On January 1, 2011, Law No. 2297-VI “On Personal Data Protection” entered into force in Ukraine. Many have heard about this event, and some know that registration of personal data (PD) bases opened in July of this year, but very few of those whom this law concerns have hurried to take any concrete action. Meanwhile, from January 1, 2012, amendments to the Code of Administrative Offenses and the Criminal Code of Ukraine come into force, establishing liability for non-compliance with this law. Below we try to answer the most important questions:
- who is affected?
- what has to be done?
- and what happens if nothing is done?
Who needs to take into account the law on personal data protection
Any person (natural or legal) in Ukraine who holds any personal information about individuals. The law interprets the concept of “personal data” broadly. In its explanations, the State Service for Personal Data Protection refers to the Council of Europe Convention and defines personal data as information, or a collection of information, about an individual who is identified or can be specifically identified from that information. Thus, almost anything can be personal data: an email address, an IP address, a user's GPS position, not to mention name, date of birth, postal address and telephone number. A personal data base is a named collection of ordered personal data in electronic form and/or in the form of personal data card files.
Obviously, under this law the owners of almost any website with registered users must register their databases. All online stores with their customer bases fall under it too. Most interesting of all, information about employees also counts as personal data, so every Ukrainian company is obliged to register its employee database.
After such a pessimistic start, let's move on to concrete actions.
How to ensure compliance with the law on personal data protection
So that the State Service for Personal Data Protection has no questions for you, you need to implement three conceptual points:
- obtain the consent of each personal data subject (for example, a user) to the processing and use of his PD, notifying him of the purpose of collecting and processing these data, of his rights in connection with the inclusion of information about him in the personal data base, and of the persons to whom these data are transferred;
- register the personal data base in the state register;
- ensure the protection of the personal data base.
As for specific actions, they differ slightly for different kinds of PD bases. We distinguish two illustrative cases: a website, and a company with an employee database.
Site
To implement the first point, you will need to amend the user agreement. Add information about the user's rights (you can give a link to, or quote, Article 8 of the law on personal data protection) and the purpose of processing PD, as well as the clause “I allow the administration of the example.com site to collect and process my personal data. I am acquainted with the rights arising in connection with the processing of my personal data and with the purposes of processing and using my personal data.”
Company
It is necessary to adopt internal regulations setting out the rights of employees arising in connection with the processing of their PD, as well as the purpose of processing PD (an example order and regulation). You also need to obtain written consent from each employee to the processing of his PD (example).
Registration of PD bases is the same in all cases and should not take much time. We have prepared the necessary tool and detailed instructions in our blog.
In addition, the law obliges the owner of data bases to ensure their protection. However, the choice of specific protective measures and methods rests entirely with the owner of the PD base and is not prescribed in any way. Note that there is a draft recommendation on ensuring the protection of PD bases, and in the future this question will be settled much more precisely.
What is the responsibility for non-compliance with the law on personal data protection?
We quote the Code of Ukraine on Administrative Offenses. The non-taxable minimum income of citizens (NMDG) is 17 hryvnia.
Administrative liability:
- failure to notify (or late notification of) the personal data subject about his rights in connection with the inclusion of his personal data in the database, the purpose of collecting the data and the persons to whom the data are transferred - a fine of up to 300 NMDG for citizens and from 300 to 400 NMDG for officials and sole proprietors;
- failure to notify (or late notification of) the specially authorized personal data protection body about changes in the information submitted for state registration of the personal data base - a fine of 100 to 200 NMDG for citizens and from 200 to 400 NMDG for officials and sole proprietors;
- evasion of registration of the personal data base - a fine of 300 to 500 NMDG for citizens and from 500 to 1000 NMDG for officials and sole proprietors;
- non-observance of the procedure established by law for protecting the PD base, resulting in unlawful access to PD - a fine of 300 to 1000 NMDG;
- failure to comply with the lawful demands of officials of the specially authorized personal data protection body - a fine of 100 to 200 NMDG.
There is also criminal liability for the unlawful collection, storage, use, destruction and dissemination of confidential information (Article 182 of the Criminal Code of Ukraine), but we sincerely hope it will not come to that.
Drawing up protocols on violations in the field of personal data protection is entrusted to the authorized body, the State Service for Personal Data Protection. Prosecution and the decision to impose a fine rest with the local courts.
Special cases
The law does not apply in the following cases:
- if the base is used by an individual for personal non-professional needs;
- if the base is used by an individual for domestic needs;
- if the base is used by a journalist for the performance of his official duties;
- if the base is used by a creative worker in the course of his creative activity.
Therefore, if you run a personal blog and you have a subscriber database, you do not need to register anything.
Questions and answers
Q: Is there a minimum amount of information that counts as personal data?
A: No. Any information about a person by which he can be identified is considered personal data.
Q: The data are stored on servers in the USA. Do I need to register a PD base?
A: Yes.
Q: What is the deadline for registering PD bases?
A: There is no such deadline, but from January 1, 2012 you can be held administratively liable for non-compliance with the law on the protection of PD. Most likely, though, the State Service for Personal Data Protection will not come to you with a routine inspection; real problems arise only if someone files a complaint against you. In any case, it is better to register the base as soon as possible, it is not that difficult.
Q: Are employee data considered personal data?
A: Yes.
Q: Do I need consent to use the PD of existing users of my site?
A: No, but you need to change the registration procedure for all new users.
Links
www.zpd.gov.ua - State Service for Personal Data Protection
www.zpd.gov.ua/zpd.gov.ua_rus/indexDovidkaInfo.html - reference information for citizens and legal entities
zakon2.rada.gov.ua/laws/show/2297-17 - Law of Ukraine “On Personal Data Protection”
zakon1.rada.gov.ua/cgi-bin/laws/main.cgi?nreg=616-2011-%EF - Regulations on the State Register of Personal Data Bases and the Procedure for its Maintenance (05/25/2011)
www.zpd.gov.ua/R/perelik/perelik/24.htm - Regulations on the State Personal Data Protection Service
zakon2.rada.gov.ua/laws/show/3454-17 - Strengthening responsibility for violation of personal data protection legislation
rbpd.informjust.ua - registry of personal data bases
taxer.com.ua/blog/23 - instructions for filing an application for registration of the database of PD in electronic form
PS: It should be noted that the law on the protection of personal data is not intended to penalise everyone across the board. The user data themselves are not registered. Only the fact that a personal data base exists is registered, which guarantees that there is a responsible person who answers for the safety of user data. Above all, this gives the users themselves a guarantee that their data will not leak anywhere and will not be used in unlawful actions. In this light, personal data should be understood not as some set of data that EXACTLY identifies the user (for example, full name + date of birth), but as data that CAN help identify the user. For example, if a user uses the address name@surname.com, then a third party who has obtained some access to this database will be able to associate this email with a specific person. And no user would want that.