ASSESSMENT OF SUFFICIENCY
For each processing operation in scope, where the responsible party uses a operator, the responsible party has assessed that the operator is providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements and ensure the protection of the rights of the data subject.
For each processing operation in scope, where the responsible party uses an operator, it has a contract in place that fulfills the following requirements for the operator:
- the operator processes personal information only on the documented instructions from the responsible party, including with regard to transfers of personal information to a third country or an international organisation, unless required to do so by law to which the operator is subject; in such a case, the operator shall inform the responsble party of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest
- ensures that persons authorised to process the personal information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- takes all measures required to ensure secure processing
- does not engage another operator without prior specific or general written authorisation of the responsible party. In the case of general written authorisation, the operator shall inform the entity of any intended changes concerning the addition or replacement of other operators, thereby giving the entity the opportunity to object to such changes. Where an operator engages another operator for carrying out specific processing activities on behalf of the responsible party, the same information protection obligations as set out in the contract or other legal act between the responsible party and the operator as shall be imposed on that other operator by way of a contract or other legal act under law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of POPIA.
- taking into account the nature of the processing, assists the responsible party by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the responsible party’s obligation to respond to requests for exercising the data subject's rights
- assists the responsible party in ensuring compliance with its obligations taking into account the nature of processing and the information available to the operator
- at the choice of the entity, deletes or returns all the personal data to the responsible party after the end of the provision of services relating to processing, and deletes existing copies unless a law requires retention of the personal information
- makes available to the responsible party all information necessary to demonstrate compliance with the obligations and allows for and contribute to audits, including inspections, conducted by the responsible party or another auditor mandated by the responsible party.