In May 2018, Europe will be switching to the updated regulations for the processing of personal data set by the General Data Protection Regulation (GDPR). This regulation, which directly applies in all 28 EU countries, replaces the Framework Directive on Personal Data Protection 95/46/EC from October 24, 1995.
An important aspect of the GDPR is the extraterritorial application of the new European rules on personal data processing, so Russian companies that provide services to the European or international markets should take it into account.
The new regulation gives EU residents tools to fully control their personal data. From May 2018, liability for violations of personal data processing rules is strengthened: under the GDPR, fines can reach 20 million euros (approximately 1.5 billion rubles) or 4% of a company’s global annual turnover. In this article, we have analyzed the new rules for the processing of personal data in the EU and formulated recommendations for Russian companies on how to comply with the GDPR.
Who is affected by the GDPR?
The GDPR has extraterritorial effects and applies to all companies that process personal data of EU residents, regardless of their location.
Of course, branches and representative offices of Russian companies in the EU must comply with the new requirements.
Another, less obvious, case in which the regulation applies is the following. An organization is based in Russia and sells goods and services online to users, including users from the European Union (EU). The services are offered to users in their local languages and currencies, using national top-level domains of EU countries such as “.de”, “.nl”, or “.co.uk”.
At the same time, the organization does not conduct any operations or have any subcontractors on the territory of the EU.
Given that this organization offers services and goods to EU residents, it must comply with the General Data Protection Regulation (GDPR).
This is because:
– The services and goods are adapted to the local languages spoken by EU residents.
– Payment for the services and goods is made in local EU currencies.
– The domain names used for the services are part of the national top-level domains of EU countries.
This means that organizations in Russia that process the personal data of Europeans in the course of online sales, such as Russian Railways, airlines, hotels, and hostels, are subject to the General Data Protection Regulation (GDPR) and must comply with the new European rules for processing personal information.
It’s important to note that, in addition to processing personal information, the GDPR also covers monitoring the behavior of individuals. This includes tracking EU residents online and using data processing techniques to create profiles of individuals, their behaviors, or attitudes towards certain things, such as analyzing or predicting personal preferences.
The European legislator has also separated the concepts of data controller and data processor. The controller acts as the “captain” of the ship and bears greater legal responsibility than the processor, who is like a “sailor” on the ship. Controllers decide what happens to personal data and are responsible for its processing, while processors act as “executors” of these decisions.
For example, if your company uses a cloud system to complete tasks and store personal customer data, that system would be a data processor, while you would be the controller.
What is personal data under GDPR?
Personal data is any information that relates to an individual person, such as their name, location, online identifiers, and other factors that help to identify them. This includes information about their physical, physiological, genetic, mental, economic, cultural, or social identity.
It’s important to note that even IP addresses may be considered personal data under certain circumstances.
There are also some types of personal data that are considered special or confidential. This includes information that reveals a person’s racial or ethnic origin, political views, religious beliefs, membership in trade unions, genetic or biometric data, health information, and information related to their sexual life or orientation.
6 Principles of GDPR Data Processing
The European approach to the processing of personal data can be summarized in six basic principles:
1. Legality, Fairness, and Transparency: Personal data must be processed in accordance with the law, in a fair and transparent manner. Any information regarding the purpose, method, and volume of personal data processing must be provided in an accessible and understandable manner.
2. Purpose Limitation: Data must only be collected for the specific purposes stated by the organization (online service).
3. Data Minimization: Personal data should not be collected beyond what is necessary for the stated purposes.
4. Accuracy: Any inaccurate personal data must be corrected or deleted upon request.
5. Storage Restriction: Personal data must be retained in a form that allows for identification of individuals for no longer than necessary for processing.
6. Integrity and Confidentiality (Security): When processing user data, companies must protect personal information against unauthorized or unlawful access, alteration, or destruction.
Key Requirements
Notification of Data Protection Violations: Companies must notify regulatory authorities and, in some cases, data subjects of any violations related to personal information within 72 hours of discovering such a violation.
For example, the recent news about a hacking attack on Uber is a clear example of a failure to meet this requirement. Uber disclosed to the press only a year later that hackers had accessed the personal information of 57 million users and drivers. Had the GDPR been in force, Uber could have faced a fine of up to 4% of its annual revenue.
A list of national data protection authorities in all EU countries can be found here. Additionally, there is a pan-European body, the Working Party 29 (WP29), also known as the Article 29 Working Party, but once the General Data Protection Regulation (GDPR) takes effect, the WP29 will be replaced by the European Data Protection Board (EDPB).
The GDPR significantly expands the rights of European citizens and residents regarding their personal data. Users have the right to ask for confirmation that their data is being processed, including the purpose and place of processing, the categories of data being collected, the third parties who will have access to the data, how long the data will be stored, and the source from which the organization received the data. They also have the right to correct any inaccuracies in their data and to request that the processing of their data be stopped.
The General Data Protection Regulation (GDPR) also provides for the right to be forgotten, which gives Europeans the opportunity to have their personal data deleted upon request in order to prevent its dissemination or transfer to third parties.
This right is not new, as it is already included in the current data protection directive. The European Court of Justice clarified in the Google Spain case in 2014 that data subjects have the right to have information about them removed from search results if it is not in the public interest. However, this right applies not only to search engines but to any company processing data, which must delete personal data upon request unless doing so is contrary to society’s interests or other fundamental rights.
For example, if you are a news organization, before deleting data, check that the deletion does not violate the freedom of speech or the right to information guaranteed by Article 11 of the EU Charter on Human Rights.
The right to data portability
Data portability is an innovation introduced by the GDPR in EU data protection rules. This right means that companies must provide a free electronic copy of personal information to another company upon the request of the data subject.
For instance, a startup like “Sunny” wants to enter the market with a social media platform, but large companies with a significant market share are already present. Data portability allows potential users to easily transfer their information from one service to another without having to re-enter the same information on different platforms.
Another example: a user of the e-book service “E-book” decides to switch to “Read online”. Thanks to the right to data portability, they can receive their personal data (for example, reading preferences) from “E-book” and transfer it to the new service.
Consent to Processing
The General Data Protection Regulation (GDPR) sets high standards for obtaining consent for the processing of personal data. A person’s consent must be given explicitly and actively by the user, through a clear affirmative action. Consent is not valid if the user did not have a choice or the ability to withdraw their consent without detriment to themselves. If a user has given consent, the controller needs to be able to prove it.
We do not recommend using pre-checked consent boxes or other default methods for obtaining consent. Consent cannot be implied through silence or inactivity on the part of the user. Information about how to revoke consent should be easily accessible to the user.
Special Protection for Children
Children require special protection when it comes to their personal information. The GDPR requires extra safeguards to ensure that children’s rights are respected when their data is processed. This includes ensuring that children have the right to give or withdraw consent, and that they are informed about the use of their data.
Children’s personal data deserves special protection because they are less aware of the risks, consequences, and their rights regarding the processing of their personal information. Parents (or legal representatives) must give consent for the processing of a child’s data. The age threshold for this authorization is set separately by each EU Member State (between 13 and 16 years).
Companies that conduct regular and systematic surveillance or monitoring of individuals, or that process large amounts of special categories of personal information, such as medical records or criminal records, must appoint a person responsible for personal data protection.
In any case, an organization can voluntarily appoint a data protection officer to oversee the processing of user data and ensure compliance with GDPR requirements. If it does so, the company should publish information about this officer and provide it to the national data protection regulator in its country of operation.
If your company falls within the scope of the new European data protection regulation, or if you plan to expand your services and products to EU countries, we recommend conducting a comprehensive assessment of your company’s methods and practices for processing personal data and bringing them in line with the new General Data Protection Regulation (GDPR) rules.
Additionally, you should review the privacy policies and terms of use on your websites and online services that target European consumers and users. To comply with the GDPR requirements, you will need to develop internal data protection policies, train your staff, conduct regular inspections of data processing activities, maintain documentation of your processing operations, and implement measures for a comprehensive privacy system. It is also advisable to appoint an employee responsible for handling personal data, taking into consideration the nature and volume of the data being processed.
Although the new rules for the processing of personal data are strict, they have some positive aspects for non-EU companies: it is easier to follow a single set of data protection rules than to take into account the different national regulations of each EU country. This makes it easier for companies to comply with the GDPR and reduces costs and bureaucracy. The reform aims to stimulate economic growth by making it easier for small and emerging companies to enter new markets in the EU. Depending on the size and nature of the business, some obligations may vary.
It is also important to consider in advance the mechanisms for responding to requests from European regulatory bodies and personal data subjects (users) that are possible under the General Data Protection Regulation (GDPR). These include clarifying data, deleting it, stopping its processing, or transferring it to another company in accordance with the right to data portability.
The GDPR is the most significant legislative document raising the level of personal data protection within the EU and beyond. Its implementation requires careful study and adherence.
The reform provides clarity and consistency in the rules that must be followed in the field of data protection, restoring user-consumer trust and allowing businesses to maximize their opportunities in the unified European digital market.
The collection, analysis, and movement of personal data worldwide have become of great economic significance. Personal data, of course, is the “currency” of the modern economy, and if companies collect user data in any form, they must carefully monitor its safety to prevent leaks and possible manipulation by third parties.