(LEGAL ISSUES IN THE ACTIVITIES OF DATA PROTECTION OFFICER: СONTENTS AND PECULIARITIES FOR OIL AND GAS HOLDING COMPANIES)
The article summarizes the main aspects of the requirements set out in the EU for the protection of personal data, including the requirements for one of the special roles, namely data protection officers. The issue of the proper legal provision of an adequate level of personal data protection is now equally important and recent, especially in view of the occurrence of complex risks, and this is recognized in the papers of Russian and foreign experts.
This article presents the detailed analysis of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”. It sets out the authors’ view of the compliance issue in a broad interpretation, including taking into account the requirements of the new ISO/IEC standards adopted in 2022, in which the obligation to ensure the protection of valuable company data (including personal data) is explicitly defined.
A comprehensive approach to solving this issue is presented: the application of the institution of data protection officers and the requirements of modern ISO/IEC standards in the activities of oil and gas holding companies. The materials of this article can be applied in practice for companies communicating with European partners and seeking to comply strictly with personal data protection requirements.
A.S. Oreshkina, Gazprom International Limited (Kaliningrad, Russia), email@example.com
I.I. Livshits, DSc in Engineering, Professor, ITMO University (Saint Petersburg, Russia), Livshitz.firstname.lastname@example.org
E.O. Sokolov, ITMO University, Gazprom International Limited
European Commission. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504 [Accessed: 13 April 2023].
Vasilyeva YaYu. Legal problems of transboundary transfer of personal data in the context of GDPR. In: Sinyukov VN (ed.) Traditions and innovations in the system of modern Russian law: Proceedings of the XX International Conference of Young Scientists. Vol. 3, 9–10 April 2021, Moscow, Russia. Moscow: Kutafin Moscow State Law University (MSAL); 2021. p. 302–304. (In Russian)
Mishin PS. GDPR and the Federal Law-152: Technical requirements for the protection of personal data. In: Kutafin Moscow State Law University (MSAL) Transformation of legal institutions: History and modernity. Trends in the development of private law: Proceedings of the 1st All-Russian and 7th International Scientific and Practical Conference, 26 February – 14 May 2021, Moscow, Russia. Moscow: Blok-Print; 2021. p. 240–241. (In Russian)
Shamraev AV. Legal aspects of cross-border data transfers between EU and USA. International Public and Private Law [Mezhdunarodnoe publichnoe i chastnoe pravo]. 2022; (4): 4–7. https://doi.org/10.18572/1812-3910-2022-4-4-7. (In Russian)
Belskaya NL. Legal regulation of relations in the field of personal data protection: International aspect. In: Aleksandrova LD, Selivanova MA (eds.) Digital impact: Society, economy, innovation: Proceedings of the 2nd International Scientific and Practical Conference, 21–22 April 2022, Moscow, Russia. Kirov, Russia: Interregional Center for Innovative Technologies in Education [Mezhregional’nyj centr innovacionnyh tehnologij v obrazovanii]; 2022. p. 15–19. (In Russian)
Oguy A, Tashbekov B. Legal protection of personal data: Legislation of the Republic of Uzbekistan, Japan, EU and USA. In: Ivanovskaya II, Posnova MV (eds.) Research solutions for sustainable development: Proceedings of the International Research Contest, 9 March 2022, Petrozavodsk, Russia. Petrozavodsk, Russia: ICSP “New Science”; 2022. p. 105–116. (In Russian)
Livshitz II. Data privacy assurance for remote work. Energy Security and Energy Saving [Energobezopasnost’ i energosberezhenie]. 2022; (1): 57–62. https://doi.org/10.18635/2071-2219-2022-1-57-62. (In Russian)
Bryukhovetsky KA, Livshitz II. An analysis of a General Data Protection Regulation impact on fuel and energy companies. Energy Security and Energy Saving. 2020; (5): 55–63. https://doi.org/10.18635/2071-2219-2020-5-55-63. (In Russian)
Livshitz II. Assessment of the impact of General Data Protection Regulation on enterprise security in the Russian Federation. Cybersecurity Issues [Voprosy kiberbezopasnosti]. 2020; 38(4): 66–75. https://doi.org/10.21681/2311-3456-2020-04-66-75. (In Russian)
Chhetri TR, Kurteva A, DeLong RJ, Hilscher R, Korte K, Fensel A. Data protection by design tool for automated GDPR compliance verification based on semantically modelled informed consent. Sensors. 2022; 22(7): article ID 2763. https://doi.org/10.3390/s22072763.
Merlec MM, Lee YK, Hong S-P, In HP. A smart contract-based dynamic consent management system for personal data usage under GDPR. Sensors. 2021; 21(23): article ID 7994. https://doi.org/10.3390/s21237994.
Zanker M, Bureš V, Cierniak-Emerych A, Nehéz M. The GDPR at the organization level: A comparative study of eight European countries. E & M Ekonomie a Management. 2021; 24(2): 207–222. https://doi.org/10.15240/tul/001/2021-2-013.
Delgado-von-Eitzen C, Anido-Rifón L, Fernández-Iglesias MJ. Application of blockchain in education: GDPR-compliant and scalable certification and verification of academic information. Appl. Sci. 2021; 11(10): article ID 4537. https://doi.org/10.3390/app11104537.
Barabashev AG, Ponomareva DV. Personal data protection and research activities: EU legal regulation experience. Actual Problems of Russian Law [Aktual’nye problemy rossijskogo prava]. 2019; 103(6): 186–194. https://doi.org/10.17803/1994-1471.2019.103.6.186-194. (In Russian)
ISO. ISO/IEC 27001:2022. Information security management systems – Requirements. Available from: https://www.iso.org/standard/27001 [Accessed: 13 April 2023]. (Available upon purchase)
ISO. ISO 22301:2019. Security and resilience – Business continuity management systems – Requirements. Available from: https://www.iso.org/standard/75106.html [Accessed: 13 April 2023]. (Available upon purchase)
ISO. ISO/IEC 27005:2022. Information security, cybersecurity and privacy protection – Guidance on managing information security risks. Available from: https://www.iso.org/standard/80585.html [Accessed: 13 April 2023]. (Available upon purchase)
ISO. ISO 31000:2018. Risk management – Guidelines. Available from: https://www.iso.org/standard/65694.html [Accessed: 13 April 2023]. (Available upon purchase)
IEC. IEC 31010:2019. Risk management – Risk assessment techniques. Available from: https://www.iso.org/standard/72140.html ([Accessed: 13 April 2023]. (Available upon purchase)