Personal data protection and GDPR for business

Andriy Barbashyn, lawyer, Barbashyn Law Firm (Barbashyn Law Team)
5 July 2023 · 9 min read

Every day, people entrust their personal data to third parties. They do this when they register accounts on social networks, download applications from Google Play or the App Store, get a discount card at a nearby supermarket, and even reading this article may involve transferring your personal data.

The growing number of users and Internet resources, together with outdated legal norms, made it necessary to develop legal standards for the processing and protection of personal data. In particular, the EU adopted the General Data Protection Regulation (GDPR), which is currently considered one of the strictest privacy laws. Although the regulation was developed within the EU, it has an “extraterritorial effect”: it applies to the activities of any company that collects or transfers the personal data of users in the EU.

The Regulation is designed to make the processing of personal data transparent and understandable for users and to give them more control over how their personal data is collected, processed and protected.

It is worth noting that IT companies have a special role in the field of data processing, as they usually act as processors of personal data. So let’s look at which main GDPR requirements should be followed in order to gain the trust of users and avoid fines.

Follow the principle of lawfulness

You may receive, process, and store personal data only on the specific legal grounds defined in the GDPR. Personal data can be collected, processed, and transferred if:

🔹 There is unambiguous and informed consent of the user to the processing of personal data. For example, when creating an account on the site, the user ticked the box confirming that they have read the Privacy Policy and the User Agreement.

🔹 Processing is necessary in preparation for concluding a contract or for its execution. For example, in order to buy plane tickets in an application you need to enter personal data; without it the purchase is impossible.

🔹 Data processing is necessary to fulfill a legal obligation. Such a legal obligation can be the execution of a court order.

🔹 Data processing is necessary to save lives. For example, the police can process the data of a person who has been kidnapped without their permission.

🔹 Data processing is necessary to perform a task in the public interest. Here, however, a balance must be maintained between the public interest and the individual’s right to privacy.

🔹 There is a legitimate interest in processing someone’s personal data.

If you cannot justify the processing of personal data on one of these grounds, then you are in breach of the GDPR and may be fined for such a breach.

Apply technical protection measures

The Regulation provides controllers and data processors with a choice regarding the types and methods of technical and organizational measures and does not contain specific requirements on this matter.

In addition to international standards (PCI DSS, TLS, SSL 256 bit GoDa, TrueBusiness ID, EV SSL), the most common examples of technical measures are two-factor authentication for the accounts of users and company employees and end-to-end encryption of data.

The technical aspect is of great importance for the protection of personal data processing, because a weak technical security system is precisely what usually lets user data leak during hacker attacks.

An example of an organizational measure is limiting access to personal data to only those employees who need it for their work. For example, the personnel department needs employees’ personal data for its work.

For example, in 2022 the Irish Data Protection Commission fined Meta 17 million for GDPR violations. The investigation was launched after receiving 12 complaints from users.

During the review, the commission concluded that Meta had not “implemented appropriate technical and organizational measures” that would have demonstrated that the “security systems it used” served to protect the data of community users.

Respect user rights

The regulation contains a defined list of such rights. Let’s look at the rights that are violated most often.

It should be remembered that all users have the right to:

🔹 be informed. The user has the right to know for what purpose, how, by whom and where their personal data will be processed, and whether such data will be transferred to third parties. In addition, the person must have constant, unhindered access to this information. A privacy policy is the most convenient way to explain to users how, for what purpose and in what manner their personal data is processed. If the company has a website, it can place a link to the policy at the bottom of the website.

🔹 access their data. At the user’s request, they must be provided with information about which of their data is processed, how and where it is processed, and whether it is transferred to third parties.

🔹 data correction. If the user’s data contains an error or has changed (a new address, a changed last name, etc.), the user must be able to make the changes themselves or submit a request to change such data.

🔹 be forgotten. That is, at the user’s request, the company must delete all personal data relating to that person.

Last year, the Spanish data protection agency fined Google 10 million euros for violating this right. The regulator found that despite users’ requests to delete their personal data, Google transferred their data to a third party.

🔹 be notified of violations. In the event of a violation related to the processing of personal data, the company is obliged to notify users and the regulatory authorities within 72 hours and to take all possible measures to stop it and mitigate its consequences.

Such behavior will have a positive impact in the event of a breach investigation by a data protection agency. Thus, the British ICO significantly reduced the fine imposed on Marriott, taking into account the measures the company took to mitigate the consequences of the violation.

Transfer information to a third party only with consent

In 2021, a data protection agency in Norway fined a dating app more than 6 million euros for sending users’ personal data without consent. The company transferred information about the age, gender, IP addresses, and GPS data of its users to potential advertising partners without their consent.

Users were forced to agree to the Privacy Policy of the application as a whole in order to use it and were not able to refuse the transfer of their data to a third party.

In order to avoid such a violation, the company must inform users about who will have access to their data. In addition, personal data may be transferred to a third party only with the explicit consent of the user. For example, during registration on the website the user can tick a separate box agreeing to receive advertising mailings from the company’s partners. In addition, the user must be able to withdraw their consent at any time without hindrance.

Use cookies in compliance with GDPR and e-PD requirements

The use of cookies is one of the most common ways of collecting and transmitting personal data on the Internet.

It is worth noting that the GDPR does not contain special rules for the use of cookies, but only classifies them as an “online identifier”, which under certain circumstances can be considered personal data.

The issue of the use of cookies is controlled by the EU e-Privacy Directive (e-PD), which is often referred to as the “cookie law”. This directive complements the GDPR.

According to the e-PD, organizations must provide users with clear and comprehensive information about the processing of cookies and obtain users’ informed consent before starting to track their interactions with the site using cookies. The only exception is necessary (mandatory) cookies, without which the service cannot work correctly and whose use carries minimal risk for the user. They mostly concern technical characteristics: for example, a shopping service uses cookies to store information about which products you have placed in your cart.

In addition, according to the e-PD, the user must have the possibility and the right to refuse the use of cookies as easily as he gave his consent.

It is the rule regarding obtaining informed consent and the possibility to easily refuse the use of cookies that is most often violated.
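The consent rules above, expressed as code. This is an added example, not code from the original article or the law firm: the cookie names, categories and purposes are constructed, and a Map stands in for the browser’s cookie store so the logic can run anywhere. It keeps necessary cookies exempt, refuses every other cookie until an explicit per-category opt-in, and makes withdrawal a single call that also deletes the cookies already set.

```javascript
// Constructed registry of the cookies a shop sets, each with the purpose shown to
// the user. Names and purposes are invented for this example, not from a real site.
const COOKIE_REGISTRY = {
  cart_id: { category: "necessary",   purpose: "remembers the products in your basket" },
  session: { category: "necessary",   purpose: "keeps you signed in" },
  stats:   { category: "analytics",   purpose: "usage statistics" },
  ad_seg:  { category: "advertising", purpose: "advertising segments shared with partners" },
};

// A new visitor has consented to nothing; only "necessary" cookies are exempt.
function newConsent() {
  return { necessary: true, analytics: false, advertising: false };
}

// A cookie may be written only if its category is consented; unknown cookies are refused.
function mayStore(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  return entry !== undefined && consent[entry.category] === true;
}

// The jar (a Map) stands in for document.cookie so this runs outside a browser.
function setCookie(jar, name, value, consent) {
  if (!mayStore(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Opt-in is explicit and per category, never a single "accept everything" default.
function grantConsent(consent, categories) {
  for (const c of categories) if (c in consent && c !== "necessary") consent[c] = true;
  return consent;
}

// Withdrawal is as easy as consent: one call revokes the category and deletes
// every cookie already stored under it. Returns the deleted cookie names.
function withdrawConsent(jar, consent, category) {
  if (category === "necessary" || !(category in consent)) return [];
  consent[category] = false;
  const removed = [];
  for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
    if (entry.category === category && jar.delete(name)) removed.push(name);
  }
  return removed;
}

// Banner text: informed consent means naming each optional cookie and its purpose.
function consentNotice() {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, e]) => e.category !== "necessary")
    .map(([name, e]) => `${name} (${e.category}): ${e.purpose}`);
}
```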

Thus, in 2021, the National Commission for Data Protection of Luxembourg fined Amazon 746 million euros for the fact that the online seller did not obtain consent from its users before saving advertising cookies.

In the same year 2021, the French data regulator fined Google LLC 99 million euros and Facebook 60 million euros for using a complex mechanism to refuse the use of optional cookies.

However, we would like to note that the e-PD is soon to be replaced by the e-Privacy Regulation (e-PR), which will be more in line with the industry-wide technological changes that have taken place over the past few years. In particular, e-PR will allow users to refuse the use of cookies by managing their privacy settings. However, user consent will not be required for “non-privacy cookies”. E-PR will provide protection against any form of unwanted electronic messages, including spam.

Conclusion

GDPR compliance is important not only to avoid fines, but also to gain user trust and legal protection of the company’s interests.

In this article, we have mentioned only some of the main requirements of the GDPR regarding the processing and protection of personal data. However, the regulation is a complex and “living” document that is constantly interpreted in accordance with today’s challenges. In order for the processing of personal data of your users to comply with the requirements of the GDPR, it is worth taking into account all its requirements and constantly updating the processing rules in accordance with the trends of GDPR application.

Achieving full GDPR compliance can seem unrealistic and only make things more difficult. However, companies that comply with the Regulation receive a sufficient number of advantages.

First of all, applying the GDPR improves the company’s reputation and the trust of users. The constant stream of news about data leaks on the Internet encourages users to choose companies that can provide an adequate level of protection and processing of personal data.

Secondly, compliance with the GDPR helps minimize the collection of personal data and, as a result, reduces the costs of processing and protecting it.

And thirdly, achieving full compliance with the Regulation provides competitive advantages and expansion of cooperation opportunities. For example, third parties (Google Ads, Google Analytics, Meta, App Store, Google Play) check their customers and partners and their products for GDPR compliance before starting cooperation.

To make sure that your company falls under the scope of GDPR and meets its requirements, you should consult with a lawyer.
