Personal Data Protection in Ukraine: 7 Steps for Ukrainian Businesses
Are you conducting business in Ukraine? Do you want to avoid fines and reputational losses due to violations of personal data protection legislation? Are you confident that your business complies with all the requirements of the Law? If this question has given you pause, it is time to think about how to bring your business into compliance with the legislation.
Personal data protection is not boring bureaucracy, but a necessity for every business that processes personal data of clients, employees, and other data subjects. Complying with the Law of Ukraine “On Personal Data Protection” not only reduces the risk of fines — it is a signal to partners and clients: yes, we can be trusted!
In this article we will examine the key steps that will help Ukrainian businesses ensure effective personal data protection and avoid negative legal consequences.
A Few Words About Ukrainian Legislation
The Law of Ukraine “On Personal Data Protection” entered into force at the beginning of 2011 and became the first regulatory act in Ukraine to systematically regulate matters of processing and protecting personal data.
In addition to the Law itself, it is worth paying attention to three important subordinate acts:
- Standard Procedure for Processing Personal Data;
- Procedure for the Commissioner’s Supervision of Compliance with Personal Data Protection Legislation;
- Procedure for Notifying the Commissioner of Personal Data Processing That Poses a Special Risk to the Rights and Freedoms of Personal Data Subjects.
However, more than ten years have passed since the adoption of this law, and it has become significantly outdated given the modern development of information technologies. Moreover, it was based on Convention 108, which has now been superseded by a newer law — the GDPR.

Do we need an update to the legislation? Unquestionably, yes! Work is underway in Ukraine on updating the legislation in the field of personal data protection to bring it into line with European standards, in particular the GDPR.
The new draft law currently under consideration is intended to replace the current Law and remedy its shortcomings. However, when exactly this will happen is unknown. Ukrainian companies must therefore comply with the current legislation, as its requirements remain mandatory and violations can lead to legal consequences.
Key Provisions of the Law and Differences from the GDPR
You can read more about this topic in our previous publication: CCPA, GDPR, Law of Ukraine “On Personal Data Protection.” Are They the Same?
| Provision | Law | GDPR |
|---|---|---|
| Scope of application | The Law is a national-level legislative act, so its effect extends to the processing of personal data on the territory of Ukraine. Accordingly, companies that conduct activities on the territory of Ukraine must ensure compliance with its provisions. | The GDPR clearly defines the boundaries of its territorial jurisdiction, specifying that its effect extends to: the processing of personal data by a controller or processor established on the territory of the EU; and the processing of personal data by a controller or processor established outside the territory of the EU that nonetheless processes data of individuals located in the EU. |
| Personal data | The Law defines personal data as information or a set of information about an individual who is identified or can be specifically identified. | Personal data under the GDPR is a broader and more detailed category. |
| Legal bases | The Law establishes six bases on which the processing of a data subject’s personal data may be lawfully carried out. The primary basis is the data subject’s consent to the processing of their personal data. Other bases include the necessity of performing a contract with the data subject, the necessity of protecting the vital interests of the data subject, the necessity for the controller to fulfill the obligations placed upon them, etc. | The same bases are also provided for in the GDPR, but with slightly different wording. |
| Main roles | The Law clearly distinguishes the concepts of: the personal data owner, who determines the purpose and means of data processing; and the personal data administrator, who processes data on the instructions of the owner. | The concepts of personal data owner and administrator are very similar to those established in the GDPR for the controller and processor. |
| Data subject | Under the Law, a data subject is defined as an individual whose personal data is being processed. In its current version, the Law does not contain special provisions regarding the processing of data of minors. | The GDPR establishes that a data subject is an individual who is identified or can be identified. The GDPR establishes that for the processing of data of a person under 16 years of age, the consent of their parents or guardians must be obtained. |
| Rights of the data subject | The rights provided for by the Law are the same as in the GDPR, with the exception of the right to data portability. The list of such rights is contained in Article 8 of the Law. | The GDPR grants data subjects the right of access, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to be informed, the right to data portability, the right to object (right to refuse), the right not to be subject to a decision based solely on automated processing, and the right to withdraw consent. |
| Liability | The text of the Law contains a reference to the fact that established liability arises under the legislation for violations of its requirements. At the legislative level, the main body of liability is provided for in Article 188-39 of the Code of Administrative Offences of Ukraine (in the form of fines of varying amounts). In addition, Article 182 of the Criminal Code of Ukraine establishes liability for the dissemination of confidential information about a person or the unlawful modification of such information (up to restriction of liberty for a period of 3 years). | The GDPR introduced a clear distinction between types of penalties: 2% of total annual turnover or €10 million, whichever is higher — for violations of provisions on the processing of data of minors, obligations of the controller and processor, etc.; or 4% of total annual turnover or €20 million, whichever is higher — for violations of provisions on the principles of data processing, the rights of data subjects, the transfer of data to third countries, etc. |
Special Requirements of the Law of Ukraine on Personal Data Protection
Obligation to notify the Commissioner of the Verkhovna Rada of Ukraine for Human Rights of the processing of sensitive data
The personal data owner must notify the Commissioner of the Verkhovna Rada of any types of processing of personal data that pose a special risk to the rights and freedoms of personal data subjects.
Such types of processing include the processing of personal data regarding, in particular:
- racial, ethnic, and national origin;
- political, religious, or ideological beliefs;
- membership in political parties and/or organizations, trade unions, religious organizations, or public organizations of an ideological orientation;
- state of health, sexual life;
- biometric data, genetic data;
- administrative or criminal liability;
- the application of pre-trial investigation measures in respect of a person;
- the commission of various types of violence against a person;
- the location and/or routes of movement of a person.
Such a notification is submitted in the form and in accordance with the procedure defined by the Commissioner of the Verkhovna Rada.
Appointment of a structural unit or responsible person who organizes the work related to personal data protection
State authorities, local self-government bodies, and personal data owners or administrators that carry out personal data processing subject to notification under the Law must establish (designate) a structural unit or a responsible person who organizes the work related to personal data protection during such processing.
Information about such a unit or person is communicated to the Commissioner in accordance with the Law.
Cross-border transfer of personal data outside Ukraine
For the cross-border transfer of personal data, the personal data owner is obliged to ensure that the recipient country provides an adequate level of protection. In addition, the personal data owner may transfer personal data in the event of:
- the unambiguous consent of the personal data subject;
- the conclusion or performance of a transaction in the interests of the personal data subject;
- the protection of the vital interests of the personal data subject;
- the protection of the public interest or legal requirements;
- the provision of guarantees of non-interference in the private life of the personal data subject.
It is important to note that amendments to Article 30 of the Law of July 29, 2022, permit the transfer of personal data to foreign entities for the provision of medical and rehabilitation assistance using telemedicine during martial law and for six months after its termination. Personal data must be protected in accordance with the legislation of the country where medical practice is carried out.
A Step-by-Step Plan for Businesses to Ensure Compliance with the Law on Personal Data Protection
Step 1. Conduct a personal data audit
- Determine what personal data you collect (full name, contact information, payment information, etc.).
- Make sure you have legal bases for processing the data (consent, contract, legitimate interest).
- Assess whether sensitive personal data is being processed (health status, biometric data, political views).
- Determine whether your company is subject to the obligation to notify the Commissioner of the Verkhovna Rada for Human Rights. To do this it is necessary to:
  - assess whether your company processes personal data that poses a special risk to the rights and freedoms of personal data subjects;
  - submit a notification to the Commissioner of the Verkhovna Rada for Human Rights of the processing of such personal data (if necessary).
Step 2. Define the procedure for processing personal data
At this stage it is important to clearly define all aspects of personal data processing in your company. Formulate a detailed processing procedure, in particular:
- the method of collecting and accumulating personal data;
- the period and conditions for storing personal data;
- the conditions and procedure for changing, deleting, or destroying personal data;
- the conditions and procedure for transferring personal data and the list of third parties to whom personal data may be transferred;
- the procedure for access to personal data by persons who carry out processing, as well as by personal data subjects;
- measures to ensure the protection of personal data;
- the procedure for preserving information about operations related to the processing of personal data and access to them.
Step 3. Prepare internal documentation
- Develop a Privacy Policy — it must contain the purpose of collecting personal data, the rights of the data subject, the processing procedure, and other provisions in accordance with the Law.
- Create internal personal data processing policies for employees who have access to such data and define the obligations and rights of persons responsible for organizing the work related to personal data protection during their processing.
- Conclude written agreements with personal data administrators (for example, with IT contractors, CRM services, etc.).
- Develop other documentation related to the processing of personal data.
Step 4. Appoint a responsible person for personal data protection (where necessary)
If your business is subject to the requirements for appointing a structural unit or responsible person who organizes the work related to personal data protection (for example, if you process sensitive personal data), you are obliged to:
- Assess whether processing of personal data that poses a special risk to the rights and freedoms of personal data subjects is being carried out.
- Appoint such a responsible person or create a separate unit to monitor compliance with the legislation.
Step 5. Assess the compliance of countries for the transfer of personal data (where necessary)
If you plan to carry out cross-border transfer of personal data it is necessary to:
- Check whether such a country (1) is part of the European Economic Area, (2) has signed Council of Europe Convention No. 108, or (3) is a member of IOSCO.
- If none of the above applies — check the list of states defined by the Cabinet of Ministers of Ukraine (in particular, those contained in Resolution No. 910).
- Check whether another method of transfer provided for by the Law can be applied.
Step 6. Ensure the security and protection of personal data
- Define the list and composition of measures aimed at the security of personal data processing, taking into account the requirements of legislation in the fields of personal data protection and information security. In particular, these measures must prevent the accidental loss or destruction of personal data and its unlawful processing, including unlawful destruction of, or access to, personal data.
- Implement technical and organizational security measures:
  - encryption and data backup;
  - access control (restricting access to personal data to authorized persons only);
  - an action plan for unauthorized access to personal data, damage to technical equipment, or emergency situations.
Step 7. Regularly review and update policies
- Analyze changes in legislation (in particular, the forthcoming new law on personal data).
- Regularly update the privacy policy, internal documentation, and agreements.
- Train employees on personal data protection rules.
Conclusion
Although the Law of Ukraine “On Personal Data Protection” is significantly inferior to the GDPR in terms of the level of detail and no longer fully corresponds to modern realities and European standards, its requirements remain mandatory for all companies that work with personal data.
The expected new personal data protection law is intended to remedy the current shortcomings, make Ukrainian legislation more effective, and bring it closer to EU standards. However, businesses already need to pay attention to the proper processing of personal data, the implementation of security policies, and the raising of employee awareness, in order to minimize risks and prepare for new rules.
Therefore, compliance with the requirements of the Law is not only an obligation, but an investment in the future of your business.
Do not delay — if you have questions or need an audit and the preparation of documentation, contact us and we will promptly help your business comply with all requirements of personal data protection legislation.