Application of GDPR in Ukraine: Case Analysis
GDPR, as one of the most influential personal data protection acts, has a distinctive feature in its scope — extraterritoriality, meaning the extension of the law’s reach beyond the EU. Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria:
- “establishment” — means that the processing of personal data is carried out by an establishment located on the territory of the EU;
- “targeting” — means that the GDPR may apply to the processing of personal data carried out by a controller or processor located outside the EU.
If one of the two criteria is met, the provisions of the GDPR will apply to the processing of personal data. It is therefore critically important for controllers and processors — including Ukrainian companies — to conduct a thorough analysis of their personal data processing activities in order to determine whether such processing falls within the scope of the GDPR. Let us examine several likely scenarios for Ukrainian businesses.
Ukrainian Company Provides Services to EU Residents
Since the GDPR does not contain a definition of “establishment,” the Court of Justice of the EU in the Weltimmo case (C-230/14) noted that the concept of “establishment” extends to any real and effective activity — even a minimal one — carried out on the basis of stable arrangements. Such arrangements arise, for example, when services are provided online. At the same time, the place of data processing is irrelevant if the establishment’s activity is directed at the European market — the GDPR will apply in any case.
Therefore, even though the company is registered or incorporated in Ukraine, only the “targeting” criterion, that is, whether its activity is directed at the European market, is taken into account. If you plan to sell your goods and services to the EU (for example, through an online store), you will have to comply with the provisions of the GDPR. Be particularly careful, therefore, if you add regional languages of EU countries, local currencies, or other signs of targeting a specific market to your website: the regulator pays attention to these if it receives a complaint from a consumer about the company’s non-compliance with GDPR requirements.

B2B Cooperation with a European Partner
Let us consider a situation where a Ukrainian company provides its services to a European company (for example, a European company uses a Ukrainian CRM platform to sell services to its clients). In this case, the key factor determining the application of GDPR provisions to the Ukrainian company is its role as a processor. In order to determine whether the data processing carried out by the processor falls within the scope of the GDPR pursuant to Article 3(2), it is necessary to check whether the controller transfers personal data of EU residents to the processor. This includes both persons permanently residing in EU member states and visitors to those countries — for example, if the controller sells services to tourists staying in European hotels.
It is the controller that decides what data to transfer to other companies for further processing. Even if the processor offers a comprehensive technical solution for the collection and processing of data, the controller remains responsible for the use of that solution, including for the processing of personal data.
Therefore, if the data processing activity carried out by the controller relates to the offering of goods or services or to the monitoring of the behavior of individuals in the European Union, any processor entrusted with carrying out such data processing activity on behalf of the controller will be subject to the GDPR, directly or indirectly.
Please note: if you open a local European company to work with clients in the EU (or clients interested in the European market), the GDPR will apply directly. The GDPR contains obligations for both controllers and processors, so even if you create a B2B solution and provide it as software for use by other companies, this will not constitute an exception from the GDPR.
In most cases, companies that create B2B solutions must comply with GDPR requirements indirectly, through special data processing contracts concluded between the controller in the EU and the processor outside the EU. These agreements often replicate the requirements of the GDPR, frequently with additional specification and the controller’s own rules. A breach of such an agreement may lead both to problems with the European client (since the client will be responsible for the GDPR violation in that case and will have to respond to complaints and claims from data subjects) and to problems with European regulators (inspections, requests, and even a ban on operating in a specific market, as in the case of Clearview AI).
GDPR Compliance as a Competitive Advantage
Companies whose activities are not subject to GDPR norms, or which are only preparing to enter the European market, often decide independently to comply with GDPR requirements in their work with personal data.
Such a decision is not only adherence to best practices in personal data protection, but also a competitive advantage. The GDPR is considered one of the strictest personal data protection laws. Compliance with it therefore resolves several operational problems at once:
- increased user trust in your product;
- coverage of the requirements of several personal data protection laws of other countries at once, since many of them are built on the basis of the GDPR;
- easier interaction with users for support teams — they apply a single data handling script regardless of the physical location of the client or user;
- easier negotiations with corporate clients that have programs for verifying their contractors and business partners with respect to GDPR requirements, and so on.
In addition, some GDPR requirements can only be met if prepared for in advance — for example, with regard to adequate information security measures and data protection by design/default. This way you will be able to avoid an endless cycle of technical debt, as you will have all the necessary systems and modules for data processing in place and will be able to attract new clients immediately, without spending time on additional development, testing, and release.

Regulatory Practice Regarding the Extraterritorial Application of GDPR
SAN-2020-016 (CNIL, France)
At the time of the audit, the company’s director informed CNIL that the company’s operational activities were being carried out from Morocco, that he intended in the near future to cease the company’s activities in France and transfer them entirely to Morocco, and that the GDPR therefore did not apply in this case.
Pursuant to Article 3 of the GDPR, CNIL retained its jurisdiction and confirmed the application of the GDPR, since the company was registered in France and sent its advertising messages exclusively to a French audience.
161/2022 (APD/GBA, Belgium)
A data subject had twice received marketing emails from a controller in the USA. This controller aimed to create a platform for discussing the challenges and achievements of Jewish women, offering writing workshops and selling a book that was available only in English. The controller did not accept euros as a payment currency. The book could only be delivered to addresses in the USA, Canada, and Israel. The data subject claimed to have never had any contact with the controller.
The regulator determined that there was no “offering of goods and services” specifically to data subjects in the EEA. Such an “offering of goods and services” must be understood as an offering directed specifically, and not incidentally, at data subjects in the EEA. In the present case, the only available language for the book and the workshops was English, the book could only be delivered to the USA, Canada, and Israel, and payment was only possible in dollars and shekels. Accordingly, there was no offering of goods and services.
Do the GDPR Requirements Apply to Your Company?
Contact us for assistance with GDPR compliance.
If you have questions or difficulties with complying with GDPR requirements, we will be happy to help you! The lawyers of Legal IT Group have extensive successful experience in advising on and implementing GDPR compliance for businesses.