Key legislative act regulating data protection in Ukraine
The key legislative act regulating data protection in Ukraine is the Law of Ukraine “On Personal Data Protection” No. 2297-VI, dated June 1, 2010 (the “Law”)
The Law applies to individuals and legal entities that perform any actions or a set of actions, such as collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, sale, transfer), depersonalization, destruction of personal data, including with the use of information (automated) systems.
The Law may not apply if the data is processed:
- by an individual solely for personal or household needs;
- exclusively for journalistic and creative purposes, provided that a balance is struck between the right to respect for privacy and the right to freedom of expression.
Data controllers must comply with the following obligations:
- Personal data must be processed openly and transparently.
- The means of processing personal data must correspond to the purpose of the processing.
- Personal data must be protected from accidental loss, destruction, or unauthorised processing and access.
The Law also sets out certain requirements for securing protection measures during the processing of data.
The law provides the subject of personal data with a wide range of rights regarding the processing of his or her personal data, including:
- to know about the sources of collection, location of his/her personal data, purpose of their processing, location or place of residence (stay) of the owner or manager of personal data or to give a corresponding order to obtain this information to the persons authorized by him/her, except in cases established by law;
- to receive information on the conditions of granting access to personal data, in particular information about third parties to whom his/her personal data is transferred;
- to have access to their personal data;
- to protect their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision thereof, as well as to protect against provision of information that is inaccurate or discrediting to the honor, dignity and business reputation of an individual, etc.
Personal data may be transferred to foreign parties to relations related to personal data only if the relevant state ensures proper protection of personal data in cases established by law or an international agreement of Ukraine.
It is assumed that the following countries provide such level of protection:
- European Economic Area (EEA) member states;
- Countries ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The Cabinet of Ministers of Ukraine determines the list of states that ensure adequate protection of personal data.
Personal data may be transferred to foreign subjects of relations related to personal data also in the case of:
- the personal data subject provides express consent to such transfer;
- the data controller and the data subject need to enter into or perform an agreement for the benefit of the data subject;
- the data transfer is needed to protect the vital interests of personal data subjects;
- the data transfer is needed to protect the public interest, establish, fulfill and enforce a legal claim;
- provision by the personal data owner of appropriate guarantees of non-interference in the personal and family life of the personal data subject.