DATA PROTECTION AND PRIVACY AGREEMENT | PROCESSING
INTRODUCTION
Whereas
MultiNET BUSINESS PARTNERS as a result of our Master Services Agreement has been required by the Responsible Party to further process the Data so received from the Responsible Party for the purposes of a home loan application.
And whereas
MultiNET BUSINESS PARTNER is required to warrant that the Data being further processed is done in accordance with the provisions of the relevant Data Protection Legislation and in particular the POPIA;
And whereas
The Responsible Party has agreed to provide MultiNET BUSINESS PARTNER with the requisite Data and MultiNET Home Loans has accepted such Data to be further processed, subject to the provisions of this Agreement.
INTERPRETATION AND DEFINITIONS
The clause headings contained in this Agreement are for reference purposes only and shall not be construed in the interpretation hereof.
In this Agreement, unless the context indicates a contrary intention, an expression which denotes any gender includes the other genders, a natural person includes an artificial person and vice versa and the singular includes the plural and vice versa.
The following words shall bear the meanings assigned to them below and cognate expressions shall bear a corresponding meaning:
“Agreement” means this document and all annexures hereto (if any);
“Commencement Date” means 1st July 2021.
“Day” means a calendar day;
“Data” shall mean the personal and private confidential information, provided to the Operator by the Responsible Party on the premise that the Data Subject(s) has / have given his/her/their informed consent in as far as such Data is concerned and also that the Data may be further processed by the Operator;
“Data Subject” means the person / individual, whose information has been obtained by the Responsible Party and will be processed by the Operator, subject to the definition ascribed to “Data Subject” in the PoPIA;
“Computer Programs” means any set of instructions fixed or stored in any manner which, when used directly or indirectly in a computer, directs its operations to bring about a particular result including, but not limited to, software programs, source code, object code and algorithms for the computer software program;
“Confidential Information” means all information disclosed by any Party, at any time before or after the Signature Date of this Agreement, that may reasonably be regarded as confidential, being information not in the public domain, whether such information is oral or written, recorded or stored by electronic magnetic, electro-magnetic or other form or process, or otherwise in a machine readable form, translated from the original form, recompiled, made into a compilation, wholly or partially copied, modified, updated or otherwise altered, originated or obtained by, or coming into the possession, custody, control or knowledge of the other Party whether alone or jointly, including but without being limited to: technical data, research and development information; know-how, trade secrets, designs, models, processes, formula and techniques, business and product development plans, budgets, prices, costs and financial projections or financial information; trade connections, technical information and specifications, designs, electronic artwork, manufacturing techniques, circuit diagrams, instruction manuals, blue prints, samples, devices, demonstrations, information concerning materials, marketing and business information generally, machinery, technical, commercial, scientific information, software, hardware, and any other materials of whatsoever nature and whatsoever description and which the Party has an interest in being kept confidential;
“Intellectual Property” means all patents, designs, copyrights, trademarks, trade names and other intangible proprietary rights customarily considered as intellectual property or applications therefore which the Operator may at any time own, adopt, use, or register.
“Parties” means the Operator and the Responsible Party collectively and “Party” refers to either one, as the context requires;
“POPIA” shall mean the Protection of Personal Information Act, No.4 of 2013, as amended from time to time.
“PAIA” shall mean the Promotion of Access to Information Act, No.2 of 2000 as amended from time to time;
“ECTA” shall mean the Electronic Communications and Transactions Act, No. 25 of 2002 as amended from time to time;
“Territory” means any and / or all cities, towns, suburbs, and areas within South Africa.
“Trade Secrets” means any information belonging to the divulging party including but not limited to: technical or non-technical data, formula, models, compilations, programmes, devices, methods, techniques, diagrams, processes, financial plans, product plans, business connections or lists of actual or potential clients or business connections which derive economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
If any provision in a definition is a substantive provision conferring any right or imposing any obligation on any Party, then, notwithstanding that it is only in the definition section, effect shall be given to it as if it were a substantive provision in the body of this Agreement.
When any number of days is prescribed in this Agreement, such number shall be calculated by excluding Saturdays, Sundays or public holidays and excluding the first day and including the last day unless the last day falls on a Saturday, Sunday or public holiday, in which case, the last day shall be the next succeeding day which is not a Saturday, Sunday or public holiday.
The use of the word “including” and/or inter alia followed by a specific example or examples shall not be construed as limiting the meaning of the general wording preceding it and the ejusdem generis (“of the same kind”) rule shall not be applied in the interpretation of such general wording or such specific example/s.
Where a definition is used in this Agreement, such definition shall bear the same meaning in any annexure to this Agreement and vice versa.
In the event of ambiguity, this Agreement shall not be interpreted against the Party responsible for the drafting or preparation of this Agreement, therefore the Contra Proferentem rule will not be applicable to this Agreement.
DURATION
Subject to any other provisions for cancellation or termination vested in the [Refer to the Master Services Agreement / Service Level Agreement], this Agreement shall commence on the Commencement Date and shall continue indefinitely.
Notwithstanding the termination of this Agreement, the provisions contained in clauses 3, 4, 6, 9, 10, 11, 12, 13, 14, 15, and 22, which are by their very nature perpetual shall remain in full force and effect in perpetuity.
PROVISION, PROCESSING AND SECURING OF DATA
The Responsible Party has acquired the Data by means of the Data Subject(s) consenting to the Data being utilised and further processed by the Operator for the purposes of a home loan application.
The Operator shall receive the Data and further process the Data for the benefit of the Responsible Party for the purposes of a home loan application.
The Data shall be provided free of charge to the Operator by the Responsible Party.
The Operator in no way guarantees the correctness or authenticity of the Data received from the Responsible Party.
Any information obtained and released by the Operator as part of this Agreement shall in no way be construed as an opinion of the Operator on any person reported upon but merely reflects a recording of information received by the Operator from the Responsible Party from time to time.
The Responsible Party shall be solely liable for all actions and decisions taken in reliance on the Data and hereby indemnifies the Operator of any and / or all claims by any third party as a result of the usage or provision of the Data.
The Operator will, once it has received the Data, secure the Data in a manner compliant with the normal industry standards and as required in terms of the POPIA, which will inter alia include the necessary software, safety precautions, virus protection, password protection and firewall security measures.
The Operator shall further process and utilise the Data in accordance with the provisions of POPIA, ECTA and PAIA and shall only utilise the Data for its intended purpose.
The Operator shall not at any point in time on-sell the Data to any third party so acquired and received from the Responsible Party.
The Operator shall only process the Data for the intended purpose and shall, at or on the termination date, destroy the Data and de-identify the Data Subject(s) with immediate effect, unless otherwise and/or instructed by the Responsible Party.
In the event of a Data Subject indicating to either the Responsible Party or the Operator that it no longer consents to its Data being further processed, the Responsible Party shall with immediate effect notify the Operator of such a request and the Operator shall with immediate effect de-identify the Data Subject.
The Responsible Party hereby agrees that should it fail to inform the Operator of the Data Subject(s)’ consent being revoked to indemnify the Operator of any and / or all claims that may arise as a result of such an omission.
In the event of a Data Subject informing the Operator that it no longer consents to its Data being further processed, the Operator shall notify the Responsible Party of same within 6 working hours and the Operator shall with immediate effect de-identify the Data subject.
The Operator and the Responsible Party shall on an ongoing basis do an audit on the Data Subject(s)’ activity to ensure that no Data Subject has revoked its consent in as far as the further processing of its Data is concerned.
DATA PROTECTION
Each Party will take responsibility for the protection of Personal Information processed by it as more fully set out hereunder and in terms of the Protection of Personal Information Act 4 of 2013, as amended (“POPIA”). For the avoidance of doubt, each Party shall be fully liable for compliance of POPIA both in its performance in terms of this Agreement, provision of the Services and use of any software provided hereunder.
Each of the Parties shall secure the Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, or damage to, or unauthorised destruction of the Personal Information or unlawful access to or processing of the Personal Information and which provide a level of security appropriate to the risk represented by the processing and the nature of the Personal Information to be protected.
Each of the Parties warrants that it shall secure the integrity and safety of the Personal Information in its possession or under its control by taking and implementing appropriate, reasonable technical and organisational measures to prevent:
loss of or damage to or unauthorised destruction of any Personal Information; and
unlawful access to or processing of any Personal Information.
Each of the Parties undertakes and agrees that it shall take reasonable measures to:
identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or under its control;
establish and maintain appropriate safeguards against the risk identified;
regularly verify that the safeguards are effectively implemented; and
ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and shall notify the other Party of the risks identified and the safeguards established and implemented from time to time.
In addition to the other obligations set out above, the Parties shall:
take reasonable steps to ensure the reliability of any of its personnel, staff, employees, agents or otherwise who have access to the Personal Information and to ensure that each of its employees, agents and sub-contractors are made aware of and are trained in its obligations under this Agreement with regard to the security, handling and protection of the Personal Information;
limit access to the Personal Information only to those persons under its control who need to know to enable the Parties to achieve the purposes and objective of this Agreement and ensure that persons employed by the Parties to process the Personal Information have undergone training in the care and handling of Personal Information;
process the Personal Information at all times in accordance with PoPIA and solely for the purposes and in the manner specified from time to time by the Party affected, and for no other purpose or in any manner except with the express prior written consent of the Party affected;
provide the other Party with full co-operation and assistance in relation to any requests for access or correction or complaints made by any third party pursuant to PoPIA;
at the request of any regulatory body, submit its Personal Information processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the requesting Party to ascertain compliance with the warranties and undertakings in this clause, with reasonable notice and during regular business hours;
comply with any request from the Party concerned to amend, transfer or delete Personal Information;
if either Party receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Information, the Party shall immediately notify the other Party and it shall provide the other Party with full cooperation and assistance in relation to any complaints, notices or communications; and
not process or transfer the Personal Information outside of the Republic of South Africa, except with the express prior written authority of the Party concerned.
Each of the Parties, and any persons under its control and employ, shall comply with all other data protection laws applicable to this Agreement and, without limitation to the foregoing, shall ensure the security and confidentiality of all personal data processed by it in accordance with all applicable data protection laws.
Each Party indemnifies and holds the other Party harmless against any loss, claim, harm, expense, penalty and/or damage, of whatever nature, suffered or sustained by the aggrieved Party pursuant to a breach by the former Party of the provisions of this clause or failure to comply with its obligations in terms of POPIA.
OBLIGATIONS OF THE PARTIES
The Responsible Party shall:
adhere to all the legislative requirements imposed on it in terms of POPIA, ECTA and PAIA;
ensure that it has complied with all the required safety and security protocols in as far as data security and data storage is concerned; and
in the event of a data breach / leak / compromise, immediately inform the Operator of same and assist the Operator in the investigation related to the said data breach.
The Operator shall:
perform the services diligently, competently and efficiently in accordance with its own data protection and privacy policies;
adhere to all the legislative requirements imposed on it in terms of POPIA, ECTA and PAIA;
ensure that it has complied with all the required safety and security protocols in as far as data security and data storage is concerned; and
in the event of a data breach / leak, immediately inform the Responsible Party of same and assist the Responsible Party in the investigation related to the said data breach.
FORCE MAJEURE
If a Force Majeure Event occurs, the affected Party must immediately provide the other Party with a written notice containing:
full particulars of the Force Majeure Event, including its nature and likely duration;
obligations of the Party the performance of which is prevented or delayed; and
nature and extent of the effects of the Force Majeure Event on those obligations.
RIGHT OF INSPECTION
Either Party may, upon providing the other Party with at least 7 (seven) days’ notice at its own discretion inspect the security measures implemented by such Party to secure the Data.
If the inspecting party, in good faith determines that all or a portion of the security measures do not conform to normal industry standards, it may retain the Data so provided and / or received and suspend any processing associated with the said Data until the relevant security protocols have been implemented.
The inspecting party will provide written notice to the other party of the reasons why the security protocols do not conform or are rejected.
RELATIONSHIP BETWEEN PARTIES
It is expressly understood that the Operator is an independent contractor and that neither it nor its employees, agents, representatives or subcontractors are agents or employees of the Responsible Party.
In addition, the Parties agree that nothing contained herein shall constitute a partnership, joint venture, employment or principal/agent relationship between them.
Neither Party shall have any authority to bind, contract, or otherwise commit the other Party, nor in any way to pledge the credit of the other Party.
WARRANTIES
The Parties warrant that they:
understand the contents of this Agreement;
have voluntarily agreed to enter into this Agreement;
are bound by every provision hereof, and that each and every provision hereof is reasonable and necessary to protect the rights of the Responsible Party, the Operator and the Data Subject(s);
are authorised to enter into this Agreement;
are solvent and in business; and
are suitably qualified, have the specialised knowledge and equipment required to perform the functions as envisaged by them in utilising the Data so obtained and acquired.
BREACH AND TERMINATION
This Agreement may be terminated by the Operator in the event of:
any breach of this Agreement by the Responsible Party not cured within seven (7) days of receipt of a written notice thereof, irrespective of whether or not such breach is material or not;
the Responsible Party being liquidated, sequestrated and/or applying for or being placed under business rescue;
the inability or prospective failure of the Responsible Party to perform its obligations in terms of this Agreement;
the enactment of a law, statute, rule, regulation, decree, sentence or pronouncement, whether governmental, judicial or administrative, which would impair or restrict the right of either Party to terminate or elect not to renew this Agreement as herein provided or any such law which makes it unlawful for the Parties to continue their relationship in terms of this Agreement;
the inability or failure by the Responsible Party to maintain the necessary registrations or governmental authorisations;
the Responsible Party at any time during the negotiations or currency of this Agreement making any misstatement or misrepresentation in relation to its business or financial position or the usage of the Data provided to the Operator; and / or
the Responsible Party being responsible for any abuse or misuse of the Data so provided by it in failing to adhere to its own data protection policies or utilising the Data for any purpose it was not intended for.
This Agreement will further be suspended without any notice in the event of a Data breach / Data compromise or Data leak.
The termination shall be effective as of the date specified in the notice.
Regarding clause 10.1.4, however, this Agreement shall terminate not later than the day prior to the effective date of the law, statute, rule, regulation, decree, sentence, or pronouncement.
The provisions of this clause shall be reciprocal.
RIGHTS AND OBLIGATIONS UPON TERMINATION
Upon expiration or termination of this Agreement for any reason the Operator shall:
cease the further processing of any Data provided to it by the Responsible Party;
return to the Responsible Party all documents (originals and copies), including but not limited to the details of all the Data Subjects provided to it by the Responsible Party;
have no right, title and interest in and to the intellectual property of the Responsible Party and shall immediately discontinue the use of such intellectual property.
The Parties shall abide by and uphold any rights or obligations accrued or existing on the date of such termination.
INDEMNITY AND DISCLAIMER
Each Party (“Indemnifying Party”) indemnifies the other Party (“Indemnified Party”) against all loss, liability, damage and expense of whatever nature, which the Indemnified Party may suffer or incur as a result of or in connection with a breach by the Indemnifying Party of any terms in this Agreement.
The Indemnifying Party agrees to, at its expense, defend any action instituted by a third party against the Indemnifying Party as a result of a breach by the Indemnifying Party of any terms in this Agreement.
The Indemnifying Party is obliged to apply for the substitution of “the defendant” (in order to substitute itself as the defendant in the matter), in terms of the relevant rules of the court having jurisdiction.
The Indemnifying Party agrees to, at the Indemnifying Party’s expense, assist the Indemnifying Party by providing the Indemnifying Party with such information as the Indemnifying Party may require in order to defend any of the proceedings instituted against it.
Each Party’s obligation to indemnify the other Party survives the termination of this Agreement.
The Operator accepts no liability for any opinions, recommendations, forecasts or comments or actions and decisions taken in reliance on the Data provided by it to the Responsible Party in terms of this Agreement.
PUBLICITY
Neither Party shall use any trade name, trademark, service mark, logo, or other identifying indicia of the other Party without prior written authorisation from the other Party.
The foregoing notwithstanding, the Operator may list the Responsible Party and its customers, as channel partners/customers of the Operator in any materials, regardless of form, format and media; provided however, that the Operator makes no further statement referencing the Responsible Party or its customers without the prior written authorisation of the Responsible Party or its clients.
The Responsible Party agrees to submit to the Operator all advertising, written sales promotions, press releases and any other publicity material relating to the conclusion of this Agreement in which the Operator’s trade name or trademark is mentioned, and will not publish or use or allow the publication or the use of such advertising, sales promotions, press releases or publicity material without the prior written approval of the Operator in each instance.
When obtaining the requisite consent from the Data Subject(s), the Responsible Party shall:
Ensure that the Data Subject has consented to such processing and further processing of its Data and the Responsible Party further complies with all forms of legislation applicable to the Data Subject(s).
LIMITATION OF LIABILITY
Neither Party is liable to the other for any indirect, special or consequential damages.
Neither Party is liable for any loss, liability, damage or expense of the other Party as a result of or which may be attributable to (a) a breach of that other Party’s obligations in this Agreement or other applicable Laws; (b) the intentional or negligent acts or omissions of that other Party, its employees, agents, contractors and representatives; (c) any event of force majeure; or (d) the downtime of any telecommunications line and/or infrastructure and/or facilities.
The limitations of liability do not apply to (a) the Responsible Party’s liability to the Operator under the clauses regarding the provision, processing and security of the Data, Intellectual Property Rights and Confidentiality; (b) liability resulting from gross negligence or wilful misconduct of the Responsible Party, its agents, employees or assigns; or (c) damages incurred by the Operator as a result of governmental, regulatory or judicial action(s) pertaining to violations of any Laws, or any combination of same, to the extent that such damages result from the Responsible Party’s breach, directly or indirectly, of its obligations under this Agreement.
The limitations of liability do not apply to (a) the Operator’s liability to the Responsible Party under the clauses regarding the provision, processing and security of the Data, Intellectual Property Rights and Confidentiality; (b) liability resulting from gross negligence or wilful misconduct of the Operator, its agents, employees or assigns; or (c) damages incurred by the Responsible Party as a result of governmental, regulatory or judicial action(s) pertaining to violations of the applicable data protection statutes, or any combination of same, to the extent that such damages result from the Operator’s proven breach, directly or indirectly, of its obligations under this Agreement.
DISPUTE RESOLUTION
The Parties accept that disputes and differences may arise between the Parties during the course of this Agreement.
The Parties shall endeavour to resolve such disputes amongst themselves for a period of 14 (fourteen) days from the date that the aggrieved Party has notified the other Party of the dispute.
Should the Parties fail to resolve the dispute, they shall agree on the appointment of an arbitrator.
Each Party shall provide a shortlist of 5 (five) arbitrators within 5 (five) days of the dispute becoming unresolved as per clause 15.2 above.
Should the Parties fail to agree on the appointment of an arbitrator or arbitrators within 5 (five) days of them having provided their shortlists, the Party declaring the dispute shall make application to the President of the Legal Practice Council for the appointment of an arbitrator.
Once an arbitrator has been appointed, the aggrieved party shall refer its dispute within twenty one (21) days.
The arbitration shall be held at Johannesburg, within twenty-one (21) days of the referral and in accordance with the Arbitration Act, No. 42 of 1965 and the Uniform Rules of the High Court.
The Parties consent to any dispute between them because of this Agreement being determined as provided for in this clause 15.
This clause shall not preclude either Party from obtaining interim relief on an urgent basis from a court of competent jurisdiction pending the decision of the arbitrator.
DOMICILIUM CITANDI ET EXECUTANDI
The Parties hereby select the address as indicated on the cover page of this Agreement as the address at which all notices, legal processes and other communications must be delivered to it for the purposes of this Agreement.
Any notice or communication required or permitted to be given in terms of this Agreement will be valid and effective only if in writing and delivered by hand with acknowledgement of receipt.
Either Party may by written notice to the other Party change its chosen address to another physical address, provided that the change will become effective on the fourteenth (14th) day after receipt of the notice by the addressee.
Any notice sent to a Party and contained in a correctly addressed envelope and:
sent by prepaid registered post to it at its chosen address shall be deemed to have been received, unless the contrary is proved, on the 14th day after posting; or
delivered by hand to a responsible person during ordinary business hours at its chosen address will be deemed, unless the contrary is proved, to have been received on the day of delivery; or
emailed to a responsible person to his/her chosen email address will be deemed, unless the contrary is proved, to have been received on the day of dispatch.
ENTIRE AGREEMENT
This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereto and supersedes all prior agreements between the Parties, whether written or oral, relating to the same subject matter.
GOVERNING LAWS
This Agreement shall be governed by the laws of the Republic of South Africa, notwithstanding the place at which this Agreement was entered into or where the Data was received or processed.
SEVERABILITY
If the whole or any part of a provision of this Agreement is void or voidable by either Party or unenforceable or illegal the whole or that part (as the case requires) of that provision shall be severed and the remainder of this Agreement shall have full force and effect provided such severance does not amount to rewriting this Agreement or altering the nature of this Agreement and that such severance is not contrary to public policy.
WAIVER
The waiver by either Party of a breach or default of any of the provisions of this Agreement by the other Party shall not be construed as a waiver of any succeeding breach of the same or other provision; nor shall any delay or omission on the part of either Party to exercise or avail itself of any right, power or privilege that it has or may hereunder operate as a waiver of any breach of default by the other Party.
EXCLUSIVITY
The Responsible Party agreed that it has appointed the Operator on an exclusive basis to further process the Data for the intended purposes.
AMENDMENTS TO AGREEMENT
No amendment, modification, or supplement to this Agreement, including any variation to this clause 22, shall be valid or have any force or effect unless reduced to writing and signed by duly authorised representatives of both Parties.