The EU market develops every day, and as a result cross-border flows of personal data increase, including through use of the Internet. This causes significant problems for the protection of personal data. Thus, the main aim of the GDPR is to protect personal data and personal data subjects. The General Data Protection Regulation came into force on May 25, 2018.
GDPR is designed to promote the development of a space of freedom, security, justice and economic union; economic and social progress; strengthening the rule of law and convergence of economies within the domestic market, as well as the general well-being of individuals in EU member states.
The GDPR is mandatory for all EU Member States. For companies that are not resident in the EU, including those in CIS countries, the requirements apply in the following cases:
- Companies that supply their goods or services to individuals in the EU. For example, online stores, tour operators, transport companies that are in Ukraine and process the data of EU residents.
- Companies that carry out marketing research covering consumers from the EU.
- Companies that, in the course of their activities, gain access to the personal data of subjects in the EU. This can be any Ukrainian company that, for example, has access to the data of employees from the EU.
The main innovations of the GDPR that will affect CIS countries are:
The necessity to introduce a new position in the company: Data Protection Officer
All companies dealing with a significant amount of personal data or with the «special» categories of such data must appoint a person responsible for protecting the employee’s personal data. He can perform his duties both under an employment contract and on a civil law
The Officer must have an appropriate level of knowledge in the field of personal data protection. A group of companies may have one responsible person if this ensures unrestricted access to the activities of each member of the group. In addition, he can work in the company either as his main place of work or part-time.
Necessity of a representative (representation) in the EU
If your company falls under the GDPR and is not located in the EU, an official representative of the company in the EU is required. The representative must be appointed as a contact person for the authorized authorities on all issues concerning the protection of the personal data of EU citizens. The representative can be either a natural person or a legal entity.
Among the mandatory requirements, a representative must be established (for legal entities) or be present (for individuals) in one of the countries whose citizens are the persons whose personal data are processed or whose behavior is being investigated.
The exceptions to this rule are:
- if data processing is not permanent;
- if the personal data processed do not belong to the «special» categories (as already mentioned above, including, in particular, genetic and biometric data) or relate to criminal proceedings or accusations;
- if the nature of the data indicates that it is impossible to seriously violate the rights of the person in case of their leakage (it is not difficult to assume that market participants who, for one reason or another, do not intend to fulfill this requirement of the GDPR will try to use such an evaluative wording to avoid it).
Proof of compliance with GDPR requirements
The GDPR establishes a duty to prove the company’s compliance with the new requirements. In order to prove compliance, controllers must store all information relating to their activities involving personal data (about the controller, data transfer operations, etc.).
Increasing the level of personal data security
The GDPR does not set clear criteria for assessing the level of compliance with security requirements. Instead, it operates with evaluative categories, which implies that controllers and processors should provide the highest level of information security possible for them, including by implementing appropriate technical and organizational measures.
Security measures can vary widely. They depend on what data are processed, on their quantity, on the possibility of leakage, etc. As examples of the steps that can be taken, the GDPR names pseudonymization and encryption.
Limitation of the use of cloud storage for the placement of personal data
According to the GDPR, the placement of personal data in cloud storage is considered a transfer to third parties. It is necessary to beware of storage with a low level of protection and to limit the placement of personal data in it. If data transfer via cloud storage occurs outside the EU without adequate security, such actions violate EU law.
The introduction of control over the transfer of personal data outside the European Economic Area
As a general rule, personal data can be transferred to a third country only if there is a positive conclusion from the European Commission regarding the country’s compliance with high standards of personal data protection. The most acceptable option for Ukraine will be the use of standard contractual terms approved by the European Commission.
Overall increase of privacy
The Regulation provides for increased privacy. In addition to the standard of the highest level of privacy by default (for example, in social networks), it may be necessary to collect the subject's consent to the handling of each individual item of information that he enters.
The basic rights of subjects of personal data (for example, the right to access data about themselves or the right to demand the termination of the processing of personal data) were provided for by the Directive. The Regulation introduced, for example, such rights as the right to data portability.
The subject of personal data can ask to transfer his personal data from one organization to another, for example, when changing the medical institution in which he is served.
The Regulation also introduces a new right, the right to be forgotten, which allows the subject to require the deletion of data about himself from all company databases. It is important to note that this right is not absolute and applies only in directly established cases. For example, if processing is required by law, the subject cannot exercise his right to be forgotten.
In particular, the person must know the purpose of processing personal data already at the stage of its collection. If data collection is the result of a person’s will, the controller must demonstrate that the person is presenting his personal data here and there.
Although there are currently similar rules in Ukraine, lawyers from the EU indicate that the current level of awareness of users is not enough, and that with the adoption of the GDPR, social networks will change beyond recognition.
In this regard, the provisions of the Regulation stating that EU Member States should ensure privacy in the workplace are of interest. In particular, if the employer monitors workers by installing cameras, the worker must know about and consent to the processing of personal data. Such a rule will also apply in Ukraine if the employee is a citizen of the EU.