THE APPLICATION OF GDPR IN SOUTH AFRICA
General Data Protection Regulation (EU) 2016/679
The road to GDPR compliance
Introduction
• The General Data Protection Regulation (EU) 2016/679 ("GDPR") seeks to restructure the existing data protection legislative framework in the European Union by consolidating its data protection laws into one comprehensive piece of legislation with application throughout the European Union
• GDPR entered into force as of 25 May 2016 and will be applicable as of 25 May 2018; its purposes include:
  – protecting the fundamental rights and freedoms of natural persons; and
  – in particular their right to the protection of personal data
Hogan Lovells | 3
GDPR Application in South Africa
• The Protection of Personal Information Act, 2013 ("POPIA") is South Africa's first piece of comprehensive legislation primarily concerned with data protection
• POPIA is based substantially on the UK Data Protection Act, 1998 and although signed into law on 26 November 2013, the President has yet to promulgate the commencement date
• Comments to the Draft Regulations are currently being reviewed and considered by the Regulator
POPIA Harmonisation Principle
Section 3(2)(b): "If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail."
GDPR Application in South Africa – Territorial Scope
According to Article 3 of the GDPR:
• GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not
• This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  – the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  – the monitoring of their behaviour as far as their behaviour takes place within the Union
GDPR Application in South Africa – Grounds
• Ground One – Applicability based on establishment in the EU
• Ground Two – Applicability based on individuals being in the EU
Ground One
• Applicability based on establishment in the EU
  – Economic activity in EU Member State
Ground Two
• Applicability based on individuals being in the EU
  – Offering of goods or services to them
  – Monitoring of their behaviour
Fines/Penalties
• Assess fines for specific data protection violations
• Statutory catalogue of criteria
• Severe violations
  – up to EUR 20 million
  – Companies – up to 4% of total global turnover in the previous financial year
• Less severe violations
  – up to EUR 10 million
  – Companies – up to 2% of total global turnover in the previous financial year
Questions?