Almost every Ukrainian company works with personal customer data. The rules require them to be careful about the protection of personal data, request only the necessary information, and prescribe clear policies for working with data.
IT attorney Sergiy Barbashin at Trustme Law Firm works with IT and service companies, preparing the necessary GDPR and AML policies almost every week. In his article, he tells about the GDPR whether the rules apply to Ukrainian businesses and avoid possible fines.
GDPR is the general regulation of the personal data protection of the European Union that works from May 25, 2018. In fact, these are the rules for storing and processing the personal data of individuals. Individuals regularly share their private information with others to obtain certain goods, services, etc. Therefore, the GDPR is a mandatory standard for recipients of this data to increase their protection against leakage and/or unauthorized use.
These three roles can be performed by one or different individuals.
This is a critical factor because companies are not allowed to process personal data without consent. The request for approval must be clear and understandable. An example of proper permission is an agreement in the form of an unambiguous indication through a statement or an explicit positive action.
By checking the box “I accept,” the data subject performs an explicit positive action, which indicates consent to processing his personal data.
Examples of improper consent are the provision of abstract information for reference, the use of words such as “possible”, “certain”, “often,” and complex phrases that can confuse a person. Sometimes companies violate the principles of openness and free consent, which is to force customers/users to provide their personal data and support to their processing to those company services that do not need such information.
There are three conditions when your activities are subject to GDPR:
In fact, if the business is registered in the EU or the personal data of EU citizens are collected, such activities are subject to the GDPR. For example, if the company is registered in Lithuania and the employees and founders are from Ukraine, it is considered that the company operates in the EU, so it is subject to regulations. If such a company provides services only to customers from the CIS or does not collect personal data, it must also comply with GDPR.
If a Ukrainian company provides (or can provide) services to EU citizens and residents, such a company must comply with the GDPR because the personal data of EU citizens are processed.
The last condition is to study the behavior of data subjects within the EU using cookies. This can be done to analyze the market for services and goods or for marketing purposes. Monitoring activities include video surveillance, geolocation tracking, personalized online health analysis services, behavioral advertising, and more.
For example, a company founded in Mexico provides advice on shopping in supermarkets in Spain, analyzing the movement of consumers in the store using Wi-Fi. Analyzing customers’ activity in the supermarket with the help of Wi-Fi tracking will be considered to monitor people’s behavior because behavior tracking takes place in the EU. Such activities must comply with GDPR standards.
First, we recommend that you check the compliance with the regulations. Based on the results, you can create a map of personal data and make a gap assessment – a document indicates what is not enough for the company to comply with GDPR standards within business processes.
Carrying out the reconciliation is extremely important for the company, as it allows to determine whether the GDPR is needed at all and what processes need to be brought in line with the regulations. GDPR-audit will structure (inventory) personal data.
An essential step in adapting the company to the rules of the regulations is to make changes to the company’s internal documentation in accordance with the requirements of the GDPR. The company is obliged to develop and implement a set of documents that will regulate the processes within the company related to the processing and protection of personal data.
According to the explanations of Article 29 of the Regulations, examples of such documents are:
Companies must establish a clear and accessible procedure for obtaining consent to collect and process personal data. According to the regulations, the user must first agree to the privacy policy on the site, which specifies the list of data and the purpose of processing, and only then be able to leave their personal data. The consent of users to data processing must be expressed by active action. You cannot collect data by default. The privacy policy text should be simple and inform who is collecting the data, what the data is, for how long, and so on.
Article 37 of the regulation obliges appointing a person responsible for implementing the GDPR requirements in the company (Data Protection Officer). Such a position should be introduced in government agencies, in companies where the processing of personal data is carried out systematically on a large scale. Requirements for the position are an excellent knowledge of legislation and practice in personal data protection. In addition, organizations need to ensure a high level of awareness of their staff and those involved in matters related to personal data protection.
The most common violations of the GDPR:
A feature of the legal regulation of the GDPR is the introduction of significant amounts of fines: up to 20 million euros or up to 4% of the company’s annual turnover for the last financial year. More significant penalties may be imposed when the breach concerns large amounts of personal data or sensitive personal data (health information, race). As the potential penalties are significant, such a corrections system is an additional motivation to comply with the rules.
Examples of responsibilities include the following:
Ukrainian legislation also does not shy away from personal data protection processes. It is determined that the processing of personal data requires a specific goal formulated in the regulations or constituent documents of companies.
Personal data shall be processed in a form that allows the identification of the person to whom they relate for a period not exceeding that required by the purpose of their processing. The processing and dissemination of personal data are permitted without the individual’s consent only in exceptional cases to protect their vital interests or in the interests of national security.
Personal data is deleted or destroyed in case of expiration of the storage period, termination of the relationship between the personal data subject (employee) and the company, or entry into force of a court decision on their removal. A structural subdivision or a responsible person shall be created (determined) in state authorities and local self-government bodies, organizing work related to data protection during their processing. Individual entrepreneurs independently ensure the security of the personal data they possess.
An example of a violation is the case № 361/1579/20. According to the decision, the chairman of the board of the garden society spread the victim’s appeal in the general chat. In addition to the full name, the application contained information on the applicant’s address, telephone number, and e-mail address. The accused pleaded not guilty, instead of explaining that the information she had disclosed was still known to all participants in the chat, and therefore her actions did not constitute an administrative offense.
The court disagreed with this position and noted that even if it was necessary to acquaint other members of the company with the content of the victim’s appeal before disclosure, the person’s personal data should be retouched and the applicant impersonal. As a result of the case, the court of the first instance imposed a fine of UAH 5,100.00 on the chairman of the company’s board. This decision was later upheld by the Kyiv Appeal Court.
We recommend Ukrainian companies gradually implement the rules of regulation in their activities. After all, for the systematic violation of the rules on personal data protection, companies risk losing the trust of customers, business partners and receive penalties.
Please note that the GDPR applies to EU companies and cases of service relations involving an EU resident or tracking consumer behavior in the EU. Given the processes of globalization, the peculiarity of the GDPR is that its rules apply to a significant number of companies not only in the EU.
To avoid liability, the activities should be carefully checked for compliance with the requirements of the regulations. At a minimum, you should implement:
We have prepared a questionnaire on GDPR compliance. It may be helpful if you want to check yourself or look for professional help.
The material is prepared for ain.ua
The author of the material is
Sergiy Barbashin – IT attorney, managing partner at Trustme Law Firm, Intellectual Property Expert