Sign up for news

Countries Subject to GDPR

Author: Rode Arteaga
19 December 2019, 11:14
Votes: 1

General Data Protection Regulation (GDPR) is a set of rules aimed at controlling users’ personal data processing. The document was adopted by the EU Parliament on April 27, 2016. Despite this, even companies that are located outside the European Union must strictly adhere to its requirements.

Countries Subject to GDPR

Companies that process, collect or store personal data of any EU citizen, as well as those ones with offices located in one of the EU countries, are obliged to abide by the GDPR rules. In addition, companies and other organizations focused on an international audience, especially if they offer online gambling services, should also adhere to the GDPR.

Core principles of the GDPR:

  • Legality, fairness and transparency of the company’s activity;
  • Pursuing specific goals;
  • Data accuracy;
  • Minimization of the information use;
  • Confidentiality;
  • Accountability;
  • Time frame for user data storing.

GPDR in Russia and Ukraine

Despite the fact that GDPR is a part of the EU legislation, Russia and Ukraine are also included in the list of so-called GDPR countries. In particular, this regulation affects Russian and Ukrainian companies serving European customers and operating on the territory of the EU through branches and subsidiaries.

According to the new law, which entered into force on May 25, 2018, companies must operate under the new regulation and make a number of changes that will provide enhanced personal data protection.

Read more: Online Gambling Licenses in the European Union

Lawyers explained how GPDR influences Russian and Ukrainian companies serving European clients.

What is meant by GDPR compliance?

  • informing customers about their personal data collection and storage;
  • specifying the type of personal data that must be entered;
  • availability of new data collection policy;
  • adherence to the data protection laws of a specific country.

The GDPR adoption resulted in many companies raising questions (located not only in GDPR countries) concerning operating rules in the Russian and Ukrainian markets. Let’s consider some of them.

1. Which companies are subject to the new regulations?

As studies have shown, operators offering online services are most affected by the GDPR because of the largest number of clients from the European Union.

What is meant by GDPR compliance?

2. Should companies appoint competent employees to monitor the GDPR compliance?

Companies are not obliged to do this if they work in Russia or Ukraine, however, branches and their subsidiaries must appoint such officials.

3. What do market participants need to focus on first: local privacy regulations or GDPR?

Read more: Gambling Legislation in European Countries

Russian legislation on personal information protection is rather strict and very similar to the GDPR provisions, so no problems arise. In case of uncertainty, local courts shall determine the law that is applicable in a particular situation.

Ukrainian companies frequently have to deal with personal data of users from the EU. For example, software developers have access to personal data of people who are registered in a specific database. In the GDPR countries, personal data processing includes access to personal data, even if it is not stored on any device.

What Operators Need to Know

The GDPR defines the procedure for personal data collection and storage. It differs depending on the purpose of processing. A company that defines the purpose and means of data processing is a controller, therefore it has more obligations.

First, such a company must conduct a general check and determine what personal data is used, which of it is stored on devices, where and under what conditions it can be transferred, who has access to this information and what data protection methods are used. The company cannot collect more personal data than it is necessary for this business.

After a general check, a company should confirm that its privacy policy complies with the GDPR provisions. It should contain the collected data, the purpose of processing this data, the clients’ rights regarding their data and the procedure for handling complaints.

Read more: Number of Blacklisted URLs Exceeded 50 Thousand across Europe

What Operators Need to Know

Companies in the GDPR countries must ensure access to their privacy policy written in simple language. According to the new rules, users have to actually read the data processing rules before clicking on the "I agree" button.

The GDPR also requires clear privacy notices. Thus, it is better and more convenient when clients see a window with a short message and the "I agree" field. Obtaining consent to data processing is a key task of a controller.

However, a well-written privacy policy is not the only requirement for a company. It also must introduce technical and organizational measures aimed at personal data protection, such as data encryption methods (anonymous), as well as physical and online access control.

GDPR Countries

The physical location of an establishment, organization, or business is not so important regarding the GDPR. The main aspect is the residence of the user, whose data is processed by a particular company. And, obviously, in addition to Russia and Ukraine, this regulation applies to all EU countries.

As mentioned earlier, the European Gaming and Betting Association called into question consumer protection standards.

Read more: Europe Faces Major Changes in the Matter of Gambling Policy in 2019

Read more: Online Gambling in Eastern Europe – Part 1


No comments

Now read
31 May