The Kwazulu-Natal High Court recently decided a case regarding an ex-employee's solicitation of business from his former employer. Usually, such cases turn on the interpretation of the restraint of trade, non-solicitation and confidentiality provisions in an employee's contract, but in Zulu Nyama Game Ranch (Pty) Ltd v Beukes and Another [2025] ZAKZDHC 87 ("Zulu Nyama"), the Protection of Personal Information Act of 2013 ("POPIA") also featured prominently as an additional basis for relief.

In this blogpost, we consider the court's finding that an employee can act as an "operator" when processing personal information on behalf of their employer.

Facts of the case

The first respondent, Christiaan Beukes, was employed by Zulu Nyama, a private game reserve and safari lodge, as a game ranger for some 11 years. During this time, Christiaan Beukes became privy to Zulu Nyama's confidential customer list and customer personal information such as names, contact details, and Zulu Nyama's pricing structure.

Following his employer's discovery that he was selling his own excursions to Zulu Nyama's customers while they were guests at Zulu Nyama, Mr Beukes' was dismissed. Almost immediately thereafter, Mr Beukes set about establishing his own game excursion business in competition with Zulu Nyama, and, crucially, utilising the confidential and personal information of Zulu Nyama's customer lists to solicit business from its customers.

The urgent application

Zulu Nyama applied for an urgent interdict to prevent Mr Beukes from disclosing the confidential information of, and contacting, its customers.

The employment contract between Mr Beukes and Zulu Nyama did not contain a restraint of trade or non-solicitation clause, but did contain confidentiality provisions which prohibited Mr Beukes from disclosing Zulu Nyama's trade secrets, customer lists, business operations, technical methods and the like. This obligation survived termination of the agreement and required Mr Beukes to hand over any confidential information in his possession upon termination of his employment.

Zulu Nyama accordingly argued that Mr Beukes' conduct was in breach of the confidentiality provisions in his employment agreement.

Interestingly, however, Zulu Nyama argued in addition that Mr Beukes was bound by confidentiality obligations in terms of section 20 of POPIA as an operator processing personal information on behalf of Zulu Nyama as responsible party.

As one would expect, the court directed Mr Beukes to delete soft copies of, and hand over hard copies of, all confidential information in his possession as provided in his employment agreement. In addition, and more controversially, the court also interdicted Mr Beukes from using, and directed him to delete, the personal information of Zulu Nyama's customers in terms of POPIA, having accepted that he processed personal information on behalf of his former employer in the capacity of an operator.

"Operator" is defined in POPIA as "a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party".

In our view, the court erred in accepting Mr Beukes was processing personal information in his capacity as an operator without considering the definition of the term. It is generally accepted by data privacy professionals that the proviso "without coming under the direct authority of" the responsible party in the definition of "operator", excludes employees from acting as operators when they process personal information on behalf of their employers.

This principle is well established under the EU's Data Protection Directive, the predecessor to the GDPR that POPIA was heavily derived from. The Article 29 Working Party, in its "Guidelines on controller/processor concepts", stated that the "two basic conditions for qualifying as a processor [equivalent to an operator in POPIA] exist: that it is a separate legal entity in relation to the controller and that it processes personal data on the controller's behalf". The position is the same under the now-authoritative GDPR, in respect of which the European Commission has published guidance affirming that employees processing personal data within an organisation are considered to be part of the controller.

This interpretation also makes sense. If employees were considered to be "operators" acting on behalf of their employers, employers would be required to a conclude data processing agreement with each employee, paradoxically requiring that employee to establish appropriate technical and organisational measures to protect personal information entrusted in their care, when in fact that it is the employer who determines the purposes of processing and who designs and controls the systems governing access to, storage of and security safeguards for personal information, with employees merely required to adhere to those internally prescribed measures.

Concluding thoughts

Given the confidentiality obligations of Mr Beukes' employment agreement, it was unnecessary to class him as an operator to entitle Zulu Nyama to the relief it sought and the court, in our view, should have considered the language of POPIA more carefully before doing so. The court's reliance on POPIA nevertheless forms part of the developing jurisprudence under the Act, and it remains to be seen whether future courts will adopt the same approach where the classification of roles is central, rather than incidental, to the outcome.