GDPR in South Africa
22 Oct 2018
While South African businesses are preparing for the implementation of the Protection of Personal Information Act (POPIA) in South Africa, they should also keep their eye on the European Union General Data Protection Regulation (GDPR).
The GDPR was amended earlier this year to extend the scope of its application, and its applicability is now based on the location of the data subject rather than the location of the data processor or controller. As a result, a South African based business could find itself required to comply with the GDPR if its activities are caught in the GDPR net.
Where a business does not have an establishment in the EU, but:
- offers goods and services to individuals in the EU; or
- monitors the behaviour of individuals in the EU,
then any processing of personal data related to those activities may be subject to the GDPR regardless of where the processing takes place.
The application of the GDPR is subject to limitations – for example simply having a website which is accessible from the EU is not enough, and to be said to be offering goods and services to an individual in the EU, the business must have demonstrated an intention of offering goods to data subjects within the EU – indicators given are:
- the use of a language or a currency generally used in the EU;
- the possibility of ordering goods and services in that other language; and
- the mentioning of customers or users who are in the EU.
In light of the substantial fines which can be imposed for non-compliance with the GDPR, it would be advisable to look at the personal data which your business processes and assess whether it includes the personal data of natural persons within the EU.
The GDPR is similar to POPIA in a lot of ways, but there are some differences, so putting a POPIA compliance program in place will be a good start (and is something that all businesses need to be doing in any event), but GDPR-affected businesses will need to take the extra step of ensuring that their activities are fully GDPR-compliant as well.
See also:(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)