With the meteoric increase of electronic data flow over the internet in the past two decades, it has become necessary to institute measures to control how individuals and business enterprises handle people’s personal information. This necessity arises as a result of the similarly sharp rise of information theft, identity theft and other criminal acts perpetrated on people who are not aware of the opportunities open to technologically adept criminals, as well as the worryingly prevalent collection of private data by companies such as Google and Facebook.
The General Data Protection Regulation (EU) 2016/679 (“GDPR”), a European Union (“EU”) regulation that deals with privacy and data protection in respect of all individuals within the EU and the European Economic Area (“EEA”), was implemented on 25 May 2018 after having been adopted on 14 April 2016.
The rights of South African data subjects
At first glance, it may seem that since the GDPR is an EU regulation, it does not apply to anyone in South Africa. This, however, is not correct, as the GDPR also applies to and regulates the export and processing of the personal data of so-called “data subjects” (i.e. individuals) who reside within the European Union by a controller or processor not established in the EU. Data subjects are provided with a myriad of rights relating inter alia to transparency of information and communication, rights of access, rights of erasure and rights to restriction of processing.
The processing activities regulated by the GDPR relate not only to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [European] Union” but also to “the monitoring of [data subjects’] behaviour as far as their behaviour takes place within the Union.” In simpler terms, if you or your business offers goods or services to any person residing within the EU (whether or not that person pays you for the services), or monitors the behaviour of any person residing in the EU, the GDPR applies.
Data controllers versus data processors
The GDPR distinguishes between “data controllers” (“…the natural or legal person, public authority, agency or other body which…determines the purposes and means of the processing of personal data”) and “data processors” (“…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”). Different rules apply to controllers and processors, and these rules are very strict in enforcing the privacy of data subjects.
Defining personal data
The question then arises as to what qualifies as “personal data” for the purposes of the GDPR. Article 4(1) provides a very wide definition of “personal data”, in that it applies to essentially any information relating to an identified or identifiable natural person who can be identified directly or indirectly by reference to an identifier (i.e. a name, ID number, location data, an online identifier or “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”). Even stricter provisions relate to certain special categories of personal data, including (but not limited to) sexual orientation, health data and political opinions.
Footnotes
General Data Protection Regulation (EU) 2016/679, Article 1.
GDPR Articles 12 to 23.
GDPR Article 3(2) read with Article 3(3).
GDPR Article 4(7).
GDPR Article 4(8).
GDPR Article 9.
GDPR Article 83.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE).