Facebook no script
AutoTrader Logo

Data Processing Agreement

The terms between a responsible party and their operator to fulfil the responsible party’s obligation to enter into a contract with the operator and vice versa.

1. Introduction

These are the terms between:

  • responsible party – someone who uses AutoTrader’s services to: (i) manage their inventory of vehicles and advertise them for sale; (ii) follow up on leads from prospective buyers generated through the platform; (iii) follow up on seller leads generated through the platform; or (iv) carry out other related functions, such as downloading reports;
  • operator – Homefind24 (Pty) Ltd (Registration number: 2008/019235/07), also known as AutoTrader;

2. Purpose

These terms add supplementary requirements to the responsible party’s Advertising Agreement with the operator and clarify the relationship between the responsible party and the operator in terms of applicable data protection laws. The operator would like to enter into a written agreement with the responsible party in the form of these terms to:

  • manage their relationship;
  • facilitate a productive working dynamic;
  • clearly define their respective rights and responsibilities;
  • avoid misunderstandings or disputes; and
  • ensure a mutually beneficial relationship;

when it comes to compliance with relevant data protection laws and responsibility for that compliance.

3. Commencement, changes and duration

3.1. Commencement. These terms will come into effect whenever the responsible party accepts them by visiting this web page. The responsible party is deemed to have accepted them by the operator making this web page accessible to them, whether or not they actually access this web page, to the extent that applicable law allows.
3.2. Changes. The operator may change these terms at any time by updating this web page. The operator will notify the responsible party of any changes by sending the responsible party an email detailing the changes indicating the date of the update.
3.3. Duration. The operator will process personal information until the Advertising Agreement expires or terminates, unless:
  • the responsible party instructs them to do otherwise prior to the expiry or termination of the Advertising Agreement; or
  • they or their sub-operator (as the case may be) returns or destroys the personal information (at the responsible party’s choice).

4. Definitions, parties, subscription agreement and interpretation

4.1. Definitions. In these terms:

applicable data protection laws means relevant data protection laws, including the South African Protection of Personal Information Act 4 of 2013 (POPIA) together with any:

  • national implementing laws; and
  • other related laws agreed between the parties in writing;

appropriate technical and organisational measures means regarding a given goal, the technical and organisational efforts that a reasonable person in the operator’s position would use to achieve that goal as quickly, effectively, and efficiently as possible;

personal information means any information about a living human being or existing organisation (as applicable data protection laws require), provided that someone is capable of identifying them from that information;

personnel means any:

  • director, employee, or other person who works (permanently or temporarily) under either party’s supervision; or
  • person who renders services to either party for the purpose of their obligations under these terms as their agent, consultant, contractor, or other representative; and

processing means doing anything with personal information, including gathering it, disclosing it, or combining it with other information.

4.2. Role players. In these terms:

responsible party means the person who determines the purpose (’why’) and means (’how’) of processing the personal information alone or in conjunction with others, although it is more important that they determine why to process the personal information than how, and those related to it;

operator means the person who:

  • processes personal information on the responsible party’s behalf in terms of a contract; and
  • enters into these terms with the responsible party; and

those related to them.

4.3 Advertising Agreement meaning. In these terms, Advertising Agreement means the agreement between the responsible party and the operator in terms of which the responsible party subscribes to the operator’s services in exchange for subscription fees and the operator processes personal information on the responsible party’s behalf.
4.4. Advertising Agreement terms. The Advertising Agreement’s terms remain in full force and effect except as modified in these terms.
4.5. Responsible party’s documented instructions. In these terms, the responsible party’s documented instructions means the Advertising Agreement, its Addendums and any other relevant written agreements between the parties, unless the parties agree otherwise in writing.
4.6. Undefined terms. Any terms not otherwise defined in these terms have the meaning the Advertising Agreement gives to them.
4.7. Data protection law terms. Terms used in these terms that have meanings ascribed to them in applicable data protection laws, including ‘data subject’, ‘processing’, ‘personal information’, ‘responsible party’ and ‘operator’, carry the meanings set out under those laws to the extent that this Advertising Agreement does not define them.
4.8. Terms prevail. These terms’ provisions will prevail in the event of a conflict between any of the Advertising Agreement’s provisions and these terms’ provisions.

5. Application

These terms apply when the operator is processing personal information on the responsible party’s behalf for specific activities subject to applicable data protection laws to achieve the responsible party’s purposes. They do not apply to any of the operator’s:

  • processing on the responsible party’s behalf in terms of any other activity not set out in the Advertising Agreement between the responsible party and the operator; or
  • other processing, such as on the operator’s own behalf.

6. Requirements

6.1. Measure guarantees. The operator guarantees that they will implement appropriate technical and organisational measures to:
  • meet applicable data protection laws’ requirements; and
  • protect the data subject’s rights.
6.2. Required details. The parties agree on the following details related to the processing:
  • The processing’s subject-matter, to include the personal information belonging to the data subjects involved in the activities described under the definition of ‘responsible party’ above;
  • the processing’s duration, being the time needed for the operator to perform their obligations under the Advertising Agreement;
  • the method of processing, to include all processing the operator performs following the responsible party’s instructions and that are necessary to deliver the services to the responsible party and for the agreed purposes;
  • the processing’s purpose, to include for the operator to provide the services to the responsible party;
  • the personal information type, being generic personal information and sensitive personal information, under certain circumstances; and
  • the data subject categories, to include prospects or leads, customer or clients and employees or contractors.
6.3. Purpose pursuit. The parties have entered into an Advertising Agreement for the purposes set out in that agreement or otherwise agreed between the parties in writing and the operator may choose the means they consider necessary to pursue those purposes in their own discretion, provided that their choices are compatible with:
  • the requirements of these terms; and
  • particularly the responsible party’s written instructions.

7. Responsible party and operator

7.1. Determination by responsible party. The responsible party will determine the scope, purposes and manner by which the operator may access or process the personal information, to the extent that the Advertising Agreement does not adequately describe the operator’s data processing activities.
7.2. Processing instructions. The operator may only process the personal information:
  • on the responsible party’s documented instructions;
  • to the extent that providing the services related to the processing activities requires them to.
7.3. Infringing instructions notification. The operator will immediately tell the responsible party if they believe that any instruction infringes applicable data protection laws, provided that this:
  • is not an obligation to monitor or interpret the laws that apply to the responsible party; and
  • does not constitute legal advice to the responsible party.
7.4. Responsible party’s warranties. The responsible party warrants that:
  • they will only use the personal information obtained through their processing relationship with the operator for the purposes agreed between the parties in writing, including following up on enquiries regarding vehicles and seller leads;
  • they will not process the personal information obtained from the operator for direct electronic marketing activities;
  • they have all necessary rights to provide the personal information to the operator for the processing to be performed in relation to the services related to the processing activities; and
  • one or more lawful grounds set out in applicable data protection laws support the lawfulness of the processing.
7.5. Responsible party’s responsibilities. The responsible party is responsible for making sure that certain designated personnel within their organisation:
  • provide all necessary privacy notices to data subjects;
  • obtain any necessary data subject consent to the processing;
  • maintain a record of such consent;
  • communicate the fact that a data subject has revoked consent to the operator where a data subject does so;

to the extent that applicable data protection laws require.

8. Data sharing

8.1. Responsibility for secure data transfer. Each party is responsible for the secure transfer of any data they share with the other party.
8.2. Technical and organizational safeguards for secure data transfer. Each party must take appropriate technical and organisational measures to make sure that they transfer data securely to the other party.

Technical measures may include the use of:

  • a virtual private network (VPN);
  • secure file transfer protocol (SFTP);
  • a web portal or an application with an encrypted connection; or
  • any other means that will sufficiently secure the data stream from any incident that may compromise the integrity of the data concerned.

Organisational measures may include any methods that make sure personnel implement these technical measures, such as:

  • written policies;
  • documented procedures; and
  • necessary training.

9. Confidentiality

The operator must make sure that their personnel are authorised to process the personal information and have committed themselves to confidentiality, such as by:

  • signing an appropriate confidentiality agreement; or
  • being otherwise bound to a duty of confidentiality;

or are under an appropriate statutory obligation of confidentiality.

10. Security

10.1. Data security. The responsible party and the operator will implement appropriate technical and organisational security measures to make sure that the level of security is appropriate to the risks to the personal information in terms of applicable data protection laws, taking into account the:
  • state of the art (being the most recent level of development of technology of security measures at that particular time);
  • implementation costs;
  • processing nature, scope, context and purposes; and
  • varying risks to people’s rights and freedoms in terms of likelihood and severity.
10.2. Agreed security measures. The operator will develop (or has already developed) and continue to develop an information security program to:
  • help the responsible party secure personal information against data breaches, leaks or other incidents where an unauthorised party could gain access to it;
  • identify risks to the security of the operator’s equipment, premises, systems, networks and other means of processing personal information; and
  • minimise security risks, including through risk assessments and regular testing.

The operator will designate personnel to coordinate and be accountable for the information security program and the program will include at least the physical, technical, operational and administrative controls described below.

10.3. Physical controls. Physical controls are measures that you can see or touch which protect data on equipment and premises from unauthorised physical interaction and include:
  • physical access measures, such as locking filing cabinets or office doors and physical access controls (such as key cards, biometrics, or other identification methods to ensure that personnel have the correct access);
  • physical monitoring measures, such as video surveillance (including CCTV systems) and security personnel (including security guards);
  • hard copy records management measures, such as shredding paper records and enforcing a clean desk policy (where appropriate);
  • any other measures that physically limit or prevent access to data, be it on IT equipment, systems or infrastructure or in hard copy records.
10.4. Technical controls. Technical controls are electronic and digital measures which protect data on systems and networks from unauthorised electronic interaction and include:
  • data security measures, such as file encryption and password protection, unstructured data discovery and export control and data classification;
  • equipment and systems security measures, such as device and removable storage media encryption and user access management;
  • networking and communications security measures, such as firewalls, end-to-end encryption, digital access control, penetration testing and endpoint protection;
  • software security measures, such as having antivirus software and keeping software up to date; and
  • other measures related to hardware or software that is supposed to protect systems and resources.

Technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

10.5. Operational controls. Operational controls are measures that relate to routine functions and operations which protect personal information from operational risks and include:
  • operational awareness measures, such as fostering a culture of data protection through an employee awareness campaign;
  • training measures, such as providing in-house and external personnel training to operationalise policies (particularly to people in data protection roles);
  • procedures, such as employee on-boarding and exit and security procedures; and
  • other measures that involve the ordinary members of the organisation.
10.6. Administrative controls. Administrative controls are measures that originate from key decision makers or formal structures which protect personal information from business risks and include:
  • administrative awareness measures, such as director awareness and impressing management responsibility;
  • security planning measures, such as planning around data protection, business continuity arrangements and considering acceptable standards;
  • security documentation measures, such as drafting and updating privacy, and incident response;
  • security assurances, such as maintaining cyber insurance, doing due diligence of prospective employees or subcontractors and implementing audit controls (where appropriate); and
  • other measures that involve decisions by the leadership of the organisation.
10.7. Continued review. The operator will continually review the:
  • security of their equipment, premises, systems, networks and other means of processing personal information; and
  • adequacy of their information security program;

against industry security standards and their policies and procedures to determine whether they require additional or different security measures to respond to new or emerging security risks.

10.8. Security policies. The responsible party and the operator will each maintain and fully implement written security policies that apply to personal information processing.

11. Data transfers

11.1. Transferring instructions. The operator may only transfer personal information to a third country or international organisation on the responsible party’s documented instructions, unless required to do so by applicable law. The operator must tell the responsible party about the legal requirement before processing the personal information, unless the law prohibits them from doing so in the public interest.
11.2. Statutory mechanism cooperation. The parties agree to cooperate in good faith if they are relying on a specific statutory mechanism to standardize international data transfers and:
  • the relevant authority subsequently modifies or revokes that mechanism; or
  • a court of competent jurisdiction holds it to be invalid;

by:

  • promptly suspending that transfer; or
  • pursuing a suitable alternate mechanism that can lawfully support the transfer.

12. Information obligations and incident management

12.1. Operator incident notification. The operator must notify the responsible party after becoming aware of a personal information incident without undue delay, provided that the incident has a material impact on personal information processing that is the subject of the Advertising Agreement.
12.2. Incident scope. A personal information incident means:
  • a complaint or a request regarding the exercise of a data subject’s rights under applicable data protection laws;
  • an investigation into or personal information seizure by government officials, or a specific indication that such an investigation or seizure is imminent;
  • any unauthorized, accidental or otherwise unlawful personal information processing;
  • any breach of security or confidentiality in terms of these terms leading to confirmed or possible risks to the personal information; or
  • where implementing an instruction received from the responsible party would violate applicable laws to which the responsible party or the operator are subject, in the opinion of the operator.
12.3. Incident notification requirements. The operator will address any incident notifications to the responsible party’s relevant contact point and should contain the following information to assist the responsible party in fulfilling its obligations under applicable data protection laws:
  • a description of the nature of the incident, including where possible the categories and approximate number of data subjects and personal information records concerned;
  • the name and contact details of the operator’s information officer or another contact point where the responsible party can obtain more information; and
  • a description of the likely consequences of the incident.

13. Contracting with sub-operators

13.1. Sub-operator definition. In these terms, sub-operator means any downstream operator that the operator engages to process personal information in accordance with the Advertising Agreement and these terms, as those documents permit.
13.2. Downstream operator authorisation. The operator must respect the conditions for downstream operator authorisation in terms of applicable data protection laws.
13.3. Downstream contract. The operator must enter into a contract or other written agreement with any sub-operator to govern processing by a sub-operator.
13.4. Downstream operator restriction. The operator may not subcontract any of their services related to the processing activities consisting of the processing of the personal information or assign their obligations to another operator without the responsible party’s:
  • general written authorisation (provided that the operator tells the responsible party the details of any operator that they intend to subcontract or assign their obligations to and gives the responsible party an opportunity to object); or
  • prior specific authorisation.
13.5. Sub-operator changes. The operator will inform the responsible party of any addition or replacement of sub-operators and give the responsible party an opportunity to object to such changes, provided that the parties will make a good-faith effort to resolve the responsible party’s objection if the responsible party timeously sends the operator a written objection notice, setting forth a reasonable basis for objection.
13.6. Operator remains responsible. The operator remains fully responsible to the responsible party for any sub-operator’s failure to perform their data protection obligations, to the extent that applicable data protection laws require.
13.7. Operator’s sub-operator obligations. The operator will:
  • make sure that the sub-operator is bound by data protection obligations compatible with those of the operator under these terms; and
  • impose on its sub-operators the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable data protection laws.
13.8. Responsible party’s verification right. The responsible party may make sure that the operator has complied with its obligations that the responsible party has imposed on them in conformity with this agreement.

14. Return or destruction of personal information

14.1. Deletion or return obligations. The operator must:
  • delete or return all the personal information to the responsible party, at the responsible party’s choice; and
  • delete all existing copies unless the law requires them to continue to store those copies;

when:

  • the operator has finished providing the responsible party with the services related to the processing;
  • these terms terminate;
  • the responsible party requests the operator to do so in writing; or
  • the operator has otherwise fulfilled all purposes agreed in the context of the services related to the processing activities where the responsible party does not require them to do any further processing.

15. Assistance to responsible party

15.1. Help responsible party respond. The operator must help the responsible party with appropriate technical and organisational measures to fulfil their obligation to respond to requests by data subjects exercising their rights, provided that:
  • the operator will assist the responsible party with appropriate technical and organisational measures insofar as possible to respond to requests by data subjects exercising their rights; and
  • the responsible party will be responsible for reasonable costs the operator incurs in providing this assistance.
15.2. Other help to responsible party. The operator must help the responsible party with:
  • their obligations regarding security of processing; and
  • their prior consultation obligations in terms of applicable data protection laws;

considering the nature of the processing and the information available to the operator.

15.3. Make compliance information available. The operator must make all information necessary to show compliance with the legal rules that apply to operators available to the responsible party on request.

16. Liability and indemnity

Each party indemnifies the other and holds them harmless against all claims, actions, third-party claims, losses, damages and expenses that the other party incurs arising out of a breach of these terms or applicable data protection laws by the indemnifying party, provided that:

  • each party provides the other with a notice of the claim promptly after receiving it;
  • the indemnified party gives the indemnifying party the right to control the defense;
  • the indemnified party will provide the indemnifying party with reasonable assistance as necessary; and
  • the indemnified party will avoid admission of liability.

17. General

17.1. Governing law. These terms are governed by the laws of the country specified in the relevant provisions of the Advertising Agreement.
17.2. Dispute resolution. Any disputes arising from or in connection with these terms will be brought exclusively before the competent court of the jurisdiction specified in the relevant provisions of the Advertising Agreement.

PLEASE REFER TO SECTION 3.1 FOR MORE INFORMATION REGARDING THE ACCEPTANCE OF THIS AGREEMENT.