data processing agreement

This Data Processing Agreement (the “DPA”) forms part of Cloudfusion’s Terms and Conditions and is incorporated into these by reference.  

1. Introduction

This document defines the duties of the Operator (Cloudfusion) in terms of the processing of personal information under the rights of the Responsible Party (the Client) in compliance with the Protection of Personal Information Act, No.4 of 2013.

This Data Processing Agreement becomes effective when you register for our services. Cloudfusion acts as the Operator for your personal information or personal information for which you are responsible and you are the Responsible Party for the personal information which we process on your behalf.      

2. Definitions and Interpretations

“Applicable Law” means the Protection of Personal Information act of 2013;

“Agreement” means this agreement including any annexes attached hereto from time to time;

“Data Subject” means natural person or a juristic person to whom personal information relates;

“Operator” means a natural person or a juristic person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. Information relating to the education or the medical, financial, criminal or employment history of the person;
  3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. The biometric information of the person;
  5. The personal opinions, views or preferences of the person;
  6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. The views or opinions of another individual about the person; and
  8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  1. The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  2. Dissemination by means of transmission, distribution or making available in any other form; or
  3. Merging, linking, as well as restriction, degradation, erasure or destruction of information

“Regulator or Information Regulator” means the Information Regulator established in terms of section 39 of the Act

“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

“Special Personal Information” means:

  1. The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
  2. The criminal behaviour of a data subject to the extent that such information relates to:

(i) The alleged commission by a data subject of any offence; or

(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

“Security safeguards” As defined in Section 19, 20 and 21 of the Act

“Sub-operator” means the authorised sub-contractor working on behalf of the Operator

“Effective Date” means the date on which the Client registers for Cloudfusion services

“The Act” means the Protection of Personal Information Act, No.4 of 2013 and any regulations, as well as codes of practice established by regulatory authorities.

3. Application and Acceptance

3.1. Application. This Data Protection Agreement applies when Cloudfusion processes your personal information subject to the applicable Data Protection Law.

3.2. Acceptance. By using our products and services you are deemed to have read, understood, accepted, and agreed to be bound by all of the terms of the respective agreements. You also accept this Data Protection Agreement when you register for use of our services on our website.

4. Duties of the Operator

The Operator agrees to:

4.1 Comply with the security measures as referred to in Section 19 of the Act, namely:

4.1.1 Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

4.1.2 Establish and maintain appropriate safeguards against the risks identified;

4.1.3 Regularly verify that the safeguards are effectively implemented; and

4.1.4 Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

4.2 Process Personal Information only with the knowledge or authorisation of the Responsible Party.

4.3 Treat Personal Information which comes to its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of its duties.

4.4 Notify the Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

4.5 Allow the Responsible Party to fulfill its duties as stated in Sections 19 to 21 of the Act.

4.6 Only use and disclose the Personal Information in accordance with the Responsible Party’s instructions.

4.7 Take reasonable and appropriate, organizational and technical security measures to protect the Personal Information supplied by the Responsible Party.

4.8 Permit the Responsible Party to audit the Operator’s compliance with the provisions of Sections 19 to 21 of the Act.

4.9 Comply with the reasonable requests of the Responsible Party which relate to requests for access to any Personal Information following receipt of a valid and approved request from a Data Subject.

4.10. The Operator is not permitted to sub-contract the Processing of Personal Information supplied by the Responsible Party without the prior written consent of the Responsible Party. If consent is granted, the Operator shall ensure that the sub-contractor (sub-operator) complies with the requirements of Sections 19 to 21 of the Act. The Operator indemnifies and holds the Responsible Party harmless in respect of any liability, damages, fines, costs, expenses of any nature whatsoever suffered and that may arise as a result of the Operator’s failure to comply with the provisions of the Act or this Agreement.

4.11. The Operator also agrees to co-operate with any action required to fulfill the demands of the Information Regulator, whether directly by the Information Regulator or indirectly by the Responsible Party.

5. Rights of the Responsible Party

The Responsible Party is entitled to, at any time during the term of this Agreement, perform an audit of the compliance of the Operator with Sections 19 to 21 of the Act, to be conducted by the Responsible Party or its authorized agent and may include but is not limited to:

• Ensuring that the Operator makes appropriate security checks on its employees, agents or representatives;

• Ensuring that the Operator transfers Personal Information securely;

• Ensuring that the Operator reports any security breach or other problem to the Responsible Party immediately;

• In any other way fulfilling the duties of the Responsible Party as outlined in Section 21 of the Act.

6. Variation of contract terms

• It is the duty of the Responsible Party to monitor any changes to the Act and associated regulations and to ensure ongoing compliance with the Act. This may require amendment from time to time of this agreement

7. Termination

Termination of Responsible Party and Operator agreement in terms of processing of personal information

• Where the Operator is found by the Regulator to have not fulfilled its obligations in terms of compliance with the Act, the Responsible Party has the right to cancel the agreement with the Operator with immediate effect;

• Whether for fault or any other termination reason, the Operator must return or effectively destroy all personal information processed on behalf of the Responsible Party without delay, unless you are required to retain such records in terms of other legislation or regulations.

Close Cookie Preference Manager
Cookie Settings
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. More info
Strictly Necessary (Always Active)
Cookies required to enable basic website functionality.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.