POPIA and Cloud Storage: What South African Businesses Must Know
Using cloud storage or cloud backup to process personal information triggers specific POPIA obligations. Here's what the Act requires, what to check in your provider agreements, and how to stay compliant.
Most South African businesses use cloud services to store, process, or transmit personal information — whether they think about it in those terms or not. Microsoft 365 holds employee emails and customer correspondence. Google Drive stores project files containing client data. A cloud backup service holds copies of your entire business dataset, including every personal information record in your systems.
Each of these arrangements triggers specific obligations under POPIA that many organisations have not considered. The fact that the data is stored by a third party does not transfer your compliance responsibility — it adds obligations on top of it.
The Responsible Party Remains Responsible
The foundational principle is straightforward: under POPIA, the responsible party — the organisation that determines why and how personal information is processed — remains legally responsible for that information regardless of where it is stored or who processes it on their behalf.
When you use a cloud provider to store personal information, you are engaging an operator (POPIA's term for a third party that processes personal information on behalf of the responsible party). The operator processes the data under your instruction, for your purposes. You remain the responsible party. You remain accountable.
This means that if a cloud provider suffers a breach that exposes your customers' personal information, POPIA's breach notification obligations apply to you — not just to the provider. You must notify the Information Regulator and affected data subjects. The fact that the breach occurred at the provider's infrastructure is relevant context, but it does not discharge your notification obligation.
The Operator Agreement Requirement
POPIA Section 21 requires responsible parties to enter into a written agreement with any operator that processes personal information on their behalf. This agreement must ensure that the operator:
- Processes personal information only with the knowledge and authorisation of the responsible party
- Treats personal information as confidential
- Does not disclose personal information without authorisation
- Implements appropriate security measures to protect personal information
- Notifies the responsible party immediately if there are reasonable grounds to believe personal information has been compromised
Many organisations use cloud services under standard consumer or small-business terms of service that do not contain these provisions. A free Google Workspace tier, a consumer-grade cloud storage account, or a SaaS tool procured by a department without IT review may have no data processing agreement at all.
What you need to do: Review your cloud service providers and confirm that a data processing agreement (DPA) is in place for any service that processes personal information. Most major cloud providers (Microsoft, Google, AWS, Druva, and others) offer DPAs as part of their enterprise or business terms — but you typically need to opt in, request them, or sign them separately. They are not automatically included in standard subscription agreements.
Cross-Border Data Transfer Restrictions
POPIA Section 72 restricts the transfer of personal information to third countries — countries other than South Africa — unless certain conditions are met. For cloud services whose data centres are located outside South Africa, this provision is directly relevant.
The conditions under which cross-border transfer is permitted include:
- The recipient country has laws substantially similar to POPIA that provide adequate protection (the Information Regulator has not yet published a list of adequate countries)
- The data subject consents to the transfer
- The transfer is necessary for the performance of a contract between the responsible party and the data subject
- The transfer is necessary for the conclusion of a contract between the responsible party and a third party in the interests of the data subject
- The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent, and the data subject would likely give consent if asked
- The responsible party has entered into a binding agreement with the recipient that imposes the same privacy standards as POPIA (essentially, contractual transfer mechanisms equivalent to GDPR's Standard Contractual Clauses)
In practice, for most South African businesses using international cloud providers, the most reliable mechanism is the last one: a data processing agreement that includes binding contractual protections for personal information equivalent to POPIA's requirements.
What this means for your cloud backup: If your cloud backup provider stores data in data centres outside South Africa — which many do, including US and European facilities — you need a DPA that includes cross-border transfer provisions. Most enterprise-tier cloud backup providers offer this. Confirm it is in place.
What to Check in Your Cloud Provider Agreements
When reviewing cloud provider agreements against POPIA's operator requirements, check for these specific provisions:
Processing limitation: The agreement should specify that the provider processes your data only for the purposes you have specified, and not for their own commercial purposes (such as training AI models, advertising targeting, or analytics sold to third parties).
Confidentiality: Provider staff with access to your data should be subject to confidentiality obligations.
Security measures: The agreement should specify what technical and organisational security measures the provider implements, or should require the provider to maintain measures at least equivalent to your own POPIA security obligations.
Subprocessors: If the provider uses subprocessors (other third parties to process your data), the agreement should require notification of any changes to subprocessors and should ensure subprocessors are bound by equivalent obligations.
Breach notification: The agreement should require the provider to notify you promptly (typically within 24–72 hours) of any security incident affecting your data.
Data return and deletion: On termination of the agreement, the provider should be required to return or destroy your data, and to confirm in writing that destruction has occurred.
Audit rights: You should have the right to audit, or to receive audit reports, confirming the provider's compliance with the agreement's security requirements.
Practical Steps for POPIA-Compliant Cloud Use
Step 1: Inventory your cloud services. Identify every cloud service used by your organisation that processes personal information. Include services procured by individual departments outside of IT oversight — CRM tools, project management platforms, HR systems, email marketing tools.
Step 2: Confirm DPAs are in place. For each service, confirm that a data processing agreement has been signed. Most major providers have DPAs available; request or activate them where they are not already in place.
Step 3: Identify where your data is stored. For each service, confirm the primary data centre location. For services storing data outside South Africa, confirm that the DPA includes cross-border transfer provisions adequate under POPIA.
Step 4: Review processing limitations. Confirm that providers are not using your data for purposes beyond the services you have contracted for. This is particularly relevant for AI-enhanced services and consumer-grade tools that may include personal-data use provisions in their standard terms.
Step 5: Establish a breach notification chain. Confirm that your agreements require providers to notify you of breaches promptly, and that your internal procedure routes those notifications to your Information Officer for POPIA assessment.
How Montana's Solutions Address These Requirements
Montana Data Company deploys cloud backup solutions — primarily Druva — that include enterprise-grade data processing agreements meeting POPIA's operator requirements. Druva's agreements include processing limitation, confidentiality, security measure specifications, subprocessor notification, breach notification obligations, and data return provisions.
For South African businesses, Druva offers South African data residency options that eliminate cross-border transfer complexity. Where data is stored in non-SA facilities, Druva's DPA includes contractual transfer protections.
This means that when you deploy backup through Montana, the POPIA operator compliance layer is already addressed. The DPA is available, the security measures are documented, and the breach notification chain is in place. You can demonstrate to the Information Regulator, to auditors, and to clients that your cloud backup arrangements satisfy POPIA's operator requirements.