S.A. Red Cross AMS
AMS Vendor Assessment Form
Section A: VENDOR INFORMATION
Company Banking Details: IMPORTANT - Please attach a confirmation letter from your bank
Section B: VENDOR B-BBEE COMPLIANCE SCORING
IMPORTANT, Please provide a copy of the company B-BBEE certificate or sworn affidavit if you are B-BBEE compliant
Section D: VERIFICATION OF INFORMATION
I hereby verify that the contents of this document are valid at the date of signature and I have attached all relevant copies of supporting documentation. Furthermore, pursuant to the completion of Addendum: Data Operator Agreement, I verify that sufficient POPIA controls are in place to govern any AMS data received.
Supplier / Sub-Contractor
South African Red Cross Air Mercy Service
AMS Registration Number:
VAT Registration Number (if applicable):
General Aviation Area
Cape Town International Airport
Name of Information Officer:
Email Address of Information Officer:
(hereinafter referred to as ‘the AMS’)
(Hereinafter referred to as the “Operator”)
- The Protection of Personal Information Act, 4 of 2013 (POPIA) is a data protection privacy law which as its main function and objective, regulates and controls the processing of Personal Information by a Responsible Party.
- The Organisation, for the purposes of carrying out its business and related objectives, does and will from time to time, processes Personal Information belonging to several
persons, including legal entities and individuals, who are referred to as Data Subjects under POPIA.
- the Organisation is obligated to comply with POPIA, and the Data Protection conditions housed under POPIA with respect to the processing of all and any Personal Information
pertaining to all and any Data Subjects.
- In order for the Organisation to pursue its mandate and its related operational and business interests, the Organisation may from time-to-time request third parties to process certain Personal Information on its behalf, which Personal Information it has obtained from its Data Subjects.
- In terms of section 20 of POPIA, if the Organisation discloses Personal Information which it has collected from Data Subjects to another for the purpose of processing or further processing such Personal Information on its behalf, (hereinafter referred to as “the Operator”) then any such processing must be subject to a written agreement concluded between the Organisation and the Operator, which contractually obliges the Operator to:
- comply with the provisions of POPIA and the POPIA processing conditions when processing such Personal Information on behalf of the Organisation.
- only process the Personal Information received from the Organisation in accordance with the mandate or written instruction received from the Organisation.
- keep all the Personal Information held by the Operator on behalf of the Organisation and / or belonging to the Organisation Data Subjects, confidential.
- put measures in place to keep all such Personal Information held by the Operator, and processed on behalf of the Organisation confidential, safe, and secure from misuse, abuse and / or unauthorised use or access.
- the Organisation is desirous of providing the Operator with certain Personal Information which pertains to certain of its Data Subjects, which the Organisation would like the Operator to process on its behalf, and the Operator has agreed to process the Personal Information on behalf of the Organisation, which processing will be subject to the terms and conditions set out under this Operator Agreement.
- The parties must take note of the following definitions, which will be used throughout this Operator Agreement, unless the context indicates a contrary meaning:
- “Agreement” means the Agreement or series of Agreements entered into between the Organisation and the Operator.
- “Data Subject (s)” means the person (s) who own (s) the Personal Information which is to be processed by the Operator, on behalf of the Organisation, in terms of the Agreement and the Operator Agreement.
- “Operator Agreement” means this Operator Agreement.
- "person" means an identifiable, living, natural person, or an identifiable, existing juristic person.
- "Personal Information" means personal information relating to any identifiable, living, natural person, and an identifiable, existing juristic person, including, but not limited to:
- in the case of an individual:
- name, address, contact details, date of birth, place of birth, identity number, passport number, bank details, details about your employment, tax number and financial information;
- vehicle registration.
- dietary preferences.
- financial history.
- information about next of kin and or dependents.
- information relating to education or employment history; and
- Special Personal Information including race, gender, pregnancy, national, ethnic, or social origin, colour, physical or mental health, disability, criminal history, including offences committed or alleged to have been committed, membership of a trade union and biometric information, such as images, fingerprints and voiceprints, blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.
- in the case of a juristic person:
- name, address, contact details, registration details, financials, and related history, B-BBEE score card, registered address, description of operations, bank details, details about employees, business partners, customers, tax number, VAT number and other financial information; and correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
- "process or processing" means any operation or activity or any set of operations, whether by automatic means, performed by the Operator concerning a Data Subject’s Personal Information, including—
- the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, or use.
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure, or destruction of information.
- "record" means any recorded information—
- regardless of form or medium, including any of the following:
- writing on any material.
- information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded, or stored.
- label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means.
- book, map, plan, graph, or drawing.
- photograph, film, negative, tape or other device in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced.
- in the possession or under the control of a responsible party.
- whether or not it was created by a responsible party; and
- regardless of when it came into existence.
- OBLIGATIONS OF THE OPERATOR
- The Operator expressly warrants and undertakes that it will:
- process the Personal Information strictly in accordance with its mandate any specific instructions provided to it by the Organisation from time to time.
- not use the Personal Information for any other purpose, save for the purpose set out under this Operator Agreement.
- only disclose, transfer and / or hand over the Personal Information to authorised person(s).
- treat the Personal Information as confidential and not disclose the Personal Information to any other person unless required by law and only once it has provided the Organisation with adequate warning of this requirement to disclose and the related details thereof, including the identity of the person who is to receive the Personal Information, the reason for the disclosure and confirmation that the person to whom the Personal Information is to be disclosed to, has signed the a similar Operator agreement with this Operator;
- has and will continue to have in place, appropriate technical and Organizational measures to protect and safeguard the Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, or access, and which in addition, provides a level of security appropriate to the risk represented by the processing and the nature of the Personal Information to be protected and which safeguards comply with the requirements set out under POPIA.
- notify the Organisation immediately where it has reasonable grounds to believe that the Personal Information, which has been provided to it, including any Personal Information which it has processed, has been lost, destroyed, or accessed or acquired by any unauthorised person.
- process the Personal Information strictly in accordance with POPIA and the POPIA processing conditions.
- not use the Personal Information for any direct marketing or advertising, research, or statistical purposes.
- not treat the Personal Information as its own, it expressly acknowledging that it has been tasked with processing the Personal Information in its capacity as the Organisation’s Operator and agent, and that ownership of all the records housing the Personal Information and any records comprising such Personal Information pertaining to the Data Subject, will always remain with the Operator.
- not sell, alienate, or otherwise part with the Personal Information or any of the records housing the Personal Information.
- where it is allowed to transfer the Personal Information onwards to any third party, known as a Sub Operator, for the purposes of performing its mandate, ensure that such party concludes a “Sub Operator agreement” with it and the Organisation which compels the third party receiving the Personal Information to respect and maintain the confidentiality and security of the Personal Information, which Sub operator agreement will house the same terms and conditions as contained in this Operator Agreement, and which shall be concluded before the Personal Information is transferred to a Sub operator.
- ensure that any person acting under the authority of the Operator, including any employee or sub operator, shall be obligated to process the Personal Information only on instructions from the Operator and strictly in accordance with this Operator Agreement, read together with the Agreement and in particular a Sub Operator Agreement, where applicable.
- The Operator warrants that it has the legal authority to give the above-mentioned warranties and fulfil the undertakings set out in this Operator Agreement.
- LIABILITY OF THE OPERATOR AND THIRD-PARTY RIGHTS
- In the event of the Operator, a Sub Operator or their respective employees or agents breaching any of the warranties and undertakings housed under this Agreement, or a Sub Operator Agreement here applicable, or failing to comply with any of the provisions of POPIA and / or the 8 POPIA Personal Information conditions, then in such an event, the Operator shall be liable for all damages it or a Sub Operator may have caused in consequence of said breach or non-compliance, including patrimonial, non-patrimonial and punitive damages suffered by the Organisation and / or the Data Subject(s) and the Operator indemnifies and holds the Organisation and its directors and employees harmless against any such loss, damage, action or claim which may be brought by whomsoever against the Organisation or any of its directors or employees or against any of its affiliated companies, or their directors or employees, and agrees to pay all and any such amounts on demand.
- APPLICABLE LAW
The laws of South Africa shall apply to this Operator Agreement, regardless of where the Personal Information is, will be, or was actually processed.
- In the event of:
- the Agreement being terminated for whatsoever reason.
- the transfer of Personal Information to the Operator being temporarily suspended by the Organisation for longer than one month, for whatever reason.
- the Operator is in breach of its obligations under the Agreement or this Operator Agreement or has failed to comply with POPIA or the 8 Information Processing
Principles and has failed when called upon to do so by the Organisation to rectify the breach or area of non-compliance.
- the Operator is in substantial or persistent breach of any warranties or undertakings given by it under the Agreement or this Operator Agreement, notwithstanding that the Organisation has not given the Operator notice of such breach.
- a Sub Operator is in breach of a Sub Operator Agreement.
- an application is filed for the placing of the Operator under business rescue, under administration, or winding up whether interim or final, which application is not dismissed within the applicable period for such dismissal under applicable law; or any equivalent event in any jurisdiction occurs, then the Organisation without prejudice to any other rights, which it may have against the Operator, shall be entitled to terminate the Agreement and the Operator Agreement as well as a Sub Operator Agreement.
- The Parties agree that the termination of the Agreement and the Operator Agreement at any time, and / or a Sub Operator agreement, where applicable, in any circumstances and for whatever reason, does not exempt them from the rights and obligations set out under this Operator Agreement with regards to the processing of the Personal Information detailed in the obligations under POPIA.
- In the event of the Agreement and / or Operator Agreement being terminated whenever, and for whatsoever reason, the Operator undertakes to:
- restore and / or transfer back to the Organisation all and any Personal Information which has been provided to the Operator for processing, including that held by a Sub Operator, whether same has been processed or not, and / or which has been processed, together with any related documentation and / or information, all of which documentation must without exception, be returned to the Organisation within a period of 30 (thirty) days from date of service of the termination notice.
- to confirm in writing simultaneously when the transfer takes place, that all such Personal Information will be kept confidential and that it will not under any circumstances use the aforementioned information for whatsoever reason.
- Notwithstanding termination of the Agreement and / or the Operator Agreement and for whatsoever reason, the clauses 4, 5, 6 and 7.2 will survive any such termination.
The parties may not modify the provisions of this Operator unless such variation is reduced to writing and signed by the Parties.
All notices to be provided in terms of the Operator Agreement must be sent to the Information Officer at: firstname.lastname@example.org
Concluded on at at
© Copyright SA Red Cross Air Mercy Service