Data privacy, defined by Tech target is a discipline intended to keep data safe against improper access, theft or loss. One of the triads of cybersecurity is confidentiality and this has to do with data privacy. The world has become a global village and data privacy issues are now more relevant than they ever were before.

In 2009, a popular brand in America had a serious breach of its systems. For 18 months, hackers had access to the brand’s data and were able to get customers credit card details and personally identifiable information undetected. How did this happen? and how can you make sure that this doesn’t happen to your organization? The answer is simple, you need to pay attention to data privacy. As long as your business collects personal identifiable information, your business has a duty to protect the confidentiality of the people who have given you that information.

Download BAO E-MAGAZINE

Sometimes, the obligation to protect data is beyond a moral right. In Europe for example, you have the GDPR (General Data Protection Regulation), in America you have applicable laws like Health Insurance Portability and Accountability Act of 1996 (HIPAA) which demand data privacy. In Nigeria, privacy rights draw from the Constitution of the Federal Republic of Nigeria (1999) (as amended) and can also be found in the  Nigerian Data Protection Regulation, 2019.

All these laws show you that as a business owner, you are not only expected to protect data, you are under an obligation by law in some cases to protect certain types of data. The question is, how do you protect data and ensure that the privacy rights of your customers are respected?

1. Employ a CISO: You should consider employing a Chief Information Security Officer (CISO) if your organization is large, who would be in charge of formulating policies to protect data privacy as well as other valuable data in your organization. Actions like these can prevent competitors from getting valuable data from your company, ensure your company complies with relevant laws on data privacy and thus win customers’ confidence in your brand.
2. Implement good information security policies and procedures: You would also need to create good policies on information security. Ensure documents with sensitive data on customers are password protected, ensure that firewalls and anti-malware software are installed to fight off malicious cyber-attacks aimed at stealing customer data and create trainings for staff handling sensitive data.
3. Don’t collect data you don’t need: Where you don’t need to collect customer data, don’t do it. Only ask customers to give you the information relevant to the service you are providing for them. 
4.  Don’t keep data longer than you need it: Where you don’t need data anymore, and no law requires that you keep it, destroy it. Where a customer has indicated that they want their account deleted, or they don’t want to share their data with your company anymore, ensure that the data is destroyed.
5. Properly destroy data that is no longer useful to you: The same way you receive data through a process, you need to understand that destroying data is also a process. Data is not destroyed simply because you put it in the recycle bin and deleted it from the recycle bin. Ensure that data is properly destroyed when it’s no longer useful. 

At the end of the day, data privacy is important for businesses in the world today. I hope these tips would help you choose to take steps to protect your customers data in every part of your business and ensure the data privacy rights of your customers are respected.

Article by: Morenike George-Taylor CDMP, County Support Director & Data Governance Expert 

Tax image credit: Getty

The Kenyan Government, in its latest Finance Act 2022, has enacted some key changes in the area of direct tax, including an important update on the country-by-country (CbC) reporting threshold for multinational companies.

What is country-by-country reporting?

Corporates and connected persons, such as groups of companies and multinational entities (MNEs) usually face complex compliance risks. To address the potential gaps and mismatches in various tax systems globally, the Organization for Economic Co-operation and Development (OECD) introduced Action 13 CbC reporting as part of its Base Erosion and Profit Shifting (BEPS) Action Plan. Under BEPS Action 13, MNEs are required to prepare a CbC report with aggregate data on the allocation of income, profit, taxes paid and economic activity amongst all the jurisdictions in which they operate. This report must be shared with the tax administrations in these jurisdictions, for use in high-level transfer pricing and BEPS risk assessments. Part of the solution provided by Action 13 is to require countries to adopt legislation dealing with the filing of CbC reports in their jurisdiction. 

Finance Act 2022 updates of CbC

The Kenyan Government has introduced a threshold for CbC reporting with the effect from 1 January 2023. The threshold introduced in the Finance Act is for companies with gross revenues of KES 95 billion (EUR 790 million approximately) or more, including extraordinary and investment income. From 1 January 2023, a parent entity or a constituent entity of a MNE group that is tax resident in Kenya, and that has a gross turnover of over KES 95 billion, will be required to file a CbC report of its financial and economic activities in Kenya, as well as all  other jurisdictions in which the MNE has a taxable presence.

The report must contain all information of the group’s aggregate revenue, profit or losses before tax, income tax paid, income tax accrued, accumulated earnings,  number of employees, tangible and intangible assets, cash and cash equivalents and any other information as requested by the Kenya Revenue Authority (KRA).

Download BAO E-MAGAZINE 

Information to be contained in the master and local bundle.

The Finance Act requires a master file that must contain the following:

• A detailed overview of the group and the group’s growth engines.
• A description of the supply chain of the key products and services.
• The group’s research and development policy.
• A description of each constituent entity’s contribution to value creation.
• Information about intangible assets and the group intercompany agreements associated with them.
• Information on any transfer of intangible assets within the group during the tax period, including the identity of the constituent entities involved, the countries in which those intangible assets are registered and the consideration paid as part of the transfer.
• Information about financing activities of the group.
• The consolidated financial statements of the group.
• Tax rulings made in respect of the group.
• Any other information requested by the KRA.

The local file must contain:

• Details and information of the resident constituent activities within the multinational enterprise group.
• The management structure of the resident constituent entity.
• Business strategies, including structuring, description of the material-controlled transaction, the resident. constituent entity’s business and competitive environment.
• International transactions concluded by the resident constituent entity.
• Amounts received by the entity.
• Any other information requested. 

Exceptions to the CbC report filing requirement

The Finance Act provides certain exceptions to the filing requirements for a resident constituent entity of an MNE group. If a non-resident surrogate parent entity already files a CbC report for the group with the tax authorities of its tax jurisdiction, the jurisdiction in which the non-resident surrogate parent entity is resident requires a CbC report in terms of its domestic legislation, under the following conditions:

• The tax authorities of the jurisdiction where the non-resident surrogate parent entity have an exchange of information agreement with the KRA.
• The tax authority in the jurisdiction where the non-resident surrogate parent is resident has not notified the KRA of a systematic failure.
• The non-resident parent entity has notified the competent authority in the jurisdiction of its tax residence and that the entity is the designated surrogate parent entity of the group.

Concluding remarks

The reporting requirements brought by the Finance Act 2022 are consistent with the OECD’s BEPS Action Plan 13 guidelines and the three-tiered documentation approach, which is relevant to the reporting of related-party transactions and aligns with the four minimum standards under the OECD’s BEPS project.

It is important for parent entities of MNEs operating in Kenya to note the additional compliance burden which is imposed by this new legislative update. Multinationals that would be affected by the new legislative update should review their current transfer pricing documentation and compliance processes to ensure that they are in line with the new reporting requirements under the Finance Act 2022, by 1 January 2023. Failure to comply with the CbC reporting requirements will be an offense in Kenya and subject to a fine not exceeding KES 1 million (EUR 8200 approximately), a prison term not exceeding three years, or both, upon conviction.

By: Francis Mayebe, Candidate Attorney, overseen by Virusha Subban, Partner and Head of the Tax Practice, Baker McKenzie Johannesburg

By Advocate Dennis Chamisa and Dr Kim Lamont-Mbawuli (Legal Practitioner) In collaboration with Dech Legal & Associates and NLM Attorneys 

1.1. PURCHASING SHARES IN A PRIVATE COMPANY AS PER SECTION 39(2) OF THE COMPANIES ACT

Section 39(2) of the Companies Act (herein referred to as the “Act”), provides that each shareholder of a private company has a right before any other person who is not a shareholder of that company, to be offered and to subscribe for a percentage of the shares to be issued with equal voting power of that shareholder’s general voting rights immediately before the offer is made, where the company is then compelled to make an offer to all of its voting shareholders pro rata to their respective percentages of the total number of voting rights, before it may issue any shares to a third party. 

1.1.1. WHO IS BOUND BY THE SHAREHOLDER AGREEMENT

The binding force of the Shareholders Agreement stems from the law of contract, whereas section 15(6) of the Act, governs the status of a Company’s MOI and all MOIs need to be filed and registered with CIPC. The disadvantage of a Shareholders Agreement is that it binds only those shareholders who are party to it. It does not bind any other shareholders, unless they consent to be bound. 

1.1.2. WHAT IS A SUBSCRIPTION AGREEMENT 

A subscription agreement is a formal agreement between a company and an investor to buy shares of a company at an agreed-upon price. The subscription agreement contains all the required details. It is used to keep track of outstanding shares and share ownership (who owns what and how much) and mitigate any potential legal disputes in the future regarding share payout subscription agreement will include the details about the transaction, the number of shares being sold and the price per share, and any legally binding confidentiality agreements and clauses.

1.1.3. SUBSCRIPTION OF SHARES AGREEMENT 

In the event that the Company proposes to issue any shares, other than shares issued in terms of options or conversion rights in terms of section 39(1)(b), or capitalisation shares in terms of section 47 or if the consideration for any shares that are issued or to be issued is in the form of an instrument such that the value of the consideration cannot be realised by the Company until a date after the time the shares are to be issued, or is in the form of an agreement for future services, future benefits or future payment by the subscribing party.

1.2. WHAT IS THE ROLE OF A DIRECTOR OF A PRIVATE COMPANY AS PER SECTION 76 OF THE COMPANIES ACT 

By accepting their appointment to the position, directors and prescribed officers agree that they will perform their duties to a certain standard, and it is a reasonable assumption of the shareholders that every individual director and prescribed officer will apply their particular skills, experience and intelligence to the advantage of the company. 

The Act codifies the standard of directors’ conduct in section 76. The standard sets the bar for directors very high. The intention of the legislature seems to be to encourage directors to act honestly and to bear responsibility for their actions – directors should be accountable to shareholders and other stakeholders for their decisions and their actions. However, with the standard set so high, the unintended consequence may be that directors would not be prepared to take difficult decisions or expose the company to risk. 

Since calculated risk taking and risk exposure form an integral part of any business, the Companies Act includes a number of provisions to ensure that directors are allowed to act without constant fear of personal exposure to liability claims. In this regard, the Companies Act has codified the business judgement rule, and provides for the indemnification of directors under certain circumstances, as well as the possibility to insure the company and its directors against liability claims in certain circumstances. 

The Act makes no distinction between executive, non-executive or independent non-executive directors. The standard, and consequent liability where the standard is not met, applies equally to all directors.

In terms of this standard, a director (or other person to whom section 76 applies), must exercise his or her powers and perform his or her functions. these are the following; 

•  In good faith and for a proper purpose.  
• In the best interest of the company, and  
• With the degree of care, skill and diligence that may reasonably be expected.

1.3. BREACH OF FIDUCIARY DUTY

 The Companies Act prohibits a director from using the position of director, or any information obtained while acting in the capacity of a director, to gain an advantage for himself or herself, or for any other person (other than the company or a wholly-owned subsidiary of the company), or to knowingly cause harm to the company or a subsidiary of the company.

Directors have a fiduciary duty to act in the best interest of the company as a whole. Directors owe this duty to the company as a legal entity, and not to any individual, or group of shareholders – not even if the majority shareholder appointed the director. 

Directors are obliged to act in good faith in the best interest of the company. They should act within the bounds of their powers, and always use these powers for the benefit of the company. Where a director transgresses his or her powers, the company might be bound by his or her action, but he or she can be held personally liable for any loss suffered as a result of the transgression. 

In discharging any board or committee duty, a director is entitled to rely on one or more employees of the company, legal counsel, accountants or other professional persons, or a committee of the board of which the director is not a member. However, the director does not transfer the liability of the director imposed by this Act onto such employees. Directors of a company may be held jointly and severally liable for any loss, damage or costs sustained by the company as a result of a breach of the directors’ fiduciary duty or the duty to act with care, skill and diligence. 

The Act sets out a range of actions for which directors may be held liable for any loss, damage or costs sustained by the company. These actions include the following;  Acting in the name of the company without the necessary authority  Being part of an act or omission while knowing that the intention was to defraud shareholders, employees or creditors  Signing financial statements that were false or misleading in a material respect.

1.4. CIVIL CLAIM AGAINST THE DIRECTOR 

Section 77(3)(b) of the Act, as read with section 22 of the Act, penalises and holds directors personally liable to the company for any loss incurred through knowingly carrying on the business of the company recklessly, with gross negligence, with intent to defraud any person or for any fraudulent purpose. 

CONCLUSION 

Shareholders play a critical role in terms of the South African Companies Act of 2008, with reference to the affairs of the company. Just any contract, shareholders agreement is the essential document that binds the relationship of shareholders who are a party to it. Notwithstanding the existence of Memorandum of Incorporation, (MOI) one of the roles of a shareholder is the appointment of directors. Therefore, the MOI provides “mechanism of power equilibrium” between the shareholders and directors of the company. In that the shareholders using their voting rights can authorize critical transactions and any dividends proposed by the directors. 

As discussed above, subscription agreement is a contract that is between the company and investor for the purchase of shares at an agreed price. Such an agreement will have the terms and conditions agreed upon and can also be used to track any outstanding shares thus to mitigate possible legal disputes. Last but not least any director of the company ought to measure to the defined standard as per section 76 of the Companies Act, thus with reference to skills, experience and intelligence. In terms of the Act, directors ought to act with utmost honesty and should bear responsibility for their actions, as they are obligated to act in good faith and for the best interest of the company. 

In conclusion, should there be any breach of the fiduciary duty by the director, section 77 (3) (b) of the Act read with section 22 of the Act penalizes and holds the directors personally liable to the company for any loss incurred through knowing conducting the affairs of the company recklessly with gross negligence. In such instances the veil of protection will be lifted so as to protect the company as a separate entity. 

ACKNOWLEDGEMENTS

We acknowledge Dr Maribanyana Lebeko who is part of the advisory for Simanye Clinic for his assistance with respect to compilation, editing and proofreading of this article.

Download BAO E-MAGAZINE