What is GDPR and how protection of private data relates to Ukrainian companies and individual entrepreneurs

It has been 4 months since the GDPR, the famous EU regulation on privacy protection, came into force. Inboxes overflowed with privacy policy updates and the Internet reacted loudly, Facebook barely survived the Cambridge Analytica scandal (and obviously not only because of the new regulation), and Ukrainian lawyers prepared for their clients' requests regarding this novelty.
This regulation, in fact, is not the first piece of EU legislation governing such rules. Prior to this, there was the Data Protection Directive, which was, as the name implies, only a directive. And whereas a directive is just a framework that serves only as a basis for EU member states to adopt their own laws, regulations are binding for member and other states, including Ukraine.
Stop, stop. The EU is always adopting various regulations, and the GDPR abbreviation sounds cool, but does it have an impact on Ukraine, and especially on companies that do business here?
The principle of extraterritoriality, or why it is important for Ukrainian companies
Typically, EU regulations and directives have little to do with Ukraine. Sometimes, we do harmonize our legislation with theirs. However, GDPR went a step further this time. One of the most interesting features of the regulation is that the scope of its action can extend to companies that are not registered in the EU.
For example, a Ukrainian company decides to create a certain internet service. When registering users, such a service collects the usual data – name, last name, email, etc. – of users who are in the EU. The company has thus already become a data controller and, accordingly, is subject to the rules of GDPR, as it handles the private data of persons located in the EU. Or the processing of such data is outsourced to a Ukrainian individual entrepreneur (also known as “FOP”) – in that case, the rules will apply to the entrepreneur as a data processor. And – what is important – the data does not have to belong to EU citizens only; it is enough that such persons are within the EU's territorial limits.
In general, GDPR identifies several instances where such a controller or processor ought to comply with this regulation.
Controller and processor – what are these new words?
In fact, they are not so new. Even Ukrainian legislation has had these concepts for quite some time. In addition, there is the subject of personal data.
Imagine a situation where a company registered in Ukraine develops a cool mobile tracking application for sports training. The potential users give the company some of their data at registration, agree with the privacy policy and do all the usual steps. But since the company has to process a lot of data, it hires a few individual entrepreneurs to outsource such activities.
In this case, the potential user will be the subject of the data, that is, the person whose data is processed. The company developing the mobile application is the data controller. Such a company defines “the purpose and means of processing personal data”, that is, why the data of different subjects is collected in the first place and how it will be used in the future. Individual entrepreneurs hired for outsourcing will be the processors of data. The main task of the processor is to process the data that is provided by the controller, and only as specified by the controller.
Usually, both the controller and processor must adhere to the principles and rules of the Regulation. But it happens that the company processes certain “sensitive” data, and then they need a representative in the EU. And sometimes they need a data protection officer (DPO). But why, if the company is law-abiding?
Who are a Data Protection Officer and a representative in the EU?
First of all, these individuals are needed to ensure compliance with the GDPR, that is, to ensure that companies apply the rules of this Regulation correctly. The main difference between an officer and a representative is that the former is a part of the company, whereas the latter is an external contact person, so to speak.
A DPO may be a person with expertise in private data protection. And what’s more, such a person does not necessarily have to be a part of the company’s staff – it is enough to engage them, for example, with a service contract. Such an officer, as a rule, should be appointed when the company processes regularly and systematically a large amount of private data, or “sensitive” data such as nationality, medical records, etc.
The appointment of a representative takes place only when the company is not registered in the EU, which is also an important distinction between the two. It is also important to note that a representative need not be appointed if the company does not handle a large array of “sensitive” data.
So, while the duties of an officer are mostly proactive, aimed at preventing and eliminating GDPR violations, the representative is merely the contact person of the company in the EU “just in case”.
And finally
Compliance with GDPR may not look so complicated if you dig into it and sort it out. Together with our law firm, you will certainly learn a lot more about GDPR and how it should be applied in practice. Our lawyers will answer all your questions, convenient and not-so-convenient, and help resolve any difficulties.

You may like
A new law on virtual assets: the picture is formed, but without details
On September 8, 2021, the Verkhovna Rada finally adopted the long-awaited law "On Virtual Assets", which clarified many ambiguous points. This is especially true for the status of cryptocurrency and the rules of its circulation in the country. Let's take a closer look at the novelties.
An ambiguous term
Let's start with what the legislator actually means by "virtual assets". They have the following features:
- they are an intangible good (cannot be represented on tangible media);
- they fall under the list of objects of civil rights (that is, they can be owned and disposed of);
- they represent an electronic form of a set of data (essentially, they are blocks of information put in order);
- their existence and circulation are due to software tools (a specific electronic environment).
From these features we can draw the following conclusion: virtual assets are not limited to cryptocurrency. Digital currency is part of the concept, but other instruments, such as tokens, NFTs, or even in-game items, fall under the definition. In fact, most digital products that have a certain value exist only thanks to a software environment (ecosystem), whether it is blockchain technology, a trading platform, or an online game server.
It should be noted that an attempt to define virtual assets was already made in the adopted Law of Ukraine on counteracting money laundering. That act understands them as digital means of payment, which goes against the new definition. As a result, there are now two different explanations of virtual assets, which causes significant confusion not only in regulation but also in interpretation. Clarifications from the competent state bodies are definitely to be expected.
Let's return to the new law. Its application covers legal relations in which the "Ukrainian element" is present:
- the provider or recipient of services is represented in Ukraine;
- the agreement under which the turnover of virtual assets is carried out is governed by Ukrainian legislation;
- the acquirer of assets (or both counterparties) is a resident (are residents) of Ukraine.
The law also introduces an interesting division of all virtual assets into two groups: secured and unsecured. Here again, there is a problem of interpretation. The first category includes products exchanged for (state) currency, the second category includes instruments that can be exchanged only for other digital assets. There is an alternative opinion: that the turnover of secured assets is supported by real goods (money or other property), while unsecured ones are not supported by anything. The latter interpretation is the most credible, as the new law stipulates that virtual assets are NOT means of payment. Moreover, they cannot be exchanged for real goods, be they property, services or money. This significantly narrows the potential for the use of virtual assets not only for commercial but also for civilian purposes.
About obligatory licensing
The new law states that in some cases, the use of virtual assets will require licensing. 4 types of activity are mentioned:
- storage and management of virtual assets (or their keys);
- servicing of exchange operations with virtual assets (both for other analogues and for real goods);
- transfer of digital assets;
- any intermediary services.
The list is quite impressive, but there are some important exclusions:
- if your service works with a cryptocurrency wallet (meaning users can dispose of their cryptocurrency savings independently);
- if your service works on smart contracts or a decentralized protocol, based on which internal transfers are performed.
As to intermediary services, everything is more complicated. Actually, any mediation is based on the public share offering. That is why it is subject to licensing.
How to get a license?
A company that wishes to deal in virtual assets on legal grounds must satisfy legislative requirements. The key role is played by the minimum amount of the statutory capital, which equals 1,19 million hryvnyas (for non-residents it is 5,95 million hryvnyas) in the case of storage and administration. For other types of activity (trading, transfer and mediation services) the minimum size of the statutory capital amounts to 595 thousand hryvnyas (for non-residents it is 2,98 million hryvnyas).
The procedure for obtaining a license:
- compose an application and prepare the documents;
- pay the state fee (68-136 thousand hryvnyas for residents and 340-680 thousand hryvnyas for non-residents);
- wait for the application to be reviewed (30 days);
- get the license.
The duration of the license is 1 year. No rules on extending the validity of the permit are set (we are expecting amendments or explanations from the Ministry of Digital transformation of Ukraine). Notably, non-residents must pay a far greater sum than domestic companies. The Ukrainian legislator obviously encourages the internal market, getting rid of a strong foreign presence (which, in fact, coincides with the current policy of the state as a whole).
Together with the application, the following documents must be prepared:
- the access code to the copy of the Statute of the company (or the foundation agreement) kept in an electronic file in the database of the Unified State Register of Enterprises and Organizations (USREO);
- the funding sources of the statutory capital (where the money is taken from);
- confirmation of the actual injection of money;
- information about beneficiaries (special attention must be paid to business reputation);
- information about the director and founders;
- the receipt for payment of the state fee;
- the internal regulations that govern the privacy policy rules.
In terms of the volume of necessary documentation, licensing is very similar to the complete registration of a legal entity. It is understood that the state wants strict regulation of the activity of organizations that will deal in virtual assets.
Is it already possible to get a license?
The adoption of the law by the parliament is a significant step forward in regulating and creating a legal market of virtual assets in Ukraine. However, the new rules haven't come into effect yet - the date of their introduction depends on amendments being made to the Internal Revenue Code. It is not yet known when the legislator will decide to introduce the renewed system of taxation for such assets. Since the country is an "IT hub" and a territory where cryptocurrency enjoys large popularity, the question of taxes must be decided as safely as possible.
Despite the presence of obvious gaps in interpretation, the new law on virtual assets gives the official narrative of what is taking place and of how the legal relationships related to cryptocurrency will be regulated. It is to be hoped that in the near future the Ministry of digital information will give detailed explanations concerning the debatable norms.
