GDPR: Application in Ukraine and the EU
A guide on how businesses can properly handle personal data under GDPR rules: basic requirements to practical tips for protecting client data.
The General Data Protection Regulation (GDPR) has been in effect since 2018. However, even today, many businesses lack a thorough understanding of its general requirements, rules of application, and other nuances. This is reflected in the staggering fines of over €2 billion issued in 2023 alone.
This article aims to clarify the principles of GDPR application and highlight key aspects that business owners and those responsible for safeguarding personal data within companies should focus on.
Criteria for GDPR application
The GDPR applies not to organizations as a whole but to specific processing activities. Furthermore, it does not automatically apply to every company worldwide; Article 3 sets out clearly defined criteria. The primary trigger is a connection to the European Economic Area (EEA): an establishment in the EU, or offering goods or services to (or monitoring the behaviour of) people who are in the EU. Factors that regulators treat as evidence of such targeting include using EU top-level domains (e.g., ".de," ".pl," ".eu"), and offering services or delivering goods to Europe.
For example, if your company is based in Ukraine and someone from the EU accidentally purchases a product from you, this does not necessarily oblige you to comply with GDPR requirements.
However, if you actively target European customers by running ads aimed at them, using local phone numbers, displaying prices in EU member state currencies, and consistently accepting orders from Europe, these actions may serve as clear indicators for regulators to enforce GDPR compliance on your business.
Additionally, it is crucial to consider Ukrainian legislation, which may impose similar requirements. If you plan to expand into EU markets, it is wise to prepare privacy policies for your website or mobile application in advance.

Types and roles in personal data processing

Cookie 🍪
In addition to the types of personal data mentioned earlier, it is important to highlight cookies. A cookie is a small piece of data that a website stores in the visitor's browser and that the browser sends back with subsequent requests to that site. Websites use cookies both to enhance the user experience and to track visitor activity, such as the number of visitors, how long they stay on a page, and how far they scroll down, among other metrics.
Cookies can significantly improve your browsing experience and provide valuable feedback to system administrators. For example, cookies allow you to set language preferences, add items to your shopping cart, and avoid re-entering your login credentials on every page.
Website administrators can also use cookies to improve performance, track errors, optimize page load times, and enhance both content and navigation.
Cookies are typically categorized into four types: strictly necessary, functional, statistical, and marketing cookies. Under the regulatory framework (Article 5(3) of the ePrivacy Directive, read together with the GDPR's standard of consent), case law, and the recommendations of European regulators, only strictly necessary cookies may be set without asking. For everything else, the user decides which browsing experience they prefer: consent must be obtained before the cookie is set, must be an explicit opt-in (a pre-ticked box is not valid consent), and must be as easy to withdraw as it was to give.
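To make the consent rule concrete, here is an added example in JavaScript (it is not code from the original article and not any particular consent-management product): a small consent gate that categorizes cookies the way the paragraph does and refuses to set anything beyond strictly necessary cookies until the user has explicitly opted in to that category. The cookie names, the COOKIE_CATEGORIES map and the ConsentGate class are illustrative assumptions; an in-memory Map stands in for document.cookie so the module runs outside a browser.

```javascript
// Added example, not from the original article. Cookie names and categories
// below are illustrative assumptions; adjust them to the cookies your site sets.
const COOKIE_CATEGORIES = {
  session_id: "strictly_necessary", // keeps the user logged in
  csrf_token: "strictly_necessary", // protects forms against CSRF
  lang: "functional",               // remembers the chosen language
  _ga: "statistical",               // analytics identifier
  ad_id: "marketing",               // advertising identifier
};

const OPTIONAL_CATEGORIES = ["functional", "statistical", "marketing"];

class ConsentGate {
  constructor(store) {
    // `store` stands in for document.cookie: a Map of cookie name -> value.
    this.jar = store || new Map();
    // Default state before the user has chosen anything: nothing optional allowed.
    this.consent = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  }

  // Record the user's choices. Only an explicit boolean `true` counts as
  // consent; a missing key, a pre-filled "on" string or any other value is
  // treated as "not consented".
  recordConsent(choices) {
    for (const cat of OPTIONAL_CATEGORIES) {
      this.consent[cat] = choices[cat] === true;
    }
  }

  // Decide whether a cookie may be set right now.
  isAllowed(name) {
    const cat = COOKIE_CATEGORIES[name];
    if (cat === undefined) return false;           // unknown cookies are never set
    if (cat === "strictly_necessary") return true; // no consent needed
    return this.consent[cat] === true;
  }

  // Set a cookie only if its category is currently allowed. Returns true when
  // the cookie was written, false when it was blocked by the consent state.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Withdrawal must be as easy as giving consent: reset all optional
  // categories and delete cookies that are no longer allowed.
  withdrawConsent() {
    this.consent = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
    for (const name of [...this.jar.keys()]) {
      if (!this.isAllowed(name)) this.jar.delete(name);
    }
  }

  // Names of the cookies currently stored, for inspection.
  storedCookies() {
    return [...this.jar.keys()].sort();
  }
}

module.exports = { COOKIE_CATEGORIES, ConsentGate };
```

Two design points worth noting: the gate is default-deny, so a bug that forgets to call recordConsent fails safe (no optional cookies rather than all of them), and withdrawConsent both records the new state and removes the cookies already stored, which is what "as easy to withdraw as to give" (Article 7(3) GDPR) means in practice.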
What should be included in Privacy Policies
First, it’s important to distinguish between the terms “Privacy Policy” and “Privacy Notice.” While they are often translated similarly, they serve different legal purposes:
- A Privacy Policy is an internal document used within the organization to regulate the processing of personal data, primarily concerning employees.
- A Privacy Notice, on the other hand, is a document addressed to data subjects, in which the data controller outlines how they collect, process, and use the data. The Privacy Notice is subject to more stringent regulation than the Privacy Policy. However, both documents should align and be consistent with each other.
Now that we’ve clarified the terms, let’s focus on the content. The Privacy Notice should be written in clear, user-friendly language — simple and non-legalistic. The younger the average age of your user base (particularly important for developers of children’s games), the more straightforward and accessible the policies should be.
In compliance with Articles 13 and 14 of the GDPR, the Privacy Notice must include at least the following information:
- The purposes of data processing
- The legal bases for processing (and, where legitimate interests are relied on, what those interests are)
- The retention periods, or the criteria used to determine them
- A clear identification of the personal data being collected
- The recipients of the data and any transfers outside the EEA
- The rights of users (data subjects), including the right to lodge a complaint with a supervisory authority
- Information about you as the data controller, including contact details
A good example can be found in Google’s privacy policies, where each section includes a video explaining the legal basis for each data interaction. However, this is only an example; due to the scale of the company and the variety of services it offers, Google faces more regulatory requirements than smaller businesses.

GDPR vs ISO
As previously mentioned, GDPR is a regulation from the European Union that governs the processing of personal data. It is legally binding and must be adhered to by all organizations that handle personal data of people in the EU, regardless of their citizenship. Non-compliance with GDPR can result in substantial fines and legal consequences.
In contrast, ISO refers to international standards established by experts globally for various industries. ISO standards are not mandatory, but they can be used to ensure high levels of quality and security within organizations. For instance, ISO 27001 focuses on information security management, and ISO 27701 builds on this by incorporating privacy management into information security systems.
In summary, GDPR is a legal obligation that companies must follow when conducting business in Europe. It does not have a mandatory certification: Article 42 of the GDPR provides for voluntary certification mechanisms, but obtaining a certificate does not reduce the controller's responsibility for compliance (Article 42(4)).
Although companies can undergo audits to assess their GDPR compliance and be labeled as “GDPR compliant,” these audits are often superficial and may not cover the entire spectrum of data interactions.
On the other hand, ISO certification is voluntary, but it is a valuable tool for streamlining internal processes. The review generally includes an evaluation of existing company policies, the protection of assets (including physical, software, and human resources), identification of potential security threats, and interviews with key staff.
The ISO certification process may take several months, depending on the company’s size and level of preparation. Once certified, the organization receives a certificate confirming compliance, which can provide a competitive edge and ensure that the company’s internal processes meet internationally recognized standards.

Conclusion
Adhering to information security requirements and adequately processing personal data can be a significant challenge for companies.
To ensure compliance with these requirements, it is essential not to overlook the key principles established in Article 5 of the GDPR, which include:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently, and data subjects must be informed about why their data is being collected.
- Purpose limitation: Data should be collected only for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
- Data minimization: Only data necessary for achieving the purpose of processing should be collected.
- Accuracy: Personal data should be accurate and kept up to date.
- Storage limitation: Information should be stored in a form that allows the identification of data subjects only for as long as necessary for processing purposes.
- Security: Appropriate measures must be taken to ensure the security of personal data, including protection against unauthorized or unlawful processing, loss, destruction, or damage.
- Accountability: The data controller is responsible for ensuring compliance with these principles and must be able to demonstrate this compliance.
By adhering to these principles, businesses can navigate the complexities of GDPR compliance and safeguard personal data effectively.
Published by LОЙЕР