GDPR vs. POPIA: Comparing South African Version

Articles 3, 4(1)

Recitals 22-25

The GDPR applies to controllers or processors established in the EU, regardless of whether the processing takes place in the EU or not. It also applies to organizations that are not established in the EU but monitor individual’s behavior, as far as their behaviour occurs in the EU or offer goods or services to data subjects in the EU.

1. Data subjects have the right to request erasure of their personal data that must be responded to without undue delay.
2. The right to erasure applies when the personal data is no longer necessary, when a data subject withdraws consent, when the data was unlawfully processed, or when data has to be erased for compliance with legal obligation.
3. The right to erasure does not apply to the extent that the processing is necessary
4. • For exercising the right of freedom of expression or information
   • For compliance with a legal obligation
   • For reasons of public interest
   • For establishment, exercise or defence of legal claims
   • For archiving purposes in the public interest, scientific or historical purposes or statistical purposes

Articles 13, 14 Recital 58

1. Certain information relating to personal data processing must be provided to data subjects, whether or not personal data is collected directly from data subjects.
2. It includes the information on identity and contact details of the controller, controller’s representative where applicable, controller’s data protection officer where applicable, the purposes of the processing, the lawful basis of the processing, the recipients or categories of recipients of personal data, and where applicable if the controller intends to transfer personal data outside the EU along with the mechanism used for the transfer as well as information necessary to ensure fair and transparent processing.
3. Data controllers are also required to inform data subjects of the existence of data subjects’ rights.

Articles 21
Recitals: 69, 70

1. Data subjects have the right to object to the processing of their personal data where the processing is based on legitimate interests or public interest. As a consequence of any valid objection, the data. controller must no longer process the data subject’s personal data unless it can demonstrate compelling and legitimate grounds for the processing. These grounds must be sufficiently compelling to override the interests, rights, and freedoms of the data subject.
2. Data subjects also have the right to object to their data being processed for direct marketing purposes.

Article: 15
Recital: 63

1. The right of access includes the right to obtain confirmation from the controller as to whether or not personal data is being processed and access to the personal data. Data controllers are required to include certain information in their response to an access request including the categories of personal data, data recipients, the purposes and retention periods.
2. Deadline to respond is one month which can be extended to 2 further months depending on the complexity and number of the requests.
3. A data controller can refuse to act on a request under certain circumstances. For example, the request to obtain a copy of personal information may be refused if granting it will adversely affect the rights and freedoms of others.
4. The right to access can be exercised free of charge. However, a controller may charge a reasonable fee on manifestly unfounded or excessive requests, in particular because of their repetitive character. For example, an administrative fee may be charged for any further copies requested by the data subject.

Article 18
Recital 67

Data subjects have the right to obtain restriction of processing where accuracy of data is contested, processing is unlawful, the controller no longer needs the data for the purposes of the processing, or the data subject has objected to data being processed for direct marketing and objection is pending the verification.

Article 16
Recital 65

Data subjects have the right to obtain from the controller the rectification of inaccurate personal data and to have incomplete personal data completed.

Articles: 12, 20, 28
Recitals: 68, 73

Data subjects have the right to receive data in a structured, commonly-used, and machine-readable format and transmit the data to another controller.

Article 22

The GDPR provides data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them.

This prohibition against automated decision-making does not apply if the processing is authorized by law, necessary for the preparation and execution of a contract, or done with the data subject’s explicit consent. In such situations, the GDPR requires data controllers to implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller to express his or her point of view and to contest the decision.

Articles: 83, 84
Recitals: 158, 149

1. Fines may be issued directly by the relevant supervisory authority that also has a variety of other administrative and investigative powers.
2. Depending on the circumstances of each individual case, the type of infringement and the severity of the violation, the administrative fine may be up to either: 2% of global annual turnover or €10 million; or 4% of global annual turnover or €20 million (whichever is higher).
3. The GDPR does not specify any provisions for imprisonment. However, data subjects have a right to an administrative remedy including the right to lodge a complaint with the relevant supervisory authority as well as the right to an effective judicial remedy against a controller or processor.