The General Data Protection Regulation (GDPR) is a set of rules governing the processing of users’ personal data. The document was adopted by the EU Parliament on April 27, 2016. Although it is EU legislation, even companies that are located outside the European Union must strictly adhere to its requirements.
Companies that process, collect or store personal data of any EU citizen, as well as those with offices located in one of the EU countries, are obliged to abide by the GDPR rules. In addition, companies and other organizations focused on an international audience, especially if they offer online gambling services, should also adhere to the GDPR.
Core principles of the GDPR:
- Legality, fairness and transparency of the company’s activity;
- Pursuing specific goals;
- Data accuracy;
- Minimization of information use;
- Time frame for storing user data.
GDPR in Russia and Ukraine
Despite the fact that GDPR is a part of the EU legislation, Russia and Ukraine are also included in the list of so-called GDPR countries. In particular, this regulation affects Russian and Ukrainian companies serving European customers and operating on the territory of the EU through branches and subsidiaries.
According to the new law, which entered into force on May 25, 2018, companies must operate under the new regulation and make a number of changes that will provide enhanced personal data protection.
Lawyers explained how GDPR influences Russian and Ukrainian companies serving European clients.
What is meant by GDPR compliance?
- informing customers about their personal data collection and storage;
- specifying the type of personal data that must be entered;
- availability of a new data collection policy;
- adherence to the data protection laws of a specific country.
The adoption of the GDPR led many companies (located not only in GDPR countries) to raise questions concerning operating rules in the Russian and Ukrainian markets. Let’s consider some of them.
1. Which companies are subject to the new regulations?
As studies have shown, operators offering online services are most affected by the GDPR because they have the largest number of clients from the European Union.
2. Should companies appoint competent employees to monitor the GDPR compliance?
Companies are not obliged to do this if they work in Russia or Ukraine; however, branches and their subsidiaries must appoint such officials.
3. What do market participants need to focus on first: local privacy regulations or GDPR?
Russian legislation on personal information protection is rather strict and very similar to the GDPR provisions, so no problems arise. In case of uncertainty, local courts shall determine the law that is applicable in a particular situation.
Ukrainian companies frequently have to deal with personal data of users from the EU. For example, software developers have access to personal data of people who are registered in a specific database. In the GDPR countries, personal data processing includes access to personal data, even if it is not stored on any device.
What Operators Need to Know
The GDPR defines the procedure for personal data collection and storage. It differs depending on the purpose of processing. A company that defines the purpose and means of data processing is a controller, therefore it has more obligations.
First, such a company must conduct a general check and determine what personal data is used, which of it is stored on devices, where and under what conditions it can be transferred, who has access to this information and what data protection methods are used. The company cannot collect more personal data than is necessary for its business.
The GDPR also requires clear privacy notices. Thus, it is better and more convenient when clients see a window with a short message and the "I agree" field. Obtaining consent to data processing is a key task of a controller.
The physical location of an establishment, organization, or business is not so important regarding the GDPR. The main aspect is the residence of the user, whose data is processed by a particular company. And, obviously, in addition to Russia and Ukraine, this regulation applies to all EU countries.
As mentioned earlier, the European Gaming and Betting Association called into question consumer protection standards.