
Controller Processor Agreement Template for South Africa


What is a Controller Processor Agreement?

This Controller Processor Agreement is essential for organizations engaging in data processing activities within or from South Africa. It is required under the Protection of Personal Information Act (POPIA) whenever a Responsible Party (Controller) engages an Operator (Processor) to process personal information on their behalf. The agreement establishes clear responsibilities, compliance obligations, and operational requirements for both parties, covering aspects such as data security, breach notification, sub-processing, and data subject rights. It is particularly crucial for demonstrating compliance with POPIA's requirements and ensuring proper governance of data processing relationships. The document should be customized based on the specific processing activities, security requirements, and operational context while maintaining compliance with South African data protection law.

Frequently Asked Questions

Is a Controller Processor Agreement legally required under POPIA in South Africa?

Yes. Section 21 of POPIA requires a responsible party (controller) to have a written contract with any operator (processor) that processes personal information on its behalf, and to use that contract to ensure the operator establishes and maintains the security measures required by Section 19. Section 21(2) also obliges the operator to notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. POPIA does not prescribe the remaining contents of the contract, but a well-drafted agreement should also record the subject matter, duration, nature and purpose of the processing so that the operator's mandate is unambiguous. Engaging an operator without such a contract exposes the responsible party to enforcement action by the Information Regulator.

Can I be fined by the Information Regulator if my Controller Processor Agreement is missing or incomplete?

Yes. A missing or inadequate operator contract is a breach of Section 21 and a failure to implement the safeguards POPIA requires. The Information Regulator can issue an enforcement notice requiring the responsible party to remedy the breach; failure to comply with an enforcement notice is an offence that carries a fine or imprisonment of up to 10 years, and the Regulator may alternatively impose an administrative fine of up to R10 million. POPIA contains no turnover-based fine; figures such as "10% of annual turnover" come from the EU GDPR, not South African law.

How does a Controller Processor Agreement differ from a standard service agreement in South Africa?

A Controller Processor Agreement specifically addresses POPIA obligations that a standard service agreement does not cover. It should contain clauses on security measures, notification of security compromises, handling of data subject rights requests, transfers outside South Africa, sub-processing, and return or deletion of personal information on termination. A standard service agreement focuses on commercial terms (scope, fees, service levels) and typically lacks these data protection safeguards and compliance mechanisms, which is why a separate agreement or a dedicated data protection schedule is needed.

How long does it typically take to finalise a Controller Processor Agreement in South Africa?

Drafting and negotiating a compliant Controller Processor Agreement typically takes 2-4 weeks, depending on the complexity of data processing activities and parties' responsiveness. Simple agreements for standard services may be completed faster, while complex arrangements involving sensitive personal information or cross-border transfers require more detailed negotiations. Legal review and POPIA compliance verification add additional time to ensure all statutory requirements are met.

Must my Controller Processor Agreement include specific security measures required by POPIA?

Yes. Section 19 requires the responsible party to secure the integrity and confidentiality of personal information with appropriate, reasonable technical and organisational measures, and Section 21 requires the written contract with the operator to ensure the operator establishes and maintains those same measures. Section 19(2) describes the cycle the measures must follow: identify all reasonably foreseeable internal and external risks, establish and maintain appropriate safeguards against them, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or deficiencies, with due regard to generally accepted information security practices and procedures. The agreement should therefore record concrete controls (for example access controls, encryption and staff training), incident handling and notification procedures, and a right to assess the operator's security on an ongoing basis, all proportionate to the sensitivity of the personal information being processed.

Common mistakes companies make when drafting Controller Processor agreements under POPIA?

The most common mistakes include failing to specify the categories of personal information and data subjects involved, omitting the operator's duty under Section 21(2) to notify the responsible party immediately of a suspected security compromise (POPIA sets no 72-hour window; that figure comes from the GDPR), and leaving out procedures for handling data subject rights requests. Many agreements also lack safeguards for transfers outside South Africa, do not address sub-processor arrangements, or fail to specify retention and deletion requirements. Each of these omissions weakens the responsible party's ability to demonstrate POPIA compliance and invites regulatory scrutiny.

Can foreign companies use Controller Processor Agreements when processing South African personal information?

Yes, but the agreement must meet POPIA's requirements regardless of where the operator is located. Where personal information will be transferred outside South Africa, Section 72 permits the transfer only on specified grounds, for example where the recipient is subject to a law, binding corporate rules or a binding agreement that provides substantially similar protection to POPIA (including restrictions on onward transfer), where the data subject consents, or where the transfer is necessary for the performance of a contract with the data subject. The agreement should record which Section 72 ground is relied on and bind the operator to it. Note also that POPIA applies to a responsible party that is not domiciled in South Africa where it uses automated or non-automated means in the Republic to process personal information (Section 3(1)(b)), so a foreign controller cannot avoid these obligations simply by contracting from abroad.

Reviewed by Swetha, Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by Imad, Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

South Africa

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Controller Processor Agreement

A Controller Processor Agreement is a legally binding contract that governs the relationship between a data controller (responsible party) and data processor (operator) under South African law. This agreement is mandatory under the Protection of Personal Information Act (POPIA) and establishes clear responsibilities for protecting personal information during processing activities.

When do you need this document?

You need this agreement whenever your organization engages a third-party service provider to process personal information on your behalf. This includes situations such as hiring cloud storage providers, payroll processing companies, marketing agencies handling customer data, or IT support services with access to employee information. The agreement is also required when outsourcing functions like customer service, data analytics, or any other activities involving the handling of personal information. Under POPIA, you cannot lawfully engage an operator without a written agreement that meets specific legal requirements.

Key legal considerations

The agreement must clearly define the scope and purpose of processing, ensuring that the operator only processes personal information as instructed by the responsible party. Key provisions include data security measures, breach notification procedures, restrictions on sub-processing, and requirements for returning or destroying data upon termination. The agreement should specify technical and organisational measures for protecting personal information, including access controls, encryption requirements, and staff training obligations. It must also address data subject rights, ensuring that individuals can exercise their rights under POPIA through appropriate mechanisms. Liability allocation between the parties is crucial, particularly regarding potential penalties from the Information Regulator. Outsourcing does not transfer accountability: under Section 8 the responsible party remains responsible for ensuring that the conditions for lawful processing are met, even where an operator performs the processing, so indemnities and audit rights should reflect that residual exposure.

Legal requirements in South Africa

Under POPIA the core requirement is Section 21, read with Section 19: the responsible party must, through a written contract, ensure that the operator establishes and maintains appropriate, reasonable technical and organisational measures to secure the personal information, and the operator must notify the responsible party immediately of any suspected unauthorised access to or acquisition of that information. Section 20 further requires the operator, and anyone acting under the operator's authority, to process personal information only with the knowledge or authorisation of the responsible party and to treat it as confidential. The agreement should accordingly prohibit processing for any purpose other than those specified, require written authorisation before sub-processors are engaged, and address any transfer outside South Africa under Section 72 so that an adequate level of protection or an appropriate safeguard is in place. It should also set out how the parties will cooperate with the Information Regulator during an investigation and respond to data subject access requests under Section 23, and include audit rights and termination provisions so the responsible party can verify compliance over time and exit the arrangement cleanly as regulatory guidance evolves.

GOVERNING LAW

Applicable law

This Controller Processor Agreement is drafted to comply with South African law. Key legislation includes:






Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected with 256-bit encryption

Our information security management system is ISO 27001 certified

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it