The purpose of the GDPR is to protect the privacy and personal information of residents in the EU. It specifies how personal data should be lawfully collected, used, protected or interacted with. The regulation does not have general application in South Africa. However, if you process, in South Africa, the personal information of an individual who is resident in the EU, then you will have to comply with the GDPR. The GDPR is applicable to the following entities:
- An entity not established in the EU that offers goods or services (even if the offer is free) to people in the EU. Such an entity can be a government agency, a private or public company, an individual or a non-profit;
- An entity not established in the EU that monitors the behaviour of people who are in the EU, provided that such behaviour takes place in the EU.
For example, if you have a website that is accessible globally on which you track the behaviour of visitors by using “cookies”, you would need to comply with the GDPR. Essentially, any company dealing with the data of EU businesses, residents, or citizens will have to comply with the GDPR, even if the company does not have a European presence.
Businesses that do not comply with the GDPR’s requirements can face fines of up to 4% of a company’s annual global revenue or €20 million, whichever is greater.