Legal protection of personal data: What is personal data and why should it be "protected"?
Today, it’s commonly believed that you need to worry about the protection of personal data only if the person is directly covered by the GDPR. But in practice, even the national legislation of many countries, including Ukraine, provides for liability for breach of personal data protection requirements. As a rule, the data breach penalties that will shortly come into force take the form of a fine, the amount of which depends on the type of violation and the legislation that applies to the processing of personal data.
In order to avoid negative consequences both for the company and for the persons whose data is processed, it is necessary to determine correctly WHAT to process and HOW to process it.
What do we mean by “processing” and “personal data”?
Practically any action taken by the company (as the owner or manager of the personal data) with such data is considered processing of personal data, in particular: collection, storage, depersonalization, sorting, transfer to third parties, deletion, etc.
What kind of information can be considered personal data?
Neither international acts (the GDPR) nor the Law of Ukraine “On Protection of Personal Data” gives a clear list of data that can be considered personal information. They use an abstract definition, under which personal data is information or a set of information:
- that directly identifies a particular individual;
- that does not directly identify the person, but contains data from which the person in question can be indirectly identified.
For example, a company order awarding a bonus to the employee I.I. Ivanov can be considered to contain personal data of that employee, that is, information that directly identifies this person, namely: surname, patronymic name, existence of an employment relationship with the company, position, amount of remuneration, etc.
If such an order does not contain information about specific persons, but provides for a bonus, for example, by job title, it is not considered to contain personal data.
However, if such positions in the company are “single” (for example, the position of director) and the person can be identified from the very name of the position, the information contained in such an order allows that person to be identified indirectly, and is therefore his/her personal data. As we know, there is only one director in the company, and the information about the person holding this position is publicly available.
Please note! Any information may be considered personal data provided that it concerns a particular person.
At one time the Constitutional Court of Ukraine, based on the practice of the European Court of Human Rights, established that personal data may be information about nationality, education, marital status, date and place of birth, residence and location, financial situation, relations with other individuals and legal entities, etc.
From the practice of the Court of Justice of the EU, we can also add that photo and video images, voice samples, cookies, login and password, etc. can be considered personal data of a person.
What is sensitive data?
A special subgroup of personal data is distinguished - “a special category of personal data” (so-called “sensitive data”), which includes, in particular, information about:
- racial origin;
- ethnic origin;
- political opinions and religious beliefs;
- sexual orientation;
- membership in political parties, trade unions and other organizations;
- data on prosecution;
- data relating to health;
- biometric data (fingerprints, blood type / rhesus, etc.).
Sensitive data may only be processed to the extent expressly permitted by law and subject to certain restrictions intended to facilitate its protection.
Please note! The data that may be processed by the company must be determined by the specific purpose of the company, and the volume of such data must be the minimum necessary to fulfil that purpose.
For example, if a company sells furniture, it cannot collect data on the health status of its customers, but at the same time, it can process data on their residence, for example, for the delivery of goods.
Violation of the procedure of personal data processing can be a reason to hold the company liable, as well as a ground for justified claims from the data subjects.
Therefore, it is important at the start of your activity to follow this sequence of actions:
- First, determine the data set that your company needs in order to achieve its individual goals in its economic activity;
- Establish the correct order of processing and protection of personal data, and thus prevent possible claims.
The lawyers of our company will help you with the introduction of protection of personal data in your company, and help to avoid any problems in the future. Please contact us for details!