With the rapid development of online business, including in Ukraine, effective legal regulation of personal data protection is necessary, both by preventive means and by compensation of damage for violations. The issue is particularly relevant for companies that have access to the personal data of EU citizens and employ more than 250 people (in most cases stipulated by Art. 30.5 GDPR, small and medium-sized enterprises are not required to keep records of processing).
The main conditions for the collection, storage and distribution of personal data, and liability for violations of personal data protection, are laid down in the Law of Ukraine “On the protection of personal data” of 01.06.2010, No. 2297-VI (Law No. 2297-VI). Liability for violations of personal data protection is also established by Art. 182 of the Criminal Code of Ukraine and Art. 188-39 of the Code of Administrative Offenses of Ukraine.
On April 26, 2017, the European Court of Human Rights ruled in the plaintiff’s favor in a case concerning the protection of his personal data, awarding EUR 6,000 for non-pecuniary damage and referring, inter alia, to the Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. More details can be found here.
Paragraph 11 of the Resolution of the Cabinet of Ministers of Ukraine of October 25, 2017, No. 1106 “On the implementation of the Association Agreement” provides for the “improvement of the legislation on the protection of personal data in order to bring it in line with Regulation (EC) 2016/679 (GDPR)” by May 25, 2018.
GDPR provides for two categories of administrative fines: up to EUR 10 million or 2% of the company’s combined annual turnover for the previous fiscal year; and up to EUR 20 million or 4% of the company’s combined annual turnover for the previous fiscal year. The final amount of a fine is very difficult to foresee, since it depends on a number of factors: the actions taken by the violator to remedy the negative consequences; the degree of the offender’s cooperation with the supervisory authority; the categories of personal data concerned; and the way in which the regulator became aware of the offense, in particular whether the offender reported it himself.
Notably, there are still no precedents for imposing fines on companies that are not EU residents. For example, whether fines can be imposed on US-resident companies without a representative office in an EU member state remains a fairly critical question. For Ukraine the question is the same: how can a fine for violating GDPR norms be imposed on a company resident in Ukraine that has no permanent representation in the EU?
Based on the GDPR, many companies draw up a Privacy Policy, a User Agreement or Terms of Use, and a KYC Policy, disclosing on their websites information such as: how personal data is stored and processed; the purposes for which it is used; to what extent and under what conditions it may be transferred to third parties; the company’s risks and liability; the means used to protect personal data; and the user’s right to be forgotten and right to erasure. For example, the information that must be included in a Privacy Policy can be found here.
It is worth paying attention to a concept that is new to Ukrainian legislation on personal data protection: “cookies”, small text files stored on your computer when you visit a website. They are usually used to maintain authenticated sessions or to customize a personalized interface (font size, color scheme, site language, etc.), to save your preferences and generally to make your stay on the site more comfortable. Cookies are of several types depending on their lifetime (temporary or session cookies are automatically destroyed when the site is closed; persistent cookies are kept until a specified expiry time, or until the user deliberately deletes them) and on whether they belong to a specific domain or a group of domains (i.e. a top-level domain). Now even the website of the Verkhovna Rada of Ukraine contains a Policy on the use of cookies.
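The session/persistent and host-only/domain-wide distinctions above are what a cookie policy has to disclose. As an added example (not code from the original article), the following classifies Set-Cookie headers by lifetime and domain scope using the RFC 6265 attribute rules; the header values are constructed samples, not captured from any real site.

```python
"""Classify Set-Cookie headers by lifetime and domain scope (added example,
not from the original article; all header values below are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieInfo:
    name: str
    lifetime: str   # "session", "persistent" or "expired"
    scope: str      # "host-only" (no Domain attribute) or "domain-wide"
    secure: bool
    http_only: bool


def classify_set_cookie(header, now=None):
    """Classify one Set-Cookie header value following RFC 6265 attribute rules."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:                    # attributes are case-insensitive
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = "session"                      # no Max-Age/Expires: dies with the browser session
    if "max-age" in attrs:                    # Max-Age takes precedence over Expires
        lifetime = "persistent" if int(attrs["max-age"]) > 0 else "expired"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = "persistent" if expires > now else "expired"
    scope = "domain-wide" if attrs.get("domain") else "host-only"
    return CookieInfo(name, lifetime, scope, "secure" in attrs, "httponly" in attrs)


# Constructed sample headers, as a cookie policy audit would collect them.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "lang=uk; Max-Age=31536000; Domain=.example.com; Path=/",
    "promo=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
    "tracker=; Max-Age=0; Path=/",
]


def cookies_to_disclose(headers, now=None):
    """Names of cookies that outlive the session and so need a stated retention period."""
    return [c.name for c in (classify_set_cookie(h, now) for h in headers)
            if c.lifetime == "persistent"]
```

Running `cookies_to_disclose(SAMPLE_HEADERS)` on the samples returns only `lang`: the session cookie, the already-expired cookie and the deletion (`Max-Age=0`) do not persist.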
In Ukraine, the Decree of the Chamber of Civil Cases of the Supreme Court of Ukraine of September 27, 2017, No. 6-1435цс17 remains significant. There the claimant applied to the court for the protection of his personal data and compensation for moral damage, and the court reached the following conclusions:
- the mere fact of unlawful dissemination of personal data may confirm the infliction of moral damage if the defendant’s unlawful actions caused the plaintiff mental suffering. In this case, the assessment of moral damage was based on the number of views of the video/audio file, placed in free Internet access, which contained the plaintiff’s personal data.
- in tort, the burden of rebutting the presumption of the defendant’s guilt lies on the defendant. Thus, if that presumption is not disproved in court, the defendant’s guilt is established.
- an aggravating circumstance is that the defendant took no action to mitigate the plaintiff’s moral damage by removing the video/audio file from free Internet access.
To date, the amount of moral damage has not been established, since the case is pending in the Kiev-Svyatoshinsky district court of the Kiev region.
As judicial practice develops over time, it will become clear how realistic the application of GDPR fines to companies resident in Ukraine is.