6 April 2017
The Ukrainian Parliament Commissioner for Human Rights (‘the Commissioner’), Valeriya Lutkovska, presented, on 31 March 2017, her annual report (‘the Report’) to Parliament, which outlines the actions her office took in 2016 in relation to data protection. In particular, the Commissioner summarised the most concerning data protection violations revealed by inspections of data controllers, and provided guidance to firms on policies to aid in compliance with Ukrainian data protection legislation.
Oleksiy Stolyarenko, Senior Associate at Baker McKenzie, told DataGuidance, “General understanding of, and compliance with, data protection legislation remains low in Ukraine, both in the private and government sectors. [In the Report] the Commissioner [highlighted violations] of the proportionality requirement, in that companies collect and process information in excess of what is reasonably necessary for the indicated purpose, the denial of access of data subjects to their personal data, and non-compliance with the reasonable terms for data processing and retention. Taking into account these violations, companies in Ukraine need to re-evaluate their personal data collection and processing policies.”
The Report outlines that the Commissioner examined 1,306 complaints from data subjects, on the basis of which her office carried out 76 inspections of data controllers, a large proportion of them insurance operators and consumer services. In addition, the Report highlights failures by data controllers to follow and implement guarantees for, and to report adequately on, the implementation of data subjects’ rights under the Law of 1 June 2010 No. 2297 on Personal Data Protection (‘the Law’). These included the lack of adequate procedures, and of the technical capability in controllers’ systems, to evaluate requests for access to information from law enforcement agencies, and to handle the use of employees’ personal data for administrative and HR purposes.
Stolyarenko commented, “In particular, the Commissioner found that companies do not keep a record of their data processing activities […] It is important to correctly identify the data that need to be collected, establish personal data flows within the organisation, and limit access to personal data. Companies must also […] establish reasonable terms for the data processing and implement a procedure for the erasure of personal data after the termination of the data processing.”
Additionally, although the Commissioner received 344 notifications of data processing from organisations, many of these included incomplete information. In particular, the Commissioner emphasised that one of the main violations was the failure to notify the Commissioner of the processing of sensitive data and of procedures for employee training on data protection compliance.
The Commissioner also announced that, with the support of the Council of Europe, the Parliament Committee on Human Rights, National Minorities and International Relations had established a working group to amend the Law in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Stolyarenko concluded, “Even though Ukraine does not effectively enforce personal data legislation, some of the export-oriented Ukrainian companies, especially in the IT sector, must prepare for possible enforcement activities from the EU data protection authorities after the GDPR comes into force. Considering the potential for harsh fines and the lack of experience [of such companies] in dealing with personal data protection requirements, it is important for data controllers to start evaluating all of their activities as soon as possible.”
Kaveh Lahooti | Privacy Analyst