With the rapid development of business on the Internet, including in Ukraine, there is a need for genuine legal regulation of personal data protection through preventive measures and compensation for damage caused by its violation. This issue is particularly relevant for companies that have access to the personal data of EU citizens and have more than 250 employees (small and medium-sized enterprises are not required to keep records of data in most cases stipulated by Art. 30.5 GDPR).
The main conditions for the collection, storage and distribution of personal data, and the liability for violations concerning personal data, are set out in the Law of Ukraine “On the protection of personal data” of 01.06.2010, No. 2297-VI (Law No. 2297-VI). Liability for such violations is also provided for in Art. 182 of the Criminal Code of Ukraine and in Art. 188-39 of the Code of Administrative Offenses of Ukraine.
On April 26, 2017, the European Court of Human Rights ruled in the plaintiff’s favor for the protection of his personal data, awarding EUR 6,000 for non-pecuniary damage and referring, inter alia, to the Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals in connection with the automated processing of personal data.
The Resolution of the Cabinet of Ministers of Ukraine dated October 25, 2017, No. 1106 “On the implementation of the Association Agreement” provides, in p. 11, for “improvement of the legislation on the protection of personal data in order to bring it in line with Regulation (EC) 2016/679 (GDPR) until May 25, 2018”.
GDPR provides for two categories of administrative fines: up to 10 million euros or 2% of the company’s combined annual turnover for the previous fiscal year; and up to 20 million euros or up to 4% of the company’s combined annual turnover for the previous fiscal year. It is very difficult to foresee the final amount of an administrative fine, since its size depends on various factors, such as the actions taken by the violator to correct negative consequences; the degree of the offender’s cooperation with the supervisory authority; the categories of personal data involved; and the way in which the regulator became aware of the offenses, in particular whether the offender reported them himself.
Interestingly, there are still no precedents for the imposition of penalties on companies that are not resident in the EU. For example, the possibility of imposing fines on US resident companies that have no representation in EU member states is viewed rather critically. For Ukraine, the question remains: how is it possible to impose a fine for violation of GDPR norms on a company resident in Ukraine that has no permanent representation on EU territory?
In Ukraine, the Decree of the Chamber of Civil Cases of the Supreme Court of Ukraine of September 27, 2017 No. 6-1435цс17 remains significant. In that case the claimant appealed to the court for the protection of his personal data and compensation for moral damage. Its conclusions are as follows:
- the mere fact of illegally disseminating personal data may confirm that moral damage was caused, if the defendant’s unlawful actions caused the plaintiff mental suffering. In this case, the assessment of moral damage is based on the number of views of the video/audio file containing the plaintiff’s personal data, which was made freely accessible on the Internet.
- in tort, the obligation to rebut the presumption of the defendant’s guilt lies on the latter. Thus, if this presumption is not disproved in court, the defendant’s guilt is established.
- an aggravating circumstance is that the defendant took no action to eliminate the plaintiff’s moral damage by removing the video/audio file from free Internet access.
The amount of moral damage has not yet been established, since this case is pending in the Kiev-Svyatoshinsky district court of the Kiev region.
As judicial practice forms over time, it will become clear how realistic the application of GDPR fines to companies resident in Ukraine is.