Personal data protection. GDPR
In mid-2010 Ukraine enacted its Law on Personal Data Protection, following the example of most developed countries and adopting international practice in regulating this area.
To strengthen the country's standing in the international arena, the Parliament also completed ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
What does the Convention cover? First of all, it protects personal data subject to automatic processing, i.e. processing carried out by automated means rather than by a person handling the data directly.
Such developments have contributed to:
- Enhancement of coordination between Ukraine and the international law enforcement system;
- Introduction of measures aimed at strengthening control over foreigners crossing its border.
Since then, the personal data protection regime has been changed only once, in 2013, when supervision of personal data controllers was transferred to the Ukrainian Parliament Commissioner for Human Rights (the Ombudsman). Following the experience of developed European countries, the Ombudsman was given the right to carry out inspections of personal data controllers.
In this publication, we will talk about what the GDPR is, how it works and how it can affect your business.
Related article: GDPR - General Data Protection Regulation
What is the GDPR?
Processing of personal data takes place in almost every area of commercial activity, and it must be carried out in accordance with the applicable legislation. Therefore:
- The company must determine whether its activities fall not only under Ukrainian legislation but also under EU jurisdiction.
If a Ukrainian company offers goods or services to individuals located in the EU, or monitors their behaviour there, its activities fall under the General Data Protection Regulation (GDPR). What matters is where the data subject is, not their citizenship: the GDPR protects anyone who is in the EU, including non-EU nationals, and an EU passport alone does not bring a person within its scope. The GDPR is designed to unify data protection for all individuals within the EU.
The goal of the GDPR: to protect the privacy of all individuals in the EU and to help eliminate violations of the law in the field of personal data protection.
How can the GDPR affect businesses?
Introduction of the principle of extraterritoriality (expanded territorial reach).
The most significant change is the expanded jurisdiction of the GDPR. It applies to all companies processing personal data of data subjects located in the EU, regardless of where the company itself is located.
Previously this question was settled ambiguously, which resulted in many legal proceedings.
The GDPR, on the other hand, clearly stipulates where and how it applies:
- Processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place within the EU;
- Processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to those data subjects (whether or not payment is required) or to monitoring their behaviour within the EU.
Note! A company located outside the EU that processes personal data of individuals in the EU must designate a representative in the EU. The only exemption is for processing that is occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of individuals.
New fines and penalties.
Organisations that violate the GDPR may be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
This is the highest tier of penalty, reserved for the most serious violations, such as:
- breaching the basic principles of processing, including the conditions for consent (for example, processing personal data without valid consent where consent is the legal basis relied on);
- violating the rules on transfers of personal data to third countries or international organisations.
Lesser violations fall into a lower tier: if a company does not maintain records of its processing activities as required by the GDPR, it may be fined up to €10 million or 2% of its worldwide annual turnover, whichever is higher.
Conditions for obtaining consent to the processing of personal data have been tightened:
- Companies may no longer bury consent in long, illegible terms and conditions full of legalese.
- The request for consent shall be presented in an intelligible and easily accessible form.
- The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, using clear and plain language.
- It must be as easy to withdraw consent as it is to give it.
Rights of the personal data subject
Individuals whose data are processed have the following rights:
- The right to be informed of a personal data breach. Under the GDPR, the controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely "to result in a high risk to the rights and freedoms of natural persons", the controller must also notify the affected individuals without undue delay.
Data processors are required to notify the controller without undue delay after becoming aware of a breach. Note that a personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, not only a hack of the database: a lost laptop or an e-mail sent to the wrong recipient also counts.
- The right to be forgotten. Also known as the right to erasure, it entitles the individual to have their personal data erased by the controller, to require the controller to stop further dissemination of the data and, where the controller has made the data public, to have it take reasonable steps to inform third parties processing the data that erasure has been requested.
- The right of access. Individuals have the right to know whether their personal data are being processed and, if so, for what purpose, which categories of data are involved and to whom they are disclosed.
In addition, the controller must provide a copy of the personal data undergoing processing on request; where the request is made electronically, the copy must be provided in a commonly used electronic form.
- Data minimisation and privacy by design. Strictly speaking these are obligations on the controller rather than a right of the data subject, but they exist to protect the individual's privacy: the GDPR requires controllers to collect and process only the personal data that are necessary for the stated purpose (data minimisation) and to restrict access to personal data to those who need it for the processing.
What to remember as the GDPR comes into effect
The General Data Protection Regulation requires companies to:
- Prepare an internal Regulation (policy) on the protection of the personal data that come into the possession of the database owner.
- Prepare notices informing individuals that their data will be processed, and the corresponding consent forms.
- Prepare the various agreements (for example, with data processors) that support data protection and the proper functioning of the database.
Our company can assist you with the development of a complete package of documents required to comply with the GDPR.
If you want to know more about the GDPR and how to secure your business while implementing it, please call us!