Author: Anastasia Zavedenskaya, Assistant Analyst, Analytical Center LLC "UTsSB"
Reviewers: Ekaterina Rubleva and Konstantin Samatov, Heads of Direction, Analytical Center LLC "UTsSB"

A company that processes personal data is considered their operator. Most likely, such a company knows about Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and its requirements. But what if the company has customers in the European Union, or wants to attract them? Or simply has a website with forms for users to fill in? Then it needs to understand what the GDPR is and what its scope is.
Back in 1995, the countries of the European Union adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. But everything changes: on May 25, 2018 it was replaced by the General Data Protection Regulation, adopted by the European Parliament in April 2016 and abbreviated simply as GDPR.
The GDPR will also apply in three further countries of the European Free Trade Association (EFTA) that are not EU members: Iceland, Liechtenstein and Norway. The EFTA website article “Incorporation of the GDPR into the EEA Agreement (European Economic Area) and continued application of Directive 95/46/EC” states that the GDPR is expected to be adopted by the EEA Joint Committee and to enter into force in the EEA EFTA states in mid-July 2018. Until then, Data Protection Directive 95/46/EC remains applicable under the EEA Agreement, thus guaranteeing the unhindered flow of data between the EEA EFTA states and the EU member states.
To whom does the GDPR apply?
First you need to understand who must follow the requirements of the GDPR and who does not fall under them.
Figure 1 - Algorithm for determining the scope of the GDPR

Based on the text of the Regulation, its requirements apply not only to European organizations but to any company working with the personal data of EU citizens or of persons located in the EU (see Fig. 1). The location of the company itself does not matter.
So if a company is registered in the EU or, for example, in the previously mentioned Iceland, Liechtenstein or Norway, then the GDPR definitely applies to it, regardless of where the processing itself takes place.
To decide whether an organization offers goods or services to persons in the EU, even its intention to offer them is sufficient. According to the GDPR, the intention becomes apparent if the company's website allows the use of the language and currency of an EU member state and an order can be placed in that language, or if it refers to consumers or users located in the European Union.
Even if a site is entirely in Russian, and its mere accessibility from the EU does not by itself show such an intention, one cannot be 100% sure that nobody located in the European Union will use its services. Therefore it is recommended to meet the requirements of the GDPR in any case.
Another interesting and relevant concept in the GDPR is monitoring. By monitoring, the GDPR means tracking individuals on the Internet with the subsequent use, or potential use, of personal data processing techniques to analyse or predict their preferences, personal characteristics and behaviour patterns. That is, if the company takes any action to study the behaviour of persons in the EU, whether for marketing, for statistics or otherwise, this is monitoring. For example, if Yandex Metrika, Google Analytics or similar tools are installed on the organization's website, the GDPR has to be applied, because, as already mentioned, there is no guarantee that a person from the EU will not visit a site on which these services are used.
It is important to know that an organization is obliged to appoint a representative in the EU when at least one of the following conditions is met:
- processing takes place continuously;
- special categories of personal data are processed on a large scale;
- personal data relating to convictions or offences are processed;
- there is a high risk of violation of the rights and freedoms of individuals.
In the GDPR, the special categories of personal data are defined similarly to Russian legislation, except that data on criminal convictions and offences are treated separately: their processing must be carried out under the control of an official authority or be authorized by the law of the state.
A representative may be a natural or legal person specifically authorized by the relevant documents. The representative must be located in the EU country where the data subjects are. Its task is to interact with the EU authorities and citizens on behalf of the company and to follow the company's instructions. The representative is also held accountable for violations.
For example, a Russian company that has no subsidiary in Finland constantly provides its services to Finnish citizens. This means the company must appoint a representative officially located in Finland. If there is a subsidiary, it can be designated as the representative.
It turns out that the General Data Protection Regulation has quite a wide reach: while everything is logical for companies of the European Union, other countries have also been caught up in it. It becomes clear that Russian organizations oriented towards customers in the European Union must also comply with the requirements of the GDPR.
Suppose a small Russian company has an online store and a Latvian citizen buys its goods. This means the requirements of the GDPR apply to this online store, since it will process the personal data of an EU citizen. If the company's site has an English version from the start and shows prices in the currency of the user's country, then it also falls within the scope of the GDPR. And in any case, if the company does not work with each client in person, it cannot know exactly where the client comes from. This means that even the entirely Russian-language website of a small company must be prepared to meet the requirements of the GDPR.
The list of companies covered by the GDPR could be continued at length, but since there is no enforcement practice yet, in the author's opinion it is necessary to analyse whom the company's activities are directed at and with whom it interacts.
What roles does the GDPR offer?
As with any process, data processing has two sides: the one whose data are processed, i.e. the personal data subject, and the one who processes these data. Let us dwell on the second. The GDPR introduces the concepts of a controller (data controller) and a processor (data processor).
Let us examine these terms based on the GDPR and the explanations given on the website of the European Commission.
The controller, in accordance with Article 4(7) of the GDPR, is a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
All responsibility for fulfilling the requirements for the processing and protection of personal data rests with the controller. The controller must be able to demonstrate compliance with these requirements.
So, if a company decides “why?” and “how?” personal data are processed, it is the data controller. Its employees who carry out the processing do so in the company's capacity as data controller.
If a company, together with one or more other organizations, jointly determines “why?” and “how?” personal data are processed, it is called a joint controller. Joint controllers conclude an agreement setting out their respective obligations to comply with the requirements of the GDPR. The essence of this agreement must be made available to the persons whose data are processed.
The processor, in accordance with Article 4(8) of the GDPR, is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
It turns out that the processor may process personal data only on behalf of the controller. A data processor may be, for example, a third-party company engaged in data processing.
An organization can be a data controller or data processor, or both.
In Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” there is the concept of an operator, which corresponds to the controller, while the processor corresponds to the person who processes personal data on behalf of the operator.
GDPR and Federal Law No. 152-FZ “On Personal Data”: similarities and differences
Every regulatory document uses its own definitions; let us consider and compare them.
Personal data, according to Article 3 of the Federal Law “On Personal Data”, is any information relating directly or indirectly to a determined or determinable individual. Article 4(1) of the GDPR gives a similar definition, except that it speaks of an “identified or identifiable” person rather than a “determined or determinable” one.
The terms are similar, but the GDPR describes in more detail what information counts as personal data. From it we learn that any information which makes it possible to determine the identity of the data subject is personal data. It does not matter whether the subject can be identified from it directly or whether special tools or programs are needed.
The GDPR has the following list of personal data:
- name;
- identification number;
- location data;
- online identifier;
- a combination of identifiers / indicators.
The most difficult case is online identifiers, which include IP addresses, cookies and so on. An IP address, for example, may point to a specific person who goes online, or it may merely show the network access point; i.e. in some cases it can be used to identify a person only in combination with other data. Whether an IP address is personal data is a moot point and depends on the context. But since the GDPR pays particular attention to online identifiers, it is recommended to protect them too.
The principles and conditions of processing are set out in Articles 5 and 6 of the Federal Law “On Personal Data” and in Articles 5 and 6 of the GDPR.
The Russian Personal Data Law contains 7 processing principles and the GDPR 6. All of them are comparable, except that Russian legislation additionally prohibits combining databases created for incompatible purposes. An important addition in the GDPR is the principle of transparency: any information and communications relating to the processing of personal data must be easily accessible to the subject and clear to him, i.e. written in plain and simple language. In addition, the GDPR defines the security of personal data as a principle (Article 5, paragraph (f), GDPR), whereas in the Russian law it is presented rather as an obligation.
The conditions under which processing is lawful are also comparable. At the same time, the GDPR allows member states to introduce their own processing requirements.
Article 9 of the Federal Law “On Personal Data” and Article 7 of the GDPR describe the subject's consent to the processing of personal data. Both documents speak of consent being specific, informed and conscious. Importantly, the GDPR requires that consent be written in language that is understandable and easily accessible. Consent to data processing must be presented separately from other terms, conditions and agreements, and must include all the purposes of processing. Withdrawing consent must be as easy as giving it: as easy as ticking a box and unticking it.
It follows that the consent must not be ambiguous but precise: “I agree …”. It must include a list of the specific processing purposes. It is also not permitted to use, for example, pre-ticked checkboxes that set consent by default; this contradicts the freedom of consent. And the operator must always be ready to demonstrate that the subject has given consent.
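As an added example (not code from the original article), the following Python sketch implements the consent properties just described: consent is recorded only on an active tick, only when it was shown separately from other terms, always with the full list of purposes kept as evidence, and it is withdrawn with a single call. The ConsentRegistry class, the purpose strings and the subject IDs are assumptions for illustration.

```python
"""Consent capture that enforces the consent rules described above.

Added example, not code from the original article. ConsentRegistry, the
purpose strings and the sample subject IDs are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class InvalidConsent(ValueError):
    """Raised when a consent request would not count as valid consent."""


def consent_text(purposes):
    """Build the plain-language wording shown to the subject; it always lists
    every purpose explicitly, so nothing is left implicit or bundled."""
    return ("I agree to the processing of my personal data for the following "
            "purposes: " + "; ".join(purposes) + ".")


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: tuple                 # every purpose the subject agreed to
    text_shown: str                 # exact wording presented (kept as evidence)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegistry:
    """Keeps consent evidence so the operator can demonstrate it later, and
    lets the subject withdraw with one call (as simple as unticking the box)."""

    def __init__(self):
        self._records = {}

    def record_consent(self, subject_id, purposes, *, ticked_by_user,
                       shown_separately_from_terms) -> ConsentRecord:
        # Affirmative action only: a pre-ticked box or inaction is not consent.
        if not ticked_by_user:
            raise InvalidConsent("consent requires an active action by the subject")
        # Consent must be presented separately from other terms and agreements.
        if not shown_separately_from_terms:
            raise InvalidConsent("consent must be separate from other conditions")
        # The wording must name specific purposes; an empty purpose list is vague.
        purposes = tuple(p.strip() for p in purposes if p and p.strip())
        if not purposes:
            raise InvalidConsent("at least one specific processing purpose is required")
        record = ConsentRecord(subject_id, purposes, consent_text(purposes),
                               datetime.now(timezone.utc))
        self._records[subject_id] = record
        return record

    def withdraw(self, subject_id) -> ConsentRecord:
        """Withdrawal is a single step, mirroring how consent was given."""
        record = self._records[subject_id]
        record.withdrawn_at = datetime.now(timezone.utc)
        return record

    def may_process(self, subject_id, purpose) -> bool:
        """Check before every use: consent exists, is active and covers the purpose."""
        record = self._records.get(subject_id)
        return record is not None and record.active and purpose in record.purposes

    def evidence(self, subject_id) -> Optional[ConsentRecord]:
        """What the operator would show a supervisory authority on request."""
        return self._records.get(subject_id)


if __name__ == "__main__":
    registry = ConsentRegistry()
    rec = registry.record_consent("subject-42", ["order delivery", "newsletter"],
                                  ticked_by_user=True, shown_separately_from_terms=True)
    print(rec.text_shown)
    print("newsletter allowed:", registry.may_process("subject-42", "newsletter"))
    registry.withdraw("subject-42")
    print("after withdrawal:", registry.may_process("subject-42", "newsletter"))
```

The point of `may_process` is that every downstream use of the data checks the stored record rather than a flag copied elsewhere, so a withdrawal takes effect immediately and the stored wording and timestamp serve as the evidence the operator must be able to produce.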
One of the main differences of the GDPR is that it establishes specific rules for consent to the provision of information society services to minors. Consent from a child who is at least 16 years old is lawful. For children under 16, consent must be given by the person holding parental or guardian responsibility.
Both documents describe the rights of the data subject quite extensively. Under both, individuals can obtain their data and information about how they are processed, and can correct or delete information about themselves. The main difference is that under the Federal Law “On Personal Data” a subject may receive information about the processing of personal data upon request, whereas under the GDPR the organization is obliged to provide all information about the processing at the time the personal data are collected. The GDPR describes deletion and rectification of information as rights of the subject, whereas Russian law frames them as obligations of the operator. The personal data subject can always withdraw consent to processing and request deletion of the data relating to him.
Another important difference is that the GDPR sets out a separate right to data portability. A company operating under the GDPR must understand that when a subject requests the information he provided earlier, the company must provide it without hindrance. The GDPR makes clear that these data must be structured and in a machine-readable format. Also, at the user's request, the organization must transfer his data to any other organization. All this is new among legal requirements.
The GDPR has a separate section on the Data Protection Officer. This role is similar to the person responsible for organizing the processing of personal data under Russian law. Under the GDPR, if the organization continuously monitors data subjects or processes special categories of data on a large scale, it is obliged to appoint a Data Protection Officer. Otherwise, the appointment is at the discretion of the organization or follows from the laws of its state. Under the Federal Law “On Personal Data”, the operator is obliged to appoint a person responsible for organizing data processing in every case.
Among the security measures listed in the Federal Law “On Personal Data”, reference is made to keeping records of personal data processing activities. The GDPR likewise obliges organizations to keep such records in documented form, including electronic form. The obligation does not apply to organizations with fewer than 250 employees if they do not process data on a regular basis and do not process special categories of data, or data on convictions and offences, on a large scale. In the author's opinion, it is desirable to keep such records in any case.
If the company is a controller, the record must contain:
- data on the controller, its representative and the data protection officer (if any);
- processing purposes;
- information on data subjects and categories of personal data processed;
- information about other recipients of personal data;
- dates of deletion, if possible;
- description of security measures, if applicable.
If the company is a processor, the record should include:
- data on the processor, the controller and, where applicable, their representatives and the data protection officer;
- information on the processing carried out;
- information about other recipients of personal data;
- dates of deletion, if possible;
- description of security measures, if applicable.
The organization must be ready to provide this information to the supervisory authority at any time.
What personal data are, how, why and for what purpose they are processed, what measures are used to protect the information, what the subject can do and what the operator must do: on these key points the Federal Law “On Personal Data” and the GDPR are similar. But what to do if an unwanted data leak nevertheless occurs is spelled out only in the GDPR. So, if a company has nevertheless allowed a leak of personal data, it is obliged to report it within a short time to the supervisory authority and to the data subject who suffered harm; otherwise the company will be fined. Under the GDPR, a supervisory authority is designated in each country by the relevant regulations. The heads of these supervisory authorities form the European Data Protection Board.
And the most interesting part: to strengthen the obligation to comply, the GDPR imposes fines for any violation. Fines reach 20 million euros or 4% of the company's annual turnover (whichever is larger). But in fact it is not so frightening. Where the violation is minor, a mere reprimand may be issued. Non-monetary sanctions may also include a ban by the supervisory authority on processing personal data (or transferring them to a counterparty) until the violations are remedied.
A fine should, first of all, have an educational effect, which means it can vary widely within the fixed ceiling. The amount of the penalty is set depending on the characteristics of the violation itself:
- the nature, severity and duration of the violation;
- whether the violation was intentional or negligent;
- damage mitigation measures;
- protection measures used;
- past violations;
- categories of personal data affected by the violation;
- how the violation became known;
- other aggravating and mitigating factors.
That is, for example, the leak notification considered earlier is an important factor for mitigating the penalty.
Let's sum up
The General Data Protection Regulation is a new, large document with a long preamble and 99 articles, which everyone can interpret in their own way. But if a company does not want to face a multi-million fine, it must comply with the requirements of the GDPR and, of course, not forget the Federal Law “On Personal Data” and its by-laws.
If you are a Russian company, first determine whether the organization's activities fall within the scope of the GDPR.
If they do, the priority actions needed to bring the organization into line with the new requirements are as follows:
- Determine whether you need a representative in the EU. Appoint one if necessary.
- Check that information on the processing (purposes, storage periods, information on the rights of the data subject, etc.) is available to the subjects, and that there are established and documented processes for responding to requests from personal data subjects.
- Check the consent to the processing of personal data for compliance with the requirements of the GDPR. It must be written in understandable language, be specific, contain all the purposes of processing, and be placed separately from other conditions / agreements. Consent is given by an active action, not “by default” or by inaction. Update it if necessary.
- Check the personal data being processed against the stated processing purposes.
- Keep records of all personal data processing activities.
- Carry out a Data Protection Impact Assessment, i.e. determine the importance of each specific business process involving personal data processing by assessing the damage caused during a period of failure.
- Check security measures for compliance with the GDPR. Improve them if necessary.
- Introduce established and documented processes for notifying incidents to the supervisory authority, preferably within 72 hours of detection. Include in the notification the nature of the leak, contact information, the possible consequences and the measures taken to remedy it. Where possible, inform the personal data subject within a reasonable time if there is a risk to his rights and freedoms and the data were not encrypted.
- Be prepared to provide evidence of the lawfulness of personal data processing activities.
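The incident notification step above, as an added Python example that is not part of the original article: it tracks the 72-hour clock from the moment of detection, refuses to assemble a notification that lacks any of the listed content (nature, contact, consequences, measures), and applies the stated rule for informing subjects (a risk to their rights and freedoms and data that were not encrypted). The Breach fields, the sample incident and the contact address are constructed assumptions.

```python
"""Breach-notification helper for the incident process in the checklist above.

Added example, not code from the original article. The Breach fields, the
sample incident below and the way the 72-hour clock is applied are
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTHORITY_DEADLINE = timedelta(hours=72)  # the clock starts at detection


@dataclass
class Breach:
    detected_at: datetime
    nature: str             # what happened, which data and roughly how many subjects
    contact: str            # contact point for follow-up questions
    consequences: str       # likely consequences for the affected subjects
    measures: str           # measures taken or proposed to remedy the leak
    risk_to_subjects: bool  # does the leak put subjects' rights and freedoms at risk?
    data_encrypted: bool    # were the affected data encrypted (unintelligible to others)?


def authority_deadline(breach: Breach) -> datetime:
    """Latest time for notifying the supervisory authority."""
    return breach.detected_at + AUTHORITY_DEADLINE


def hours_remaining(breach: Breach, now: datetime) -> float:
    """Hours left on the 72-hour clock; negative once the deadline has passed."""
    return (authority_deadline(breach) - now).total_seconds() / 3600


def missing_fields(breach: Breach) -> list:
    """Required content that is still empty; the notification is incomplete
    until this list is empty."""
    required = ("nature", "contact", "consequences", "measures")
    return [name for name in required if not getattr(breach, name).strip()]


def must_notify_subjects(breach: Breach) -> bool:
    """Subjects are informed when their rights and freedoms are at risk and
    the data were not protected by encryption."""
    return breach.risk_to_subjects and not breach.data_encrypted


def build_authority_notification(breach: Breach, now: datetime) -> dict:
    """Assemble the notification, refusing to send an incomplete one and
    flagging whether it is already late."""
    missing = missing_fields(breach)
    if missing:
        raise ValueError(f"notification incomplete, fill in: {missing}")
    return {
        "detected_at": breach.detected_at.isoformat(),
        "deadline": authority_deadline(breach).isoformat(),
        "late": now > authority_deadline(breach),
        "nature": breach.nature,
        "contact": breach.contact,
        "possible_consequences": breach.consequences,
        "measures": breach.measures,
        "subjects_notified": must_notify_subjects(breach),
    }


# Constructed sample incident (not a real event).
SAMPLE_BREACH = Breach(
    detected_at=datetime(2018, 7, 1, 10, 0, tzinfo=timezone.utc),
    nature="Customer order export (names, emails, addresses) of ~1,200 subjects "
           "left on a publicly reachable file share",
    contact="dpo@example.com (hypothetical address)",
    consequences="Unsolicited contact and phishing aimed at affected customers",
    measures="Share closed, access logs reviewed, affected customers being informed",
    risk_to_subjects=True,
    data_encrypted=False,
)

if __name__ == "__main__":
    now = datetime(2018, 7, 2, 10, 0, tzinfo=timezone.utc)
    print(f"{hours_remaining(SAMPLE_BREACH, now):.0f} hours remaining")
    for key, value in build_authority_notification(SAMPLE_BREACH, now).items():
        print(f"{key}: {value}")
```

Keeping the deadline derived from the detection timestamp, rather than from when someone remembered to start the report, is what makes the "late" flag honest; the `missing_fields` check is there so that an incomplete report is caught before the deadline rather than bounced by the authority afterwards.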