GDPR Captures the World

In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it would be enforced. The GDPR was adopted in 2016 and has applied since May 25, 2018, and its reach extends well beyond the European Economic Area.

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Let’s look through the key points of the GDPR:

  • “Personal data” means any information relating to an identified or identifiable natural person (“data subject”);
  • GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a filing system;
  • GDPR applies to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or the monitoring of their behavior as far as their behavior takes place within the Union;
  • Personal data shall be processed: lawfully, fairy, and in transparent manner in relation to the data subject; in a manner that ensures appropriate security of the personal data;
  • Personal data shall be collected: for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed; accurate and, where necessary, kept up to date; kept no longer than is necessary for the purposes for which they are processed;
  • Processing must rest on the data subject’s consent or on another lawful basis listed in Article 6 of the GDPR;
  • Consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

It’s worth paying attention to the rights of the data subject. GDPR has greatly expanded this category. The following rights are provided for data subjects in the GDPR:

  • Right to be informed;
  • Right of access;
  • Right to rectification;
  • Right to erasure;
  • Right to restrict processing;
  • Right to data portability;
  • Right to object;
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her;
  • Right to a remedy.

As the GDPR already applies, most controllers and processors have taken steps to comply with it. However, a large number of companies outside the Union have still not completed their GDPR procedures and are wondering whether the GDPR applies to them at all. First, they have to determine their status under the GDPR as a “controller” and/or a “processor”. Under the GDPR, “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Secondly, they have to determine whether they process the personal data of data subjects who are in the Union. If both conditions are met, the following minimum measures must be taken:

  • Appointment of a Data Protection Officer, who will inform and advise the controller or processor and the employees who carry out processing of their obligations, monitor compliance with the GDPR and cooperate with the supervisory authority. Under Article 37 the appointment is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data; in other cases it is voluntary but advisable;
  • Drafting of consent wording which shows that consent is freely given and that the data subject (e.g. a client or an employee) is informed. The data subject must be told of the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it;
  • Implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • Development of an internal code of conduct reflecting the company’s data protection policy;
  • Development of the agreements to be signed between data controllers and data processors, and with third parties participating in the processing (outsourced service providers);
  • Staff training.

Companies regulated under the GDPR must act promptly, as the penalties are substantial: for the most serious infringements, administrative fines may reach 20 million EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of 10 million EUR or 2% applies to other infringements). To achieve compliance quickly, companies may outsource GDPR matters to third parties, or educate themselves through training programmes and by obtaining legal advice.

Irina Otrokhova

Chief Compliance Officer

Corporate Services

Korpus Prava (Cyprus)
