Update on Ukrainian Law on Data Protection

The Law of Ukraine No. 2297-VI “On Protection of Personal Data”, dated June 1, 2010 (hereinafter the “PDP Law”) quietly came into force on January 1, 2011. Since then, it has undergone numerous revisions due to the bureaucracy’s inability to implement the strict provisions of the original text.

In the early stages of its legal force, numerous companies scrambled to register their personal databases in a timely manner, creating a huge logjam of registration applications with the State Service of Ukraine on Personal Data Protection. Soon, the government realized that the State Service simply was not capable of handling the enormous workload involved in registering various types of databases with personal information. This realization has brought about significant changes in the PDP Law, which will come into legal force on January 1, 2014.

By way of background, the PDP Law is based on the framework EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, but provides a more detailed legislative base for data protection in Ukraine. The good news is that by implementing the PDP Law, Ukraine showed signs of bringing its legislation into closer compliance with European standards, perhaps with the eventual hope of European integration. However, the PDP Law left open the usual questions of implementation and enforcement surrounding other Ukrainian laws.

With the above in mind, we will provide a brief overview of the data protection rules in Ukraine. Similar to Directive 95/46/EC, the PDP Law applies to data processed both by automated means and non-automated filing systems gathered by Ukrainian legal entities and natural persons. Personal data is defined under the PDP Law as information about an individual who may be specifically identified. The primary sources of information may be documents issued to an individual, documents signed by an individual and information provided by an individual about himself or herself. Late 2012 amendments to the PDP Law further clarified that the PDP Law does not apply to personal data processing performed by an individual exclusively for personal or consumer needs and to personal data processing performed by so-called “creative specialists” or journalists for professional purposes provided that a balance is maintained between the right to personal privacy and the right of self-expression. Notably, Directive 95/46/EC does not refer to the latter two categories.

Specifically, the PDP Law applies to legal entities or natural persons who, by law or with the consent of a data subject, are granted the right to process personal data and who confirm the purpose and method for processing personal data within their databases and store such databases. These are referred to as “owners” or “controllers” of personal data, the latter being those companies or persons who are contracted to process an owner’s database of personal information. The law specifically applies to licensed doctors, lawyers and notaries. While the PDP Law does not explicitly state so, it could also be applied to such institutions as banks, insurance companies, employment agencies, law firms, discount card systems and other businesses that collect, register, accumulate, store, adapt, amend, use, distribute, transfer, sell or destroy personal data of Ukrainian citizens.

The fundamental principle applicable to personal data processing under the PDP Law is that all steps in data collection, storage and processing must at the very least have the consent of the data subject. This is not a novelty in Ukraine, as the Law of Ukraine No. 2657 “On Information”, dated October 2, 1992, required the consent of any individual before his/her information could be collected and processed in Ukraine and/or abroad. However, the PDP Law expands the consent requirement to include consent to the volume, purpose, content, destruction of and amendment to personal data. Pursuant to the PDP Law, any data processed must be collected for a specific, lawful purpose and must be precise, accurate and, where necessary, kept up-to-date. Personal data may also be processed on the basis of an agreement between the data subject and the data owner.

As a narrow exception, the processing of personal data in Ukraine may be effectuated without consent only in the interests of national security, human rights, protection of the individual in question’s vital interests (until such time as consent may be given) and “economic welfare”. The PDP Law does not further elaborate on the definition of “economic welfare,” whereas Directive 95/46/EC is only a bit more specific in stating “important economic or financial interests of a Member State or of the European Union, including monetary, budgetary and taxation matters”.

The PDP Law does not permit the processing of personal data regarding race or ethnicity, political, religious or ideological conviction, membership in a political party and professional unions, criminal charges or criminal convictions, or health or sex life. It is interesting to note that while Directive 95/46/EC does not mention “membership in a political party”, Ukraine (which is notorious for having many politicians who double as businessmen or oligarchs) has specifically restricted the storage and processing of data that reveals any political party affiliation. The aforementioned restrictions do not apply in cases when such personal data is processed upon the unambiguous consent of the data subject or when it is necessary to process personal data to exercise rights and perform obligations in labor relations according to law.

Importantly, under the PDP Law, all data subjects enjoy certain integral and inviolable rights, such as the rights to (i) know the location of all databases containing their personal data, (ii) receive full information about the owner or controller of their personal data, (iii) access their personal data free of charge, (iv) demand substantiated changes, restriction or destruction of personal data, (v) appeal, on legitimate grounds, the processing of their personal data to courts, etc. Data subjects also have the right to protection of their personal data by the public authorities responsible for data protection issues, specifically with respect to any damages incurred from unlawful disclosure and the provision of false personal data to third parties, including information which can damage an individual’s business reputation. This somewhat overly encompassing right includes the right to appeal to the said public authority for protection of an individual’s data protection rights and the right to use any other legal means provided by law for such protection (i.e., the Ukrainian judicial system). Data subjects must be notified in writing of all of their rights connected to their personal data held in any database either at the time of collection or within 30 working days (formerly 10 days) of collection.

The original version of the PDP Law required state registration of any and all databases containing personal data. This requirement was reluctantly met by most companies by registering their employee, client and contractor databases. The registration requirement will be abolished for 2014 and data owners will simply need to notify the Ombudsman (Ukrainian Parliament Commission for Human Rights) within 30 working days from the date of the commencement of processing regarding the processing of personal data which constitutes a “special risk for the rights and freedoms of personal data subjects”.

The Ombudsman is tasked with determining which types of personal data processing are “high risk” and the categories of data subjects which are required to notify the Ombudsman regarding the processing of personal data. It is further tasked with determining the form and procedure for notifications. The data owner must inform the Ombudsman regarding any changes to personal data subject to notification within 10 working days of such changes. Information sent to the Ombudsman will be subject to publication on the Ombudsman’s official website. The aforementioned issues will need to be determined by the Ombudsman by October of 2013.

While an individual’s access to his or her personal data is free of charge, third parties may access personal data only with the consent of the data subject and payment of the owner’s fees, if any, for issuing a data subject’s personal information. The owner’s or controller’s employees are obligated to use or disclose personal data only within their official capacity, and this obligation remains with such employees even after they have left their official position. Of course, the data subjects must be notified regarding the transfer of their personal data to third parties if their consent was subject to such condition.

Personal data may also be transferred to foreign personal data processors on the condition that their countries have a sufficient level of data protection, presumably comparable to Directive 95/46/EC and the PDP Law, there is an international agreement in place with the recipient’s country and the recipient uses the personal data for the same purposes for which it was collected. In 2012-13, the PDP Law further clarified this issue by providing that EU countries and countries which have signed the Council of Europe Convention for Protection of Individuals with regard to Automatic Processing of Personal Data are deemed to have a sufficient level of data protection. In addition, the Cabinet of Ministers now publishes a list of countries which have a sufficient level of personal data protection.

The 2012-13 amendments also provide that personal data may be transferred to a foreign personal data processor in the case of (i) the data subject’s clear consent, (ii) the necessity to conclude or perform a transaction between the personal data owner and a third party in favor of the data subject, (iii) the necessity to protect the vital interests of the data subject, (iv) the necessity to protect public interests and the establishment, performance and protection of legal claims, and (v) the provision by the personal data owner of a guarantee to refrain from interference in the data subject’s personal and family life.

Due to the simplicity of the PDP Law, and the minimum amount of practical application, the collection of data by a foreign legal entity or law firm during foreign discovery proceedings may arguably be considered the processing of personal data and be subject to the above rule for foreign data collectors. However, there are several conventions in place which may regulate this issue. Other issues, such as “high risk data” notifications will require even more practical application in order to perfect the provisions of the PDP Law.

Overall, the Ukrainian PDP Law covers all of the issues required by Directive 95/46/EC as well as issues more relevant to Ukrainian society, such as state use, business reputation and labor protection. While much time has passed since the January 1, 2011 effective date, it is still doubtful that the Ukrainian government will resolve all of the open-ended issues left by the PDP Law in 2014. With the tax, customs and labor codes still in the forefront of the political battleground, it seems that perfection of the PDP Law will remain a secondary focus for the Ukrainian government.

Frishberg & Partners is a full service, Kiev-based law firm, specializing in Ukrainian law since 1991 (for more information please see www.frishberg.com).

You should not rely upon this information for specific legal advice and should not act upon this information without independent legal counsel.

Frishberg & Partners 2022