DATA PROTECTION POLICY

You, as the Disclosing Party, hereby consent to and are bound by this Data Protection Policy (“Data Protection Policy”) of is effective as of the date of consent hereto or the effective date of any main agreement incorporating the terms of this Data Protection Policy by reference (“Agreement”), whichever is earlier.


1.1 “Affiliate” means, with respect to any entity, any other entity Controlling, Controlled by or under common Control with such entity, for only so long as such Control exists;

1.2 1.3 “Control” means the direct or indirect ownership of more than 50% of the voting capital or similar right of ownership of an entity, or the legal power to direct or cause the direction of the general management and policies of that entity, whether through the ownership of voting capital, by contract or otherwise. Controlled and Controlling shall be construed accordingly;

1.4 ; 1.5 “Data Subject” means the individual to whom Personal Information relates as

2. PROCESSING OF PERSONAL INFORMATION

2.1 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Data Protection Policy.

2.2 The Recipient shall comply with Data Protection Laws and Regulations.

2.4 The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s phone number for unsolicited messages, without the express consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement.

2.5 It is expressly stated that the Recipient agrees and warrants:

2.5.1 that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act;

2.5.2 that it shall throughout the duration of the Processing process the Personal Information only on the Disclosing Party’s behalf and in accordance with the Data Protection Laws and Regulations; and

2.5.3 that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to the Personal Information, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation.

2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Data Protection Policy. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations. 

3. SCOPE OF PROCESSING

The nature and purpose of Processing of Personal Information by the Recipient is as set out in the table at the end of this Data Protection Policy.


4.1.1 access and rectify their Personal Information collected by the Recipient. On the request of the Disclosing Party, the Recipient will provide such access as is reasonably practicable and either allow the Disclosing Party to rectify such information themselves or implement any rectifications on behalf of the Disclosing Party; necessary for pursuing the legitimate interests of the Recipient or its Affiliates, unless Processing is otherwise permissible under the Data Protection Laws and Regulations or this Data Protection Policy;

4.1.3 object to the Processing of their Personal Information for the purposes of direct marketing other than as allowed by the Data Protection Laws and Regulations; and 

4.1.4 lodge a complaint with the Supervisory Authority at


5.1 Confidentiality The Recipient shall ensure that its Associated Personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements or are under general obligations of confidentiality towards the Recipient.

5.3 Limitation of Access The Recipient shall ensure that access to Personal Information is limited to those Associated Personnel of the Recipient directly involved in the fulfilling of the purpose.


6.1 Appointment of Operators

6.1.2 subject to clause 6.2 below, the Recipient or any such Affiliate may engage any third parties from time to time to process Personal Information on their behalf and in connection with the fulfilment of the purpose envisaged in Attachment 1 to this Data Protection Policy.

6.2 Approval of Operators Except as otherwise provided in this Data Protection Policy, the Recipient shall not provide any third party with access to Disclosing Party Personal Information without the prior express approval of Disclosing Party. The Recipient shall provide advance written notice to the Disclosing Party should it desire to provide a third party access to Disclosing Party’s Personal Information. Where approval has been granted by Disclosing Party in accordance with this section, the Recipient shall:

6.2.3 Provide Disclosing Party with such information regarding the Operator as Disclosing Party may reasonably require.


7.1 Security Measures Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Recipient shall implement appropriate organizational and technical measures towards a level of security, appropriate to the risk (including risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise Processed), including but not limited to: the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical and technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

7.2 Notifications Regarding Personal Information Breach

7.2.1 The Recipient will ensure that it and its Operators have in place reasonable and appropriate security incident management policies and procedures as required by the POPI Act, and shall notify Disclosing Party without undue delay (but in any event within 24 hours) where there are reasonable grounds to believe that there has been, or after becoming aware of, the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to Personal Information, transmitted, stored or otherwise Processed by the Recipient or Operators of which the Recipient becomes aware (hereinafter, a “Personal Information Breach”), as required to assist the Disclosing Party in ensuring compliance with its: documentation obligation regarding the facts relating to the Personal Information Breach, its effects, and the remedial action taken.

7.2.2 The Recipient shall make reasonable efforts to identify the cause of such Personal Information Breach and take those steps as it deems necessary and reasonable in order to remediate the cause of such a Personal Information Breach, to the extent that the remediation is within the Recipient’s reasonable control.

7.3 Records The Recipient shall maintain complete and accurate written records of the Processing it undertakes on behalf of Disclosing Party in accordance with Data Protection Laws and Regulations.

8. RETURN OF PERSONAL INFORMATION, COMMUNICATION

8.1 Return of Personal Information practices. If the Recipient or its Affiliates are required to retain a copy of the Personal Information by law, it shall retain that which is required by applicable Data Protection Laws and Regulations for not longer than is reasonably necessary.

9. COOPERATION WITH SUPERVISORY AUTHORITY

The Disclosing Party and the Recipient as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.

10. CONFLICT

and this Data Protection Policy, the terms of this Data Protection Policy will prevail to the extent of such inconsistency.

Nature and purpose of Processing

This table includes certain details of the Processing of Personal Information as required by section 18 of the POPI Act.

Nature and purpose of Processing
The Recipient and Operators will/may Process Personal Information as necessary to [INSERT PURPOSE]. Failure to provide the Personal Information may mean that the Recipient will be unable to fulfil this purpose, and as such, is mandatory

Categories of third parties
Personal Information may be shared with the following categories of third parties:
•

Types of Personal Information to be Processed in terms of this Data Protection Policy
•
• Phone number
• Address
• Credit card information
• Text, audio, video or image files
•
