Adv Louis Nel Business Review Advice: Indemnities & the general data protection regulation ('GDPR') (Part 1) - Introduction

Partner News

Everything of the very best for 2024 to all my readers and their families!

What you may not know is that an enquiry about the GDPR precipitated this series of articles! However, rather than dealing with the GDPR first thing, I considered it more constructive to analyse indemnities comprehensively, as I’ve done.

Before you carry on reading and reach out for a cup of coffee (or something stronger!) to clarify the confusion and complexity, let's make one or two things quite clear:

  • The GDPR is the first comprehensive review of privacy legislation in the European Union (‘EU’) for 20 years - it supersedes the EU Data Protection Directive 1995.
  • It must be borne in mind that the UK has its own GDPR (post-Brexit) – by and large, it is a ‘mirror image’ of the EU GDPR.
  • The GDPR has been around for 2 years, i.e., it came into effect on May 24, 2016.
  • It applies to all entities (Processors & Controllers) ‘established’ in the EU, and to entities anywhere in the world that provide goods and services to any consumer (Data Subject) who is an EU subject or a non-EU citizen residing in any of the EU member states.
  • Given the more pervasive nature of the GDPR, it is recommended that it be used as a standard rather than POPIA (see 'aims' below).
  • You may see references to 'Privacy Shield' (formerly 'Safe Harbor') - this only applies to data exchanges between the EC and the USA.

So as an opener and to ease your mind, let's look at some of the key similarities and then some of the key differences between the GDPR and POPIA, the South African Privacy Act:

SIMILARITIES (with minor nuances):

  • 'Data Subject' is described more broadly, e.g. a person who can be identified by an 'identifier' such as a username or web cookie - this also appears in POPIA, where 'personal information' is defined as including such an 'online identifier' (read with the definition of 'unique identifier').
  • 'Personal Information' is called 'Personal Data'.
  • The POPIA 'Responsible Person' (one who 'determines the purpose of processing') is called a 'Controller'.
  • The aforesaid role is extended to a so-called 'Processor' i.e. an entity/person that processes personal data on behalf of the controller e.g. a developer or analyst, referred to in POPIA as an 'Operator'.
  • The POPIA 'Information Officer' is called a 'Data Protection Officer', BUT the definition stipulates that such a person must have 'an extensive knowledge of data privacy laws and standards'.
  • As with POPIA, 'consent' is not required in the case of a 'lawful basis' (Section 11 (1) (c) & (e)) or 'legitimate interest' (Section 11 (1) (d) & (f)).
  • It is not stated in POPIA, but as you may know from my previous articles, I am of the view that the POPIA Information Officer (GDPR 'Data Protection Officer') can be an external or internal appointment. The following aspects of the GDPR may be a useful guideline for an internal appointment: ensure there is no conflict of interest, e.g. a financial director as opposed to the IT director or manager. Additional guidelines appear in the definition, i.e. a legal, security or accounting background and knowledge of privacy.

DIFFERENCES:

  • 'Data Subject' does NOT include legal entities (juristic persons) e.g. companies - only natural persons can rely on the protection of GDPR.
  • The fines are materially higher, i.e. the greater of 4% of the entity's global annual revenue or €20 million - compare with the POPIA R10 million. However, during the period 2016/'17, of the 17,300 cases investigated in the EU, only 16 fines were imposed and the highest was £500,000, and that was because the breach impacted 3 million people!
  • A Data Protection Officer is only required for public authorities; however, this obligation also applies to a private business if one of its core, primary activities is, e.g., processing personal data to fulfil key goals such as profiling and tracking for behavioural advertising.
  • So-called 'smaller firms', i.e. those with fewer than 250 employees, do not have to comply with certain GDPR requirements (see the list in the GDPR), but they must keep a record of processing if there is 'a risk to the rights and freedoms of the Data Subject'.
  • Data breaches must be conveyed to the authorities and affected consumers within 72 hours - POPIA states '.. as soon as reasonably possible...' (Section 22 (2)).

© ADV LOUIS NEL

Louis-THE-lawyer

DISCLAIMER - Each case depends on its own facts & merits - the above does not constitute advice - independent advice should be obtained in all instances

LOUIS’ LEGAL ADVICE CLUB (‘LAC’) – obtaining legal advice & guidance can be quite costly (see below*), hence my LAC, via which you can obtain an hour’s legal advice for R500,00 per month once you’ve joined AND the fee for additional hours is R1850 per hour! Furthermore, you are dealing with a lawyer who has been in tourism since 1982!

* The AVERAGE hourly rate is R2700 (https://www.myggsa.co.za/how-much-do-lawyers-charge-per-hour-in-south-africa/)