Data Processing Policy | POPIA Othos Telecom



Context:

1) The Party identified in (2) above is a partner of Othos Telecom and, as part of the relationship between the parties, personal data (as defined below) will pass between their respective networks and systems.

2) In some instances, Othos Telecom will be the Data Controller (as defined below) and the Partner will be the Data Processor (as defined below); in other instances, the reverse will be the case.

3) Each Party, when processing personal data controlled by the other Party or its customers, agrees that:

a) the other Party is the Data Controller (and therefore controls what happens to its personal data); and

b) it is the Data Processor.

4) The Parties wish to enter into this agreement to take account of their respective obligations under the POPIA legislation in South Africa and GDPR (as defined below), and to supplement the provisions in the Main Agreement (as defined below) on the terms set out below.

5) The Parties acknowledge and agree that nothing in this agreement relieves them from their direct Data Controller and Data Processor responsibilities and liabilities under the POPIA.

6) In the event of any conflict between the Main Agreement and this agreement, the provisions of the Main Agreement shall prevail.

Definitions

In this agreement the following words and expressions shall have the following meanings, unless the context otherwise requires:

“Data Controller”

determines the purposes and means of processing personal data.

“Data Processor”

is responsible for processing personal data on behalf of a controller.

“Data Subject”

an identified or identifiable natural person.

“GDPR”

the General Data Protection Regulation (EU) 2016/679

“Main Agreement”

the relevant Channel Partner or Master Services Agreement which has been entered into by Othos Telecom and the Partner.

“Partner”

Shall mean any individual(s) or organisation(s) who are authorised to represent and/or resell company services, products or equipment to customers who purchase or rent products, services or equipment supplied by the company either directly or indirectly and individual(s) or organisation(s) who provide services to the company.

“Personal Data”

any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing”

any operation or set of operations which is performed on personal data (or on sets of personal data), whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“POPIA”

“POPI” THE PROTECTION OF PERSONAL INFORMATION ACT, ACT No. 4 OF 2013



Data Processing Terms & Conditions

Details of the compulsory items: subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and the categories of Data Subjects are set out below:

Subject matter of the Processing

The processing of personal data in connection with Othos Telecom’s delivery of managed voice services.

Duration of the Processing:

The term of the Main Agreement.

Nature and purpose of the Processing:

The collection, transmission, storage and deletion of personal data in connection with the Parties’ respective obligations under the main agreement.

Types of Personal Data:

Personal data may include, among other information, contact information (such as name, address, telephone or mobile number), unique IDs collected from mobile devices and any other data transmitted in connection with the Parties’ respective obligations under the Main Agreement.

Categories of Data Subject:

Data Subjects may include the Parties’ representatives (including employees, contractors, partners and customers), end users of Othos Telecom and its customers, and individuals attempting to communicate or transfer Personal Data to end users of Othos Telecom’s services.

When the Data Processor processes the Data Controller’s personal data in the course of undertaking its obligations under the contract, the Data Processor will:

Process the Data Controller’s personal data only in accordance with written instructions from the Data Controller, except where required to do so by law. If the Data Processor is required by law to process the Data Controller’s personal data for any other purpose, the Data Processor will inform the Data Controller of this requirement before acting, unless that law prohibits this on grounds of public interest.

1) Keep records of its processing activities

2) Take reasonable steps to ensure the reliability and competence of the Data Processor personnel who have access to the Data Controller’s Personal Data.

3) Ensure that the personnel required to process the Data Controller’s Personal Data:

a) are informed of the confidential nature of the Data Controller’s Personal Data

b) are subject to appropriate obligations of confidentiality; and

c) do not publish, disclose or divulge any of the Data Controller’s personal data to any third party, unless directed in writing to do so by the Data Controller.

4) Implement and maintain appropriate technical and organisational measures to protect the Data Controller’s personal data against unauthorised or unlawful processing; and against accidental loss, destruction, damage, theft, alteration or disclosure.

5) Only engage a sub-processor with the prior consent of the Data Controller, and a suitable written contract.

6) Assist the Data Controller in providing subject access and allowing Data Subjects to exercise their right under the POPIA. The Data Processor shall notify the Data Controller of any requests from Data Subjects without undue delay.

7) On expiry or termination of the Main Agreement, at the Data Controller’s option, either delete or return to the Data Controller all the Data Controller’s personal data (unless the Data Processor is required to retain it by law).

8) Co-operate with supervisory authorities.

9) Submit to audits and inspections during the term of the Main Agreement; and make available to the Data Controller all information necessary to ensure that they are both able to demonstrate their compliance with the obligations in this agreement.

10) Not give access to, or transfer, any of the Data Controller’s personal data to any third party (including any group companies or sub-contractors) without the prior written consent of the Data Controller.

11) Tell the controller immediately if asked to do something that infringes the POPIA.


Personal Data Breach


If the Data Processor becomes aware of any accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to any Data Controller’s personal data that the Data Processor processes when providing the Services (a Personal Data Breach), the Data Processor will:

1) Notify the Data Controller within two working days.

2) Provide the Data Controller (as soon as possible) with a detailed description of the Data Breach, the type of Data Controller’s Personal Data that was the subject of the Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information the Data Controller may reasonably request relating to the Data Breach).

3) Not release or publish any filing, communication, notice, press release, or report concerning the Data Breach without the Data Controller's prior written approval (except where required to do so by law).

Standard Contractual Clauses:

If the Information Commissioner adopts standard contractual clauses for matters pertinent to this agreement; and the Data Controller notifies the Data Processor that it wishes to incorporate any element of any such standard contractual clauses into this agreement, the Data Processor will agree to the changes as reasonably required by the Data Controller to achieve this.

International Transfers:

Personal data may only be transferred outside of South Africa in compliance with the conditions for transfer set out in the POPIA.