Impact of the GDPR in Ukraine

1. Applicable legislation governing data protection in Serbia

The Law of Ukraine on Personal Data Protection No 2297-VI dated 1 June 2010 (“PDP Law”).

Guidelines on Processing Personal Data adopted by Ukrainian Parliament Commissioner for Human Rights Order No 1/02-14, dated 8 January 2014.

Guidelines on Execution of Control by the Ukrainian Parliament Commissioner for Human Rights over Adherence to Personal Data Protection Legislation adopted by Ukrainian Parliament Commissioner for Human Rights Order No 1/02-14, dated 8 January 2014.

Guidelines on Notifying the Ukrainian Parliament Commissioner for Human Rights regarding the Processing of High-Risk Personal Data, a Department or a Person Responsible for Organizing Work related to Personal Data Protection in connection with the Processing and Publishing of such Data adopted by Ukrainian Parliament Commissioner for Human Rights Order No 1/02-14, dated 8 January 2014.

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Personal data in general is defined (quite similarly to the GDPR) as “information or aggregate information about a natural person who is identified or identifiable”. Ukrainian legislation further defines so-called special categories of data that are considered sensitive (again quite similar to the GDPR).

Such data includes, inter alia, data about racial or ethnic origin, political, religious or philosophical views (beliefs), membership of political parties and trade unions, data about criminal convictions, data regarding health, sex life, biometric or genetic data, etc. (a slightly more detailed list is provided by the Ukrainian Parliament Commissioner for Human Rights (“Ombudsman”) in the guidelines).

2.2 Data Controller and Processor Obligations

The data controller’s and processor’s obligations, inter alia, include:

  • notifying the data subject regarding the scope of the data being collected, the purpose of data processing, the rights of the data subject, information about the controller and the processor of the data, and persons to whom the data is transferred;
  • processing data exclusively on the grounds prescribed by the law;
  • processing data according to the purpose defined initially and agreed to by the data subject (obtaining the data subject’s consent when the purpose changes significantly);
  • establishing a department or appointing a person responsible for processing sensitive data (if such data is being processed);
  • complying with and satisfying the Ombudsman’s lawful requests, etc.

The controller must additionally notify the Ombudsman regarding the processing of sensitive data (as well as regarding any change related to the processing and terminating the processing of such data).

Some of the significant obligations provided for by the GDPR are not present in the Ukrainian regulation (i.e., the obligation to notify the data subject of a data breach).

2.3 Data subjects’ rights

The PDP Law provides data subjects with a wide range of rights, including the right to:

  • object to the processing of their personal data by submitting a respective application;
  • access their own personal data;
  • set out necessary restrictions and limitations related to any aspect of processing their data;
  • demand rectification or deletion of personal data by any data controller or processor if such data is processed illegally or is completely or partially inaccurate;
  • obtain information regarding third parties' access to their personal data, including information about the terms of such access as well as third parties to whom their personal data are transferred; and
  • revoke consent to data processing at any time.

However, the PDP Law does not guarantee certain rights that are granted by the GDPR, e.g., the so-called “right to be forgotten”.

2.4 Protection granted

Controllers, processors of personal data and third parties (to whom the data is transferred or to whom access to data is granted) are obliged to ensure such data is protected from accidental loss or destruction and from illegal processing, including illegal destruction of or access to personal data.

As already mentioned, processing of sensitive data requires additional notification to the Ombudsman.

The scope of general and technical requirements for personal data protection provided for by the PDP Law (including its storage and transfer means, for instance) is significantly less strict and detailed compared to the GDPR.

2.5 Data protection officer/Representative

Even though the GDPR defines a broader list of cases where the designation of a data protection officer is required, Ukrainian regulation is still quite similar to the GDPR in this respect since a special department must be established or a person responsible for data processing must be appointed when:

  • the processing is carried out by state or local authorities;
  • data controllers and processors process sensitive data.

Information on the specified department or responsible person must be further notified to the Ombudsman, who must ensure its publication.

2.6 Remedies

A data subject may seek compensation for damages caused by a breach of personal data protection rules in a civil court. The amount of the damages is determined on the merits of the case.

2.7 Fines

The following sanctions are prescribed for violations of the PDP Law:

  • failure to notify, or late notification of, the Ombudsman regarding processing of high-risk data or changes of such data results in a fine of up to UAH 34,000 (ca. EUR 1,000);
  • failure to comply with a lawful request of the Ombudsman concerning the prevention or elimination of a personal data violation results in a fine of up to UAH 34,000 (ca. EUR 1,000); and
  • breach of the personal data legislation leading to unauthorized access to the personal data results in a fine of up to UAH 34,000 (ca. EUR 1,000).

There are also criminal sanctions for personal data violations:

  • illegal collection, storage or dissemination of personal data may lead to imprisonment for up to five years.

As is evident from the above, the fines in Ukraine differ significantly from the EU regulation.

2.8 Other major differences

The Ukrainian PDP Law does not separately regulate the processing of minors’ personal data.

3. The GDPR impact

3.1 On existing legislation and prospective rules

According to the EU – Ukraine Association Agreement, Ukraine agreed to implement European personal data protection regulation (including the GDPR) into national legislation.

3.2 In practice

In practice, even though in many respects Ukrainian personal data protection legislation is very similar to the GDPR, there are still quite a few differences and unregulated matters compared to the GDPR. In general, it provides users with a lower level of protection than the GDPR.

4. Conclusions/expectations/commentary 

Currently the sphere of personal data protection is not the main focus in terms of further legislative development. Even though the previous reform introduced in this regard aimed to bring Ukrainian regulation closer to the EU regulation, there remain a number of differences that mainly result in a lower level of protection of personal data in Ukraine.

Maria Orlyk
Managing Partner
Kyiv (CMS RRH)
Oleksandra Prysiazhniuk
Senior Associate
Kyiv (CMS RRH)
Diana Valyeyeva
Lawyer
Kyiv (CMS RRH)