Personal data processing rules in Ukraine and GDPR in EU: Differences and Commonalities
The General Data Protection Regulation (GDPR) came into force in the European Union a few days ago. It makes the rules for processing personal data stricter and, for violations, establishes fines that can deal a devastating blow to a company's finances.
The Regulation applies extraterritorially. If a company processes the data of even one EU resident, the GDPR applies to that company, so it is reasonable to think about the possible consequences right now.
Naturally, the question arises:
“How significantly should the company’s internal policy be amended?”
Let's try to answer this question by comparing the rules of the Regulation with the national legislation. In Ukraine, the main act regulating these relationships is The Law about Protection of Personal Data. After analysing its provisions, we can note that Ukrainian legislation mostly complies with the requirements of the GDPR (in particular as regards the principles of processing, the procedure for obtaining the subject's consent, the categories of personal data with a special status, the rights of the subjects and the obligations of the controller, etc.).
However, certain differences exist. The Regulation requires the controller (meaning the owner / manager of personal data) not only to protect the personal data, but also to be able to demonstrate that its actions comply with the rules of the Regulation. Therefore, the subject's consent to data processing is no longer enough. The data subject has to adopt an appropriate internal policy that matches the new requirements and implements the principles of protection under the GDPR (in particular, minimizing personal data processing, speeding up pseudonymization of personal data, and giving subjects the ability to control the processing of their data). It is advisable to create data protection certification mechanisms to demonstrate that data processing complies with the requirements of the Regulation. For the same purpose, the controller is now obliged to keep a register of all actions carried out in the course of processing personal data. In addition, the controller must put in place appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose is processed.
If your company processes data of EU residents (at least one) and is not located in the EU, it must have an official representative (an individual or a legal entity) in one of the EU countries where the processing is carried out. Exceptions apply where the data processing is not permanent; where the processed personal data do not belong to the "special" categories; where the data relate to criminal proceedings or allegations; or where the nature of the data makes a significant violation of the person's rights impossible in case of a leak.
The Regulation provides rather strict fines for violating the requirements for the protection of personal data, but it does not mention criminal liability (this is evidently left to the jurisdiction of the participating countries): depending on the type of violation, the fines range from 2 or 4% of the annual profit (or 10 or 20 million, whichever sum is bigger).
Summary: the GDPR establishes more detailed requirements (in comparison with national law) for the technical side of personal data collection and processing, including a positive (even if rather strict) requirement to demonstrate the legality of the controller's actions. Taking the above into account, it is high time to bring the company's internal policies and its personal data collection and processing mechanisms into line with the requirements of the Regulation in order to avoid any possible negative consequences.
Our team of lawyers will help you create a Company Policy in accordance with the new requirements. It's time to protect your company!