On 23 July 2013 the President of Ukraine signed the Law of Ukraine No. 383-VII "On Amendments to Certain Legislative Acts of Ukraine on Improvement of the Personal Data Protection System" (hereinafter – the "Law").
As we informed earlier, the Law was adopted by the Parliament of Ukraine on 3 July 2013 with consideration of amendments suggested by the President of Ukraine based on the draft law No. 2836 as of 17 April 2013.
The Law will become effective on 1 January 2014.
The Law vests with the Cabinet of Ministers of Ukraine the obligation within three months after the Law becomes effective to ensure the transfer of applications for registration of personal databases submitted prior to the Law becoming effective and the State Register of Personal Databases to the Human Rights Commissioner of the Parliament of Ukraine (hereinafter – the "Ombudsman").
The Law amends the Code of Ukraine of Administrative Offences (hereinafter – the "Administrative Offences Code"), the Law of Ukraine "On Protection of Personal Data" and the Law of Ukraine "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Supplementary Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Trans-Border Data Flows".
It shall be noted that the Law of Ukraine "On Protection of Personal Data" has been considerably liberalized. In particular, the state registration of personal databases has been abolished. Therefore, as of January 2014 personal data owners will not be obliged to register personal databases anymore.
The Law also sets forth that the competent authority for the personal data protection shall be the Ombudsman instead of the State Service of Ukraine on Personal Data Protection. The compliance with the personal data protection laws shall be monitored by the Ombudsman and the courts.
This amendment reflects the European practice in appointing an independent body to be responsible for adherence to the personal data protection laws.
Due to the abolishment of the state registration of personal databases the Law stipulates that the owner of personal database shall inform the Ombudsman about the processing of personal data if such processing constitutes a special risk for rights or freedoms of personal data subjects. It is also stipulated that the Ombudsman determines at his/her own discretion the types of personal data processing constituting a special risks for rights or freedoms of personal data subjects, categories of subjects obliged to notify the Ombudsman, as well as the form and the procedure for submission of such notices. The Law envisages that such information received by the Ombudsman shall be published on the Ombudsman's webpage.
The amendments introduced by the Law vest in the Ombudsman, in particular, the following powers:
- carrying out scheduled and unscheduled field and remote inspections of owners and/or administrators of personal data;
- giving instruction to owners and/or administrators of personal data to eliminate discovered violations of the personal data protection laws;
- giving recommendations in the area of the personal data protection;
- giving suggestions as to development and implementation of the state personal data protection policy;
- monitoring new personal data protection practices, trends and technologies.
New provisions of the Administrative Offences Code set forth that protocols on violation of the personal data protection laws shall be composed by representatives of the Ombudsman's office (instead of the State Service of Ukraine on Personal Data Protection). The article of the Administrative Offences Code stipulating administrative liability for violations in the sphere of personal data protection has been improved, too. In particular, now it provides for liability for non-notification or delayed notification of the Ombudsman on processing of personal data or change of information being subject to notification.
The Law also sets forth that owners of personal data, who at the moment of the enactment of the Law process personal data subject to notification to the Ombudsman, are obliged to notify the Ombudsman respectively within 6 months after the enactment of the Law.
The Law is, undoubtedly, a positive step towards harmonization of the Ukrainian personal data protection legislation with the EU laws.
We will follow the situation with the personal data protection closely and will inform you on any further developments in this sphere.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.