31 May 2018

Personal data processing rules in Ukraine and GDPR in EU: Differences and Commonalities

The General Data Protection Regulation (GDPR), which modifies the rules on personal data processing, makes them stricter and, in case of their violation, establishes fines that can deal a devastating blow to a company's finances, came into force a few days ago in the European Union.

The Regulation applies extraterritorially. Therefore, if there is even one EU resident whose data is processed by the company, the GDPR will apply to it, so it is reasonable to think about the possible consequences right now.

Naturally, the question arises: "Are the required changes to the company's internal policy really significant?"

Let's try to answer this question by comparing the rules of the Regulation with the national legislation. In Ukraine, the main act that regulates the relevant relationships is the Law "On Protection of Personal Data". After analysing its provisions, we can note that Ukrainian legislation mostly complies with the requirements of the GDPR (in particular, as regards the principles of processing, the procedure for obtaining the subject's consent, the categories of personal data with a special status, the rights of the subjects and the obligations of the controller, etc.).

However, certain differences exist. The Regulation requires the controller (meaning the owner / manager of personal data) not only to protect the personal data, but also to be able to demonstrate that its actions comply with the rules of the Regulation. Therefore, the subject's consent to data processing alone is no longer enough. The data subject has to adopt an appropriate internal policy that matches the new requirements and implement the principles of protection under the GDPR (in particular, minimising personal data processing, speeding up the pseudonymisation of personal data, and giving subjects the ability to control the processing of their data). It is better to create mechanisms for the certification of data protection in order to demonstrate that data processing complies with the requirements of the Regulation. For the same purpose, the controller is now obliged to keep a register of all actions carried out in the course of processing personal data. In addition, the controller must put in place appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose is processed.

If your company processes data of EU residents (at least one) and is not located in the EU, it is necessary to have an official representative of the company in the EU (an individual or a legal entity) in one of the countries where the processing is carried out. Exceptions are the cases where the data processing is not permanent; where the processed personal data do not belong to the "special" categories; where the data relate to criminal proceedings or allegations; and where the character of the data indicates that no significant violation of the person's rights is possible in case of their leakage.

The Regulation provides rather strict fines for violating the requirements for the protection of personal data, although it does not mention criminal liability (obviously this is left to the jurisdiction of the member states): 2% or 4% of the annual profit (or 10 or 20 million, whichever sum is bigger), depending on the type of violation.

Conclusion: the GDPR establishes more detailed requirements (in comparison with national law) for the technical side of personal data collection and processing, including a positive (even if rather strict) novelty: the requirement to demonstrate the legality of the controller's actions. Therefore, there is no reason to delay; now is the time to assess whether the company's internal policies and its mechanisms for collecting and processing personal data meet the requirements of the Regulation, and so avoid possible negative consequences.

Our team of lawyers will help you to create a company policy in accordance with the requirements. It's time to protect your company!