In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received on data privacy laws in other countries.
1. What applies in the case where data is potentially leaving SA? For example, onboarding client lists into Facebook or Google?
There’s a lot in POPIA about trans-border information flow. The problem with privacy legislation is that it’s country by country, but information flows everywhere. Most of us are storing information overseas if we’re using the big tech providers. This is okay if they say in their T&Cs that they observe data protection levels like POPIA.
It’s usually not a problem using the cloud or tech providers from overseas where your data is being stored in other parts of the world. If you do so, make sure you:
· Include data-protection clauses in your contract with the tech provider
· State in your privacy notice that the data is stored overseas
2. Our head office is based in SA, but we have customers and offices in multiple countries. Do we have to be POPIA and GDPR compliant?
If you’re doing data processing in South Africa, you will need to be POPIA compliant.
As for the GDPR and data privacy legislation in other countries, if you’re targeting individual customers who are physically in Europe or other countries, you may have to comply with the GDPR or the legislation relevant to them in their country.
Just storing the information in another country doesn’t usually require you to comply with its data privacy laws; however, the legislation does vary from country to country.
We encourage you to speak to a legal representative to assess this.
3. Do we need to treat international data subjects according to POPIA? E.g.: Do we really need opt-in consents (for direct marketing OR cookies) if the laws applicable in the data subject’s country don’t require it?
POPIA will apply to you if there’s data processing happening in South Africa. It’s likely that a complex web of data privacy laws will apply to your data if you’re marketing to people in other countries and processing data here.
Usually, the way this is handled is that you apply a global set of laws and have deviations per country.
For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.
Originally published at https://www.everlytic.co.za.