• Ganna Prokhorova

    Head of Legal Department, IP & Law Firm Pakharenko and Partners, Attorney-at-Law

Pakharenko & Partners

Address:
Olimpiysky Business Centre,
72 Velyka Vasylkivska St.,
Kyiv, 03150, Ukraine
Tel.: +380 44 593 9693
Fax: +380 44 451 4048
E-mail: pakharenko@pakharenko.com.ua
Web-site: www.pakharenko.ua

IP and Law Firm Pakharenko & Partners was established in 1994 and has offices in Kyiv and London. As a firm providing full IP service coverage we are keen on developing successful protection and enforcement strategies for our clients, covering the development of an IP portfolio, acquisition of IPRs, commercialisation of IPRs, enforcement and management of IPRs including patents (inventions and utility models), designs, trademarks and geographical indications, domain names, copyright and related rights, plant breeders’ rights both at national and international level.

The firm provides assistance to national and foreign clients in securing and enforcing their intellectual property rights in Ukraine and CIS countries.

The company’s lawyers have been involved in anti-counterfeiting and anti-piracy activities since the implementation of the relevant provisions on IPR enforcement in Ukrainian legislation.

Our staff also possesses expertise in pharmaceutical law, competition law, media law, corporate and commercial law, unfair competition, data protection, commercial litigation.

We are able to service our clients’ needs around the world through our established network of associates. The special relationships developed by our company with many attorney firms in key foreign markets provide ongoing, substantial benefits to our internationally focused clients.

Main practice areas:

Intellectual Property, Anti-Counterfeiting and Anti-Piracy Operations and Legal Support, Media Law, Advertising Law, Competition Law, Pharmaceutical Law, Corporate Law, Customs Law, Commercial and IP Litigation.

 

IP and Law Firm Pakharenko & Partners was established in 1994 and has offices in Kyiv and London. As a firm providing full IP service coverage we are keen on developing successful protection and enforcement strategies for our clients, covering the development of an IP portfolio, acquisition of IPRs, commercialisation of IPRs, enforcement and management of IPRs including patents (inventions and utility models), designs, trademarks and geographical indications, domain names, copyright and related rights, plant breeders’ rights both at national and international level.

The firm provides assistance to national and foreign clients in securing and enforcing their intellectual property rights in Ukraine and CIS countries.

The company’s lawyers have been involved in anti-counterfeiting and anti-piracy activities since the implementation of the relevant provisions on IPR enforcement in Ukrainian legislation.

Our staff also possesses expertise in pharmaceutical law, competition law, media law, corporate and commercial law, unfair competition, data protection, commercial litigation.

We are able to service our clients’ needs around the world through our established network of associates. The special relationships developed by our company with many attorney firms in key foreign markets provide ongoing, substantial benefits to our internationally focused clients.

Main practice areas:

Intellectual Property, Anti-Counterfeiting and Anti-Piracy Operations and Legal Support, Media Law, Advertising Law, Competition Law, Pharmaceutical Law, Corporate Law, Customs Law, Commercial and IP Litigation

Membership in organizations:

The company and its members are actively involved in the operation of a number of national and international intellectual property associations, such as: AIPPI, INTA, FICPI, LES, MARQUES, PTMG, ECTA, ACG, IACC, ICC/CIB, ICC Ukraine, IBA, European Business Association (EBA), American Chamber of Commerce (ACC) in Ukraine, Ukrainian Patent Attorneys Association (UPAA), Ukrainian Alliance Against Counterfeiting and Piracy (UAACP) which is a member of the GACG Network, CIOPORA.

 

Ukraine + EU = GDPR

With all aspects of human life going digital in recent years, the complaints by citizens on serious violations of their rights in the course of processing and protection of their personal data have become frequent. Consequently, the need for reforms in the field of personal data protection has been discovered in the EU and by 25 May, 2018 the new revolutionary legal act of the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016; hereinafter — GDPR or Regulation) came into force to replace the existing EU Directive 1995.

What is the Famous GDPR All About?

The Regulation contains 99 clauses on 88 pages, and is the most complex legal act in the EU’s history. Many experts believe that the GDPR will have a decisive role in the future world’s practice of protecting personal data. Unlike EU directives that require further legislative actions on the part of the governments of member nations in order to be enacted, the GDPR is a regulation, meaning that the rules will become legally binding immediately.

The Regulation is aimed at protecting the personal data of individuals residing in the European Union, which, in fact, is not a new idea. However, the important feature of the present act is its extraterritorial nature: the GDPR will apply to all companies that are based in the EEA and/or target the EU’s markets or consumers. We will aim below to try and figure out what it implies and how it can affect Ukrainian businesses.

Who is at Risk?

The GDPR is not tied to the citizenship of a personal data subject or to the location of an entity exercising control and processing of personal data and, therefore, its operation may extend to:

— companies maintaining their actual operations in the EU through their permanent structure. For example, a Ukrainian parent company processing data in connection with the operation of its branch office in the EU;

— companies permanently offering their goods and services to consumers, inter alia, residing in EU countries (for example, the website of such a company is available in the language of at least one of the EU countries and supports payments in EU currencies). Consequently, various Ukrainian companies that offer online services, online stores, financial companies, healthcare organizations, social networks, etc. may fall under this category;

— companies carrying monitoring of the online activities of persons residing in the EU. For example, a Ukrainian company that has developed a useful mobile application which is using a geolocation and requiring authorization via email or a social network, tracking the activities of Internet users and analyzing their habits and preferences.

However, in a case where a company is collecting data on legal entities from the EU, and not individuals, or where the personal data collected is anonymous, i.e. this data cannot be correlated with a specific person by a given criterion (for example, statistical data, results of anonymous surveys and research data), compliance with the Regulation for the company will not be mandatory.

GDPR vs Law

It is known that in current Ukrainian legislation governing relations in the sphere of personal data protection, the framework act is the Law of Ukraine On Personal Data Protection of 1 June  2010 (hereinafter — the Law).

Even today it is clear that for those Ukrainian companies whose activities involve work with personal data and who target users in the EU, have contractual obligations with EU counterparties, there will be a “double burden”, as such companies will have to regulate their internal policies pertinent to the protection of personal data not only in accordance with Ukrainian legislation, but also in accordance with the new European Regulation.

If we compare, for example, the rights of personal data subjects, we may note that such rights as the right of access to data and its processing information, updating and supplementing the data, objecting against processing the data, withdrawal of consent, enshrined in the Ukrainian Law (Article 8 of the Law) are generally in line with the GDPR. The right to destroy data (the same Article 8 of the Law) is in line with the GDPR only partially (“right to erasure”), while the right to obtain a copy of the data and the right to transmit data (“data portability right”, Article 20 GDPR) are not available under the Ukrainian Law.

When comparing the key requirements to the personal data subject’s consent to processing, it can be noted that the obligation to comply with the form of acceptance by way of a specific application or affirmative action, the necessity of obtaining consent for each specific purpose of processing (Articles 6, 10, 11 of the Law) generally comply with the Regulation. At the same time, unlike the Law, the Regulation stipulates that such consent shall allow for simple and understandable language, shall be provided independently of any other issues and that its withdrawal should be as simple as its receipt (Article 6, 7 GDPR). In addition, according to the Regulation, for children under 16 years old wishing to receive online services, parental consent for data processing should be provided (Article 8 GDPR).

In general, if compared to the Ukrainian Law, the GDPR regulates the process of collecting, processing, storing personal data more thoroughly, determining the numerous functions of the participants in the process, also prescribing the rules and obligations of each of them.

Main Requirements under the GDPR

Adoption of the Regulation obliges companies to comply with certain requirements, among which the following are worth mentioning:

— the pseudonymisation of personal data (Article 32 GDPR) — storage of data that may be identified with a particular person independently of the data pertaining to him/her (for example, the person’s name is stored separately from his email address);

— expansion and specification of the scope of rights of personal data subjects, in particular, the right to request information at any time on what data have been collected, to whom the data have been transferred or disclosed (Article 15 GDPR), the right to request the transfer of their personal data from one personal data controller to another (data portability right, Article 20 GDPR), the right to erasure of data on demand (“the right to be forgotten”, Article 17 GDPR), etc.;

— obligation to notify the personal data breach to the supervisory authority of the EU not later than 72 hours after having become aware of it (Article 33 GDPR);

— establishment of a new European data protection board (Article 68-76 GDPR). At the same time, in each EU country there is a body responsible for the protection of personal data that will monitor compliance with the Regulation, and in the relevant cases it will decide on the responsibility of violators;

— a new staffing position responsible for data protection in each bigger organization — Data Protection Officer (DPO) (Article 37-39 GDPR). At the same time, the Regulation provides for the appointing of one such official by the parent company for a whole group of subsidiaries;

— stricter rules are provided for obtaining a consent to processing of personal data, which are aimed at building a data collection system in such a way that the user could first agree with the privacy policy, containing a description of the categories of data, duration and purpose of processing, etc., and only then could leave personal data;

— companies violating the requirements of the Regulation will be subject to big fines. In particular, for some violations, the fine may amount to 20 million euros or 4% of the company’s global turnover (Article 83 GDPR), not to mention reputational damage, litigation costs and compensation as a result of group and individual claims from individuals.

Nevertheless, according to many foreign colleagues, a number of norms of the Regulation generate questions as to their application. As a result, the GDPR leaves room for its interpretation and some articles would need case law before a person would become sure how to apply them properly. A number of explanatory and instructive documents on the application of the Regulation are expected to be adopted in the near future, and after May 2018, national law enforcement practice will start developing along with the practice of the European Court of Justice, which should shed light on certain disputable provisions in the act.

Legal Uncertainty

Obviously, the coming into force of the Regulation entails the emergence of obligations for a number of companies, including those outside the EU, to protect the personal data of individuals from the EU, which, if ignored, could result in heavy fines.

However, for the time being there is legal uncertainty as to how the decisions on collection of fines in non-EU countries will be enforced. Therefore, if an EU-based data subject appeals against the actions of the Ukrainian processor company to his country’s relevant competent authority with regard to the processing of his personal data, the issue of the manner of enforcement of the decision of such a body in the territory of Ukraine remains debatable. Apparently, despite the declared intentions of cooperation with the competent authorities in third countries on the basis of the principle of reciprocity, attempts by the European Commission and the EU’s supervisory bodies to cooperate in a transboundary context may be hampered by insufficient powers, a controversial regulatory regime, and practical obstacles, for example, limitations on the sources of information.

Instead of an Afterword

Since 25 May, 2018, new standards for the protection of personal data will become uniform for all those who are oriented towards the European market. Although GDPR is likely to cause some businesses more difficulty than others (such as those offering large data products), it’s important to remember that this act is being introduced to protect users’ rights at a time when almost every aspect of our lives is stored online. Obviously, the world will never be the same and multinational companies will have to adapt their activities to its realities. This challenge undoubtedly exists for Ukrainian lawyers and there is no other option than to accept it.