Personal Data Protection in Ukraine
- +380 44 490 9575, 490 9577
DLA Piper is a global law firm with a presence in more than 30 countries throughout the Americas, Asia Pacific, Europe and the Middle East, and provides a broad range of legal services to local, regional and international clients.
Areas of practice in Ukraine
The firm’s Kiev office specializes in the following fields:
— Corporate and M&A: set up and termination of businesses, corporate governance, M&A, including due diligence, corporate restructuring and reorganization; corporate investigations and compliance and legal support of day-to-day operations.
— Competition law and regulatory: permits for concentrations; for concerted practices, leniency program advice; advice on protection from unfair competition, compliance advice and audits, obtaining of preliminary conclusions from the AMCU; abuse of dominant position; advice on commercial agreements and trade practices, natural monopolies and public procurement; support during investigations by the AMCU, as well as competition litigation.
— Finance and Projects: M&A and regulatory work in the banking and finance sector, asset, debt and capital markets transactions, structured finance, project finance, real estate finance, aviation finance, debt restructuring projects, infrastructure and PPP projects, litigation in debt and insolvency-related matters.
— Real estate and construction: acquisition/sale and lease transactions for real estate and land; registration of associated rights; establishment of business presence, expansion and structuring of retail business, construction and planning matters, industrial and infrastructure projects, real estate due diligence, structuring of real estate transactions and construction investment projects, real estate contracts, mortgage lending and environmental issues.
— Tax: corporate tax, VAT and customs, tax driven restructurings (domestic and international), as well as M&A transactions from the tax perspective, tax due diligences, reviews of tax profiles of entities, tax controversy, litigation and transfer pricing.
— IP and Technology: registration and protection of IP in Ukraine and overseas, IP portfolio management, IP due diligence, structuring of IP ownership and commercialization of IP, unfair competition issues, parallel import and counterfeits, licensing and assignment agreements, IT outsourcing, internet, e-commerce, domain names and telecommunications, data protection, software and hardware, technology transfer.
— Labor: employment contracts, personnel policies, employment law audits and due diligence reviews data protection, employee rights, employment-related tax issues, termination matters, employment litigation.
Personal data protection has become an important issue for the business environment in Ukraine since 2011 when legislation regulating personal data protection was introduced. Before that, personal data protection in Ukraine was governed only by the provisions of a fundamental general nature as provided in the Constitution of Ukraine, the Civil Code of Ukraine and some other legislative acts. In this article, we provide an overview of the key legislative regulations on personal data protection in Ukraine.
The On Personal Data Protection Act of Ukraine, No.2297 VI of 1 June 2010 (the Data Protection Act), which came into effect as of 1 January 2011, constitutes the main legislative act regulating personal data protection in Ukraine.
Following the adoption of the Data Protection Act, on 6 July 2010 the Ukrainian Parliament ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 and the Additional Protocol to the Convention Regarding Supervisory Authorities and Trans-border Data Flows of 8 November 2001.
Furthermre, based on the practice of its application the Data Protection Act has been substantially amended, primarily, by virtue of the On Amendments to Certain Laws of Ukraine regarding Improvement of the Personal Data Protection System Act of 3 July 2013 No. 383-VII which has been in effect since 1 January 2014. As a result of numerous amendments introduced to the Data Protection Act it now essentially complies with the EU rules currently in effect.
Following the adoption of the Data Protection Act, the subordinate legislation listed below has been specifically developed to implement the Data Protection Act, in particular: Procedure of Notification of the Ukrainian Parliament’s Commissioner for Human Rights on the Processing of Personal Data, which is of Particular Risk to the Rights and Freedoms of Personal Data Subjects, on the Structural Unit or Responsible Person that Organizes the Work Related to Protection of Personal Data during Processing thereof (the Notification Procedure); the Model Procedure of Processing of Personal Data (the Model Procedure); the Procedure of Control by the Ukrainian Parliament’s Commissioner for Human Rights over the Adherence to Personal Data Protection Legislation.
Certain data protection issues of a general nature are regulated by the Constitution of Ukraine of 28 June 1996, the Civil Code of Ukraine of 16 January 2003, No 435 IV, the On Information Act of 2 October 1992, No 2657 XII, the On Protection of Information in the Information and Telecommunication Systems Act of Ukraine of 5 July 1994 No. 80/94 VR, the On Electronic Commerce Act of 3 September 2015, No 675-VIII and some other legislative acts.
Personal Data and Sensitive Personal Data
The Data Protection Act defines “personal data” as data or an aggregation of data on an individual who is or can be precisely identified.
It should be mentioned that although the Data Protection Act does not differentiate the commonly used term “sensitive personal data”, it establishes that personal data with regard to racial or ethnic origin, political, religious or ideological convictions, participation in political parties and trade unions, accusation in criminal offences or conviction to criminal punishment, as well as data relating to health or sex life, biometric or genetic data, are generally prohibited for processing. The processing of the listed data is allowed in case of an unambiguous consent from personal data subject or as per certain exemptions envisaged by the Data Protection Act (e.g. processing is performed for the reasons of protection of vital interest of individuals, healthcare purposes, in the course of criminal proceedings, for anti-terrorism purposes, etc.).
National Data Protection Authority
The Ukrainian Parliament’s Commissioner for Human Rights (Ombudsman) is the state authority in charge of controlling compliance with the legislation on data protection.
Collection & Processing
The provides for a requirement of obtaining the consent of personal data subjects for processing of their personal data, i.e. voluntary expression of will of the individual (subject to his/her awareness) to permit the processing of personal data for the determined purposes expressed in writing or in some other form, which allows the owner or processor of the personal data to draw a conclusion that consent has been granted. In the area of E-commerce, the consent on processing of personal data may be granted in the process of registration of data subjects in the system of the subject of E-commerce by ticking the respective box for giving consent on processing of their personal data for determined processing purposes, provided that such a system does not allow the processing of personal data prior to the ticking of the respective box by the data subject. The Data Protection Act provided for certain exceptions when personal data of individuals may be processed without consent. For example, legislative permission for processing of personal data, conclusion and execution of a transaction in favour of the personal data subject, protection of interests of the subject or owner of personal data.
Pursuant to the Data Protection Act, personal data subjects shall, as a general rule, be informed at the moment of collection of their personal data of: the owner of their personal data; composition and content of their personal data being collected; their rights; purpose of their personal data collection; the persons to whom their personal data will be transferred.
The subjects of personal data relations are obliged to take appropriate technical and organisational measures to ensure the protection of personal data against unlawful processing including loss, unlawful or accidental elimination, as well as unauthorized access. The Model Procedure stipulates that the owners and processors of personal data shall take measures to maintain security of personal data on all stages of their processing including organisational and technical measures for the protection of personal data.
The owners are obliged to notify the Ombudsman about personal data processing, which is of a particular risk to the rights and freedoms of personal data subjects, within thirty working days of commencement of such processing. The Notification Procedure envisages a specific list of such data, and establishes the notification form and procedural formalities to be observed. Furthermore, the Notification Procedure obliges the owners and processors of personal data who process the personal data, which is of particular risk to the rights and freedoms of personal data subjects, to notify the Ombudsman on establishing a structural unit or appointing a person (data protection officer) responsible for the organisation of work related to the protection of personal data during the processing thereof.
Any transfer of personal data shall be conducted on the basis of a data transfer and processing agreement between the parties to such transfer. Personal data cannot be transferred for the purpose different from the one, for which they have been collected.
Personal data shall be transferred to foreign counterparties only on condition of ensuring an appropriate level of protection of personal data by the respective state of the transferee. Such states include the member states of the European Economic Area and signatories to the EC Convention on Automatic Processing of Personal Data.
In the case of transfer of personal data to other countries, the data transfer and processing agreement between the parties to such transfer must stipulate that a proper level of protection of personal data (where a proper level may be construed as equivalent to that established by Ukrainian law) must be ensured by the recipient.
According to the Data Protection Act personal data may be transferred outside of Ukraine based on one of the following grounds:
— unambiguous consent of the personal data subject;
— cross-border transfer is needed to enter into or perform a contract between the personal data owner and a third party in favour of the personal data subject;
— necessity to protect the vital interests of the personal data subjects;
— necessity to protect the public interest, establishment, fulfilment and enforcement of a legal requirement, or
— appropriate guarantees of the personal data owner as regards the non-interference into the personal and family life of the personal data subject.
According to the Data Protection Act, the Ombudsman and Ukrainian courts are state authorities responsible for controlling compliance with legislation on protection of personal data. Violation of personal data protection legislation may result in civil, criminal and administrative liability.