Data protection and cybersecurity laws in Ukraine

Data protection

1. Local data protection laws and scope

In Ukraine, the main legal act that governs processing (collection, use, storage, etc) of personal data is the Law of Ukraine on Personal Data Protection No 2297-VI dated 1 June 2010 (“PDP Law”).

Link to the PDP Law in Ukrainian and to the unofficial English translation.

The PDP Law regulates the processing of personal data, which is broadly defined as any action or combination of actions with personal data, including collection, storage, use, transfer, etc.

The PDP Law does not explicitly specify its jurisdictional scope of application. However, it may be interpreted to apply to all personal data processed in the territory of Ukraine (irrespective of whether it is processed by a foreign or a Ukrainian entity) as well as to data transfers from Ukraine.

Other legislation includes:

  • Guidelines on Processing of Personal Data adopted by the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14, dated 8 January 2014;
  • Guidelines on the Execution of Control by Ukrainian Parliament Commissioner for Human Rights over Adherence to Personal Data Protection Legislation adopted by the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14, dated 8 January 2014;
  • Guidelines on Notifying the Ukrainian Parliament Commissioner for Human Rights regarding the Processing of High-Risk Personal Data, a Department or a Person Responsible for Organizing Work related to Personal Data Protection in connection with its Processing, and Publishing of Such Data adopted by the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14, dated 8 January 2014.

2. Data protection authority

The Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини) (“Ombudsman”): https://www.ombudsman.gov.ua/en/page/zpd/

3. Anticipated changes to local laws

Changes to the personal data protection legislation may be introduced as part of aligning national personal data protection legislation with GDPR standards. In October 2017, the EU-Ukraine Association Agreement Implementation Plan was adopted, including the steps for aligning national personal data protection legislation with the GDPR. The Ombudsman is currently in the process of developing the respective draft laws.

The legislation is also being amended repeatedly in relation to measures necessary to combat the coronavirus (COVID-19) pandemic. These amendments allow the processing of certain types of high-risk data for the stated purposes without a data subject’s consent. This applies exclusively to specific entities appointed by the government to carry out certain functions in the respective sphere (e.g. the entity managing the mobile application for tracking people who are in quarantine).

4. Sanctions & non-compliance

Administrative sanctions:

  • Failure to notify or late notification of the Ombudsman in respect of processing of high-risk data, or amendments to such data (fine of up to UAH 34,000 (ca. EUR 1,000));
  • Failure to execute actions lawfully requested by the Ombudsman that are necessary to prevent or eliminate a breach of the personal data legislation (fine of up to UAH 34,000 (ca. EUR 1,000));
  • Non-compliance with the personal data legislation resulting in unauthorised access to personal data (fine of up to UAH 34,000 (ca. EUR 1,000)).

Criminal sanctions:

  • Illegal collection of personal data; or storage or dissemination of personal data (imprisonment for up to five years).

Others:

  • A data subject may also seek compensation in court for civil damages caused by a breach of personal data protection rules.

In practice, the Ombudsman first issues a warning to an offender with a request to cease the breach of personal data protection rules. An administrative fine may then be imposed if the offender does not comply with the warning. Criminal liability may be imposed only for extremely serious data protection-related offences (we are not aware of any such precedent).

5. Registration / notification / authorisation

The PDP Law does not require notification or registration before processing personal data.

Data controllers or processors processing high-risk data, however, must notify the Ombudsman within 30 days of commencement of processing of this data.

6. Main obligations and processing requirements

Data controllers must comply with the following obligations:

  • Personal data must be processed openly and transparently;
  • The means of processing personal data must correspond to the purpose of the processing;
  • Personal data must be protected from accidental loss, destruction, or unauthorised processing and access.

The PDP Law also sets out certain requirements for the security measures to be applied during the processing of data.

7. Data subject rights

The PDP Law grants data subjects a broad scope of rights, including the right to:

  • Submit an objection to the processing of their personal data;
  • Access their own personal data;
  • Define certain restrictions and reservations with respect to any element of their data’s processing;
  • Submit a justified request to rectify or delete personal data by any data controller or processor, if the data is processed illegally or is inaccurate in any respect;
  • Obtain information on the terms of third parties' access to their personal data, including information about third parties to whom their personal data are transferred;
  • Revoke consent to data processing.

8. Processing by third parties

Access to personal data (and thus, further processing) by a third party shall only be granted under the terms of the consent given by the personal data subject and only provided that such third party agrees to comply with the PDP Law and is in fact capable of ensuring such compliance.

9. Transfers out of country

Personal data may be transferred only to countries that provide an adequate level of personal data protection.

It is assumed that the following countries provide such level of protection:

  • European Economic Area (EEA) member states;
  • Countries ratifying the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention).

Additionally, cross-border personal data transfers are only possible if one of the following conditions is satisfied:

  • The data subject grants express consent to the transfer;
  • The data controller and the data subject need to enter into or perform an agreement for the benefit of the data subject;
  • The data transfer is necessary to protect the vital interests of the relevant data subject;
  • The data transfer is necessary to protect the public interest or pursue legal remedies;
  • The data controller has provided relevant guarantees to protect the data subject's privacy.

Intra-group cross-border transfers of personal data between different legal entities belonging to the same corporate group are subject to these rules.

10. Data Protection Officer

The processing of high-risk data requires the prior appointment of a data protection officer. There are no requirements regarding the qualifications or skills of this person, but the PDP Law lists several functions that the officer must perform.

11. Security

All participants of data processing relationships, including data controllers and data processors, must ensure that certain personal data are protected from:

  • Accidental loss;
  • Destruction;
  • Unauthorised processing and access.

The PDP Law also sets out certain requirements with respect to the use of personal data by the data controller’s employees, including use of data only in connection with and to the extent required by their professional duties, a prohibition on disclosure of any personal data (save for the cases provided by law), etc. Data controllers that process high-risk data must appoint a data protection officer.

12. Breach notification

The PDP Law does not require notification of personal data security breaches, but data subjects should be informed about any amendment, deletion, or destruction of their personal data within ten business days.

13. Direct marketing

Under the general rule provided by the Law of Ukraine on Electronic Commerce, a commercial electronic communication may be sent to a recipient only if the recipient has consented to receiving such communication. The exemption from this rule states that a commercial electronic communication may be sent without the recipient’s consent only if the recipient is able to unsubscribe from such notifications.

14. Cookies and adtech

Data controllers may place cookies or similar technologies on data subjects' computers with their prior consent. The consent may be provided in an electronic form if the user is provided with the opportunity to read the privacy policy before providing electronic consent.

15. Risk scale

Moderate

N/A

Cybersecurity

1. Local cybersecurity laws and scope

  • The Law of Ukraine No 2163-VIII of 5 October 2017 on the Basic Principles of Cybersecurity of Ukraine (Cybersecurity Law)
  • The Decree of the President of Ukraine No 96/2016 of 15 March 2016 “On the Cyber Security Strategy of Ukraine” (Cybersecurity Strategy)
  • The Resolution of the Cabinet of Ministers of Ukraine No 518 of 19 June 2019 “On the Adoption of the General Requirements to the Cybersecurity of the Critical Infrastructure Objects” (Cybersecurity Requirements Resolution)
  • The Resolution of the Cabinet of Ministers of Ukraine No 943 of 9 October 2020 “On Certain Questions of the Critical Infrastructure Objects” (Critical Infrastructure Resolution)

2. Anticipated changes to local laws

The list of the critical infrastructure objects and the respective register are yet to be established.

3. Application

  • Cybersecurity Law: affects companies and institutions listed as ‘critical infrastructure’, which is defined rather broadly and may potentially cover any company active in certain sectors of the economy (such as chemicals, energy and transport) that is included in a special register. However, that register has not been launched yet.
  • Cybersecurity Strategy: sets out actions aimed at increasing overall cyber security in order to efficiently tackle and combat cyber crimes and threats, including propaganda, espionage and cyber-attacks.
  • Cybersecurity Requirements Resolution: sets out cybersecurity requirements to the critical infrastructure objects.
  • Critical Infrastructure Resolution: sets out the criteria for the formation of the list of critical infrastructure objects of Ukraine.

4. Authority

5. Key obligations

Major obligations of the above authorities are:

  • Implementation of a public policy concerning cybersecurity in Ukraine.
  • Prevention of cyberthreats and cybercrimes.
  • Reporting of cybersecurity incidents.

6. Sanctions & non-compliance

Major offences concerning cybersecurity are envisaged by Articles 360-363 of the Criminal Code of Ukraine, including creation and distribution of harmful software, unauthorised actions with information, etc. The sanctions for such offences may include a fine, custodial restraint, or imprisonment.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. The Computer Emergency Response Team (CERT) of Ukraine, a special subdivision of the State Service of Special Communications and Information Protection of Ukraine, protects state telecommunication systems and responds to computer security incidents in Ukraine.

8. National cybersecurity incident management structure

The Cybersecurity Strategy provides the general response structure for handling cybersecurity crises and incidents.

9. Other cybersecurity initiatives

N/A

Maria Orlyk
Managing Partner
Kyiv (Instytutska St)

Mykola Heletiy
Senior Associate
Kyiv (CMS CMNO)

Diana Valyeyeva
Lawyer
Kyiv (Instytutska St)