What is the GDPR and how Ukrainian companies may follow it

Almost every Ukrainian company works with personal customer data. The rules require them to be careful about the protection of personal data, request only the necessary information, and prescribe clear policies for working with data.

IT attorney Sergiy Barbashin at Trustme Law Firm works with IT and service companies, preparing the necessary GDPR and AML policies almost every week. In this article, he explains what the GDPR is, whether its rules apply to Ukrainian businesses, and how to avoid possible fines.

What is the GDPR

The GDPR is the European Union's General Data Protection Regulation, in force since May 25, 2018. In essence, it is a set of rules for storing and processing the personal data of individuals. Individuals regularly share their private information with others to obtain goods, services, etc. The GDPR is therefore a mandatory standard for the recipients of this data, intended to strengthen its protection against leakage and/or unauthorized use.

The main elements of the GDPR

1. Subjects. The regulation defines the following key roles for those who handle data:

  • “Controller” – a person who collects data from EU residents, ensures that the data is processed in accordance with the requirements of the GDPR, and is responsible for violations. The controller can be, for example, the site on which an order is placed or through which services are provided to consumers.
  • “Processor” – a person who processes data on behalf of the controller and is also liable for violations of the GDPR. The processor can be, for example, a cloud service provider.
  • “Recipient” – a person to whom personal data is disclosed.

These three roles can be performed by one person or by different persons.

2. Principles. When working with personal data, companies must adhere to the following basic principles:

  • Purpose definition. The individual must be informed about the specific purposes for which his personal data is collected and what it will be used for.
  • Data minimization. You cannot request data that is not necessary for the purpose of its processing.
  • Accuracy. Personal data must be up-to-date and accurate. Inaccurate data must be deleted.
  • Integrity and confidentiality. The processing method must protect personal data from loss, leakage, damage, or destruction.

3. Consent of an individual to the processing of personal data

This is a critical factor because companies are not allowed to process personal data without consent. The request for consent must be clear and understandable. Proper consent is an unambiguous indication of agreement, given either by a statement or by a clear affirmative action.

By ticking the box “I accept,” the data subject performs a clear affirmative action that indicates consent to the processing of his personal data.

Examples of improper consent include providing only abstract information for reference, using vague words such as “possible”, “certain”, or “often”, and using complex phrases that may confuse a person. Companies sometimes violate the principles of transparency and freely given consent by forcing customers/users to provide their personal data, and to agree to its processing, for company services that do not need such information.

4. Purpose. The processing of personal data is considered lawful if it is carried out in one of the following cases:

  • the data is necessary for the performance of a contract to which, directly or indirectly, your company and the consumer are parties;
  • processing is required to protect the public interest;
  • the consumer has agreed to the processing of his personal data for clearly stated purposes;
  • obtaining the personal data is necessary to protect vital interests.

Does the GDPR apply to Ukrainian companies?

There are three conditions under which your activities are subject to the GDPR:

  • You process the personal data of EU citizens.
  • A company that acts as a controller, processor, or data recipient is registered in the EU.
  • You monitor the behavior of data subjects within the EU.

In fact, if the business is registered in the EU or collects the personal data of EU citizens, its activities are subject to the GDPR. For example, if a company is registered in Lithuania and its employees and founders are from Ukraine, the company is considered to operate in the EU and is therefore subject to the regulation. Even if such a company provides services only to customers from the CIS or does not collect personal data, it must still comply with the GDPR.

If a Ukrainian company provides (or may provide) services to EU citizens and residents, it must comply with the GDPR because it processes the personal data of EU citizens.

The last condition covers studying the behavior of data subjects within the EU, for instance with cookies. This may be done to analyze the market for services and goods or for marketing purposes. Monitoring activities include video surveillance, geolocation tracking, personalized online health analysis services, behavioral advertising, and more.

For example, a company founded in Mexico provides advice on shopping in supermarkets in Spain, analyzing the movement of consumers in the store using Wi-Fi. Analyzing customers’ activity in the supermarket by Wi-Fi tracking is considered monitoring of people’s behavior because the tracking takes place in the EU. Such activities must comply with GDPR standards.

What businesses need to do to meet the GDPR

First, we recommend checking your compliance with the regulation. Based on the results, you can create a map of personal data and carry out a gap assessment: a document that indicates what the company still lacks to bring its business processes in line with GDPR standards.

Carrying out this check is extremely important for the company, as it determines whether the GDPR applies at all and which processes need to be brought in line with the regulation. A GDPR audit will also structure (inventory) the personal data the company holds.

An essential step in adapting the company to the regulation is bringing the company’s internal documentation in line with the requirements of the GDPR. The company is obliged to develop and implement a set of documents that regulate its internal processes related to the processing and protection of personal data.

According to the explanations to Article 29 of the Regulation, examples of such documents are:

  • Privacy Policy – a document for notifying data subjects about the company’s processing of their personal data;
  • GDPR Controller / Processor Agreement Policy – a document that regulates the procedure for concluding agreements between the company and persons who process personal data and indicates the main points of such agreements;
  • Privacy Notice Procedure – the procedure of notifying data subjects about the peculiarities of the processing of their personal data;
  • Data Subject Request Procedure & Complaints Procedure – defines the company’s actions in case of a data subject’s complaint or request;
  • Preparation Project Plan – discloses the activities carried out by the company to achieve compliance with the rules;
  • Roles and Responsibilities – sets mandatory actions for company management and employees in the personal data processing.

Companies must establish a clear and accessible procedure for obtaining consent to collect and process personal data. According to the regulation, the user must first agree to the site’s privacy policy, which specifies the list of data and the purpose of processing, and only then be able to leave personal data. Users’ consent to data processing must be expressed by an active action; you cannot collect data by default. The privacy policy text should be simple and state who is collecting the data, what data is collected, for how long, and so on.

Article 37 of the regulation requires the appointment of a person responsible for implementing the GDPR requirements in the company (a Data Protection Officer). Such a position must be introduced in government agencies and in companies where personal data is processed systematically on a large scale. The position requires excellent knowledge of legislation and practice in personal data protection. In addition, organizations need to ensure a high level of awareness among their staff and others involved in matters related to personal data protection.

Responsibility

The most common violations of the GDPR are:

  • Insufficient technical and organizational measures to ensure information security.
  • Violation of the principles of data processing.
  • Incomplete fulfillment of information obligations.
  • Lack of a legal basis for data processing.

A distinctive feature of the GDPR is the introduction of significant fines: up to 20 million euros or up to 4% of the company’s annual turnover for the last financial year. More significant penalties may be imposed when the breach concerns large amounts of personal data or sensitive personal data (health information, race). As the potential penalties are significant, this system of sanctions is an additional motivation to comply with the rules.

Examples of enforcement include the following:

  • The French Data Protection Authority (CNIL) fined Google €50 million in January 2019. All claims against the company are described in detail on the regulator’s website. The reasons were lack of transparency, lack of information, and lack of valid consent to the processing and use of personal data: Google did not provide users with enough information when obtaining consent to the processing of their personal data. The company appealed the regulator’s decision to the French Supreme Administrative Court, but the appeal was rejected.
  • In October 2020, the UK’s data protection regulator fined British Airways £20 million after the personal and financial data (payment card details, names, and addresses of travelers) of more than 400,000 customers were compromised in a hack.

Ukrainian legislation also addresses personal data protection. It establishes that the processing of personal data requires a specific purpose set out in the company’s regulations or constituent documents.

Personal data shall be processed in a form that allows identification of the person to whom it relates for no longer than is required by the purpose of its processing. Processing and dissemination of personal data without the individual’s consent is permitted only in exceptional cases, to protect their vital interests or in the interests of national security.

Personal data is deleted or destroyed when the storage period expires, when the relationship between the data subject (employee) and the company ends, or when a court decision ordering its removal enters into force. State authorities and local self-government bodies must create a structural subdivision or designate a responsible person to organize data protection during processing. Individual entrepreneurs independently ensure the security of the personal data they possess.

An example of a violation is case № 361/1579/20. According to the decision, the chairman of the board of a garden society shared the victim’s written appeal in a general chat. In addition to the full name, the appeal contained the applicant’s address, telephone number, and e-mail address. The accused pleaded not guilty, explaining that the information she had disclosed was already known to all participants in the chat, and therefore her actions did not constitute an administrative offense.

The court disagreed with this position and noted that even if it was necessary to acquaint other members of the society with the content of the victim’s appeal, the person’s personal data should have been redacted and the applicant anonymized before disclosure. As a result, the court of first instance imposed a fine of UAH 5,100.00 on the chairman of the society’s board. This decision was later upheld by the Kyiv Appeal Court.

Conclusion

We recommend that Ukrainian companies gradually implement the rules of the regulation in their activities. After all, companies that systematically violate personal data protection rules risk losing the trust of customers and business partners, as well as incurring penalties.

Please note that the GDPR applies to EU companies and to service relationships involving an EU resident or the tracking of consumer behavior in the EU. Given globalization, a peculiarity of the GDPR is that its rules apply to a significant number of companies outside the EU as well.

To avoid liability, your activities should be carefully checked for compliance with the requirements of the regulation. At a minimum, you should:

  • implement an explicit request for consent on your website, service, or application;
  • draw up a Privacy Policy and other necessary documents;
  • collect and store only the data you need, and delete it on time;
  • appoint a responsible person to monitor compliance with the regulation if most of your customers are EU citizens.

We have prepared a questionnaire on GDPR compliance. It may be helpful if you want to check yourself or are looking for professional help.

The material is prepared for ain.ua

The author of the material is

Sergiy Barbashin – IT attorney, managing partner at Trustme Law Firm, Intellectual Property Expert