The new law on the protection of personal data

On May 25, a new European regulation concerning the protection of personal data came into effect; on the Internet it is most often referred to by its abbreviation, GDPR (General Data Protection Regulation). The purpose of the GDPR is to ensure that companies collect and store personal information in a way that maximizes the protection of individuals' privacy.

In practice, there may be certain inaccuracies in its application, but judicial practice is gradually providing a complete interpretation of all its provisions. The constant scandals and lawsuits involving Facebook have long called for such a law, so it will continue to develop, and this is only the beginning.

What is personal data?

According to the regulation, personal data is any information about a person that helps to identify him: a name, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (paragraph 1 of Article 4). The definition is broad and makes it quite clear that even IP addresses can be personal data.

Rights of EU residents according to the new regulation:

The GDPR clearly establishes the rights of EU residents to fully protect their personal data, namely:

  • the right to information about processing;
  • the right to know the categories of personal data processed;
  • the right to know what personal data will be known to third parties;
  • the right to access data;
  • the right to correct data;
  • the right to delete data;
  • the right to restriction of processing;
  • the right to transfer data;
  • the right to object;
  • rights regarding automated decision-making, including profiling;
  • the right to know about data leaks;
  • the right to erasure (the right to be forgotten): the ability to have your personal data deleted upon request to prevent its distribution or transfer to third parties.

Never send advertising or letters to someone who has exercised the right to be forgotten. Companies try to win back old customers in this way, but it is against the rules of the new law.

We can see that a person is given full control over his personal data: he can always find out exactly how and where it is used.

Features of the GDPR:

You should pay particular attention to children's personal data. Children deserve special protection because they are less informed about the risks, the possible consequences and their rights regarding the processing of personal data. Consent to the processing of a child's data must be authorized by the parents (or the child's legal representatives). The age threshold for parental authorization is set by each EU member state separately (from 13 to 16 years).

It is important to note that certain types of personal data fall under the category of special or confidential personal data. This is information that reveals racial or ethnic origin, political views, religious or philosophical beliefs, and trade union membership. In addition, this group includes genetic data, biometric data used to identify a natural person, data on health, and information related to sex life or sexual orientation (Article 9). This information is protected in a special way: no one has the right to demand the disclosure of such information from an EU resident!

Who will the law apply to?

The law applies not only to European companies, but to any company that processes the personal data of an EU resident. Roughly speaking, it is a law with a very wide scope. If your company holds the personal data of at least one EU resident, then it falls under the scope of this law. The personal data of EU residents temporarily living in other countries is also protected by this law, so given how widely EU residents are spread around the world, it is safe to say that this regulation applies to most companies in the world that work with people.

How the law affected companies and websites:

The first consequence of the implementation of this law is that companies will change their attitude not only to the personal data of EU residents, but also to everyone else's, because anyone, for example a Ukrainian citizen, may hold EU citizenship in addition to Ukrainian citizenship without anyone knowing about it. Since the fines are quite high, no company will take such a risk and deviate from the law and the principles of personal data processing prescribed in it.

As for fines, they are imposed for non-compliance with the requirements of the law. The amount of the fine is from ten to twenty million EUR or 2-4% of the company's annual turnover. The fines are currently large enough to scare any company, but are all states really ready to implement this law, and will anyone be held accountable under it? If we are not talking about EU residents, then the answer will most likely be negative, because it will be difficult for the EU to control these issues outside its jurisdiction.

The second consequence is the emergence of a new profession: the DPO (Data Protection Officer). Personal data protection is a young profession that received a significant push for development thanks to the entry into force of the new European GDPR regulation. This profession is established by Articles 37, 38 and 39 of the regulation.

The next consequence is that normal cooperation between the EU and companies elsewhere in the world will be possible only on the condition that they fully comply with the principles of this regulation, which is difficult to imagine without the integration of the DPO profession, at least in the consulting services sector.

The fourth consequence, or rather simply the result, will be that a greater percentage of people will begin to read the text they sign. According to this law, services are obliged to indicate exactly how and for what purpose they are going to use this information, and they have no right to deviate from what is specified in the contract without the written consent of the EU resident.

The fifth, quite possible, consequence will be the implementation of such a law not only at the level of the EU, but also at the level of other international organizations, because each organization seeks to protect its members.

The sixth consequence will be the massive development of the field of personal data protection, because the EU, by implementing such a regulation, gave all other countries a strong impetus to develop their national legislation.

The last effect, which will be noticeable to people who simply buy things in online stores, will be a decrease in spam. An e-mail address is also personal information, as it indirectly identifies a person. On this basis, the person has the right to request its removal or correction.

What do we get at the end?

The GDPR is the most important legal document that significantly increases the level of personal data protection in the EU and beyond. This law applies not only to companies within the EU, but to most companies in the world. It will give a massive impetus to the development of this field of law at the international and national levels. The law is constantly developing through judicial practice and the implementation of new norms, so it should not be neglected. The final impact of the GDPR will depend on how actively users exercise their new rights. The trend toward preserving privacy is spreading, so it is possible that this law will be expanded very soon.

You can get acquainted with the law directly at the link: https://gdpr-info.eu

Official website of the EU: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

Date of publication: 08.01.2019
