GDPR

Published: June 21, 2018

The EU market develops every day, and as a result cross-border flows of personal data increase, including through the use of the Internet. This causes serious problems with the protection of personal data. Thus, the main aim of the GDPR is to protect personal data and personal data subjects. The General Data Protection Regulation came into force on May 25, 2018.

GDPR is designed to promote the development of a space of freedom, security, justice and economic union; economic and social progress; strengthening the rule of law and convergence of economies within the domestic market, as well as the general well-being of individuals in EU member states.

The GDPR is mandatory for all EU Member States. For companies that are not resident in the EU, including those in CIS countries, the requirements apply in the following cases:

  1. Companies that supply their goods or services to individuals in the EU. For example, online stores, tour operators, transport companies that are in Ukraine and process the data of EU residents.
  2. Companies that carry out marketing research covering consumers from the EU.
  3. Companies that, in the course of their activities, gain access to the personal data of subjects in the EU. These can be any Ukrainian companies that, for example, have access to the data of employees from the EU.

The main innovations of the GDPR that will affect CIS countries are:

  1. The necessity to introduce a new position in the company – Data Protection Officer

All companies dealing with a significant amount of personal data or with the “special” categories of such data must appoint a person responsible for protecting employees’ personal data. He can perform his duties both under an employment contract and on a civil law

The Officer must have an appropriate level of knowledge in the field of personal data protection. A group of companies may have one responsible person if this ensures unrestricted access to the activities of each member of the group. In addition, he can work in the company either as his main job or part-time.

  2. Necessity of a representative (representation) in the EU

If your company falls under the GDPR and is not located in the EU, it must have an official representative in the EU. The representative must be appointed as the contact person for the authorized authorities on all issues of protection of the personal data of EU citizens. The representative can be either a natural person or a legal entity.

One of the mandatory requirements is that the representative be established (for legal entities) or located (for individuals) in one of the countries whose citizens are the persons whose personal data are processed or whose behavior is being investigated.

The exceptions to this rule are: if data processing is not permanent; if the personal data processed do not belong to the “special” categories (as already mentioned above, including, in particular, genetic and biometric data) or to data relating to criminal proceedings or accusations; if the character of the data indicates that their leakage cannot seriously violate the rights of the person (it is not difficult to assume that market participants who do not intend to fulfill this requirement of the GDPR for one reason or another will try to use such an evaluative wording to avoid it).

  3. Proof of compliance with GDPR requirements

GDPR establishes the duty to prove the company’s compliance with the new requirements. In order to prove compliance, the controllers must store all information relating to the activity with personal data (about the controller, data transfer operations, etc.).

  4. Increasing the level of personal data security

The GDPR does not set clear criteria for assessing the level of compliance with security requirements. Instead, it operates with evaluative categories, which implies that controllers and processors should provide the highest level of information security possible for them, including by implementing appropriate technical and organizational measures.

Security measures can be very different. They depend on what data are processed, on their quantity, on the possibility of leakage, etc. As examples of the steps that can be taken, the GDPR names pseudonymization and encryption.

  5. Limitation of the use of cloud storage for the placement of personal data

According to the GDPR, placing personal data in cloud storage is considered a transfer to third parties. It is necessary to beware of storage with a low level of protection and to limit the placement of personal data in it. If data transfer via cloud storage occurs outside the EU without adequate security, such actions violate EU law.

  6. The introduction of control over the transfer of personal data outside the European Economic Area

As a general rule, personal data can be transferred to a third country only if there is a positive conclusion from the European Commission regarding the country’s compliance with high standards of personal data protection. The most acceptable option for Ukraine will be the use of standard contract terms approved by the European Commission.

  7. Overall increase of privacy

The Regulation provides for increased privacy. In addition to the standard of the highest level of privacy by default (for example, in social networks), it may be necessary to collect the subject’s consent to the handling of each individual item of information that he enters.

The basic rights of subjects of personal data (for example, the right to access data about themselves or the right to demand the termination of the processing of personal data) were provided for by the Directive. The regulation introduced, for example, such rights as the right to data portability.

The subject of personal data can ask to transfer his personal data from one organization to another, for example, when changing the medical institution in which he is served.

The Regulation also introduces a new right – the right to be forgotten, which allows the subject to require the deletion of data about himself from all company databases. It is important to note that this right is not absolute and applies only in directly established cases. For example, if processing is required by law, the subject cannot exercise his right to be forgotten.

In particular, the person must know the purpose of processing personal data already at the stage of their collection. If data collection is the result of a person’s will, the controller must demonstrate that the person is presenting his personal data here and there.

Although there are currently similar rules in Ukraine, lawyers from the EU indicate that the current level of user awareness is not enough, and that social networks will change beyond recognition with the adoption of the GDPR.

In this regard, the provisions of the Regulation stating that EU Member States should ensure privacy in the workplace are of interest. In particular, if the employer monitors workers by installing cameras, the worker must know about and consent to the processing of personal data. Such a rule will also apply in Ukraine if the employee is a citizen of the EU.

For a personal consultation, please contact our specialist. If you have any questions or need advice on the protection of personal data or the GDPR, call us on the numbers on the website or fill out and send us the form at the bottom of the page.
