Ukraine: Getting The Deal Through - Data Protection & Privacy 2014

Last Updated: 30 September 2013
Article by Oleksander Plotnikov and Oleksander Zadorozhnyy

Law and the regulatory authority

1 Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?

The legislative framework in the sphere of protection of PII in Ukraine consists of the Constitution of Ukraine, international conventions, Laws of Ukraine, the Decrees of the President of Ukraine, the relevant Resolutions of the Cabinet of Ministers of Ukraine, as well as the Decrees of the Ministry of Justice of Ukraine and various regulations of the State Service on Protection of Personal Data. The principal laws are:

  • the Law of Ukraine on Protection of Personal Data (Data Protection Law) dated 1 June 2010 and effective from 1 January 2011, with consequent amendments;
  • the Law of Ukraine on Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Regarding Supervisory Authorities and Trans-border Data Flows, dated 6 July 2010. Ukraine has been a party to this Convention since 1 January 2011;
  • the Law of Ukraine on Introduction of Amendments to Certain Legislative Acts of Ukraine Regarding Increasing Liability for Violation of Legislation on Protection of Personal Data, dated 2 June 2011;
  • the Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine on Improvement of the Personal Data Protection System, dated 3 July 2013; and
  • the Law of Ukraine on Information dated 2 October 1992. It should be noted that legislation in the sphere of protection of PII in Ukraine changes fairly often.

Ukraine is also a party to the European Convention on Human Rights and Fundamental Freedoms since 1997.

2 Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the powers of the authority.

At present the State Service on Protection of Personal Data (Service) is the central body of executive power, responsible for overseeing the Data Protection Law. It has, inter alia, the powers to register personal databases and maintain the State Register of Personal Databases, as well as to carry out scheduled and ad hoc inspections, impose mandatory orders on data owners and draw up administrative protocols in case of violations. It is also entrusted with the coordination of the corporate codes of conduct of professional associations, as well as issuing recommendations as to practical implementation of legislation in the sphere of protection of PII. The Service reports on its activity to the president, the Cabinet of Ministers and the Ukrainian parliament.

However, starting from 1 January 2014 the authorities of the Service will be transferred to the Human Rights Commissioner of the Parliament of Ukraine (Ombudsman). Thus, thereafter the Ombudsman will be responsible for overseeing the Data Protection Law. However, the obligation to register personal databases will be cancelled from 2014. At the same time, in separate cases the owners of personal data will be required to notify the Ombudsman about the processing of personal data.

3 Breaches of data protection Can breaches of data protection lead to criminal penalties? How would such breaches be handled?

Breaches of data protection can lead to civil, administrative or criminal liability. Criminal liability is foreseen for illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. In the case of such violation a criminal case will be initiated and investigated, and the final judgment made by a competent court.

Scope

4 Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Ukrainian Data Protection Law does not apply to processing PII by an individual exclusively for personal or household needs; or by an art or literature worker, including a journalist, for professional aims, provided that a balance between the right of non-interference of private life and the right to self-expression are ensured.

5 Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

These issues are regulated by other laws, but the Data Protection Law establishes a general principle under which the processing of personal data is not allowed without the consent of the individual, except for cases established by law, or in the interests of national security, economic welfare and human rights. Personal data is also referred to as information with limited access by the Data Protection Law.

6 Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

After the Data Protection Law became effective certain legislative acts in the health-care sector have been amended in order to comply with the Data Protection Law. For example, the Regulation on the Electronic Register of Patients, approved by the Resolution of the Cabinet of Ministers of Ukraine No. 546 on 6 June 2012, also provides that where the personal data of a patient is included in the Electronic Register of Patients, health-care institutions must obtain a patient's consent for processing his or her personal data.

The Deposit Guarantee Fund adopted the Order of Processing of Personal Data in the Sphere of Ensuring the Functioning of the System of Guaranteeing the Deposits of Individuals with its Decision No. 9 on 12 July 2012. The mentioned Order sets forth general requirements for organisational and technical measures for the protection of personal data during its processing in the personal databases of depositors-individuals and other individuals in the sphere of individual deposit protection. Ukrainian legislation also contains specific statutory rules regulating the protection of banking secrecy (information on the activity and financial standing of the client, which becomes known to the bank during the process of servicing the client and relations with him or her or with third parties while rendering of services of the bank). Processing and disclosure of banking secrecy is regulated by the Law on Banks and the Banking Activity and the relevant regulations of the National Bank of Ukraine. Credit history is also deemed to be confidential information and the peculiarities of its collection, processing and use are regulated by the Law on Organisation of Formation and Circulation of Credit Histories.

7 PII formats

What forms of PII are covered by the law?

The Data Protection Law applies to the activity on processing of personal data, which is executed fully or partially with the use of automatised means, as well as to the processing of personal data, which is contained in the card files or is intended to be included in the card files with the use of non-automated measures.

8 Extraterritoriality

Is the reach of the law limited to data owners and data processors established or operating in the jurisdiction?

The Data Protection Law does not contain an explicit provision in this respect; however, taking into account the other provisions of the Data Protection Law, its territorial application is limited to the territory of Ukraine only.

9 Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide services to owners?

The Data Protection Law covers the processing of personal data, which, according to the Data Protection Law, includes any action or a number of actions such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution (dissemination, realisation, transfer), depersonalisation or elimination of personal data, including with the use of information (automated) systems. Also, the Data Protection Law distinguishes between the owner of the personal data, the manager of the personal data and a third party. While the manager of personal data is a natural person or a legal entity empowered by the data owner or the law to process personal data on behalf of the data owner, the third party is any legal entity or individual, except for the individual concerned, the owner and the manager of the personal data (from 2014 this also includes the Ombudsman), to whom the owner or the manager of the personal data transfers the personal data in accordance with the law.

Apart from the manager of the personal data and a third party, the data owner (currently a legal entity or an individual who has obtained the consent of an individual to process personal data or is entitled to process personal data under the law) is responsible for registration of the respective database (until the end of 2013 only), for approval of the aim of processing personal data, for establishing the contents and the procedures of processing personal data, for obtaining an individual's consent for personal data processing and for informing an individual of his or her rights in connection with the personal data processing.

Legitimate processing of PII

10 Legitimate processing - grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner's legal obligations or if the individual has provided consent? Give details.

According to the general statutory rule processing of personal data is not allowed without consent of the individual (at which he or she can limit the right to process personal data by way of corresponding reservation), except for cases established by a law, and only in the interests of national security, economic welfare and human rights. The law also establishes that in the event that the processing of personal data is required for protection of vitally important interests of the person, the processing of such personal data is allowed without consent of the individual, but only until it becomes possible to obtain his or her consent.

In addition, each personal database must be registered with the Service (see question 2).

11 Legitimate processing - types of data

Does the law impose more stringent rules for specific types of data?

It is prohibited to process personal data on racial or ethnic origin, political, religious or outlook opinions, membership in political parties and professional associations, sentencing to criminal punishment, as well as data relating to health, sex life, biometric or genetic data (with the last two items to become effective from 2014). Such prohibition does not, however, apply in a number of cases, established by law. Among these exceptions are cases when a person provides explicit consent to processing such data, when processing such data is required within the scope of labour relations according to the law and this information is duly secured, when the concerned data was made explicitly public by the respective individual or when it is part of an investigative activity or counter-terrorism and is executed by a state body within its authorities determined by law.

Data handling responsibilities of owners of PII

12 Notification

Does the law require owners of PII to notify individuals whose data they hold? What must the notice contain and when must it be provided?

The law requires that the individual must be notified by the owner or manager of the personal data about the owner of personal data, the composition and contents of the collected personal data, his or her rights under the Data Protection Law, the purpose of collection of personal data, and any persons to whom his or her personal data is transferred. Such notification is due at the moment of collection of personal data from the individual or within 30 business days from the start of the collection of personal data. The 10-business day term is established for notification on transfer of personal data to third parties, unless the terms of the provided consent or the law establish otherwise. The same term is also established for notifications on change, deletion or erasing of personal data or restriction of access to it.

The Data Protection Law also establishes that if there is a change in the purpose of processing of personal data, which is incompatible with the initial purpose, in order to further process the personal data the owner of the personal data must obtain the consent of the respective individual for processing his or her personal data in accordance with the new purpose.

13 Exemption from notification

When is notice not required (for example, where to give notice would be disproportionate or would undermine another public interest)?

The above notification on the transfer of personal data to third parties is not required if the transfer is executed as a part of an investigative activity or counter-terrorism; by state bodies or local bodies within realisation of their statutory powers; or with historical, statistical or scientific purposes or if the notification of the subject of personal data is executed under the law.

14 Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

There is no such obligation for owners of personal data under the effective legislation.

15 Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

The Data Protection Law does not impose any particular standards in relation to quality, currency or accuracy. It provides that personal data has to be precise, true and should be updated as the need arises as determined by the aim of its processing.

Changes and amendments to personal data must be introduced by the owners or managers of personal data based on the application of a subject of the personal data or based on the application of other persons, related to personal data, if the person consented to this or the respective change is made based on the court judgment that entered into force. Starting from 2014, changes and amendments will also have to be introduced by the owners or managers of the personal data upon the order of the Ombudsman or the authorised officials of the secretariat of the Ombudsman.

The change of incorrect personal data is effected immediately after the discovery of the error.

16 Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The Data Protection Law provides that the composition and contents of personal data shall be commensurate with, adequate and not excessive with regards to the established purpose of their processing.

The duration of personal data processing is determined very vaguely. Namely, according to the Data Protection Law personal data shall be processed within a term, not exceeding the necessary term for its lawful designation.

According to the law personal data must be deleted from the database in the following cases:

  • expiry of the term of personal data keeping, determined by an individual's consent or by law;
  • termination of the legal relationship between an individual and the owner or manager of the personal data, unless otherwise established by law; and
  • a court decision requiring deletion of the personal data becomes effective.

In practice, it is advisable to establish the term of the personal data processing in internal regulations on personal data processing, as well as in the individual's consent, if possible.

17 Finality principle

Are the purposes for which PII can be used by owners restricted? Has the 'finality principle' been adopted?

The processing of personal data must be carried out for precise and lawful purposes, depending upon the consent of a person or in cases foreseen by laws of Ukraine.

In the event that the purpose of the personal data processing changes to a purpose incompatible with the initial purpose, new consent from the respective person must be obtained.

18 Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

In the case of a change of purpose of personal data processing to a purpose incompatible with the old purpose, new consent from the respective person must be obtained. The Data Protection Law does not establish any precise exceptions from this rule, but personal data may be used for the new purpose without a person's consent if it is required or allowed by a law in the interests of national security, economic welfare and human rights until it becomes possible to obtain the consent of the person.

Security obligations

19 Security obligations

What security obligations are imposed on data owners and entities that process PII on their behalf?

Security obligations of the PII owner stipulated by the Data Protection Law and resolutions of the Service are very broad and do not contain any requirements regarding technical matters. The Data Protection Law establishes that personal data refers to information with limited access. Therefore, the use of personal data by employees of the PII owner must be carried out only in accordance with their professional or labour duties. Such employees may not disclose in any way the information that has become known to them or entrusted to them in the course of their professional or labour duties. Such obligation continues after they terminate the activity, connected with personal data processing, except for cases established by law.

In addition, it is envisaged that the owner of the personal data must ensure the protection of personal data and determine either a structural unit or an employee responsible for protection of PII. Private entrepreneurs, including licensed medical doctors, attorneys and notaries must personally ensure protection of personal data in accordance with the law.

In the case of disclosure of PII, the PII owner must ensure compliance with the established regime of PII protection.

Furthermore, the law stipulates that access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.

20 Notification of security breach

Does the law include obligations to notify the regulator or individuals of breaches of security?

Currently the law does not provide for such obligation. Internal controls

21 Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer's legal responsibilities?

The appointment of a personal data protection officer or a responsible structural unit for data protection is mandatory. The Data Protection Law, however, does not establish the scope of such unit or officer's responsibilities. The Standard Order for Processing of Personal Data in Personal Databases, approved by the Service on 30 December 2011, provides that such officer, inter alia, must inform the employees on the requirements as to data protection, organise the work with data protection by respective employees, organise the processing of inquiries related to personal data, ensure access to personal data, inform the owner or the manager of the personal database on the breaches of established procedures for personal data processing and on measures necessary for the processing of personal data in accordance with the law.

Starting from 2014, the information on the responsible structural unit or officer for data protection will need to be notified to the Ombudsman, who will make it public. It is also established that such structural unit or officer will organise the work related to the protection of personal data at its processing, which includes informing and consulting the owner or manager of personal data on matters of adherence to the personal data protection laws and interaction with the Ombudsman regarding prevention and elimination of violations of legislation in this sphere.

22 Record keeping

Are owners of PII required to maintain any internal records or establish internal processes or documentation?

The owners of personal databases are required to establish internal processes for processing personal data, but there is no explicit obligation to maintaining any internal records.

Registration and notification

23 Registration

Are owners and processors of PII required to register with the supervisory authority? Are there any exemptions?

The owners of PII are required to register their PII databases and changes to them with the Service. According to the law, such registration is performed on an application basis. The Data Protection Law currently does provide for several exemptions to the registration requirement: for databases related to ensuring and realising labour relations; and databases of members of the public, religious organisations, professional unions and political parties.

Starting from 2014, the registration of personal databases will no longer be required. Due to the abolishment of the state registration of personal databases, the amended Data Protection Law stipulates that the owner of personal data will inform the Ombudsman about the processing of personal data if such processing constitutes a special risk for rights or freedoms of personal data subjects. It is also stipulated that the Ombudsman determines at his or her own discretion the types of personal data processing that constitutes a special risk to the rights or freedoms of personal data subjects, the categories of subjects obliged to notify the Ombudsman, as well as the form and the procedure for submitting such notices.

24 Formalities

What are the formalities for registration?

In order to register a personal database, the owner of such database should submit to the Service a corresponding application and obtain the certificate on state registration of personal database. According to the Data Protection Law the application shall contain the following information:

  • information about the PII owner;
  • name and address of location of the personal database;
  • purpose of the personal data processing;
  • third parties to whom personal data is transferred;
  • information on cross-border transfer of personal data;
  • information about the managers of the personal database (if any); and
  • acknowledgement of the obligation to fulfil provisions of the legislation on personal data protection.

The Service must adopt a decision on registration of personal database within 30 business days of receipt.

Currently no fee is payable for registration of personal databases or changes to personal databases.

The owner of personal database must inform the Service of any change of information necessary for the registration of personal database no later than 10 business days following such change.

25 Penalties

What are the penalties for a data owner or processor for failure to make or maintain an entry on the register?

Administrative liability is provided for failure to register a personal database or the amendments to it with the Service. Thus, a failure to register a personal database with the Service triggers a fine in amount of 5,100 to 17,000 hryvnas. Failure to notify the Service or untimely notification of the Service on change of information, which is submitted for the state registration of a personal database, entails a fine in amount of 1,700 to 6,800 hryvnas.

The fine may be imposed only by a court.

26 Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The Service may reject the registration only on formal grounds (ie, if the application for registration does not contain any of the necessary information which under the Data Protection Law is necessary for the application).

27 Public access

Is the register publicly available? How can it be accessed?

Effective legislation provides that state bodies, local authorities, state enterprises, institutions, organisations, other legal entities and individuals obtain access to the Register of Personal Databases through a website, managed by the administrator of the Register (currently a relevant division of the Ministry of Justice of Ukraine) by way of searching and review of information (including name of the personal database, information on the owner of personal database, the purpose of processing personal data etc) on personal databases. Currently, the website is https://rbpd.informjust.ua.

28 Effect of registration

Does an entry on the register have any specific legal effect?

The only legal effect is that the statutory requirements regarding personal database registration shall be deemed fulfilled.

Transfer and disclosure of PII

29 Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

At present, the Data Protection Law does not contain a specific provision in this respect. At the same time, it is established that the use of personal data by the owner of personal data includes, inter alia, actions on granting full or partial rights to the processing of personal data to other entities related to personal data, which is carried out upon the consent of the individual or in accordance with the law.

30 Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

According to the Data Protection Law the PII owner shall ensure fulfilment of the established data protection regime while disclosing the PII.

A recipient of the PII shall take measures aimed at compliance with the Data Protection Law prior to receipt of the respective PII. According to the general rule, the disclosure of PII is only possible provided the persons consent to it. Disclosure of PII without the consent of the relevant individual or his or her authorised person is allowed in cases established by law and only (if this is necessary) in the interests of national security, economic welfare and human rights.

An access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.

31 Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

The Data Protection Law establishes that the transfer of personal data abroad may be performed exclusively provided that the receiving state ensures due protection of personal data and in cases stipulated by the law of Ukraine or an international treaty of Ukraine.

Further, the Data Protection Law sets forth that EEA countries and those states that signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data are recognised as ensuring the due level of protection of personal data. Therefore, the transfer of personal data to these countries is allowed because the international treaties of Ukraine provide for such opportunity. In addition, the Cabinet of Ministers of Ukraine should determine the list of countries that are deemed to be compliant. However, as of today there is no such list.

Personal data may be transferred (disseminated) only for the purpose for which it was collected.

At the same time, the Data Protection Law further provides other cases when the cross-border transfer of personal data is possible:

(1) the subject of personal data granting direct consent for such transfer;

(2) the necessity to conclude or perform the transaction between the owner of the personal data and the third party - the subject of the personal data in favour of the subject of the personal data;

(3) the need to protect the vitally important interests of the subject of the personal data;

(4) the need to protect the public interest, establish, implement and support legal claims;

(5) the holder of the personal data granting corresponding guarantees of non-interference with the private and family life of the subject of personal data.

Therefore, the obtaining of consent of the individual would not be required if the cross-border transfer of personal data falls within one of the above cases (items 2-5 above).

It should be noted that the previous wording of the Data Protection Law explicitly stated that the consent of the subject of personal data is necessary for the cross-border transfer of personal data. However, the present edition of the same Law is not that precise any longer.

32 Notification of transfer

Does transfer of PII require notification to or authorisation from a supervisory authority?

No such notification to the Service is currently required. Although the individual shall be informed about such transfer in accordance with the Data Protection Law.

33 Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

There is currently no such requirement of further transfer notification.

Rights of individuals

34 Access

Do individuals have the right to see a copy of their personal information held by PII owners? Describe any limitations to this right. Individuals enjoy free-of-charge access to their personal data. The Data Protection Law provides that upon receipt of a written application an individual will be informed within no more than 30 calendar days whether his or her personal data are stored in a certain database and the contents of that data.

35 Other rights

Do individuals have other substantive rights?

Individuals have certain other substantive rights, in particular to know where, by whom and for what purpose their personal data is being processed; to obtain information on third parties to whom their personal data is transferred and the terms of granting access to personal data; to present a motivated demand to the owner of the personal data with an objection against processing their personal data; to present a motivated demand on a change or elimination of their personal data by the owner or the manager of the personal database, if such personal data is processed illegally or is false. Most importantly, in case of a breach of their rights in the sphere of the protection of personal data, individuals are entitled to address the authorised state bodies and officials or a court for protection, as well as make reservations as regards the limitation of the right for processing their personal data, granting the consent or recalling consent to process their personal data.

36 Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Improper processing of personal data may be a ground for a civil action on the part of an individual, whose rights have been violated. It should be noted that the Data Protection Law does not contain any specific provisions is this respect. Therefore, individuals claiming damages or compensation shall be guided by the general provisions of the civil legislation.

Update and trends

Legislation in the sphere of the protection of personal data in Ukraine is subject to constant change. For example, the Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine on Improvement of the Personal Data Protection System, dated 3 July 2013, is still awaiting the signature of the president as of the date of this publication. Initially, it was adopted by the Ukrainian parliament in the middle of May. However, the president vetoed it because the law foresaw the destruction of the State Register of Personal Databases, which contains a large volume of information that can be used for the purposes of data protection. The law was adopted for the second time in July after consideration of the president's suggestions. The likelihood of this law being signed is quite high. If signed, the law will become effective on 1 January 2014 and will change certain provisions of the effective Personal Data Protection Law, inter alia, replacing the Service with the Ombudsman and eliminating the necessity to register personal databases.

Another trend in the sphere of personal data protection relates to inspections undertaken by the Service. Recently, these inspections seem to focus more on those entities, which are trading through the internet (eg, internet shops and internet providers) with a particular focus on the regulation of gathering of personal data using internet technologies (such as cookies). Generally, cookies are not regulated in Ukraine. Therefore, Ukrainian companies currently tend to draft internal regulations on the use of cookies and other internet technologies as regards their use for purposes of collecting the personal data of the clients. The explanations of the Service are expected to follow soon.

37 Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

The Service is currently authorised to consider claims from legal entities and individuals and to issue mandatory demands (orders) on elimination of the violation of the Data Protection Law. Starting from 2014 such authorities will be vested with the Ombudsman.

The enforcement of rights is possible only based on a court decision.

Exemptions, derogations and restrictions

38 Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

No further particular derogations, exclusions or limitations are currently in place.

Supervision

39 Judicial review

Can data owners appeal against orders of the supervisory authority to the courts?

Yes, data owners may appeal against orders of the supervisory authority to the courts. Taking into consideration that personal data protection is rather new to Ukraine, the court practice in this regard has not yet been formed, but it will certainly emerge over the coming years.

40 Criminal sanctions

In what circumstances can owners of PII be subject to criminal sanctions?

Criminal liability is foreseen for illegal collection, storage, use, disposal, dissemination and change of confidential information about a certain person. Pursuant to the Law of Ukraine on Information, confidential information about a certain person includes any personal data of an individual. Foreseen punishment for commitment of such a crime is a fine in the amount of 8,500 to 17,000 hryvnas, corrective labour for up to two years, arrest for up to six months, or custodial restraint for up to three years.

41 Internet use

Describe any rules on the use of 'cookies' or equivalent technology.

This particular matter is not currently regulated in Ukraine. The Service has not issued specific explanations in this regard either.

42 Electronic communications marketing

Describe any rules on marketing by e-mail, fax or telephone.

These particular matters are currently not regulated in Ukraine.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Oleksander Plotnikov
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert
Email Address
Company Name
Password
Confirm Password
Mondaq Topics -- Select your Interests
Accounting and Audit
Anti-trust/Competition Law
Consumer Protection
Corporate/Commercial Law
Criminal Law
Employment and HR
Energy and Natural Resources
Environment
Family and Matrimonial
Finance and Banking
Food, Drugs, Healthcare, Life Sciences
Government, Public Sector
Immigration
Insolvency/Bankruptcy, Re-structuring
Insurance
Intellectual Property
International Law
Law Practice Management
Litigation, Mediation & Arbitration
Media, Telecoms, IT, Entertainment
Privacy
Real Estate and Construction
Strategy
Tax
Transport
Wealth Management
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.