POPI identifies key role players that will be involved in the protection of Personal Information, namely the Data Subject, the Responsible Party and the Operator.
The person to whom the Personal Information relates to is known as the Data Subject. An example of this would be a consumer, such as a person buying a house.
The Responsible Party determines the purpose for which the Personal Information is collected and the means of processing that information. In other words, they decide what Personal Information to collect and what to do with it. The Responsible Party can outsource a part or all of the processing of the Personal Information to a third party, who is referred to as an ‘Operator’ under POPI.
The Operator is any third party processing the Personal Information on behalf of the Responsible Party. When the Operator is contracted to do something on behalf of a Responsible Party, the Operator will only be allowed to execute on the terms of that arrangement, and will not be bound to some of the other conditions of POPIA, which apply to the Responsible Party. In short, the Operator:
POPIA requires a Responsible Party to enter into a written contract with the Operator, to ensure that the Operator establishes and maintains the necessary security measures when dealing with Personal Information, and clearly articulates the bounds of the processing.