
What should a company that deals with the personal data of EU citizens pay attention to

Any company in the Belarusian IT sector that processes the personal data of citizens of the European Union (EU) must follow the General Data Protection Regulation (GDPR). Understanding and complying with the GDPR principles is required to maintain legal and ethical standards in data management, avoid fines and stay within the law.

What rules should be followed when processing personal data of EU citizens

The General Data Protection Regulation (GDPR) sets the rules for collecting and storing the personal data of EU citizens. The GDPR is mandatory for all companies, both inside and outside the European Union, that process the personal data of EU citizens. It has been in effect since May 2018.

What applies to the processing of personal data of EU citizens

Under the GDPR, the processing of EU citizens’ personal data covers any operation performed on personal data: collection, recording, structuring, storage, processing, use, transfer, destruction and any other operation on personal data.

Under the GDPR, all identifiers that can be used to identify an individual online count as personal data, including IP addresses and cookies.

Companies that deal with the personal data of EU citizens need to build their business processes in accordance with the GDPR.

Which companies need to apply the General Data Protection Regulation

It does not matter where a company that processes the personal data of EU citizens is located. GDPR requirements must be met by companies that:

  • Are located inside or outside the territory of the European Union but carry out activities aimed at the territory of the European Union.
  • Cooperate with partners from the European Union and receive users’ personal data from them.
  • Collect and analyze information from the territory of the European Union and provide goods and services to its residents.
  • Process personal data on behalf of an operator that is subject to the requirements of the General Data Protection Regulation.

What personal data of EU citizens is prohibited from processing

Special categories of personal data of EU citizens, namely data on ethnic or racial origin, political or religious views, genetic and biometric data, and health-related data, cannot be processed. Only the individual, the EU citizen concerned, can make such data available.

Grounds for processing personal data of EU citizens

There are two types of grounds for processing the personal data of EU citizens: the consent of the citizen, and the grounds on which the GDPR does not require consent.

The consent of EU citizens to the processing of personal data is not required when personal data is used only to conclude a contract with an individual.

In other cases, the consent of the EU citizen must be obtained for each operation involving personal data. Before consent is obtained, the individual must be given the opportunity to read information about the company and the purposes of processing their personal data.

On a website, consent can be expressed, for example, by:

  • Ticking a box in a specific form on the website.
  • Selecting technical settings on the site.

Who controls the correctness of GDPR application in the company

To monitor the correctness of GDPR application, the data owner (this may be the software customer) appoints a Data Protection Officer (DPO), also called a personal data protection inspector. This specialist handles requests from individuals and from regulatory authorities.

Following the Belarusian requirements for personal data protection, every company that deals with individuals must have specialists in processing personal data.

There is no such strict requirement regarding the personal data of EU citizens. The DPO can be an outsourced specialist or an employee of the company.

DPOs are appointed or hired by organizations that:

  • Process the personal data of a large number of EU citizens.
  • Process large amounts of special categories of personal data.

What are the functions of the DPO

The DPO organizes an internal control system for the processing of personal data. The specifics of the company determine the functions of the DPO. Most often, the DPO:

  • Advises company employees who process personal data on the application of the GDPR.
  • Monitors the handling of individuals’ requests and compliance with the procedure defined by the GDPR.
  • Audits the processing of personal data and develops regulations and policies for processing it in accordance with the GDPR.
  • Assesses the risks of personal data leakage.
  • Cooperates with the supervisory authority.

A customer from the European Union may insist on an audit of GDPR compliance in personal data processing, with a DPO involved. In any case, a company that processes the personal data of EU citizens will find it helpful to get advice from a DPO.

Who are the controller and processor

GDPR uses concepts such as “controller” and “processor”. These concepts correspond to the concepts of the operator and the authorized person in the Belarusian legislation on personal data.

The responsibilities of the controllers include:

  • Ensuring that the personal data processing procedure complies with the principles of lawfulness, fairness, and transparency.
  • Enabling citizens to exercise their rights related to the processing of their personal data.
  • Information protection.
  • Hiring processors and signing contracts with them.
  • Informing the supervisory authority about violations in the processing of personal data within 72 hours.
  • Compliance with the procedure for the international transfer of personal data.
  • Interaction with the authorities controlling the processing of personal data in the EU states.

What should an individual be informed about

When the controller has obtained personal data from a source other than the individual concerned (the data subject), the GDPR requires the controller to inform the individual:

  1. About the controller’s own details and those of its representative.
  2. About DPO contacts.
  3. About the purposes of processing personal data and the grounds for processing.
  4. About the types of personal data and recipients of personal data.

The responsibilities of processors include:

  1. Executing the controller’s instructions without violating the legal requirements for the confidentiality of information.
  2. Information protection.
  3. Transmitting information to controllers and regulators about information security incidents.
  4. Engaging subprocessors at the direction of the controller and interacting with them.

What is the “right to be forgotten”

The GDPR, like Belarusian legislation, grants individuals the right to request that the controller delete personal data relating to them. Deletion requires one of the following grounds:

  • The personal data are no longer needed for the purposes for which they were collected.
  • The individual has withdrawn consent to the processing of the personal data.
  • The individual objects to the processing of the personal data.
  • The personal data were processed unlawfully.
  • Deletion of the personal data is required by law.

How to act in case of an incident

Incidents include leaks of personal data. A leak must be reported to the supervisory authority of the EU state of which the affected individuals are citizens. In the case of a large-scale leak of personal data, information about it is disseminated in the media.

What is a regulatory body

Regulatory authorities in the field of personal data include government agencies, for example, courts, in each EU state.

The regulator can:

  • Check the procedure for processing personal data.
  • Issue warnings and regulations on compliance with GDPR.
  • Determine the conditions for the cross-border transfer of personal data.
  • Prohibit the processing of personal data and impose fines for violations of the GDPR.

The European Union’s supervisory authority is the European Council for the Protection of Personal Data.

What measures can the regulator take for GDPR violations in the processing of personal data

For violations of privacy obligations and of the obligations of controllers and processors, a fine of up to 2% of the previous year’s financial turnover or up to 10 million euros is applied.

For violations of the principles of personal data processing, of the rights of data subjects, or of the procedure for transferring personal data, and for the absence of a DPO, a fine of up to 4% of the previous year’s financial turnover or up to 20 million euros is applied.

It is possible to file a lawsuit in court.

How we can be useful in building business processes in accordance with GDPR and processing the personal data of EU citizens

We can:

  • Advise you on whether the company’s personal data processing procedure complies with the GDPR.
  • Audit the processing of personal data for compliance with the GDPR and make recommendations.
  • Provide outsourced DPO services.
  • Represent your interests in negotiations with customers on compliance with GDPR processes.
  • Develop documents on the protection of personal data in accordance with the GDPR.

Contact us

If you have any questions about meeting GDPR requirements, we will be happy to help you! Our many years of experience will help you resolve any disputes.
Phone and e-mail communication options are available for your convenience:

  • +375293664477 (WhatsApp/Telegram/Viber);
  • info@ambylegal.by.