We would like to inform you that the Law of Ukraine No. 3454
"On Amendments to Certain Legislative Acts of Ukraine to
Increase Liability for Violation of Personal Data Protection
Law" comes into force on July 1, 2012.
The key provision of this law establishes liability for company
officials who fail to register a personal data base with the
Ukrainian authorities. For now, such liability takes the form of
a monetary (administrative) fine of up to 17,000 UAH (about 2,000
USD). Note, however, that the Criminal Code will also be amended
in light of these changes, providing for the arrest of any
guilty officials for up to six (6) months or even imprisonment for
a period of up to three (3) years.
Registration of the personal data base is only one of the
material aspects of the Law of Ukraine No. 2297-VI "On Personal
Data Protection," dated June 1, 2010, which came into force as of
January 1, 2011 (hereinafter, "the Law"). Apart from registration
of the personal data base, the Law imposes the following two other
basic responsibilities on the owner of a personal data base:
obtaining consent for the processing of personal data;
notifying the person (i.e., the subject of personal data)
about his/her rights.
Thus, the personal data contained in a data base may be
processed exclusively on the basis of legal grounds. The key
to compliance is obtaining the written consent of the person whose
personal data is processed to such processing.
Importantly, the Law prohibits the processing of personal data on
racial or ethnic origin, political, religious or philosophical
beliefs, membership in political parties and trade unions, as well
as data concerning health or sexual life (unless the unambiguous
consent of the person is obtained).
Based on the foregoing, in the context of an employment relationship
any employer is technically considered an owner of personal data.
Accordingly, an employee may be allowed to work only after
his/her consent to the processing of his/her personal data is obtained.
As in the employment relationship, any holder of personal data
should obtain the relevant consent from its clients, customers,
contractors and any other subjects of personal data.
To summarize, in order to bring the relationship between the
holders of a personal data base and the subjects of personal data
into compliance, it is necessary to obtain from the subjects of
personal data the respective consent granting permission to
process such data.
In light of the foregoing requirements, please let us know if
you wish to receive a draft of the application form, which you may
offer to the subjects of personal data in order to obtain their consent.
Otherwise, your company's officials may be held liable for
any fines resulting from failure to comply with this
requirement.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.