What is GDPR and how protection of private data relates to Ukrainian companies and individual entrepreneurs

It has been 4 months since the GDPR, the famous EU regulation on privacy protection, came into force. The Internet has responded overwhelmingly to inboxes overloaded with privacy policy updates, Facebook has barely survived the Cambridge Analytica scandal (and obviously not only because of the new regulations), and Ukrainian lawyers have been preparing for their clients' requests regarding this novelty.

This regulation, in fact, is not the first piece of legislation governing such rules in the EU. Prior to this, there was the Data Protection Directive, which was, as the name implies, only a directive. And while a directive is just a framework that serves only as a basis for EU member states to adopt their own laws, regulations are binding for member and other states, including Ukraine.

Stop, stop. The EU is always approving various regulations, and the GDPR abbreviation sounds cool, but does it have an impact on Ukraine, and especially on companies that do business here?

The principle of extraterritoriality, or why it is important for Ukrainian companies

Typically, EU regulations and directives have little to do with Ukraine. Sometimes, we do harmonize our legislation with theirs. However, GDPR went a step further this time. One of the most interesting features of the regulation is that the scope of its action can extend to companies that are not registered in the EU.

For example, suppose a Ukrainian company decides to create a certain internet service. At registration, the service collects the usual data – first name, last name, email, etc. – from users who are in the EU. The company has thereby become a controller of data and is accordingly subject to the rules of GDPR, since it handles the private data of persons located in the EU. Or the processing of such data is outsourced to a Ukrainian individual entrepreneur (also known as “FOP”); the rules will then apply to the entrepreneur as the processor of data. And, importantly, the data does not have to belong to EU citizens only; the persons concerned just have to be within the EU's territorial limits.

In general, GDPR identifies several instances where such a controller or processor ought to comply with this regulation.

Controller and processor – what are these new words?

In fact, they are not so new. Ukrainian legislation has had these concepts for quite some time. In addition, there is the subject of personal data.

Imagine a situation where a company registered in Ukraine develops a cool mobile tracking application for sports training. Potential users give the company some of their data at registration, agree with the privacy policy and go through all the usual steps. But since the company has to process a lot of data, it outsources such activities to a few individual entrepreneurs.

In this case, the potential user is the subject of the data, that is, the person whose data is processed. The company developing the mobile application is the data controller. Such a company defines “the purpose and means of processing personal data”, that is, why the data of different subjects is collected in the first place and how it will be used in the future. The individual entrepreneurs hired for outsourcing are the processors of data. The main task of a processor is to process the data provided by the controller, and only as specified by the controller.

Usually, both the controller and the processor must adhere to the principles and rules of the Regulation. But sometimes a company processes certain “sensitive” data, and then it needs a representative in the EU. And sometimes it needs a data protection officer (DPO). But why, if the company is law-abiding?

Who are a Data Protection Officer and a representative in the EU?

First of all, these individuals are needed to ensure compliance with the GDPR, that is, to ensure that companies follow the rules of this Regulation correctly. The main difference between an officer and a representative is that the former is a part of the company, whereas the latter is an external contact person, so to speak.

A DPO may be a person with expertise in private data protection. What’s more, such a person does not necessarily have to be a part of the company’s staff – it is enough to engage them, for example, under a service contract. Such an officer, as a rule, should be appointed when the company regularly and systematically processes a large amount of private data, or “sensitive” data such as nationality, medical records, etc.

A representative is appointed only when the company is not registered in the EU, which is also an important distinction between the two. It is also important to note that a representative does not need to be appointed if the company does not handle a large array of “sensitive” data.

So, while the duties of an officer are mostly proactive, aimed at preventing and eliminating GDPR violations, the representative is merely the contact person of the company in the EU “just in case”.

And finally

Compliance with GDPR may not look so complicated once you dig into it and sort it out. Together with our law firm, you will certainly learn a lot more about GDPR and how it should be applied in practice. Our lawyers will answer all your questions, convenient and not so convenient, and help resolve any difficulties.