This POPIA Compliance Agreement (“Agreement”) is entered into between Coast IT (“Service Provider”) and you (the “Client”) to ensure compliance with the Protection of Personal Information Act, 2013 (“POPIA”). By engaging Coast IT for services, you agree to be bound by the terms of this Agreement.
1. Purpose
The purpose of this Agreement is to outline the responsibilities of both parties in relation to the processing of personal information in compliance with POPIA and to safeguard the rights of individuals regarding their personal data.
2. Definitions
- Personal Information: Refers to information about an identifiable individual, including but not limited to names, contact details, identification numbers, and any other information that may identify a person.
- Processing: Refers to any operation or activity performed on personal information, including collection, storage, retrieval, use, disclosure, and destruction.
3. Client Obligations
The Client agrees to comply with the following obligations:
- Data Accuracy: The Client shall ensure that any personal information provided to Coast IT is accurate, complete, and up to date.
- Legal Basis for Processing: The Client confirms that it has obtained any necessary consent or has a lawful basis for processing personal information as required by POPIA.
- Notification of Changes: The Client shall promptly notify Coast IT of any changes to the personal information provided or to the consent given by data subjects.
4. Service Provider Obligations
Coast IT agrees to adhere to the following obligations in relation to the processing of personal information:
- Compliance with POPIA: Coast IT shall comply with all provisions of POPIA, ensuring that all personal information is processed lawfully, transparently, and fairly.
- Limitation of Purpose: Coast IT will only process personal information for the purposes agreed upon in the service agreement and in accordance with the Client’s instructions.
- Data Security: Coast IT will implement appropriate technical and organizational measures to protect personal information against unauthorized access, loss, destruction, or damage.
5. Data Processing and Transfers
- Processing by Third Parties: Coast IT may engage third-party service providers for processing personal information on its behalf. In such cases, Coast IT shall ensure that appropriate data protection agreements are in place with these service providers.
- Cross-Border Transfers: Coast IT shall not transfer personal information to a third party in a foreign country unless it complies with the conditions for cross-border data transfers as set out in POPIA.
6. Data Subject Rights
The Client acknowledges that individuals whose personal information is processed have certain rights under POPIA, including the right to:
- Access their personal information.
- Request the correction or deletion of inaccurate or incomplete personal information.
- Object to the processing of their personal information.
The Client is responsible for facilitating the exercise of these rights upon request by data subjects.
7. Breach Notification
In the event of a personal information breach, Coast IT will notify the Client promptly, detailing the nature of the breach, the personal information involved, and any steps taken to mitigate the breach. The Client will be responsible for notifying affected data subjects in compliance with POPIA.
8. Data Retention
Coast IT will retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Upon expiration of the retention period, personal information will be securely deleted or anonymized.
9. Confidentiality
Both parties agree to maintain the confidentiality of personal information and to refrain from disclosing it to any unauthorized third parties without the express consent of the data subjects, unless required by law.
10. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of South Africa.
11. Amendments
Coast IT reserves the right to amend this POPIA Compliance Agreement at any time. Clients will be notified of any significant changes.
12. Entire Agreement
This Agreement constitutes the entire agreement between the parties regarding the processing of personal information under POPIA and supersedes all prior agreements and understandings, whether written or oral.
