Volkov & Partners

Right to informational self-determination?


“Zerkalo Nedeli. Ukraine”  
№46, December 16, 2011

A citizen of the modern information society is an individual whose personal data (PD) is processed automatically. Is this consistent with the constitutional principle of privacy?
 
A day-to-day environment.
You are an individual and a participant in legal relations such as, for example, employment. When getting a job you provide the employer with the required private information, or PD, in other words, "the information about an individual who is identified or can be specifically identified." The employer will put it in its personal data database (PDD) of employees, and - congratulations - you have acquired the status of a subject of personal data (SPD). The employer in this case is the owner of the PDD. This means that your personal data gets collected, stored, maintained, adapted, modified, renewed, used and distributed, depersonalized and even eliminated! In short, your data is processed through the PDD. PD is processed by a person appointed by the owner, the manager of the PDD.
The owner may process your PD solely on the basis of your voluntary recorded consent (with the scope of data specified) and in accordance with the stated purpose. In this case, the purpose of data processing is linked to employment.

Based on what?
The constitutional right to privacy is the basis of PD protection and provides for a special legal regime for information about an individual: under Ukrainian legislation, information about an individual is confidential and, therefore, access to it is restricted by the individual himself or herself.
Only with a permission?
All PD about you as an individual is processed (automatically or through card-indexing) only with your written consent. Ukraine took this decision on its way towards a visa-free regime. But let's talk more about that later. Global jurisprudence on PD protection has gone two ways: either identifying PD with any information relating to a particular person, or differentiating PD. The principle of PD differentiation is also embodied in the national legislation. Embodied but, unfortunately, not forming the basis for the PD access regime.
What does differentiation mean? It means the breakdown of information about an individual into the following components:
  - The so-called operational minimum of PD - general information - full name, identification number, education, employment history, marital status, contact information;
  - The category of "sensitive" data - about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexuality. The Law prohibits the processing of such information, but gives a list of exceptions to the prohibition. Conventionally, such exceptions cover two aspects: one relates to the explicit consent of the SPD and the other to objective necessity.
Remarkably, when access to PD is based on the principle of data differentiation, a licensing procedure for processing relates solely to the "sensitive" data. In our case, the obligation to obtain the SPD's consent concerns all of its PD. This is how the Ukrainian legislator decided to set up the protection of PD in the Law of Ukraine "On protection of personal data" No. 2297 of June 01, 2010 (hereinafter - the Law).
Thus, we have examined the situation from the position of the SPD.
The Law came in response to a new challenge of European integration. In order to intensify the visa-free dialogue with the EU, PD protection was placed among the priority reforms of 2010: from the "Matrix of cooperation" between Ukraine and the EU and the Plan of Priority Measures for the Integration of Ukraine into the EU up to the Law. In addition, some national legislative acts were amended to strengthen accountability for violations of the legislation on protection of personal data (effective from January 01, 2012), and the 1981 Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter - the Convention) and its 2001 Additional Protocol regarding supervisory authorities and transborder data flows were ratified. But while striving no longer to disappoint the EU, Ukraine has not done well at sorting out the legal consequences of the "reforms" for itself.
Now, let's examine the situation from the perspective of the PDD owner. The Law defined compulsory state registration of PDD as the guarantee of PD protection. The Convention, however, formulates only a general duty to create a PD safeguard system, i.e. it does not require the member states to introduce any specific mechanism such as, for example, mandatory registration of all PDD. Moreover, the European states parties to the Convention introduced so-called necessary registration: first, the registration of PDD owners rather than PDD; second, the registration of owners of "sensitive" PDD; and, third, registration for the purpose of controlling data processing and ensuring the transparency of information about processing.
By the way, you may not even realize that you already have some PDD subject to registration. But from the new year your ignorance will make itself felt.
The Law, which entered into force on January 01, 2011, launched a new mechanism. What, then, have the state's efforts resulted in? An entrepreneur who is an individual, a private entrepreneur (hereinafter - PE), automatically became an owner of PDD by hiring two employees. The PDD of the staff is therefore the first database. Pursuing a favourite business means getting another "gift" - the PDD of clients.
If status obliges, a business entity that is a legal entity will have a third database as well - the PDD of service providers.
So here is the registration minimum for your attention: if you are an individual PE, be prepared to register two PDD; if you are a legal entity, you have to register as many as three PDD!
How does the state propose to live with the status of an owner of PDD?
The state established a special legal and institutional mechanism to ensure protection of PD. The State Service for Personal Data Protection of Ukraine (SSPDP) is the regulator, the registrar and the supervisor. The specialized legal framework, apart from the Law and amendments introduced in other regulatory acts, includes subordinate acts governing SSPDP's establishment and operation, maintenance of the register and submission of documents for registration.
Owners who are to register PDD have to be prepared. And not only morally, but thoroughly:
  - to determine the purpose of PD processing and the number of PDD required to carry out their own activities;
  - to approve the procedure for PD processing and protection by an in-house order, and to acquaint employees with this document;
  - to approve the text of an individual's consent to the processing of his/her personal data;
  - to obtain the written consent of the subjects of personal data;
  - to designate a structural unit or person responsible for organizing the protection of personal data during processing.
Having cleared up these issues internally, an owner submits an application for registration of the PDD it owns (separately for each PDD!). The application has to contain the information required for registration, namely, a request for entry of the PDD into the register, the information on the PDD owner, the information on the title and location of the PDD, the information on the PDD manager, the information on the purpose of data processing, and the document certifying the obligation to fulfil the requirements of the laws on PD protection.
The Ministry of Justice approved the sample application as early as August 2011. PDD registration is carried out by making an appropriate entry and issuing a certificate within ten days from the date of receipt of the application.
And the certificate, here it is, in your hands! Could you, after the registration, forget about yet another bureaucratic mechanism? No. So, you have to live with this.
In accordance with the Law: "... any change of information required for registration shall be reported by the PDD owner to SSPDP no later than within ten working days from the occurrence of such change."
What is the sequence of actions of a law-abiding owner? Suppose, for example, that the PDD manager, a certain Mr. Hennady Pavlovich, has changed his address.
The PDD owner has to:
1) approach Mr. Hennady Pavlovich to obtain his consent to process his personal data (as the status of manager does not exempt him from the status of SPD);
2) having obtained the consent, introduce the changes into the PDD;
3) advise SSPDP of the changes introduced in the record.
If the address of the actual location or storage of the PDD media has changed, don't forget to inform SSPDP.
In addition, the rules for document circulation and the procedure for carrying out an employer's activities require the employer to process PD internally all the time. Although changes in the data of an SPD do not have to be reported to SSPDP, the procedure of obtaining consent means that data processing adds a lot of documentary burden to the employer. It is even hard to rejoice sincerely at an addition to an employee's family…
Given such a scenario, an individual or a small legal entity, once faced with these difficulties, would choose to expand its staff by just one person, but a larger entity would have to establish a separate unit both for internal "correspondence" regarding the processing of SPD data and for "correspondence" with SSPDP. This is a real way to absurdity, isn't it?
According to the Law: "…personal data in PDD is subject to elimination in case of termination of legal relations between SPD and PDD owner, unless otherwise prescribed by the law". However, as far back as 1998 the Main Archive Direction again obliged employers to keep personal data for as long as 75 years. This provision is not new but inherited. And according to the legislative hierarchy, a law supersedes an order, so is the practice of document circulation and archiving to be ignored?
And remember, you also have to inform both the SPD and all persons to whom this data was communicated about the elimination of PD.
Article 1 — mistake No. 1.
The exception to the general rule of obligatory registration, by virtue of exclusion from the scope of the Law, concerns the creation of PDD and the processing of personal data in these databases carried out:
  - by physical persons - exclusively for non-professional private and domestic needs;
  - by journalists - in view of their official and professional duties;
  - by professional artistic intellectuals - to carry out creative activity.
Since the Law of Ukraine "On State Support of Mass Media and Social Protection of Journalists" defines a journalist as "a creative worker who professionally collects, receives, creates and prepares information for media ...", the second category of exempt subjects is included in the third category. All that is left to do is to emphasise the extraordinary attention given to exceptions from the scope of any reformatory law.
In the United Kingdom personal data is protected under the Data Protection Act, 1998 (hereinafter - the Act), which is based on the principle of differentiation of PD. This state, a party to the Convention, introduced a "required obligatory registration", which provides exceptions for:
1) owners engaged in the processing of private information for:
  - personnel management (including billing information);
  - advertising, marketing, public relations (in connection with commercial activities);
  - bookkeeping;
2) some non-profit organizations;
3) processing of personal data for private, family and domestic purposes (including leisure activity);
4) owners engaged in processing of personal data to maintain a public register;
5) owners not engaged in computer processing of personal data.
The register of owners is maintained by the Information Commissioner, who is also authorized to impose monetary penalties for violations of the registration requirements. The maintenance of the register is supervised by the Information Commissioner's Office. The institutional system is complemented by the tribunal for information policy, which is part of the system of administrative court procedure.
The exceptions in the British system are not exceptions for the sake of exceptions; they are really aimed at eliminating bureaucracy in the activities of PDD owners who deal with the processing of the "operational minimum of PD", and at protecting "sensitive" PD.
Why is this important today? As of November 10, 2011, SSPDP received, processed and recorded 1,203 applications for registration of PDD into the State Register of PDD. Upon consideration of these applications the SSPDP Interim Commission for review of the documents for PDD registration brought 861 PDD into the State Register. What is that, a violation of the law?
At first glance, the statistics indicate non-compliance by PDD owners with the current legislation on PD protection through avoidance of PDD registration. But in fact, for the PD protection system to run properly the key mechanism has to be launched - the mechanism of accountability for violations of the law on PD protection. The relevant changes will take effect on January 01, 2012 and provide for administrative and criminal liability in accordance with the Code of Administrative Offences (CAO) and the Criminal Code of Ukraine (CCU).
In particular, the initiatives contemplate administrative liability in the form of penalties for failure to register PDD:
  - for individuals - ranging from 300 to 500 tax-free incomes, that is from UAH 5,100 to UAH 8,500 and
  - for officials and private entrepreneurs - ranging from 500 to 1000 tax-free incomes, that is from UAH 8,500 to UAH 17,000.
Since the majority of registration will account for the bases which contain the “operational minimum of PD”, the “misunderstanding” of the concept of mandatory registration may prove costly for PDD owners.

Publicity of information

From January 01, 2012 the Register's data will be publicly available on the website of the Register's administrator (SE "Information Center" of the Ministry of Justice of Ukraine) by searching and browsing the information about PDD (name of database, information about the owner. For individuals – with available name, purpose of data processing, registration number of the record of PDD within the Register). The search, thus, may be performed based on the last three items.
Ukraine has once again followed the path of "anti-people law-writing", putting an additional bureaucratic, financial and administrative burden on entrepreneurs - registration for the sake of registration and not to protect the category of "sensitive" PD that requires it.
Undoubtedly, it is hard to overestimate the importance of the institution of PD protection in the contemporary environment of unauthorized use of PD. However, Ukraine must base its requirement to register PDD on the principle of differentiation of personal data. This, on the one hand, would help meet the objective of protecting the personal data that needs it and, on the other hand, would not create additional barriers to the activity of PDD owners representing small and medium businesses.
Instead of curing Ukraine’s legal system, ill-conceived legislative reform brings it just “sores because it made sense to consult a doctor first, get a prescription and even buy medicine. It is necessary to take medicine properly and systematically rather than chase elusive health by taking excessive antibiotics and tranquilizers, especially when this health is badly needed for millions of people”.

Bek Marianna, Associate,
Oleksiy Volkov, Managing Partner, 
Volkov and Partners Law Firm 
 
