GDPR and Labor Relations. What to Expect?


KYIV - April 24, 2018. The Labor Law Committee of the Ukrainian Bar Association organized an event devoted to the requirements of the new General Data Protection Regulation of the European Union.

The key speaker at the event was Andriy Gumenchuk, member of the UBA Committee on Labor Law, lawyer at AVELLUM. The moderator was Serhii Silchenko, Chair of the UBA Labor Law Committee, partner at ILF, head of Labor Law and Tax Law Practice.

During the meeting, the participants focused on defining the GDPR and its implications for Ukrainian legislation, analyzing changes to existing mechanisms for processing personal data, and warning employers of new responsibilities when hiring employees.

Andriy Gumenchuk briefed the guests on the history of the adoption and the main principles of the GDPR, clearly outlining what data is protected by this document (it is interesting that philosophical and political views are also referred to as personal data).

The speaker drew attention to what particular actions with personal data are considered to be processing, and also warned that the placement of personal data in cloud storage is equivalent to being transferred to third parties.

It is important to remember that the GDPR has an extraterritorial effect, that is, its provisions will apply to non-residents of the EU (for example, residents of Ukraine) who have staff from the EU, carry out market research in the EU (for example, marketing ), operate in the EU (supply of goods, provision of services to EU residents, including free of charge), as well as use personal data of EU citizens for the manufacture of their products, etc.

Therefore, among the advice of the Ukrainian business, which was made at the meeting, one should pay attention to the following: it is necessary to take care of the appointment of the data protection officer responsible for fulfilling the data protection officer's requirements, to develop internal policies for the protection of personal data, to report the leakage of personal data of their owners and authorized bodies (within 72 hours after such leakage), etc.

Summing up, Mr. Gumenchuk drew the attention of employers to key changes in the implementation of GDPR requirements. It will have to obtain consent for the processing of personal data according to new standards, develop a plan of measures for the leakage of personal data and review existing internal policies for their protection; appoint a data protection officer and take into account the expansion of the rights of employees. The most effective motivation to comply with these requirements is the responsibility for violating the protection of personal data provided by the GDPR.