Data Processing Terms and Conditions
1.1 This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement (“Agreement”) entered into between the Client identified on the Order Form (“Client”) and talentCRU, a division of Fortress Administration (Pty) Ltd (“talentCRU”) (each a “Party”, collectively, the “Parties”). To the extent that the Responsible Party Processes Personal Data in providing the Subscription Services to Client under the Agreement, Responsible Party will Process Personal Data in accordance with this DPA. Solely in relation to the Processing of Personal Data, to the extent that the terms of this DPA conflict with the terms of the Agreement, the terms of this DPA will take precedence over the terms of the Agreement.
1.2.1 “Data Protection Law” means any statute, directive, legislative enactment, order, regulation, rule or other law imposing data protection or privacy obligations on a Party including but not limited to the Protection of Personal Information Act 4 of 2013 (“POPIA”).
1.2.2 “Data Subject” means a Person who is the subject of Personal Data that may be processed under this DPA;
1.2.3 “Operator” means a person who processes Personal Information for the Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party;
1.2.4 “Person” means an identifiable natural or juristic person or any other person who is not a natural or juristic person;
1.2.5 “Personal Data” means any data Processed by Responsible Party under this DPA that relates to a Person.
1.2.6 “Client Personnel” means any employee, officer, agent or any other individual acting for and on behalf of the Client.
1.2.7 “Process, Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, access, transfer, storage, adaptation or alteration, retrieval, consultation, use, copying, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, deletion, restriction, disposal or destruction of Personal Data.
1.2.8 “Regulator” means the Information Regulator established in terms of section 39 of POPIA.
1.2.9 “Responsible Party” means the person who, alone or in conjunction with others, determines the purpose of and means for processing Personal Information. For the avoidance of doubt, talentCRU shall be the Responsible Party.
1.2.10 “Security Breach” means any unauthorised access or disclosure; unauthorised, unlawful or accidental loss, alteration, misuse, destruction, acquisition of, or damage to Personal Data; any other unauthorised Processing of Personal Data; or a discovery or reasonable suspicion that there is a vulnerability in any technological measure used to protect any Personal Data that has previously been subject to a breach as previously described in this definition, which may result in exploitation or exposure of that Personal Data.
1.2.11 “Subscription Services” means the services to be provided by talentCRU to Client pursuant to the Agreement.
- PROCESSING OF PERSONAL DATA
The Client authorises the Responsible Party to Process Client and Client Personnel’s Personal Data during the term of this DPA solely to the extent described in this DPA and pursuant to the Agreement.
- INSTRUCTIONS FOR PROCESSING AND PROCESSING PURPOSES
3.1 The Responsible Party shall Process Personal Data in accordance with (i) the terms and conditions of the DPA (iii) POPIA and the GDPR (where applicable), (iv) other applicable legislation, regulations and applicable case-law relating to the Processing of Personal Data.
3.2 The Responsible Party shall only Process Personal Data to the extent necessary to provide the Subscription Services to the Client. Responsible Party will not process the Personal Data for its own benefit and/or other purposes, notwithstanding any of its obligations under mandatory law.
3.3 The purpose for the collection of Client’s and Client Personnel’s Personal Data and the reason why talentCRU requires this Personal Information is to enable talentCRU to:
3.3.1 comply with lawful obligations, including all applicable labour, tax and financial legislation such as the Financial Advisory And Intermediary Services Act, 37 of 2002 (FAIS), the Financial Intelligence Centre Act 38 of 2001 (FICA), the National Credit Act, 34 of 2005 (NCA) and / or the B-BBEE laws; give effect to a contractual relationship as between Client and talentCRU and in order to ensure the correct administration of the relationship;
3.3.2 for operational reasons;
3.3.3 to protect the legitimate interests of talentCRU, the Client or a third party;
3.4 The Client may propose changes to its instructions. If the Responsible Party deems the proposed changes feasible, the Responsible Party shall accept and implement such changes. The Client shall pay any additional fees charged as a result of a change in its instructions, if applicable.
3.5 The Responsible Party shall inform the Client promptly if, in its opinion, an instruction issued by the Client violates legal regulations. In such cases, the Responsible Party shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Client.
- RIGHTS OF THE DATA SUBJECT
4.1 A Data Subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of Personal Data including the right to be notified that: (i) personal information about him, her or it is being collected; or (ii) his, her or its personal information has been accessed or acquired by an unauthorised person; (iii) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information; (iv) to request, where necessary, the correction, destruction or deletion of his, her or its personal information; (v) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information; (vi) to object to the processing of his, her or its personal information, at any time for purposes of direct marketing; (vii) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications; (viii) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person in terms of section 71; (ix) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator; and (x) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
5.1 The Responsible Party may request the Client to provide information that reasonably demonstrates its compliance with its obligations under the DPA. The Client shall provide such information without undue delay.
5.2 To the extent that the information provided under clause 5.1 does not suffice, the Responsible Party may request a verification of the Client’s compliance with its obligations under the DPA. The Responsible Party shall give advance notice of a verification, observing a reasonable period of at least thirty (30) days.
5.3 If and insofar as the audit shows that compliance by the Client of one or more parts is inadequate, Client will make concrete proposals to correct and/or improve this. In which case, the costs for the audit and the resulting improvements are borne by the Client.
- CONTRACTING WITH OPERATORS
6.1 The Client agrees that the Responsible Party is allowed to engage an Operator for the processing of its Personal Data for the provision of the Services, provided that the Responsible Party shall:
6.1.1 assure that the Operator will only act on the instructions of Responsible Party when processing Personal Data (which instructions shall be consistent with the Client’s instructions to Responsible Party);
6.1.2 assure that the Responsible Party and the Operator enter into a data processing agreement containing the same or similar provisions as the DPA;
6.1.3 remain liable to the Client for the processing services of any of the Operators under the DPA.
6.2 The Client hereby consents to Responsible Party’s use of current Operators.
6.3 The Responsible Party shall inform the Client in advance of any intended changes concerning the addition or replacement of the Operator. The Client has the right to object to the proposed use of the Operator by Processor within fourteen (14) days after receipt of the Processor’s notice to Client (the “Notice Period”). If the Client does not object within the Notice Period, the proposed Operator shall be deemed accepted and approved by Client.
6.4 If the Client has a legitimate reason to object to the intended use or replacement of the Operator, the Client shall notify the Responsible Party thereof in writing within the Notice Period. In this case, the Responsible Party shall have the right to cure the Client’s objection through one of the following options (to be selected at the Responsible Party’s sole discretion):
6.4.1 the Responsible Party will cancel its plans to use the Operator with regard to the Client’s Personal Data or will offer an alternative to provide the Services without such Operator; or
6.4.2 the Responsible Party will take the corrective steps requested by the Client in its objection (which remove the Client’s objection) and proceed to use the Operator with regard to the Client’s Personal Data; or
6.4.3 the Responsible Party may cease to provide, or the Client may agree not to use (temporarily or permanently) the particular aspect of the Subscription Services that would involve the use of such Operator with regard to the Client’s Personal Data; or
6.4.4 If none of the above options are reasonably available and the objection has not been cured within thirty (30) days after the Responsible Party’s receipt of the Client’s objection, the Parties will in good faith come to a solution that is mutually acceptable for the Parties, which may include the right for Client to suspend or terminate the Subscription Services and Agreement.
- SECURITY OF PERSONAL DATA
The Responsible Party shall take all reasonable measures required to ensure a level of security appropriate to the risk, whilst considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
All Personal Data that the Responsible Party receives from the Client and/or collects itself within the context of the DPA, is subject to an obligation of confidentiality in respect of third parties. The Responsible Party will refrain from using this information for any purpose other than that for which it has acquired it. This obligation of confidentiality shall not apply insofar as i) the Client has given consent for the information to be provided to third parties, or ii) if disclosure of the information to third parties is logically necessary given the nature of the Subscription Services and the implementation of the DPA, or iii) if there is a legal obligation for the Responsible Party to provide the information to a third party, or iv) this right is granted based on the DPA and/or the Agreement.
- INTERNATIONAL TRANSFER
In the case of a transfer of Personal Data outside the South African borders and/or to a country that is not recognized as providing an adequate level of data protection, the Responsible Party will ensure i) that the intended transfer of Personal Data shall be in accordance with chapter 9 of POPIA and ii) if applicable, that the Client grants the Responsible Party permission to use the respective Operator in accordance with the DPA.
- CORRECTION AND DELETION OF PERSONAL DATA
10.1 A Data Subject may, in the prescribed manner, request a Responsible Party to-
10.1.1 correct or delete Personal Data about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
10.1.2 destroy or delete a record of Personal Data about the data subject that the Responsible Party is no longer authorised to retain in terms of section 14 of POPIA.
10.2 On receipt of a request in terms of clause 10.1, the Responsible Party will, as soon as reasonably practicable: (i) correct the information; or (ii) destroy or delete the information; (iii) provide the Data Subject, to his or her satisfaction, with credible evidence in support of the information; or where agreement cannot be reached between the Responsible Party and the Data Subject, if so requested, attach a notification to the information indicating that a correction of the information has been requested but has not been made.
- SECURITY BREACHES AND NOTIFICATION REQUIREMENTS
11.1 The Responsible Party shall inform the Client without undue delay, but at least within twenty-four (24) hours of discovery, of Personal Data breaches on the contact e-mail address as stipulated in the Order Form. Upon the notification of a data breach by Responsible Party on this e-mail address, the Responsible Party will be deemed to have complied with its notification obligations as stipulated under this clause 11.1.
11.2 Responsible Party shall provide Client at its first request and without undue delay the necessary information to enable the Client to document the breach and to notify the Regulator and the Data Subjects thereof, if so required by the Data Protection Law.
11.3 After consultation with the Client (unless in view of the nature of the breach, such consultation cannot be awaited) the Responsible Party shall take all measures necessary to restrict (possible) adverse consequences of the data breach.
11.4 The Responsible Party will not contact the Data Subjects and the data protection authority about any data breach, unless i) the Processor is obligated and this is required by the Data Protection Law or, ii) specifically agreed upon by the Parties.
12.1 Each Party is liable for its obligations set out in the DPA and under the Data Protection law as applicable to such Party.
12.2 Any liability arising out of or in connection with a violation of the obligations of this DPA or under the Data Protection Law as applicable to such Party, shall follow, and be governed by, the liability provisions set forth in the Agreement.
As appropriate, the Responsible Party shall provide all reasonably necessary cooperation to the Regulator in the fulfilment of its duties (such as allowing and facilitating any audits that the Regulator may require).
Any person may submit a complaint in writing to the Regulator in the prescribed manner and form alleging interference with the protection of the Personal Data of a Data Subject.
- TERM, TERMINATION AND RETENTION
15.1 The DPA commences on the Effective Date of the Agreement and ends upon termination of the Agreement and fulfilment of all obligations under the DPA.
15.2 The Processor can choose to be relieved from its obligations under the Agreement, if the Client should revoke or change its instructions under the DPA in such a way that Processor can no longer comply with its obligations under Data Protection Law.
15.3 If, upon termination of the DPA, the Client wishes to receive a copy of the Personal Data to which the DPA applies, the Client must make an explicit written request to provide such a copy ultimately upon termination of the DPA. The Processor shall upon such request provide the copy in an agreed format without undue delay.
15.4 In the event of the termination of this DPA, and on the request of the Client, the Responsible Party shall erase the Personal Data to which this DPA applies within a period agreed to by the Parties, unless the Responsible Party is required or permitted by law to retain the data.
16.1 Provisions from the DPA that are intended by their nature to survive the DPA will remain in full effect after the end of the DPA.
16.2 Should any of the provisions of the DPA be deemed invalid, unenforceable or contrary to South African law (either in whole or in part), the remaining provisions and/or the valid part of the DPA will be construed as if such invalid or unenforceable provisions were not contained herein. Such illegal, invalid and unenforceable provisions will then be deemed to be replaced by a provision which as closely as possible meets the intention of the Parties when inserting the original provision.
16.3 The DPA is exclusively governed by South African law. All disputes arising in connection with the DPA or the performance thereof will be determined in accordance with such law.