Data Law Navigator | Ukraine

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last reviewed 8 October 2018

Risk scale

Laws

  • Law of Ukraine on Personal Data Protection (PDP Law), dated 1 June 2010.
  • Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention), ratified by the Ukrainian Parliament on 6 July 2010.

Authority

Human Rights Ombudsman (Уповноважений Верховної Ради України з прав людини): www.ombudsman.gov.ua/ua/page/zpd/

Anticipated changes to law

The changes to the PDP Law may be introduced as part of aligning national personal data protection legislation with GDPR (for more details see question below).

If applicable: stage of legislative implementation of GDPR

According to the EU-Ukraine Association Agreement, Ukraine has committed itself to bring national personal data protection legislation to GDPR standards. Link to official GDPR translation into Ukrainian: http://aphd.ua/gdpr-ofitsiinyi-ukranskyi-pereklad-/. In October 2017, the EU-Ukraine Association Agreement Implementation Plan was adopted including the steps for aligning national personal data protection legislation with GDPR. At the moment we are not aware of the respective draft laws submitted to the Parliament for the implementation of the aforementioned plan.

Scope

PDP Law applies to the following parties:

  • Data subjects, who are natural persons whose personal data is processed.
  • Data controllers, who are natural persons or legal entities that determine:
    • the goals of the personal data processing; and
    • the amount and method of processing.
  • Data processors, which are natural persons or legal entities permitted by the data controller or under applicable laws to process personal data.
  • Third parties, who are any additional persons or entities that receive personal data from a data controller or data processor, for a specific purpose.

PDP Law does not explicitly specify its jurisdictional scope. However, it may be interpreted to:

  • Apply to all personal data processed in the territory of Ukraine.
  • Have extraterritorial application with respect to data transfers to and from Ukraine.

Penalties/enforcement

PDP Law sets out various levels of liability for breach of data protection rules, including monetary sanctions and criminal liability. Such liability is further set out in, inter alia, the Code of Administrative Offences and Criminal Code of Ukraine, including but not limited to the following:

  • Financial sanctions in an amount up to UAH 34,000, including for non-compliance with the PDP Law resulting in unauthorized access to the personal data.
  • Criminal liability, including imprisonment for up to five years, for illegal:
    • collection of personal data; or
    • storage or dissemination of personal data.

A data subject may seek compensation in court for damages caused by a breach of personal data protection rules.

Registration / notification

PDP Law does not require notification or registration before processing personal data.

Data controllers or processors processing special risk data, however, must notify the Ombudsman within 30 days of commencement of processing of this data.

Main obligations and processing requirements

Data controllers must comply with the following obligations:

  • Personal data must be processed openly and transparently.
  • The means of processing personal data must correspond to the purpose of the processing.
  • Personal data must be protected from accidental loss, destruction, or unauthorised processing and access.

PDP Law also sets out certain requirements for the protection measures to be applied during the processing of data.

Data subject rights

PDP Law grants data subjects a broad scope of rights, including the right to:

  • Submit an objection to the processing of their personal data.
  • Access their own personal data.
  • Define certain restrictions and reservations with respect to any element of their data’s processing.
  • Submit a justified request to rectify or delete personal data by any data controller or processor, if the data is processed illegally or is inaccurate in any respect.
  • Obtain information on the terms of third parties' access to their personal data, including information about third parties to whom their personal data are transferred.
  • Revoke consent to data processing.

Processing by third parties

Processing of data on behalf of data controllers is executed by data processors. The PDP Law requires data processors processing data on behalf of a data controller to enter into a contract with the data controller. The contract must specify the purpose and extent of the data processing, and the data processor must process personal data only to the extent provided for in the contract.

Transfers out of country

Personal data may be transferred only to countries that provide an adequate level of personal data protection, including:

  • European Economic Area (EEA) member states.
  • Countries ratifying the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention).

Additionally, cross-border personal data transfers are only possible if one of the following conditions is satisfied:

  • The data subject grants express consent to the transfer.
  • The data controller and the data subject need to enter into or perform an agreement for the benefit of the data subject.
  • The data transfer is necessary to protect the vital interests of the relevant data subject.
  • The data transfer is necessary to protect the public interest or pursue legal remedies.
  • The data controller has provided relevant guarantees to protect the data subject's privacy.

Intragroup cross-border transfers of personal data between different legal entities belonging to the same corporate group are subject to the foregoing rules.

Data Protection Officer

The processing of special risk data requires the prior appointment of a data protection officer. There are no requirements regarding the qualifications or skills of this person, and the PDP Law lists only a few functions that the officer is to perform.

Security

All participants of data processing relationships, including data controllers and data processors, must ensure that certain personal data are protected from:

  • Accidental loss.
  • Destruction.
  • Unauthorised processing and access.

PDP Law also sets out certain requirements with respect to the use of personal data by a data controller's employees, including use of the data only within, and to the extent required by, their professional duties, and a prohibition on disclosing any personal data (save for the cases provided by law). Data controllers that process high-risk data must appoint data protection officers.

Breach notification

PDP Law does not require notification of personal data security breaches, but data subjects should be informed about any amendment, deletion, or destruction of their personal data within ten business days.

Direct marketing

Under the general rule provided by the Law of Ukraine on Electronic Commerce, commercial electronic communication may be sent to a recipient only if the recipient has consented to receiving it. The exemption from this rule is that commercial electronic communication may be sent without the recipient's consent only if the recipient is able to unsubscribe from such communications.

Cookies


Useful links

 

Cyber Security

Last reviewed 8 October 2018

Risk scale

Laws and regulations

  • The Law of Ukraine No 2163-VIII of 5 October 2017 on the Basic Principles of Cybersecurity of Ukraine (Cybersecurity Law)
  • The Decree of the President of Ukraine No 96/2016 of 15 March 2016 “On the Cyber Security Strategy of Ukraine” (Cybersecurity Strategy)

Anticipated changes to law

On 9 May 2018, the Cybersecurity Law came into effect.

Secondary legislation implementing the Cybersecurity Law is still expected to be adopted by the Cabinet of Ministers of Ukraine (CMU) and, for the banking sector, by the National Bank of Ukraine.

Application

  • Cybersecurity Law: affects companies and institutions listed as ‘critical infrastructure’, which is defined rather broadly and may potentially apply to any company active in certain sectors of the economy (chemicals, energy, transport, etc.) that is included in a special register. However, that register has not been launched yet, and the criteria for inclusion are still to be developed by the government.
  • Cybersecurity Strategy: sets out actions aimed at increasing overall cyber security in order to efficiently tackle and combat cybercrimes and threats, including propaganda, espionage and cyber-attacks.

Authority

The State Service of Special Communications and Information Protection of Ukraine: www.dsszzi.gov.ua/

The Cyberpolice Department of the National Police of Ukraine: https://cyberpolice.gov.ua/

Key obligations

Major obligations of the above authorities are:

  • Implementation of a public policy concerning cybersecurity in Ukraine.
  • Prevention of cyberthreats and cybercrimes.
  • Reporting of cybersecurity incidents.

Penalties/Enforcement

Major offences concerning cybersecurity are set out in Articles 360-363 of the Criminal Code of Ukraine, including the creation and distribution of harmful software, unauthorised actions with information, etc.

Penalties for the abovementioned cybercrimes are a fine of up to UAH 800,000 (ca. EUR 25,000) or imprisonment of up to 6 years.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. The Computer Emergency Response Team of Ukraine, a special subdivision of the State Service of Special Communications and Information Protection of Ukraine, protects state telecommunication systems and responds to computer security incidents in Ukraine.

Is there a national incident management structure for responding to cybersecurity incidents?

The Cybersecurity Strategy provides a general response structure for handling cybersecurity crises and incidents.

Other cybersecurity initiatives

We are not aware of any at the moment.

Useful links

 


Authors

Olga Belyakova
Partner
Kyiv (Volodymyrska Street)