Engaging with evolving regulations – GDPR

By Victor Naumov
October 2018

In today’s convenience-based economy, more and more people are buying goods and services online. Every time you shop, you leave a digital footprint. Over time, these footprints accumulate in cyberspace and together, they can be used to establish your identity. In this context, the protection of personal data and privacy are integral guarantors of the protection of human rights in e-commerce.

Protecting personal data and the right to privacy

The main legislation governing data protection in the EU is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR), which has applied across all EU Member States since May 25, 2018. The GDPR was adopted with a view to harmonizing data protection regulations across the EU. For any company involved in e-commerce, it is important to be familiar with these new obligations and to devote enough time to compliance.

According to the GDPR, personal data is understood as any information relating to an identifiable natural person (data subject). An identifiable natural person, or data subject, is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Does the GDPR reach beyond the EU?

With respect to e-commerce and personal data, it is worth noting that the GDPR outlines a set of progressive rules that consider specific aspects of personal data processing in the digital space. Article 3 specifies that the GDPR applies to the processing of personal data regardless of whether the processing takes place in the EU or not.

Beyond that, there are two situations in which the GDPR applies to processing by a controller or processor that is not based in the EU: first, if the controller or processor offers goods and services to individuals in the EU, and second, if it monitors individuals in the EU. Such entities must comply with the GDPR. For example, they will need to appoint a representative in the EU, who will represent the controller or processor with regard to their respective obligations under the GDPR.

These two cases of the extra-territorial effect of the GDPR require further clarification. The controller or processor would be deemed to be offering goods and services in the EU if it clearly intends to offer such services in one or more EU member states. Such an intention could be proved by the use of an EU-based language or currency on the e-commerce site, the possibility for EU-based customers to order goods and services, or the mentioning of customers or users who are based in the EU. Thus, the accessibility of the controller’s or processor’s website, email address and other contact details in the EU is not, on its own, sufficient to determine intent.

The definition of monitoring is also quite broad, but in the context of the GDPR, it could be interpreted as the use of various technical mechanisms to collect and analyze data to profile an individual. In light of the popularity of profiling, a large number of companies which do business online will thus fall within the scope of the GDPR.

Privacy and the impact on profiling

In order to recognize an activity as profiling, three basic elements must be determined:

  • It uses an automated form of processing;
  • It includes the use of personal data;
  • The aim of the activity is to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person’s performance at work, health, personal preferences, interests, location or movements.

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects concerning them. Individuals must also be informed about profiling activities and have the right not to be the subject of such activities.

Data portability

One more right of individuals that you should take into consideration is the right to data portability. It means that individuals have the right to receive the personal data that they previously provided in a commonly used and machine-readable format. However, there is a limitation on this right, because it only applies if the processing of the personal data was based on consent or on a contract.

A compliance challenge

Data protection and privacy are among the most controversial and challenging issues of our time. For companies operating in the e-commerce sector, and indeed all companies operating in today’s digital economy, compliance with the GDPR must be a top priority.

Personal data protection in Russia

The regulation of personal data in Russia is similar to the GDPR in many aspects: Russian personal data legislation also applies to operators regardless of whether or not they have local representation in Russia if they have a website that targets a Russian audience. The ‘localization amendment’ is therefore rather impactful, as it establishes an obligation to localize the personal data of Russian citizens in Russia. However, Russian regulations use slightly different criteria for determining which foreign operators acting through a website must comply with Russian personal data legislation. Such foreign operators are those who:

  • Use a Russian-related domain name and/or a genuine Russian version of the website; or
  • Meet additional criteria which indicate “explicit evidence that the owner of the website intends to include the Russian market in its business strategy”. This could be through the use of ruble payments, the delivery of goods to Russia, and/or the use of Russian advertising to lead to the website, etc.

About Victor Naumov

Victor Naumov is a St. Petersburg Managing Partner, Head of the Russia IP, IT and Telecommunications practice, Co-Head of Europe Internet & Tech Regulatory.
