In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received on data privacy laws in other countries.
Laws in Other Countries Q&A:
What applies in the case where data is potentially leaving SA? For example, onboarding client lists into Facebook or Google?
There’s a lot in POPIA about trans-border information flow. The problem with privacy legislation is that it’s country by country, but information flows everywhere. Most of us are storing information overseas if we’re using the big tech providers. This is okay if they say in their T&Cs that they observe data protection levels like POPIA.
It’s usually not a problem using the cloud or tech providers from overseas where your data is being stored in other parts of the world. If you do so, make sure you:
- Make sure your contract with the tech provider contains data-protection clauses
- Put the fact that the data is stored overseas in your privacy notice
Our head office is based in SA, but we have customers and offices in multiple countries. Do we have to be POPIA and GDPR compliant?
If you’re doing data processing in South Africa, you will need to be POPIA compliant.
As for the GDPR and data privacy legislation in other countries, if you’re targeting individual customers who are physically in Europe and the other countries, you may have to comply with the GDPR or the legislation relevant to them in their country.
Just storing the information in another country doesn’t usually require you to comply to the data privacy laws, however the legislation does vary from country to country.
We encourage you to speak to a legal representative to assess this.
Do we need to treat international data subjects according to POPIA? E.g.: Do we really need opt-in consents (for direct marketing OR cookies) if the laws applicable in the data subject’s country don’t require it?
POPIA will apply to you if there’s data processing happening in South Africa. It’s likely that a complex web of data privacy laws will apply to your data if you’re marketing to people in other countries and processing data here.
Usually, the way this is handled, is you apply a global set of laws and you have deviations per country.
For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.
Related POPIA Q&As
- What is Direct Marketing?
- Who’s Responsible for POPIA & What will Happen if They Don’t Comply?
- What You Can Do Before POPIA Becomes Enforceable
- Data Collection, Privacy & Storage
- Harvesting Data from the Internet & Social Media
- Getting Consent for Direct Marketing
- Marketing to Certain People Without Extra Consent
- Third-Party Consent for Direct Marketing
- Dealing with Unsubscribes from Your Direct Marketing
- Data Privacy Laws & Using Personal Information
- Other POPIA Rules
