This Data Processing Agreement (the “DPA”) forms part of Cloudfusion’s Terms and Conditions and is incorporated into these by reference.
This document defines the duties of the Operator (Cloudfusion) in terms of the processing of personal information under the rights of the Responsible Party (the Client) in compliance with the Protection of Personal Information Act, No.4 of 2013.
This Data Processing Agreement becomes effective when you register for our services. Cloudfusion acts as the Operator for your personal information or personal information for which you are responsible and you are the Responsible Party for the personal information which we process on your behalf.
“Applicable Law” means the Protection of Personal Information Act of 2013;
“Agreement” means this agreement including any annexes attached hereto from time to time;
“Data Subject” means a natural person or a juristic person to whom personal information relates;
“Operator” means a natural person or a juristic person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
“Regulator or Information Regulator” means the Information Regulator established in terms of section 39 of the Act;
“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
“Special Personal Information” means:
(i) The alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
“Security safeguards” means the security safeguards as defined in Sections 19, 20 and 21 of the Act;
“Sub-operator” means the authorised sub-contractor working on behalf of the Operator;
“Effective Date” means the date on which the Client registers for Cloudfusion services;
“The Act” means the Protection of Personal Information Act, No.4 of 2013 and any regulations, as well as codes of practice established by regulatory authorities.
3.1. Application. This Data Protection Agreement applies when Cloudfusion processes your personal information subject to the applicable Data Protection Law.
3.2. Acceptance. By using our products and services you are deemed to have read, understood, accepted, and agreed to be bound by all of the terms of the respective agreements. You also accept this Data Protection Agreement when you register for use of our services on our website.
The Operator agrees to:
4.1 Comply with the security measures as referred to in Section 19 of the Act, namely:
4.1.1 Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
4.1.2 Establish and maintain appropriate safeguards against the risks identified;
4.1.3 Regularly verify that the safeguards are effectively implemented; and
4.1.4 Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
4.2 Process Personal Information only with the knowledge or authorisation of the Responsible Party.
4.3 Treat Personal Information which comes to its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of its duties.
4.4 Notify the Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.
4.5 Allow the Responsible Party to fulfill its duties as stated in Sections 19 to 21 of the Act.
4.6 Only use and disclose the Personal Information in accordance with the Responsible Party’s instructions.
4.7 Take reasonable and appropriate, organizational and technical security measures to protect the Personal Information supplied by the Responsible Party.
4.8 Permit the Responsible Party to audit the Operator’s compliance with the provisions of Sections 19 to 21 of the Act.
4.9 Comply with the reasonable requests of the Responsible Party which relate to requests for access to any Personal Information following receipt of a valid and approved request from a Data Subject.
4.10. The Operator is not permitted to sub-contract the Processing of Personal Information supplied by the Responsible Party without the prior written consent of the Responsible Party. If consent is granted, the Operator shall ensure that the sub-contractor (sub-operator) complies with the requirements of Sections 19 to 21 of the Act. The Operator indemnifies and holds the Responsible Party harmless in respect of any liability, damages, fines, costs, expenses of any nature whatsoever suffered and that may arise as a result of the Operator’s failure to comply with the provisions of the Act or this Agreement.
4.11. The Operator also agrees to co-operate with any action required to fulfill the demands of the Information Regulator, whether directly by the Information Regulator or indirectly by the Responsible Party.
The Responsible Party is entitled, at any time during the term of this Agreement, to perform an audit of the Operator’s compliance with Sections 19 to 21 of the Act. The audit is to be conducted by the Responsible Party or its authorized agent and may include, but is not limited to:
• Ensuring that the Operator makes appropriate security checks on its employees, agents or representatives;
• Ensuring that the Operator transfers Personal Information securely;
• Ensuring that the Operator reports any security breach or other problem to the Responsible Party immediately;
• In any other way fulfilling the duties of the Responsible Party as outlined in Section 21 of the Act.
• It is the duty of the Responsible Party to monitor any changes to the Act and associated regulations and to ensure ongoing compliance with the Act. This may require amendment of this Agreement from time to time.
Termination of Responsible Party and Operator agreement in terms of processing of personal information
• Where the Operator is found by the Regulator to have not fulfilled its obligations in terms of compliance with the Act, the Responsible Party has the right to cancel the agreement with the Operator with immediate effect;
• Whether for fault or any other termination reason, the Operator must return or effectively destroy all personal information processed on behalf of the Responsible Party without delay, unless you are required to retain such records in terms of other legislation or regulations.