GDPR – learn how to achieve compliance
How do you know whether your African startup is subject to the GDPR? How do you determine whether it acts as a processor or a data controller? What obligations must you comply with?
STARTUPS — LEARN HOW TO COMPLY WITH THE GDPR!
Bad news: you must not only comply with the national regulations applicable to personal data, but also potentially with European regulations.
Good news: it's not complicated once you look into it, and we are here to explain everything.
How do you know whether your startup is subject to the European General Data Protection Regulation ("GDPR")? How do you determine whether your startup acts as a processor or a data controller under the GDPR? What are your obligations under the GDPR?
This article aims to help you identify whether the GDPR applies to you and what obligations you must comply with.
STEP 1: CARRYING OUT PERSONAL DATA PROCESSING
The GDPR applies to "the processing of personal data wholly or partly by automated means, as well as to the non-automated processing of personal data which form part of a filing system or are intended to form part of a filing system."
In this context, personal data means: "any information relating to an identified or identifiable natural person, directly or indirectly."
Examples: first and last name, date of birth, email address, bank account number, IP address.
An identifiable natural person is "a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (the data subject).
Examples: employee, customer, prospect, service provider.
Personal data processing means "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
Examples: recruitment management, human resources management, commercial prospecting management, customer management.
Accordingly, if you handle any of this data in the context of the activities mentioned above, you are carrying out personal data processing and must in principle first comply with the national regulations applicable to you.
However, you may also need to comply with European regulations. How do you find out?
Need help with your GDPR compliance?
Processing records, privacy policy, contracts, subprocessing arrangements, data transfers and GDPR obligations: get support from African Legal Factory.
STEP 2: DETERMINING WHETHER YOUR STARTUP BASED IN AFRICA IS SUBJECT TO THE GDPR
The territorial scope of the GDPR is not limited to the European Union ("EU"), as it also imposes obligations on actors not established in the EU.
Your startup falls within the scope of the GDPR even when it is not established in the EU, provided that your activities relate to:
- the offering of goods or services to data subjects in the EU, whether or not payment is required (e.g., an e-commerce website accessible to natural persons in the EU); or
- the monitoring of the behavior of those persons, insofar as the behavior takes place within the EU (e.g., behavioral tracking via cookies or profiling through a website).
Startups based in Africa that offer goods or services directly to natural persons in the EU (e.g., an online retail site), even free of charge, are therefore subject to the GDPR.
Warning: given the extraterritorial nature of the GDPR, European supervisory authorities may sanction companies located outside the EU, in particular through online inspections of websites, document-based audits, as well as on-site inspections or hearings.
Priority: bringing your website into compliance with GDPR requirements.
Now that you know whether you must comply with the GDPR, the next step involves determining your qualification under this regulation: are you a data controller or a processor acting on behalf of a data controller?
STEP 3: IDENTIFYING YOUR STARTUP'S QUALIFICATION UNDER THE GDPR
Under Article 4 of the GDPR:
- The data controller is "the one who determines the purposes and means of processing";
- The processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller."
The processor is therefore the entity that processes personal data on behalf of, on the instructions of, and under the authority of a data controller.
Warning: the GDPR imposes new obligations on processors, who must assist data controllers in fulfilling their obligations.
Example: companies that process the personal data of individuals located in the EU on behalf of their clients are also subject to the GDPR (e.g., emailing services, call centers, payroll management, etc.).
STEP 4: COMPLYING WITH YOUR OBLIGATIONS UNDER THE GDPR
When your startup is located outside the EU and is subject to the GDPR, it must comply in particular with the following GDPR obligations:
- Designate a representative in the EU: your startup must designate in writing a representative in the EU (Article 27 of the GDPR). They should ideally be located in one of the EU countries where the natural persons whose personal data you process are based. The representative's main role is to act as a point of contact for European personal data protection authorities and for data subjects.
- Implement data protection principles by putting in place, in particular, processing records and a personal data protection policy;
- Formalize the relationship between data controller and processor, as well as with the various service providers and partners of your startup through appropriate contractual arrangements;
- Ensure the security of the data processed by implementing procedures to guarantee a high level of security and being in a position to respond in the event of a personal data breach;
- Govern transfers of personal data outside the EU.
Warning: in order to implement these compliance measures, you should first designate within your startup a compliance officer (as well as a Data Protection Officer, where applicable) responsible for establishing procedures and implementing these obligations.
WHY IS IT ESSENTIAL TO COMPLY WITH THE GDPR?
To avoid the financial penalties provided for under the GDPR, as well as criminal sanctions!
Compliance with the GDPR addresses a dual challenge:
- financial and reputational, as sanctions can reach up to €20 million or represent 4% of total annual worldwide turnover — whichever is higher — and may be made public;
- commercial, as compliance is a business asset and a means of differentiating yourself from competitors.
Example: in France, the Penal Code provides for criminal sanctions of up to 5 years' imprisonment and fines of up to €1.5 million for legal entities.
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Guidelines, recommendations and best practices published by the European Data Protection Board (EDPB);
- Guidelines of the Article 29 Working Party (WP29) endorsed by the EDPB;
- Guidelines of European data protection authorities (e.g., in France the Commission Nationale de l'Informatique et des Libertés (CNIL), in the United Kingdom the Information Commissioner's Office (ICO), in Spain the Agencia de Protección de Datos (APD)).