| In English
Viche 2014 14

14, 2014

Rights and Obligations of Third Parties in Legal Relationships Regarding Circulation and Processing of Personal Data in Ukraine

It is established that the legal status of third parties in relationships regarding circulation and processing of personal data is poorly examined in the works of scholars and scientists, and requires to be improved in the legal documents. Based on comparative analysis of scientific literature and regulatory definitions of third party, the latter is defined as any person to whom the owner or the administrator of personal data transfers personal data, with the exception of the subject of these personal data and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (in cases when they performs functions to control the protection of personal data), and who carries out further circulation and processing of personal data within the limits specified by the transfer agreement and consent of the subject of personal data or the law. It is proposed to exclude the notion recipient contained in Article 2 of the Law of Ukraine On Protection of Personal Data. The legal capacity of a third party in relationships regarding circulation and processing of personal data is explored. The rights and obligations of a third party are identified.
Keywords: circulation of personal data, processing of personal data, recipient, personal data, legal status, legal relationships, subjects of legal relationships, third party

Modern development of society is characterized by daily and total penetration of information and communication systems to all the areas of a persons life. Today, almost everyone has to deal with the information environment and daily acts both as the medium and as the user of data (including personal information). Therefore, during the formation and development of the information society in Ukraine, activities of the state and relevant authorities should be focused on guaranteeing the compliance with principles of privacy, in particular, in the context of circulation and processing of personal data.

In Ukraine, the appropriate controlling body is currently acting in this sphere, and the lawmakers have adopted a series of legislative acts to regulate the relationships regarding processing of personal data. However, these documents do not still distinguish between the process of circulation of personal data and the process of their processing [Rizak, 2013b: 26]. In particular, the Law of Ukraine On Protection of Personal Data 2297­VI of 1 June 2010 [2] aims at ensuring privacy in the context of circulation and processing of personal data and determines the subjects of legal relationships regarding personal data, in particular, the third parties involved in relationships concerning usage of personal information. That is why determination of basic rights and obligations of third parties in the relationships regarding circulation and processing of personal data requires special attention resulting in their further study and research.

The purpose of the article is to determine the place and the role of third parties in the system of subject matter of legal relationships regarding circulation and processing of personal data. In order to achieve this purpose, it is necessary to solve the following tasks: to define the concept of a third party to relationships regarding circulation and processing of personal data; to determine basic rights and obligations vested in the third party in the relationships concerned.

First of all, it should be noted that the legal relationships regarding circulation and processing of personal data, as well as any other relationships arising between the subjects of legal relationships have appropriate composition of elements, i.e. include participants of legal relationships, their rights and obligations, something that causes these relationships, and specific legal facts. As it has been mentioned before, in accordance with Article 4 of the Law of Ukraine On Protection of Personal Data, the subjects of relationships connected with personal data are: a subject of personal data, an owner of personal data, an administrator of personal data, a third party, and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (as the controlling state authority for protection of personal data) [2]. Moreover, Article 2 of this Law specifies that:

the subject of personal data is an individual whose personal data are processed;

the owner of personal data is an individual or a legal entity who/which defines the purpose of processing of personal data, establishes their composition and procedures for processing thereof, unless otherwise provided by the law;

the administrator of personal data is an individual or a legal entity to whom the owner of personal data or the law gives the right to process these data on behalf of their owner;

the third party is any person, with the exception of the subject of personal data, the owner or the administrator of personal data, and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights, to whom the owner or the administrator transfers their personal data [2].

By analyzing definitions of the concepts of 'an owner', 'an administrator', and 'a subject' of personal data, one can conclude that the main subjects of legal relationships regarding circulation and processing of personal data are a subject of personal data, an owner of personal data, and a third party that receives personal data from their owner or administrator in order to provide further circulation and processing thereof.

Based on that, we can determine who the third parties are and what rights and obligations they are vested in legal relationships regarding circulation and processing of personal data.

Apart from the above­mentioned definition of a third party provided by the Law of Ukraine On Protection of Personal Data, one should pay attention to the definition contained in Article 2 of the Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data that is formulated as follows: third party shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data [1].

In his study, V. Herbut considers third party as any person, except the subject of personal data, the owner or the administrator of personal database, and the commissioner of the state authority for personal data protection, to whom the owner or the administrator of a personal database transfers their personal data according to the law [Herbut, 2003: 180]. The author holds the same opinion concerning the definition of a third party but additionally notes that, in the context of the Law of Ukraine On Protection of Personal Data, for example, agencies of the Pension Fund and tax inspection, army recruitment and employment offices, etc. to which personal data are transferred in accordance with the law; as well as insurance companies, banks, and other enterprises, institutions and organizations being under private ownership to which personal data are transferred with the consent from their subject may also act as the third parties regarding specific personal data [Rizak, 2013a: 193].

It should be noted that, in cases when the owner of personal database is the enterprise, institution or organization engaged in circulation and/or processing of these data, local authorities, executive bodies of different social funds, inspections and services which receive such personal data in accordance with the law are also obliged to act as the third parties. Acting as the third parties these state authorities, inspections and services are obliged to take measures in order to fulfill the requirements of the law on protection of personal data that are ensured by the set of their respective rights and obligations [Kirin, 2013: 60]. The list of such rights and obligations is determined due to the role which state authorities play in a particular case in future, i.e. they act as the owners, administrators of personal data bases or solely as the third parties [Boiko, 2011: 143]. Some scientific sources also suggest that third parties process the data or a part of the data provided to them for the purposes determined by the law or for the purposes of the statutory activity of a third party with the consent from the subject of personal data [8, 2012: 63].

In turn, pursuant to Item 1.12 of the Regulation on processing and protection of personal data of the physical persons citizens of Ukraine, foreigners, stateless persons or people acting in their interests who appeal to the Commissioner of the Verkhovna Rada of Ukraine for Human Rights in order to observe the rights and freedoms of man and of the citizen under the Law of Ukraine On Appeals of Citizens approved by the Order of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights 5/02­13 of 17 January 2013, third parties are the persons related to solving the case when personal data of the person who appeals are transferred to them in accordance with the law (Article 10 of the Law of Ukraine On Appeals of Citizens) [3].

Based on the analysis of scientific positions and regulatory definitions, one can conclude that a person who is not the subject of personal data, the owner or the administrator of these data, does not act as the controlling body for protection of personal data and is involved into the process of obtaining personal data from their owner or administrator may be defined as a third party to these legal relationships regarding transfer of personal data. In most cases, such a third person already has the status of the owner or the administrator of other personal data or is obliged to gain this status under the law after receiving of the personal data.

Taking into account the above­mentioned facts, we consider that it is necessary to amend Article 2 of the Law of Ukraine On Protection of Personal Data as follows:

1) Paragraph 9 recipient is a physical person or a legal entity to be provided with personal data including a third party is to be excluded;

2) Paragraph 13 is to be outlined in a new version:

third party is any person to whom the owner or the administrator of personal data transfers personal data, with the exception of the subject of these personal data and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (in cases when they performs functions to control the protection of personal data), and who carries out further circulation and processing of personal data within the limits specified by the transfer agreement and consent from the subject of personal data or the law.

In addition, one should pay attention to another peculiarity of relationships regarding circulation and processing of personal data provided by Article 16 of the Law of Ukraine On Protection of Personal Data which states that the order of access to personal data of the third parties is determined by the conditions of consent from the subject of personal data granted to the owner of personal data for processing of these data or under requirements of the law, and the order of access of the third parties to personal data disposed by the administrator of public information is specified by the Law of Ukraine On Access to Public Information [2]. In this case, third parties direct an inquiry on access to personal data to the owner of personal database. According to Article 21 of the Law, after having received the inquiry on transfer of personal data to a third party, the owner of personal data inform the subject of personal data thereof within ten working days if the conditions of their consent require to do so or unless otherwise provided by the law [2].

It should be noticed that the transfer of personal data to third parties is allowed when it is carried out in the minimum required amounts and only in order to perform tasks that correspond to the objective reason for transfer of the data concerned. However, the third party is not granted access to personal data if the relevant party refuses undertaking obligations to ensure the fulfillment of law requirements or is not able ensuring them [3]. Thus, analyzing provisions of the current legislation, one can observe that neither the Law of Ukraine On Protection of Personal Data nor any other regulatory legal act specifically defines the rights and obligations of third parties as one of the subjects of legal relationships regarding personal data.

We therefore propose to define the basic rights of third parties in the relationships regarding circulation and processing of personal data. We believe that such rights of third parties are to include:

the right to obtain personal data from the owners and administrators of personal data within the limits specified by conditions of the consent from subjects of these personal data;

the right to circulation and/or processing of personal data for a specified purpose and/or under the legal basis according to which they were obtained;

the right to form their own personal databases.

Exploring the obligations of a third party, one can refer to Article 24 of the Law of Ukraine On Protection of Personal Data which states that the owners, administrators of personal data, and the third parties are obliged:

to ensure protection of personal data against accidental losses and destruction;

to ensure protection of personal data against unlawful processing, including unlawful destruction of or access to personal data [2].

However, we believe that the list of obligations determined by this Law of Ukraine is incomplete, and, therefore, propose to supplement it. Thus, in legal relationships regarding circulation and processing of personal data the third parties are also obliged:

to reveal clearly defined purpose and goals for receiving personal data from their owners and/or administrators;

to adjust the limits of circulation and/or processing of personal data due to the changes in the consent from the subject of personal data, including termination of circulation and/or processing of personal data in the case of receiving information on the recall of the consent from the subject of personal data or its replacement by the one that does not allow third parties continuing circulation and/or processing of these data;

to delete or destroy personal data in cases provided by the law;

to acquire under procedure determined by the law the legal status of the owner and/or administrator of personal data after receiving such data from their owner and/or administrator;

depending on the acquired status of the owner and/or administrator, to perform other obligations prescribed by the law.

While determining obligations of third parties in legal relationships regarding circulation and processing of personal data it is useful to note that the persons having access to them (in particular, carrying out their processing) are obliged to prevent any disclosure of personal data that were entrusted or became known to them in connection with their professional, official or employment duties. This obligation is binding even after they terminate the activities related to personal data, except as required by law.

It should also be noted that the third parties have not to keep personal data for a longer time than it is necessary for the purpose of storing these data, and, in any case, than the period of storage of the data specified by the consent from the subject of personal data to processing of these data [Chernobai, 2006: 63].

Thus, having analyzed the above­mentioned facts one can conclude that the rights and obligations of third parties in relationships regarding circulation and processing of personal data are not sufficiently covered both in the works of scientists and researchers and in the current regulatory legal documents. Most of publications are devoted to the so­called top three subjects of relationships regarding circulation and processing of personal data: 1) the subject of personal data; 2) the owner of personal data; 3) the administrator of personal data. In our view, this is a significant drawback.

Based on the legally foreseen definitions of concepts of recipient and third party, we believe that determination of the term recipient is unnecessary and, therefore, leads to ambiguities of understanding of the legal status of this subject of legal relationships regarding circulation and processing of personal data. So, we suggest excluding Paragraph 9 of Article 2 of the Law of Ukraine On Protection of Personal Data.

Comparative analysis of scientific literature and regulatory definition of the concept of third party and the legal status of third parties in relationships regarding circulation and processing of personal data indicates
the need for revising the definition set forth in
Paragraph 13 of Article 2 of the Law of Ukraine On Protection of Personal Data which should be embodied as follows:

third party is any person to whom the owner or the administrator of personal data transfers personal
data, with the exception of the subject of these personal data and the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (in cases when they performs functions to control the protection of personal data), and who carries out further circulation and processing of personal data within the limits specified by the transfer agreement and consent from the subject of personal data or the law.

It should be emphasized that the Law of Ukraine On Protection of Personal Data does not clearly determine the rights and obligations of third parties that affects the efficiency of the process of circulation and processing of personal data in terms of ensuring their inviolability. Based on the analysis of regulatory acts, the author proposes to define the following rights and obligations of third parties in relationships regarding circulation and processing of personal data:

the right to obtain personal data from the owners and administrators of personal data within the limits specified by conditions of the consent from subjects of these personal data;

the right to circulation and/or processing of personal data for a specified purpose and/or under the legal basis according to which they were obtained;

the right to form their own personal databases;

the obligation to reveal clearly defined purpose and goals for receiving personal data from their owners and/or administrators;

the obligation to adjust the limits of circulation and/or processing of personal data due to the changes
in the consent from the subject of personal data including termination of circulation and/or processing
of personal data in the case of receiving information on the recall of the consent from the subject of personal data or its replacement by the one that does not allow third parties continuing circulation and/or processing of these data;

the obligation to delete or destroy personal data in cases provided by the law;

the obligation to acquire under procedure determined by the law the legal status of the owner and/or administrator of personal data after receiving personal data from their owner and/or administrator.

Depending on the acquired status of the owner and/or administrator, the third parties further exercise other rights and obligations envisaged by the law.

 

References

1. . 95/46/ 24 1995 . [Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data], <http://zakon4.rada.gov.ua/laws/show/994_242/print1360150843706940>

2. . 2297­VI 1 2010 . [On Protection of Personal Data. The Law of Ukraine 2297­VI, 1 June 2010], <http://zakon2.rada.gov.ua/laws/show/2297­17>

3. , , , , , , 5/02­13 17 2013 .
[The Regulation on processing and protection of personal data of the physical persons citizens of Ukraine, foreigners, stateless persons or people acting in their interests who appeal to the Commissioner of the Verkhovna Rada of Ukraine for Human Rights in order to observe the rights and freedoms of man and of the citizen under the Law of Ukraine On Appeals of Citizens approved by the Order of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights 5/02­13,
17 January 2013], <http://www.ombudsman.gov.ua/index.php?option=com_content&view=article&id=3442:2014­01­20­12­37­45&catid=202:2011­11­25­14­59­08>

4. Boiko I. (2011) ­ [Custody and protection of personal data by administrative and legal means], ³ 쳿 , 4 (67): 144151.

5. Chernobai A. (2006) : . . . : . 12.00.05 [Legal means of protection of personal data of the employee: Dissertation for the Ph.D. in Law: specialty 12.00.05]. .

6. Herbut V. (2003) [Legal relationships in the sphere of protection of personal data regarding health condition of a person], ­ , 1: 177183.

7. Kirin R. (2013) [Administrative tact while using personal data and the means of its substantiation], ³ , 95: 5863.

8. Personal database, owner of the database, administrator of the database, third parties: Defining the concepts. Proceedings of the Seminar Organization of work to implement provisions of the Law of Ukraine On Protection of Personal Data, Chernivtsi, 15 December 2011. : ̳ ­ , 2012.

9. Rizak M. (2013a) () : [The owner (administrator) of personal database: Specific issues], ­ , 1: 192198.

10. Rizak M. (2013b) : [Correlation between concepts of circulation and processing of personal data: Terminological aspects], ³, 8: 2526.

Mykhailo RIZAK