Data Processing Agreement

“Client” means the organisation on behalf of which a person enters into a commercial relationship with MyBento through the Commercial Terms and the acceptance of the Client Terms (together the “Main Contract”).

“Client Terms” means the Client Terms of Service available at /client-terms-of-service.

“Commercial Terms” means a document entered into between the Client and MyBento detailing the services to be provided by MyBento, the applicable fees associated with these services, and any other mutually agreed upon transaction-specific terms and conditions.

“Disclosing Party” means a Party who discloses Personal Information to a Receiving Party, or on whose behalf Personal Information has been collected by the Receiving Party, pursuant to this DPA.

“Operator” has the meaning ascribed thereto in POPIA. 

“Personal Information” has the meaning ascribed thereto in POPIA.

“POPIA” means the Protection of Personal Information Act, 4 of 2013.

“Processing” has the meaning ascribed thereto in POPIA.

“Receiving Party” means a Party who receives Personal Information from the Disclosing Party, or on whose behalf it collects Personal Information, pursuant to this DPA and such receipt of Personal Information renders that Party an Operator. 

“Relevant Laws” means POPIA and other applicable data protection laws.

“Representative” means an officer, director or employee of the Receiving Party.

“Third Party Operator” means a third party who is an Operator of the Receiving Party.

This DPA applies from the date the Main Contract has come into effect, and for so long as the services as contemplated in the Main Contract are rendered.

To the extent that the Receiving Party processes Personal Information, it warrants that -   

• it shall process such Personal Information only on the written instruction of the Disclosing Party, in accordance with this DPA or as required by Relevant Laws and as necessary to perform its obligations under the Main Contract and for no other purpose; 
• it shall not create or maintain data which are derivatives of such Personal Information, except for the purpose of performing its obligations under the Main Contract and as authorised by the Disclosing Party in writing; 
• it shall, at any and all times during which it is Processing such Personal Information – 
  • comply with POPIA, and not, by act or omission, place the Disclosing Party in violation of any Relevant Laws regulating privacy or security; 
  • implement and maintain appropriate and reasonable technical and organisational security measures to protect the security of such Personal Information, including security measures applicable to the storage and transmission of such Personal Information, and to prevent a data security breach, including, without limitation, a breach resulting from or arising out of the Receiving Party’s internal use, Processing or other transmission of such Personal Information, whether between or among the Receiving Party’s Representatives or any Third Party Operator. Appropriate, reasonable technical and organisational measures are subject to technological progress over time but may include data encryption and pseudonymisation;
  • maintain reasonable measures to identify all reasonably foreseeable internal and external risks to the Disclosing Party’s data in its possession, establish and maintain appropriate safeguards against the risks identified, regularly verify that the safeguards are effectively implemented and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. In doing so, the Receiving Party will have due regard to generally accepted information security practices and procedures which may apply to it or be required in terms of specific industry or professional rules and regulations;    
  • assign an employee who will be responsible for implementing and maintaining the technical and organisational security measures required in terms of this DPA and, upon the Disclosing Party’s request, provide evidence that it has established and maintains such technical and organisational security measures governing the Processing of such Personal Information; 
  • safely secure all such Personal Information when processing such Personal Information on a laptop or other portable device (including memory sticks, USB flash drives, or other storage medium devices); 
• it shall notify the Disclosing Party immediately and without undue delay where there are reasonable grounds to believe that there has been any data security breach in respect of such Personal Information and, at the Receiving Party’s cost and expense, assist and cooperate with the Disclosing Party concerning any disclosures to affected parties and other remedial measures as requested by the Disclosing Party or required under applicable law; 
• it shall not permit any Representative or Third Party Operator to process such Personal Information, unless such Processing is in compliance with this DPA and is necessary in order to carry out the Receiving Party’s obligations under this DPA;  
• it shall not disclose such Personal Information to any third party (including, without limitation, Associated Companies and Subsidiaries and Third Party Operators) unless –
  • the disclosure is necessary in order to carry out the Receiving Party’s obligations under this DPA and the Main Contract;  
  • such third party is bound by the same provisions and obligations as those set out in this DPA;  
  • the Receiving Party has received the Disclosing Party’s prior written consent; and  
  • the Receiving Party remains responsible for any breach by such third party of the obligations set out in this DPA and the Main Contract to the same extent as if the Receiving Party caused such breach;  
• it shall establish policies and procedures to provide all reasonable and prompt assistance to the Disclosing Party in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any such Personal Information; 

• it shall provide security awareness and/or training to its Representatives and any other third parties who process Personal Information on its behalf to promote continual security education related to user security responsibilities for protecting Personal Information received from the Disclosing Party. Where appropriate, training must include secure application development training to ensure that the Receiving Party’s developers are programming according to secure coding techniques and principles;  
• it shall immediately cease processing any Personal Information and shall return, delete, or destroy (at the Disclosing Party’s election), or cause or arrange for the return, deletion, or destruction of, all such Personal Information, including all originals and copies of such Personal Information in any medium and any materials derived from or incorporating such Personal Information, upon the expiration or earlier termination of the Main Contract or otherwise on the instruction of the Disclosing Party, but in no event later than 30 (thirty) days from the date of such expiration, earlier termination or instruction; 
• it and all of its Representatives shall adhere to the requirements and security safeguards set out in POPIA; 
• it shall designate adequate resources to assist with the compliance and implementation of the obligations imposed on the Parties in terms of POPIA and will implement the necessary controls to ensure appropriate data protection and governance of such Personal Information.  The Receiving Party will provide the Disclosing Party, on its request, with evidence of the implementation of such controls; 
• it shall conduct periodical internal and external reviews to measure the adequacy of the implemented controls on infrastructure and platforms that are used to process such Personal Information; 
• it shall not use such Personal Information for any purpose that is inconsistent with POPIA on or before the time of collection of that Personal Information;  
• it shall employ prudent and effective business continuity and disaster recovery facilities and procedures for the purposes of protecting all such Personal Information;  
• it shall not transfer such Personal Information outside of South Africa unless the recipient of the Personal Information is subject to a law, binding corporate rules or binding agreement, which provide an adequate level of protection for the Personal Information, as determined with reference to POPIA; and 
• It shall only be required to retain or retain Personal Information for as long as it is necessary to achieve the purpose for which it was received, following which, it may and shall at regular intervals delete or anonymise such Personal Information.

As at the date this DPA has become effective, the sub-processors currently engaged by the Receiving Party to process Personal Information are set out in Annexure A. The Receiving Party may update Annexure A from time to time to reflect current sub-processors. The Receiving Party shall maintain an up-to-date version of Annexure A, which shall be made available to the Disclosing Party upon request.

The provisions of this DPA shall take priority over the Main Contract in relation to Processing of Personal Information and serve as a supplement to it, if not otherwise regulated in this DPA.