RECOMMENDATIONS ON PREPARATION TO NEW RULES OF GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) is Regulation (EC) 2016/679 2016/679 of the European Parliament and of the Council of April 27, 2016 "On the protection of individuals with regard to the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulations)"
WHAT IS GENERAL DATA PROTECTION REGULATION (GDPR)?
The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, GDPR)
The Regulation took effect in May 2016 and is mandatory for application in the European Union from May 25, 2018 as a direct action document (ie, it has the force of law throughout the EU).
The Regulation applies not only to EU residents but also to persons outside the EU processing personal data of individuals resident in the EU in connection with the offering/sale of goods and services (regardless of payment) or by monitoring the activities/behavior of data subjects in the European Union.
Thus, in relation to the website and other materials published online, such factors are taken into account:
- one of the languages of the European Union is used;
- prices are formed/payment is accepted in euros;
- the customers from the European Union are mentioned, etc.
BASIC TERMS IN THE NEW GDPR REGULATION
The GDPR introduces the concepts of "controller" and "processor" of personal data.
"CONTROLLER" is a natural or legal person, state body, agency or other body that alone or together with others, determines the purposes and means of processing personal data. The controller must:
- in certain cases, cooperate with data handlers;
- keep records;
- assess the impact of the processing of personal data on the rights of data subjects for certain types of data processing;
- implement data protection mechanisms;
- at the time of collecting personal data, provide data subjects with complete information about the purposes of collecting personal data, the rights of data subjects, etc .;
- if possible, notify National Data Protection Authorities (DPAs) within 72 hours of the discovery of leaks of personal data, and the relevant personal data subjects.
"PROCESSOR" is a natural or legal person, a government body, an agency or another body that processes personal data on behalf of the controller. The processor must:
- keep a register of operations for the processing of personal data executed on behalf of each controller;
- if the processor does not have a representative in the European Union, he must appoint such a person in certain cases;
- promptly notify the controller about the leakage of personal data;
- participate in cross-border data transfer activities.
WHO IS MUST TO OBSERVE THE REGULATION OF THE GDPR?
The regulations are compulsory for all companies collecting, storing or processing personal data of EU residents (controllers and data processors), regardless of the location of such controllers and processors.
The Regulation expressly prohibits, under the threat of the above sanctions, the movement of personal data of EU residents to countries outside the European Union, if the European Commission does not recognize the data of the country as having an adequate level of protection of personal data. For today (12/04/2018) those countries are:
Liechtenstein, Norway, Iceland, Andorra, Argentina, Canada, Israel, Isle Of Man, Faroe Islands, Guernsey, New Zealand, Switzerland, Uruguay, USA.
Also in the process of recognition on 12.04.18 are Japan and South Korea.
PRINCIPLES OF THE REGULATION GDPR
The Principle of the Regulations is its enforceability.
Simplely, if there is no possibility to involve the controller or the processor of personal data in a certain country in accordance with the Regulations, the processing of personal data of the residents of the European Union will be illegal.
WHAT WILL CHANGE WITH THE REGULATION GDPR ENTERING IN FORCE?
- If the data processing is of a large scale (the criterion is not specified), the GDPR requires a staff or a freelance personal data protection observer (DPO) from the controller or the handler of the appointment, puts forward certain requirements of professional suitability for this post and imposes personal responsibility for compliance with it the Regulation. As a basis for the criterion of "large-scale", for lack of another, one can take the indicator of one of the early projects of the GDPR - processing from 5000 records or the presence of 250 employees.
- The GDPR strictly regulates the procedure for obtaining user consent for the processing of PD at the time of gathering, the procedure for withdrawal and a number of other rights.
- The GDPR requires the presence of protection systems and technical regulations for the protection of personal data.
- If the project owner (data processor) is outside the EU and processes the data on a regular basis, the GDPR requires the appointment of a permanent representative of the processor in the EU.
PENALTY SANCTIONS FOR NON-COMPLIANCE WITH THE GDPR
The GDPR is the EU regulation that acquires the force of the law from May 25, 2018 and provides for significant sanctions for its violation when processing the personal data of EU residents (up to 20 million euros or up to 4% of the company's annual turnover).
RECOMMENDATION FOR THE COMPLIANCE OF YOUR SERVICE WITH THE GDPR
For full compliance with the requirements of the GDPR is recommended as a minimum:
a. Compliance with the requirements of the local legislation of such a country on the protection of personal data, including obtaining advice from the local body for the protection of personal data.
b. Appointment of a staff or freelance data protection observer (DPO) (need to be evaluated during on-site consultations).
d. Development of a system of notifications and obtaining user consent based on the preliminary audit of the service.
e. Development, implementation and description of the system of technical protection of personal data (in internal regulations and instructions).
f. If your company is located in the CIS countries, it is recommended to transfer the ownership of the project to a resident of one of the EU countries in order to comply with the new regulations.
All these measures should be implemented in a complex.
The mismatch of your service with the requirements of the GDPR can potentially entail the imposition of sanctions on the owner of the service, as well as on its client-employers, in sizes that are critical for business.
IF YOU ARE THE OWNER OF THE SITE AND COLLECT THE PERSONAL DATA FROM YOUR USERS, WE STRONGLY ENCOURAGE YOU TO CHECK YOUR SERVICE FOR THE NEW RULES OF THE GDPR.
We will help you to conduct a full analysis of your online service for compliance with the GDPR, write the right policies and provide individual legal advice.
Get ready in advance for the new rules to match the European service and not to pay the penalties.