Many companies focused on the consumer as their main client often collect and process personal data of individuals for commercial purposes (statistics, client acquisition, marketing, advertising, etc.). In most cases, this is data obtained directly from customers or potential customers through questionnaires. Let's look at specific examples of how such processing of personal data will comply with the Act on Protection of Personal Data, which entered into force on January 1, 2011 (hereinafter - "the Act").
Establishing what kind of identifying information about a person will be deemed "personal data" according to the Act requires some subjective judgment. If any personal information is stated together with an individual's first and last name, it is considered personal data. This applies, for example, to an address, date and place of birth, education, marital status, wealth, ethnicity, religion or the state of one's health.
Also note that a characteristic feature of personal data processing that falls under the Act is that it takes place wholly or partly in a specific database (e.g., a paper file or an electronic database). This is logical, because working with personal data is in most cases possible and convenient only when it is collected and categorized by a certain criterion, such as alphabetically, by discount card number, by year of birth, or by date of membership. The processing of personal data includes any act related to the collection, recording, accumulation, storage, adaptation, alteration, updating, use and dissemination (communication, sales, transfer), de-identifying or erasing of information about an individual.
A database has an owner: an individual or legal entity that, by law or by consent of the personal data subject, has been given the right to process this data, and that states the purpose of processing personal data in this database and establishes the composition of the data and the procedures for handling it. The database owner can transfer the data processing to external sources that will perform the technical tasks. The law calls such an entity a manager of a personal database. Now that we have reviewed the basic terms of the Act, we shall consider some cases of commercial personal data collection.
Fill out a survey and get a discount
Often, shops, restaurants and companies from the service sector offer so-called discount programs. To obtain a discount card when purchasing personal goods (or without a purchase), the client is asked to complete a buyer's questionnaire stating their personal data.
As a general rule, you must provide your full name, address, telephone number and date of birth. Often additional data (education, occupation, income level, frequency and amount of purchases, marital status, car ownership, use of airline services) is collected, which allows the company to gather quite a lot of information about the person. Special promotional rules may provide discounts and/or gifts for family members, suggesting the inclusion of personal data on the latter as well.
In reality, it is often the case that some of the questionnaire fields are marked with the symbol "*" as the so-called "required". The average consumer, being keen mainly on getting a discount, rather faithfully fills in "mandatory" fields and the entire form.
In some of the questionnaires we analyzed there was no mention whatsoever of why and how the information about the customer will be used after the discount card is issued. Yet such information can be detailed enough to require adequate protection against illegal use. Some questionnaires mentioned, in a consolidated note, that the data will be kept confidential and will not be transferred to third parties. In some questionnaires, the purpose of collecting information was presumed in the question "How do you want to receive notification of discounts and new acquisitions?" (e.g., by mail, e-mail or SMS). Only some forms clearly indicated the purpose of gathering information and who will have access to it. And only a very limited number of the profiles we studied were in full conformity with the requirements of the new Law of Ukraine "On protection of personal data", which is further analyzed below.
Want to get a job? Leave us your personal data
Some chains are also creating opportunities for faster communication with potential employees through questionnaires. A candidate who has had the chance to see his/her future place of work with his/her own eyes, such as a favorite brand clothing store or a busy cafe, may immediately ask for a job application at the reception to apply for a position as a sales clerk or a waiter.
The collection of personal data from candidates also presumes that they will indicate their full name, address, telephone number and, often, information about education and work experience. As emphasized in the text of one of the forms we studied, the candidate is fully responsible for the accuracy of the reported data, and should it be untruthful, it could lead to denial of employment or even dismissal.
Thus, in the first place, the employer wants to protect himself against likely false answers. Nevertheless, the protection of personal data lies in another plane, and only a handful of employers are paying proper attention to this matter.
We value your opinion, please answer a few questions
Questioning in a depersonalized form, that is, one not intended to indicate the subject's name, does not actually fall under the new Law of Ukraine "On protection of personal data." In this case, the company conducting the survey is primarily interested in general information, not in data about a particular person for later use. For example, some companies (cafes, hotels, event agencies) practice collecting anonymous feedback on the quality of service. Or, for example, they might conduct a secret ballot among the customers to identify the best employee.
If, however, respondents are asked to complete a personalized profile, like the above mentioned examples, then the requirements concerning the protection of personal data are in full force.
What is the right way to put together a proper questionnaire?
Thus, what is common to all the above situations where personal data of specific individuals is collected is that such data can be collected only with the consent of the individual. Moreover, such consent must be documented, particularly in writing.
The next logical question here would be: isn't the very fact of completing a questionnaire enough of a consent confirmation regarding the processing of personal data? Let us tell you right off the bat: no, it isn't, if the content of the questionnaire did not disclose the following conditions: (1) a clearly defined purpose for processing such data; (2) the name (albeit provisional) of the personal database in which the data will be processed (e.g., stored), the name of the owner of such a database and his location; (3) how the personal data is going to be used; and (4) the possible transfer of data to third parties. Unfortunately, these provisions were absent from most of the profiles we analyzed. Probably one of the reasons is that the questionnaire forms were designed back in 2010 without taking into account the provisions of the Act, and they are still in use.
We believe that drafting the text of the consent to process personal data contained in the questionnaire is a very personal matter, because each company has its own way to handle the personal data on the basis of certain goals, the specifics of those surveyed and the amount of data collected.
Nevertheless, as a generic example, we can offer the following text for individual's consent that would be wise to include in the questionnaire:
"By filling out the questionnaire, I [first and last name] hereby give my full consent to Company "A" to process my personal data in a certain (or any) way in a manner prescribed by the Act on Protection of Personal Data, in a "Client Management" database for the purposes of [for example, advertising, distribution of commercial offers, market research, participation in discount programs]. Personal data may be shared with third parties, including other companies of the Group "A" in Ukraine and abroad, as well as their contractors, customers, and the manager of the "Client Management" database. All questions should be directed to the owner of the "Client Management" database at Company "A" [address, phone, e-mail], or [if there is one] the administrator of the "Client Management" database at Company "B" [address, phone, e-mail]." The person should put their signature underneath this statement.
Other requirements of the law
In addition to documenting the individual's consent to process his personal data, you also need to develop an internal policy for the handling and protection of personal data, which would clearly state the purpose and order of data processing and regulate other issues of personal data protection.
According to Article 6 of the Act, if the purpose of data processing changes, you need to get a new consent from the person to process his personal data. One can minimize the need for a new agreement by specifying in the text of the primary consent all possible situations and contexts in which, in the foreseeable future, the company will need to process the collected personal data.
Another requirement of the Act will be mandatory for the owner of the database. According to Article 12, within ten working days from the date of the inclusion of personal data in the database, the subject of personal data collection shall be notified solely in written form of his/her rights as defined by this Law, the purpose of collection and the persons to receive this personal data. In practice, if there is a large number of surveyed persons, it will be quite difficult to notify each one of them.
As a less cumbersome version of the execution of the above requirements, we suggest notifying the person at the time of collecting personal data, meaning "on site". After all, the law establishes, above all, a time limit for the notification, but it does not prohibit doing it immediately upon the receipt of data from the surveyed person.
Technically, this can be done by delivering to the person concerned a brief informative document, which would once more state the purpose of collecting personal data, would contain the reference to persons who would receive the personal data on the customer (the respondent), and would also include an extract from the Law on the rights of the subject of personal data.
In order to record the fact of the said notice with minimal paperwork, we propose to include in the questionnaire itself, in addition to the above-mentioned consent text, a paragraph on acknowledgement and receipt of the notice. For example, the following wording can be used:
"I hereby also acknowledge that I have been advised that my personal data was included in the "Clients Management" database, that it can be transferred to third parties, including other companies of the Group "A" in Ukraine and abroad, as well as their contractors, customers, and the administrator of the "Clients Management" database. I know and understand my rights as a subject of personal data under the Law of Ukraine "On protection of personal data"."
Requirements of Article 24 of the Act include the need to designate a person responsible for organizing the work on protection of personal data during its processing. To this end, we recommend entrusting such functions to a specialist on personnel management or a system administrator (depending on who will actually collect and process personal data). These tasks may be assigned to employees based on an order issued by a top manager or based on guidelines or a policy on the handling and protection of personal data.
The Act establishes the duty of database owner to conduct state registration of personal data. It will be required to register with the State Service of Ukraine on Protection of Personal Data, which was created on Dec. 9, 2010. Under the Act this state agency will serve as the authorized (controlling) authority for the protection of personal data. But since this agency has not started operation just yet, it is practically impossible to start implementing this requirement of the Law as of now.
Vasil Kisil & Partners
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.