Meeting the data processing agreement (DPA) requirement
As many of our customers are aware, the EU’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and South Africa’s Protection of Personal Information Act (POPIA) will come into effect on 1 July 2021. Many organisations have geared up to comply with their regulatory obligations under data protection law by these dates. We have done the same. We are committed to complying with our obligations in data protection law, including in our role as a data processor (or operator as it is called in South Africa) for our customers.
What role does xneelo perform for you?
We are the data controller (or responsible party as it is called in South Africa) of your personal data when you sign up with us. We are the processor (or operator) when we store the personal data of your data subjects that you have uploaded to your hosting package on our servers.
When we provide services to you, you are the data controller for the personal data you process because you decide the purpose and means of how the personal data of your data subjects gets processed. This means that you decide how and why we process your data when we provide services to you. You are responsible or accountable for complying with data protection laws for the personal data of your data subjects.
As a processor, we merely process the personal data on your behalf, such as hosting your data on our managed hosting servers. We are a ‘low-touch’ processor, which means that xneelo has no knowledge of the actual content of data that our controllers or customers store on our hosting platform.
What are the data protection law requirements?
As the controller, data protection law (such as the GDPR in the EU or POPIA in South Africa) requires you to conclude agreements with your processors when they process the personal data of your data subjects. Some customers require their processors to sign a Data Processing Agreement (DPA) to fulfil this requirement.
At xneelo, we have taken the proactive step to update our Terms of Service in line with our requirements in data protection law. This means that you do not need to use a DPA because these requirements have been included in our Terms of Service under ‘Data Processing’ (clause 19). The clause describes the steps we take to ensure that we meet our processor obligations when we provide services to you. You can view our Terms of Service or find out more on our website’s Legal Centre.