Background

The whole notion of POPIA covers Personal Information, its processing and storage while ensuring transparency of its use. For the enterprises involved in upholding these obligations, compliance requires an understanding of where you fit in the data ecosystem.

The key players are; Information Regulator, Responsible Party, Co-Responsible Party, Operator, and Data Subjects.

Role Players

Understanding these roles is crucial since the value chain is complicated. So as when there are a data breach, it’s vital to know where you fit in this framework.

Templates Forms, Policies, Guidelines – POPIA Roles & Responsibilities

FAQ

What is the main difference between a Responsible Party and a Operator? Why are those differences important, and what are the responsibilities for each role under POPIA?

There is still a bit of confusion in understanding the essential differences between the Responsible Party and the Operator. We will compare those roles in order to truly understand what your obligations are and ensure you achieve POPIA compliance.

Understanding these differences is crucial in the compliance program since it will affect your responsibilities under POPIA.

Who is a Responsible Party?

Responsible Party is a natural personlegal entity, organisation, company, agency, or any other institution that alone or jointly with other Responsible Partys define the purpose and means of Personal Information processing.

Despite the fact that POPIA describes the Responsible Party in these broad terms, twe can recognize 3 main building blocks when it comes to defining who is the Responsible Party:

  • the personal aspect (“the natural or legal person, public authority, agency or any other body”)
  • the possibility of pluralistic control (“which alone or jointly with others”)
  • the essential elements to distinguish the Responsible Party from others  (“determines the purposes and the means of the processing of Personal Information”)

Responsible Party is the one who determines the purpose and means of the processing (not the Operator). That is why the Responsible Party holds all of the responsibilities and obligations under POPIA.

Who is Operator

Operator is the legal or natural person, organisation, agency, authority, or institution which processes Personal Information on behalf of the Responsible Party.

Usually, the Operator is a third-party company chosen by the Responsible Party to process the Personal Information. Operator does not own the Personal Information, does not define the purpose of the processing or the means in which Personal Information will be used, and answers to the Responsible Party.

The existence of a Operator depends on decisions taken by the Responsible Party. The Responsible Party can decide either to process Personal Information within the organisation or to delegate processing activities to an external organisation.

Two basic conditions for qualifying as a Operator are a separate legal entity with respect to the Responsible Party and processing Personal Information on his behalf.

Co-Responsible Party

In a situation where there are two or more entities, organisations, or companies that jointly determine the purpose and means of processing, POPIA considers them to be Co-Responsible Partys.

As a Co-Responsible Party, you should determine individual responsibilities for compliance with the POPIA obligations in a transparent manner.

In particular, regarding the exercising of the rights of the data subject and the duty to provide the information referred to in section 18 of POPIA. However, each Responsible Party remains responsible for complying with all the obligations under POPIA.

What is the main difference between a Responsible Party and a Operator? Why are those differences important, and what are the responsibilities for each role under POPIA?

There is still a bit of confusion in understanding the essential differences between the Responsible Party and the Operator. We will compare those roles in order to truly understand what your obligations are and ensure you achieve POPIA compliance.

Understanding these differences is crucial in the compliance program since it will affect your responsibilities under POPIA.

Who is a Responsible Party?

Responsible Party is a natural personlegal entity, organisation, company, agency, or any other institution that alone or jointly with other Responsible Partys define the purpose and means of Personal Information processing.

Despite the fact that POPIA describes the Responsible Party in these broad terms, twe can recognize 3 main building blocks when it comes to defining who is the Responsible Party:

  • the personal aspect (“the natural or legal person, public authority, agency or any other body”)
  • the possibility of pluralistic control (“which alone or jointly with others”)
  • the essential elements to distinguish the Responsible Party from others  (“determines the purposes and the means of the processing of Personal Information”)

Responsible Party is the one who determines the purpose and means of the processing (not the Operator). That is why the Responsible Party holds all of the responsibilities and obligations under POPIA.

Who is Operator

Operator is the legal or natural person, organisation, agency, authority, or institution which processes Personal Information on behalf of the Responsible Party.

Usually, the Operator is a third-party company chosen by the Responsible Party to process the Personal Information. Operator does not own the Personal Information, does not define the purpose of the processing or the means in which Personal Information will be used, and answers to the Responsible Party.

The existence of a Operator depends on decisions taken by the Responsible Party. The Responsible Party can decide either to process Personal Information within the organisation or to delegate processing activities to an external organisation.

Two basic conditions for qualifying as a Operator are a separate legal entity with respect to the Responsible Party and processing Personal Information on his behalf.

Co-Responsible Party

In a situation where there are two or more entities, organisations, or companies that jointly determine the purpose and means of processing, POPIA considers them to be Co-Responsible Partys.

As a Co-Responsible Party, you should determine individual responsibilities for compliance with the POPIA obligations in a transparent manner.

In particular, regarding the exercising of the rights of the data subject and the duty to provide the information referred to in section 18 of POPIA. However, each Responsible Party remains responsible for complying with all the obligations under POPIA.

POPIA Section Summary of Requirements
Section 12: Information to be provided where Personal Information have not been obtained from the Personal Information subject When Personal Information has not been collected, provide Personal Information subjects with relevant details such as the purpose of processing the Personal Information, recipients of the Personal Information, and period for which the Personal Information will be stored
Section 18: Information to be provided where Personal Information are collected from the Personal Information subject When Personal Information is collected, provide Data Subjects with relevant details such as the purpose of processing the Personal Information, recipients of the Personal Information, and period for which the Personal Information will be stored
Section 19: Security measures on integrity and confidentiality of personal information Conduct assessments, and implement appropriate safeguards
Section 22: Notification of security compromises Document any Personal Information breaches
Section 26 – 32: Processing of special categories of Personal Information Prohibit the processing of certain classes of Personal Information (e.g. genetic/ biometric details), unless under certain conditions (e.g. the Personal Information subject has provided explicit consent to process the given Personal Information)
Section 71: Automated individual decision-making, including profiling Implement measures to safeguard the Personal Information subject’s rights to contest decisions that were based on automated Personal Information processing, including profiling
Section 72: Transborder Information Flow: Ensure that Responsible Party do have a legaljustification to transfer.