Law and the regulatory authority
1 Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?
The legislative framework in the sphere of protection of PII in Ukraine consists of the Constitution of Ukraine, international conventions, Laws of Ukraine, the Decrees of the President of Ukraine, the relevant Resolutions of the Cabinet of Ministers of Ukraine, as well as the Decrees of the Ministry of Justice of Ukraine and various regulations of the State Service on Protection of Personal Data. The principal laws are:
- the Law of Ukraine on Protection of Personal Data (Data Protection Law) dated 1 June 2010 and effective from 1 January 2011, with consequent amendments;
- the Law of Ukraine on Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Regarding Supervisory Authorities and Trans-border Data Flows, dated 6 July 2010. Ukraine has been a party to this Convention since 1 January 2011;
- the Law of Ukraine on Introduction of Amendments to Certain Legislative Acts of Ukraine Regarding Increasing Liability for Violation of Legislation on Protection of Personal Data, dated 2 June 2011;
- the Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine on Improvement of the Personal Data Protection System, dated 3 July 2013; and
- the Law of Ukraine on Information dated 2 October 1992.
It should be noted that legislation in the sphere of protection of PII in Ukraine changes fairly often.
Ukraine has also been a party to the European Convention on Human Rights and Fundamental Freedoms since 1997.
2 Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the powers of the authority.
At present the State Service on Protection of Personal Data (Service) is the central body of executive power, responsible for overseeing the Data Protection Law. It has, inter alia, the powers to register personal databases and maintain the State Register of Personal Databases, as well as to carry out scheduled and ad hoc inspections, impose mandatory orders on data owners and draw up administrative protocols in case of violations. It is also entrusted with the coordination of the corporate codes of conduct of professional associations, as well as issuing recommendations as to practical implementation of legislation in the sphere of protection of PII. The Service reports on its activity to the president, the Cabinet of Ministers and the Ukrainian parliament.
However, starting from 1 January 2014 the powers of the Service will be transferred to the Human Rights Commissioner of the Parliament of Ukraine (Ombudsman). Thereafter the Ombudsman will be responsible for overseeing the Data Protection Law. At the same time, the obligation to register personal databases will be abolished from 2014, although in certain cases the owners of personal data will be required to notify the Ombudsman about the processing of personal data.
3 Breaches of data protection
Can breaches of data protection lead to criminal penalties? How would such breaches be handled?
Breaches of data protection can lead to civil, administrative or criminal liability. Criminal liability is foreseen for illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. In the case of such violation a criminal case will be initiated and investigated, and the final judgment made by a competent court.
4 Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Ukrainian Data Protection Law does not apply to the processing of PII by an individual exclusively for personal or household needs, or by an artist or writer, including a journalist, for professional purposes, provided that a balance between the right to non-interference in private life and the right to self-expression is ensured.
5 Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
These issues are regulated by other laws, but the Data Protection Law establishes a general principle under which the processing of personal data is not allowed without the consent of the individual, except in cases established by law, or in the interests of national security, economic welfare and human rights. The Data Protection Law also classifies personal data as information with limited access.
6 Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
After the Data Protection Law became effective certain legislative acts in the health-care sector have been amended in order to comply with the Data Protection Law. For example, the Regulation on the Electronic Register of Patients, approved by the Resolution of the Cabinet of Ministers of Ukraine No. 546 on 6 June 2012, also provides that where the personal data of a patient is included in the Electronic Register of Patients, health-care institutions must obtain a patient's consent for processing his or her personal data.
The Deposit Guarantee Fund adopted the Order of Processing of Personal Data in the Sphere of Ensuring the Functioning of the System of Guaranteeing the Deposits of Individuals with its Decision No. 9 on 12 July 2012. The Order sets forth general requirements for organisational and technical measures for the protection of personal data during its processing in the personal databases of individual depositors and other individuals in the sphere of individual deposit protection.
Ukrainian legislation also contains specific statutory rules regulating the protection of banking secrecy (information on the activity and financial standing of the client which becomes known to the bank while servicing the client and in its relations with him or her or with third parties in the course of rendering banking services). The processing and disclosure of banking secrecy is regulated by the Law on Banks and Banking Activity and the relevant regulations of the National Bank of Ukraine. Credit history is also deemed to be confidential information, and the particular rules for its collection, processing and use are set out in the Law on Organisation of Formation and Circulation of Credit Histories.
7 PII formats
What forms of PII are covered by the law?
The Data Protection Law applies to the processing of personal data carried out fully or partially by automated means, as well as to the processing of personal data that is contained in, or intended to be included in, card files without the use of automated means.
Is the reach of the law limited to data owners and data processors established or operating in the jurisdiction?
The Data Protection Law does not contain an explicit provision in this respect; however, taking into account the other provisions of the Data Protection Law, its territorial application is limited to the territory of Ukraine only.
9 Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide services to owners?
The Data Protection Law covers the processing of personal data, which, according to the Data Protection Law, includes any action or a number of actions such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution (dissemination, realisation, transfer), depersonalisation or elimination of personal data, including with the use of information (automated) systems. Also, the Data Protection Law distinguishes between the owner of the personal data, the manager of the personal data and a third party. While the manager of personal data is a natural person or a legal entity empowered by the data owner or the law to process personal data on behalf of the data owner, the third party is any legal entity or individual, except for the individual concerned, the owner and the manager of the personal data (from 2014 this also includes the Ombudsman), to whom the owner or the manager of the personal data transfers the personal data in accordance with the law.
Apart from the manager of the personal data and a third party, the data owner (currently a legal entity or an individual who has obtained the consent of an individual to process personal data or is entitled to process personal data under the law) is responsible for registration of the respective database (until the end of 2013 only), for approval of the aim of processing personal data, for establishing the contents and the procedures of processing personal data, for obtaining an individual's consent for personal data processing and for informing an individual of his or her rights in connection with the personal data processing.
Legitimate processing of PII
10 Legitimate processing - grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner's legal obligations or if the individual has provided consent? Give details.
According to the general statutory rule, the processing of personal data is not allowed without the consent of the individual (in which he or she may limit the right to process the data by making a corresponding reservation), except in cases established by law, and only in the interests of national security, economic welfare and human rights. The law also establishes that where the processing of personal data is required to protect the vitally important interests of the person, such processing is allowed without the consent of the individual, but only until it becomes possible to obtain his or her consent.
In addition, each personal database must be registered with the Service (see question 2).
11 Legitimate processing - types of data
Does the law impose more stringent rules for specific types of data?
It is prohibited to process personal data on racial or ethnic origin, political, religious or ideological beliefs, membership of political parties and professional associations, criminal sentences, as well as data relating to health, sex life, and biometric or genetic data (with the last two items to become effective from 2014). This prohibition does not, however, apply in a number of cases established by law. Among these exceptions are cases where the person gives explicit consent to the processing of such data, where the processing is required within the scope of labour relations according to the law and the information is duly secured, where the data concerned was explicitly made public by the respective individual, or where the processing is part of an investigative or counter-terrorism activity carried out by a state body within the powers determined by law.
Data handling responsibilities of owners of PII
Does the law require owners of PII to notify individuals whose data they hold? What must the notice contain and when must it be provided?
The law requires that the individual be notified by the owner or manager of the personal data about the owner of the personal data, the composition and contents of the collected personal data, his or her rights under the Data Protection Law, the purpose of collecting the personal data, and any persons to whom his or her personal data is transferred. Such notification is due at the moment of collection of personal data from the individual or within 30 business days from the start of the collection of personal data. A 10-business-day term is established for notification of the transfer of personal data to third parties, unless the terms of the consent provided or the law establish otherwise. The same term applies to notifications of the change, deletion or erasure of personal data or the restriction of access to it.
The Data Protection Law also establishes that if there is a change in the purpose of processing of personal data, which is incompatible with the initial purpose, in order to further process the personal data the owner of the personal data must obtain the consent of the respective individual for processing his or her personal data in accordance with the new purpose.
13 Exemption from notification
When is notice not required (for example, where to give notice would be disproportionate or would undermine another public interest)?
The above notification of the transfer of personal data to third parties is not required if the transfer is executed as part of an investigative or counter-terrorism activity; by state bodies or local bodies in the exercise of their statutory powers; for historical, statistical or scientific purposes; or if the subject of the personal data is notified under the law.
14 Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
There is no such obligation for owners of personal data under the effective legislation.
15 Data accuracy
Does the law impose standards in relation to the quality, currency and accuracy of PII?
The Data Protection Law does not impose any particular standards in relation to quality, currency or accuracy. It provides only that personal data must be accurate and true and must be updated as the need arises, as determined by the purpose of its processing.
Changes and amendments to personal data must be made by the owners or managers of personal data on the application of the subject of the personal data, or on the application of other persons related to the personal data if the subject has consented to this, or where the respective change is made on the basis of a court judgment that has entered into force. Starting from 2014, changes and amendments will also have to be made by the owners or managers of the personal data upon the order of the Ombudsman or the authorised officials of the secretariat of the Ombudsman.
The change of incorrect personal data is effected immediately after the discovery of the error.
16 Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
The Data Protection Law provides that the composition and contents of personal data must be relevant, adequate and not excessive in relation to the established purpose of their processing.
The duration of personal data processing is defined only vaguely: according to the Data Protection Law, personal data may be processed for no longer than is necessary for its lawful purpose.
According to the law personal data must be deleted from the database in the following cases:
- expiry of the term of personal data keeping, determined by an individual's consent or by law;
- termination of the legal relationship between an individual and the owner or manager of the personal data, unless otherwise established by law; and
- a court decision requiring deletion of the personal data becomes effective.
In practice, it is advisable to establish the term of the personal data processing in internal regulations on personal data processing, as well as in the individual's consent, if possible.
17 Finality principle
Are the purposes for which PII can be used by owners restricted? Has the 'finality principle' been adopted?
The processing of personal data must be carried out for precise and lawful purposes, as defined by the consent of the individual or in cases provided for by the laws of Ukraine.
In the event that the purpose of the personal data processing changes to a purpose incompatible with the initial purpose, new consent from the respective person must be obtained.
18 Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
In the case of a change of purpose of personal data processing to a purpose incompatible with the old purpose, new consent from the respective person must be obtained. The Data Protection Law does not establish any precise exceptions from this rule, but personal data may be used for the new purpose without a person's consent if it is required or allowed by a law in the interests of national security, economic welfare and human rights until it becomes possible to obtain the consent of the person.
19 Security obligations
What security obligations are imposed on data owners and entities that process PII on their behalf?
The security obligations of the PII owner stipulated by the Data Protection Law and the resolutions of the Service are very broad and do not contain any requirements regarding technical matters. The Data Protection Law establishes that personal data is information with limited access. Therefore, the use of personal data by employees of the PII owner must be carried out only in accordance with their professional or labour duties. Such employees may not disclose in any way information that has become known to them or has been entrusted to them in the course of their professional or labour duties. This obligation survives the termination of their personal data processing activity, except in cases established by law.
In addition, it is envisaged that the owner of the personal data must ensure the protection of personal data and determine either a structural unit or an employee responsible for protection of PII. Private entrepreneurs, including licensed medical doctors, attorneys and notaries must personally ensure protection of personal data in accordance with the law.
In the case of disclosure of PII, the PII owner must ensure compliance with the established regime of PII protection.
Furthermore, the law stipulates that access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.
20 Notification of security breach
Does the law include obligations to notify the regulator or individuals of breaches of security?
Currently the law does not provide for such an obligation.
Internal controls
21 Data protection officer
Is the appointment of a data protection officer mandatory? What are the data protection officer's legal responsibilities?
The appointment of a personal data protection officer or a responsible structural unit for data protection is mandatory. The Data Protection Law, however, does not establish the scope of such unit or officer's responsibilities. The Standard Order for Processing of Personal Data in Personal Databases, approved by the Service on 30 December 2011, provides that such officer, inter alia, must inform the employees on the requirements as to data protection, organise the work with data protection by respective employees, organise the processing of inquiries related to personal data, ensure access to personal data, inform the owner or the manager of the personal database on the breaches of established procedures for personal data processing and on measures necessary for the processing of personal data in accordance with the law.
Starting from 2014, the information on the responsible structural unit or officer for data protection will need to be notified to the Ombudsman, who will make it public. It is also established that such structural unit or officer will organise the work related to the protection of personal data at its processing, which includes informing and consulting the owner or manager of personal data on matters of adherence to the personal data protection laws and interaction with the Ombudsman regarding prevention and elimination of violations of legislation in this sphere.
22 Record keeping
Are owners of PII required to maintain any internal records or establish internal processes or documentation?
The owners of personal databases are required to establish internal processes for processing personal data, but there is no explicit obligation to maintain any internal records.
Registration and notification
Are owners and processors of PII required to register with the supervisory authority? Are there any exemptions?
The owners of PII are required to register their PII databases and changes to them with the Service. According to the law, such registration is performed on an application basis. The Data Protection Law currently does provide for several exemptions to the registration requirement: for databases related to ensuring and realising labour relations; and databases of members of the public, religious organisations, professional unions and political parties.
Starting from 2014, the registration of personal databases will no longer be required. Due to the abolition of the state registration of personal databases, the amended Data Protection Law stipulates that the owner of personal data will inform the Ombudsman about the processing of personal data if such processing constitutes a special risk to the rights or freedoms of personal data subjects. It is also stipulated that the Ombudsman determines at his or her own discretion the types of personal data processing that constitute a special risk to the rights or freedoms of personal data subjects, the categories of subjects obliged to notify the Ombudsman, and the form and procedure for submitting such notices.
What are the formalities for registration?
In order to register a personal database, the owner of such database should submit to the Service a corresponding application and obtain the certificate on state registration of personal database. According to the Data Protection Law the application shall contain the following information:
- information about the PII owner;
- name and address of location of the personal database;
- purpose of the personal data processing;
- third parties to whom personal data is transferred;
- information on cross-border transfer of personal data;
- information about the managers of the personal database (if any); and
- acknowledgement of the obligation to fulfil provisions of the legislation on personal data protection.
The Service must adopt a decision on registration of personal database within 30 business days of receipt.
Currently no fee is payable for registration of personal databases or changes to personal databases.
The owner of personal database must inform the Service of any change of information necessary for the registration of personal database no later than 10 business days following such change.
What are the penalties for a data owner or processor for failure to make or maintain an entry on the register?
Administrative liability is provided for failure to register a personal database or amendments to it with the Service. A failure to register a personal database with the Service triggers a fine of 5,100 to 17,000 hryvnas. Failure to notify the Service, or untimely notification of the Service, of a change in the information submitted for the state registration of a personal database entails a fine of 1,700 to 6,800 hryvnas.
The fine may be imposed only by a court.
26 Refusal of registration
On what grounds may the supervisory authority refuse to allow an entry on the register?
The Service may reject the registration only on formal grounds (ie, if the application for registration does not contain any of the necessary information which under the Data Protection Law is necessary for the application).
27 Public access
Is the register publicly available? How can it be accessed?
Effective legislation provides that state bodies, local authorities, state enterprises, institutions, organisations, other legal entities and individuals may access the Register of Personal Databases through a website managed by the administrator of the Register (currently a relevant division of the Ministry of Justice of Ukraine), by searching and reviewing information on personal databases (including the name of the personal database, information on its owner, the purpose of processing personal data, etc). Currently, the website is https://rbpd.informjust.ua.
28 Effect of registration
Does an entry on the register have any specific legal effect?
The only legal effect is that the statutory requirements regarding personal database registration shall be deemed fulfilled.
Transfer and disclosure of PII
29 Transfer of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
At present, the Data Protection Law does not contain a specific provision in this respect. At the same time, it is established that the use of personal data by the owner of personal data includes, inter alia, actions on granting full or partial rights to the processing of personal data to other entities related to personal data, which is carried out upon the consent of the individual or in accordance with the law.
30 Restrictions on disclosure
Describe any specific restrictions on the disclosure of PII to other recipients.
According to the Data Protection Law the PII owner shall ensure fulfilment of the established data protection regime while disclosing the PII.
A recipient of the PII must take measures aimed at compliance with the Data Protection Law prior to receipt of the respective PII. As a general rule, the disclosure of PII is only possible provided the individual consents to it. Disclosure of PII without the consent of the relevant individual or his or her authorised representative is allowed in cases established by law and only (where necessary) in the interests of national security, economic welfare and human rights.
Access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.
31 Cross-border transfer
Is the transfer of PII outside the jurisdiction restricted?
The Data Protection Law establishes that the transfer of personal data abroad may be performed exclusively provided that the receiving state ensures due protection of personal data and in cases stipulated by the law of Ukraine or an international treaty of Ukraine.
Further, the Data Protection Law sets forth that EEA countries and those states that signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data are recognised as ensuring the due level of protection of personal data. Therefore, the transfer of personal data to these countries is allowed because the international treaties of Ukraine provide for such opportunity. In addition, the Cabinet of Ministers of Ukraine should determine the list of countries that are deemed to be compliant. However, as of today there is no such list.
Personal data may be transferred (disseminated) only for the purpose for which it was collected.
At the same time, the Data Protection Law further provides other cases when the cross-border transfer of personal data is possible:
(1) the subject of personal data granting direct consent for such transfer;
(2) the need to conclude or perform a transaction between the owner of the personal data and a third party (the subject of the personal data) in favour of the subject of the personal data;
(3) the need to protect the vitally important interests of the subject of the personal data;
(4) the need to protect the public interest, establish, implement and support legal claims;
(5) the holder of the personal data granting corresponding guarantees of non-interference with the private and family life of the subject of personal data.
Therefore, the obtaining of consent of the individual would not be required if the cross-border transfer of personal data falls within one of the above cases (items 2-5 above).
It should be noted that the previous wording of the Data Protection Law explicitly stated that the consent of the subject of personal data is necessary for the cross-border transfer of personal data. However, the present edition of the same Law is not that precise any longer.
32 Notification of transfer
Does transfer of PII require notification to or authorisation from a supervisory authority?
No such notification to the Service is currently required, although the individual must be informed of such a transfer in accordance with the Data Protection Law.
33 Further transfer
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
There is currently no such requirement of further transfer notification.
Rights of individuals
Do individuals have the right to see a copy of their personal information held by PII owners? Describe any limitations to this right.
Individuals enjoy free-of-charge access to their personal data. The Data Protection Law provides that upon receipt of a written application an individual will be informed within no more than 30 calendar days whether his or her personal data are stored in a certain database and the contents of that data.
35 Other rights
Do individuals have other substantive rights?
Individuals have certain other substantive rights, in particular to know where, by whom and for what purpose their personal data is being processed; to obtain information on third parties to whom their personal data is transferred and the terms of granting access to personal data; to present a motivated demand to the owner of the personal data with an objection against processing their personal data; to present a motivated demand on a change or elimination of their personal data by the owner or the manager of the personal database, if such personal data is processed illegally or is false. Most importantly, in case of a breach of their rights in the sphere of the protection of personal data, individuals are entitled to address the authorised state bodies and officials or a court for protection, as well as make reservations as regards the limitation of the right for processing their personal data, granting the consent or recalling consent to process their personal data.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Improper processing of personal data may be grounds for a civil action on the part of an individual whose rights have been violated. It should be noted that the Data Protection Law does not contain any specific provisions in this respect. Therefore, individuals claiming damages or compensation are guided by the general provisions of civil legislation.
Update and trends
Legislation in the sphere of the protection of personal data in Ukraine is subject to constant change. For example, the Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine on Improvement of the Personal Data Protection System, dated 3 July 2013, is still awaiting the signature of the president as of the date of this publication. Initially, it was adopted by the Ukrainian parliament in the middle of May. However, the president vetoed it because the law foresaw the destruction of the State Register of Personal Databases, which contains a large volume of information that can be used for the purposes of data protection. The law was adopted for the second time in July after consideration of the president's suggestions. The likelihood of this law being signed is quite high. If signed, the law will become effective on 1 January 2014 and will change certain provisions of the effective Personal Data Protection Law, inter alia, replacing the Service with the Ombudsman and eliminating the necessity to register personal databases.
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
The Service is currently authorised to consider claims from legal entities and individuals and to issue mandatory demands (orders) for the elimination of violations of the Data Protection Law. Starting from 2014 such powers will be vested in the Ombudsman.
The enforcement of rights is possible only based on a court decision.
Exemptions, derogations and restrictions
38 Further exemptions and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
No further particular derogations, exclusions or limitations are currently in place.
39 Judicial review
Can data owners appeal against orders of the supervisory authority to the courts?
Yes, data owners may appeal against orders of the supervisory authority to the courts. Taking into consideration that personal data protection is rather new to Ukraine, the court practice in this regard has not yet been formed, but it will certainly emerge over the coming years.
40 Criminal sanctions
In what circumstances can owners of PII be subject to criminal sanctions?
Criminal liability is foreseen for the illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. Pursuant to the Law of Ukraine on Information, confidential information about a certain person includes any personal data of an individual. The punishment for committing such a crime is a fine of 8,500 to 17,000 hryvnas, corrective labour for up to two years, arrest for up to six months, or custodial restraint for up to three years.
41 Internet use
Describe any rules on the use of 'cookies' or equivalent technology.
This particular matter is not currently regulated in Ukraine. The Service has not issued specific explanations in this regard either.
42 Electronic communications marketing
Describe any rules on marketing by e-mail, fax or telephone.
These particular matters are currently not regulated in Ukraine.