An operator processing personal information on behalf of a responsible party or another operator, must process such information only with the knowledge or authorisation of the responsible party. The operator must ensure that the personal information being processed on behalf of a responsible party is complete, accurate, not misleading and update to date.
The responsible party must clarify in its contracts with operators, the services that the operators are engaged to provide. The transfer of personal information to the operator must be limited to what is necessary for the operator to fulfil its contractual obligations.
Operators may not further process personal information unless the purpose is compatible with the original purpose for which it was collected unless consent was obtained.
A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.
Responsible parties are required to identify all reasonable foreseeable internal and external risks, and in terms of a written contract between the responsible party and the operator, ensure that the operator establishes and maintains the measures necessary to secure the confidentiality, integrity and accuracy of personal information in its possession or under its control.
Responsible parties may not enter into contracts with operators who cannot process personal information lawfully.
Technical and Organisational Measures
The contract between the responsible party and the operator must provide details of the technical and organisational measures that the responsible party has identified necessary for the operator to establish and maintain to address the internal and external risks to the processing of personal information, as identified by the responsible party.
The contract between the parties must also indicate that the responsible party understands the conditions under which the personal data will be handled by the operator.
The responsible party must verify that the operator has fulfilled its contractual obligations to implement and maintain effective technical and organisational measures to safeguard the data subjects’ rights.
The responsible party must validate the effectiveness of the technical and organisational measures implemented.
Service Provider Capability
Data subjects have the right to expect that the operator adheres to the conditions for lawful processing of personal information and therefore operators must be transparent in all aspects of the processing of personal information.
Data subjects have the right to request the deletion and destruction of personal information when this information is not accurate, irrelevant, excessive, out of date, incomplete or obtained lawfully. Operators will be required to destroy all personal information obtained unlawfully and may be requested to provide assurance that this was done properly.
At least annually, the responsible party must verify that the operators’ processing of personal information is lawful and the technical and organisational safeguards effective.