Data Operator Policy and Agreement

In terms of the Protection of Personal Information Act, 4 of 2013

    1. Purpose

    This Policy and Agreement regulates the processing of Personal Information by third-party operators (“Operators”) on behalf of Emergence Growth South Africa (“the Company”) in compliance with POPIA.

    2. Scope

    Applies to all third-party service providers who process Personal Information for or on behalf of the Company.

    3. Legal Framework

    This Policy is aligned with Sections 19, 20 and 21 of POPIA, requiring the Company to ensure that Operators establish and maintain appropriate security measures.

    4. Operator Obligations

    The Operator must:

    • Process Personal Information only on documented instructions from the Company
    • Treat all Personal Information as confidential
    • Implement appropriate technical and organisational security measures
    • Restrict access to authorised personnel on a need-to-know basis
    • Ensure personnel are trained and bound by confidentiality obligations
    • Notify the Company immediately of any actual or suspected security compromise
    • Assist the Company in responding to Data Subject requests and regulatory requirements

    5. Sub processing

    The Operator may not appoint a sub-operator without prior written consent. Any approved suboperator must be bound by the same obligations.

    6. Cross-Border Transfers

    Personal Information may not be transferred outside South Africa without prior written approval and appropriate safeguards.

    7. Security Requirements

    The Operator must:

    • Identify and manage risks to Personal Information
    • Implement safeguards to prevent loss, damage, or unauthorised access
    • Regularly test and review security measures

    8. Audit Rights

    The Company reserves the right to audit the Operator’s compliance with this Policy and POPIA.

    9. Incident Management

    The Operator must report any security incident immediately and provide:

    • Description of the incident
    • Categories and volume of data affected
    • Likely consequences
    • Remedial actions taken

    10. Termination

    Upon termination of services, the Operator must return or securely destroyall Personal Information and certify such destruction where required.

     

    11. Liability

    The Operator remains liable for any breach of this Policy and indemnifies the Company against any resulting losses or damages.

     

    12. Agreement

    This Policy forms part of all service agreements with Operators and must be complied with at all times.

     

    13. Contact Details

    Email: [email protected]

    Updates to this Policy

    The Company reserves the right to amend this Policy at any time to ensure ongoing compliance with applicable legislation and best practices.

     

    Updated March 2026

    Ready to transform insights into action?
    Contact Emergence Human Capital to design, deploy, and drive meaningful change through intelligent employee engagement surveys.

    Office: +27 11 026 3442

    eMail: [email protected]

    https://emergencegrowth.com/hr-reward-services/hr-surveys-data-insights/