Contributed by Baker McKenzie.
What are the main data protection-related pieces of legislation and other regulations in Ukraine?
The main Ukrainian data protection law is the Law of Ukraine on Personal Data Protection (PDP) adopted in 2010. It establishes general requirements and obligations relating to the collection, processing, and use of personal data by private bodies and by the government of Ukraine.
Apart from the PDP, the main sources of personal data protection in Ukraine are:
- The Constitution of Ukraine;
- The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the additional protocol to it, ratified by Ukraine in 2010;
- The Civil Code of Ukraine;
- The provisions of the Code of Ukraine on Administrative Offenses and the Criminal Code establishing liability for personal data offenses;
- The Law of Ukraine "On Information";
- The Law of Ukraine "On Electronic Commerce";
- The Law of Ukraine "On Electronic Communications"; and
- The Law of Ukraine "On Protection of Information in the Information and Telecommunication Systems".
In addition, a number of regulations approved by the Ukrainian Parliament Commissioner for Human Rights apply, in particular:
- Model Rules on Personal Data Processing;
- Rules on Exercising Control by the Ukrainian Parliament Commissioner for Human Rights over Compliance with the Laws on Personal Data Protection; and
- Rules for Notification of the Ukrainian Parliament Commissioner for Human Rights on the Processing of Personal Data that Constitutes a Special Risk for the Rights and Freedoms of Data Subjects, On the Structural Department or Designated Individual Responsible for Work-Related Processing of Personal Data and the Publication of Such Information.
What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?
All of the primary definitions are embodied in the PDP. The PDP defines personal data as any information about an individual who is identified or can be specifically identified.
The Constitutional Court of Ukraine, in its Decision No. 2-rp/2012 dated January 20, 2012, held that "Personal Data" constitutes confidential personal information, access to which is limited by a person himself/herself. Such confidential personal information may include data about the individual's:
- nationality;
- education;
- marital status;
- religious beliefs;
- health;
- current address;
- date and place of birth; and
- property status.
The list of confidential personal information is not exhaustive.
Moreover, while the PDP does not provide a specific definition for sensitive data, it prescribes that certain categories of personal data are required to be processed in a special manner. Processing of such data is allowed if unambiguous consent has been given by the personal data subject or based on specifically prescribed PDP exemptions.
According to the PDP, sensitive data includes:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical belief
- personal data revealing trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health/medical information
- data concerning a natural person’s sex life or sexual orientation
- financial information
- personal data regarding an individual's criminal convictions or record
- location and/or methods of transportation
- facts related to administrative liability
- criminal investigation measures related to a preliminary investigation and the measures envisaged by the Law of Ukraine "On Investigating Activity"
- instances of violence against a person
Turning to the definitions of the parties involved in personal data processing, according to the PDP, the controller/owner is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The processor/agent is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Personal data processing is any action or set of actions, such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution (circulation, sale, transfer), depersonalization, and destruction of personal data, including using information (automated) systems.
Personal data processing requires consent that is defined as a voluntary expression of the individual's will to grant the permission to process his/her personal data in accordance with the stated purpose of their processing, expressed in writing or in a form that allows concluding that consent has been provided.
In the field of e-commerce, personal data subjects can provide consent by marking a checkbox during registration. However, the system should not allow any personal data processing until the consent mark is provided.
In addition, the PDP prescribes certain cases when consent is not required, specifically:
- when it is explicitly provided for by law; and
- where the data is necessary for the purposes of maintaining national security, economic welfare, and for the protection of human rights.
Which entities fall under the data privacy regulations in Ukraine?
In general, the PDP does not limit the scope of persons to which it applies. The PDP aims to protect personal data during its processing, as well as when personal data is used for purposes other than private or certain professional purposes.
Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?
Yes, there is a local copy requirement applicable for banking secrecy information, which only applies to banks in Ukraine.
While the PDP does not require personal data to be stored in Ukraine or to have a local copy, there are general accounting and bookkeeping standards that require keeping electronic copies or hard copies of certain documents that might contain personal data for the purposes of tax, accounting, and other compliance, for example, payroll lists, lists of employees, etc.
What rights do data subjects have under the data protection regulations in Ukraine?
Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:
- the right to access the data subject’s own personal data;
- the right to rectify/correct the data subject’s own personal data where inaccurate or incomplete;
- the right to erasure of personal data;
- the right to restrict data processing;
- the right to data portability;
- the right to object to the processing of personal data;
- the right to withdraw consent;
- the right to know about the sources of collection, location of their personal data, purpose of their processing, location and/or place of residence (temporary residence) of the Controller or Processor of Personal Data, or to seek such information from authorized persons (unless an exception applies);
- the right to receive information about the circumstances in which personal data will be accessed, in particular information about third persons to whom their personal data are transferred;
- the right to receive a response about whether their personal data is processed and information on the content of their personal data within 30 days from the moment the relevant request was received (unless an exception applies);
- the right of protection of their personal data from illegal processing and accidental loss, destruction, damage due to deliberate concealment, failure to provide them or delay in providing such data, and protection from provision of data which are inaccurate or damaging to the honor, dignity, and business reputation of an individual;
- the right to lodge complaints about the processing of their personal data to the Commissioner or courts;
- the right to use legal remedies if there is a violation of personal data protection laws;
- the right to know about any automatic mechanism of processing of personal data;
- the right to be protected from automated decisions that have legal consequences for them.
What is the territorial application of the data privacy regime in your jurisdiction?
The PDP applies to all personal data processing (i.e., acquisition, registration, accumulation, storage, adaptation, modification, restoration, use, and distribution (dissemination, sale, transfer), depersonalization, and destruction) within the territory of Ukraine. However, enforcement of the PDP against legal entities and individuals without legal presence in Ukraine is not established at the moment.
What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?
Most obligations outlined in the PDP directly pertain to data controllers/owners. However, data processors/agents may also share responsibility for compliance.
It is essential to follow the below requirements of the PDP:
- obtain consent for data processing;
- collect and process personal data for specific purposes and avoid incompatible processing;
- process only the data essential for the stated purpose;
- maintain a record of processing activities;
- implement appropriate measures to comply with data privacy and security requirements;
- provide training to employees, etc.
What are the regulations and best practices concerning the retention and deletion of personal data in Ukraine?
Retention of personal data refers to maintaining the established access regime for that data. The retention period is specified either in the data subject’s consent or by legal requirements. After this period expires, the personal data must be securely destroyed.
According to the PDP, personal data must be destroyed or removed in the following cases:
- when the specified storage period expires, as outlined in the data subject’s consent or by legal requirements (some data storage terms cannot be shortened by consent);
- upon termination of legal relations between the data subject and the data controller/owner or data processor/agent, unless otherwise mandated by law; and/or
- when a court decision orders the removal of an individual’s data from a personal database.
Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?
The Ukrainian Parliament's Commissioner for Human Rights (also known as the Ombudsman) (Commissioner) oversees compliance with data protection legislation.
The PDP requires legal entities and individuals processing sensitive data to file the respective notice to the Commissioner.
Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Ukraine, and under what conditions?
The PDP requires legal entities and individuals processing sensitive data to appoint a personal data officer (DPO) or establish a specific division responsible for personal data protection.
At the same time, the PDP does not provide any specific requirements for a DPO. However, the Commissioner suggests appointing a director of the company, their deputy, HR manager, or compliance officer to the position of DPO, because the DPO will have access to all data and premises of the company.
How should data breaches be handled in your jurisdiction?
There is no requirement to report data security breaches or losses to the appropriate state authority.
The PDP provides that personal data protection regulations are enforced by the Commissioner and by the courts of Ukraine.
What are the potential penalties and fines for non-compliance with data protection regulations in Ukraine?
The Code of Ukraine on Administrative Offenses establishes administrative liability for the following violations of the PDP:
- failure to notify or delay in providing notice to the Commissioner regarding the processing of personal data or a change to the information submitted, which is subject to notification requirements under Ukrainian legislation, or submission of incomplete or false information: may result in a fine of up to approximately USD 230, and, if repeated within a year, up to approximately USD 1,150;
- non-fulfillment of legitimate requests (orders) of the Commissioner or determined state officials of the Commissioner's secretariat regarding the elimination or prevention of violations of personal data protection legislation: may result in a fine of up to approximately USD 580, and, if repeated within a year, up to approximately USD 1,150;
- non-compliance with the personal data protection procedure established by personal data protection law, which leads to illegal access to them or violation of the rights of the data subject: may result in a fine of up to approximately USD 580, and, if repeated within a year, up to approximately USD 1,150.
Criminal penalties, enforced by regulators and law enforcement, apply to the following:
- illegal processing of confidential information about a person or illegal alteration of such information is punishable by a fine of approximately USD 290-580 or correctional labor for up to two years, arrest for up to six months, or limitation of freedom for up to three years. The same actions committed repeatedly, or in cases where they have caused substantial harm to the person's rights, are punished by arrest for three to six months, restriction of liberty for three to five years, or imprisonment for the same term;
- unauthorized interference in the operation of computers, automated systems, computer networks, or telecommunication networks, which leads to leakage, loss, forgery, blocking of information, distortion of the information processing, or violation of the established order of its routing is punished by a fine of approximately USD 350-580, limitation of freedom for two to five years, or imprisonment for up to three years, with or without deprivation of the right to hold certain positions or engage in certain activities for up to two years. The same actions committed repeatedly, or by a prior conspiracy of a group of persons, or in cases where they have caused substantial harm, are punished by imprisonment for three to six years with deprivation of the right to hold certain positions or engage in certain activities for up to three years.
The PDP also prescribes for private remedies:
- recovery of monetary and/or moral damages (civil action).
Non-legal: Reputational harm and, in turn, potential loss of customer confidence and business opportunities.
Are there any noticeable patterns or trends in how enforcement is carried out in Ukraine?
New challenges in data privacy and cybersecurity are associated with the ongoing Russia-Ukraine conflict, which has heightened the need to protect personal data. Of particular note are changes regarding cloud services, processing of personal data during the period of martial law, providing medical services, and statistical activities.
The Commissioner is not very active with its enforcement activities at the moment because of the upcoming reform in the sphere of personal data protection. But gradually, the situation may change in the course of the next several years, depending on when the data privacy reform will be adopted and the National Commission for Personal Data Protection and Access to Public Information will be established.
How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Ukraine?
According to a recently adopted Law of Ukraine "On advertising," providers of video-sharing and information-sharing platforms, as well as audio and audiovisual services providers, are prohibited from processing personal data collected or otherwise obtained from children for commercial purposes such as direct marketing and profiling, including behavioral advertising.
Are there any expected changes in data protection on the horizon in the next 12 months in Ukraine?
Given the significant changes in international and, in particular, European standards of personal data protection, the Ukrainian parliament has developed two draft laws aimed at implementing the General Data Protection Regulation (EU) 2016/679 (GDPR) and the modernized Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 108+ in Ukraine.
On October 25, 2022, the Parliament of Ukraine registered the draft law "On Personal Data Protection" № 8153 (Draft Law on PPD), and, on October 11, 2021, the draft law "On the National Commission for Personal Data Protection and Access to Public Information" № 6177 (Draft Law on the DPA).
The Draft Law on PPD proposes, in particular, the following legislative novelties:
- unified and extended terminology (new terms defined: biometric data, data breach, genetic data, health data, overall annual turnover, pseudo-anonymization, profiling, data processing at massive scales, etc.);
- new principles on data processing (lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, accountability, etc.);
- updated grounds for processing and a new ground for processing, "legitimate interest";
- updated consent concept with clarified ways on how consent could be obtained, when consent cannot be considered as granted, and restrictions to use consent as a ground for processing when other grounds apply;
- updated concept of sensitive data with an extended list of grounds for processing such data.
In addition, the Draft Law on PPD:
- determines cases when representatives of controllers and processors not established in Ukraine shall be designated in Ukraine;
- prescribes the obligation of each controller (or the controller’s representative) to maintain a record of processing activities under its responsibility;
- obliges controllers to conduct regular data protection impact assessments (DPIA). Where the processing would result in a high risk, the controller shall have prior consultation with the data protection authority;
- specifies cases when the controller and processor shall appoint data protection officers (DPO) along with qualification requirements for such officers.
The Draft Law on PPD also prescribes a completely new range of different administrative fines that may be imposed on natural and legal persons violating the data protection regulations. The amount of fines differs depending on the severity of violations. For the most severe violations, the fine framework might be up to 5% of the company’s annual turnover, but not less than UAH 300,000 (approximately USD 10,100) per violation.
Turning to the second legislative initiative, the Draft Law on the DPA proposes to establish an independent government agency that would be responsible for both policymaking (adopting mandatory regulations) and enforcement (prosecuting infringers) in the sphere of data privacy and access to public information.
The National Commission for Personal Data Protection and Access to Public Information would have quasi-investigative functions and would be able to investigate violations with the help of experts in technology and other spheres.
The main powers of the DPA would be the following:
- obtain information necessary for its activities, including confidential and with restricted access, from any individual company or organization;
- receive access to information and telecommunication systems, registers, and data banks, including information with limited access, whose owner (administrator) is a state body or local authority, using state (including government) means of communication, special communication networks, and other technical means;
- receive information from databases and registers of foreign countries, including paid information, if that is required for its access to information;
- investigate possible violations of the law of Ukraine "On Personal Data Protection" and the law of Ukraine "On Access to Public Information" based on complaints as well as on its own initiative;
- collect from government and private companies, organizations, employees, and individuals written explanations on the circumstances that may indicate a violation of the corresponding laws;
- apply to the courts for enforcement of corresponding laws;
- issue fines to controllers and processors of personal data;
- have access to personal data processed by the controller and/or processor and necessary for the performance of its duties.
The Draft Law on the DPA establishes new (additional) fines. Non-compliance with decisions/requests of the DPA and/or failure to provide the DPA with access for the purposes of investigating the activities of the company or individual would result in:
- a fine in the amount of UAH 20,000 to UAH 100,000 (approximately USD 678 to USD 3,390) for individuals, and for legal entities in the amount of 0.5% to 1% of the total annual turnover of such legal entity for the previous year, but not less than 3,000 tax-free minimum incomes (approximately USD 1,729);
- a fine of 200% of the previous fine for each subsequent non-compliance.
The Parliament is expected to adopt both drafts and other necessary regulatory norms to launch the data privacy reform as a part of the integration into the EU Digital Single Market, implementation of the EU legislation as required by the EU-Ukraine Association Agreement, and the wider government digital agenda. However, taking into account the martial law in Ukraine, it is not yet clear when these drafts will get back to the Parliament's agenda.