EUROPEAN BUSINESS ASSOCIATION

Corporate Code of Conduct on Personal Data Protection in the Sphere of Information Technologies

CONTENTS

Introduction

Letter from EBA Executive Director

Recommendation letter from the State Service of Ukraine for Protection of Personal Data

Section 1. Purpose of the Code

Section 2. Definitions

Section 3. Scope and Applicability of This Code

Section 4. General Principles of Data Processing

Section 5. General Recommendations on Data Protection

Section 6. Data Security Recommendations

Section 7. Direct Performers Guidelines

Section 8. Recommendations on Personal Data Requests

Section 9. Cross-Border Data Transfer (from abroad)

Section 10. Cross-Border Data Transfer (to abroad)

Section 11. Specific Recommendations on Data Protection

Section 12. Compliance Issues and List of Signatories

Section 13. Legal Force. Introducing Amendments. Data Protection Working Group

Letter from EBA Executive Director

Corporate Code of Conduct on Personal Data Protection in the Sphere of Information Technologies

Approved by European Business Association

SECTION 1. Purpose of the Code

The European Business Association (hereinafter – the “EBA”), as a voluntary union of legal entities and a non-governmental, non-profit organisation, has approved this Code, which sets out recommendations and practical advice for IT Companies on the implementation of the Law of Ukraine “On Personal Data Protection” No. 2297-VI dated June 1, 2010 (as further amended, hereinafter the “Law”) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108 of 28.01.1981, taking into account the special conditions of personal data processing in the IT industry.

The Code will be helpful for IT Companies that wish to comply with Ukrainian and European data protection legislation.

The practical recommendations will also help IT Companies to raise the level of security with which they process the personal data of their employees, clients and other persons, and therefore to build trustworthy relations with them. This is relevant and important in the age of digital communications, Internet trade and other distance relations, where trust in an IT Company is the pillar of any business built on the use of personal data.

Foreign companies choosing a reliable business partner among Ukrainian IT Companies quite often verify its level of personal data security. Therefore, observance of the recommendations and principles of this Code will promote the development of business with foreign customers.

IT Companies that have signed the Code intend to reassure business partners as well as the general public that IT services are provided in a professional and ethical manner with respect for the right to privacy.

From a legal standpoint this Code is a permissive (recommendatory) document; at the same time its legality as a regulating instrument is confirmed by Article 27 (2) of the Law. This Code is not aimed at overburdening the activity of IT Companies with new duties; quite the contrary, it is targeted at explaining the duties set by the Law.

SECTION 2. Definitions

2.1 For the purposes of this Code, unless otherwise defined by the law:

(1) personal data subject shall mean a natural person whose personal data is processed pursuant to the Law;

(2) personal database controller (or data controller) shall mean the individual or legal entity which has the right to process personal data based on law or on the individual’s consent, determines the purposes of the processing of personal data in the personal database, and determines the contents of the personal data and the means of its processing, unless otherwise set by the Law.

Formally, the data controller shall be a legal entity or an individual entrepreneur who processes data for its own purposes or pursuant to law. For example, companies/individual entrepreneurs in the course of their business activity may run databases of their private clients, potential clients, employees or other key contact persons; authorities may run official databases of citizens for the performance of their public duties;

(3) personal database processor (or data processor) shall mean an individual or legal entity which has the right, granted by the controller or by the Law, to process the personal data.

The purpose of data processing is the key criterion for distinguishing a data processor from a data controller. The data controller processes personal data for its own purposes or may appoint a data processor as an outsourced entity to do so. IT Companies can be either data controllers or data processors, defining their status at their sole discretion according to the data that they process. IT Companies acting as providers of outsourced IT services shall usually be regarded as data processors while they process personal data received from the clients that order those services;

(4) data protection authority shall mean the state executive authority responsible for state policy in the sphere of data protection, whose legal status is defined by the effective legislation of Ukraine. At the date of adoption of this Code, such authority is granted to the State Service for Personal Data Protection;

(5) IT Companies shall mean the companies that conduct software development, operation services or cloud computing services and are signatories of this Code. Where appropriate, the IT Company acts as processor or controller. Private entrepreneurs may be deemed IT Companies as well;

(6) direct performer shall mean the individual employed or engaged (under a civil contract) by the IT Company who implements specific tasks, technological processes or services during which the processing of personal data is performed.

As a general rule, direct performers shall act on behalf of the data controller or data processor, unless otherwise follows from the merits of the case;

(7) third party shall mean any individual or legal entity, other than the data subject, the controller, the processor and the data protection authority, to whom the controller or the processor transmits personal data pursuant to the Law;

(8) personal data shall mean any information or set thereof relating to an identified or identifiable individual (data subject).

An identifiable person is one who can be identified, for example, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, social or other identity. An exhaustive list of personal data is not set by national legislation or international treaties and cannot be determined, for objective reasons;

Usually, all personal data is classified as “general” or “sensitive” personal data. The list of types of sensitive data is limited to: racial or ethnic origin, political, religious or ideological convictions, membership of political parties and trade unions, and data on health or sexual life; the rest of the data may be regarded as general. However, there is no exhaustive list of what constitutes “personal data”. Any attempt to make a list of what can be regarded as personal data will sooner or later become outdated, and this may impact individuals’ privacy rights. Therefore, it is common European practice to introduce an abstract legal definition of personal data;

In order to determine whether the available data should be regarded as personal data, it is recommended to answer the following questions:

  1. Does the data relate to an individual?
  2. Does the data contain any information (description) attributed to the person?
  3. Can anybody identify a certain person based on this data? The data controller or data processor shall be able to identify the individual based on the available data.

(9) personal data subject's consent (or consent) shall mean any documented, in particular written, freely given indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed pursuant to the determined purpose of its processing;

(10) personal database shall mean any named structured set of personal data which exists in electronic format and/or as a filing system;

(11) processing of personal data shall mean any operation or set of operations which is performed fully or partially in an information (automated) system and/or in a filing system and which relates to the collection, recording, acquisition, storage, adaptation, alteration, retrieval, use and dissemination (distribution, sale, disclosure by transmission), depersonalising, or destruction of personal data;

(12) depersonalising shall mean the removal of data that allows the data subject to be identified;

(13) information technology (or IT) shall mean the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications;

(14) software development shall mean the development of a computer program (a set of instructions as words, numbers, codes, charts, characters or in any other kind, expressed in a form suitable for read-out by a computer, which causes it to operate for the achievement of a certain goal or result);

(15) operation services shall mean the process-focused management of information technology systems as the practice of transferring day-to-day management responsibility for operations, inclusive of production support and lifecycle build/maintenance activities;

(16) State Register of Personal Databases shall mean the unified state information system for collecting, storing and processing data on registered personal databases;

(17) cloud computing services shall mean the provision of computational resources on demand via a computer network.

Other definitions shall have the same meaning as defined by the effective legislation of Ukraine.

Section 3. Scope and Applicability of This Code

3.1. This Code addresses situations and cases of personal data processing in business activity of IT Companies.

3.2. This Code is followed by the signatories (initial and future), however guidelines on data protection may be helpful for any personal data controller or personal data processor.

3.3. The signatories hereby undertake the obligation to ensure that all direct performers comply with the Law and this Code.

3.4. IT Companies are encouraged to join and follow the Code in their business activity as well as promote the Code for further sharing and implementation of its guidelines in IT sphere.

Section 4. General Principles of Data Processing

4.1. In addition to the principles set in the effective legislation of Ukraine, these are the principles of the Code:

(1) IT Companies shall respect confidentiality of personal data processed in their professional activities;

(2) IT Companies shall balance the needs of subjects of the personal data relations;

(3) IT Companies shall ensure that their professional activities related to processing of personal data are conducted by persons with appropriate skills, experience and awareness of this Code;

(4) IT Companies shall protect the reputation and integrity of IT profession and industry;

(5) IT Companies shall track any amendments to the data protection legislation, this Code as well as best practices in data protection.

Section 5. General Recommendations on Data Protection

5.1. IT services should be provided in compliance with the effective legislation of Ukraine relevant to a given project or, if applicable, with the law of another jurisdiction.

5.2. IT Companies shall take reasonable steps to avoid conflicts of interest with clients and/or data subjects in respect of data protection.

5.3. IT Companies will act with awareness of the ongoing, persistent threat of electronic attacks by criminals operating in cyberspace, which may impair personal data protection.

5.4. IT Companies shall be ready to respond to any breach of security swiftly and effectively.

5.5. IT Companies shall design and organise an appropriate level of security.

5.6. Direct performers can access and process personal data only within the scope of their authority.

5.7. IT Companies shall take reasonable steps to ensure that if personal data is accidentally lost, altered or destroyed, it can be recovered so as to prevent any damage or distress to the individuals concerned.

5.8. IT Companies that are data controllers should follow the requirements on registration of personal databases with the State Register of Personal Databases.

Section 6. Data Security Recommendations

6.1. IT Companies should take security measures against the risk of unauthorised disclosure, loss, destruction or alteration of personal data. IT Companies should also take security measures to prevent the repetition of any data security breach incident.

6.2. IT Companies may introduce different security levels for personal data, appropriate to the following criteria:

(1) definite legal requirements set by the effective legislation of Ukraine;

(2) the nature (general or sensitive) and volume of the personal data to be protected;

(3) the harm that might result from the improper, unauthorised or unlawful processing of the personal data, or from its accidental loss or destruction;

(4) the size and complexity of the organisation;

(5) technologies generally available and/or adopted by other IT companies or by the IT company’s business partners;

(6) the cost of implementation;

(7) undertakings set forth in service contracts with counterparties.

6.3. IT Companies independently, and subject to the provisions of the applicable Law, define the security measures/security programmes they should have in place, namely:

(1) physical security (security of the premises; computer screens not visible to the public/visitors; workstation security and maintenance; secure disposal of printouts, etc.);

(2) technological security (security of the internal IT network; security of computer servers and application programmes; security of mobile computing; anonymisation of personal data; encryption, etc.);

(3) management security (tracking and management of incidents; authorisation management and user awareness; job control; back-up and business continuity; archiving; availability control, etc.);

(4) organisational security (risk assessment; company security rules; user authentication; exchange of information on potential risks with other organisations, etc.).

6.4. IT Companies are not required to have state-of-the-art security technology to protect the personal data they hold, but they should regularly review their security arrangements as technology advances or if potential risks increase.

Section 7. Direct Performers Guidelines

7.1. IT Companies shall appoint in writing a personal data protection officer (or department) who will be responsible for organisational measures for the protection of personal data during personal data processing pursuant to the Law and this Code.

7.2. IT Companies are recommended to designate which direct performers are and are not authorised to access and process personal data, and to set appropriate measures for verifying direct performers’ identity. The identifier of a direct performer who has lost authorisation for personal data processing should not be granted to another authorised direct performer.

7.3. IT Companies are recommended to prescribe legal obligations regarding data protection in local labour regulations, policies and/or handbooks. IT Companies are recommended to execute confidentiality agreements with each direct performer and/or to include confidentiality clauses in employment/civil contracts.

7.4. IT Companies are recommended to provide appropriate initial and refresher training for the authorised direct performers dealing with personal data.

7.5. IT Companies are recommended to determine the necessary restrictions on the personal use of corporate computers or other devices by direct performers. A direct performer who is using a laptop or other device containing personal data shall be obliged to take special precautions while the laptop / other device is transported, stored or used outside the IT Company premises / area where the data are being processed.

7.6. If applicable, IT Companies are recommended to inform direct performers of the fact of personal/premises monitoring. The IT Company should establish policies on monitoring, and direct performers should acknowledge receipt thereof. Monitoring practices should not violate direct performers’ rights to private life, private correspondence and confidentiality of their personal data.

7.7. IT Companies are recommended to inform direct performers about the Law and the Code and the corresponding articles of their own internal labour rules, policies and/or internal directives.

Section 8. Recommendations on Personal Data Requests

8.1. A request for access (hereafter – the “request”) to personal data may be submitted by the personal data subject regarding his own information, or by a third party or a state body regarding a specific personal data subject. The conditions for considering a request differ depending on who submits it. That is why the IT Company should identify who the author of the request is in relation to the requested personal data: the personal data subject or not.

8.2. If the personal data subject submits the request regarding himself, the following rules apply: according to Article 16(6) of the Law, the personal data subject has the right to obtain any kind of information regarding himself from any subject of relations connected with personal data, without stating the purpose of the request. At the same time, the IT Company should ensure that the request contains the following:

(1) surname, name and middle name, address of residence (place of stay) and details of the document identifying the individual who submits the request (for an individual – the applicant);

(2) information on the personal database to which the request relates, or information on the personal database processor or controller;

(3) the list of personal data which is requested.

In addition, the personal data subject has the right to require the personal data controller to change, add to or delete the personal data if it is processed illegally or is inaccurate.

The answers should be accurate, complete and timely (a preliminary response should be given within 10 working days, and the response to the request within 30 working days from the date of receipt of the request).

8.3. If the request is submitted by a third party or a state body regarding a particular personal data subject, the following rules apply: according to Article 16 (3) of the Law, the request should be submitted to the personal database controller. If the IT Company does not act as the personal database controller but as the personal database processor, it is recommended to forward the request directly to the personal database controller, and the author of the request should be informed within 10 working days of the redirection of the request to the appropriate personal data controller. If the IT Company acts as the personal data controller, or the personal data controller has authorised the IT Company to process all such requests itself, then the IT Company should ensure that the request contains the following: