GDPR

Published: June 21, 2018

The EU market develops every day, and as a result cross-border flows of personal data increase, including through the use of the Internet. This causes major problems for the protection of personal data. Thus, the main aim of the GDPR is to protect personal data and personal data subjects. The General Data Protection Regulation came into force on May 25, 2018.

The GDPR is designed to promote the development of an area of freedom, security and justice and of an economic union; economic and social progress; the strengthening of the rule of law and the convergence of economies within the internal market; as well as the general well-being of individuals in EU member states.

The GDPR is mandatory for all EU Member States. For companies that are not resident in the EU, including those in CIS countries, the requirements apply in the following cases:

  1. Companies that supply their goods or services to individuals in the EU. For example, online stores, tour operators and transport companies that are located in Ukraine and process the data of EU residents.
  2. Companies that carry out marketing research covering consumers from the EU.
  3. Companies that, in the course of their activities, gain access to the personal data of subjects in the EU. This can be any Ukrainian company that, for example, has access to the data of employees from the EU.

The main innovations of the GDPR that will affect CIS countries are:

  1. The necessity to introduce a new position in the company: Data Protection Officer

All companies dealing with a significant amount of personal data or with the “special” categories of such data must appoint a person who is responsible for protecting the employee’s personal data. He can perform his duties both under an employment contract and on a civil law

The Officer must have an appropriate level of knowledge in the field of personal data protection. A group of companies may have one Officer if this ensures unrestricted access to the activities of each member of the group. In addition, the Officer can work in the company either as a main place of work or part-time.

  2. Necessity of a representative (representation) in the EU

If your company falls under the GDPR and is not located in the EU, it must have an official representative in the EU. The representative must be appointed as the contact person for the authorized authorities on all issues of protection of the personal data of EU citizens. The representative can be either a natural person or a legal entity.

Among the mandatory requirements, the representative must be established (for legal entities) or located (for individuals) in one of the countries whose citizens have their personal data processed or their behavior investigated.

The exceptions to this rule are: if data processing is not permanent; if the personal data processed does not belong to the “special” categories (as already mentioned above, including, in particular, genetic and biometric data) or to data relating to criminal proceedings or accusations; if the nature of the data indicates that a leak could not seriously violate the rights of the person (it is not difficult to assume that market participants who, for one reason or another, do not intend to fulfill this requirement of the GDPR will try to use such evaluative wording to avoid it).

  3. Proof of compliance with GDPR requirements

The GDPR establishes a duty for the company to prove its compliance with the new requirements. In order to prove compliance, controllers must store all information relating to their activities involving personal data (about the controller, data transfer operations, etc.).

  4. Increasing the level of personal data security

The GDPR does not set clear criteria for assessing the level of compliance with security requirements. Instead, it operates with evaluative categories, which implies that controllers and processors should provide the highest level of information security possible for them, including the implementation of appropriate technical and organizational measures.

Security measures can vary widely. They depend on what data is processed, on its quantity, on the possibility of leakage, etc. As examples of the steps that can be taken, the GDPR names pseudonymization and encryption.

  5. Limitation of the use of cloud storage for the placement of personal data

According to the GDPR, placing personal data in cloud storage is considered a transfer to third parties. It is necessary to beware of storage with a low level of protection and to limit the placement of personal data in it. If data transfer via cloud storage occurs outside the EU without adequate security, such actions violate EU law.

  6. The introduction of control over the transfer of personal data outside the European Economic Area

As a general rule, personal data can be transferred to a third country only if the European Commission has issued a positive conclusion regarding that country’s compliance with high standards of personal data protection. The most acceptable option for Ukraine will be the use of standard contract terms approved by the European Commission.

  7. Overall increase of privacy

The Regulation provides for increased privacy. In addition to the standard of the highest level of privacy by default (for example, in social networks), it may be necessary to collect the subject’s consent to the handling of each individual item of information that he enters.

The basic rights of subjects of personal data (for example, the right to access data about themselves or the right to demand the termination of the processing of personal data) were already provided for by the Directive. The Regulation introduced further rights, such as the right to data portability.

The subject of personal data can ask for his personal data to be transferred from one organization to another, for example, when changing the medical institution that serves him.

The Regulation also introduces a new right, the right to be forgotten, which allows the subject to require the deletion of data about himself from all company databases. It is important to note that this right is not absolute and applies only in expressly established cases. For example, if processing is required by law, the subject cannot exercise the right to be forgotten.

Notably, the person must know the purpose of processing personal data already at the stage of its collection. If data collection is the result of a person’s will, the controller must demonstrate that the person is presenting his personal data here and there.

Although similar rules currently exist in Ukraine, lawyers from the EU indicate that the current level of user awareness is not enough, and that social networks will change beyond recognition with the adoption of the GDPR.

In this regard, the Regulation contains interesting provisions stating that EU Member States should ensure privacy in the workplace. In particular, if the employer monitors workers by installing cameras, the worker must know about and consent to the processing of personal data. Such a rule will also apply in Ukraine if the employee is a citizen of the EU.

For a personal consultation, please contact our specialist. If you have any questions or need advice on the protection of personal data or the GDPR, call us on the numbers on the website or fill out and send us the form at the bottom of the page.
