Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside South Africa being able to access or "see" personal data held in South Africa; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Employers can transfer employee data outside of South Africa in cases where:
- the recipients of the information are subject to laws, binding corporate rules or binding agreements which provide a level of protection similar to the requirements under the Protection of Personal Information Act (2013);
- the employee consents to the transfer;
- necessary to perform a contract (or pre-contractual measure) between an employee and the employer;
- necessary for the conclusion or performance of a contract concluded in the interest of the employee between the employer and a third party; or,
- the transfer is for the benefit of the employee, consent isn’t reasonable to obtain and the employee would likely give consent.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside South Africa when an adequate level of protection is ensured and access by subsequent entities remains limited to the minimum necessary for the intended purpose.