At present, personal data protection in Ukraine is governed by Article 32 of the Constitution of Ukraine, Articles 23 and 31 of the Law of Ukraine "On Information", and Articles 200 and 302 of the Civil Code of Ukraine. Under applicable laws, personal data may be collected, processed, stored and used subject to the following:
- If prior consent has been obtained from the person concerned; and
- If the person has been notified of the contents of the data collected, as well as how, by whom and for what purpose such personal data will be used in future.
The adopted Law of Ukraine "On Personal Data Protection" No. 2297-VI dated June 1, 2010 (hereinafter – the Law) takes effect on January 1, 2011. It regulates the processing of personal data in special databases by legal entities and individual entrepreneurs in connection with their business. It does not cover the processing of personal data by individuals for their personal or household needs, or in relation to journalistic or creative activities. Nor does the Law apply to the processing of any data regarding legal entities. In the context of employment relations, the Law will apply, first of all, to companies maintaining databases of employees, officer candidates, interns, freelancers, etc.
In 2011, Ukraine will also ratify the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows, after the respective ratification Law No. 2438-VI dated July 6, 2010 takes effect on January 1, 2011. This Convention regulates the operations of international companies regarding cross-border personal data transmission.
The Law defines personal data as any data or set of data on an individual that may lead or may have led to the identification of the individual. The notion of personal data is quite general and may refer to any identifying information regarding an individual. Thus, if any particular data on an individual is associated with his or her name, it should be regarded as personal. It should be added that according to Article 23 of the Law of Ukraine "On Information", key data on an individual (personal data) includes his/her nationality, education, family status, religious affiliation, health status, address, as well as the date and place of birth. Pursuant to Decision of the Constitutional Court of Ukraine No. 5-зп dated October 30, 1997, personal data also includes property status and medical information (a health certificate of an individual, his/her past medical history, purposes of proposed examination and individual care, and the prognosis of the possible progress of his/her disease, including data on any risks to his/her life and health).
Article 2 of the Law introduces the notion of the personal data subject, which means an individual whose personal data is processed according to the law, as well as the notion of the personal database, meaning a named set of ordered personal data available in an electronic form and/or as a card index file. The Law also establishes the term personal database owner, which means an individual or a legal entity that is entitled by the law or upon consent of a personal data subject to process such data and that approves the purpose of personal data processing in this database, as well as establishes the composition and processing procedures thereof, unless otherwise provided by the law.
A card index file of all employees containing their age, date and place of birth, place of residence, identification code, and social status entitling them to any legally prescribed benefits (single mothers, women with children under the age of three, Chernobyl disaster victims, minors) shall be considered a personal database within the meaning of the Law. Likewise, personal databases shall also include a list of drivers indicating their driving license category, driving experience, qualification, and information on fines, if any, or a list of employees indicating their special qualification documents, certificates, awards or academic degrees.
As mentioned above, current legislation requires that consent be obtained from a person for the processing of his or her personal data. In addition, the Law introduces a set of additional requirements for obtaining such consent and outlines a personal data processing procedure.
First, Article 2 of the Law requires that prior documented consent be obtained, while current legislation requires only prior consent. Second, the consent to personal data processing shall be given for a specific and explicitly defined purpose, which shall be specified in the internal documents of the company processing personal data. For instance, this may be a regulation on personal data processing and protection or an order on personal data collection, etc. As provided in Article 6 of the Law, in the event of any change in the personal data processing purpose, a person shall give his or her consent to the processing of his/her personal data for such amended purpose.
Article 2 of the Law provides an expanded list of data processing forms, i.e. personal data processing means any operation or a set of operations performed, in full or in part, in an (automated) data system and/or card index files of personal data that are related to the collection, registration, accumulation, storage, adaptation, alteration, renewal, use and dissemination (distribution, sale, transfer), depersonalization, or destruction of data on a person. It should be highlighted that personal data processing may involve one or several operations mentioned above, but such operations must be performed, in full or in part, in a personal database.
Besides, the Law establishes additional requirements for certain forms of personal data processing. Thus, the dissemination of personal data involves data transfer by a personal database owner to a third party. In this regard, Article 14 of the Law states that a personal data protection regime shall be provided by the personal database owner. At the same time, a third party that receives such data should also comply with the provisions of the Law, in particular those pertaining to the processing purpose and scope of the processing forms consented to by a person.
The personal database owner shall notify a concerned person of the personal data transfer to a third party within 10 business days if required by the terms and conditions of his or her consent, or unless otherwise provided by the law (Article 21 of the Law). Therefore, in order to avoid any disputes, we would recommend that you indicate the waiver of notice of data transfer to a third party in the text of a letter of consent to personal data processing.
The Law also says that the owner of a personal database may hand it over to another entity - the database administrator - for its further processing for the purposes and to the extent stipulated in a written agreement with the database owner. These provisions will govern personal data processing by outsourced specialized companies.
The Law further imposes restrictions on the processing of certain types of personal data. Thus, Article 7 prohibits the processing of personal data about racial or ethnic origin, political opinions, religious or other beliefs, political affiliations and trade union memberships, health, and sex life. However, this ban does not apply if such processing is required, in particular, for the purposes of exercising rights and performing obligations in the context of employment relations in accordance with the law. Thus, for example, companies are not prohibited from keeping a database on the trade union memberships of their employees, because trade union membership entitles employees to certain guarantees.
Article 24 of the Law provides that companies should designate a structural unit or a responsible officer to take relevant measures to ensure the protection of personal data in processing. We recommend that such responsible officer be appointed from among those employees who are directly involved in personal data processing, such as human resource managers or system administrators.
Under the current Law of Ukraine "On Information" (Article 31), before using any personal information, all entities collecting such information must register their personal databases according to the procedure approved by the Cabinet of Ministers of Ukraine. However, no such state registration procedure has been approved.
The Law sets out a more detailed database registration procedure. Article 9 provides that a personal database owner who wants to register his/her database must file an application with the relevant authority. Such application should contain information about the owner, the database name and location, the data processing purpose, other database administrators, and an undertaking to protect personal data. The database will be registered in the State Personal Database Register by the competent personal data protection authority within 10 business days. No such authority has been set up yet.
Therefore, after the Law enters into effect, a company running a personal database should:
- Issue an internal regulation, order or other document to set forth personal data processing purposes, personal data content and scope, and personal data processing procedures;
- Inform the persons concerned of the personal data processing purpose and obtain their prior written consent covering all forms of personal data processing that may be used in future; and
- Designate an officer or a unit responsible for ensuring personal data protection.
Even though the Law enters into effect on January 1, 2011, we recommend taking early steps to bring the company into compliance with its requirements. Should you have any additional questions in this regard, please contact VKP experts Oksana VOYNAROVSKA at Voynarovska@vkp.kiev.ua or Vladyslav PODOLYAK at Podolyak@vkp.kiev.ua.
Vasil Kisil & Partners