
Preparation of policies for compliance with regulatory legal acts (GDPR, CCPA, LGPD, PIPEDA, COPPA, etc.)

Protection of personal data

Analysis and alignment of business processes of your company in accordance with GDPR, CCPA, the Law of Ukraine "On Protection of Personal Data".

What is personal data?

As a rule, the term “personal data” is enshrined at the level of national legislation. For example, in the European Union, processing of personal data is regulated by the General Data Protection Regulation (GDPR), in Canada by the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA), in the United States (in California) by the California Consumer Privacy Act (CCPA).

These laws govern how businesses must behave when collecting and processing customer and employee data.

There are slight differences in the definition of personal data, but in order to make it easier to understand, we will use the GDPR definition.

  • Personal data is any information relating to an identified or identifiable natural person (“data subject”, i.e. a person).
  • An identified natural person is a person whose identifier (name, phone number, personal number, login, etc.) is present in the data.
  • An identifiable natural person, in turn, is a person who can be easily identified, that is, distinguished from other people.

Personal data is not only the identifier itself, but also the information related to a person. In simple terms, name, passport number, ID card, username, nickname, e-mail address, phone number, IP address and bank card data are always personal data, because they are identifiers. A license plate number, handwriting, videotape or photo are probably personal data, because the person is easily identifiable from them. Address, marital status, sex, gender, e-wallet information, health information, page views, searches and social media posts are personal data when you know who they belong to.

How does a business comply with data protection laws?

Conducting an audit of business processes

We audit current and future business processes for compliance. We create a Data Map to identify potential irregularities.

Drawing up company policies regarding the processing of personal data

We draw up a privacy policy, privacy notice, cookie policy and other necessary documents.

Conducting an audit of the website/application

We check the availability of the necessary consent collection forms, the operation of cookies and the location of legal documents, and make recommendations as a result.

Preparing and concluding data processing agreements with your counterparties

If you transfer personal data to third countries, you will need to enter into Data Processing Agreements.

Appointing a Data Protection Officer (DPO)

The designation of a DPO is mandatory if: (a) the processing is carried out by a public body or authority other than courts of competent jurisdiction; or (b) the legal entity's principal activities consist of data processing operations that, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or (c) the legal entity's core business consists of large-scale processing of special categories of data pursuant to Article 9 of the GDPR and of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

Conducting a Data Protection Impact Assessment (DPIA)

Conducting a DPIA on a regular basis is only necessary for some specific processing activities, namely those activities that may have a significant impact on the rights and freedoms of data subjects.

Providing employee training

Employee training on safe handling of personal data is mandatory. We will teach your employees how to respond to requests from data subjects and regulators.

FAQ

In Ukraine, the State Service of Ukraine for Personal Data Protection is responsible for monitoring compliance with personal data legislation.

Violations of personal data legislation are punishable by administrative fines for individuals and legal entities, as well as criminal liability in case of grave violations.

Companies and organisations processing personal data must comply with the principles of data processing, obtain the consent of data subjects, and ensure data protection and confidentiality.

Companies should implement technical and organisational security measures, such as data encryption, access restrictions, staff training and auditing of data processing systems, to protect personal data from unauthorised access and leaks.

Leave a request and our lawyers will contact you!
