The impact of GDPR on Russian personal data operators

    Author: Anastasia Zavedenskaya, Assistant Analyst, Analytical Center LLC UCCB
    Reviewers: Ekaterina Rubleva and Konstantin Samatov, Heads of Direction, Analytical Center LLC UCCB

    The company that processes personal data is considered their operator. Most likely, this company knows about the Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data” and its requirements. And if the company has customers in the European Union or is there a desire to attract those? Or just have a website on the Internet with forms to fill the user? Then you need to understand what GDPR is and its scope.

    Back in 1995, the European Union countries adopted Directive No. 95/46 / EC on the protection of the rights of individuals during the processing of personal data. But everything changes, and on May 25, 2018, the General Data Protection Regulation (English General Data Protection Regulation), adopted by the European Parliament in April 2016, was abbreviated simply to GDPR, came to replace it.

    The application of the GDPR will be approved in three more countries of the European Free Trade Association (EFTA), more precisely, in Iceland, Liechtenstein, Norway, which are not members of the EU. The EFTA website (in the EFTA) article on “Including a GDPR in the EEA Agreement (the European Economic Area) and continuing to apply Directive 95/46 / EC” states that the adoption of a GDPR by the EEA Joint Committee (EEA) Joint Committee) and its entry into force in the EEA EFTA States in mid-July 2018. Until then, Data Protection Directive No. 95/46 / EC remains applicable in the EEA Agreement, thus guaranteeing the possibility of unhindered dissemination of data between EEA EFTA states and EU member states.

    To whom does the GDPR apply?

    First you need to understand who should follow the requirements of the GDPR, and who does not fall under its requirements.


    Figure 1 - Algorithm for determining the scope of the GDPR

    Based on the text of the document, its requirements are applicable not only to European organizations, but also to any companies working with personal data of EU citizens or persons in the EU (see Figure 1). At the same time, the location of the company itself does not matter.

    So, if a company is registered in the EU or, for example, in the aforementioned Iceland, Liechtenstein, Norway, then, regardless of the location of the processing process itself, this is definitely a GDPR.

    In order to understand whether the organization provides services or goods to persons in the EU, even its intention to offer services / goods will be sufficient. According to the GDPR, the intention becomes obvious, if the company’s website provides for the use of the national language and the currency of the EU member state, an order in this language is possible. Or there are references to consumers or users who are in the European Union.

    Although even if the site is entirely in Russian, and in itself its accessibility to EU people does not show intentions, you cannot be 100% sure that no one, while in the European Union, will use its services. Therefore, it is recommended, in any case, to meet the requirements of GDPR.

    Another interesting and relevant concept in the context of GDPR is monitoring. Monitoring in GDPR refers to tracking individuals on the Internet with further use or potential use of various personal data processing technologies to analyze or predict preferences, personal characteristics, and behavioral characteristics. That is, if the company takes any action to study the behavior of persons in the EU, for marketing purposes, for statistics, etc. - this is monitoring. For example, Yandex Metrika, Google Analytics, etc. are installed on the organization’s website, which means you need to apply GDPR. Because, as already mentioned, there is no guarantee that a person from the EU will not visit the site on which these services are applied.

    It is important to know that the organization is obliged to appoint a representative to the EU when at least one of the following conditions is met:

    1. processing takes place continuously;
    2. special categories of personal data are processed on a large scale;
    3. personal data related to convictions or crimes are processed;
    4. There is a high risk of violation of human rights and freedoms.

    According to the GDPR, special categories of personal data are defined similarly to the Russian legislation. Except for the fact that the data on prior convictions and offenses are made separately, with the obligation to control their processing by an official body or by permission of the state legislation.

    A representative can be a natural or legal person who is specifically authorized on the basis of relevant documents. The representative must be located in the EU country where the data subjects are located. On behalf of the company, his task is to interact with the EU authorities and citizens, to follow the instructions of the company. He is also held accountable for violations.

    For example, a Russian company that does not have subsidiaries in Finland constantly provides its services to its citizens. This means that the company is obliged to appoint a representative who is officially in Finland. If there is a subsidiary, then it can be designated as a representative.

    It turns out that the General Data Protection Regulation has a fairly wide coverage and, if everything is quite logical with the companies of the European Union, then other countries also “fell under the distribution”. It becomes clear that Russian organizations that are customer-oriented towards the European Union must also comply with the requirements of the GDPR.

    Suppose a small Russian company has an online store, and a Latvian citizen purchases their goods. This means that the requirements of the GDPR apply to this online store, since it will process the personal data of an EU citizen. If the site of this company initially has an English version and puts prices in the currency according to the user's state, then it also falls within the scope of the GDPR. And in any case, if the company does not work personally with each client, you cannot know exactly where the client comes from. This means that even the entire Russian site of a small company must be prepared to meet the requirements of the GDPR.

    The list of companies covered by the GDPR can go on for a long time, but so far there is no law enforcement practice, according to the author, it is necessary to analyze who the company’s actions are directed at and with whom it interacts.

    What roles does the GDPR offer?

    As with any process, data processing has two sides - the one whose data is being processed, i.e. the subject of personal data, and the one who processes this data. Let us dwell on the second. The concepts of a controller (data controller) and a processor (data processor) are introduced in the GDPR.

    Let us deal with these terms, based on the GDPR and the explanations given on the website of the European Commission.

    The controller, in accordance with clause (7) of Article 4 of the GDPR, is individuals, physical or legal, various bodies and agencies that determine the purpose for which and by what means the data are processed.

    All responsibility for fulfilling the requirements for the processing and protection of personal data rests with the controller. The controller must be able to confirm compliance with the requirements.

    So, if the company decides “why?” And “how?” Personal data is processed, then this is the data controller. Employees involved in the processing, do it as a data controller.

    If a company together with one or several organizations jointly determines “why?” And “how?” Personal data is processed, then it can be called a joint controller. Joint controllers enter into an agreement that sets out the obligations to comply with the requirements of the GDPR. The main aspects of this agreement should be transferred to persons whose data are processed.

    The processor (processor), in accordance with clause (8) of Article 4 of the GDPR, are individuals, physical or legal, various bodies and agencies that process personal data on behalf of the controller.

    It turns out that the processor has the right to process personal data only on behalf of the controller. A data processor, for example, can be a third-party company engaged to process data.

    An organization can be a data controller or data processor, or both.

    In the Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, there is the concept of an operator, which is similar to a controller, and the processor is similar to a person who processes personal data on behalf of an operator.

    GDPR and No. 152-FZ “On Personal Data”. General and differences

    Any regulatory document uses its own rules of definition, consider them and compare.

    Personal data, according to Article 3 of the Federal Law “On Personal Data”, is any information that directly or indirectly allows you to identify an individual. Paragraph (1) of Article 4 of the GDRR provides a similar definition, except that instead of the word “identify” it is used to “identify”.

    The terms are similar, but the GDPR speaks in more detail about information relating to personal data. From where we find that information that allows to determine the identity of the data subject, is personal data. It does not matter whether it is possible to identify a subject directly by him or whether special tools or programs need to be used.

    The GDPR has the following list of personal data:

    1. Name;
    2. An identification number;
    3. Location data;
    4. Online ID;
    5. The combination of identifiers / indicators.

    The most difficult with online identifiers. These include IP addresses, cookies, etc. An IP address, for example, can lead to a certain person who goes online, or it can simply show the network access point, i.e. in some cases it can be used to identify a person only in conjunction with other data. Whether an IP address is related to personal data is a moot point and depends on the context of the situation. But since the GDPR focuses its attention on online identifiers, it is recommended to protect them too.

    The principles and conditions of processing are set forth in Articles 5, 6 of the Federal Law “On Personal Data” and in Articles 5.6 and GDPR.

    The Law on Personal Data of the Russian Federation contains 7 processing principles, and the GDPR - 6. All principles are comparable, except that the Russian legislation clarifies the prohibition of combining databases created for incompatible purposes. An important addition to the principles in the GDPR is the principle of transparency / transparency. Namely, any information and messages related to the processing of personal data were easily accessible to the subject and clear for his understanding, that is, a clear and simple language was used. In addition, the GDPR defines the security of personal data as the principle [par. (f), Article 5, GDPR,], and here it is rather presented as a duty.

    The conditions under which the treatment is legitimate are also comparable. At the same time, GDPR allows states to introduce their processing requirements.

    Article 9 of the Federal Law “On Personal Data” and Article 7 of the GDPR describe the subject’s consent to the work of processing personal data. Both documents speak of concreteness, awareness and awareness. It is important that the GDPR requires that consent be compiled in a language that is understandable and easily accessible. Consent to the processing of data must be made separately from other terms and conditions and agreements. All processing targets should be included. The process of withdrawal of consent should be just as simple as receiving it - this is how to put a "tick" and remove it.

    It turns out that the agreement should not be ambiguous, but exact - “I agree ...”. It should include a list of specific processing objectives. It is also impossible to use, for example, checkboxes with the installation of the consent by default. This is contrary to the freedom of consent. And the operator must always be ready to confirm that the subject has given his consent.

    One of the main differences of the GDPR is that it sets specific rules for giving consent to the provision of information society services to minors. If a child who is 16 years old is involved in the processing of personal data, then it is legal. For children under the age of 16, consent must be given by the person performing parental or guardian functions.

    Both of the documents in question fairly extensively describe the rights of the data subject. Both there and there individuals can get their data and information about how they are processed, can correct, delete information about themselves. The main thing is that, according to the Federal Law “On Personal Data”, a subject may receive information about the processing of personal data upon his request. And for the GDPR - the organization is obliged to provide all the information about the processing at the time of receiving personal data. The GDPR describes the deletion and modification of information as the right of the subject, and Russian law as the duty of the operator. The subject of personal data can always withdraw his consent to the processing and request the deletion of data relating to him.

    Another important difference of the GDPR is that it allocates a separate right to transfer its data. A company operating as part of the GDPR must understand that when a subject requests information provided to them earlier, they must provide it freely. The GDPR makes it clear that these data should be structured and have a machine-readable format. Also, at the user's request, the organization must transfer its data to any other organization. All this is new to legal requirements.

    The GDPR has a separate section on the Data Protection Officer. This role is similar to the person appointed responsible for organizing the processing of personal data from Russian law. According to the GDPR, if an organization continuously monitors subjects or processes special categories on a large scale, then it is obliged to appoint a Data Protection Officer. Otherwise, the appointment is made at the discretion of the organization or on the basis of the laws of its state. Under the Federal Law on Personal Data, the operator is obliged to appoint the person responsible for organizing the data processing, in any case.

    When listing security measures in the Federal Law “On Personal Data”, reference is made to the processing of personal data processing activities. In turn, the GDPR also obliges to keep such records in a documented form, including an electronic form. The obligation is not imposed on organizations with less than 250 employees if they do not process on an ongoing basis, do not process special categories or data on convictions or offenses on a large scale. According to the author, it is desirable to keep such records anyway.

    If the company is a controller, the account must contain:

    1. data about the controller, his representative and the data protection officer (if any);
    2. processing purposes;
    3. information on data subjects and categories of personal data processed;
    4. information about other recipients of personal data;
    5. dates of deletion if possible;
    6. Description of security measures, if applicable.

    If the company is a processor, accounting should include:

    1. data about the processor, controller and, if possible, his representative and the data protection officer;
    2. processing information;
    3. information about other recipients of personal data;
    4. dates of deletion if possible;
    5. Description of security measures, if applicable.

    The organization should be ready to provide this information to the supervisor at any time.

    What is the personal data themselves, then “how?”, “Why?” And “why?” They are processed, what measures are used to protect information, what the subject can do and what the operator is obliged to perform - these key points are similar in Federal Law. About personal data "and GDPR. But what to do if all the same unwanted data leakage occurred, it is specifically stated only in the GDPR. So, if the company still allowed leakage of personal data, then it is obliged to tell about it in a short time to the supervisor and the entity that suffered the loss. Otherwise, the company will be fined. According to the GDPR, the supervisory authority is appointed in each country by the relevant regulations. The leaders of these oversight bodies constitute the European Data Protection Council.

    And the most interesting: in order to strengthen the obligation to comply with the norms, the GDPR imposes fines for any violations. Fines amount to 20 million euros, or 4% of the company's cash flow (the largest amount is chosen). But in fact - it's not so scary. In cases where the violation is minor, just a reprimand can be declared. Intangible sanctions may also include a ban on the part of the supervisory authority on the processing of personal data (or their transfer to the counterparty) until the violations are eliminated.

    A fine, first of all, should have a sensible effect, which means that it can vary widely within a fixed amount. The amount of the penalty is set depending on the characteristics of the violation itself:

    1. the nature, severity and duration of the violation;
    2. deliberately or through negligence a violation;
    3. damage mitigation measures;
    4. protection measures used;
    5. past violations;
    6. categories of personal data affected by the violation;
    7. how the violation became known;
    8. other aggravating and mitigating factors.

    That is, for example, the previously considered notice of the leak is an important factor in order to mitigate the punishment.

    Let's sum up

    The General Data Protection Regulation is a new large document with a long preamble and 99 articles, which everyone can interpret in his own way. But if a company does not want to get under a multi-million fine, it is necessary to fulfill the requirements of the GDPR, and, of course, do not forget about the Federal Law “On Personal Data” and its by-laws.

    If you are a Russian company, first you need to determine whether the scope of the organization is in the scope of the GDPR.

    If it is included, then the priority actions that need to be carried out to bring the new requirements into line will be as follows:

    Determine if a representative is needed in the EU. Assign it if necessary.
    Check the availability to the subjects of information on the processing (goals, shelf life, information on the rights of the data subject, etc.), as well as the presence of well-established and documented processes of response to the treatment of personal data subjects.
    Check the consent to the processing of personal data for compliance with the requirements of the GDPR. It should be presented in plain language, specifically, contain all the processing objectives, is separate from other conditions / agreements. Consent is given on the basis of active action, and not "by default" or inaction. If necessary, update it.

    Check the processed personal data for compliance with the specified processing objectives.
    Keep records of all activities for the processing of personal data.

    Assess Data protection impact assessment, i.e. to determine the degree of importance of each specific business process associated with the processing of personal data by assessing the damage caused during the period of failure in work.

    Check safety measures for compliance with GDPR. If necessary, improve them.

    Introduce lined and documented processes of notification of the incident to the supervisory authority, preferably within 72 hours after detection. Include in the notifications information on the nature of the leak, information for feedback, possible consequences, measures to eliminate the leak. If possible, inform the subject of personal data if there is a risk to his rights and freedoms and the data has not been encrypted, within a reasonable time.

    Be prepared to provide evidence of the legality of PD processing activities.

    Also popular now: