Personal data protection GDPR
Private data (PD) is an intangible value and a benefit that must be carefully protected. Just like dignity or reputation. When an individual provides personal information to any organization, you need confidence: his phone number, bank card number, full name, etc. will not get to strangers. The organization must at all costs ensure the safety and private data confidentiality. Otherwise, she may receive a fine, another punishment according to the law and mistrust of clients.
All organizations that collect information in any way are obliged to protect PD. To carry out this procedure, a number of documents are created. They stipulate a list of intelligence that can be requested and processed, as well as possible actions with them.
The company becomes the owner of the PD, and the individual transferring them becomes the subject. The latter must consent to the treatment, and the owner must comply with the obligation of non-disclosure of PD.
SION specialists help develop papers that regulate work with PD in the organisation. We know the requirements for such documentation, we have experience in its preparation. Also, if necessary, we represent the interests of the parties in court.
The procedure for processing and protecting PD
In developed countries, special directives have been introduced at the legislative level. The document relevant to the EU is the General Data Protection Regulation (GDPR). He establishes order in the infoworld. The law contains a number of principles that can be used by companies collecting and treating customer intelligences. This applies to all businesses: offline (banks, clinics, stores) and online (online stores, brand promotions).
The main principles of the GDPR:
- Legal grounds for collection, honesty, transparency in use.
- Processing only to the extent that is stated.
- Minimization of collection (no need to ask for too much).
- The wording must be accurate, error-free and not misleading.
- Storage only for the agreed period, no longer.
- Confidential and secure storage, no leakage.
- Appointment of responsibilities for operations, documentations.
The document must be drawn up in a transparent and understandable way so that the company is not suspected of concealment and, even worse, of fraud. SION employees help you legally draw up a regulation on the procedure for working with PD in order to protect the interests of the company and not violate the interests of individuals.
Protection of personal data on the Internet
In the online area, GDPR principles also apply. However, it is much more difficult to find and punish violators on the Internet. To preserve your own identity, not to transfer information about it (and, often, about tangible assets) to malefactors, you need to be three times more vigilant. Particular attention should be paid to the protection of such intelligence:
- logins, passwords on sites;
- Apple ID, Google account;
- accounts in social networks, online games;
- numbers and codes of bank cards, electronic wallets.
On the Internet, we advise you to focus on technical protective methods. This is two-factor authentication, the use of licensed software, the setting of strong passwords for access. And also – attentiveness and literacy.
In Ukraine, there is a cyber police that investigates the theft of information on the Internet. In addition, thefts from cards are investigated by the security services (SB) of banks. In some cases, they return the stolen money – the main thing is to correctly draw up and submit an appeal. If your private photos are stolen and posted on a third-party site, it makes sense to contact its owner with a request to delete it.
We advise on a specific online violation and show you what can be done – for example, is there a chance to expect a refund from the bank. If necessary, we help to draw up an appeal to the Security Council of the financial organization, the State Service for the Protection of PD. Or the owner of a site where materials about you were unlawfully posted.
Personal data protection documents
Each company independently forms the procedure for working with PD of customers and employees. But the general scheme must comply with the principles of the GDPR, it almost always be the same. May imply such papers:
- The procedure for working with PD (contract, agreement). Notifies about the inclusion of information in the database, asks for consent to their treatment.
- Cookie Statement. These files help sites to “remember” the username and password, settings, etc. Their storage also requires the user’s consent.
- Public offer agreement. An offer to conclude an electronic contract with an unlimited number of users (for example, from a website offering online services). Like an ordinary paper contract, it prescribes the rights and obligations of the parties, the conditions for the provision of services, and info about the seller.
Personal data processing and protection agreement
It can be called in different ways: contract, message, consent, provision, rules, etc. Surely everyone has come across such agreements on the sites: they must be read and ticked on consent to the collection and work of information. The document usually contains the following subsections:
- Goals. Why the collection takes place – for registration, mailing by e-mail, delivery of goods, customer support, etc.
- Explanation of terms. For example, treatment is a set of actions for collecting, accumulating, storing, adapting, updating, using, transferring intelligences.
- The types of info collected (name, date of birth, phone number, e-mail, cookie, sources of entry to the resource, etc.).
- Storage method. These are usually electronic media.
- Privacy mode and more.
Depending on the degree of elaboration, the paper can consist of several paragraphs or several pages of text. SION employees tell you how detailed the study should be, what points should be contained in the documentation, and develop the contract itself.
Punishment for disclosing personal data in Ukraine
The legislation providing for the protection of private intelligence of individuals has been in force in Ukraine since 2011. It is on its way to GDPR principles. The main rules for dealing with PD are set out in Art. 32 of the Constitution of Ukraine. Other important documents are the laws “On the protection of PD” dated 01.06.2010 No. 2297-VI, “On information” (Art. 23).
Responsibility for PD (their distribution) is provided for administrative and criminal. Accordingly, this is stipulated by Art. 18839 of the Code of Administrative Offenses of Ukraine (KUoAP) and Art. 182 of the Criminal Code of Ukraine (Criminal Code). Depending on the composition, the severity of the violation and other points, the following types of liability are provided:
- fines (most often applied);
- correctional labor;
- deprivation of liberty.
It will not be considered a violation to disseminate info with the consent of an individual. We strongly recommend that you carefully read the papers you sign. It is also not forbidden to disseminate messages about committed offenses and crimes, for this they are not prosecuted.
Penalty for the dissemination of personal data
The amount of fines, most often, is tied to the size of the non-taxable minimum income. In 2021, it is pegged to a hard cash equivalent of UAH 17. Possible amount of fines:
- For illegal intentional distribution of PD, criminal liability is assumed in accordance with Art. 182 UKU. Assumes a fine of 500-1000 non-taxable minimums (UAH 8,500-17,000).
- For non-compliance with the procedure for protecting private information, as a result of which third parties gained access to them, administrative liability is provided for under Art. 18839 KUoAP. It implies a fine of 100-500 non-taxable minimums (UAH 1,700-8,500).
In case of info leakage, a natural person can apply to the court or to the Authorized Person of the Verkhovna Rada for Human Rights (Ombudsman). The appeal must be filed within a year after the violation. After it, an unscheduled inspection of the enterprise may follow, as a result, an order for correction is issued, a protocol on an administrative violation or materials are transferred to law enforcement agencies.
Processing personal data without the consent of the subject
Ukrainian legislation stipulates that the treatment of confidential intelligences (that is, any actions associated with it) are not allowed without the consent of an individual. This consent must be expressed unambiguously and confirmed by an action – a private signature (on paper) or a checkmark (in the online questionnaire).
There are a number of cases when it is possible not to ask the consent of the PD subject. This is possible to comply with:
- national security;
- economic welfare;
- human rights.
In fact, unauthorized work with PD is sometimes carried out. The most popular option is if a person owes a debt to a microfinance organization (MFI), it sells the debt to collectors. The latter receive info without the consent of the individual. By law, consent to processing does not mean consent to the transfer of information to outsiders.
In order to be able to sell the business to collectors, the MFI must prescribe in the contract a clause on the possibility of transferring intelligence about the creditor to third parties. Also, the organization is obliged to sign an agreement with a collection firm on debt collection. There is no clause, no agreement, which means that the pressure of the collectors on the debtor is considered illegal.
Personal data judicial practice
The owner of the database is responsible for the safety of PD. The protection of PD depends on his conscientiousness and ability to organize the process. Sometimes private info is stolen, and sometimes the owner of the database himself discloses it. In Ukraine, this most often happens when banks or MFIs transfer materials about debtors to collectors.
Debtor’s lawyers know the method of recognizing the agreement between the bank and the collectors as invalid. Ground – transfer of client PD to a third party without permission. It really works. The same can be done if the collectors start calling relatives or persons indicated as guarantors.
It happens that courts react differently to similar violations. In this case, precedents (decisions on similar cases) and evidence on them can be used as evidence. Our lawyers represent in court the interests of persons who have suffered from the unlawful transfer of their private information. They know and successfully use solutions in previous similar cases.
The cost of developing documentation for the protection of personal data
Everyone has the right to be sure that intelligence about his personality, life, health and other aspects will be inviolable. In this case, sometimes situations arise when certain information becomes the object of an administrative or criminal offense. If you are faced with something like this, please write to us by mail: firstname.lastname@example.org or dial +38 (095) 629-66-63. We advise and provide practical assistance.