Bryan Cave Leighton Paisner (Russia) LLP advises that the EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018, marking the biggest change to EU data privacy laws for several decades. Given its extraterritorial reach, this regulation will have to be complied with by certain non-EU businesses.
The key GDPR points for Russian corporates are as follows:
1. Territorial Scope
The GDPR covers:
(a) companies operating in the EU through an establishment/stable arrangement (such as Russian businesses with EU branches, representative offices or subsidiaries);
(b) businesses outside the EU if they
offer goods or services to individuals in the EU (i.e., on-line stores from which purchases may be made in the EU) or
monitor their EU behaviour (banks or mobile operators).
Importantly, the GDPR does not use the term “citizenship”; it affords personal data protection to anyone within the borders of the EU, including Russian citizens staying there temporarily. Consequently, Russian banks receiving transaction reports for clients visiting the EU on holiday or business or mobile operators tracking customers’ roaming activity are likely to be bound by the GDPR.
2. GDPR key provisions and requirements:
The Regulation expands the personal data (PD) list (specifically by adding IP-addresses).
For data subjects, the GDPR also introduces a wider array of more specific rights (such as portability, erasure, access, etc.)
It also sets out the specific requirements on data subject consent and other grounds for processing personal data.
Organisations must ensure that they have transparent PD processing procedures in place under their full control and that these are clear and understandable for data subjects.
Any incident must be reported within 72 hours.
Personal data inventories must be created and kept up-to-date.
“Privacy by Design” calls for privacy to be taken into account throughout the engineering process for any new technology/ product.
Data protection impact assessments (DPIAs) must be carried out under certain circumstances.
In some cases, a Data Protection Officer (DPO) must be appointed.
If a company has no physical presence in the EU, it must designate an EU representative.
The GDPR clarifies the conditions and procedure for instructing other parties to process personal data.
Cross-border PD transfer requirements are also specified.
Supervisory authorities’ rights are now expanded.
Breaches entail fines of up to EURO 20 m (or 4% of the company’s annual turnover)
Bryan Cave Leighton Paisner’s international data protection team provides businesses with comprehensive GDPR support. Specifically, we:
advise on any GDPR matters on an on-going basis;
audit corporate business processes, elaborate a GDPR-compliance programme and help companies ensure that it is implemented.
If you would like to receive our legal alerts and updates highlighting current legal issues relevant to your areas of interest and providing expert commentary by our lawyers, please click on "Sign Up" and fill out the form.