The GDPR is a Europe-wide regulation on personal data protection, mandatory for all companies.
Failure to comply with the GDPR can result in fines starting at several thousand euros, commercial restrictions imposed by partners that are already GDPR-compliant, lawsuits from customers claiming moral damages, and the risk of being reported by competitors.
With the advent and development of technology, people have become more generous with personal data, because in return they receive convenience and comfort. We are so used to it that we can't imagine our world any other way. However, does this mean that life is safer now? Not at all. All this information may well be used against us. And we, the data subjects, have lost control over it in the new digital reality.
The Europeans have taken this issue up seriously. As a result, on April 27, 2016, the General Data Protection Regulation was adopted. The new law began to apply only two years later (May 25, 2018), so that businesses would have time to prepare for it. The GDPR rules added to the previous privacy protection standards in Europe, which were almost two decades old. And of course, this raised a lot of questions for business: What should we do? Whom should we contact? How dangerous is non-compliance? The Data Privacy Office team has sorted out the most controversial and popular issues.
Personal data is not only the identifier itself, but also information related to a person. In simple terms, a name, passport number, ID card, login, nickname, email address, phone number, IP address and bank card data are always personal data, because they are identifiers. A car number, handwriting, a video recording or a photo are probably personal data, because they easily allow identification. And an address, family status, gender, information from electronic wallets, health information, information about pages viewed, search queries and posts on social networks are personal data when it is known to whom they relate.
There are nuances here.
Without an identifier, the information becomes anonymous. The related information will be personal data only in cases where it is possible to conduct an additional “investigation” without using special devices and without excessive expenditure of time and effort.
That is, if we do not have a reasonable opportunity to identify the data subject, then such information is not personal, but anonymous.
Personal data
Any information relating to an identified or identifiable natural person ("data subject", i.e. a person).
Identified natural person
A person whose ID (name, phone number, personal number, login, etc.) is available among the data.
Identifiable natural person
A person who can be identified, that is, distinguished from other people.
First of all, the new law was adopted in connection with the development of technologies, due to which people may lose the right to privacy. We have already talked about what privacy is and how it dissipates in the modern world. Now let's talk about the rights that we, as data subjects, can use under GDPR.
Right of access (Article 15 GDPR)
Everyone has the opportunity to get their data or access to it. This covers not only the information that the person provided himself, but also the information that the company (data controller) collected about him from other sources or even created itself. By the way, here we talked in more detail about the role of the controller and the processor. The data subject may not even suspect that such a collection has taken place, and this right allows the subject to find out about it:
for what purposes his personal data are used;
to whom and to which countries they are transferred (and here is more about cross-border data transfer);
how long they are stored;
from where (data sources) they are obtained;
information about important decisions that are made automatically about him;
whether he has the right to delete or clarify the data, or to “freeze” them (restrict processing), as well as to file a complaint with the supervisory authority.
How can a company give effect to this right? It must provide the personal data in whatever form the person requests them (as an email or a paper document). Access to personal data can also be provided in the user's personal account. Under the Regulation, the data are provided free of charge. A fee can be charged for additional copies, as well as in the case of obviously unreasonable or excessive requests.
Right to clarification (Article 16 GDPR)
The subject has the right to request the correction of information that has lost its reliability or is inaccurate, but is still being processed by the company. This can happen if he changes his passport, surname or place of residence, or an error was made somewhere in his data. This right becomes relevant when accurate and complete information is needed for processing.
The right to delete data (Article 17 GDPR)
Also known as the right to be forgotten. The subject has the right to request the controller company to delete his data. However, not everything is so simple. The GDPR provides only a few circumstances that allow you to exercise this right.
Among the personal data, GDPR distinguishes the so-called sensitive data (special categories of data). They need special protection because they make a person vulnerable. These, in particular, include:
1. data on race or ethnicity
2. political beliefs
3. religious or philosophical beliefs
4. participation in trade unions
5. genetic / biometric data
6. health status and sexual life / orientation
7. data on crimes and criminal liability measures applied or that have been applied in the past to a particular person.
These lists can be expanded in the national legislation of the EU Member States. Processing of such data is possible only on the basis of clear grounds.