1.1 "Applicable Law(s)" means, as amended from time to time and to the extent it applies to a Party (including, as applicable, affiliates and sub-contractors of a Party), or the Processing and wherever occurring in any relevant jurisdiction, (a) any statute, regulation, notice, policy, directive, ruling or subordinate legislation (including treaties, multinational conventions and the like having the force of law); (b) all relevant judgments, rulings and orders handed down by any competent court situated within the Republic of South Africa; (c) the common law; (d) any applicable industry code or policy enforceable by law, and (e) any applicable direction, policy or order that is given by any regulator, competent authority or organ of state or industry body;
1.2 "Client" means the client in terms of the Main Agreement(s) to which this Agreement relates;
1.3 "Confidential Information" means any and all confidential information (whether in oral, written or electronic form) given, including technical information, other information or Personal Information imparted in confidence or disclosed by one party to the other or otherwise obtained by one party relating to the other's business, finance or technology, know-how, intellectual property, assets, strategy, products, including without limitation information relating to data processes, management, financial, marketing, technical and other arrangements or operations of any affiliate, person, firm, or organization associated with that party;
1.4 "Data Subject" means any person to which specific Personal Information relates, as contemplated in POPIA, and whose Personal Information is processed by the Service Provider in the fulfilment of their obligations in terms of the Main Agreement;
1.5 "Data" means any data, including Personal Information, irrespective of the media or form and includes: (i) all data that is in the possession of the Parties, and all data concerning or indexing such data (regardless of whether or not owned by the Parties, or generated or compiled by the Parties and (ii) all other records, data, files, input materials, reports, forms and other such items that may be received, computed, developed, used or stored by any third party or any of its employees, contractors or agents from, for or on behalf of the Parties, all of which are confidential for purposes of this Agreement;
1.6 "Main Agreement(s)" means any commercial agreement(s), including the corporate rate agreement, in terms of which the Service Provider provides the Services contemplated therein to the Client;
1.7 "Service Provider" means Innov8 Spaces (Pty) Ltd, the provider of the Services contemplated in terms of the Main Agreement;
1.8 "Personal Information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
1.9 "Processing" or "Process" means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
1.10 "POPIA" means the Protection of Personal Information Act 4 of 2013 as amended from time to time;
1.11 "Regulator" means the appropriate Information Regulator as defined under POPIA;
1.12 "Services" means the Services contemplated in terms of the Main Agreement;
1.13 "Special Personal Information" means:
1.14 "Staff" means any employee, independent contractor, agent, consultant, subcontractor or other representative of either the Client or the Service Provider; and
The Parties acknowledge that pursuant to the conclusion of any Main Agreement(s), they expressly accept the terms of this Agreement without the need for this Agreement to be independently signed by the Parties. The terms and conditions of this Agreement are to be read with the terms and conditions of any Main Agreement(s), as if specifically incorporated therein and in the event of any conflict between any provisions of the Main Agreement(s) and this Agreement, the provisions of this Agreement will prevail. As such, the Parties acknowledge that pursuant to the conclusion of any Main Agreement(s), they will have access to, and be required to Process, Data relating to one another, as well as one another's Data Subjects, including their mutual client(s). Accordingly, the Parties warrant and undertake to and in favour of one another that they shall:
2.1 Treat the Data Personal Information as strictly confidential in accordance with the provisions contained in clause 3;
2.2 Only Process the Data and Personal Information in accordance with Applicable Laws, in terms of the provisions of the Main Agreement and this Agreement;
2.3 Not disclose or otherwise make available the Data to any third party (including sub-contractors and Staff) other than authorised Staff who require access to such Data strictly in order for the Parties to comply with their contractual obligations towards one another as well as to carry out their obligations under this Agreement, as well as in terms of Applicable Laws;
2.4 Ensure that all Staff and any other persons having access to the Data are bound by appropriate and legally binding confidentiality and non-disclosure obligations in relation to the Data and especially any Personal Information forming part thereof, on substantially the same terms and conditions as set forth in clause 3;
2.5 Take appropriate, reasonable technical and organisational security measures to ensure that the integrity of the Data in their possession or under their control is secure and that such Data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access, by:
2.6 Not sell, alienate or otherwise part with the Data or any of the records housing the Data, nor shall it use the Data for any direct marketing, advertising, research or statistical purposes, unless expressly authorised to do so in terms of any other agreement between them, as well as this Agreement.
3.1. Each party undertakes in favour of the other to:
3.2. The obligations of the Parties with respect to each item of Confidential Information shall endure for an indefinite period from receipt of that item of Confidential Information. The obligations referred to in this clause 3 shall endure notwithstanding any termination of this Agreement, any other agreement entered into between the Parties or any discussions between the Parties.
3.3. In addition to the provisions of clause 4, the Client hereby indemnifies and holds the Service Provider harmless from any and all losses arising from, or in connection with, any claim or action arising from the Service Provider's breach of any obligation with respect to Confidential Information.
4.1. The Client hereby indemnifies the Service Provider in respect of all losses, claims, damages, costs, expenses, fines and penalties arising from and in connection with the Service Provider's (including its Staff) actions and/or omissions relating to this Agreement.
The Parties shall:
5.1. Notify one another in writing immediately of becoming aware of or having reasonable grounds to believe that the Data, and especially Personal Information, of a Data Subject has been accessed or acquired by an unauthorised person and take all appropriate steps to limit the compromise of Data and to restore the integrity of the affected information systems as quickly as possible;
5.2. As soon as reasonably possible thereafter, the Parties shall be required to engage with one another to discuss the security breach, to report all relevant facts relating to the compromise and to identify the steps to be taken to mitigate the extent of the compromise and loss occasioned by the compromise;
5.3. Provide one another with details of the Data affected by the compromise, including but not limited to, the identity of Data Subjects, the nature and extent of the compromise, and, where possible, details of the identity of the unauthorized person/s who are known to or who may reasonably be suspected of, having accessed or acquired the Data;
5.4. Immediately upon notifying one another as set forth in clause 5.1, each Party shall:
The Parties shall:
6.1. Assist one another to comply with any requests for access to Data and/or Personal Information received from Data Subjects and, upon request, the Parties shall promptly provide one another with a copy of any Data / Personal Information held by them in relation to a specified Data Subject;
6.2. Upon request, provide reasonable evidence of their compliance with its obligations under this Agreement;
6.3. Not Process the Data / Personal Information otherwise than in accordance with the Main Agreement, as well as this Agreement.
The Parties:
7.1. Shall only Process the Data / Personal Information of Data Subjects provided to them by one another for a specific, lawful purpose strictly in accordance with the underlying purpose of the Main Agreement concluded between the Parties;
7.2. If required to collect information from Data Subjects in the execution of their respective obligations towards one another, shall do so in a manner that does not infringe the privacy of the Data Subject, in accordance with any legislation governing the collection of Data / Personal Information from the Data Subject;
7.3. Shall, on the written instruction, assist one another in updating Data / Personal Information provided, to ensure that the Data / Personal Information remains complete, accurate and up to date.
In the event that the Parties are required to disclose or Process any Data / Personal Information required by Applicable Laws, or if the Processing of such Data / Personal Information is required to enable a public body to properly perform a public law duty to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party, is necessary for pursuing the legitimate interests of either Party, a third party to whom the information is supplied, or a Data Subject, or complies with an obligation imposed by law on either Party, they:
9.1. Unless otherwise specifically recorded in any agreement between the Client and the Service Provider, neither Party shall, not itself or via any of its subcontractors or Staff, Process Data / Personal Information provided with, nor combine or merge such Data / Personal Information with the information (whether Personal Information or not) of another party.
10.1. Either Party may, at any time on written request to the other Party, require that any Data / Personal Information shared between the Parties in terms of this Agreement, or any other agreement between the parties, be returned (or destroyed in certain circumstances) to it and may, in addition, require that the relevant Party furnish a written statement to the effect that upon such return (or destruction), it has not retained in its possession or under its control, whether directly or indirectly, any such Data / Personal Information or material.
10.2. Any request referred to in clause 10.1 above, is to be responded to, or actioned, within a reasonable time.
10.3. The Parties shall ensure that all Data / Personal Information communicated, including any digital communication or any Data / Personal Information stored in digital form shall be secured against being accessed or read by unauthorized parties, using appropriate security safeguards, having due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
11.1. In supplementation of the above provisions of this Agreement, as well as any relevant provisions of the Main Agreement(s), the Service Provider undertakes to process any and all Data (including Personal Information) in accordance with the technical and organizational measures set forth in Annexure A. The Service Provider reserves the right to amend these measures from time-to-time. Any such changes will not impact the Service Provider's compliance with applicable data protection laws and will be communicated to the Client. In such circumstances, the Client's continued use of the services contemplated in this Agreement will confirm the Client's acceptance of the relevant changes.
The Service Provider shall maintain and enforce the following key Technical and Organisational Measures ("TOMs") as outlined in this annexure:
(A) Data Privacy and Protection Measures1. Governance and Operating Model
2. Policies, processes and Guidelines
3. Data Protection by Design
The Service Provider is committed to implementing reasonable measures to support the Client's ability to comply with applicable data protection laws. As far as possible, the principles of data protection by design and by default are applied during the development and delivery of the Service Provider's services.
4. Data Landscape
5. Information Lifecycle Management
6. Data Protection Training and Awareness
The Service Provider requires all employees to complete data protection training on a regular basis. All data protection policies, processes, standards and guidelines are available to employees and communicated regularly.
7. Breach Response and Notification
8. Third Party Management
9. Monitor and Assess
The Service Provider reports on the design and operational effectiveness of its data protection activities to its senior management teams on a periodic basis.
The Service Provider is committed to ensuring that information security control is implemented and properly managed, in order to protect the confidentiality, integrity and availability of personal information processed on behalf of and under the instruction of the Client.
1. Information Security
2. Human Resources
3. Asset Management
4. Access Controls
5. Physical and Environmental Security
The Service Provider has implemented reasonable and appropriate measures to prevent unauthorised physical access, damage or interference with its information, applications, systems, databases and infrastructure.
6. Operational Security
7. System Acquisition, Development and Maintenance
8. Third Party Management
9. Information Security Incident Management
The Service Provider has policies, processes and procedures for identifying, detecting, responding, recovering and notifying appropriate stakeholders in the event of an information security incident, including personal information breaches. This includes mechanisms for performing a root cause analysis and undertaking corrective actions.
10. Business Continuity
The Service Provider has established business continuity and disaster recovery plans.
11. Compliance
Service Provider has established roles and responsibilities for identifying laws and regulations that affect the Service Provider's business operations. Responsibility for compliance with laws and regulations are established.