Data Processing Agreement

It is hereby agreed that a Third-Party Data Processing Agreement shall be entered into between:

THE SCELETIUM SOURCE

(Who shall be referred to hereafter asthe RESPONSIBLE PARTY) – and

Supplier Name

(Who shall be referred to hereafter as OPERATOR)

Together referred to as “the Parties.

1. Compliance with Laws

The Supplier shall comply with all applicable data protection and privacy laws, including the Protection of Personal Information Act, 2013 (“POPIA”), and, where relevant, the European Union General Data Protection Regulation (“GDPR”).

2. Purpose of Processing

The Supplier may only process Personal Information on documented instructions from the Company and solely for the purposes of fulfilling its obligations under this Agreement.

3. Confidentiality and Security

The Supplier shall ensure that all persons authorised to process Personal Information are subject to confidentiality obligations.
The Supplier shall implement appropriate technical and organisational measures to protect Personal Information against unauthorised access, unlawful processing, accidental loss, destruction, or damage, consistent with industry best practice.

4. Sub-Processing

The Supplier shall not subcontract or engage any sub-processor without the prior written consent of the Company. Approved sub-processors shall be bound by equivalent obligations.

5. Data Subject Rights

The Supplier shall assist the Company in complying with its obligations to respond to data subject requests under applicable law. The Supplier shall not respond directly to any such request without the Company’s written authorisation.

6. Cross-Border Transfers

The Supplier shall not transfer Personal Information outside of South Africa, or where applicable outside the EU/EEA, without the prior written consent of the Company. Any approved transfer must comply with applicable safeguards under POPIA and/or GDPR.

7. Breach Notification

The Supplier shall notify the Company of any actual or suspected breach of Personal Information within 72 hours of becoming aware of it, and shall fully cooperate with the Company in investigating, mitigating, and reporting the incident.

8. Record-Keeping

The Supplier shall maintain complete and accurate records of all Processing activities carried out on behalf of the Company and shall provide such records to the Company on request.

9. Return or Deletion of Information

Upon termination or expiry of this Agreement, or at the Company’s request, the Supplier shall promptly return or securely delete/destroy all Personal Information processed on behalf of the Company and certify that no copies have been retained, unless retention is required by law.

10. Audit Rights

The Company may, upon reasonable notice, audit the Supplier’s compliance with this Agreement. The Supplier shall provide access to relevant information, personnel, and facilities as reasonably required.

11. Liability and Indemnity

The Supplier shall be liable for, and shall indemnify the Company against, all claims, fines, damages, or costs (including legal costs) arising from its breach of this Agreement or applicable data protection laws.

12. Survival

The obligations under this Agreement relating to confidentiality, return/deletion of data, and indemnity shall survive the termination of this Agreement.

13. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Republic of South Africa. Where GDPR applies, EU law shall apply to the extent required.