GDPR. Do I need to perform it in Russia?

What is GDPR?


On May 25, 2018, the General Data Protection Regulation of the European Union (GDPR; hereinafter the GDPR or the Regulation) entered into force. Many believe that the GDPR applies only to European organizations or to companies that process personal data (PD) in the territory of the European Union. In reality, the Regulation is extraterritorial and also applies to organizations that are not located in the European Union.

The Regulation, like Federal Law of the Russian Federation No. 152-FZ "On Personal Data", uses the concepts and approaches formulated in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The main focus of the Regulation is the protection of the rights and freedoms of individuals when their personal data are processed.

Russian organizations falling under the GDPR are caught "between two fires": they must comply with both Russian legislation and the new European Regulation. In this article we try to explain who in Russia needs to fulfill the requirements of the GDPR, why, and what the consequences of non-compliance may be.

To whom does the GDPR apply?


According to Article 3 of the Regulation, the GDPR applies to:

1. PD processing in the context of the activities of an operator (the controller, in GDPR terms) or a processor (a person the operator has entrusted with PD processing) established in the European Union (EU), regardless of whether the processing itself takes place in the EU or elsewhere.

2. PD processing by an operator or processor not established in the EU, where the processing relates to:

a. offering goods or services (paid or free of charge) to PD subjects located in the EU;

b. monitoring the actions (behavior, activity) of PD subjects located in the EU.

3. PD processing by an operator not established in the EU but in a place where the law of a Member State applies by virtue of public international law.

Operators falling under point 1 (those established in the EU) and point 3 (diplomatic missions and consulates of EU Member States) are more or less clear; point 2, however, raises many questions, since it is this point that determines the applicability of the GDPR to Russian companies.

To answer these questions, it is worth looking beyond the main text of the Regulation to its preamble, which explains what the legislator had in mind when establishing the norms set out in the GDPR. In particular, recital 23 of the preamble describes how to determine whether an operator (or processor) offers goods or services to persons located in the EU. Factors indicating that an activity is directed at the EU include using the language or currency of an EU Member State when offering and selling goods or services, and mentioning customers or users located in the EU. Recital 24 states that monitoring the actions of a PD subject means tracking users on the Internet, including the possible subsequent creation of profiles of individuals, in particular for the purpose of analyzing or predicting their preferences, behavior, and so on.

In addition, Article 2 of the GDPR states that the Regulation does not apply to activities that fall outside the scope of EU law.

From the above, we can derive the following criteria for the direct applicability of the GDPR to a Russian organization:

  1. The organization is located in the EU (it is a branch or representative office of a Russian company).
  2. The organization is not located in the EU but physically operates in the EU, and this activity includes PD processing (for example, a transport company delivering goods from Russia to individuals in the EU).
  3. The organization systematically offers products with delivery to the EU and with the possibility of payment in euros (or Polish zloty, SEK, etc.).
  4. The organization offers services to individuals in one of the official languages of the EU and has a website in that language; the services can be paid for in the currency of an EU country, or no payment is required.
  5. The organization collects and analyzes information about website visitors from the EU and uses the results of the analysis itself or sells (transfers) them to other persons.

For organizations falling under criteria 2 to 5, the GDPR applies only to the extent that PD of persons in the EU are processed. For example, PD processing for personnel records does not fall under the GDPR if all of the organization's employees work in Russia, whereas the business processes named in the criteria do.
Organizations that process PD on behalf of an operator subject to the GDPR fall within the scope of the GDPR to an extent that depends on what part of the processing has been entrusted to them. If an organization performs part of the processing itself (for example, collecting PD, analyzing PD, etc.), it falls under the GDPR. If an organization provides only hosting services (data centers), only those GDPR requirements that the operator passes on to it apply to it directly.

We also want to note that the following cases, which often appear in materials about the GDPR, are not criteria for the applicability of the Regulation:

  1. The citizenship of PD subjects does not affect the applicability of the GDPR (for example, having employees who are citizens of EU countries does not mean that the organization falls under the GDPR).
  2. The availability of an organization's website in the EU does not automatically mean that the GDPR applies. If the organization does not perform profiling, and the statistics it collects are not tied to specific users, its activity should not fall under the GDPR.
  3. If the service is provided outside the EU (for example, a hotel room located in Russia is booked remotely from EU territory), the organization should not be subject to the GDPR, since its activity is not carried out in the EU and is not subject to EU law.

If you still have doubts about whether the Regulation applies to your organization, you can contact ZAO NPC Informzaschita, and we will help you determine which GDPR requirements your organization needs to observe and how.

Monitoring compliance with the GDPR in Russia and the consequences of non-compliance


To protect the rights of PD subjects, each EU country has established state bodies for that purpose (in the text of the Regulation they are called Supervisory Authorities; in general practice such bodies are known as Data Protection Authorities, DPAs). Among other things, a DPA is granted the following powers under Part 1, Article 58 of the GDPR:


Specific supervisory procedures are established by each EU country independently. If a DPA identifies violations of the provisions of the Regulation, it may, among other things, according to Part 55, Article 58 of the GDPR:


The Regulation requires organizations located outside the EU to designate a representative in the EU, through which the DPA will interact with the organization, but emphasizes that responsibility for PD processing lies not with the representative but with the organization itself.

The GDPR does not describe the procedure for monitoring compliance with the Regulation by organizations located outside the EU that have not appointed a representative, nor how organizations located outside the EU will be held liable for violations of PD processing rules.

We conducted a series of interviews with DPAs in EU countries on monitoring GDPR compliance by organizations outside the EU. The answers varied, but in general there was no clarity. One DPA representative noted that such cases would be handled in cooperation with the DPA of the country where the operator or processor is located. The current geopolitical situation and the position of the head of Roskomnadzor, A. Zharov, on the need for Russian organizations to comply with the GDPR raise some doubts that such attempts by EU DPAs to cooperate with Roskomnadzor will be productive.

I would like to draw your attention to the fact that the multimillion fines indicated in the GDPR, which operators fear most, are an upper limit. The GDPR says that the fines (and other sanctions) imposed must be proportionate to the violation, effective, and a deterrent against repeated violations. The specific size of a fine will be determined individually, taking into account a large number of factors. A multimillion fine may be imposed on an organization if it knowingly and maliciously violated the rights of the subjects, carefully concealed this, and obtained high profits from such PD processing.

The most likely (though not the only) significant consequence of non-compliance with the GDPR for Russian organizations that have no representative offices or subsidiaries in the EU (and no designated representative for PD processing) is not a fine but the blocking of the organization's website in the EU or in individual EU Member States. Although the possibility of blocking a website is not stated directly in the GDPR, it appears to be a natural way to limit PD processing in order to prevent repeated violations, especially if there are no other means of influencing the operator.

Why should Russian organizations comply with the GDPR?


Implementing the GDPR has other advantages for organizations besides the obvious one of avoiding possible sanctions by EU DPAs.

First of all, it raises the overall level of information security and data management in the organization. Often, in the process of achieving compliance with PD protection requirements, an organization for the first time creates a register of its business processes, understands its data flows, draws up a network diagram, and documents its existing information protection system. These steps become the foundation for protecting not only personal data but also other types of confidential information, as well as for optimizing business processes.

If an organization processes PD transferred to it by a counterparty that falls under the GDPR, the counterparty will require it to comply with the GDPR requirements imposed on PD processors. Compliance with the GDPR allows a service provider to expand its available market for services in the EU, as well as to provide services to those Russian organizations that fall under the GDPR.

A requirement for mandatory GDPR compliance can also come from a parent company, if the GDPR applies to the organizations of the group of companies with which the Russian organization exchanges PD. In this case it is advisable, first, to clarify whether PD of persons in the EU are actually processed, and second, if they are, to extend the requirements of the Regulation only to those processes in which such PD are processed, rather than to the organization as a whole.

The GDPR requires respecting the numerous rights of PD subjects and ensuring that PD processing is transparent to them. Compared with the Federal Law "On Personal Data", the GDPR specifies in more detail how to inform PD subjects about the processing of their PD and how they can exercise their rights regarding that processing. Reflecting these aspects of PD processing in the PD processing policy, as well as in the information provided when PD are collected, increases the transparency of the organization's activities and builds greater trust among all PD subjects.

Summary


If your organization is located in Russia, this does not mean that the GDPR does not apply to it. You can check whether the Regulation applies to your organization using the criteria above.

The Regulation has only just come into force, and according to Symantec, 80% of organizations in the EU do not meet the requirements of the GDPR. How the EU can apply sanctions to a Russian organization for violations of the GDPR is not clear, but the Regulation should nevertheless be taken seriously.

In conclusion, we would like to note that, with high probability, in the near future Russian legislation on PD processing will, for consistency with European legislation, contain wording similar to the requirements of the GDPR.

Author: Alisa Gorinova, Senior Consultant, Consulting and Audit Department, Informzaschita Company. If you have any questions, we are ready to talk with you. We are waiting for your letters to the address a.gorinova@infosec.ru.

Source: https://habr.com/ru/post/412729/
