10 July 2017

New developments in European legislation on personal data: risks and recommendations for Russian businesses

Alexandra Vasyukhnova, Partner, Head of Technology and Investment group

In the spring of 2016, the wide-ranging reform of European Union (hereinafter EU) legislation on personal data (hereinafter PD) was completed. The result was the adoption of EU Regulation No. 2016/679 entitled “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter the Regulation), which enters into force in May 2018. The key objective of this reform was to unify the rules on personal data across the EU and allow a single approach to be adopted by all EU countries, ensuring unhindered and efficient interaction between EU operators.

The EU innovations in the area of PD have a number of consequences, including financial ones: potential fines of up to 20 million euros, or 4% of annual world turnover for one fiscal year. These consequences apply not only to European companies, but also to Russian ones that process the PD of European citizens. The provisions of the Regulation that have become a cause for concern, the potential risks, and practical recommendations for businesses are detailed in this analytical review.

I. Who is affected by the new Regulation’s requirements?

1. Organizations founded in the EU (EU residents).

2. Organizations founded outside the EU (EU non-residents) that process PD of EU citizens. These could include companies from countries that are not EU members that sell goods/services to European citizens, for example online services, online stores, social media, and data centers. According to official commentary on the Regulation, non-resident companies are also bound by the Regulation’s provisions if they: 1) use official languages of EU countries in the descriptions of their goods/services and when taking orders, 2) use the currencies of EU member countries when dealing with their clients, or 3) indicate directly on their websites that their goods/services are available to EU citizens.

3. Organizations that collect and process PD as part of monitoring EU citizens’ behavioral patterns.

This means that the Regulation applies not only to EU residents, but also to organizations, including Russian ones, that process EU citizens’ PD.

II. The Regulation’s new rules and penalties

In view of the fact that the Regulation is extraterritorial, Russian companies involved in processing PD of European citizens will have to comply with a number of new requirements. Particular attention should be paid to the fact that the scope of liability for non-compliance with the norms on PD protection has been significantly expanded. For example, the Regulation imposes large penalties: up to 20 million euros, or up to 4% of annual world turnover for the previous fiscal year (whichever is larger). At the same time, it is worth noting that the supervisory authority may limit itself to reprimanding the violator if the nature of the violation does not entail any risk to the protection of individuals’ personal data.

III. Key recommendations for business

1. Limiting activity involved in collecting PD on European citizens.

When collecting PD on European Union citizens, a Russian company is bound by the Regulation’s provisions. In order to avoid the necessity of adhering to the new Regulation, a company should limit the PD of European citizens it collects and processes, and completely stop this kind of activity with PD by 2018.

2. Adopting a set of additional controls related to the organization, its management, and technical issues.

If a company is not prepared to stop collecting and processing EU citizens’ PD, it is recommended to take several steps, on a time-phased basis, to bring its PD processing activities into compliance with the Regulation’s requirements, specifically:

  • Creating a task force, including specialists from the IT, HR (if the company processes PD for European expatriates as part of employment relations), and legal departments, as well as representatives from the departments responsible for processing PD in the company.

  • Auditing the processes involved in collecting and processing PD in the company. The goal at this stage is to determine whether the Regulation’s provisions are applicable to the activities performed by the company, and to reveal potential risks. As part of an audit, the following must be precisely defined:

- the scope of the PD processed by the company, and whether foreign servers are used in the process

- the circle of parties whose PD is processed by the company (and whether there is any data on Europeans amid the PD)

- the mechanisms for protecting PD that the company has in place, including technical security measures (for example, the encryption procedures used)

- the set of internal policies that regulate the processes for collecting and processing PD

  • Improving the processes used to collect PD and bringing internal documentation into compliance. At this stage, it is necessary to put additional security measures in place, to designate the appropriate company officials, and to adopt any additional internal corporate policies on protecting PD, or to update those that already exist.

  • Interacting with suppliers. It is recommended that contractual relations be analyzed with any partners that process European citizens’ PD on behalf of the company (or on their own behalf but in the interests of the company). At this stage, it is recommended that the relevant provisions be introduced into the contracts concerning the delineation of liability when processing EU citizens’ PD, as well as additional mutual guarantees that the Regulation’s norms will be complied with.

The table we give below contains the new requirements, penalties for non-compliance, and recommendations. For repeat violations, penalties are imposed in the amount of 4% of annual world turnover for the previous fiscal year or a fine up to 20 million Euro.

| No. | Article in Regulation | Requirement | Fine for Non-Compliance | Recommendations |
|---|---|---|---|---|
| 1 | Art. 27 | Assigning an EU representative who will answer for the processing of European citizens’ PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | The EU representative may be either a company employee working at a branch office of the company or an independent consultant located in the EU. Developing internal corporate policies concerning an EU representative for issues related to protecting PD. |
| 2 | Art. 7, Sec. 3 | The method for a party to revoke consent to the processing of his/her PD must be identical to the method used to grant that consent. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | From a technical standpoint, providing the ability for a party to revoke his/her consent to the processing of his/her PD in the same manner in which the consent was granted. |
| 3 | Art. 5, Art. 6 | Receiving express consent from a party to process his/her PD for each separate purpose for which the PD is collected and processed. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Revising the current PD processing consent forms, confining the text to consent for the purposes of collection. For example, an online store collects PD 1) to send goods to the customer, 2) to mail out advertising materials, and 3) to gather statistical data. Each purpose for collecting PD should be stated separately in the consent form, together with the set of PD processed for that purpose. |
| 4 | Art. 34 | Immediately informing the party whose PD has been processed if there is an information leak. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Adding to the current policies governing PD processing a section devoted to the procedure for informing a party whose PD has been processed if there is an information leak, or developing a separate internal regulation. |
| 5 | Art. 13, Art. 14 | Upon request from the party whose PD is being processed, furnishing information about the operator, the purposes of processing the PD, the period for which the PD is stored, and the types of recipients of the PD. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Adding to the current policies governing PD processing provisions on the rights of parties to receive this kind of information, with the time frames for receiving it indicated, and developing an internal policy that defines the procedure for processing such requests and the subsequent action taken. |
| 6 | Art. 16, Art. 17, Art. 18 | Upon request from the party whose PD is being processed, immediately altering, deleting, or restricting the use of that PD. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Adding to the current policies governing PD processing provisions on the rights of parties to change, delete, or restrict how their data is used, with the time frame for fulfilling the request indicated. Developing an internal policy that defines the procedure for processing such requests and the subsequent action taken by the PD operator. |
| 7 | Art. 20 | Upon request from the party whose PD is being processed, transmitting the PD to him/her in a structured, machine-readable format. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Adding to the current policies governing PD processing provisions on the rights of parties to receive their data in a structured format, with the time frame for fulfilling the request indicated. Developing an internal policy that defines the procedure for processing such requests and the subsequent action taken by the PD operator. |
| 8 | Art. 49 | Furnishing the party whose PD is being processed with a complete description of the risks associated with the cross-border transfer of his/her data. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Adding to the current consent forms content on the possibility of cross-border data transfer, with a description of the risks and the means used to minimize/eliminate them. |
| 9 | Art. 9 | Collecting and processing special categories of PD. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Determining whether the data the company collects falls under special categories. If so, either ceasing the collection of special categories of PD or making consent forms available for express consent to the processing of these categories of PD. |
| 10 | Art. 30 | Keeping a written record of activity performed while processing PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Maintaining a journal recording activity performed with EU citizens’ PD. It is recommended that these journals be kept in an electronic, machine-readable format, separating activity concerning Russian Federation citizens from that concerning European citizens. |
| 11 | Art. 33, Sec. 5 | Keeping a PD incident register. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Maintaining a journal recording PD incidents. It is recommended that these journals be kept in an electronic, machine-readable format. |
| 12 | Art. 32 | Introducing a procedure for regularly checking and assessing the effectiveness of organizational measures for protecting PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Developing and implementing a policy on the procedure for regularly checking and assessing the effectiveness of organizational measures for protecting PD, and designating those responsible. |
| 13 | Art. 32, Art. 35 | Making available documented assessments of the potential risks involved in processing PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Conducting a full-scale analysis of the mechanisms for protecting PD in order to discover potential risks, and adopting measures to minimize/eliminate them. |
| 14 | Art. 36 | Consulting the supervisory authority in advance if the assessment of the potential risks involved in processing PD is unfavorable. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Developing a policy on interaction with the EU supervisory authority regarding PD protection that provides a format for the interaction and determines in which cases the company is obligated to consult the authority. |
| 15 | Art. 33 | Notifying the supervisory authority of any PD-related incidents. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Stipulating the procedure for notifying the supervisory authority in a fully developed policy on interaction with the EU supervisory authority regarding PD protection. |
| 16 | Art. 26 | Making available agreements between parties jointly processing PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | Revising current contracts with contractors that process PD, including adding clauses on liability and guarantees that the Regulation’s rules will be followed. It is recommended that caution be exercised when selecting new contractors with regard to the compliance of their business processes with the Regulation’s requirements. |
| 17 | Art. 58 | Fulfilling the requirements of the supervisory authority is mandatory. | Up to 4% of annual world turnover for the previous fiscal year, or up to 20 million Euro | Stipulating the procedure for fulfilling requirements put forward by the supervisory authority in a fully developed policy on interaction with the EU supervisory authority regarding PD protection. |
| 18 | Art. 37 | Assigning an inspector with the job of protecting PD. | Up to 2% of annual world turnover for the previous fiscal year, or up to 10 million Euro | The inspector may be either a certified company employee or a certified independent consultant, and may be the same person as the EU representative. Developing and implementing a provision on issues related to protecting PD. |
