November 2023

1. Governing Texts

Given Ukraine is not a part of the EU, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not directly apply in its territory. Meanwhile, according to the plan of actions related to fulfillment of the EU-Ukraine Association Agreement, as approved by the Cabinet of Ministers of Ukraine ('the Cabinet of Ministers') on October 25, 2017 No. 1106 (only available in Ukrainian here), Ukraine committed to bring its data protection legislation into compliance with the GDPR by May 25, 2018. In that respect, a draft Law on Personal Data Protection (only available in Ukrainian here) ('the Draft Law') was developed and registered with the Parliament of Ukraine ('Parliament') in June 2021. However, later on, the Draft Law was rejected by the Parliament on August 16, 2022. After the failure to adopt the Draft Law into law, another draft law (only available in Ukrainian here) ('the Second Draft Law') was registered with the Parliament on October 25, 2022. The Second Draft Law aims to bring the local data protection legislation into compliance with the GDPR, including the terminology, data subjects' rights, obligations of controllers and processors, etc. The Second Draft Law should pass all necessary steps to be adopted into law, i.e., it should undergo two hearings in the Parliament. To date, it is not clear when the whole law adoption process will be completed.

Personal Data Protection during Martial Law

In 2022, shortly after the introduction of martial law in Ukraine, the Commissioner issued clarifications regarding personal data protection during martial law (only available in Ukrainian here) ('the Martial Law Clarifications'). In particular, in the Martial Law Clarifications, the Commissioner specified that prohibitions on the processing of certain sensitive and high-risk data (e.g., racial and ethnic origin, political and religious beliefs, membership in political organizations, some health data) does not apply if such processing relates to court convictions, counterintelligence activity, fight against terrorism, and provided that the respective state authority conducts such actions within the scope of their competence granted by law.

The Commissioner has also drawn attention to some practical recommendations aimed to protect the masses against cybercrimes, fraudulent actions, as well as some peculiarities of data protection while granting addressed charity.

1.1. Key acts, regulations, directives, bills

The following laws and regulations regulate data protection in Ukraine:

• the Law of 1 June 2010 No. 2997-VI on Personal Data Protection (as amended) ('the Law') which was adopted by the Parliament on June 1, 2010, and became effective on January 1, 2011, regulates, inter alia, personal data processing;
• on July 3, 2013, the Parliament adopted amendments to the range of laws related to data protection, including the Law. The laws that introduce such amendments include the Law of 23 February 2012 No. 4452-VI (only available in Ukrainian here) and the Law of 20 November 2012 No. 5491-VI (only available in Ukrainian here) (collectively 'the Amendments'). The Amendments have been effective since January 1, 2014, and have fundamentally changed the substance of the whole data protection system of Ukraine. Other changes to the Law were introduced between 2014-2017; and
• in addition to enacting the Law, the Parliament also ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108/81 ('Convention 108'), on July 6, 2010.

1.2. Guidelines

The Ukraine Parliamentary Commissioner for Human Rights ('the Commissioner') commenced activity as the data protection authority on January 1, 2014. Since then, the Ombudsman has been active in issuing new regulations as required by the Amendments.

Specifically, the following legislative acts in relation to data protection have been adopted by the Commissioner:

• the Sample Order of Personal Data Processing (only available in Ukrainian here);
• the Order of Conducting by the Ombudsman of Supervision over Compliance with the Personal Data Protection Laws (only available in Ukrainian here);
• the Order on Notification of the Ombudsman About Special Risk Data (only available in Ukrainian here); and
• the Order of Procuring the Materials on Administrative Offences (only available in Ukrainian here).

In addition to these pieces of legislation, the Commissioner has produced several clarification letters that clarify how certain provisions of the Law should be used, including with respect to the banking sphere, and video surveillance in public places. In the first quarter of each year, the Ombudsman issues a report, which covers, among other things, the results of the office's work in the data protection sphere, including a summary of the enforcement actions, and the nature of most common breaches in data privacy matters. 

1.3. Case law

On January 20, 2012, the Constitutional Court of Ukraine adopted its Decision in Case No. 1/9 2012 (available for download here) on the official interpretation of the provisions of Article 32(2) and Article 34(3) of the Constitution of Ukraine (only available in Ukrainian here) ('the decision') which provided an interpretation on the status of information concerning the personal and family life of an individual, and also confirmed the legal status of the rule regarding the mandatory need to obtain a data subject's consent for the collection, storage, use, and dissemination of such information by any person, including state and local bodies. The decision has the status of law and compliance with it is mandatory.

2. Scope of Application

2.1. Personal scope

The Law aims to protect personal data during its collection, storage, and processing, as well as when personal data is used for purposes other than in private or certain professional circumstances.

2.2. Territorial scope

Although the Law is not explicit about its territorial scope, the interpretation and practice suggest that it is applicable to a wide range of organizations (both inside and outside Ukraine), that process personal data in the territory of Ukraine, including transborder data transfers.

2.3. Material scope

The Law defines personal data as data, or the collection of data, relating to an identified or specifically identifiable natural person.

In relation to the processing of personal data, the following are exempted from the scope of the law:

• individuals processing data for their personal or household needs;
• relationships related to obtaining archive information of repressive authorities; and
• the processing of personal data exclusively for journalistic and creative purposes, provided that the balance between the right to respect of personal life and the right to free expression of views are given due regard.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Before January 1, 2014, the Law required the establishment of a special authority with responsibility for supervising compliance with the Law's provisions. Such an authority was established by the President's Order of 9 December 2010, No. 1085/2010 (only available in Ukrainian here) ('the Order'). Under the Order, the State Service of Ukraine for Personal Data Protection ('the Authority') enjoyed the status of a central governmental body.

However, according to the Amendments, starting from January 1, 2014, the Commissioner took over the jurisdiction of the Authority, and became in charge of almost all issues related to data protection. The Authority, in turn, has been liquidated. The above changes claim to bring Ukrainian law into compliance with the EU standards, and specifically in relation to the independent functioning of a state body regulating data protection. It is believed that the Commissioner is independent from government bodies and other state bodies and is thereby able to perform its data protection function. To date, the Commissioner seems to be active and even proactive in the sphere of data protection and has passed several important regulations (see section Guidelines above).

3.2. Main powers, duties and responsibilities

The Commissioner has the following enforcement powers:

• the power to conduct planned and unplanned inspections of data controllers and data processors;
• the right to access the data controller's and data processor's premises for inspections;
• in case of discovery of any breaches of the data protection law, the power to:
  • issue administrative protocols;
  • impose administrative liability to be fully enforced in court; and
• general powers and authorities such as proposing amendments to the laws concerning data protection issues, etc.

4. Key Definitions

Data controller: Not applicable.

Data processor: Not applicable.

Personal data: Not applicable.

Sensitive data: Not applicable.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymization: Not applicable.

5. Legal Bases

5.1. Consent

The Law provides that any individuals concerned must give their consent to the processing of their personal data (except for anonymized data), where such data is deemed to be restricted information. Importantly, the definition of consent to data processing was reintroduced to the Law at the end of May 2014 (it had formerly been removed for some time). Consent is now defined as the voluntary, informed permission of individuals with respect to the processing of their personal data according to the defined purpose of processing. This permission must be expressed in writing or in a form that enables verification that such consent was actually provided. With respect to minors, consent should be provided by one of their parents or by a guardian (as applicable). Notification of the processing of certain personal data about individuals is usually not sufficient; the data controller must generally obtain explicit consent. There is no specific requirement for a strict 'working' consent form. In any event, a business is free to use its own corporate templates for consent, provided that they comply with the requirements of the Law. When giving their consent to the processing of personal data, data subjects are entitled to limit the scope of the data processing activity undertaken by the database owner.

In the e-commerce sphere, a data subject's consent may be provided during their registration in the respective communication system of the e-commerce subject, by way of ticking the 'consent box' in the system, and only provided that such a system does not allow the processing of personal data before the box was ticked by a data subject.

Furthermore, the Law establishes certain cases when consent is not required, specifically:

• when it is explicitly provided for by law; and
• where the data is necessary for the purposes of maintaining national security, economic welfare, and for the protection of human rights.

5.2. Contract with the data subject

The controller can process personal data in connection with:

•  the conclusion or performance of an agreement to which a data subject is a party; or
• a contract which is concluded for the benefit of the data subject.

5.3. Legal obligations

Personal data may be processed by the data controller when authorization to process personal data is granted to the data controller by law exclusively for the performance of its competencies (for instance, as an employer).

5.4. Interests of the data subject

The controller is allowed to process personal data when it is necessary to protect the relevant person's vital interests.

5.5. Public interest

Confidential personal can be processed without the data subject's consent in the cases determined by law, and only in the interests of national security, economic welfare, and human rights. 

5.6. Legitimate interests of the data controller

Data processing is justified when it is necessary to protect the legitimate interests of the data controller or third parties to which the personal data is transferred, except for the cases when necessity to protect the data subject's basic rights and freedoms overcomes these interests.

5.7. Legal bases in other instances

Please see other peculiarities of personal data protection during martial law in the section Personal Data Protection during Martial Law above. 

6. Principles

Openness and transparency: Processing of personal data should be conducted openly and transparently with the use of means and in a manner that meets the purposes of such data processing.

Accuracy: Personal data must be precise and accurate and be updated to the extent needed.

Data minimization: The content and the volume of personal data must be relevant to, adequate, and not excessive as regards the defined purpose of their processing.

7. Controller and Processor Obligations

The majority of the obligations under the Law apply directly to data controllers, although the responsibility for compliance may also extend to data processors. However, certain obligations expressly apply to both data controllers and data processors, including making changes to a subject's personal data on the basis of their substantiated written demand.

Additionally, data processors must respect the data subjects' rights, listed below.

7.1. Data processing notification

The Law initially introduced a mandatory requirement for data controllers to register any database with the State Register of Personal Data Databases. However, since January 1, 2014, businesses no longer have to register their databases that contain personal data. Instead, data controllers have to notify the Commissioner about the processing data which comprises a special risk for the rights and freedoms of individuals ('Special Risk Data'). 

7.2. Data transfers

The Law requires that personal data can only be transferred to countries that provide an adequate level of data protection. Specifically, the Law outlines that the members of the European Economic Area ('EEA'), as well as all other countries who joined Convention 108, would be considered to provide an adequate level.

The above list is not exhaustive, and the Law provides that other countries that provide an adequate level of data protection (i.e., non-EEA members and non-members of Convention 108) will be defined separately by the Cabinet of Ministers. This is of central importance in terms of business activity in Ukraine, where business relations have been developed with, inter alia, the USA and Canada, despite both of these countries being outside the EEA and Convention 108. Until now, no such list has been developed and adopted by the Cabinet of Ministers.

The Law offers five alternative grounds that may serve as a legal justification for cross-border data transfer and provide business entities some room to process personal data internationally.

These grounds are:

• the provision of unambiguous consent by the data subject;
• the necessity to conclude or fulfill an agreement between the data controller and a third party for the benefit of the data subject;
• the necessity to protect the vital interests of the data subject;
• the necessity to protect the public interest or pursue legal remedies; and
• the provision for relevant guarantees by the data controller regarding the non-interference with the private and family life of the data subject.

In July 2022 new amendments were introduced to the Law due to the martial law status in Ukraine (caused by the war). Specifically, those relate to the transfer of personal data during the period of martial law (so far established until November 15, 2023, with a high probability to be extended further) and six months thereafter. According to the amendments, transfers of personal data to foreign parties which is necessary for the provision of medical or rehabilitation aid or telemedicine, may be done by applying the respective data protection methods governed by the laws of jurisdiction where respective medical practitioners or medical establishment were granted the right to conduct such medical practice. That basically means that the methods of processing the above-specified personal data may differ from those provided by the law for a limited amount of time (i.e., until the end of martial law plus six months).

Third-party access to personal data

According to the Law, third-party access to personal data should be governed by the terms and conditions of the data subjects' consent to the processing of their personal data. If the consent provided by the data subjects covers the possibility of the database owner providing access to third parties, then the provision of such access will be permitted. Further to this, the Law explicitly states that a third party may not be granted access to certain personal data if it refuses, is unable to commit to, or is unable to fulfill the provisions of the Law (including those regarding the protection of personal data).

In order to access personal data, third parties must make an official request to the database owner. The request must contain information relating to:

• the full name and contact details of the third party;
• the name and other details of the individual whose personal data is requested which enables the owner to identify the individual;
• the database from which the request is being made, or the owner/manager of the database;
• the list of personal data requested; and
• the purpose and/or legal grounds of the request.

Third-party access to personal data may be chargeable, by an amount to be decided by the Government of Ukraine ('the Government') for the state authorities, and, in the private sector, by companies themselves. However, unlike third parties, individuals have the right to free access to their personal data stored in a database.

7.3. Data processing records

The Law does not set out such obligation for controllers and processors.

7.4. Data protection impact assessment

There is no general obligation with regard to Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

There is generally no obligation to appoint a data protection officer ('DPO') under the Law or other laws in Ukraine except for cases where a data controller processes Special Risk Data.

7.6. Data breach notification

There is no general obligation with regard to data breach notification to the regulator under the Law or other laws in Ukraine. Such obligations may, however, be provided in the data subject's consent and/or any commercial agreement between data controllers and data processors/third parties.

7.7. Data retention

According to the Law, personal data must be destroyed or removed in the following cases:

• the expiry of the time frame of the storage of data, specified in the data subject's consent agreement for the processing of said data or by law (in certain cases the law defines the term of storage of specific data, which cannot be amended (shortened) by the consent);
• the termination of legal relations between the data subject and the data controller or data processor, unless otherwise provided by law; and/or
• the effect of a court decision on the removal of the data of an individual from a personal database.

Additionally, personal data must be destroyed or removed in other circumstances prescribed by law. Retention of personal data implies actions aimed at the preservation of the established regime of access to such data. The retention term shall be provided in the data subject's consent or by law. Upon expiration of such term, the personal data shall be destroyed.

7.8. Children's data

There is no separate provision in the Law that would touch upon the regulation of processing children's data. Therefore, in this context general rules apply, i.e., that parents or guardians should provide consent to processing of children's data unless otherwise provided by law. This does not relate to the legitimacy of the processing and some exceptions may apply. Under the general rule, children are persons under the age of 18. In some cases, provided by law, children may generally enter into contracts from the age of 16, which implies that they can provide consent to the processing of their data with the specifically defined purpose (related to entering into respective contracts) before they reach 18 years old.

7.9. Special categories of personal data

Sensitive data

Notably, the processing of sensitive personal data is explicitly prohibited.

The Law further provides for a range of exemptions from the rule relating to the processing of sensitive personal data. In particular, this restriction does not apply to cases where the processing of personal data concerns, inter alia:

• sentences in criminal cases;
• the provision of some medical services by medical practitioners bound by professional non-disclosure obligations; and
• personal data which was made publicly available by the data subject.

Please also see additional comments regarding medical data in item Other Legal Bases above and the section on protection of personal data during martial law below.

Special risk data

The Law also includes a definition of  Special Risk Data. In turn, the Commissioner has established a list of the types of Special Risk Data (Article 1.2 of the procedure for notification about the processing of personal data that is of a particular risk (only available in Ukrainian here)), which is not entirely the same as sensitive data.

Specifically, in addition to sensitive data, the following are recognized as Special Risk Data:

• nationality;
• an individual's location and routes of movement; and
• information as to whether an individual has suffered from violence or other abuse.

The Law provides for a slightly different regime for Special Risk Data. In particular, a data controller must notify the fact of processing Special Risk Data to the Commissioner. This is a post-factum notification, which should be made within 30 days of beginning the processing of Special Risk Data. The notification is subject to a formal procedure adopted by the Commissioner. At the same time, some exemptions apply (e.g., processing of certain Special Risk Data for employment purposes).

7.10. Controller and processor contracts

Data controllers and data processors should have an agreement in writing in order to enable a data processor to perform processing functions. The agreement should at least contain the purpose and the kind of processing. There is no set form of that agreement and therefore a controller and a processor are free to enter into the agreement (or incorporate the processing agreement into any other agreement between themselves in writing).

8. Data Subject Rights

Under the Law, data subjects have several rights relating to their data, including:

• to know the location of the personal database containing their personal data;
• to obtain information about the access of third parties to their personal data;
• to access their personal data;
• to obtain the contents of their stored personal data;
• to object to the processing of their personal data by the data controller;
• to request the modification or the deletion of their personal data by any data controller or data processor;
• to withdraw their consent to the processing of their personal data; and
• to be protected against automated decisions that have legal implications for them.

8.1. Right to be informed

See the section on data subject rights above.

8.2. Right to access

See the section on data subject rights above.

8.3. Right to rectification

See the section on data subject rights above.

8.4. Right to erasure

See the section on data subject rights above.

8.5. Right to object/opt-out

See the section on data subject rights above.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

See the section on data subject rights above.

8.8. Other rights

Not applicable.

9. Penalties

In June 2011 the Parliament adopted the Law of 2 June 2011 No. 3454-VI on Amendments to Certain Legislative Acts of Ukraine Concerning the Strengthening of Responsibility for Violation of Legislation on Personal Data (only available in Ukrainian here) ('the Liability Law'), which strengthens administrative and criminal liability for failure to comply with data protection laws. The Liability Law amends the Criminal Code of 5 April 2001 No. 2341-III (only available in Ukrainian here), the Code of Administrative Offences of 7 December 1984 No. 8073-X (only available in Ukrainian here), the Criminal Procedure Code of 12 December 1960 (only available in Ukrainian here), and the Law of Ukraine of 2 October 1992 No. 2657-XII 'On Information' (only available in Ukrainian here), to establish individual responsibility for violations of legislation on personal data protection. Before the enactment of this law, the regulation of such liability was vague, and the strength of the sanctions that could be imposed was too weak to be a deterrent for any infringers.

The Liability Law has been fully effective since mid-2012 and has been further altered by the Amendments, which came into effect from January 1, 2014.

Although the Amendments narrowed the administrative liability for infringements in the data protection area (mostly due to the abolition of the obligation on data controllers to register personal databases), some sanctions for non-compliance with certain data protection rules still exist. For example, failure to inform the Commissioner of the processing of eligible personal data may result in a fine in the amount of up to UAH 34,000 (approx. $940). Furthermore, illegal collection, storage, or dissemination of personal data could even lead to criminal liability, including the imposition of large fines, or even imprisonment for a term of up to five years.

9.1 Enforcement decisions

According to the annual report of the Commissioner (only available in Ukrainian here) within 2022 the Commissioner received 844 data protection complaints, of which the majority related to unlawful processing of personal data (60%). Another big portion of the claims related to the breach of the right to access of information about themselves.