Regulation (EU) 2016/679, more commonly known as the GDPR, adopted by the European Commission and the European Parliament, came into force in 2018. Its aim is to create a single legal regime for personal data and to ensure that its processing is governed by a set of basic principles.
Personal data, according to the GDPR, is any information relating to an identified or identifiable natural person ("data subject").
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to a name, surname, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Categories of particularly sensitive data, the processing of which is prohibited:
- information on racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership;
- genetic and biometric data when used for the unique identification of an individual;
- data on the health, sex life, or sexual orientation of an individual.
The GDPR defines two types of subjects who process personal data: the data controller and the data processor.
The controller is:
- a natural or legal person, public institution, agency or other body
- which, alone or jointly with others (co-controllers),
- determines the purposes and methods of processing personal data.
Most of the responsibility for the processing of personal data lies with the controller.
A processor is a contractor of the controller: a natural or legal person, government organization, agency, or other body that processes personal data on behalf of the controller.
The Regulation enforces the principle of extraterritoriality in the processing of personal data since it applies to all companies that process personal data of EU residents, regardless of the jurisdiction of such companies. For example, if a Ukrainian company provides goods and services on the Internet to EU citizens, it immediately falls under the scope of the GDPR as a controller of personal data.
At the initial stages of business development, most projects only imitate GDPR compliance, which can lead to big trouble in the future.
But if an IT project is integrated into a chain of personal data processors (APIs of social networks are connected, third-party obligations are outsourced, etc.) and one of the links in the chain suffers an information leak, all participants in the personal data transmission chain are subject to liability. Identified violations are subject to fines as high as 20 million euros, imposed directly or by recourse.
To comply with the Regulation and avoid issues and fines, at least the following documentation should be developed for an IT project:
- Internal policy for the protection of personal data;
- List of actions with personal data;
- Policy for responding to security flaws;
- Form of notification of the supervisory authority about personal data leak;
- Form of notification of the subject about personal data leak;
- Data retention policy.
Unfortunately, there is no universal template for creating the described documentation. The level of detail depends on the frequency, volume, and nature of personal data processing.
Projects in which data is continuously processed require a full-time Data Protection Officer (DPO) and a Permanent Representative in the EU (DPR), who will liaise with supervisory authorities and take responsibility in case of a violation of EU legislation.
The development of documentation in accordance with the requirements of the Regulation, as well as of internal practices and policies, requires deep legal analysis, and their implementation requires a technical audit. Also, when processing personal data, it is necessary to adhere to the principles of processing (lawfulness, transparency, data minimization), which also requires legal assistance.
To avoid problems with personal data, we recommend contacting the VigoLex team of lawyers from the first day the IT project enters the market. Solving problems afterwards will be much more difficult and expensive.
The VigoLex team has many years of experience and unique knowledge in IT law, online and offline gambling, as well as other high-risk business and e-commerce areas.
We do not rely on conventional solutions and traditional approaches; every task is considered comprehensively, with all its traps and pitfalls.
We are not afraid of changes and new challenges. We are ready to improve and adjust in accordance with current requirements and the client's needs.
We understand that our client is interested not in the process but in the result. The client's result is our reputation.
The GDPR is a Regulation of the European Union (a regulation is binding on all EU member states, regardless of their national legislation) which sets the requirements for the collection, processing, transfer, storage and protection of personal data.
The GDPR is mandatory for companies that are registered in the EU or that process personal data of EU residents.
Therefore, if a Ukrainian project is registered in one of the EU countries (for example, Cyprus), or is located in Ukraine but works for the EU market, the GDPR requirements apply to such a project.
The GDPR sets out 7 basic principles for the processing of personal data:
- lawfulness, fairness and transparency of personal data processing;
- limitation of the purposes of processing;
- data minimization;
- accuracy of the processed data;
- limitation of the data storage period;
- integrity and confidentiality of the data being processed;
- accountability of the company.
All principles are explained in detail in other provisions of the GDPR, as well as in the guidelines and explanations of the supervisory authority.