Online Data Processing Agreement and Privacy Policy




Service Provider, as per the definition of clause 3 of the Online Terms and Conditions of use, fulfils the role of:



Sub-processor: where the role clarification as per the Online Standard Terms and Conditions, clause 3.1 applies (Business Partner); and




Operator/Processor: where the role clarification as per the Online Standard Terms and Conditions, clause 3.2 applies (Customer).


Customer and Business Partner Roles:



Customer fulfils the role of Responsible Party/Controller.



Business Partner fulfils the role of Operator/Processor.




All capitalised terms herein will have the meanings ascribed to such terms in this clause 2 or as otherwise defined in this Agreement.


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.


“Agreement” has the meaning ascribed to it in clauses 2.1 and 2.2 of Service Provider’s Online Terms and Conditions of Use.


“Confidential Information” has the meaning ascribed to it in clause 18 of Service Provider’s Online Terms and Conditions of Use.


“Customer/Business Partner” can be used interchangeably, depending on the business relationship with Service Provider and has the meaning ascribed to it as per clause 2.5 of the Online Terms and Conditions of Use.


“Data Subject” means an individual or juristic entity which is the subject of Personal Information that may be Processed under this Agreement.


“Enhancements or Upgrades” has the meaning ascribed to it as per clause 2.7 of the Online Terms and Conditions of Use.


“Intellectual Property Rights” means:



all Intellectual Property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights and these “Intellectual Property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models and rights in designs;



applications for registration, and the right to apply for registration, for any of these rights; and



all other Intellectual Property rights and equivalent or similar forms of protection existing anywhere in the world.


“Party or Parties” means a Party or the Parties to this Agreement.


“PaySpace Application” has the meaning ascribed to it as per clause 2.9 of the Online Terms and Conditions of Use.


“Personnel” means any person employed or contracted by Service Provider and Customer/Business Partner or their approved sub-contractors, relating to the provision of the Services.


“Operator/Processor” can be used interchangeably and means a public or private body or any other person who processes Personal Information for a Responsible Party/Controller in terms of a contract or mandate, without coming under the direct authority of the Responsible Party/Controller.


“Personal Information” means all information relating to an identifiable, living natural person, including that which Service Provider (or any of its Affiliates or Personnel) processes in connection with its relationship with Customer/Business Partner (including employees of Customer/Business Partner Affiliates and where applicable of its sub-contractors).


“Process, Processed or Processing” means the collection, use, disclosure, transfer, storage, deletion, combination, regulatory submission to Government Authorities or other use of Personal Information.


“Responsible Party/Controller” can be used interchangeably and means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.


“POPI” means the minimum standard as gazetted by the Republic of South Africa and set out in the Protection of Personal Information Act 4 of 2013 (as amended).


“Service Provider” means the company that Customer/Business Partner is contracting with, based on criteria as defined in clause 2.8 of the Terms and Conditions of Use.


“Services” means the Services and deliverables, as described in clause 2.9 of the Online Terms and Conditions of Use.


“Sub-contractor” means a third-party contractor to whom the Processing of Personal Information is subcontracted or outsourced by the Service Provider in accordance with any agreements between the Parties.


“Supervisory Authority” means the Information Regulator as established in RSA, pursuant to the POPI Act.


“Territory” means any country where Service Provider processes information on behalf of the Customer/Business Partner.


“URL” has the meaning ascribed to it in clause 2.12 of Online Terms and Conditions of Use.


“User or Users” means any Customer/Business Partner and/or its Personnel and/or organisation and/or individual and/or End Users (as defined in clause 2.6 of the Online Terms and Conditions of Use), of Business Partner, that uses Service Provider’s Services.




Registration. To create an account on the PaySpace Application, Users must provide Service Provider with at least an email address and a password and agree to Service Provider’s Terms and Conditions of Use and this Agreement, which governs how Service Provider treats User’s information. Users will provide additional information during the registration flow (for example, company addresses and contacts, pay structures, journal codes, employee biographical information and salary information) to help Users build their company and employee profiles and to provide Users with Services. User understands that, by creating an account, Service Provider will be able to identify Users by their profiles on the PaySpace Application. Service Provider may also ask for User’s credit card or bank details to retrieve applicable service fees.


Customer Service. When a User contacts Service Provider’s customer support services telephonically or through Service Provider’s online Help Center, Service Provider will have to access User’s profile, company information, employee information and other contributions to Service Provider’s Services and collect the information Service Provider needs to categorize a User’s question, respond to it, and, if applicable, investigate any breach of Service Provider’s Terms and Conditions of Use and/or this Agreement. Service Provider also uses this information to track potential problems and trends and customize Service Provider’s support responses to better serve Users. Service Provider does not use this information for advertising.


Cookies. Service Provider uses cookies to store a session identifier in order to correctly serve a User its data as well as improve a User’s experience, increase security, measure use and effectiveness of Service Provider’s Services. A User can control cookies through browser settings and other tools. By visiting Service Provider’s Services, a User consents to the placement of cookies in User’s browser in accordance with this agreement.


Information About Users’ Computer and Mobile Device. When Users visit or leave Service Provider’s Services (whether as a Member or Visitor, as defined in clause 5.3 of the Online Terms and Conditions of Use) by clicking a hyperlink, Service Provider automatically receives the URL of the site from which a User came or the one to which a User is directed. Also, advertisers receive the URL of the page that a User is on when a User clicks an ad on or through Service Provider’s Services. Service Provider also receives the internet protocol (“IP”) address of a User’s computer or the proxy server that a User uses to access the web, a User’s computer operating system details, a User’s type of web browser, a User’s mobile device (including a User’s mobile device identifier provided by User’s mobile device operating system), User’s mobile operating system (if a User is accessing the PaySpace Application using a mobile device), and the name of User’s ISP or User’s mobile carrier. Service Provider may also receive location data passed to Service Provider from third-party services or GPS-enabled devices that User has set up, which Service Provider uses to show User’s relevant information.


Communications. Service Provider communicates with Users through email, notices posted on Service Provider’s websites or applications and other means available through the Services, including mobile text messages and push notifications. Examples of these communications include:



welcome and engagement communications – informing Users about how to best use Service Provider’s Services, new features, and updates about legislation;



service communications – these will cover service availability, security, and other issues about the functioning of Service Provider’s Services; and



promotional communications – these include email and may contain promotional information directly or on behalf of Service Provider’s partners. These messages will be sent to Users based on User’s profile information and messaging preferences. Users may change User’s email and contact preferences at any time by signing into User’s account and opting out of receiving emails.



Users cannot opt out of receiving service messages from Service Provider. User agrees that Service Provider may provide notices to Users in the following ways:

a banner notice on the Service; or

an email sent to an address User provided; or

through other means including mobile number, telephone, or mail. User agrees to keep User’s contact information up to date.


Testimonials and Advertisements. If User provides any testimonials about Service Provider’s goods or services or places advertisements, Service Provider may post those testimonials and examples of advertisements User placed in connection with Service Provider’s promotion of these services to third parties. Testimonials and advertisements may include User’s name and other Personal Information that User has provided.


External Links. The PaySpace Application is an information portal and contains links to other websites. These sites, however, do not fall under any control of Service Provider, and therefore Service Provider cannot be held responsible for the privacy practices or the contents of such other websites.


Rights to Access, Correct, or Delete User Information, and Closing User Account. User can change User’s information on the PaySpace Application at any time by editing User’s profile, deleting information that User has posted, or by giving Service Provider notice of termination. User has a right to:



access, modify, correct, or delete User’s Personal Information controlled by Service Provider regarding User’s profile;



change User’s information; and



close User’s account.




Customer/Business Partner hereby grants to Service Provider a non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit, and translate the Personal Information to the extent reasonably required for the performance of Service Provider’s obligations and the exercise of Service Provider’s rights under this Agreement.


Customer/Business Partner also grants to Service Provider the right to:



sub-license these rights to its hosting, connectivity, and telecommunications organisations, subject to any express restrictions elsewhere in this Agreement;



electronically submit to revenue authorities the necessary monthly, quarterly, and annual returns as may be required under the applicable law.


Customer/Business Partner warrants to Service Provider that the Personal Information when used by Service Provider in accordance with this Agreement will not infringe the Intellectual Property Rights or other legal rights of any person.


Customer/Business Partner hereby confirms that they have an appropriate lawful basis to process Personal Information including transferring same to Service Provider for purposes of Processing the payroll and other legislative related services on behalf of Customer/Business Partner.


Service Provider will comply with POPI and the Data Protection Standards of ISO 27001 in countries without data privacy legislation. If the law related to data protection in the territory conflicts and/or is more onerous than these provisions, Customer/Business Partner shall in writing advise of such conflict and the Service Provider shall revert on the feasibility, if any, to comply with the Data Protection Legislation.


Without prejudice to the obligations set out in this clause 4, the Parties acknowledge and agree that Service Provider and Customer/Business Partner will remain solely responsible for complying with their respective obligations under POPI with regards to privacy and protection of Personal Information laws governing Customer/Business Partner’s data in the Territory.




It is recorded that Service Provider has an ISO/IEC 27001:2013 certification and as such Service Provider has implemented appropriate safeguards against the unauthorized access to, and destruction, loss, or alteration of, Customer/Business Partner’s Confidential Information and Personal Information which at any time is in Service Provider’s possession or to which Service Provider may have access.


Service Provider warrants to Customer/Business Partner that it shall maintain such safeguards for so long as it has any of Customer/Business Partner’s Confidential Information and Personal Information in its possession or has access to such information.




Service Provider shall procure that each of its Sub-contractors and/or Affiliates contractually agree in writing that they will:



comply with this clause 6 and POPI;



not access, use, or process Customer/Business Partner’s data and/or Personal Information except to the extent reasonably necessary in performance of its obligations under this Agreement;



not perform any act that puts Customer/Business Partner at risk of Customer/Business Partner’s data and/or Personal Information being disclosed;



implement appropriate technical and organisational security measures to preserve the integrity of Customer/Business Partner’s data and/or Personal Information; and



prevent any unauthorised or unlawful access, accidental or unauthorised destruction, corruption, loss, alteration or disclosure or other prohibited processing of Customer/Business Partner’s data and/or Personal Information.




Service Provider shall only allow Customer/Business Partner and its auditors, regulators, and other advisers to audit the relevant records of Service Provider pertaining to this Agreement, and for that reason to have reasonable access to any of Service Provider’s premises, personnel and relevant records as may be.


Customer/Business Partner shall provide at least 30 (thirty) Business Days’ notice of its intention to conduct an audit.


Customer/Business Partner shall use its reasonable endeavours to procure that an audit is completed within 5 (five) Business Days from the date that such audit starts.


Customer/Business Partner shall bear all Service Provider’s costs and expenses incurred in respect of compliance with any audits under this Agreement.


In the event that the audit identifies substantive findings relating to misrepresentation or a material default (the default must go to the root of this Agreement) by Service Provider then Service Provider shall reimburse Customer/Business Partner for all its reasonable costs incurred in the course of, and for, that audit.


If an audit identifies that Service Provider has failed to comply with any of its obligations under this Agreement, then, without prejudice to the other rights and remedies of Customer/Business Partner, Service Provider shall take the necessary steps to comply with its obligations at no additional cost to Customer/Business Partner and Service Provider will reimburse Customer/Business Partner for its reasonable costs incurred in the audit.




Service Provider will notify the Customer/Business Partner, within a reasonable timeframe, after becoming aware of any Personal Information Breach and provide reasonable information in its possession to assist the Customer/Business Partner to meet the Customer/Business Partner’s obligations to report a Personal Information Breach as required under POPI.


Service Provider may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Service Provider.




On notice of termination of Customer/Business Partner account, Customer/Business Partner will have 30 days to download or export the data using one of many mechanisms such as reports, web services and business intelligence tools.


After the said 30-day period, Service Provider will lock all Responsible Party/Controller accounts and Customer/Business Partner will no longer have access to any of the Personal Information.


It is specifically agreed that Personal Information, after notice of termination and after the 30 days for downloading of the Personal Information has expired, will be retained for the legal basis of historical purposes and when required by Customer/Business Partner, access will be provided at 50 (fifty) percent of the last subscription fee paid by Customer/Business Partner. Such access will be available for a period of 1 (one) calendar month after which access will again be revoked.


Requests for access should be addressed to the Service Provider’s Information Officer as specified in clause 14 of this agreement.


Appropriate safeguarding measures will continue to be applied and be kept in place as if the agreement for processing of Personal Information was still in place between Customer/Business Partner and Service Provider.


Service Provider warrants that Personal Information stored for historical basis will not be used for any other purpose.


Should the Customer/Business Partner require that its Personal Information be deleted, Service Provider will have no obligation to maintain or provide Customer/Business Partner Personal Information and will delete or destroy all copies of Customer/Business Partner’s Personal Information in Service Provider’s systems or otherwise in Service Provider’s possession or control, unless legally prohibited.




If the Service Provider receives any demand for disclosure of Personal Information by law, Service Provider will promptly notify the Customer/Business Partner, in writing, of the Legal Request (unless legally prohibited from doing so).




It is specifically recorded that:



Service Provider will perform replication of Personal Information to a data center in Europe for the purposes of implementing adequate disaster recovery processes and other legitimate processing activities;



Section 72 of POPI allows the transfer of Personal Information to a Sub-processor in a foreign country in circumstances where amongst others:

the Sub-processor is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection that are substantially similar to POPI and effectively uphold the principles as set out in POPI; or

Data Subject consents to the transfer; or

the transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party/Controller or for the performance of a contract concluded in the interest of the Data Subject between the Responsible Party/Controller and a third party; or

the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject to the transfer.


The data center to be used by the Service Provider in the European Union will be subject to adequate laws that are substantially similar to POPI and effectively uphold the principles of lawful processing as set out in POPI. Accordingly, the Service Provider would comply with section 72 of POPI on the basis that the third-party recipient of the information (namely the data centre in the European Union) is subject to a law which provides an adequate level of protection. It will thus not be necessary for the Service Provider and/or the Customer/Business Partner to obtain the consent of the Data Subject to transfer the Personal Information to the data center.


Having regard to the above, the parties agree that Service Provider has taken steps to ensure compliance with its obligations as set out in POPI.




This Agreement will commence on the effective date and will continue until the termination in accordance with Service Provider’s Terms and Conditions of Use.




The Service Provider and Customer/Business Partner as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.




Service Provider contact for any issues in relation to this Agreement:



Risk Officer – Alwyn Stoman.


Any questions or comments about this Agreement can be directed to Service Provider by contacting Service Provider on +27 87 210 3000, or through Service Provider’s online support center or by email.