DLA Piper Intelligence

Data Protection
Laws of the World

Law

Ukraine

The Law of Ukraine No. 2297 VI 'On Personal Data Protection' as of 1 June 2010 (Data Protection Law) is the main legislative act regulating relations in the sphere of personal data protection in Ukraine. On 20 December 2012 the Data Protection Law was substantially amended by the Law of Ukraine 'On introducing amendments to the Law of Ukraine "On personal data protection"' dated 20 November 2012 No. 5491-VI. Additional significant changes to the Data Protection Law were envisaged by the Law of Ukraine 'On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System' dated 3 July 2013 No. 383-VII, which came into force on 1 January 2014.

In addition to the Data Protection Law, certain data protection issues are regulated by subordinate legislation specifically developed to implement the Data Protection Law, in particular:

  • Procedure of notification of the Ukrainian Parliament's Commissioner for Human Rights on the processing of personal data, which is of particular risk to the rights and freedoms of personal data subjects, on the structural unit or responsible person that organizes the work related to protection of personal data during processing thereof (Notification Procedure)
  • Model Procedure of processing of personal data (Model Procedure)
  • Procedure of control by the Ukrainian Parliament's Commissioner for Human Rights over the adherence of personal data protection legislation.

The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, executed in Strasbourg on 28 January 1981, and the Additional Protocol to the Convention regarding supervisory authorities and transborder data flows, executed in Strasbourg on 8 November 2001, were also ratified by the Ukrainian Parliament on 6 July 2010 (Convention on Automatic Processing of Personal Data) and are thus fully effective in Ukraine.

In addition, general data protection issues are regulated by:

  • the Constitution of Ukraine dated 28 June 1996
  • the Civil Code of Ukraine dated 16 January 2003 No 435 IV
  • the Law of Ukraine 'On Information' dated 2 October 1992 No 2657 XII
  • the Law of Ukraine 'On Protection of Information in the Information and Telecommunication Systems' dated 5 July 1994 No. 80/94 VR
  • the Law of Ukraine "On Electronic Commerce" dated 3 September 2015 No 675-VIII, and
  • some other legislative acts.
Last modified 25 Jan 2017
Definitions

Definition of personal data

The Data Protection Law defines ‘personal data’ as data or an aggregation of data on an individual who is identified or can be precisely identified.

Definition of sensitive personal data

There is no definition of ‘sensitive personal data’ as such envisaged by Ukrainian legislation.

At the same time, there is a general prohibition on processing personal data regarding racial or ethnic origin, political, religious or ideological convictions, participation in political parties and trade unions, accusation of criminal offences or conviction to criminal punishment, as well as data relating to the health or sex life of an individual.

Processing of the listed data is allowed if unambiguous consent has been given by the personal data subject or based on exemptions envisaged by the Data Protection Law (eg the processing is performed for reasons of protection of the vital interests of individuals, healthcare purposes, in the course of criminal proceedings, anti-terrorism purposes, etc.).

Authority

Since 1 January 2014, the Ukrainian Parliament's Commissioner for Human Rights (Ombudsman) has been the state authority in charge of controlling compliance with the data protection legislation.

Registration

Since 1 January 2014, the requirement of obligatory registration of personal data databases has been abolished. However, according to the new wording of the Data Protection Law, personal data owners are obliged to notify the Ombudsman about personal data processing which is of particular risk to the rights and freedoms of personal data subjects within thirty working days from commencement of such processing. Pursuant to the Notification Procedure, obligatory notification of the Ombudsman is required for the processing of personal data on:

  • racial, ethnic, national origin
  • political, religious or ideological convictions
  • participation in political parties and/or organisations, trade unions, religious organisations or civic organisations of ideological direction
  • state of health
  • sexual life
  • biometric data
  • genetic data
  • conviction to criminal or administrative liability
  • taking of interim injunction measures with regard to an individual
  • taking of measures stipulated by the Law of Ukraine 'On investigative activities' with regard to an individual
  • subjection of an individual to certain types of violence, and
  • location and/or route of an individual.

The Notification Procedure envisages that the application for notification shall contain, inter alia, the following information:

  • information about the owner of personal data
  • information about the processor(s) of personal data
  • information on the composition of personal data being processed
  • the purpose of personal data processing
  • category(ies) of individuals whose personal data are being processed
  • information on third parties to whom the personal data are transferred
  • information on cross-border transfers of personal data
  • information on the place (address) of processing of personal data, and
  • general description of technical and organisational measures taken by the personal data owner in order to maintain the security of personal data.

Where any of the information listed above that was submitted to the Ombudsman has changed, the owner of the personal data shall notify the Ombudsman of such changes within 10 days from the occurrence of such change.

Additionally, the Notification Procedure requires the owners of personal data to notify the Ombudsman of the termination of personal data processing which is of particular risk to the rights and freedoms of personal data subjects within 10 days from the moment of such termination.

Furthermore, the Notification Procedure obliges owners and processors of personal data that process personal data which is of particular risk to the rights and freedoms of personal data subjects to notify the Ombudsman of the establishment of a structural unit or the appointment of a person (data protection officer) responsible for the organisation of work related to the protection of personal data during the processing thereof. Such notification shall be made within 30 days from the moment of establishing a structural unit or appointing a responsible person.

Information regarding the said notifications of the Ombudsman shall be published on the official website of the Ombudsman.

Data Protection Officers

Legal entities shall establish a special department or appoint a responsible person (data protection officer) to organise the work related to the protection of personal data during the processing thereof.

There are no requirements for the Data Protection Officer to be a citizen of or a resident in Ukraine. However, if he or she is a foreign citizen, under the general rule a work permit must be obtained for him or her to hold such a position. There are no particular penalties for incorrect appointment of a Data Protection Officer.

Collection & Processing

The Data Protection Law requires the consent of personal data subjects to be obtained for the processing of their personal data. According to the Data Protection Law, the consent of a personal data subject shall mean a voluntary expression of will of the individual (subject to his/her awareness) to permit the processing of personal data for the determined purposes, expressed in writing or in some other form which allows the owner or processor of the personal data to conclude that consent has been granted. In the area of e-commerce, consent regarding processing of personal data may be granted in the process of registration of data subjects by "ticking" the respective box for giving consent to the processing of their personal data for the determined processing purposes, provided that such a system does not allow processing of personal data before consent is given by the data subject. In some instances provided by the Data Protection Law (eg legislative permission for processing of personal data, conclusion and execution of a transaction in favour of the personal data subject, protection of interests of the subject or owner of personal data), personal data of individuals may be processed without consent.

Pursuant to the Data Protection Law, as a general rule personal data subjects shall be informed, at the moment of collection of their personal data, of:

  • the owner of their personal data
  • composition and content of their personal data being collected
  • their rights
  • purpose of their personal data collection, and
  • the persons to whom their personal data will be transferred.

However, where the personal data of individuals have been collected based on the following grounds, the personal data subjects shall be informed of the above within 10 working days from the moment of collection of their personal data:

  • legislative permission for the owner of personal data to process personal data exclusively for the purposes of fulfilling its authorities
  • conclusion and execution of a transaction in which the subject of personal data is a party or which has been concluded in favour of the subject of personal data, or taking actions which preceded the conclusion of a transaction at the request of the subject of personal data
  • protection of vital interests of the subject of personal data, or
  • need to protect legitimate interests of the owner of personal data or third parties, except where a subject of personal data demands to stop the processing of his/her personal data and the need for protection of personal data prevails over such interest.

In addition, the Data Protection Law provides the subject of personal data with the following rights:

  • to be aware of the sources of collection, location of his/her personal data, the purpose of data processing, the address of the owner or processor of the personal data or to obtain the said information through his/her representatives
  • to obtain information as regards the conditions of providing access to personal data, in particular, information on third parties, to which his/her personal data are transferred
  • to access his/her personal data
  • to obtain a reply within 30 calendar days from the date of receipt of his/her request, informing the individual whether his/her personal data are being processed and to receive the contents of such personal data
  • to provide the owner of personal data with a reasonable request to terminate processing of his/her personal data
  • to provide a reasonable request to change or destroy his/her personal data by any owner and processor of the personal data if the data is processed illegally or is inaccurate
  • to protection of his/her personal data from unauthorised processing and accidental loss, elimination or damage with respect to intended encapsulation, not providing or the untimely providing of personal data, and also to protection from the providing of invalid or discrediting information regarding the individual
  • to appeal violations in the course of personal data processing to the Ombudsman or to the court
  • to introduce limitations as regards rights to process his/her personal data while giving consent
  • to use the means of legal protection in the case of violation of rights to personal data
  • to revoke his/her consent to personal data processing
  • to be aware of the mechanism of automatic processing of personal data, and
  • to be protected from an automated decision that has legal effect on him/her.

The owner of the personal data can entrust the processing of personal data to the processor of personal data under a written agreement between them. In this case the processor of personal data may process the personal data only for the purposes and in the volume provided by such agreement. The transfer of personal data to the processor of personal data is allowed only with the respective consent of the personal data subject.

Transfer

In accordance with the Data Protection Law, personal data may be transferred to foreign counterparties only on condition that the respective state of the transferee ensures an appropriate level of protection of personal data. Pursuant to the Data Protection Law, such states include member-states of the European Economic Area and signatories to the EC Convention on Automatic Processing of Personal Data. The list of the states ensuring an appropriate level of protection of personal data will be determined by the Cabinet of Ministers of Ukraine.

Personal data may be transferred abroad based on one of the following grounds:

  • unambiguous consent of the personal data subject
  • cross-border transfer is needed to enter into or perform a contract between the personal data owner and a third party in favour of the personal data subject
  • necessity to protect the vital interests of the personal data subjects
  • necessity to protect public interest, establishing, fulfilling and enforcing of a legal requirement, or
  • appropriate guarantees of the personal data owner as regards non-interference in personal and family life of the personal data subject.

Security

The subjects of personal data relations are obliged to take appropriate technical and organisational measures to ensure the protection of personal data against unlawful processing, including against loss, unlawful or accidental elimination, and also against unauthorised access. In this regard, any owner of personal data shall determine a special department or a responsible person to organise the work related to the protection of personal data during the processing thereof.

The Model Procedure stipulates that the owners and processors of personal data shall take measures to maintain the security of personal data at all stages of their processing, including organisational and technical measures for the protection of personal data. Organisational measures shall include:

  • determination of a procedure of access to personal data by employees of the owner/processor of personal data
  • determination of the order of recording of operations related to the processing of personal data of the subject and access to them
  • elaboration of an action plan in case of unauthorised access to personal data, damage of technical equipment or occurrence of emergency situations, and
  • regular training of employees who work with personal data.

Personal data, irrespective of the manner of its storage, shall be processed in a way which makes unauthorised access to the data by third persons impossible.

For the purpose of maintaining the security of personal data, technical security measures shall be taken which exclude the possibility of unauthorised access to personal data being processed and ensure the proper functioning of the technical and software complex through which the processing of personal data is performed.

Additionally, the Data Protection Law requires personal data owners/processors that process personal data which is of particular risk to the rights and freedoms of personal data subjects to establish a structural unit or appoint a responsible person. Such structural unit or responsible person shall organise the work related to protection of personal data during the processing thereof.

Breach Notification

There is no requirement to report data security breaches or losses to the appropriate state authority.

Enforcement

According to the Data Protection Law, the Ombudsman and Ukrainian courts are the state authorities responsible for controlling compliance with personal data protection legislation. Failure to comply with the provisions of the Data Protection Law can lead to liability prescribed by law. Violation of personal data protection legislation may result in civil, criminal and administrative liability.

If the violation has led to material or moral damages, the violator can be obliged by the court to reimburse such damages.

The Code of Ukraine on Administrative Offenses envisages administrative liability for the following breaches of Ukrainian data protection legislation:

  • failure to notify or delay in providing notification to the Ombudsman on the processing of personal data or on a change of information submitted which is subject to notification under Ukrainian legislation, or submission of incomplete or false information may lead to a fine of up to EUR 243
  • non-fulfilment of legitimate requests (orders) of the Ombudsman or determined state officials of the Ombudsman's secretariat as regards the elimination or prevention of violations of personal data protection legislation may lead to a fine of up to EUR 608
  • non-fulfilment of legitimate requests of the Ombudsman or its representatives may lead to a fine of up to EUR 122
  • non-observance of the established procedure for the protection of personal data which leads to unauthorised access to the personal data or violation of rights of the personal data subject may lead to a fine of up to EUR 608.

Criminal liability prescribed by the Criminal Code of Ukraine envisages fines of up to EUR 608, or correctional works for a term of up to two years, or up to six months' arrest, or up to three years of limitation of freedom for the illegal collection, storing, use, elimination or spreading of confidential information about an individual, or an illegal change of such information.

Electronic Marketing

The Law of Ukraine "On Electronic Commerce" dated 3 September 2015 provides for certain legal requirements for the distribution of commercial electronic messages in the area of electronic commerce. In particular, commercial electronic messages shall be distributed only subject to the consent given by the individual to whom such messages are addressed. At the same time, commercial electronic messages may be distributed to an individual without his/her consent only if such individual has an option to refuse to receive such messages in future.

In addition, commercial electronic messages shall satisfy the following criteria:

  • commercial electronic messages shall unequivocally be identified as such
  • the recipient shall have easy access to information regarding the person sending the message as stipulated by the Law of Ukraine "On Electronic Commerce", in particular: (i) full name of legal entity/individual; place of registration/residence; (ii) email/web-site of online shop; (iii) registration number or tax ID number/passport details (for individuals); (iv) licence data (if it is mandatory under the law); (v) inclusion of taxes in calculation of the price of goods/services; and (vi) price of delivery of goods (if delivery is performed), and
  • commercial electronic messages regarding sales, promotional gifts, premiums etc. shall be unequivocally identified as such, and the conditions for receiving such promotions shall be clearly stated to avoid ambiguous understanding and shall comply with advertising legislation.

When electronic marketing involves the processing of an individual's personal data, it should take place in compliance with the requirements of Ukrainian data protection legislation.

Considering the requirements of the Data Protection Law outlined above, in order to use an individual's personal data for electronic marketing purposes, there is a requirement to obtain appropriate consent from the individual which would allow for the processing of his/her personal data for such purposes.

Online Privacy

There is no specific legislation regulating the sphere of online privacy in Ukraine. However, the Data Protection Law applies to the extent online activities involve the processing of personal data.

Contacts
Natalia Pakhomovska
Partner
T +380 44 495 1789
Natalia Kirichenko
Senior Associate
T +380 44 490 9575