DPA & Territory Terms — South Africa
This Annexure forms part of the Services Agreement and applies where the Territory is South Africa. Capitalised terms have the meanings given in the Services Agreement and the Global Data Processing Agreement (Global DPA).
This Annexure supplements (and does not replace) the Services Agreement and the Global DPA. In the event of any inconsistency, data-protection matters are governed by the Global DPA, and all other matters are governed by the Services Agreement.
Part A — Consumer Protection Compliance
| Topic | Territory Specific Terms | Relevant Clauses in Services Agreement amended as set out herein |
|---|---|---|
| Application of CPA | The Consumer Protection Act, 2008 ("CPA") applies where the Customer qualifies as a "Consumer" under the CPA, including: (a) a natural person; or (b) a juristic person with an annual turnover or asset value below ZAR 2,000,000. | Mandatory law overlay — no specific clause amended. |
| Termination of Fixed Term Agreements (Customer is a natural person) | Where the Customer is a natural person, the Customer may cancel the Terms at any time, on 20 (twenty) business days' written notice, subject to a reasonable cancellation charge. RollCall shall provide the Customer with renewal notices and information required under section 14 of the CPA. | Clause 15 — Termination / Clause 4 — Term (renewals) |
| Importation, Certification and Compliance | Where Hardware is supplied in South Africa, the parties will ensure compliance with applicable importation and regulatory requirements. Allocation of importer responsibilities will be set out in the applicable Services Schedule. | Clause 6 — Hardware / Services Schedule |
| Quality and Statutory Warranties (Hardware) | Where Hardware is supplied to a Customer who qualifies as a Consumer under the CPA, statutory rights under sections 55 and 56 of the CPA apply. | Clause 11 — Warranties and Disclaimers / Clause 12 — Liability |
Part B — POPIA Data Processing Terms
1. Introduction
The Parties acknowledge that the Protection of Personal Information Act (Act No. 4 of 2013), as amended from time to time ("POPIA") applies to the processing of Personal Data relating to Data Subjects in South Africa.
2. Definitions
In this Part B, the following terms have the meanings set out below:
- "Operator" means RollCall, in its capacity as the party processing Personal Data on behalf of the Responsible Party.
- "Responsible Party" means the Customer, in its capacity as the party determining the purpose and means of processing Personal Data.
- "POPIA" means the Protection of Personal Information Act (Act No. 4 of 2013), as amended from time to time.
- "Sub-Operator" means another operator engaged by the Operator to process Personal Data on behalf of the Responsible Party.
3. Roles of Parties
In the Global DPA, reference to "Controller" is replaced with "Responsible Party" and reference to "Processor" is replaced with "Operator". The Customer acts as the Responsible Party and RollCall acts as the Operator.
4. Information of Children
Per section 35 of POPIA, where the Customer processes Personal Data of a child, the Customer shall ensure consent from a competent person or applicable statutory justification is obtained. The Operator provides technical and organisational measures to support the processing of such data but does not determine the lawfulness of processing.
5. Processing of Personal Data
The Responsible Party solely determines the purposes and manner of processing. The Operator processes Personal Data solely on behalf of the Responsible Party and in accordance with the Responsible Party's documented instructions.
6. Processing via Hardware
The Customer is responsible for the physical security and access control of any Hardware used in connection with the services. RollCall applies appropriate technical and organisational measures as described in the Global DPA.
7. Information Officer
Each party shall designate an Information Officer (or Deputy Information Officer) as required under POPIA. Contact details for both parties' Information Officers shall be exchanged in writing. Each party shall inform the other of any changes to their Information Officer contact details without undue delay.
8. Sub-Operators
The engagement of Sub-Operators is governed by clause 6.1 of the Global DPA. The Operator shall ensure that any Sub-Operator engaged to process Personal Data on behalf of the Responsible Party is bound by obligations no less protective than those set out in this Annexure and the Global DPA.
9. Cross-Border Transfers
Cross-border transfers of Personal Data are governed by section 72 of POPIA and the provisions of the Global DPA. Data is processed in the locations described in the Global DPA. The Operator will make information regarding the locations of processing available to the Responsible Party upon reasonable request.