POPIA Contract Template (Free Download)
A practical, customizable agreement you can adapt for data processing and marketing services in South Africa. Suitable for most businesses and service providers, including digital marketers and medical practices. This is a starting point only—please obtain legal advice before use.
Before You Use This Template: POPIA Was Updated in 2025
POPIA’s regulations were refreshed in 2025, tightening consent requirements for direct marketing and making it easier for people to exercise their data rights (including via WhatsApp, SMS, phone, and email). Information Officers are expected to take a more active role in ongoing compliance.
For a plain‑English overview, see this summary of the 2025 POPIA amendments.
- Explicit, recorded consent is now the bar for direct marketing—opt‑out alone isn’t enough.
- Data subject requests may be made across multiple channels; organisations should record and respond promptly.
- Information Officers must demonstrate active, evolving compliance—not box‑ticking.
Download the Template
Prefer an editable copy? Grab the Word version:
Download POPIA Contract Template (.docx)
About This POPIA Contract Template
This agreement sets out how a Service Provider (e.g., a digital marketer) may process personal information on behalf of a Business (the responsible party).
It includes clauses for consented direct marketing, handling data subject requests, security, breach notification, and retention. A short industry note is included for medical/health contexts, where special personal information is involved.
Legal disclaimer: This content is provided for informational purposes only and does not constitute legal advice. Always ask a qualified attorney to review and adapt this agreement to your needs.
POPIA Contract for Data Processing & Marketing Services
1. Parties
This Agreement is between [Business Name] (the “Responsible Party”) and [Service Provider Name] (the “Operator” or “Service Provider”).
2. Purpose
The Responsible Party engages the Service Provider to perform services that may require access to and processing of personal information (including, where applicable, special personal information such as health data) in accordance with the Protection of Personal Information Act, 2013 (“POPIA”) and applicable regulations.
3. Key Definitions
- Personal Information: Information relating to an identifiable, living person and, where applicable, an identifiable juristic person.
- Special Personal Information: Information including health data and other categories defined by POPIA.
- Processing: Any operation concerning personal information, including collection, storage, use, sharing, modification, and deletion.
- Data Subject: The individual to whom the personal information relates.
- Information Officer: The person designated by the Responsible Party under POPIA to oversee compliance.
4. Operator Obligations
- Lawful Processing & Instructions. The Service Provider will process personal information only on documented instructions from the Responsible Party and solely for the services described in this Agreement.
- Confidentiality. The Service Provider will treat personal information as confidential and ensure that personnel and approved subcontractors are bound by written confidentiality and data protection obligations.
- Security. The Service Provider will implement appropriate, reasonable technical and organisational measures to protect personal information against loss, unauthorised access, disclosure, or other risks.
- Sub‑processors. The Service Provider will not appoint a sub‑processor (e.g., email, CRM, analytics, advertising platforms) without written authorisation from the Responsible Party and will flow down obligations equivalent to those in this Agreement.
- Data Subject Requests. The Service Provider will promptly assist the Responsible Party in responding to requests (access, correction, deletion, objection, etc.) received via recognised channels (including WhatsApp, SMS, telephone, email, or in person), and will maintain records of such requests.
- Breach Notification. The Service Provider will notify the Responsible Party without undue delay after becoming aware of any actual or suspected security compromise involving personal information and will cooperate in investigation, mitigation, and notification steps required by law.
- International Transfers. The Service Provider will not transfer personal information outside South Africa unless authorised by the Responsible Party and permitted by POPIA (e.g., adequate protection, contractual safeguards, or data subject consent).
- Records & Audits. The Service Provider will maintain appropriate records to demonstrate compliance and will reasonably cooperate with audits by or on behalf of the Responsible Party on reasonable notice.
5. Direct Marketing & Consent
- Consent Standard. Direct marketing activities will only proceed where the Responsible Party has obtained explicit, recorded consent from the data subject for the relevant channel(s) (e.g., email, SMS, WhatsApp, automated calls).
- Proof & Preference Management. The Responsible Party will provide the Service Provider with the consent records and instructions necessary to honour channel‑specific permissions and opt‑outs. Both parties will retain evidence of consent and opt‑out actions.
- Content & Targeting. The Service Provider will follow the Responsible Party’s lawful instructions regarding audience selection, message content, and frequency caps, and will not use personal information for its own purposes.
6. Special Note for Medical/Health Contexts (If Applicable)
Where services involve special personal information (e.g., patient or health data), the parties will implement enhanced safeguards, ensure purpose limitation, restrict access to trained personnel, and avoid combining data for unrelated marketing or profiling without a separate lawful basis and explicit consent.
7. Retention & Deletion
Personal information processed by the Service Provider will be retained only as long as necessary to perform the services or as required by law. Upon termination or on written request, the Service Provider will securely delete or return personal information and certify completion, subject to any legal retention requirements.
8. Audit & Compliance
The Responsible Party may, on reasonable prior notice, conduct or commission audits to verify compliance with this Agreement and POPIA. The Service Provider will provide necessary information and reasonable access, subject to confidentiality and security.
9. Indemnity
Each party will indemnify the other against direct losses arising from its breach of this Agreement or violation of POPIA, to the extent permitted by law and subject to any agreed limitations of liability.
10. Governing Law
This Agreement is governed by the laws of the Republic of South Africa. The parties consent to the jurisdiction of the appropriate South African courts.
11. Term & Termination
This Agreement commences on the Effective Date and continues for the service term. Either party may terminate on written notice for material breach if not remedied within a reasonable period after notice.
12. Signatures
Responsible Party (Business): ___________________________ Date: ___________
Service Provider: ___________________________ Date: ___________
POPIA Template FAQs
Is this contract legally binding?
No. It is a template only. Have a qualified attorney review and adapt it to your situation.
Can I use this for any industry?
Yes, the core structure is broadly applicable. Add stricter controls for sectors handling special personal information (e.g., healthcare, finance).
How do I handle consent for marketing?
Obtain explicit, recorded consent per channel, store the proof, and respect opt‑out and preference changes across all systems.
What channels can people use to exercise their rights?
Requests may be made via WhatsApp, SMS, telephone, email, or in person. Keep auditable records and respond within reasonable timelines.