What do you know...and what can you do with it? [Part 2]


An article series exploring data protection laws in South Africa and the EU.

This is the second in a three-part series of articles discussing GDPR and POPIA regulation and compliance as relevant to data privacy and protection, and to the management of data breaches.

The Protection of Personal Information Act 4 of 2013 (“POPIA”)

POPIA is intended to give effect to the constitutional right to privacy and to balance it against the right of access to information and important interests such as the free flow of information within South Africa and across its borders. It achieves this by imposing obligations in respect of the way public and private persons and entities collect, store and use personal information belonging to individuals and entities, such as their employees and customers. POPIA applies where the responsible party, or the means by which it processes personal information, is located within the borders of South Africa.

POPIA provides that where there is a failure to comply with lawful processing requirements, the responsible party will bear the ultimate liability.

The responsible party should ideally obtain indemnities from the operator (a person or entity that processes personal information on behalf of a responsible party, referred to as the “processor” in terms of GDPR) for compliance with contractual obligations and data protection laws, so as to ensure that the operator will be held liable for any risk, harm or loss suffered as a result of a breach of those obligations or laws. The operator could be required to reimburse the responsible party for any penalties imposed by the Information Regulator, or for any damages claims that may be brought by data subjects as a result of a data breach.

The Relationship between GDPR and POPIA

Owing to the cross-border application of both GDPR and POPIA, both statutes contain provisions dealing with the transfer of personal information to countries outside their own areas of jurisdiction. In this regard:

  • In terms of the GDPR, personal data may only be transferred by a controller (the person or body that determines how personal data is to be processed, referred to as the “responsible party” in POPIA) in the EU area to one outside it if the EU Commission has decided that the law in the territory to which the data is to be transferred ensures an adequate level of protection, or where the controller has provided adequate safeguards and enforceable rights and legal remedies are afforded to data subjects.

  • In terms of POPIA, a responsible party in South Africa may only transfer personal information to a party outside South Africa if the party to whom the information is being transferred is subject to a law that provides a similar level of protection to those contained in POPIA.

  • Under both statutes, therefore, it is necessary, in the case of cross-border transfers of information, that the controller/responsible party be aware of the laws not only of the territory where it is based, but also of the territory to which the data is being transferred.

Differences Between GDPR and POPIA

There are several notable differences between the GDPR and POPIA in regard to the type of data that is protected, the data subjects to whom protection is afforded, and the practical measures and structures that must be implemented. These include:

  • The GDPR protects only personal information of natural persons, whereas POPIA includes information pertaining to juristic persons where applicable.

  • The GDPR, in Article 37, provides for the specific appointment of a Data Protection Officer, who is responsible for the organisation’s compliance, where, in the case of a private body, its core activities involve large scale processing of data, whereas POPIA automatically designates the head of a private body as the information officer, with certain responsibilities.

  • Article 25 of the GDPR makes provision for data protection by design and by default. Data protection by design and by default requires data controllers to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This means that data controllers have to integrate data protection into processing activities and business practices, from the design stage right through to completion. The obligation applies to the amount of personal data collected, the extent of their processing, the period of the storage and their accessibility.

  • Article 35 of the GDPR provides for the obligation to conduct data protection impact assessments, whereas POPIA does not expressly provide for such an obligation. POPIA does, however, require such assessments by implication: it requires responsible parties to ensure that the processing of information is in accordance with the purpose of collection, which in turn requires ongoing assessment of the impact of the processing activities.

  • Lastly, Article 20 of the GDPR provides for the right of data portability, which gives data subjects the option to request that their data be transferred to another data controller or service provider, whereas POPIA does not provide for such a right.

Our third and final article in this series discusses data breaches and the processes to follow in order to comply with GDPR and POPIA.