responsible party. If you are uncertain, you can book a POPI Intro hour with us to find out.

Operators have the following obligations under POPI:

Section 20: An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

Section 21: (1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures (referred to in section 19).

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
