Global menu

Our global pages


GDPR in South Africa

  • South Africa
  • Privacy, data protection and cybersecurity - GDPR


While South African businesses are preparing for the implementation of the Protection of Personal Information Act (POPIA) in South Africa, they should also keep their eye on the European Union General Data Protection Regulation (GDPR).

The GDPR was amended earlier this year to extend the scope of its application, and its applicability is now based on the location of the data subject rather than the location of the data processor or controller. As a result, a South African based business could find itself required to comply with the GDPR if its activities are caught in the GDPR net.

Where a business does not have an establishment in the EU, but:

• offers goods and services to individuals in the EU; or

• monitors the behaviour of individuals in the EU,

then any processing of personal data related to those activities may be subject to the GDPR regardless of where the processing takes place.

The application of the GDPR is subject to limitations – for example simply having a website which is accessible from the EU is not enough, and to be said to be offering goods and services to an individual in the EU, the business must have demonstrated an intention of offering goods to data subjects within the EU - indicators given are:

• the use of a language or a currency generally used in the EU;

• the possibility of ordering goods and services in that other language; and

• the mentioning of customers or users who are in the EU.

In light of the substantial fines which can be imposed for non-compliance with the GDPR, it would be advisable to look at the personal data which your business processes and assess whether it includes the personal data of natural persons within the EU.

The GDPR is similar to POPIA in a lot of ways, but there are some differences, so putting a POPIA compliance program in place will be a good start (and is something that all businesses need to be doing in any event), but GDPR-affected businesses will need to take the extra step of ensuring that their activities are fully GDPR-compliant as well.

For more information contact

< Go back

Print Friendly and PDF
Subscribe to e-briefings