GDPR and POPIA: Data transfer

29 October 2018
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

Missed the previous articles?  Read them here: Article 1 | Article 2 | Article 3 | Article 4 | Article 5

In a connected world, it is too easy for personal data to move across borders. In the sixth article in our series, we look at how GDPR and POPIA treat cross-border transfers. Here is what we'll discuss:

“The neighbour has your data”

Imagine this scenario for a moment.  You are on a date at the zoo, chatting to your new beau while perusing animals, when you almost drop your phone into the water at the penguin enclosure. “Luckily I copied all your details to my neighbour’s phone, so at least that is safe.”

They look at you somewhat annoyed: “Hopefully not the weird one!  And why not just back it up to the cloud?” In your defense, the weird neighbour was the only one with enough space on his device.  And the WiFi was down.

One of the key characteristics of data is that it is relatively easy to move.  Companies may have many different reasons to move data around, and do so on a regular basis.  On the other hand, data subjects might also want to capture and move their data.

In today’s article, we are discussing the issues of cross-border data transfer and data portability as they relate to GDPR and POPIA.

Something like passport control for data

Data transfer by data controllers across borders is prohibited by POPIA, and restricted by GDPR, with specific exceptions.  Additionally, GDPR provides data subjects with the right to transfer their data between controllers (data portability).

GDPR POPIA - data transfers and data portability

What the laws say

In Section 72 of Chapter 9, POPIA states the following: “A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country…” and then proceeds to list a number of exceptions which are discussed below.

Chapter 5 of the GDPR deals with cross-border data transfers.  In Article 49 we find the following: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

Where POPIA sets out exceptions, GDPR sets out requirements.  We can compare the POPIA exceptions to the GDPR requirements as follows:


POPI Act

GDPR

Data is not allowed to be transferred across international borders to a third party.

Data can be transferred on the basis of an adequacy decision by the Commission.

Data can be transferred subject to appropriate safeguards.

Data can be transferred on the basis of binding corporate rules.

Data can be transferred by force on mutual international agreements.

Exceptions - Cross-border data transfers are acceptable:

Exceptions - Cross-border data transfers are acceptable:

With consent of the data subject.

With consent of the data subject.

For the performance of a contract, or for
pre-contractual measures in response to the data subject’s request.

When necessary for performance of a contract (between the controller and data subject).

For the conclusion of a contract between the controller and a third party for the benefit of the data subject.

When necessary for performance of a contract (between the controller and a third party for the benefit of a data subject).

 No comparable exception.

When it is in the public interest.

  No comparable exception.

When necessary for the exercise or defense of legal claims.

For the benefit of the data subject where (a) consent can’t be reasonably obtained or (b) where consent can be obtained, it is likely that consent would be granted.

For the protection of vital interests where the data subject is unable to give consent.

 No comparable exception.

When transferred from publicly accessible registers.

When adequate protection is provided for where the third part is bound by law, agreements or corporate rules.

  No comparable exception.

 

The concept of “binding corporate rules” was designed, in both cases, to provide organizations and their subsidiaries with a means to transfer data over international boundaries.  Underpinning this concept is that of “a group of undertakings” which is a broad definition for an organization that consists of multiple entities operating in different regions.

GDPR and POPIA - Cross border transfers

How the laws differ

At face value, the POPI Act prohibits cross-border data transfers, whereas GDPR provides strict requirements for such a transfer to take place. This makes sense as the EU consists of many co-operative countries who are bound to have organizations span international boundaries.

However, the emphasis in Section 72 of POPIA is not on prohibiting data flowing out of the country, but rather on the exceptions themselves.  The exceptions are designed to safeguard data when they flow outside of the country. With this understanding, the differences between the two laws regarding cross-border transfers are mostly superficial.

When it comes to the exceptions, GDPR provides additional possibilities that relate to the public interest or publicly accessible data.  GDPR also provides an exclusion related to legal applications, which POPIA lacks.

Finally, in Article 20, the GDPR provides the data subject with the right to transfer data from one controller to another, called data portability, which is absent from POPIA.

Pick your cloud wisely

With numerous cloud services available, it is commonplace for businesses to host data outside of a given geographical jurisdiction.  POPIA is designed to ensure that data controlled by South African entities is safe, regardless of where it is transferred to.

When using cloud services, or transferring data between on-site servers within the same organization (binding corporate rules), the effort lies in ensuring that the country that hosts the data offers the same degree of protection than would the POPI Act itself.

It is worth noting that the United States is not regarded as giving such protection.

If you must transfer it, keep it safe

Back at the zoo, you told your date that you allegedly copied their personal information to the weird neighbour’s phone. They didn’t give you permission to do that, and let’s be honest, the neighbour may lose his phone or abuse the information.

Similarly, POPIA and GDPR aim to protect personal data by restricting the ways in which organizations can transfer it outside of the geographical jurisdictions of these laws.

The rule of thumb is this: when moving data, be sure to store it in a country where it will be just as safe as it would be should POPIA or GDPR protect it.

Confused?  Download the free workflow poster

POPIA compliance is a challenge.  We created this free flowchart poster to help you figure it out.  Click below to download your copy.

popia-compliance-poster-thumbnail

Download your poster today

SAP Knowledge Sidebar

By Jan van Rensburg

No SAP system is an island. Most of the time, SAP systems act as the hub that connects many other systems, including third parties. These include banks, benefit providers, vendors, clients and a multitude of cloud systems. It’s not uncommon for us to work with SAP systems that have more than a hundred interfaces.

You can only manage what you know. One of your first steps to POPIA and GDPR compliance is to map your data and data flows. This includes making an inventory of all interfaces on the SAP systems and classifying the data that flows through them. This will be the basis for working with third parties to ensure that data shared with them are done in a compliant manner. This takes time, since it depends on how quickly those third parties can respond and make changes, where required. Therefor, the data flow mapping should be one of the early steps in your compliance project.

EPI-USE Labs has developed our Privacy Comply methodology to streamline privacy compliance projects. Understanding data classifications and flows are a core part of this methodology. Given our years of experience working with data mappings in big systems, we use our software to largely automate sensitive data discovery, thereby eliminating a big part of the tedious work that’s typically required.

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act SAP data privacy and compliance POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data Sync Manager (DSM) Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP RISE SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data RISE BRIDGE Managed Services Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP Data Processing Agreement SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SAP system refresh SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: