After years of paralysis, Ukrainian business-related legislation is undergoing major changes. For instance, a new tax code came into effect in the New Year, and we can already hear the protests associated with the proposed new labor code. Meanwhile, completely undetected, a new law has quietly entered into force on January 1, 2011, entitled the Law of Ukraine No. 2297-VI "On Protection of Personal Data", dated June 1, 2010 (hereinafter the "PDP Law").
The PDP Law is based on the framework EU Directive 95/46/EC on
the protection of individuals with regard to the processing of
personal data and on the free movement of such data, but provides a
more detailed legislative base for data protection in Ukraine. The
good news is that by implementing the PDP Law, Ukraine is bringing
its legislation into closer compliance with European standards,
perhaps with the eventual hope of European integration. However,
the PDP Law leaves open the usual questions of implementation and
enforcement surrounding other Ukrainian laws.
With the above background in mind, we will provide a brief overview of the data protection rules in Ukraine. Similar to Directive 95/46/EC, the PDP Law applies to data processed both by automated means and non-automated filing systems gathered by Ukrainian legal entities and natural persons. Personal data is defined under the PDP Law as information about an individual who may be specifically identified. The primary sources of information may be documents issued to an individual, documents signed by an individual and information provided by an individual about them.
The PDP Law does not apply to databases and personal data processed by natural persons for non-professional personal or household needs, journalists for their official or professional duties, and professional creative specialists. Notably, Directive 95/46/EC does not refer to the latter two categories.
Specifically, the PDP Law applies to legal entities or natural persons, who by law or at the consent of a data subject are granted the right to process personal data and who confirm the purpose for processing personal data within their databases. These are referred to as "owners" or "controllers" of personal databases, the latter being those companies or persons who are contracted to process an owner's database. The law specifically applies to licensed doctors, lawyers and notaries. While the PDP Law does not explicitly state so, it could also be applied to such institutions as banks, insurance companies, employment agencies, law firms, discount card systems and other businesses that collect, register, accumulate, store, adapt, amend, use, distribute, transfer, sell or destroy personal data of Ukrainian citizens.
The fundamental principle applicable to personal data processing under the PDP Law is that all steps in data collection, storage and processing, must have the consent of the data subject. This is not a novelty in Ukraine, as the Law of Ukraine No. 2657 "On Information", dated October 2, 1992, required the consent of any individual before his/her information could be collected and processed in Ukraine and/or abroad. However, the PDP Law expands the consent requirement to include consent to the volume, purpose, content and amendment to personal data. Pursuant to the PDP Law, any data processed must be collected for a specific, lawful purpose and must be precise, accurate and, where necessary, kept up-to-date. Note that there is no mention of marketing purposes anywhere in its text.
As a narrow exception, the processing of personal data in Ukraine may be effectuated without consent only in the interests of national security, human rights, protection of the individual in question's vital interests (until such time as consent may be given) and "economic welfare". The PDP Law does not further elaborate on the definition of "economic welfare," whereas Directive 95/46/EC is only a bit more specific in stating "important economic or financial interests of a Member State or of the European Union".
The PDP Law does not permit the processing of personal data regarding race or ethnicity, political, religious or ideological conviction, membership in a political party and professional unions or health or sex life. It is interesting to note that while Directive 95/46/EC does not mention "membership in a political party", Ukraine (which is notorious for having many politicians who double as businessmen or oligarchs) has specifically restricted the storage and processing of data that reveals any political party affiliation. The aforementioned restrictions do not apply in cases when such personal data is processed upon the unambiguous consent of the data subject or when it is necessary to process personal data to exercise rights and perform obligations in labor relations according to law.
Importantly, under the PDP Law, all data subjects enjoy certain integral and inviolable rights, such as the rights to (i) know the location of all databases containing their personal data, (ii) the receipt of full information about the owner or controller of their personal data, (iii) free of charge access to their personal data, (iv) demand changes, restriction or destruction of personal data, (v) object, on legitimate grounds, to the processing of their personal data by state bodies, etc. Data subjects also have the right to protection of their personal data by the public authority responsible for data protection issues, specifically with respect to any damages incurred from unlawful disclosure and the provision of false personal data to third parties, including information which can damage an individual's business reputation. Data subjects must be notified in writing of all of their rights connected to their personal data held in any database.
The PDP Law requires state registration of all databases containing personal data. For this purpose, the state personal data protection body will maintain a state register of personal databases if and when the Cabinet of Ministers approves the said state body's regulations. As of today, the Ukrainian government has yet to create the executive body charged with data protection issues.
Generally, the registration procedure will entail the submission by the database owner of an application containing information about the owner, the name and location of the database, the purpose for processing personal data in the database, the controller(s), if any, of the database, and confirmation of all personal data protection measures provided by law. If all registration documents are in order, the owner of the database will receive a certificate of registration within ten working days.
While an individual's access to his or her personal data is free of charge, third parties may access personal data only with the consent of the data subject and payment of the owner's fees (set by the Cabinet of Ministers) for issuing a data subject's personal information. The owner's or controller's employees are obligated to use or disclose personal data only within their official capacity, and this obligation remains with such employees even after they have left their official position. Of course, the data subjects must be notified regarding the transfer of their personal data to third parties if their consent was subject to such condition.
Personal data may also be transferred to foreign personal data processors on the condition that their countries have a sufficient level of data protection, presumably comparable to Directive 95/46/EC, the relevant permit, and the recipient uses the personal data for the same purposes for which it was collected. Naturally, this provision brings up a number of difficult issues, including but not limited to: who issues the said permit and when? How will the Ukrainian authorities verify whether countries other than EU Member States have the required data protection rules? How can the issue of the collection purpose be controlled or verified?
Overall, the Ukrainian PDP Law covers all of the issues required by Directive 95/46/EC as well as issues more relevant to Ukrainian society, such as state use, business reputation and labor protection. While the time is moving quickly toward the January 1st effective date, it is highly doubtful that the Ukrainian government will be able to resolve some of the open-ended issues left by the PDP Law. Alas, the Ukrainian government has not yet created the relevant public authority responsible for monitoring personal data protection issues, it has not yet set up the electronic database of registered owners and controllers of personal data, and it has not yet issued the model procedure for processing personal data, including personal data deemed banking secrets, as required by the PDP Law. With the tax and labor codes in the forefront of the battleground, it seems that these issues may remain open for quite some time despite the existence of the PDP Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.