SLA Data Processing

In terms of POPIA Sections 19–21

    1. Purpose

    This Service Level Agreement (“SLA”) governs the processing of Personal Information by a thirdparty Operator on behalf of Emergence Growth South Africa (“the Company”), in compliance with the Protection of Personal Information Act, 2013 (POPIA).

    2. Scope

    This Agreement applies to all third-party service providers (“Operators”) who process Personal Information on behalf of the Company.

    3. Operator Obligations

    The Operator agrees to:

    • Process Personal Information only on documented instructions from the Company
    • Treat all Personal Information as confidential
    • Implement appropriate technical and organisational security measures
    • Prevent unauthorised access, disclosure, loss or destruction of Personal Information
    • Ensure staff are trained and bound by confidentiality obligations

    4. Security Measures (POPIA Section 19)

    The Operator must:

    • Identify and mitigate risks to Personal Information
    • Maintain appropriate safeguards (technical and organisational)
    • Regularly review and update security controls
    • Align with industry best practices

    5. Breach Notification (POPIA Section 22)

    The Operator must:

    • Notify the Company immediately of any suspected or actual data breach
    • Provide full details of the incident
    • Cooperate in investigation and remediation

    6. Sub-Operators

    The Operator may not:

    • Appoint sub-contractors (sub-operators) without prior written approval

    Where approved:

    • The Operator remains fully responsible
    • Equivalent data protection obligations must be imposed

    7. Data Subject Rights

    The Operator must:

    • Assist the Company in responding to data subject requests
    • Provide access, correction or deletion support where required

    8. Audit And Compliance

    The Company reserves the right to:

    • Audit the Operator’s compliance with POPIA
    • Request evidence of security controls and procedures

    The Operator must:

    • Cooperate with audits
    • Address any identified risks or deficiencies

    9. Data Transfers

    The Operator must not transfer Personal Information outside South Africa without:

    • Prior written approval from the Company
    • Ensuring adequate data protection safeguards

    10. Data Retention and Destruction

    The Operator must:

    • Retain Personal Information only for as long as necessary
    • Securely delete or return data upon termination of services

    11. Liability

    The Operator is responsible for:

    • Any breach caused by its negligence or failure to comply
    • Any unauthorised processing or disclosure

    12. Termination

    The Company may terminate this Agreement if:

    • The Operator breaches POPIA requirements
    • There is a material security risk

    13. Governance

    The Information Officer is responsible for oversight of this Agreement.

     

    Updates to this Policy

    The Company reserves the right to amend this Policy at any time to ensure ongoing compliance with applicable legislation and best practices.

     

    Updated March 2026

    Ready to transform insights into action?
    Contact Emergence Human Capital to design, deploy, and drive meaningful change through intelligent employee engagement surveys.

    Office: +27 11 026 3442

    eMail: [email protected]

    https://emergencegrowth.com/hr-reward-services/hr-surveys-data-insights/