Data Protected - Ukraine
Last updated February 2023
General | Data Protection Laws
General data protection laws
Ukraine is a party to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, dated 1981 (the “Convention”), which was the first legally binding international instrument in the data protection field, and the Additional Protocol to the Convention, dated 2001.
The key legislative act regulating data protection in Ukraine is the Law of Ukraine “On Personal Data Protection” No. 2297-VI, dated June 1, 2010 (the “Data Protection Law”). It regulates legal relations concerning the protection and processing of personal data and is aimed at protecting fundamental human and civil rights and freedoms, in particular the right of non-interference in personal life, in connection with personal data processing, and contains similar provisions to those in the Convention.
Also, pursuant to the EU–Ukraine Association Agreement, Ukraine has agreed to ensure an adequate level of protection of personal data in accordance with the highest European and international standards, including the relevant Council of Europe instruments. As an EU candidate, Ukraine has an obligation to align its legislation with that of the European Union, and it has already adopted a number of EU Directives and Regulations. Accordingly, Draft Law No. 8153, dated October 25, 2022, was submitted to the Parliament of Ukraine to harmonise the Data Protection Law with the provisions of the European General Data Protection Regulation (the “GDPR”) and of the Amending Protocol to the Convention dated 2018. However, the GDPR has not yet been implemented because of the war in Ukraine. At the same time, Draft Law No. 8153 has a good chance of being adopted in the near future.
Entry into force
Both the Convention and the Data Protection Law came into force in Ukraine on January 1, 2011. The EU–Ukraine Association Agreement entered into full force and effect on September 1, 2017.
National Supervisory Authority
Details of the competent national supervisory authority
The Authorised Human Rights Representative of the Verkhovna Rada of Ukraine (the “Ombudsman Office”)
21/8 Instytutska Str.,
Notification or registration scheme and timing
A personal data owner must notify the Ombudsman Office when processing Risky Data (as defined below) within 30 working days from the date of the beginning of such processing.
The Order of the Authorised Human Rights Representative of the Verkhovna Rada of Ukraine No. 1/02-14, dated January 8, 2014 (the “Order No. 1/02-14”), expands the list of Risky Data for the purposes of the obligation to notify the Ombudsman Office. In addition to processing of the Risky Data (as defined below), the notification must be served when processing the following sensitive data: (i) national origin; (ii) membership in political organisations, religious organisations, public persuasion organisations; (iii) bringing a person to administrative liability; (iv) the application of measures against a person within the framework of a pre-trial investigation; (v) any detective and search operations against a person; (vi) committing certain types of violence against a person; and (vii) location and/or routes of movement of a person.
Exemptions to notification
According to the Order No. 1/02-14, notification is not required where data is processed: (i) for the sole purpose of maintaining a register for providing information to the public, which is open to the general public; (ii) by public associations, political parties and/or organisations, trade unions, employers’ associations, religious organisations, or public persuasion organisations, provided that the processing concerns exclusively the personal data of members of these associations and is not transferred without their consent; or (iii) by a personal data owner in order to exercise its rights and perform its obligations in the field of labour relations in accordance with the law.
Scope of Application
What is the territorial scope of application?
There are no explicit provisions in the Data Protection Law setting out its territorial application but in accordance with the general principles of Ukrainian law, it is likely to apply to personal data processed in the territory of Ukraine.
Is there a concept of a controller and a processor?
Under the Data Protection Law, a personal data owner is a natural or legal person (including an individual entrepreneur, public authority, agency or other body) who determines: (i) the purpose of personal data processing; (ii) the composition of this data; and (iii) the procedures for its processing, unless otherwise specified by law.
Along with a personal data owner, there is also the concept of the personal data subject, which is an individual whose personal data is being processed.
By contrast, a personal data manager is a natural or legal person who is granted the right by the personal data owner or by law to process this data on behalf of the owner.
The majority of the privacy compliance rules apply to personal data owners, while a manager’s duties mainly refer to data security and processing personal data for the purpose designated by the owner.
Are both manual and electronic records subject to data protection legislation?
Yes. The Data Protection Law applies to personal data processing by automated means in whole or in part, as well as to processing of personal data contained in or to be entered into the “filing system” by non-automated means. “Filing system” means any structured personal data available according to certain criteria. However, non-automated processing of personal data outside the filing system is not covered by the provisions of the Data Protection Law.
Are there any national derogations?
The Data Protection Law does not apply where data is processed: (a) by an individual solely for personal or domestic needs; (b) solely for journalistic and creative purposes, given a balance is ensured between the right to respect for private life and the right to freedom of expression; and (c) for the receipt of archival information of repressive bodies.
Specific articles of the Data Protection Law can be disapplied in cases provided by law, to the extent required in a democratic society in the interests of national security, economic welfare or protection of the rights and freedoms of personal data subjects or other persons.
During martial law, the transfer of personal data can be made to recipients in third countries where necessary for the provision of medical assistance and/or rehabilitation assistance using telemedicine, so long as it is carried out in accordance with the legislation of the recipient state (except for Russia and Belarus).
What is personal data?
The Data Protection Law defines personal data as details or a set of details about the individual, which is or may be explicitly identified. This includes a personal data subject’s name, address, education, any related Risky Data (as defined below) etc.
For the purposes of Ukrainian freedom of information laws, personal data may be in some cases classified as “restricted information” or “confidential information about a person” by law (in particular, for the purposes of the Laws of Ukraine “On Information” No. 2657-XII dated October 2, 1992, and “On Access to Public Information” No. 2939-VI, dated January 13, 2011) or by a relevant person.
Personal data that constitutes “confidential information” may not be processed without the individual’s consent, except in the cases specified by law and only in the interests of national security, economic well-being and human rights.
Is information about legal entities personal data?
No. Personal data is defined as information on an individual, which is or may be explicitly identified.
What are the rules for processing personal data?
The term “processing” has quite a broad definition and includes any one action or set of actions such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution (circulation, sale, transfer), depersonalisation, and destruction of personal data, including with the use of information (automated) systems.
In most cases, it is necessary to obtain a personal data subject’s consent before processing the individual’s personal data. A personal data subject is entitled to withdraw consent in relation to the processing of its personal data.
However, consent is not required: (i) in the case of conclusion and execution of a transaction to which the personal data subject is a party or which was concluded in favour of the personal data subject or when the personal data processing is necessary for the implementation of measures preceding the transaction conclusion at the request of the personal data subject (it is presumed that the fact of transaction conclusion by the personal data subject equals its consent for personal data processing); (ii) when permission for personal data processing was granted to the personal data owner by law and solely for the exercise of its powers; (iii) when the personal data processing is necessary for the protection of the personal data subject’s vital interests (processing is allowed without consent until it becomes possible to obtain such consent); (iv) when the personal data processing is necessary for the fulfilment of the personal data owner’s legal obligations; (v) when the personal data processing is necessary for the protection of the legitimate interests of the personal data owner or a third party to whom the personal data is transferred, except in cases where the requirement to protect the fundamental rights and freedoms of the personal data subject in connection with the data processing of the latter prevails over such interests; or (vi) in cases determined by law and only in the interests of national security, economic welfare or human rights and also for the all-Ukrainian population census conduction.
The purposes of processing personal data must be lawful, clear and defined prior to the commencement of any data processing. Personal data may only be obtained for one or more specified and lawful purposes, and may not be further processed in any manner incompatible with the original purpose or purposes without the personal data subject’s renewed consent.
Where the personal data owner intends to further process the personal data for a new purpose incompatible with the previous one, it is required to obtain the personal data subject’s consent for the changed purpose, unless otherwise provided for by law.
Are there any formalities to obtain consent to process personal data?
Consent may be obtained in writing or by any other means that evidence consent has been provided (i.e. electronically, with a digital signature, etc.). Consent must be obtained prior to the start of the personal data processing or, in some cases, within 30 business days from the day of its collection.
To obtain consent, the personal data subject must be informed about the personal data owner, composition and content of the collected personal data, the personal data subject’s rights defined by the Data Protection Law, the purpose of collecting the personal data, and the persons to whom the relevant personal data may be transferred.
Are there any special rules when processing personal data about children?
The Data Protection Law does not contain specific rules relating to children, but, under general civil law, parents or guardians may act on behalf of minors, including providing consent required for personal data processing.
Are there any special rules when processing personal data about employees?
The obligation to notify the Ombudsman Office (see above) does not apply when processing employment-related sensitive personal data when: (i) a personal data owner exercises its rights and performs its obligations in the field of labour relations; and (ii) trade unions or employers’ associations process personal data of their members (so long as it is not transferred to a third party without consent).
Sensitive Personal Data
What is sensitive personal data?
Although the Data Protection Law does not explicitly define the term “sensitive personal data” or “risky data”, some of its provisions apply to the following list of “Risky Data” being personal data on: (i) racial or ethnic origin; (ii) political, religious or ideological beliefs; (iii) membership in political parties and trade unions; (iv) criminal convictions; (v) health; (vi) sexual life; and (vii) biometric or genetic data.
At the same time, it is important to note that Order No. 1/02-14 expands the list of Risky Data for the purposes of the obligation to notify the Ombudsman Office, so that the list of sensitive personal data for such purposes is wider than the list of Risky Data provided by the Data Protection Law and includes, in addition to Risky Data, the categories identified in the Notification or registration scheme and timing above.
Are there additional rules for processing sensitive personal data?
The general rule is that the processing of Risky Data is prohibited. However, the Data Protection Law provides exceptions where: (i) the personal data subject has provided unambiguous consent; (ii) the processing is required for the exercise of the owner’s rights and obligations in the field of labour relations in accordance with the law, subject to adequate protection; (iii) the processing is required to protect the vital interests of the personal data subject or other person in the event of incapacity or restriction of the civil legal capacity of the personal data subject; (iv) the personal data is processed by a religious organisation, public persuasion organisation, political party or trade union, provided that the processing only relates to members of these associations or persons who maintain constant contact with them, and personal data is not transferred to a third party without the personal data subject’s consent; (v) the processing is required to justify, satisfy or protect a legal claim; (vi) the processing is required for the purpose of health protection; (vii) the processing is required to ensure the maintenance of military records of conscripts and reservists; (viii) the processing concerns court sentences, fulfilment of detective and search or counterintelligence operations, or the fight against terrorism, and is carried out by a state body within the scope of its powers as defined by law; or (ix) the processing concerns data that has been explicitly made public by the personal data subject.
Are there additional rules for processing information about criminal offences?
Information about criminal offences is considered as Risky Data (see above). The confidential nature of criminal investigations considerably narrows the list of authorised persons that may process such information.
Are there any formalities to obtain consent to process sensitive personal data?
The procedure for obtaining consent is the same as for ordinary personal data, but the consent must be unambiguous. This means that there must be no doubt that consent was given, and the personal data owner must be able to demonstrate its existence throughout the entire period of processing.
Data Protection Officers
When must a data protection officer be appointed?
The Data Protection Law stipulates that state and local authorities, as well as personal data owners or managers which process sensitive personal data defined by the Order No. 1/02-14 must appoint/establish a compliance unit or individual (data protection officer). Information on the compliance unit or data protection officer must be reported to the Ombudsman Office and will be published.
What are the duties of a data protection officer?
The compliance unit or data protection officer: (i) informs and advises the personal data owner or manager on compliance with the Data Protection Law; and (ii) interacts with the Ombudsman Office.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no accountability obligation under the Data Protection Law. However, it is possible to develop codes of conduct to ensure effective protection of the rights of personal data subjects and compliance with Data Protection Law, taking into account the specifics of personal data processing in various fields.
Are privacy impact assessments mandatory?
Rights of Data Subjects
Under the Data Protection Law, personal data subjects must be notified, either at the moment of personal data collection (if personal data is collected from the personal data subject) or within thirty working days from the date of personal data collection (in other cases), about: (i) the personal data owner; (ii) composition and content of the collected personal data; (iii) the personal data subject’s rights as defined by the Data Protection Law; (iv) the purpose of collecting personal data; and (v) the persons to whom the relevant personal data may be transferred.
Rights to access information
The Data Protection Law grants personal data subjects the right to: (i) not later than thirty calendar days from the date of request receipt, except in cases provided for by law, receive a response on whether their personal data is being processed, as well as receive the content of such personal data; (ii) know about the sources of collection, location of their personal data, purpose of its processing, and location of the personal data owner or manager – the personal data subjects may ask that this information is provided to persons authorised by them; (iii) receive information about the conditions for granting access to personal data, in particular information about third parties to whom their personal data is transferred; (iv) access their personal data; and (v) know details of any automatic personal data processing.
Rights to data portability
The Data Protection Law does not contain an express provision or prohibition on rights to data portability.
Right to be forgotten
According to the Data Protection Law, personal data subjects have a right to: (i) submit a reasonable request to the personal data owner with an objection to the processing of their personal data; (ii) submit a reasonable request for modification or destruction of their personal data by any personal data owner and manager if this data is processed illegally or is unreliable; or (iii) withdraw consent to the personal data processing.
However, there is no clear concept of the right to be forgotten in Ukraine. This might in due course be established in connection with the European integration processes in Ukraine.
Objection to direct marketing
The Law of Ukraine “On Electronic Commerce” No. 675-VIII, dated September 3, 2015, provides that commercial electronic messages may be sent to a person without their consent only if they are able to refuse further receipt of such messages. Both opt-in and opt-out approaches are used in practice.
Personal data subjects are also entitled to: (i) protect their personal data from illegal processing and accidental loss, destruction, damage due to deliberate concealment, failure to provide data or its untimely provision, as well as protect against providing information that is unreliable or discredits the individual’s honour, dignity and business reputation; (ii) make reservations regarding the restriction of the right to process their personal data when providing consent; (iii) be protected from an automated solution that has legal consequences for the personal data subject; (iv) submit complaints about their personal data processing to the Ombudsman Office or to court; and (v) apply legal remedies in the case of violation of legislation on personal data protection.
Security requirements in order to protect personal data
The Data Protection Law provides that the personal data owners, managers and third parties are obliged to ensure personal data protection from accidental loss or destruction, and from illegal processing, including illegal destruction or access to personal data.
To ensure the security of personal data during processing, personal data owners and managers must take security (including organisational and technical) measures. Those measures might include: (i) an employee data access procedure; (ii) a procedure for the recording of operations related to personal data processing and access to them; (iii) a plan in case of unauthorised access to personal data, damage to technical equipment, or emergencies; (iv) regular training for employees who work with personal data; and (v) any special technical measures ensuring the exclusion of unauthorised access to personal data.
Personal data owners and managers must maintain a list of the employees who have access to personal data, and are responsible for determining the level of access each employee has to a subject’s personal data. Each such employee may access only the personal data (or parts thereof) necessary for the performance of their professional, service or labour duties (the “need to know” principle).
Personal data owners and managers must also keep a record of all operations related to personal data processing and access to it. In accordance with the stated purpose, they must store information about: (i) the date, time and source of collection of the personal data; (ii) any amendments to personal data; (iii) access to personal data (viewing of personal data); (iv) any transfer (copying) of personal data; (v) the date and time of deletion or destruction of personal data; (vi) the employee who performed each of the aforementioned operations; and (vii) the purpose of and grounds for modifying, viewing, transferring and deleting or destroying personal data.
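The following is an added illustration of how the “need to know” access list and the operation record described above can be enforced in software; it is hypothetical example code, not part of the Data Protection Law, Order No. 1/02-14 or any Ombudsman Office procedure. The employee roles, field names, purposes and sample records are constructed, and refused attempts are logged as an additional defensive choice rather than a statutory requirement.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed access list (employee -> data fields they may touch and operations
# they may perform). A real deployment would load this from the owner's records.
ACCESS_LIST = {
    "hr-clerk": {"fields": {"name", "address", "education"},
                 "ops": {"collect", "view", "amend"}},
    "dpo": {"fields": {"name", "address", "education", "health"},
            "ops": {"collect", "view", "amend", "transfer", "delete"}},
}


class AccessDenied(PermissionError):
    """Raised when an employee's access list does not cover the requested operation."""


@dataclass
class AuditEntry:
    timestamp: str       # date and time of the operation
    operation: str       # collect | view | amend | transfer | delete | denied
    subject_id: str      # whose data was touched
    employee: str        # who performed the operation
    purpose: str         # why it was performed
    grounds: str         # legal basis stated by the employee (e.g. consent)
    details: dict = field(default_factory=dict)  # source, old/new values, recipient


class PersonalDataStore:
    """Personal data records guarded by an access list, with a log of every operation."""

    def __init__(self, access_list=ACCESS_LIST,
                 clock: Optional[Callable[[], datetime]] = None):
        self._records: dict = {}
        self._access = access_list
        self.audit: list = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, op, subject_id, employee, purpose, grounds, **details):
        self.audit.append(AuditEntry(self._clock().isoformat(), op, subject_id,
                                     employee, purpose, grounds, details))

    def _authorise(self, employee, op, fields, subject_id, purpose, grounds):
        # Need to know: the operation AND every requested field must be on the list.
        entry = self._access.get(employee)
        allowed = (entry is not None and op in entry["ops"]
                   and set(fields) <= entry["fields"])
        if not allowed:
            self._log("denied", subject_id, employee, purpose, grounds,
                      attempted=op, fields=sorted(fields))
            raise AccessDenied(f"{employee} may not {op} {sorted(fields)}")

    def collect(self, subject_id, data, source, employee, purpose, grounds):
        self._authorise(employee, "collect", data.keys(), subject_id, purpose, grounds)
        self._records[subject_id] = dict(data)
        self._log("collect", subject_id, employee, purpose, grounds,
                  source=source, fields=sorted(data))

    def view(self, subject_id, fields, employee, purpose, grounds):
        self._authorise(employee, "view", fields, subject_id, purpose, grounds)
        record = self._records[subject_id]
        self._log("view", subject_id, employee, purpose, grounds, fields=sorted(fields))
        return {f: record[f] for f in fields}   # only the requested, permitted fields

    def amend(self, subject_id, changes, employee, purpose, grounds):
        self._authorise(employee, "amend", changes.keys(), subject_id, purpose, grounds)
        record = self._records[subject_id]
        old = {f: record.get(f) for f in changes}
        record.update(changes)
        self._log("amend", subject_id, employee, purpose, grounds, old=old, new=dict(changes))

    def transfer(self, subject_id, fields, recipient, employee, purpose, grounds):
        self._authorise(employee, "transfer", fields, subject_id, purpose, grounds)
        copy = {f: self._records[subject_id][f] for f in fields}
        self._log("transfer", subject_id, employee, purpose, grounds,
                  recipient=recipient, fields=sorted(fields))
        return copy

    def delete(self, subject_id, employee, purpose, grounds):
        fields = sorted(self._records[subject_id])
        self._authorise(employee, "delete", fields, subject_id, purpose, grounds)
        del self._records[subject_id]
        self._log("delete", subject_id, employee, purpose, grounds, fields=fields)


def demo():
    """Constructed walk-through: collect, permitted view, refused view, transfer."""
    store = PersonalDataStore()
    store.collect("subj-1", {"name": "A. Example", "address": "Kyiv", "health": "n/a"},
                  source="subject (web form)", employee="dpo",
                  purpose="HR onboarding", grounds="consent")
    store.view("subj-1", ["name"], "hr-clerk", "payroll setup", "employment contract")
    try:   # hr-clerk is not on the list for the health field: refused and logged
        store.view("subj-1", ["health"], "hr-clerk", "curiosity", "none")
    except AccessDenied:
        pass
    copy = store.transfer("subj-1", ["name", "address"], recipient="EEA payroll processor",
                          employee="dpo", purpose="payroll", grounds="written agreement")
    return store, copy
```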
Specific rules governing processing by third party agents (processors)
The personal data owner can entrust the personal data processing to the personal data manager in accordance with a written agreement.
Notice of breach laws
Ukrainian legislation does not establish a direct obligation to report data security breaches or losses to the appropriate state authority or to the personal data subject.
However, the compliance unit or data protection officer (if any) must: (i) in the case of detection of violations of the personal data protection legislation, inform the head of the personal data owner/manager about it in order to take the necessary measures; and (ii) document the facts of violations of the processing and protection of personal data processes.
Moreover, the Data Protection Law provides that personal data collected in violation of the requirements of this law shall be subject to deletion or destruction in accordance with a procedure prescribed by law.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Personal data can only be transferred from Ukraine to recipients in third countries if an adequate level of protection is ensured by the relevant state. The following states are recognised as ensuring an adequate level of personal data protection: (i) member states of the European Economic Area (EEA); (ii) states which are signatories to the Convention; and (iii) other states defined as such by the Cabinet of the Ministers of Ukraine. The U.S. is included on the list of states recognised as ensuring an adequate level of personal data protection in the Resolution of the Cabinet of the Ministers of Ukraine No. 910, dated August 16, 2022.
Personal data may also be transferred to recipients in third countries if: (i) the personal data subject has granted unambiguous consent to such a transfer; (ii) it is necessary to conclude or execute a transaction between the personal data owner and the personal data subject (or a third party where the transaction is in favour of the personal data subject); (iii) it is necessary to protect the vital interests of personal data subjects; (iv) it is necessary to protect the public interest, or to establish, implement and ensure a legal requirement; or (v) for the provision by the personal data owner of appropriate guarantees of non-interference in the personal and family life of the personal data subject.
Also, during martial law, the transfer of personal data to recipients in third countries is permitted where necessary for the provision of medical assistance and/or rehabilitation assistance using telemedicine, where such processing is carried out in accordance with the legislation of the recipient state (except for Russia and Belarus).
Personal data may not be disseminated for any purpose other than that for which it was collected.
In order to streamline personal data transfer, it is common in Ukraine to obtain unambiguous consent for any such data transfer.
Notification and approval of national regulator (including notification of use of Standard Contractual Clauses)
There is no obligation to obtain the approval of the Ombudsman Office. There is no concept of Standard Contractual Clauses. However, the standard procedure for personal data processing is established by the Ombudsman Office.
Use of binding corporate rules
The Data Protection Law allows professional organisations to rely on binding corporate rules in order to obtain effective protection of personal data when transferring personal data outside Ukraine. Such organisations may apply to the Ombudsman Office for approval of those rules.
The Code of Ukraine on Administrative Offences establishes administrative liability for violation of the data protection legislation, in particular for: (i) failure to notify or late notification of the Ombudsman Office of the processing of sensitive personal data, or amendments to such data (fine of an amount equivalent to up to EUR 170); (ii) non-compliance with legitimate demands of the Ombudsman Office, which are issued as orders, or determined by the governmental officials of the Ombudsman Office’s secretariat, aimed at the elimination or prevention of violations of personal data protection legislation (fine of an amount equivalent to up to EUR 425); and (iii) non-compliance with data protection procedures, which resulted in unlawful access to the personal data or violation of a personal data subject’s rights (fine of an amount equivalent to up to EUR 425).
If those actions are committed repeatedly within a year, the fine is increased to 2 to 2.5 times the base amount.
Under the Criminal Code of Ukraine, the illegal collection, storage, use, destruction, dissemination of confidential information about a person or illegal alteration of such information shall be punishable by: (i) a fine of an amount equivalent to up to EUR 425; or (ii) correctional labour for a term of up to two years; or (iii) criminal detention for a term of up to six months; or (iv) restriction of liberty for a term of up to three years.
If those actions are committed repeatedly, or if they have caused substantial damage to the rights, freedoms and interests of a person, they shall be punishable: (i) by criminal detention for a term of three to six months; (ii) by restriction of liberty for a term of three to five years; or (iii) by imprisonment for the same term.
Personal data subjects have a right to compensation for damage, including moral damage for suffering or distress. However, such compensation generally requires application to court.
A claim for defamation is another available remedy if false information has been disseminated on a data subject.
Fines: The enforcement of administrative liability for non-compliance and the imposition of administrative fines under the Code of Ukraine on Administrative Offences is not very common. This is explained by the limited capacity of the Ombudsman Office to investigate and the evolving practice of this area of law. In a significant number of cases before the courts, the statute of limitations for imposing fines had expired, or the evidence of non-compliance with confidentiality was insufficient, so the proceedings in these cases were dismissed without a conviction. The factual basis in many cases related to the illegal disclosure of personal data on the Internet, data about debtors, data disclosed by municipal authorities or public officials, etc. However, the latest judicial practice indicates an increase in the number of cases when guilty persons were brought to administrative responsibility for violating the legislation on the protection of personal data.
Imprisonment: Holding bad actors liable in the field of personal data protection under the Criminal Code of Ukraine is not a widespread practice, and there are no landmark court decisions.
Other enforcement action: In practice, the Ombudsman Office usually issues a warning first, demanding that the breach stop. Administrative fines may then be imposed if the guilty party does not comply with this warning. It is rare for criminal liability to result from cases related to the illegal disposal of confidential information and it usually arises with the accumulation of different criminal offences.
ePrivacy | Marketing and cookies
Ukraine is not yet an EU Member State and, therefore, has not implemented the ePrivacy Directive.
The rules governing direct marketing by email, fax and telephone are set out in the Law of Ukraine “On Electronic Commerce” (No. 675-VIII, dated September 3, 2015), the Law of Ukraine “On Advertising” (No. 270/96-BP, dated July 3, 1996), the Law of Ukraine “On Consumer Rights Protection” (No. 1023-XII, dated May 12, 1991), the Law of Ukraine “On Electronic Communications” (No. 1089-IX, dated December 12, 2020) and the Resolution of the Cabinet of Ministers of Ukraine on Approval of Rules on Provision and Receipt of Telecommunication Services (No. 295, dated April 11, 2012).
However, on June 23, 2022, the European Council granted Ukraine the status of a candidate for accession to the EU, so it is expected that Ukraine will soon implement EU regulations in the field of ePrivacy. Draft Law No. 8153, dated October 25, 2022, is accordingly also aimed at harmonising Ukrainian legislation with the ePrivacy Directive.
There are no specific rules for cookies to date, but most websites seek consent to cookies.
Conditions for direct marketing by e-mail to individual subscribers
Under the Law of Ukraine “On Electronic Commerce”, commercial electronic messages can only be sent where the person to whom such messages are addressed gives consent. However, the Law also states that commercial electronic messages may be sent to a person without consent if they can object to further messages.
Aggressive spam and advertising that ignores a person’s objection will be considered a violation of e-commerce legislation. In particular, the Law of Ukraine “On Electronic Communications” defines “spam” as electronic, text and/or multimedia messages that are sent without the prior consent of users repeatedly (more than five messages to one subscriber), except for messages from the provider of electronic communication services regarding the provision of electronic communication services or messages from state authorities or local self-government bodies on issues that fall under their authority.
In practice, therefore, based on these provisions, a business can send no more than five commercial electronic messages to a particular user without their prior consent, provided it gives them the right to refuse further receipt of such messages. However, given the ambiguity of the wording used in the current legislation governing this area, it is preferable to obtain the user’s consent in any case. The Law does not establish requirements for the form in which such consent is obtained, but a business should be ready to prove the fact of consent at any time.
Conditions for direct marketing by e-mail to corporate subscribers
The issue of application of the Ukrainian laws relating to direct marketing by email to corporate subscribers is unclear due to ambiguities in the legislation.
Exemptions and other issues
In addition, a commercial electronic message must: (i) be clearly identified; (ii) provide direct and simple access to the information about the seller (contractor, supplier); (iii) ensure discounts, bonuses, promotional gifts, etc. are clearly identified and the terms of their receipt are accessible and posted in a way that prevents ambiguous interpretation and meets the requirements of advertising legislation; and (iv) where it relates to goods, works or services, include information on the inclusion of taxes in their cost and, in the case of delivery of goods, information on the cost of delivery.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Making repeated calls without the consumer’s consent is prohibited as an aggressive business practice.
Businesses may use a consumer’s telephone number, obtained when selling goods or providing services, to send advertising for those goods or services only with the consumer’s consent (including consent given in electronic form), and only if the consumer is given the opportunity to refuse such use of their data free of charge, at any time, in a simple and understandable way.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The issue of application of the Ukrainian laws relating to direct telephone marketing to corporate subscribers is unclear due to ambiguities in the legislation.
Exemptions and other issues