It is hereby agreed that a Third-Party Data Processing Agreement shall be entered into between:
THE SCELETIUM SOURCE
(Who shall be referred to hereafter asthe RESPONSIBLE PARTY) – and
Supplier Name
(Who shall be referred to hereafter as OPERATOR)
Together referred to as “the Parties.
1. Compliance with Laws
The Supplier shall comply with all applicable data protection and privacy laws, including the Protection of Personal Information Act, 2013 (“POPIA”), and, where relevant, the European Union General Data Protection Regulation (“GDPR”).
2. Purpose of Processing
The Supplier may only process Personal Information on documented instructions from the Company and solely for the purposes of fulfilling its obligations under this Agreement.
3. Confidentiality and Security
The Supplier shall ensure that all persons authorised to process Personal Information are subject to confidentiality obligations.
The Supplier shall implement appropriate technical and organisational measures to protect Personal Information against unauthorised access, unlawful processing, accidental loss, destruction, or damage, consistent with industry best practice.
4. Sub-Processing
The Supplier shall not subcontract or engage any sub-processor without the prior written consent of the Company. Approved sub-processors shall be bound by equivalent obligations.
5. Data Subject Rights
The Supplier shall assist the Company in complying with its obligations to respond to data subject requests under applicable law. The Supplier shall not respond directly to any such request without the Company’s written authorisation.
6. Cross-Border Transfers
The Supplier shall not transfer Personal Information outside of South Africa, or where applicable outside the EU/EEA, without the prior written consent of the Company. Any approved transfer must comply with applicable safeguards under POPIA and/or GDPR.
7. Breach Notification
The Supplier shall notify the Company of any actual or suspected breach of Personal Information within 72 hours of becoming aware of it, and shall fully cooperate with the Company in investigating, mitigating, and reporting the incident.
8. Record-Keeping
The Supplier shall maintain complete and accurate records of all Processing activities carried out on behalf of the Company and shall provide such records to the Company on request.
9. Return or Deletion of Information
Upon termination or expiry of this Agreement, or at the Company’s request, the Supplier shall promptly return or securely delete/destroy all Personal Information processed on behalf of the Company and certify that no copies have been retained, unless retention is required by law.
10. Audit Rights
The Company may, upon reasonable notice, audit the Supplier’s compliance with this Agreement. The Supplier shall provide access to relevant information, personnel, and facilities as reasonably required.
11. Liability and Indemnity
The Supplier shall be liable for, and shall indemnify the Company against, all claims, fines, damages, or costs (including legal costs) arising from its breach of this Agreement or applicable data protection laws.
12. Survival
The obligations under this Agreement relating to confidentiality, return/deletion of data, and indemnity shall survive the termination of this Agreement.
13. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Republic of South Africa. Where GDPR applies, EU law shall apply to the extent required.
