After years of paralysis, Ukrainian business-related legislation is undergoing major changes. For instance, a new tax code came into effect in the New Year, and we can already hear the protests associated with the proposed new labor code. Meanwhile, completely undetected, a new law, the Law of Ukraine No. 2297-VI "On Protection of Personal Data", dated June 1, 2010 (hereinafter the "PDP Law"), quietly entered into force on January 1, 2011.
The PDP Law is based on the framework EU Directive 95/46/EC on
the protection of individuals with regard to the processing of
personal data and on the free movement of such data, but provides a
more detailed legislative base for data protection in Ukraine. The
good news is that by implementing the PDP Law, Ukraine is bringing
its legislation into closer compliance with European standards,
perhaps with the eventual hope of European integration. However,
the PDP Law leaves open the usual questions of implementation and
enforcement surrounding other Ukrainian laws.
With the above background in mind, we will provide a brief
overview of the data protection rules in Ukraine. Similar to
Directive 95/46/EC, the PDP Law applies to data processed both by
automated means and non-automated filing systems gathered by
Ukrainian legal entities and natural persons. Personal data is
defined under the PDP Law as information about an individual who
may be specifically identified. The primary sources of information
may be documents issued to an individual, documents signed by an
individual and information provided by an individual about
himself or herself.
The PDP Law does not apply to databases and personal data
processed by natural persons for non-professional personal or
household needs, journalists for their official or professional
duties, and professional creative specialists. Notably, Directive
95/46/EC does not refer to the latter two categories.
Specifically, the PDP Law applies to legal entities or natural
persons, who by law or with the consent of a data subject are granted
the right to process personal data and who confirm the purpose for
processing personal data within their databases. These are referred
to as "owners" or "controllers" of personal
databases, the latter being those companies or persons who are
contracted to process an owner's database. The law specifically
applies to licensed doctors, lawyers and notaries. While the PDP
Law does not explicitly state so, it could also be applied to such
institutions as banks, insurance companies, employment agencies,
law firms, discount card systems and other businesses that collect,
register, accumulate, store, adapt, amend, use, distribute,
transfer, sell or destroy personal data of Ukrainian
citizens.
The fundamental principle applicable to personal data processing
under the PDP Law is that all steps in data collection, storage and
processing must have the consent of the data subject. This is not
a novelty in Ukraine, as the Law of Ukraine No. 2657 "On
Information", dated October 2, 1992, required the consent of
any individual before his/her information could be collected and
processed in Ukraine and/or abroad. However, the PDP Law expands
the consent requirement to include consent to the volume, purpose,
content and amendment to personal data. Pursuant to the PDP Law,
any data processed must be collected for a specific, lawful purpose
and must be precise, accurate and, where necessary, kept
up-to-date. Note that there is no mention of marketing purposes
anywhere in its text.
As a narrow exception, the processing of personal data in Ukraine
may be effectuated without consent only in the interests of
national security, human rights, protection of the individual in
question's vital interests (until such time as consent may be
given) and "economic welfare". The PDP Law does not
further elaborate on the definition of "economic
welfare," whereas Directive 95/46/EC is only a bit more
specific in stating "important economic or financial interests
of a Member State or of the European Union".
The PDP Law does not permit the processing of personal data
regarding race or ethnicity, political, religious or ideological
conviction, membership in a political party and professional unions
or health or sex life. It is interesting to note that while
Directive 95/46/EC does not mention "membership in a political
party", Ukraine (which is notorious for having many
politicians who double as businessmen or oligarchs) has
specifically restricted the storage and processing of data that
reveals any political party affiliation. The aforementioned
restrictions do not apply in cases when such personal data is
processed upon the unambiguous consent of the data subject or when
it is necessary to process personal data to exercise rights and
perform obligations in labor relations according to law.
Importantly, under the PDP Law, all data subjects enjoy certain
integral and inviolable rights, such as the rights to (i) know the
location of all databases containing their personal data, (ii)
receive full information about the owner or controller of their
personal data, (iii) access their personal data free of charge,
(iv) demand changes, restriction or destruction of personal data,
(v) object, on legitimate grounds, to the processing of their
personal data by state bodies, etc. Data subjects also have the
right to protection of their personal data by the public authority
responsible for data protection issues, specifically with respect
to any damages incurred from unlawful disclosure and the provision
of false personal data to third parties, including information
which can damage an individual's business reputation. Data
subjects must be notified in writing of all of their rights
connected to their personal data held in any database.
The PDP Law requires state registration of all databases
containing personal data. For this purpose, the state personal data
protection body will maintain a state register of personal
databases if and when the Cabinet of Ministers approves the said
state body's regulations. As of today, the Ukrainian government
has yet to create the executive body charged with data protection
issues.
Generally, the registration procedure will entail the submission
by the database owner of an application containing information
about the owner, the name and location of the database, the purpose
for processing personal data in the database, the controller(s), if
any, of the database, and confirmation of all personal data
protection measures provided by law. If all registration documents
are in order, the owner of the database will receive a certificate
of registration within ten working days.
While an individual's access to his or her personal data is
free of charge, third parties may access personal data only with
the consent of the data subject and payment of the owner's fees
(set by the Cabinet of Ministers) for issuing a data subject's
personal information. The owner's or controller's employees
are obligated to use or disclose personal data only within their
official capacity, and this obligation remains with such employees
even after they have left their official position. Of course, the
data subjects must be notified regarding the transfer of their
personal data to third parties if their consent was subject to such
condition.
Personal data may also be transferred to foreign personal data
processors on the condition that their countries have a sufficient
level of data protection (presumably comparable to Directive
95/46/EC), that the relevant permit has been issued, and that the
recipient uses the personal data for the same purposes for which it
was collected. Naturally,
this provision brings up a number of difficult issues, including
but not limited to: who issues the said permit and when? How will
the Ukrainian authorities verify whether countries other than EU
Member States have the required data protection rules? How can the
issue of the collection purpose be controlled or verified?
Overall, the Ukrainian PDP Law covers all of the issues required
by Directive 95/46/EC as well as issues more relevant to Ukrainian
society, such as state use, business reputation and labor
protection. While the time is moving quickly toward the January 1st
effective date, it is highly doubtful that the Ukrainian government
will be able to resolve some of the open-ended issues left by the
PDP Law. Alas, the Ukrainian government has not yet created the
relevant public authority responsible for monitoring personal data
protection issues, it has not yet set up the electronic database of
registered owners and controllers of personal data, and it has not
yet issued the model procedure for processing personal data,
including personal data deemed banking secrets, as required by the
PDP Law. With the tax and labor codes in the forefront of the
battleground, it seems that these issues may remain open for quite
some time despite the existence of the PDP Law.