Regulation (EU) 2016/679, more commonly known as the GDPR, adopted by the European Commission and the European Parliamen came into force in 2018. Its aim is the creation of a single legal regime for personal data and ensuring their processing by a system of basic principles.
Personal data, according to the GDPR, is any information relating to an identified or identifiable natural person (“data subject”)
An identifiable natural person is a person who can be identified directly or indirectly, in particular, by reference to the name, surname, identification number, location data, online identifier or one, or more physical, physiological, genetic, characteristic spiritual, economic, cultural factors or referring to factors of social identity.
Category of particularly sensitive data, the processing of which is prohibited:
The GDPR defines two types of subjects who process personal data: the data controller and the data processor.
The controller is:
Most of the responsibility for the processing of personal data lies with the controller.
A processor – is a contractor of the controller, a natural or legal person, government organization, agency, or other body that processes personal data on behalf of the controller.
The Regulation enforces the principle of extraterritoriality in the processing of personal data since it applies to all companies that process personal data of EU residents, regardless of the jurisdiction of such companies. For example, if a Ukrainian company provides goods and services on the Internet to EU citizens, it immediately falls under the scope of the GDPR as a controller of personal data.
At the initial stages of business development, most projects only simulate GDPR compliance, which can lead to big troubles in the future
But if an IT project is integrated into the chain of personal data processors (APIs of social networks are connected, third-party obligations are outsourced, etc.), and some of the links in the chain are faced with information leak, all participants in the personal data transmission chain are subject to liability. Identified violations are subject to fines as high as 20 million euros imposed directly or by recourse.
To comply with the Regulations and avoid iussues and fines, at least the following documentation should be developed for an IT project:
Unfortunately, there is no universal template for creating the described documentation. The level of detail depends on the frequency of processing of personal data, volume, and nature.
Projects in which data is continuously processed require a full-time Personal Data Officer (DPO) and a Permanent Representative in the EU (DPR), who will contact with supervisory authorities and take responsibility in case of violation of EU legislation.
The development of documentation in accordance with the requirements of the Regulation, as well as internal practices and policies, requires deep legal analysis, and their implementation requires a technical audit. Also, in the process of processing personal data, it is necessary to adhere to the principles of processing (legality, transparency, data minimization), which also requires legal assistance.
To avoid problems with personal data, we recommend contacting VigoLex team of lawyers from the first day the IT project enters the market. Solving problems afterwards will be much more difficult and expensive.
