GDPR - new rules for the processing of personal data in Europe for the international IT market

In May 2018, Europe will switch to the updated rules for the processing of personal data established by the General Data Protection Regulation (EU Regulation 2016/679 of April 27, 2016, or the GDPR). This regulation, which is directly applicable in all 28 EU countries, will replace the framework Data Protection Directive 95/46/EC of October 24, 1995. An important nuance of the GDPR is the extraterritorial reach of the new European rules for the processing of personal data; Russian companies should therefore pay attention to them if their services are oriented to the European or international market.

The new regulation provides EU residents with tools for full control over their personal data. From May 2018, liability for violating the rules for processing personal data becomes tougher: under the GDPR, fines reach 20 million euros (about 1.5 billion rubles) or 4% of the company's annual global turnover. In this article, we analyze the new rules for processing personal data in the EU and formulate recommendations for Russian companies on how to respond to the GDPR.

Who falls within the scope of the GDPR?

The GDPR has extraterritorial effect and applies to all companies that process the personal data of EU residents and citizens, regardless of where the company is located.

Naturally, branches and representative offices of Russian organizations in the EU will have to meet the new requirements.

Consider another, less obvious, category of subjects with the following example:
An organization is based in Russia. It sells products and services online to users, including users from the EU. Services are provided to users in local languages and local currencies on the national top-level domains of EU countries (e.g. ".de", ".nl" or ".co.uk"). At the same time, this organization has no operations or subcontractors in the EU.

Should such an organization comply with the GDPR?
Yes.

After all, the services and products are clearly offered to EU residents because:

- the services / goods are adapted to the local languages of EU residents;
- the services / goods are paid for in local EU currencies;
- the services / goods are provided on the national top-level domains of EU countries.

This means that organizations that process the personal data of Europeans in Russia in the course of online sales (for example, Russian Railways, airlines, hotels, hostels and others) are subject to the GDPR and must comply with the new European rules for the processing of personal data.

It is important to note that, in addition to the processing of personal data, the GDPR uses the concept of monitoring the behavior of data subjects, which brings another category of subjects within the scope of the GDPR. The GDPR applies to organizations established outside the EU if they (as a controller or processor) monitor the behavior of EU residents, to the extent that such behavior takes place in the EU.

Monitoring may include:

- tracking EU residents on the Internet;
- the use of data processing techniques to profile individuals, their behavior or their attitudes (for example, to analyze or predict personal preferences).

The European legislator also distinguishes between the concepts of a data controller and a data processor. The controller, acting as the captain of the ship, bears more legal responsibility than the processor, which acts as a sailor on that ship. In essence, controllers decide what happens to personal data and are responsible for the processing, while processors are a kind of "executor".

For example, a cloud system that your employees use to manage tasks and projects, and in which customers' personal data is also stored, will be a data processor, and you, accordingly, the controller.

What is meant by personal data in the GDPR?

Personal data is any information relating to an identified or identifiable individual (the data subject), i.e. a person who can be directly or indirectly identified. Such information includes a name, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (clause 4 of Article 4). The definition is broad and makes it quite clear that even IP addresses can be personal data.

It is important to note that certain types of personal data belong to the category of special, or sensitive, personal data. This is information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. This group also includes genetic data, biometric data used to identify an individual, health data, and information concerning sex life or sexual orientation (Art. 9).

6 principles of GDPR data processing

The general European approach to the processing of personal data is formulated as 6 basic principles:

1) Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and transparently. Any information about the purposes, methods and scope of personal data processing should be stated as accessibly and simply as possible.
2) Purpose limitation. Data must be collected and used exclusively for the purposes stated by the company (online service).
3) Data minimisation. You may not collect personal data in a larger volume than is necessary for the purposes of processing.
4) Accuracy. Personal data that is inaccurate must be deleted or corrected (at the user's request).
5) Storage limitation. Personal data should be stored in a form that allows data subjects to be identified for no longer than is necessary for the purposes of processing.
6) Integrity and confidentiality. When processing user data, companies are obliged to protect personal data against unauthorized or unlawful processing, destruction and damage.

Key requirements

Notification of personal data breaches
Companies are obliged to notify the regulatory authorities (and in some cases the data subjects) of any personal data breach within 72 hours of discovering it.

For example, the recent news about the hacker attack on Uber is a vivid illustration of breaking this rule. Uber told the press, a year after the fact, that hackers had gained access to the personal data of 57 million users and drivers. Had the GDPR already been in force, avoiding a heavy fine of 4% of annual turnover would have been impossible.

A list of the national personal data regulators for all EU countries is publicly available. There is also a pan-European body, the Article 29 Working Party (WP29). However, once the GDPR comes into force, the Article 29 Working Party will be replaced by a new body, the European Data Protection Board (EDPB).

Rights of the data subject (individual)

The GDPR significantly expands the rights of EU citizens and residents to control their personal data. European users have the right to request confirmation that their data is being processed, the place and purpose of processing, the categories of personal data processed, the third parties to whom the personal data is disclosed, the period for which the data will be processed, and the source from which the organization obtained the personal data, and to demand its correction. Moreover, the user has the right to demand that the processing of their data be stopped.

The GDPR also provides for the right to be forgotten (the right to erasure), which gives Europeans the opportunity to have their personal data deleted on request in order to prevent its dissemination or transfer to third parties.

This is not a new right; it also exists in the current Directive. The Court of Justice of the European Union (CJEU), in its 2014 judgment in the Google Spain case, clarified that data subjects have the right to have information about them removed from search results if it is not in the public interest. However, the right to be forgotten extends not only to search engines. Any company that processes data must delete a person's personal data on request, unless this conflicts with the public interest or with other fundamental rights of Europeans.

For example, if you are a news service, then before deleting data, check that the deletion will not affect the freedom of expression and the right of access to information guaranteed to Europeans by Article 11 of the Charter of Fundamental Rights of the European Union.

The right to data portability

The right to data portability is a novelty in the EU data processing rules introduced by the GDPR. Under this right, companies are obliged, at the request of the data subject, to provide an electronic copy of that person's personal data to another company free of charge.

For example, a startup called "Sun" wants to enter the market with a social media sharing site, but the market already has its giants with a large market share. The right to data portability will make it easier for potential customers to transfer their data from one online service to another (without re-entering the same data on different sites).

Another example. A data subject uses the "E-book" reader service. At some point, the user decides to switch to the "Read online" service. In this case, the right to data portability allows the user to obtain their personal data (for example, literary preferences) from "E-book" and transfer it to the other service.

Consent to processing

The GDPR places high demands on the form of consent to data processing. A person's consent to the processing of their personal data must be expressed either as a statement or as a clear affirmative action by the user. Consent to the processing of personal data will be invalid if the user had no genuine choice or could not withdraw consent without detriment. If the user has consented to the processing of their personal data, the controller must be able to demonstrate this.

We do not recommend using pre-ticked consent checkboxes or other methods of obtaining consent by default. Consent also cannot be inferred from the user's silence or inaction. Information on how to withdraw consent to the processing of personal data should be placed where the user can easily find it.

Special protection for children

Children's personal data deserves special protection, because children are less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Consent to the processing of a child's data must be authorized by the parents (or the child's legal representatives). The age threshold for parental authorization is set by each EU member state separately (from 13 to 16 years).

Appointment of a person responsible for the protection of personal data

This requirement applies to companies that carry out regular and systematic large-scale observation or monitoring of individuals (discussed above), or that carry out large-scale processing of special categories of personal data, such as medical records or criminal convictions.

In any case, any organization may voluntarily appoint a data protection officer to manage the processing of user data and monitor compliance with the requirements of the GDPR. In that case, the company must publish information about this employee and also notify the national personal data protection regulator of the relevant EU country.

What to do?

If you fall within the scope of the new European data protection rules, or plan to expand and provide services and goods to EU countries, we recommend conducting a comprehensive assessment of the methods and means of personal data processing used by the company and bringing them into line with the new GDPR rules. It is also necessary to review the privacy policy and the personal data processing provisions of the user agreements (terms of use) of your sites and online services targeted at European consumers and users. To comply with the requirements of the GDPR, it is necessary to develop internal data protection policies, train personnel, audit data processing activities, keep records of processing operations, implement privacy by design measures, and appoint an employee responsible for the protection of personal data (taking into account, of course, the nature and volume of the personal data processed).

Although the new requirements for the processing of personal data are serious, they have positive aspects for non-European players: it is easier to adhere to a single set of rules for data protection and processing than to take into account the national nuances of personal data processing in each individual EU country, as had to be done before the GDPR was introduced. Moreover, the reform aims to stimulate economic growth by reducing costs and bureaucracy for companies operating in the EU. Complying with one set of rules instead of 28 (the number of EU member states) will help small and growing companies enter new markets. Under the law, in some cases obligations vary depending on the size of the business, the nature of the data processed and other factors.

You should also think in advance about the mechanisms for responding to the requests from European regulators and personal data subjects (users) that are possible under the GDPR (for example, to correct data, delete it, stop processing it, or transfer it to another company under the right to data portability).

Conclusion

The GDPR is a landmark piece of legislation that significantly raises the level of personal data protection in the EU and beyond. It requires very careful study and compliance. The reform brings clarity and consistency to the rules applied in the field of data protection. It also restores the trust of the user-consumer, which allows businesses to make the most of the opportunities of the single European digital market. The collection, analysis and transfer of personal data around the world has acquired enormous economic importance. Personal data is, in effect, the "currency" of the modern economy. And if you collect any user data in any form, its security should be carefully monitored to prevent leaks and possible manipulation by third parties.

Source: https://habr.com/ru/post/344064/