Data Protected - Ukraine

Contributed by Eterna Law

Last updated March 2020

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Ukraine is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated 1981 (the “Convention”) and the 2001 Additional Protocol.

The Law of Ukraine “On Personal Data Protection” (No. 2297-VI, dated 1 June 2010) (the “Data Protection Law”) is the key legislative act regulating data protection in Ukraine. The Data Protection Law contains provisions similar to those in the Convention.

Pursuant to the EU–Ukraine association agreement, Ukraine has agreed to implement the highest European and international data protection standards, including those contained in the Conventions of the Council of Europe. As a prospective member of the European Union, Ukraine has an obligation to align its legislation with that of the European Union. Ukraine has already adopted a number of EU Directives and Regulations. However, neither the GDPR nor the Data Protection Directive has yet been implemented, possibly because there is currently less public interest in this topic.

Entry into force

Both the Convention and the Data Protection Law came into force on 1 January 2011. The EU–Ukraine association agreement entered into full force and effect on 1 September 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Ukrainian Parliament Commissioner for Human Rights (the “Ombudsman Office”)
21/8 Instytutska Str.
01008 Kyiv
Ukraine

www.ombudsman.gov.ua

Notification or registration scheme and timing

A controller must notify the Ombudsman Office when processing Risky Data (as defined below) within 30 business days from the commencement of such processing. There is no charge for notification and no approval from the Ombudsman Office is required.

Exemptions to notification

Notification is not required where data is processed: (i) for the purpose of maintaining registers for disclosure to the public (public data); (ii) by political parties or organisations, trade unions, employer associations, religious organisations, social organisations of ideological orientation; or (iii) by a controller to exercise rights and perform obligations for employment purposes.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Data Protection Law applies to controllers and processors operating in Ukraine and regulates cross-border data transfer. When personal data is transferred from Ukraine to controllers, processors or other recipients in third countries or to international organisations, the level of adequate protection should be provided by the recipient state. The following countries are recognised as providing an adequate level of personal data protection: (i) members states of the European Economic Area (EEA); (ii) states which are signatories to the Convention; and (iii) other states defined as such by the Cabinet of the Ministers of Ukraine.

The Data Protection Law does not apply where data is processed: (i) by an individual for personal purposes; or (ii) for journalistic or artistic purposes if the balance between privacy and freedom of speech is maintained.

There are no specific rules for storing the personal data of Ukrainian citizens.

Is there a concept of a controller and a processor?

Under the Data Protection Law, a controller is a natural or legal person (including an individual entrepreneur, public authority, agency or other body), who determines: (i) the purpose of processing the personal data; and (ii) the scope of the data collected and the processing procedure.

By contrast, a processor is a person (including an individual entrepreneur, natural or legal person, public authority, agency or other body) authorised to process personal data on behalf of a controller or where required to do so by Ukrainian law.

The majority of the privacy compliance rules apply to controllers, while a processor’s duties mainly refer to data security and using personal data for the same purpose as designated by the controller.

Are both manual and electronic records subject to data protection legislation?

Yes, the Data Protection Law applies to “personal databases” which are compilations of personal data recorded in either electronic or manual form. Sometimes personal data can be compiled outside databases and still fall in the scope of the Data Protection Law.

Are there any national derogations?

No.

_____________________________________________________________________

Personal Data

What is personal data?

The Data Protection Law defines personal data as any information that identifies or allows the identification of a data subject. This includes a data subject’s name, address, education and any related Risky Data (as defined below).

Personal data may be treated as “information with restricted access” for the purposes of the Laws of Ukraine “On Information” (No. 265-XII, dated 2 October 1992) and “On Access to Public Information” (No. 2939-VI, dated 13 January 2011). However, personal data on state officers may not be treated as “information with restricted access” if it relates to their public activity. Information contained in official tax filings and information on the receipt of any state or municipal funds is also not to be treated as “information with restricted access”. Ukrainian laws may also treat other information as not being “information with restricted access”.

Is information about legal entities personal data?

No. Personal data is defined as information on natural persons who can be identified.

What are the rules for processing personal data?

The term “processing” has quite a broad definition and includes any one or a combination of the collection, registration, accumulation, storage, adaptation, alteration, updating, distribution, circulation, removal, depersonalisation or other similar use of personal data.

It is a statutory requirement to obtain a data subject’s consent before processing personal data. A data subject is also entitled to withdraw consent in relation to the processing of their personal data.

A data subject’s consent is not required: (i) for the conclusion and execution of an agreement or transaction where the data subject is party to it or where it is concluded in favour of the data subject, or for activities carried out prior to the transaction at the request of the data subject; (ii) for the protection of the vital interests of the data subject; (iii) where it is necessary to perform an obligation of the controller that is prescribed by law; and (iv) where necessary to protect the legitimate interests of the controller or of third parties, except where the data subject requires the processing of his/her personal data to cease and the need for personal data protection prevails over such interests.

The purposes of processing personal data must be lawful, clear and defined prior to the commencement of any data processing. Personal data may only be obtained for one or more specified and lawful purposes, and may not be further processed in any manner incompatible with the original purpose or purposes without the data subject’s renewed consent.

Are there any formalities to obtain consent to process personal data?

Consent may be obtained in writing or by any other means where consent can be documented (i.e. electronically, with a digital signature, password etc.). Consent must be obtained prior to the start of data processing or in some cases within 30 business days from the day of collection. Where risky data is being processed, consent should be explicit. The data subject must be notified of the categories of personal data being collected, the purpose of the collection, any third parties that may be able to access the personal data and the statutory privacy rights.

Are there any special rules when processing personal data about children?

The Data Protection Law does not contain specific rules relating to children but, under general civic law, parents may act on behalf of minors, including providing consent required for data protection.

Are there any special rules when processing personal data about employees?

Notification to the Ombudsman Office of the processing of employment-related Risky Data is not required where the controller is exercising its rights and performing its obligations for employment purposes, or where an employer association processes such data with respect to its employees as the data subjects in question.

Further, risky data relating to employer associations' members can be processed by the association (e.g. trade union) without the members' consent.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Although the Data Protection Law does not define “sensitive personal data”, the term risky data (“Risky Data”) is used instead and has the same scope. Risky Data means personal data consisting of information as to: (i) race, ethnic origin and nationality; (ii) political, philosophical and religious beliefs; (iii) membership of political parties, trade unions and other organisations; (iv) health; (v) sexual life; (vi) biometric data; (vii) genetic data; (viii) committed crimes or offences; (ix) any pre-trial procedures applied to the person; (x) any investigative procedures against the person; (xi) violence against the person; and (xii) location and travel routes.

Are there additional rules for processing sensitive personal data?

In Ukraine, Risky Data cannot be processed without an individual’s consent. However, the Data Protection Law provides exceptions where Risky Data can be processed without consent, including where: (i) an individual provides explicit consent; (ii) such processing is required within the framework of labour relations; (iii) the Risky Data was made public by the individual; (iv) it is necessary for the protection of the individual’s vital interests in the event the individual is unable to give consent; (v) it is carried out by political parties or organisations, trade unions, employer associations, religious organisations or social organisations of ideological orientation in respect of their members; (vi) it is necessary for healthcare reasons; (vii) it is necessary for the substantiation, satisfaction or protection of a legal claim; or (viii) a governmental body requires it for a court judgment, investigative activities or anti-terrorism purposes.

The processing of Risky Data must be notified to the Ombudsman Office in accordance with the procedures established by the Ombudsman Office. There must be a dedicated structural unit or a data protection officer, and the controller shall properly notify the Ombudsman Office of the establishment or appointment of such a unit or officer.

Are there additional rules for processing information about criminal offences?

Information about criminal offences is treated as Risky Data (see above). The confidential nature of criminal investigations considerably narrows the list of authorised persons that may process such information.

Are there any formalities to obtain consent to process sensitive personal data?

The procedure of getting consent is the same as for normal personal data, but the consent should be explicitly given.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

The Data Protection Law stipulates that state and local bodies, as well as controllers that process Risky Data, must appoint a data protection officer and provide the Ombudsman Office with the officer’s details. The Data Protection Law is silent as to whether the outsourcing of data protection officers is allowed. If a company has no data protection officer or structural unit, the company’s CEO is liable for privacy non-compliance by default.

What are the duties of a data protection officer?

A data protection officer: (i) advises the controller and processor on compliance with the Data Protection Law; and (ii) co-operates with the Ombudsman Office to prevent and eliminate personal data breaches. There are no specific data breach rules in Ukraine.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no accountability obligation under the Data Protection Law. Professional, self-governing and other public associations or legal entities may draft data protection codes to ensure the effective protection of an individual’s rights. However, the Data Protection Law implies that companies engaged in the processing of personal data should adopt policies or effect similar procedures on personal data processing.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The Data Protection Law sets out information that a controller must provide to a data subject, namely: (i) the scope and contents of the personal data being collected and processed; (ii) information about the controller and processor handling the personal data; (iii) the purpose of processing the personal data; (iv) the details of any entities and/or persons to whom the personal data may be transferred; and (v) the data subject’s statutory rights.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller shall get the updated consent.

Rights to access information

The Data Protection Law gives data subjects the right to obtain, upon request, information on: (i) the sources of collection and the location of their personal data; (ii) the purpose of data processing; (iii) the address of the collector or processor of the personal data; (iv) the conditions of access to the personal data; and (v) the third parties or other recipients to whom the data is transferred.

Data subjects also have a right to access their personal data in the relevant database. Data subjects have the right to know whether their personal data is being stored in a personal database and to know the scope of personal data held. Such answers must be provided by the personal data owner (processor) not later than 30 calendar days from the date of request, unless otherwise provided by Ukrainian laws. A subject access request is free of charge.

Rights to data portability

The Data Protection Law does not contain an express provision or prohibition on rights to data portability.

Right to be forgotten

A data subject may file a claim through the court: (i) objecting to data processing by a controller; or (ii) seeking rectification or deletion of personal data. However, there is no clear concept of the right to be forgotten in Ukraine.

Objection to direct marketing

The Law of Ukraine "On Electronic Commerce" (No. 675-VIII, dated 3 September 2015) provides that commercial electronic messages may be distributed to an individual without his/her consent only if that individual has the option to refuse receipt of such messages in future. Both opt-in and opt-out approaches are used in practice.

Other rights

A data subject is also entitled to: (i) restrict the processing of their personal data; (ii) withdraw consent in relation to the processing of their personal data; (iii) introduce limitations as regards rights on their personal data processing while giving the consent; (iv) know the mechanics of the automated processing of personal data; and (v) be protected against automated decisions that have legal effect.

The data subject also has a right to protection from illegal processing, loss, deletion, and damage of personal data, as well as from the provision of unreliable information which discredits his/her honour, dignity and business reputation.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Data Protection Law provides that the controller and/or processor must ensure that personal data is protected against unlawful processing, including loss, unlawful or accidental deletion, as well as against unauthorised access.

To ensure the security of personal data during processing, the controller and processor must take security measures. In particular, the controller and/or processor must implement: (i) an employee data access procedure; (ii) a procedure for access to data operations; (iii) a plan in case of unauthorised access of personal data, damage to technical equipment, emergencies; and (iv) regular training for employees who work with personal data.

The controller and/or processor maintain a list of the employees that have access to personal data and are responsible for determining the level of access each employee has to a data subject’s personal data. Each such employee shall have access only to the personal data (or parts thereof) necessary for the performance of their duties (the “need to know” principle).

The controller and/or processor maintain a record of all access to and transactions related to the processing of the personal data. In accordance with the stated purpose of processing personal data, the controller and/or processor must store information about: (i) the date, time and source of collection of the personal data; (ii) any amendments to the personal data; (iii) access to personal data; (iv) transfer (copying) of the personal data; (v) the date and time of removal or destruction of personal data; (vi) any employee who has completed one of the aforementioned operations; and (vii) the purpose and grounds for modifying, viewing, transmitting and deleting or destroying personal data.

Specific rules governing processing by third party agents (processors)

The controller must ensure that any data processing carried out by a processor is under a written agreement.

Notice of breach laws

There is no requirement to report data security breaches or losses to the appropriate state authority or to the data subject. However, the controller must maintain records of any such data breaches.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

When personal data is transferred from Ukraine to controllers, processors or other recipients in third countries or to international organisations, the level of adequate protection should be provided by the recipient state. The following countries are recognised as providing adequate protection of personal data: (i) EEA member states; (ii) states which are signatories to the Convention; and (iii) other states defined as such by the Cabinet of the Ministers of Ukraine. The U.S. has not been explicitly mentioned as a privacy-safe country, and the Privacy Shield option is inapplicable.

Personal data may be transferred to third countries in the following cases: (i) consent for the transfer is obtained from the data subject; (ii) the transfer is necessary to conclude and execute a transaction between an owner of personal data and a third party in favour of the data subject; (iii) the transfer is necessary to protect the vital interests of the data subject; (iv) the transfer is necessary to protect public interest, establishment, execution and provision of a legal claim; or (v) the owner of the database provides appropriate guarantees in relation to non-interference in the personal and family life of the data subject. In order to streamline data transfer, the recommendation is to obtain explicit consent for such data transfer.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no obligation to obtain the approval of the Ombudsman Office. There is no concept of Model Contracts.

Use of binding corporate rules

The Data Protection Law allows professional organisations to rely on the binding corporate rules in order to obtain effective protection of personal data to transfer personal data outside Ukraine. Such organisations may apply to the Ombudsman Office for conclusion concerning those rules. Presently, few companies follow the binding corporate rules that are approved in certain industries.

_____________________________________________________________________

Enforcement

Fines

The Code of Ukraine on Administrative Offences establishes administrative liability for violation of the data protection legislation, in particular for: (i) failure to notify or late notification of the Ombudsman Office of the processing of Risky Data, or amendments to Risky Data (fine of an amount equivalent to up to EUR 250); (ii) non-compliance with legitimate demands of the Ombudsman Office, which are issued as orders, or determined by the governmental officials of the Ombudsman Office’s secretariat aimed at the elimination or prevention of violations of personal data protection legislation (fine of an amount equivalent to up to EUR 600); and (iii) non-compliance with data protection procedures, which resulted in an unlawful access to the personal data or violation of a data subject’s rights (fine of an amount equivalent to up to EUR 600).

Imprisonment

Under the Criminal Code of Ukraine, the illegal collection, storage, use, disposal, dissemination and alteration of confidential information relating to a certain person attracts penalties, including: (i) fines of up to EUR 600; (ii) corrective labour for up to two years; (iii) arrest for up to six months; or (iv) up to three years’ limitation of freedom. In cases of repeat offences or offences causing grave harm to human rights, the maximum criminal sentence is 5 years of imprisonment.

Criminal liability is imposed only if a considerable human rights violation has occurred.

Compensation

Data subjects have a right to compensation for damage, including moral damage for suffering or distress. However, such compensation generally requires application to the court.

Other powers

A claim for defamation is another available remedy where false information has been disseminated on a data subject.

Practice

Fines: The enforcement of administrative liability for privacy non-compliance and the imposition of administrative fines under the Code of Ukraine on Administrative Offences are not very common, and there have been only approximately 300 such cases. This is explained by the limited capacity of the Ombudsman Office to document proof of an offence, and by the still evolving practice in this area of law. In a considerable proportion of the cases considered by the courts, the limitation period for imposing fines had lapsed or the proof of privacy non-compliance was poor, and the proceedings were therefore terminated without holding the alleged offender liable. The factual background in many cases related to the illegal disclosure of personal data online, data on debtors, data disclosed by municipal authorities or state officers, and so on. However, the limited number of cases prevents a well-structured analysis.

Holding bad actors liable under the Criminal Code of Ukraine is not a widespread practice, and there are no landmark court decisions which would be of professional interest or helpful tools to interpret the Data Protection Law.

Other enforcement action: In practice, the Ombudsman Office normally first issues a warning requesting that the violation of the Data Protection Law ceases. Administrative fines may then be imposed if the guilty party does not comply with this warning. It is rare for criminal liability to result from cases related to the illegal disposal of confidential information.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Ukraine is not an EU Member State and, therefore, has not implemented the Privacy and Electronic Communications Directive. Rules on direct marketing by email, fax and telephone are set out in other laws, such as the Law of Ukraine "On Electronic Commerce" (No. 675-VIII, dated 3 September 2015), the Law of Ukraine “On Advertising” (No. 270/96-BP, dated 3 July 1996), the Law of Ukraine “On Consumer Protection” (No. 1023-XII, dated 12 May 1991) and the Resolution of the Cabinet of Ministers of Ukraine on Approval of Rules on Provision and Receipt of Telecommunication Services (No. 295, dated 11 April 2012).

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no special rules for cookies. Some websites nevertheless implement cookie consent mechanisms or cookie policies.

Regulatory guidance on the use of cookies

Not adopted.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Law of Ukraine "On Electronic Commerce" sets forth that commercial electronic messages shall be distributed only subject to the consent of the individual to whom such messages are addressed. At the same time, commercial electronic messages may be distributed to an individual without his/her consent only if that individual has the option to refuse receipt of such messages in future.

In addition, commercial electronic messages must satisfy the following criteria: (i) commercial emails must be clearly identified; (ii) the sender must provide the recipient with direct and easy access to information about the seller; (iii) commercial emails on discounts, bonuses, promotional gifts, etc. must be clearly identified, and the conditions for their receipt must be definite and comply with the requirements for advertisements; and (iv) the message must contain information on the inclusion of taxes in the price of goods and on the cost of delivery. Aggressive spam and advertising which ignores a consumer’s objections is regarded as a violation of consumer rights.

Conditions for direct marketing by e-mail to corporate subscribers

The laws of Ukraine relating to direct marketing by email do not apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Repetitive direct marketing calls to a consumer are prohibited without that consumer’s consent.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The laws of Ukraine relating to direct marketing by telephone do not apply to corporate subscribers.

Exemptions and other issues

None.

_____________________________________________________________________