4 June 2021
With POPIA’s effective date being less than a month away, we’re focusing on cross-border data transfer agreements this week.
Cross Border Transfers – POPIA
In terms of section 72 of POPIA, where a party discloses or provides Personal Information which it has collected from Data Subjects in South Africa to a recipient who is situated in another country, any such processing is subject to the following provisions:
“A responsible Party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless:
a. the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that — (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country; or
b. the data subject consents to the transfer; or
c. the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; or
d. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
e. the transfer is for the benefit of the data subject, and — (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.”
Furthermore, in terms of section 20 of POPIA, where a party discloses Personal Information which it has collected from Data Subjects in South Africa to another for the purpose of processing or further processing such Personal Information on its behalf, and that Operator is outside South Africa (hereinafter referred to as “the Operator Recipient”), any such processing must be subject to a written agreement concluded between the Responsible Party and the Operator Recipient, which contractually obliges the Operator Recipient to:
a. comply with the provisions of POPIA and the POPIA processing conditions when processing such Personal Information on behalf of the Responsible Party;
b. only process the Personal Information received from the Responsible Party in accordance with the mandate or written instruction received from the Responsible Party;
c. keep the Personal Information processed / held by the Operator Recipient, confidential;
d. put measures in place in order to keep all such Personal Information confidential, safe and secure from misuse, abuse and/or unauthorised use or access.
The GDPR Position
The GDPR houses a set of provisions similar to those found under our law. In this regard, PWC has published a document setting out their view on Binding Corporate Rules, stating: “Under the General Data Protection Regulation (‘GDPR’), transfers of personal data outside of the EU are restricted to ensure that the level of protection afforded by the GDPR is not undermined. Personal data may only be transferred to a jurisdiction outside the EU (a ‘third country’) or international organisation in compliance with certain safeguards and conditions for transfers. Binding Corporate Rules (‘BCRs’) are one way that controllers and processors can comply with the GDPR’s third country data transfer requirements. They are explicitly recognised in the GDPR as a mechanism providing appropriate safeguards for third country data transfers (Article 46(2)(b) and 47, GDPR).”
Following this, under Article 47, the general principle is that international cross-border personal data transfers are allowed, provided that the controllers or processors meet the conditions housed under the GDPR. Read more about this here: International personal data transfers: binding corporate rules (BCRs) under the GDPR
Back to South Africa
Whilst the Information Regulator has not yet established a procedure for the approval of “Binding Corporate Rules”, nor has it provided any guidelines on what should be housed under a “Cross Border Transfer Agreement”, it is imperative that all organizations in South Africa have:
- a policy setting out the organization’s rules and procedures when it comes to the sharing of Personal Information amongst the various entities which form part of the organization – both locally and cross-border;
- an agreement, which will be concluded with any Recipient of Personal Information which the organization sends outside South Africa, and which contractually compels the Recipient to handle and use the Personal Information in accordance with the South African law, POPIA.
We’ve developed the related documents for you to use when drafting your organization’s agreements and policies.
Subscribers, please log in to The Legal Team to access these templates.