All Countries
Data Privacy
Data Controller To Data Controller Agreement

Data Controller To Data Controller Agreement Template for South Africa

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Data Controller To Data Controller Agreement

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Data Controller To Data Controller Agreement

"I need a Data Controller to Data Controller Agreement for sharing patient health records between our private hospital group and a medical research institution in South Africa, with extra provisions for special personal information and scheduled implementation by March 2025."

Celebrated by
Collaborations with
Investors
Document background
The Data Controller to Data Controller Agreement is essential when two organizations need to share personal information while acting as independent controllers under South African law. This document is required whenever organizations jointly process or exchange personal information, ensuring compliance with the Protection of Personal Information Act (POPIA). The agreement details each party's obligations, data protection responsibilities, security requirements, and procedures for managing data subject rights. It is particularly crucial in scenarios where organizations regularly share customer, employee, or other personal information databases, conduct joint ventures, or participate in data-sharing initiatives. The document includes specific provisions required by South African law, including Information Regulator notification requirements and local data protection standards.
Suggested Sections

1. Parties: Identification of the data controllers entering into the agreement, including their registration details and physical addresses

2. Background: Context of the agreement, relationship between the parties, and purpose of the data sharing arrangement

3. Definitions: Definitions of key terms used in the agreement, including those aligned with POPIA definitions

4. Purpose and Scope: Detailed description of the purpose of data sharing and scope of data processing activities

5. Roles and Responsibilities: Clear delineation of each controller's responsibilities and obligations under POPIA

6. Lawful Basis for Processing: Specification of the legal grounds under POPIA for processing and sharing personal information

7. Data Protection Principles: Commitment to comply with POPIA's conditions for lawful processing of personal information

8. Security Measures: Required technical and organizational security measures to protect personal information

9. Data Subject Rights: Procedures for handling data subject requests and ensuring data subject rights

10. Data Breach Notification: Procedures for notifying each other and relevant authorities of security compromises

11. Confidentiality: Obligations regarding confidentiality of shared personal information

12. Duration and Termination: Term of the agreement and circumstances for termination

13. Liability and Indemnification: Allocation of liability and indemnification obligations between the parties

14. Governing Law and Jurisdiction: Specification of South African law as governing law and jurisdiction for disputes

15. General Provisions: Standard contractual provisions including notices, amendments, and severability

Optional Sections

1. Cross-border Data Transfers: Required when personal information will be transferred outside South Africa, specifying compliance with POPIA's cross-border transfer requirements

2. Special Personal Information: Required when processing special personal information as defined in POPIA, including additional safeguards

3. Children's Personal Information: Required when processing personal information relating to children, including specific protections

4. Direct Marketing: Required when personal information will be used for direct marketing purposes

5. Data Protection Impact Assessment: Required for high-risk processing activities

6. Sub-processing: Required when either controller may engage sub-processors

7. Audit Rights: Optional section detailing mutual audit rights to ensure compliance

8. Insurance Requirements: Required when specific insurance coverage is needed for data protection risks

Suggested Schedules

1. Schedule 1 - Categories of Personal Information: Detailed list of personal information categories being shared

2. Schedule 2 - Purposes of Processing: Specific purposes for which each category of personal information will be processed

3. Schedule 3 - Technical and Organizational Security Measures: Detailed security measures implemented by each controller

4. Schedule 4 - Contact Details: Contact information for key personnel, including Information Officers and operational contacts

5. Schedule 5 - Data Transfer Procedures: Operational procedures for secure data transfers between controllers

6. Schedule 6 - Data Breach Response Plan: Detailed procedures for handling and reporting data breaches

7. Schedule 7 - Sub-processors: List of approved sub-processors and their processing activities

8. Appendix A - Standard Forms: Standard forms for data subject requests, breach notifications, and other routine communications

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Agreement
Applicable Law
Authorised Personnel
Business Day
Competent Authority
Confidential Information
Consent
Data Breach
Data Protection Laws
Data Subject
Direct Marketing
Effective Date
Information Officer
Information Regulator
Operator
Personal Information
Processing
POPIA
Record
Responsible Party
Security Compromise
Security Measures
Services
Special Personal Information
Sub-processor
Technical and Organisational Measures
Term
Third Party
Transfer
Shared Personal Information
Data Protection Impact Assessment
Cross-border Transfer
Child/Children
De-identified Information
Re-identify
Unique Identifier
Filing System
Information Matching Programme
Prior Authorisation
Processing Agreement
Clauses
Definitions
Interpretation
Data Protection Compliance
Controller Obligations
Data Processing
Data Security
Confidentiality
Data Subject Rights
Cross-border Transfers
Breach Notification
Audit Rights
Liability
Indemnification
Insurance
Term and Termination
Force Majeure
Assignment
Subcontracting
Notice
Governing Law
Dispute Resolution
Severability
Entire Agreement
Amendment
Data Retention
Technical Requirements
Information Security
Regulatory Compliance
Warranties
Records Management
Direct Marketing
Special Personal Information
Children's Data
Training Requirements
Reporting Requirements
Business Continuity
Relevant Industries

Financial Services

Healthcare

Insurance

Technology

Telecommunications

Retail

Professional Services

Education

Manufacturing

Real Estate

Government

Non-profit Organizations

Marketing and Advertising

Research and Development

Human Resources Services

Relevant Teams

Legal

Compliance

Privacy

Information Security

Risk Management

Data Governance

Information Technology

Operations

Business Development

Project Management

Vendor Management

Information Management

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Information Officer

Legal Counsel

Compliance Manager

Privacy Manager

Risk Manager

Information Security Manager

Chief Information Security Officer

Chief Legal Officer

Chief Compliance Officer

Data Governance Manager

Privacy Analyst

Compliance Officer

Contract Manager

Business Development Manager

Project Manager

Operations Manager

Industries
Protection of Personal Information Act (POPIA) 4 of 2013: South Africa's primary data protection legislation that regulates the processing of personal information and sets out the requirements for lawful data processing, including transfers between data controllers
Electronic Communications and Transactions Act 25 of 2002: Governs electronic communications and transactions, including requirements for electronic signatures and the legal recognition of electronic documents
Constitution of the Republic of South Africa, 1996: Section 14 establishes the fundamental right to privacy, which underlies data protection legislation
Consumer Protection Act 68 of 2008: May be relevant if the data subjects are consumers, as it provides additional protection regarding the collection and use of personal information in commercial contexts
Promotion of Access to Information Act (PAIA) 2 of 2000: Governs access to information held by public and private bodies, which may be relevant for data subject access requests and transparency obligations
Common Law of Contract: General principles of contract law that govern the formation and enforcement of the agreement between the data controllers
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

International Data Transfer Addendum

A South African law-compliant addendum governing international transfers of personal information under POPIA requirements.

find out more

Intra Group Data Processing Agreement

A South African law-governed agreement regulating personal information processing between entities within the same corporate group, ensuring POPIA compliance.

find out more

Third Party Processing Agreement

A South African law-governed agreement regulating personal information processing between a responsible party and an operator under POPIA.

find out more

Data Processing Addendum

A South African law-compliant agreement governing personal information processing between controllers and processors under POPIA.

find out more

Intercompany Data Transfer Agreement

South African law-governed agreement regulating intra-group data transfers in compliance with POPIA and local data protection regulations.

find out more

Data Management Agreement

A South African law-compliant agreement governing data management and processing activities between organizations, ensuring POPIA compliance and data protection.

find out more

Data Controller To Data Controller Agreement

South African POPIA-compliant agreement governing personal information sharing between two data controllers, establishing mutual obligations and responsibilities.

find out more

DPA Agreement

A South African law-compliant Data Processing Agreement establishing terms for handling personal information under POPIA regulations.

find out more

Third Party Data Processing Agreement

A South African law-compliant agreement governing the processing of personal information by a third-party operator on behalf of a responsible party under POPIA.

find out more

Personal Data Transfer Agreement

A POPIA-compliant agreement for transferring personal information between parties under South African law.

find out more

Controller Processor Agreement

A South African law-governed agreement between a data controller and processor establishing terms for personal information processing under POPIA.

find out more

Affiliate Addendum

A South African law-compliant addendum establishing terms and conditions for affiliate marketing relationships, including commission structures and compliance requirements.

find out more

Sub Processing Agreement

A South African-compliant agreement governing the delegation of personal information processing activities to a sub-processor under POPIA requirements.

find out more

International Data Transfer Agreement

A South African law-governed agreement for cross-border personal information transfers, ensuring POPIA compliance and data protection standards.

find out more

Data Protection Addendum

A South African law-governed addendum establishing POPIA-compliant terms for personal information processing between parties.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.