- Interviews NEW
- Editor's Preface
- Ukrainian Legal Market
Practice Areas and Industries Review
- Administrative Disputes
- Advertising & Marketing
- Alternative Dispute Resolution
- Asset Tracing
- Banking & Finance
- Banking Disputes
- Business Crime
- Business Immigration
- Business Process Solutions
- Business Protection
- Capital Markets
- Commercial Law
- Competition Investigations
- Contract Law
- Corporate Disputes
- Counterfeiting & Piracy
- Criminal Process
- Cross-Border Debt Restructuring
- Currency Regulation
- Data Protection
- Dignity and Reputation Protection
- Due Diligence
- Energy Efficiency
- Enforcement of Foreign Awards
- Enforcement Proceedings
- Family Law
- Financial Restructuring
- Housing & Communal Services
- Industrial Parks
- International Arbitration
- International Civil Procedure
- International Finance/Eurobonds
- International Tax
- IT Law
- Labor & Employment
- Marine Insurance
- Maritime Law
- Medicine & Healthcare
- Mergers & Acquisitions
- Migration Law
- Natural Resources
- Parliamentary & Public Affairs
- Ports and Marine Terminals
- Private Clients / Wealth Management
- Procedural Actions
- Procurement Disputes
- Project Finance
- Public Private Partnerships
- Public Procurement
- Real Estate
- Renewable Energy
- Role of Experts in International Arbitration
- Secured Transactions
- Show Business
- Sports Law
- State Aid
- Tax Controversy
- Trade Remedies
- Transfer Pricing
- Unfair Competition
Who Is Who
- Antitrust and Competition
- Banking & Finance, Capital Markets /Debt Restructuring
- Corporate and M&A
- Criminal Law / White-Collar Crime
- Energy & Natural Resources
- Intellectual Property
- International Arbitration
- International Trade: Trade Remedies/WTO, Commodities, Commercial Contracts
- IT / Telecommunications & Media
- Labor & Employment
- Pharmaceuticals / Medicine & Healthcare
- Real Estate, Construction, Land
- Tax and Transfer Pricing
- Transport: Aviation, Maritime & Shipping
- Law Firms Profiles
- Lawyers Profiles
Head of Legal Department, IP & Law Firm Pakharenko and Partners, Attorney-at-Law
Ukraine + EU = GDPR
With all aspects of human life going digital in recent years, the complaints by citizens on serious violations of their rights in the course of processing and protection of their personal data have become frequent. Consequently, the need for reforms in the field of personal data protection has been discovered in the EU and by 25 May, 2018 the new revolutionary legal act of the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016; hereinafter — GDPR or Regulation) came into force to replace the existing EU Directive 1995.
What is the Famous GDPR All About?
The Regulation contains 99 clauses on 88 pages, and is the most complex legal act in the EU’s history. Many experts believe that the GDPR will have a decisive role in the future world’s practice of protecting personal data. Unlike EU directives that require further legislative actions on the part of the governments of member nations in order to be enacted, the GDPR is a regulation, meaning that the rules will become legally binding immediately.
The Regulation is aimed at protecting the personal data of individuals residing in the European Union, which, in fact, is not a new idea. However, the important feature of the present act is its extraterritorial nature: the GDPR will apply to all companies that are based in the EEA and/or target the EU’s markets or consumers. We will aim below to try and figure out what it implies and how it can affect Ukrainian businesses.
Who is at Risk?
The GDPR is not tied to the citizenship of a personal data subject or to the location of an entity exercising control and processing of personal data and, therefore, its operation may extend to:
— companies maintaining their actual operations in the EU through their permanent structure. For example, a Ukrainian parent company processing data in connection with the operation of its branch office in the EU;
— companies permanently offering their goods and services to consumers, inter alia, residing in EU countries (for example, the website of such a company is available in the language of at least one of the EU countries and supports payments in EU currencies). Consequently, various Ukrainian companies that offer online services, online stores, financial companies, healthcare organizations, social networks, etc. may fall under this category;
— companies carrying monitoring of the online activities of persons residing in the EU. For example, a Ukrainian company that has developed a useful mobile application which is using a geolocation and requiring authorization via email or a social network, tracking the activities of Internet users and analyzing their habits and preferences.
However, in a case where a company is collecting data on legal entities from the EU, and not individuals, or where the personal data collected is anonymous, i.e. this data cannot be correlated with a specific person by a given criterion (for example, statistical data, results of anonymous surveys and research data), compliance with the Regulation for the company will not be mandatory.
GDPR vs Law
It is known that in current Ukrainian legislation governing relations in the sphere of personal data protection, the framework act is the Law of Ukraine On Personal Data Protection of 1 June 2010 (hereinafter — the Law).
Even today it is clear that for those Ukrainian companies whose activities involve work with personal data and who target users in the EU, have contractual obligations with EU counterparties, there will be a “double burden”, as such companies will have to regulate their internal policies pertinent to the protection of personal data not only in accordance with Ukrainian legislation, but also in accordance with the new European Regulation.
If we compare, for example, the rights of personal data subjects, we may note that such rights as the right of access to data and its processing information, updating and supplementing the data, objecting against processing the data, withdrawal of consent, enshrined in the Ukrainian Law (Article 8 of the Law) are generally in line with the GDPR. The right to destroy data (the same Article 8 of the Law) is in line with the GDPR only partially (“right to erasure”), while the right to obtain a copy of the data and the right to transmit data (“data portability right”, Article 20 GDPR) are not available under the Ukrainian Law.
When comparing the key requirements to the personal data subject’s consent to processing, it can be noted that the obligation to comply with the form of acceptance by way of a specific application or affirmative action, the necessity of obtaining consent for each specific purpose of processing (Articles 6, 10, 11 of the Law) generally comply with the Regulation. At the same time, unlike the Law, the Regulation stipulates that such consent shall allow for simple and understandable language, shall be provided independently of any other issues and that its withdrawal should be as simple as its receipt (Article 6, 7 GDPR). In addition, according to the Regulation, for children under 16 years old wishing to receive online services, parental consent for data processing should be provided (Article 8 GDPR).
In general, if compared to the Ukrainian Law, the GDPR regulates the process of collecting, processing, storing personal data more thoroughly, determining the numerous functions of the participants in the process, also prescribing the rules and obligations of each of them.
Main Requirements under the GDPR
Adoption of the Regulation obliges companies to comply with certain requirements, among which the following are worth mentioning:
— the pseudonymisation of personal data (Article 32 GDPR) — storage of data that may be identified with a particular person independently of the data pertaining to him/her (for example, the person’s name is stored separately from his email address);
— expansion and specification of the scope of rights of personal data subjects, in particular, the right to request information at any time on what data have been collected, to whom the data have been transferred or disclosed (Article 15 GDPR), the right to request the transfer of their personal data from one personal data controller to another (data portability right, Article 20 GDPR), the right to erasure of data on demand (“the right to be forgotten”, Article 17 GDPR), etc.;
— obligation to notify the personal data breach to the supervisory authority of the EU not later than 72 hours after having become aware of it (Article 33 GDPR);
— establishment of a new European data protection board (Article 68-76 GDPR). At the same time, in each EU country there is a body responsible for the protection of personal data that will monitor compliance with the Regulation, and in the relevant cases it will decide on the responsibility of violators;
— a new staffing position responsible for data protection in each bigger organization — Data Protection Officer (DPO) (Article 37-39 GDPR). At the same time, the Regulation provides for the appointing of one such official by the parent company for a whole group of subsidiaries;
— companies violating the requirements of the Regulation will be subject to big fines. In particular, for some violations, the fine may amount to 20 million euros or 4% of the company’s global turnover (Article 83 GDPR), not to mention reputational damage, litigation costs and compensation as a result of group and individual claims from individuals.
Nevertheless, according to many foreign colleagues, a number of norms of the Regulation generate questions as to their application. As a result, the GDPR leaves room for its interpretation and some articles would need case law before a person would become sure how to apply them properly. A number of explanatory and instructive documents on the application of the Regulation are expected to be adopted in the near future, and after May 2018, national law enforcement practice will start developing along with the practice of the European Court of Justice, which should shed light on certain disputable provisions in the act.
Obviously, the coming into force of the Regulation entails the emergence of obligations for a number of companies, including those outside the EU, to protect the personal data of individuals from the EU, which, if ignored, could result in heavy fines.
However, for the time being there is legal uncertainty as to how the decisions on collection of fines in non-EU countries will be enforced. Therefore, if an EU-based data subject appeals against the actions of the Ukrainian processor company to his country’s relevant competent authority with regard to the processing of his personal data, the issue of the manner of enforcement of the decision of such a body in the territory of Ukraine remains debatable. Apparently, despite the declared intentions of cooperation with the competent authorities in third countries on the basis of the principle of reciprocity, attempts by the European Commission and the EU’s supervisory bodies to cooperate in a transboundary context may be hampered by insufficient powers, a controversial regulatory regime, and practical obstacles, for example, limitations on the sources of information.
Instead of an Afterword
Since 25 May, 2018, new standards for the protection of personal data will become uniform for all those who are oriented towards the European market. Although GDPR is likely to cause some businesses more difficulty than others (such as those offering large data products), it’s important to remember that this act is being introduced to protect users’ rights at a time when almost every aspect of our lives is stored online. Obviously, the world will never be the same and multinational companies will have to adapt their activities to its realities. This challenge undoubtedly exists for Ukrainian lawyers and there is no other option than to accept it.