Law and the regulatory authority
1 Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?
The legislative framework in the sphere of protection of PII in Ukraine consists of the international conventions, Laws of Ukraine, the Decrees of the President of Ukraine, the relevant Resolutions of the Cabinet of Ministers of Ukraine, as well as the Decrees of the Ministry of Justice of Ukraine and various regulations of the State Service on Protection of Personal Data. The principal laws are:
- Law of Ukraine on Protection of Personal Data (Data Protection Law) dated 1 June 2010 and effective from 1 January 2011;
- Law of Ukraine on Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Regarding Supervisory Authorities and Trans-border Data Flows, dated 6 July 2010. Ukraine has been a party to this Convention since 1 January 2011;
- Law of Ukraine on Introduction of Amendments to Certain Legislative Acts of Ukraine Regarding Increasing Liability for Violation of Legislation on Protection of Personal Data, dated 2 June 2011; and
- Law of Ukraine on Information dated 2 October 1992.
Ukraine is also a party to the European Convention on Human Rights and Fundamental Freedoms since 1997.
2 Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the powers of the authority.
The State Service on Protection of Personal Data (Service) is the central body of the executive power, responsible for overseeing the Data Protection Law. It has, inter alia, the powers to register personal databases and maintain the State Register of Personal Databases, as well as to carry out scheduled and ad hoc inspections, impose mandatory orders on data owners and draw up administrative protocols in case of violations.
3 Breaches of data protection
Can breaches of data protection lead to criminal penalties? How would such breaches be handled?
Breaches of data protection can lead to civil, administrative or criminal liability. Criminal liability is foreseen for illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. In the case of such violation a criminal case will be initiated and investigated, and the final judgment made by a court.
4 Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Ukrainian Data Protection Law does not apply to personal databases of individuals created exclusively for non-professional personal or household needs; to journalists in connection with carrying out their official or professional duties; or to professional artists in the creation of works of art.
5 Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
These issues are regulated by other laws, but the Data Protection Law establishes a general principle under which the processing of personal data is not allowed without consent of the individual, except for cases established by law, or in the interests of national security, economic welfare and human rights.
6 Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
After the Data Protection Law became effective certain legislative acts in the health-care sector have been amended in order to comply with this Law. The Regulation on Electronic Register of Patients, approved by the Resolution of the Cabinet of Ministers of Ukraine No. 546 on 6 June 2012, also provides that where the personal data of a patient is included in the Electronic Register of Patients, health-care institutions must obtain a patient's consent for processing his or her data.
Ukrainian legislation contains specific statutory rules regulating the protection of banking secrecy (information on the activity and financial standing of the client which becomes known to the bank while servicing the client and in the course of its relations with the client or with third parties while rendering the bank's services). Processing and disclosure of banking secrecy is regulated by the Law on Banks and Banking Activity and the relevant regulations of the National Bank of Ukraine. Credit history is also deemed to be confidential information, and the particulars of its collection, processing and use are regulated by the Law on Organisation of Formation and Circulation of Credit Histories.
7 PII formats
What forms of PII are covered by the law?
The Data Protection Law applies to personal databases kept either in electronic form or in the form of card files (paper form).
Is the reach of the law limited to data owners and data processors established or operating in the jurisdiction?
The Data Protection Law does not contain an explicit provision in this respect; however, taking into account the other provisions of the Data Protection Law, its territorial application is limited to the territory of Ukraine.
9 Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide services to owners?
The Data Protection Law covers the processing of personal data, which, according to the Data Protection Law, includes any action or set of actions connected with the collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution (dissemination, realisation, transfer), depersonalisation or elimination of data on an individual. The Data Protection Law also distinguishes between the owner of the personal database, the manager of the personal database and a third party. While the manager of a personal database is empowered by the owner of the personal database to process personal data, a third party is any legal entity or individual to whom the owner or the manager of the personal database transfers the personal data.
Unlike the manager of a personal database and a third party, the owner of the personal database is responsible for registering the respective database, for obtaining the individual's consent to personal data processing, and for informing the individual of his or her rights in connection with the personal data processing.
Legitimate processing of PII
10 Legitimate processing – grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner's legal obligations or if the individual has provided consent? Give details.
According to the general statutory rule, processing of personal data is not allowed without the consent of the individual (who, when giving consent, may limit the right to process his or her personal data by making a corresponding reservation), except for cases established by law, and only in the interests of national security, economic welfare and human rights. The law also establishes that where the processing of personal data is required to protect the vitally important interests of the person, such personal data may be processed without the individual's consent, but only until it becomes possible to obtain his or her consent.
In addition, each personal database must be registered with the Service (see question 2).
11 Legitimate processing – types of data
Does the law impose more stringent rules for specific types of data?
It is prohibited to process personal data on racial or ethnic origin, political, religious or other beliefs, membership in political parties and professional associations, as well as data relating to health or sex life. Such prohibition does not, however, apply in a number of cases established by law. Among these exceptions are cases where the person gives explicit consent to the processing of such data, where processing such data is required within the scope of labour relations according to the law, and where the data concerned was made public by the respective individual.
Data handling responsibilities of owners of PII
Does the law require owners of PII to notify individuals whose data they hold? What must the notice contain and when must it be provided?
The law requires that the individual must be notified exclusively in writing within 10 business days of the date of inclusion of his or her personal data in the personal database, on his or her rights under the law, the purpose of collection of data and any persons to whom his or her personal data is transferred. The same term is established for notification on transfer of personal data to third parties, unless the terms of the provided consent or the law establish otherwise. A term of 10 business days is also established for notifications on change or erasing of personal data or restriction of access to it.
13 Exemption from notification
When is notice not required (for example, where to give notice would be disproportionate or would undermine another public interest)?
The above notification on inclusion of personal data in the personal database is not required if the personal data is collected from publicly available sources. The above notification on transfer of personal data to third parties is not required if the transfer is executed as part of investigative or counter-terrorism activity; by state bodies or local bodies in the exercise of their statutory powers; or for historical, statistical or scientific purposes.
14 Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
There is no such obligation for owners of personal databases under the effective legislation.
15 Data accuracy
Does the law impose standards in relation to the quality, currency and accuracy of PII?
The Data Protection Law does not impose any particular standards in relation to quality, currency or accuracy. It provides that personal data has to be precise, true and, if necessary, should be updated.
Changes and amendments to personal databases shall be introduced on the application of the subject of the personal data, or on the application of other persons related to the personal data if the subject has consented to this, or where the respective change is made on the basis of a court judgment that has entered into force. Incorrect personal data must be corrected immediately after the incorrectness is discovered.
16 Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
The Data Protection Law provides that the composition and contents of personal data shall be commensurate with and not excessive with regards to the established purpose of their processing. The volume of personal data is determined by the terms of the consent of the individual for processing of his or her personal data.
The duration of personal data processing is defined only vaguely. Namely, according to the Data Protection Law, personal data shall be processed for a term not exceeding that necessary for its lawful purpose.
According to the law personal data must be deleted from the database in the following cases:
- completion of the term of personal data keeping, determined by an individual's consent or by law;
- termination of legal relationship between an individual and owner of the personal database; and
- a court decision requiring deletion of the personal data becomes effective.
In practice, it is advisable to establish the term of the personal data processing in internal regulations on personal data processing, as well as in the individual's consent, if possible.
17 Finality principle
Are the purposes for which PII can be used by owners restricted? Has the 'finality principle' been adopted?
The processing of personal data must be carried out for precise and lawful purposes, depending upon the consent of a person or in cases foreseen by laws of Ukraine.
In the event that the purpose of the personal data processing changes, new consent from the respective person must be obtained.
18 Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
In the case of change of purpose of personal data processing, new consent from the respective person must be obtained. The Data Protection Law does not establish any precise exceptions from this rule, but personal data may be used for the new purpose without a person's consent if it is required or allowed by a law in the interests of national security, economic welfare and human rights.
19 Security obligations
What security obligations are imposed on data owners and entities that process PII on their behalf?
Security obligations of the PII owner stipulated by the Data Protection Law and resolutions of the Service are very broad and do not contain any requirements regarding technical matters.
The Data Protection Law establishes that personal data refers to information with limited access. Therefore, the use of personal data by employees of the PII owner must be carried out only in accordance with their professional or labour duties. Such employees may not disclose in any way the information that has become known to them or entrusted to them in the course of their professional or labour duties. Such obligation continues after they terminate the activity, connected with personal data processing, except for cases established by law.
In addition, it is envisaged that the owner of the personal database must ensure the protection of personal data and determine either a structural unit or an employee responsible for protection of PII. Private entrepreneurs, including licensed medical doctors, lawyers and notaries must personally ensure protection of personal data in accordance with the law.
In the case of disclosure of PII, the PII owner must ensure compliance with the established regime of PII protection.
Furthermore, the law stipulates that access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.
20 Notification of security breach
Does the law include obligations to notify the regulator or individuals of breaches of security?
Currently the law does not provide for such an obligation.
Internal controls
21 Data protection officer
Is the appointment of a data protection officer mandatory? What are the data protection officer's legal responsibilities?
The appointment of a personal data protection officer or a responsible structural unit for data protection is mandatory. The Data Protection Law, however, does not establish the scope of such unit or officer's responsibilities. The Standard Order for Processing of Personal Data in Personal Databases, approved by the Service on 30 December 2011, provides that such officer, inter alia, must inform the employees on the requirements as to data protection, organise the work with data protection by respective employees, organise the processing of inquiries related to personal data, ensure access to personal data, inform the owner or the manager of the personal database on the breaches of established procedures for personal data processing and on measures necessary for the processing of personal data in accordance with the law.
22 Record keeping
Are owners of PII required to maintain any internal records or establish internal processes or documentation?
The owners of personal databases are required to establish internal processes for processing personal data, but there is no explicit obligation to maintain any internal records.
Registration and notification
Are owners and processors of PII required to register with the supervisory authority? Are there any exemptions?
The owners of PII are required to register their PII databases and changes to them with the Service. According to the law such registration is performed on an application basis. The Data Protection Law does not provide for exemptions to the registration requirement.
What are the formalities for registration?
In order to register a personal database, the owner of such database should submit to the Service a corresponding application and obtain the certificate on state registration of personal database. According to the Data Protection Law the application shall contain the following information:
- information about the PII owner;
- name and address of location of the personal database;
- purpose of the personal data processing;
- information about the managers of personal database (if any); and
- acknowledgement of the obligation to fulfil provisions of the legislation on personal data protection.
The Service will inform the applicant of receipt of the application no later than the next business day following its submission and must adopt a decision on registration of the personal database within 10 business days of receipt.
Currently no fee is payable for registration of personal databases or changes to personal databases.
The owner of personal database must inform the Service of any change of information necessary for the registration of personal database no later than 10 business days following such change.
Currently, the Service is overloaded with applications for registration of databases and continually fails to adhere to the aforementioned one-day and 10-day terms for notification and registration.
What are the penalties for a data owner or processor for failure to make or maintain an entry on the register?
Administrative liability is provided for failure to register the database or amendments to it with the Service. A failure to register a personal database with the Service triggers a fine in the amount of 5,100 to 17,000 hryvnas. Failure to notify the Service, or untimely notification of the Service, of a change in the information submitted for the state registration of a personal database entails a fine in the amount of 1,700 to 6,800 hryvnas.
The fine may be imposed only by a court.
26 Refusal of registration
On what grounds may the supervisory authority refuse to allow an entry on the register?
The Service may reject the registration only on formal grounds (ie, if the application for registration omits any of the information which the Data Protection Law requires the application to contain).
27 Public access
Is the register publicly available? How can it be accessed?
Effective legislation provides that state bodies, local authorities, state enterprises, institutions, organisations, other legal entities and individuals obtain access to the Register of Personal Databases through a website, managed by the administrator of the Register (currently a relevant division of the Ministry of Justice of Ukraine) by way of searching and review of information (including name of the personal database, information on the owner of personal database, the purpose of processing personal data) on personal databases. Currently, the website is https://rbpd.informjust.ua.
28 Effect of registration
Does an entry on the register have any specific legal effect?
The only legal effect is that the statutory requirements regarding personal data registration shall be deemed fulfilled.
Transfer and disclosure of PII
29 Transfer of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
According to the law the PII owner may transfer the PII database to a separate processor (manager) for outsourced processing based on a written contract with such a processor.
The processor may process the personal data only for the purpose and to the extent stipulated by the respective agreement with the PII owner.
30 Restrictions on disclosure
Describe any specific restrictions on the disclosure of PII to other recipients.
According to the Data Protection Law the PII owner shall ensure fulfilment of the established data protection regime while disclosing the PII.
A recipient of the PII shall take measures aimed at compliance with the Data Protection Law prior to receipt of the respective PII.
An access to PII may be provided to a third person exclusively if such a person is able to fulfil the provisions of the Data Protection Law and does not refuse to honour the respective provisions.
31 Cross-border transfer
Is the transfer of PII outside the jurisdiction restricted?
The transfer of the PII outside Ukraine is not restricted. The Data Protection Law establishes that transfer of personal data abroad may be performed exclusively according to the procedure established by the legislation, subject to due protection of personal data; corresponding permit; and in cases stipulated by a law of Ukraine or the international treaty of Ukraine. Personal data may be transferred (disseminated) only for the purpose for which it was collected.
From the above wording many issues remain unclear, for example, how to determine whether a foreign entity has the due level of protection of personal data, what permit is required and who shall grant it, and what is the established procedure, etc. Only the main prerequisites for export of personal data can be easily identified:
- corresponding written consent of the respective individual for such transfer;
- ensuring due protection of the PII; and
- compliance with the purpose for which the personal data was collected.
There is currently no statutory procedure for obtaining the necessary permit and the procedure for transfer of personal data abroad is not established. Thus, the respective provisions of the Data Protection Law may be ignored until the required procedures are adopted and implemented.
32 Notification of transfer
Does transfer of PII require notification to or authorisation from a supervisory authority?
No such notification is currently required. Please refer to the above question for more details.
Update and trends
The Data Protection Law is rather new to Ukraine. A lack of culture and history in handling personal data in Ukraine entails the underestimation of the importance of this law and of the implications of its violation. Also, regulatory acts in this sphere are few, and some of the issues are still open and sometimes unclear not only to experts but also to the Service.
The Service is currently overloaded with applications on registration of personal databases and complaints for violations of use of personal data. Taking into account the limited personnel of the Service, not all applications and complaints are processed in a timely manner; only those complaints that appear to be urgent or repeated are processed by the Service immediately.
Another discussed topic is the liability for breach of the requirements of the Data Protection Law.
The Data Protection Law contains a lot of unclear and puzzling provisions. Not all of those provisions can be fulfilled in practice. There have been numerous discussions of the law since it was adopted. As a result, several initiative groups have prepared amendments to the law aimed at making it clearer and more consistent. However, only one draft law, prepared by the Cabinet of Ministers of Ukraine, has been registered with the Ukrainian parliament. This draft law does not address most of the disputable issues of the current law. Moreover, due to the parliamentary elections scheduled for October, this draft law is unlikely to be considered by the end of 2012.
33 Further transfer
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
There is currently no such requirement of further transfer notification.
Rights of individuals
Do individuals have the right to see a copy of their personal information held by PII owners? Describe any limitations to this right.
Individuals enjoy free-of-charge access to their personal information. This includes the right to see a copy of personal information held by the owners of personal databases.
The Data Protection Law provides that upon receipt of a written application an individual will be informed within no more than 30 calendar days whether his or her personal data are stored in a certain database and the nature of that data.
35 Other rights
Do individuals have other substantive rights?
Individuals have certain other substantive rights, in particular to know where, by whom and for what purpose their personal data are being processed; to present a reasoned objection to the processing of their personal data by state bodies or local bodies in the exercise of their powers; and to present a reasoned demand for the change or deletion of their personal data by the owner or the manager of the personal database if such personal data are processed illegally or are false. Most importantly, in case of a breach of their rights in the sphere of personal data protection, individuals are entitled to apply to the Service or to a court for protection.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Improper processing of personal data may be a ground for a civil action on the part of an individual whose rights have been violated. It should be noted that the Data Protection Law does not contain any specific provisions in this respect. Therefore, individuals claiming damages or compensation shall be guided by the general provisions of the civil legislation.
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
The Service is authorised to consider claims from legal entities and individuals and to issue mandatory demands (orders) on elimination of the violation of the Data Protection Law.
The enforcement of rights is possible only based on a court decision.
Exemptions, derogations and restrictions
38 Further exemptions and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
No further particular derogations, exclusions or limitations are in place.
39 Judicial review
Can data owners appeal against orders of the supervisory authority to the courts?
Yes, data owners may appeal against orders of the supervisory authority to the courts. Taking into consideration that personal data protection is rather new to Ukraine, the court practice in this regard has not yet been formed, but it will certainly emerge over the coming years.
40 Criminal sanctions
In what circumstances can owners of PII be subject to criminal sanctions?
Criminal liability is foreseen for illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. Pursuant to the Law of Ukraine on Information, confidential information about a certain person includes any personal data of an individual. The punishment provided for such a crime is a fine in the amount of 8,500 to 17,000 hryvnas, corrective labour for up to two years, arrest for up to six months, or custodial restraint for up to three years.
41 Internet use
Describe any rules on the use of 'cookies' or equivalent technology.
This particular matter is not currently regulated in Ukraine.
42 Electronic communications marketing
Describe any rules on marketing by e-mail, fax or telephone.
These particular matters are currently not regulated in Ukraine.
Originally published in Getting The Deal Through, 2013
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.