
Impact of GDPR on South African businesses

South African businesses that transact with individuals in the EU should be aware of the General Data Protection Regulation of the European Union 2016/679 (GDPR) and how it may impact their operations, says Wendy Tembedza, associate at Webber Wentzel.


Cape Town, 28 Jun 2018
Wendy Tembedza, associate at Webber Wentzel.

Deficiencies around data privacy are placing an increasing number of organisations under the spotlight for failure to observe adequate policies and procedures to protect personal information. The GDPR aims to protect individuals in the EU by ensuring organisations that process personal information comply with certain standards. These standards can apply to a business regardless of whether or not the business is based in the EU.

A South African business that offers goods or services will be required to comply with the GDPR if the business offers goods or services to individuals in the EU (whether or not for consideration). Merely operating a Web site that is accessible in the EU is insufficient, on its own, to satisfy this requirement. However, other factors, such as the currency used for billing individuals, the language used on a business's Web site, delivery to the EU and other targeted marketing to individuals in the EU, may meet this test.

In addition, the GDPR will apply to businesses that monitor the behaviour of individuals in the EU. This may include tracking an EU data subject's activities on the Internet in order, for example, to analyse or predict behaviour, preferences and attitudes, says Wendy Tembedza, associate at Webber Wentzel.

A South African business caught by the extraterritorial reach of the GDPR will have to comply with the standards set out in the GDPR, including implementation of appropriate technical and organisational measures for the protection of personal information. Failure to do so can expose a business to liability, including the issuing of fines for serious infringements up to a maximum of the greater of EUR20 million or 4% of worldwide turnover.

South African businesses should also be aware that once the Protection of Personal Information Act 4 of 2013 (POPIA) comes into effect, there may be an overlap between POPIA and GDPR where a business meets the test for application of the GDPR. This could potentially see businesses having to ensure compliance with two pieces of legislation, which govern how they should process and otherwise deal with personal information.

Concluding remarks

South African businesses should, in their dealings with individuals in the EU, confirm whether they are caught by the GDPR and take steps to comply with its standards in order to avoid legal liability.
