Data Privacy Addendum Template for South Africa

Key Requirements PROMPT example:

Data Privacy Addendum

"I need a Data Privacy Addendum for my South African software company that will be using AWS cloud services to process customer data starting January 2025, with specific provisions for cross-border transfers and sub-processor management."

Document background
The Data Privacy Addendum is essential for organizations operating in South Africa that engage in the processing of personal information through third-party service providers. This document should be used whenever a business relationship involves the handling of personal data, especially when one party processes personal information on behalf of another. The addendum ensures compliance with the Protection of Personal Information Act (POPIA) and establishes clear responsibilities and obligations for data protection. It addresses critical aspects such as security measures, data breach notifications, cross-border transfers, and sub-processor engagement. The document is particularly important given South Africa's strict data protection requirements and the significant penalties for non-compliance with POPIA. It serves as a crucial supplement to existing service agreements, ensuring that all personal information processing activities are properly governed and protected.

Suggested Sections

1. Parties: Identification of the data controller (responsible party) and data processor (operator) including their registered details and representatives

2. Background: Context of the addendum, reference to the main agreement, and purpose of the data processing relationship

3. Definitions: Definitions of key terms used in the addendum, aligned with POPIA terminology

4. Scope and Purpose of Processing: Detailed description of the personal information to be processed and the specific purposes for processing

5. Obligations of the Processor: Core responsibilities of the processor including processing limitations, confidentiality, and security measures

6. Obligations of the Controller: Responsibilities of the controller including lawful instructions, compliance with POPIA, and oversight duties

7. Security Measures: Required technical and organizational security measures to protect personal information

8. Sub-processors: Conditions and requirements for engaging sub-processors, including approval process

9. Data Subject Rights: Procedures for handling data subject requests and assistance requirements

10. Data Breach Notification: Process and timeframes for reporting and managing personal data breaches

11. Audit Rights: Controller's rights to audit and verify compliance with data protection obligations

12. Term and Termination: Duration of the DPA and circumstances for termination

13. Return or Deletion of Data: Obligations regarding personal information upon termination of services

14. Liability and Indemnities: Allocation of risk and responsibility for data protection breaches

15. Governing Law and Jurisdiction: Confirmation of South African law and jurisdiction

Optional Sections

1. Cross-border Data Transfers: Requirements and safeguards for international transfers of personal information, necessary when data will be processed outside South Africa

2. Special Personal Information: Additional safeguards for processing sensitive personal information as defined in POPIA, required when processing special categories of data

3. Direct Marketing: Specific provisions for processing personal information for direct marketing purposes, needed if marketing activities are involved

4. Automated Decision Making: Requirements for automated processing and profiling, necessary when automated decision-making is used

5. Children's Data: Special provisions for processing personal information of children, required when processing minors' data

6. Insurance Requirements: Specific insurance obligations for data protection, recommended for high-risk processing

7. Business Continuity: Requirements for ensuring continuous data protection during disruptions, recommended for critical services

Suggested Schedules

1. Schedule 1: Description of Processing Activities: Detailed description of processing activities including categories of data subjects, types of personal information, and processing purposes

2. Schedule 2: Technical and Organizational Security Measures: Specific security measures implemented to protect personal information

3. Schedule 3: Approved Sub-processors: List of approved sub-processors and their processing activities

4. Schedule 4: Security Breach Response Plan: Detailed procedures for responding to and managing security breaches

5. Schedule 5: Data Retention and Deletion Policy: Specific requirements for retention periods and deletion procedures

6. Schedule 6: Cross-border Transfer Mechanisms: Details of mechanisms used for lawful cross-border transfers

7. Appendix A: Contact Details: Contact information for key personnel and data protection officers

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Financial Services

Healthcare

Technology

Retail

Education

Professional Services

Telecommunications

Insurance

E-commerce

Manufacturing

Public Sector

Non-profit Organizations

Marketing and Advertising

Human Resources Services

Cloud Services

Relevant Teams

Legal

Compliance

Information Technology

Information Security

Risk Management

Procurement

Operations

Data Protection

Privacy

Vendor Management

Corporate Governance

Information Management

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Information Officer

Legal Counsel

Compliance Manager

IT Security Manager

Risk Manager

Chief Information Security Officer

Privacy Manager

Contracts Manager

Chief Technology Officer

Chief Legal Officer

Information Security Manager

Operations Director

Procurement Manager


