Are sellers exempted from the ombudsman notification requirement?
At the end of May 2014, the Ukrainian Ombudsman representative issued explanatory letter pertaining to processing of personal data on person's location/motion paths by those business entities (the "Sellers") which use payment terminals for the purpose of sale of goods and services.
The Ombudsman representative came to conclusion that in the above case the Sellers do not process personal data pertaining to location or motion paths of a certain individual. According to the Ombudsman representative, name, surname and card number delivered to the business entities for the purpose of sale of goods/services are not sufficient to identify a person and, thus, do not fall under the definition of 'personal data processing'. The Ombudsman representative also pointed out that exact identification of the person by the Sellers is generally prohibited by specialized regulations.
Therefore, the Sellers do not have to serve the notification on processing such personal data to the Ombudsman. Nevertheless, such notification must be filed with the Ombudsman by the owners of servers to which and where such data are stored (usually banks).
Finally, it still remains questionable whether (i) the scope of personal data delivered by a person to the Seller is sufficient to identify him/her and (ii) there is a fact of personal data processing by the Sellers, even though they are exempted from the Ombudsman notification requirement.
TV & Internet business: recent court practice re personal data to note
Kiev region administrative courts have made interesting decisions in National Television Company vs. Personal Data Protection Service of Ukraine personal data case which both prove the unconditional necessity for Internet business to comply with personal data protection laws and meaningfully interpret provisions of Personal Data Protection Law.
At the end of the year 2013, The National Television Company (the "NTC") disagreed with the results (orders) of the Personal Data Protection Service of Ukraine (the "DPA") scheduled inspection and brought a lawsuit against the DPA to declare the DPA compliance orders invalid.
By way of background, the DPA compliance orders are mostly related to operation of claimant's web-site using which the latter allegedly processes personal data of its visitors where for gathering personal data both REGISTRATION and NEWS ALERT forms are used. The DPA asserted that the NTC does not ensure due compliance with personal data laws (i.e., does not obtain consents of web-site visitors to process personal data, does not duly notify them) and failed to elaborate personal data handling policies for the purpose of established processing (the "Web-site compliance orders").
Additionally, one DPA compliance order related to the alleged cooperation of the NTC with individuals. The DPA assumed that such individuals should deliver various content to the NTC which then was used by the latter for broadcasting. According to the DPA, it is inevitable for the NTC to process personal data of such individuals and, thus, personal data protection laws must be respected (the "Contractor's personal data compliance order").
In June 2014, the Kyiv Administrative Court of Appeal upheld the decision of the court of first instance and mostly ruled in favor of the DPA. In particular, the court of appeal confirmed that the NTC must follow the Web-site compliance orders to ensure compliance with personal data laws.
Nevertheless, the court of appeal agreed with the court of first instance to declare invalid the Contractor's personal data compliance order. It pointed out that indication of contractor's personal data in the relevant contract is required by laws and no consent is needed for processing such personal data. However, the court relied here on merits of the case, i.e. the claimant did not provide proof evidencing the NTC's processing of personal data of the individuals at issue. Therefore, in the meantime, the main points to note are as follows:
(i) There is no certainty re sufficiency and excessiveness of personal data as may be required for conclusion of a particular agreement with an individual. Still it needs to be considered on a case by case basis.
(ii) While considering the case the court came to conclusion that pure receiving of personal data is not qualified as 'personal data processing'. So far, it is not clear how it should correlate with storage and collection of personal data, being separate kinds of personal data processing.
(iii) In case of a dispute, it is crucial to prove before the court the fact of processing the relevant personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.