We are gradually and steadily approaching EU standards. A confirmation of this statement is that the Law of Ukraine "On Personal Data Protection" was adopted by the Parliament of Ukraine on June 1, 2010 and has been in effect since January 1, 2011. The latter is also the date when the Law of Ukraine "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows" came into legal force.

Ukrainian authorities started developing this comprehensive legislative act quite a long time ago – back in the 1990s. That is why this Law is, like no other, an extremely long-awaited instrument, with its current importance increasing from year to year.

The right to personal data protection arises out of an individual's right to respect for his private and family life, which is stated in Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) of 1950 (ratified by Ukraine in 1997). In 2001, a draft law was developed in Ukraine, which was based on the concept of personal data privacy as a personal non-property right. The Law enacted by the Verkhovna Rada of Ukraine in 2006, however, embodied an opposite personal data concept, which was based exclusively on a property right and provided for an ownership right in personal data. The President of Ukraine Viktor Yushchenko, however, vetoed that law. The new Law represented a victory of the previous concept of personal data protection as everyone's personal non-property right. Both approaches appear to coexist in the EU practice because both of them have a common feature, namely the prohibition of personal data processing without an individual's consent.

As provided by the new Law, a personal data concept may relate to any identification data regarding an individual. In practice, it should be noted that if any particular data on an individual is combined with his/her name and surname, they should be regarded as personal data. By way of example, this may be an address, date and place of birth, education, family and property status, nationality, religious affiliation, and health status.

It should be additionally emphasized that the new Law has not explicitly adopted the concept of personal data division into non-sensitive and sensitive personal data, which is used by most of the EU states and by the Russian Federation. The latter, however, may not be treated as a significant shortcoming of the Law, especially since we have recently been observing a gradual departure of the EU states from such an approach.

According to the new Law, the personal database concept includes a paper card index file or an electronic database of employees containing data on their background, social status, or a client database maintained by insurance companies, banks, medical institutions, etc.

Pursuant to earlier legislation, personal data collection, processing, storage and usage required a prior consent of an individual. In accordance with the new Law, such consent must be documented, in particular, must be given in writing. The consent to personal data processing must be given for the specific and explicitly defined purpose for which an individual allows the processing of his/her personal data, which shall be stated in the database holder's documents. In accordance with this rule of the Law, it would be recommended to develop a regulation on personal data processing and protection to specify the personal data processing purpose and its procedure and to cover other personal data protection issues. As provided in Article 6 of the Law, if the purpose of personal data processing changes, a new consent must be obtained from an individual for his/her personal data processing. Pursuant to Article 21 of the Law, an individual shall be notified of his/her personal data transfer to a third party within 10 business days if required by his/her consent or unless otherwise provided by the Law. Therefore, it would be advisable to expressly specify a waiver of notice of personal data transfer in the text of consent. Pursuant to Article 24 of the Law, which provides that a responsible employee shall be designated to arrange for personal data protection, we recommend that such functions be vested in an HR manager or an IT system administrator (depending on who will actually deal with the personal data collection and processing). Such functions may be vested in them by an order to be issued by a director or may be specified in a regulation on personal data processing and protection.

The Law refers to a body that shall act as a controlling authority or, within the meaning of the Law, "an authorized body for personal data protection". The State Service for Personal Data Protection was established on December 9, 2010; nevertheless, practical launch of its work is still awaited. The content and scope of authority of this body is, however, not properly defined to date. The legally prescribed right of access to premises where personal data is processed has been met with fair criticism.

The Law provides for an obligation of personal database registration with the aforesaid controlling authority. Such obligation is vested in a database holder, although, in some countries, the mandatory registration procedure applies to database processing companies (service providers) only.

Although the Law is of great importance and necessity today, its current version is a rather general (framework) document. Thus, to ensure the proper implementation of the personal data protection provisions, a great deal of subordinate legislation should be enacted to expressly specify the scope of application of this Law, including in respect of separate categories of companies (insurance companies, banks, etc.). Thus, it would be worthwhile to postpone the effectiveness date of this Law for some time, at least until the required subordinate legislation is enacted. Furthermore, some provisions of this Law should be amended, e.g. the Law should provide that databases shall not be registered if an individual and a database holder are connected by a labor contract or a civil law contract.

Vasil Kisil & Partners
