Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Ukraine - Data Protection Overview
Back

Ukraine - Data Protection Overview

September 2021 

1. Governing Texts

Please note the process for updating our Ukraine content will be extended due to the current situation in the region.

Given Ukraine is not a part of the EU, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not directly apply in its territory. Meanwhile, according to the Plan of Actions related to fulfilment of the EU-Ukraine Association Agreement, as approved by the Cabinet of Ministers of Ukraine on 25 October 2017 No 1106 (only available in Ukrainian here), Ukraine committed to bring its data protection legislation into compliance with the GDPR by 25 May 2018. In that respect a draft Law on Personal Data Protection (only available in Ukrainian here) ('the Draft Law') has been developed and registered with Parliament of Ukraine ('Parliament') in June 2021. The Draft Law is aimed at bringing the local data protection legislation in Ukraine into compliance with the GDPR, including the terminology, data subjects' rights, obligations of controllers and processors, etc. The Draft Law should pass all necessary steps to be adopted into law, i.e. it should undergo two hearings in Parliament. To date it is not clear when the whole law adoption process will be completed.

1.1. Key acts, regulations, directives, bills

The following laws and regulations regulate data protection in Ukraine:

  • the Law of 1 June 2010 No. 2997-VI on Personal Data Protection (as amended) (only available in Ukrainian here) ('the Law') which was adopted by the Parliament on 1 June 2010 and became effective on 1 January 2011, regulates, inter alia, personal data processing; and
  • on 3 July 2013, the Parliament adopted amendments to a range of laws related to data protection, including the Law. The laws which introduces such amendments include the Law of 23 February 2012 No. 4452-VI (only available in Ukrainian here) and the Law of 20 November 2012 No. 5491-VI (only available in Ukrainian here) (collectively 'the Amendments'). The Amendments have been effective since 1 January 2014 and have fundamentally changed the substance of the whole data protection system of Ukraine. Other changes to the Law were introduced between 2014-2017. 

In addition to enacting the Law, the Parliament also ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108/81 ('Convention 108'), on 6 July 2010.

1.2. Guidelines

The Ukraine Parliamentary Commissioner for Human Rights ('the Ombudsman') commenced activity as the data protection authority on 1 January 2014. Since then, the Ombudsman has been active in issuing new regulations as required by the Amendments.

Specifically, the following legislative acts in relation to data protection have been adopted by the Ombudsman:

  • The Sample Order of Personal Data Processing (only available in Ukrainian here);
  • The Order of Conducting by the Ombudsman of Supervision over Compliance with Personal Data Protection Laws (only available in Ukrainian here);
  • The Order on Notification of the Ombudsman About Special Risk Data (only available in Ukrainian here); and
  • The Order of Procuring the Materials on Administrative Offences (only available in Ukrainian here).

In addition to these pieces of legislation, the Ombudsman has produced several clarification letters which bring clarity to how certain provisions of the Law should be used, including with respect to the banking sphere, and video surveillance in public places, etc.

In the first quarter of each year the Ombudsman issues a report, which covers, inter alia, the results of her office's work in the data protection sphere, including a summary of their enforcement actions, the nature of the most common breaches in data privacy matters, etc.

1.3. Case law

On 20 January 2012, the Constitutional Court of Ukraine adopted its Decision in Case No. 1/9 2012 on the official interpretation of the provisions of the second paragraph of Article 32 and Article 34 (3) of the Constitution of Ukraine (only available in Ukrainian here) ('the Decision') which provided an interpretation on the status of information concerning the personal and family life of an individual, and also confirmed the legal status of the rule regarding the mandatory need to obtain a data subject's consent for the collection, storage, use and dissemination of such information by any person, including state and local bodies. The Decision has the status of law and compliance with it is mandatory.

2. Scope of Application 

2.1. Personal scope

The Law aims to protect personal data during its collection, storage, and processing, as well as when personal data is used for purposes other than in private or certain professional circumstances.

2.2. Territorial scope

Although the Law is not explicit about its territorial scope, the interpretation and practice suggest that it is applicable to a wide range of organisations (both inside and outside Ukraine), which process personal data in the territory of Ukraine, including cross border data transfers.

2.3. Material scope

The Law defines personal data as data, or the collection of data, relating to an identified or specifically identifiable natural person.

In relation to the processing of personal data, the following are exempted from the ambit of the Law:

  • individuals processing data for their personal or household needs;
  • relationships related to obtaining archive information of repressive authorities; and
  • the processing of personal data exclusively for journalistic and creative purposes, provided that the balance between the right to respect of personal life and the right to free expression of views are given due regard.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Before 1 January 2014, the Law required the establishment of a special authority with responsibility for supervising compliance with the Law's provisions. Such an authority was established by the President's Order of 9 December 2010, No. 1085/2010 (only available in Ukrainian here) ('the Order'). Under the Order, the State Service of Ukraine for Personal Data Protection ('the Authority') enjoyed the status of a central governmental body.

However, according to the Amendments, starting from 1 January 2014, the Ombudsman took over the jurisdiction of the Authority, and became in charge of almost all issues related to data protection. The Authority, in turn, has been liquidated. The above changes claim to bring Ukrainian law into compliance with the EU standards, and specifically in relation to the independent functioning of a state body regulating data protection. It is believed that the Ombudsman is independent from government bodies and other state bodies, and is thereby able to perform its data protection function. To date, the Ombudsman seems to be active and even proactive in the sphere of data protection and has passed several important regulations (see section on guidlines above).

3.2. Main powers, duties and responsibilities

The Ombudsman has the following enforcement powers:

  • the power to conduct planned and unplanned inspections of data controllers and data processors;
  • the right of access the data controller's and data processor's premises for inspections;
  • in case of discovery of any breaches of the data protection law, the power to:
    • issue administrative protocols;
    • impose administrative liability to be fully enforced in court; and
  • general powers and authorities such as proposing amendments to the laws concerning data protection issues, etc.

4. Key Definitions

Data controller: Individuals or legal entities that determine the goals of personal data processing, and the amount and method of processing.

Data processor: Individuals or legal entities authorised by the data controller or by applicable laws to process personal data.

Personal data: Data or the collection of data, relating to an identified or specifically identifiable natural person.

Sensitive data: Is data that relates to racial or ethnic origin, political, religious or philosophical beliefs, political party or trade union membership, data concerning the health or sex life, and the biometric and genetic data of a data subject.

Health data: Health data is not defined under the Law.  

Biometric data: Biometric data is not defined under the Law.  

Pseudonymisation: Pseudonymisation is not defined under the Law.  

Special risk data: Refers to data which comprises a special risk for the rights and freedoms of individuals.

Data subject: Individual whose personal data is processed.

Third parties: Any other persons or entities that receive personal data from a data controller or a data processor, for a specific purpose.

5. Legal Bases

5.1. Consent

The Law provides that any individuals concerned must give their consent to the processing of their personal data (except for anonymised data), where such data is deemed to be restricted-access information. Importantly, the definition of consent to data processing was reintroduced to the Law at the end of May 2014 (it had formerly been removed for some time). Consent is now defined as the voluntary, informed permission of individuals with respect to the processing of their personal data according to the defined purpose of processing. This permission must be expressed in writing or in a form which enables verification that such consent was actually provided. With respect to minors, consent should be provided by one of their parents or by a guardian (as applicable).

Notification of the processing of certain personal data about individuals is usually not sufficient; the data controller must generally obtain explicit consent. There is no specific requirement for a strict 'working' consent form. However, the Ombudsman has released an indicative consent form, which seems to be appropriate only for written consent (it appears to have requirements which are excessive or unnecessary for electronic consent). In any event, a business is free to use its own corporate templates for consent, provided that they comply with the requirements of the Law. When giving their consent to the processing of personal data, data subjects are entitled to limit the scope of the data processing activity undertaken by the database owner.

In the e-commerce sphere, a data subject's consent may be provided during their registration in the respective communication system of the e-commerce subject, by way of ticking the 'consent box' in the system, and only provided that such a system does not allow the processing of personal data before the box was ticked by a data subject.

Furthermore, the Law establishes certain cases when consent is not required, specifically:

  • when it is explicitly provided for by law; and
  • where the data is necessary for the purposes of maintaining national security, economic welfare, and for the protection of human rights.

5.2. Contract with the data subject

Personal data may be processed by a data controller when an authorisation to process personal data is granted to the data controller by law exclusively for the performance of its authorities (for instance as an employer).

5.3. Legal obligations

The controller can process personal data in connection with:

  • the conclusion or performance of an agreement to which a data subject is a party; or
  • an agreement which is concluded for the benefit of the data subject.

5.4. Interests of the data subject

The controller is allowed to process personal data when it is necessary to protect the relevant person's vital interests.

5.5. Public interest

The data processing is necessary to perform the data controller's legal obligations.

5.6. Legitimate interests of the data controller

Data processing is justified when it is necessary to protect the legitimate interests of the data controller or third parties to which the personal data is transferred, except for cases when necessity to protect the data subject's basic rights and freedoms overrides these interests.

5.7. Legal bases in other instances

Not applicable. 

6. Principles 

Openness and transparency: Processing of personal data should be conducted openly and transparently with use of means and in a manner which meets the purposes of such data processing.

Accuracy: Personal data must be precise and accurate and be updated to the extent needed.

Data minimisation: The content and the volume of personal data must be relevant to, adequate, and not excessive as regards the defined purpose of processing

7. Controller and Processor Obligations

The majority of obligations under the Law apply directly to data controllers, although responsibility for compliance may also extend to data processors. However, certain obligations expressly apply to both data controllers and data processors, including to enter changes to a subject's personal data on the basis of their substantiated written demand.

Additionally, data processors must respect the data subjects' rights, listed below.

7.1. Data processing notification

The Law initially introduced a mandatory requirement on data controllers to register any database with the State Register of Personal Data Databases. However, since 1 January 2014, businesses no longer have to register their databases that contain personal data. Instead, data controllers have to notify the Ombudsman about the processing of Special Risk Data.

7.2. Data transfers

The Law requires that personal data can only be transferred to countries which provide an adequate level of data protection. Specifically, the Law outlines that the members of the European Economic Area ('EEA'), as well as all other countries who joined Convention 108, would be considered to provide an adequate level.

The above list is not exhaustive, and the Law provides that other countries that provide an adequate level of data protection (i.e. non-EEA members and non-members of Convention 108) will be defined separately by the Cabinet of Ministers. This is of central importance in terms of business activity in Ukraine, where business relations have been developed with, inter alia, the USA and Canada, despite both of these countries being outside the EEA and Convention 108. Until now, no such list has been developed and adopted by the Cabinet of Ministers.

The Law offers five alternative grounds which may serve as a legal justification for cross border data transfer and provide business entities some room to process personal data internationally.

These grounds are:

  • the provision of unambiguous consent by the data subject;
  • the necessity to conclude or fulfil an agreement between the data controller and a third party for the benefit of the data subject;
  • the necessity to protect vital interests of the data subject;
  • the necessity to protect public interest or pursue legal remedies; and
  • the provision for relevant guarantees by the data controller regarding the non-interference with the private and family life of the data subject.

Third party access to personal data

According to the Law, third party access to personal data should be governed by the terms and conditions of the data subjects' consent to the processing of their personal data. If the consent provided by the data subjects covers the possibility of the database owner to provide access to third parties, then the provision of such access will be permitted.

Further to this, the Law explicitly states that a third party may not be granted access to certain personal data if it refuses, or is unable to commit to, or is unable to fulfil the provisions of the Law (including those regarding the protection of personal data).

In order to access personal data, third parties must make an official request to the database owner. The request must contain information relating to:

  • the full name and contact details of the third party;
  • the name and other details of the individual whose personal data is requested which enables the owner to identify the individual;
  • the database from which the request is being made, or the owner/manager of the database;
  • the list of personal data requested; and
  • the purpose and/or legal grounds of the request.

Third party access to personal data may be chargeable, by an amount to be decided by the Government of Ukraine ('the Government') for the state authorities, and, in the private sector, by companies themselves. However, unlike third parties, individuals have the right to free access to their personal data stored in a database.

7.3. Data processing records

The Law does not set out such obligation for controllers and processors.

7.4. Data protection impact assessment

There is no general obligation with regard to Data Protection Impact Assessments ('DPIA')

7.5. Data protection officer appointment

There is generally no obligation to appoint a data protection officer ('DPO') under the Law or other laws in Ukraine except for the cases where a data controller processes Special Risk Data.

7.6. Data breach notification

There is no general obligation with regard to data breach notifications to the regulator under the Law or other laws in Ukraine. Such obligations may, however, be provided in the data subject's consent and/or any commercial agreement between data controllers and data processors/third parties.

7.7. Data retention

According to the Law, personal data must be destroyed or removed in the following cases:

  • the expiry of the time frame of the storage of data, specified if the data subject's consent agreement for the processing of said data or by law (in certain cases the law defines the term of storage of specific data, which cannot be amended (shortened) by the consent);
  • the termination of legal relations between the data subject and the data controller or data processor, unless otherwise provided by law; and/or
  • the effect of a court decision on the removal of the data of an individual from a personal database.

Additionally, personal data must be destroyed or removed in other circumstances prescribed by law.

Retention of personal data implies actions aimed at the preservation of the established regime of access to such data.

The retention term shall be provided in the data subject's consent or by law. Upon expiration of such term the personal data shall be destroyed.

7.8. Children's data

There is no separate provision in the Law which would touch upon the regulation of processing children's data. Therefore, in this context general rules apply, i.e that parents or guardians should provide consent to processing of children's data, unless otherwise provided by law. This does not relate to the legitimacy of the processing and some exceptions may apply. Under the general rule, children are persons under the age of 18. In some cases, provided by law children may generally enter into contracts from the age of 16, which implies that they can provide consent to processing of their data with the specifically defined purpose (related to entering into respective contracts) before they reach 18 years old.

7.9. Special categories of personal data

Sensitive data

Notably, the processing of sensitive personal data is explicitly prohibited.

The Law further provides for a range of exemptions from the rule relating to the processing of sensitive personal data. In particular, this restriction does not apply to cases where the processing of personal data concerns, inter alia:

  • sentences in criminal cases;
  • the provision of some medical services by medical practitioners bound by professional non-disclosure obligations; and
  • personal data which was made publicly available by the data subject.

Special risk data

The Law also includes a definition of another type of data: 'data which comprises a special risk for the rights and freedoms of individuals' ('Special Risk Data'). In turn, the Ombudsman has established a list of the types of Special Risk Data (Article 1.2 of the procedure for notification about the processing of personal data which is of a particular risk (only available in Ukrainian here), which is not entirely the same as sensitive data.

Specifically, in addition to sensitive data, the following are recognised as Special Risk Data:

  • nationality;
  • an individual's location and routes of movement; and
  • information as to whether an individual has suffered from violence or other abuse.

The Law provides for a slightly different regime for Special Risk Data. In particular, a data controller must notify the fact of processing Special Risk Data to the Ombudsman. This is a post-factum notification, which should be made within 30 days of beginning the processing of Special Risk Data. The notification is subject to a formal procedure adopted by the Ombudsman. At the same time, some exemptions apply (e.g. processing of certain Special Risk Data for employment purposes).

7.10. Controller and processor contracts

Data controllers and data processors should have an agreement in writing in order to enable a data processor to perform processing functions. The agreement should at least contain the purpose and the kind of processing. There is no set form of that agreement and therefore a controller and a processor are free to enter into the agreement (or incorporate the processing agreement into any other agreement between themselves in writing).

8. Data Subject Rights

Under the Law, data subjects have several rights relating to their data, including:

  • to know the location of the personal database containing their personal data;
  • to obtain information about the access of third parties to their personal data;
  • to access their personal data;
  • to obtain the contents of their stored personal data;
  • to object to the processing of their personal data by the data controller;
  • to request the modification or the deletion of their personal data by any data controller or data processor;
  • to withdraw their consent to the processing of their personal data; and
  • to be protected against automated decisions which have legal implications for them.

8.1. Right to be informed

Please see section on data subject rights above. 

8.2. Right to access

Please see section on data subject rights above. 

8.3. Right to rectification

Please see section on data subject rights above. 

8.4. Right to erasure

Please see section on data subject rights above. 

8.5. Right to object/opt-out

Please see section on data subject rights above. 

8.6. Right to data portability

Please see section on data subject rights above. 

8.7. Right not to be subject to automated decision-making

Please see section on data subject rights above. 

8.8. Other rights

Please see section 8on data subject rights above. 

9. Penalties 

In June 2011 the Parliament adopted the Law of 2 June 2011 No. 3454-VI on Amendments to Certain Legislative Acts of Ukraine Concerning the Strengthening of Responsibility for Violation of Legislation on Personal Data (only available in Ukrainian here) ('the Liability Law'), which strengthens administrative and criminal liability for failure to comply with data protection laws. The Liability Law amends the Criminal Code of 5 April 2001 No. 2341-III (only available in Ukrainian here), the Code of Administrative Offences of 7 December 1984 No. 8073-X (only available in Ukrainian here), the Criminal Procedure Code of 12 December 1960 (only available in Ukrainian here), and the Law of Ukraine of 2 October 1992 No. 2657-XII 'On Information' (only available in Ukrainian here), to establish individual responsibility for violations of legislation on personal data protection. Before the enactment of this law, the regulation of such liability was vague, and the strength of the sanctions which could be imposed was too weak to be a deterrent for any infringers.

The Liability Law has been fully effective since mid-2012 and has been further altered by the Amendments, with came into effect from 1 January 2014.

Although the Amendments narrowed the administrative liability for infringements in the data protection area (mostly due to the abolition of the obligation on data controllers to register personal databases), some sanctions for non-compliance with certain data protection rules still exist. For example, failure to inform the Ombudsman of processing of eligible personal data may result in a fine in an amount of up to UAH 34,000 (approx. €1,100). Furthermore, illegal collection, storage, or dissemination of personal data could even lead to criminal liability, including the imposition of large fines, or even imprisonment for a term of up to five years.

9.1 Enforcement decisions

Within 2020 the Ombudsman received over 2,000 data protection complaints, of which the majority related to breach of data protection rights in the course of debt collection (almost 1500 cases). Another big portion of the claims related to non-legitimate disclosure of personal data via Internet and social networks and messengers.