Personal data protection according to GDPR

Regulation (EU) 2016/679, more commonly known as the GDPR, adopted by the European Commission and the European Parliamen came into force in 2018. Its aim is the creation of a single legal regime for personal data and ensuring their processing by a system of basic principles.

Personal data, according to the GDPR, is any information relating to an identified or identifiable natural person (“data subject”)

An identifiable natural person is a person who can be identified directly or indirectly, in particular, by reference to the name, surname, identification number, location data, online identifier or one, or more physical, physiological, genetic, characteristic spiritual, economic, cultural factors or referring to factors of social identity.

Category of particularly sensitive data, the processing of which is prohibited:

  • information on racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership;
  • genetic and biometric data when used for unique identification of an individual,
  • data on the health, sex life, or sexual orientation of an individual.

The GDPR defines two types of subjects who process personal data: the data controller and the data processor.

The controller is:

  • natural or legal person, public institution, agency or other entity
  • which alone or jointly with others (co-controllers)
  • determines the purposes and methods of processing personal data.

Most of the responsibility for the processing of personal data lies with the controller.

A processor – is a contractor of the controller, a natural or legal person, government organization, agency, or other body that processes personal data on behalf of the controller.

The Regulation enforces the principle of extraterritoriality in the processing of personal data since it applies to all companies that process personal data of EU residents, regardless of the jurisdiction of such companies. For example, if a Ukrainian company provides goods and services on the Internet to EU citizens, it immediately falls under the scope of the GDPR as a controller of personal data.

At the initial stages of business development, most projects only simulate GDPR compliance, which can lead to big troubles in the future

Personal data protection according to GDPR

But if an IT project is integrated into the chain of personal data processors (APIs of social networks are connected, third-party obligations are outsourced, etc.), and some of the links in the chain are faced with information leak, all participants in the personal data transmission chain are subject to liability. Identified violations are subject to fines as high as 20 million euros imposed directly or by recourse.

To comply with the Regulations and avoid iussues and fines, at least the following documentation should be developed for an IT project:

  • Publicised privacy policy compliant with GDPR;
  • Internal policy for the protection of personal data;
  • List of actions with personal data
  • Policy for responding to security flaws;
  • Form of notification of the supervisory authority about personal data leak;
  • Form of notification of the subject about personal data leak;
  • Data retention policy.

Unfortunately, there is no universal template for creating the described documentation. The level of detail depends on the frequency of processing of personal data, volume, and nature.

Projects in which data is continuously processed require a full-time Personal Data Officer (DPO) and a Permanent Representative in the EU (DPR), who will contact with supervisory authorities and take responsibility in case of violation of EU legislation.

The development of documentation in accordance with the requirements of the Regulation, as well as internal practices and policies, requires deep legal analysis, and their implementation requires a technical audit. Also, in the process of processing personal data, it is necessary to adhere to the principles of processing (legality, transparency, data minimization), which also requires legal assistance.

To avoid problems with personal data, we recommend contacting VigoLex team of lawyers from the first day the IT project enters the market. Solving problems afterwards will be much more difficult and expensive.

Get a consultation

I consent to the processing of my personal data


    63739 street lorem ipsum City, Country


    +12 (0) 345 678 9


    [email protected]