In recent weeks, many people have received the notification “We’ve changed our Privacy Policy”. This has all been in response to the European Union’s General Data Protection Regulation (GDPR), which took effect on 25 May 2018. These regulations are applicable not only to businesses in the European Union (hereinafter “the EU”) but also, in some instances, to businesses in South Africa. It is therefore important that you are compliant. This is especially important in the context of privacy policies, which now require amendment.
The purpose of the GDPR is to protect the privacy and personal information of residents in the EU. It specifies how personal data should be lawfully collected, used, protected or interacted with. These regulations do not have general application in South Africa. However, if you process, in South Africa, the personal information of an individual who is resident in the EU, then you will have to comply with the GDPR. The GDPR is applicable to the following entities:

  • An entity not established in the EU that offers goods or services (even if the offer is free) to people in the EU. The entity can be a government agency, a private or public company, an individual or a non-profit;
  • An entity that is not established in the EU but which monitors the behaviour of people who are in the EU, provided that such behaviour takes place in the EU.

For example, if you have a website that is accessible globally on which you track the behaviour of visitors by using “cookies”, you would need to comply with the GDPR. Essentially, any company dealing with the data of EU businesses, residents or citizens will have to comply with the GDPR, even if the company does not have a European presence.

Businesses that do not comply with the GDPR’s requirements can face fines of up to 4% of a company’s annual global revenue or €20 million, whichever is greater.