Publication
Contacts
Eterna Law
Artem Kuzmenko
Marharyta Tatarova
Anton Hodosh
Tel: +(38) 044 490 7001
www.eterna.law
Supervisory Authority
Authorised Human Rights Representative of the Verkhovna Rada of Ukraine
National Legislation
Law of Ukraine “On Personal Data Protection”
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Contributed by Georgiades & Pelides LLC
Last updated May 2026
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
General data protection laws
Ukraine is a party to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, dated 1981 (the “Convention”), and the Additional Protocol to the Convention, dated 2001.
The key legislative act regulating data protection in Ukraine is the Law of Ukraine “On Personal Data Protection” No. 2297-VI, dated June 1, 2010 (the “Data Protection Law”). It regulates legal relations concerning the protection and processing of personal data and is aimed at protecting fundamental human and civil rights and freedoms, in particular the right of non-interference in personal life.
Pursuant to the EU–Ukraine Association Agreement, Ukraine has agreed to ensure an adequate level of protection of personal data in accordance with European and international standards. As an EU candidate, Ukraine must align its legislation with EU law. Draft Law No. 8153 (October 25, 2022) aims to harmonise Ukrainian law with the GDPR and Convention 108+. It was adopted at first reading on 20 November 2024 and is undergoing revision, with adoption anticipated despite delays caused by martial law.
Entry into force
Both the Convention and the Data Protection Law came into force on January 1, 2011. The EU–Ukraine Association Agreement entered into force on September 1, 2017.
Details of the competent national supervisory authority
The Authorised Human Rights Representative of the Verkhovna Rada of Ukraine (the “Ombudsman Office”)
21/8 Instytutska Str.
01008, Kyiv
Ukraine
Notification or registration scheme and timing
A personal data owner must notify the Ombudsman Office when processing Risky Data (the law’s term for sensitive personal data, described under “What is sensitive personal data?” below) within 30 working days from the start of such processing.
Order No. 1/02-14 expands Risky Data to include categories such as national origin, political affiliation, administrative liability, investigative measures, violence-related data, and location or movement data.
Exemptions to notification
Notification is not required where data is processed: (i) for public registers; (ii) by associations for member data; or (iii) for employment-related purposes.
What is the territorial scope of application?
There are no explicit territorial provisions, but the law likely applies to processing taking place in Ukraine.
Is there a concept of a controller and a processor?
The law defines a personal data owner (controller) and a personal data manager (processor acting on behalf of the owner).
Are both manual and electronic records subject to data protection legislation?
Yes. The law applies to automated processing and structured non-automated processing within filing systems.
Are there any national derogations?
The law does not apply to processing for personal or domestic use, to journalistic or creative activities (subject to a balancing of interests), or to archival information. Certain provisions may be restricted in the interests of national security and similar interests. During martial law, limited flexibility applies to transfers for healthcare purposes.
What is personal data?
The Data Protection Law defines personal data as details, or a set of details, about an individual who is identified or can be specifically identified. This includes a personal data subject’s name, address and education, as well as any Risky Data relating to them.
For the purposes of Ukrainian freedom of information laws, personal data may be classified as restricted or confidential information. Processing of confidential information about a person without their consent is not allowed, except in cases prescribed by law and only in the interests of national security, economic well-being or human rights.
However, personal data relating to the exercise of official powers by a person authorised to perform state or local government functions is not considered confidential information.
Is information about legal entities personal data?
No. Personal data relates only to an identifiable individual.
What are the rules for processing personal data?
Processing includes any action or set of actions such as collection, registration, storage, adaptation, use, distribution, depersonalisation or destruction of personal data.
In most cases, processing requires the consent of the personal data subject, who may withdraw such consent at any time.
Consent is not required in specific cases, including where processing is necessary: (i) for contractual purposes; (ii) for the exercise of powers granted by law; (iii) to protect vital interests; (iv) to fulfil legal obligations; or (v) to protect legitimate interests, unless overridden by the subject’s rights.
Personal data must be processed for lawful, clearly defined purposes and may not be further processed in a manner incompatible with those purposes without renewed consent.
Are there any formalities to obtain consent to process personal data?
Consent may be obtained in writing or by other means confirming it has been given, including electronically. It must be obtained prior to processing.
The data subject must be informed about: (i) the data owner; (ii) the content of the collected data; (iii) their rights; (iv) the purpose of processing; and (v) recipients of the data. This must be done at collection or within 30 working days.
Are there any special rules when processing personal data about children?
The law does not contain specific rules for children, but parents or guardians may act on behalf of minors.
Are there any special rules when processing personal data about employees?
Notification obligations do not apply when processing employment-related data where it is necessary for labour relations or where member data is processed by organisations without transfer to third parties.
What is sensitive personal data?
The law refers to “Risky Data”, which includes data relating to: (i) racial or ethnic origin; (ii) political, religious or ideological beliefs; (iii) membership in political parties or trade unions; (iv) criminal convictions; (v) health; (vi) sexual life; and (vii) biometric or genetic data.
Order No. 1/02-14 expands this list for notification purposes, meaning a broader range of data may be treated as sensitive in practice.
Are there additional rules for processing sensitive personal data?
Processing Risky Data is generally prohibited, unless specific conditions apply, including where: (i) the data subject has given unambiguous consent; (ii) processing is necessary for employment obligations; (iii) vital interests must be protected; (iv) processing is carried out by certain organisations for members; (v) it is required for health or research purposes; (vi) it relates to military records; (vii) it is carried out by state authorities for law enforcement purposes; or (viii) the data was made public by the subject.
Are there additional rules for processing information about criminal offences?
Information about criminal offences is classified as Risky Data and may only be processed by authorised bodies under strict conditions.
Are there any formalities to obtain consent to process sensitive personal data?
Consent must be unambiguous and clearly demonstrable. The personal data owner must be able to prove its existence throughout the processing period, and the purpose of processing must be objectively justified.
When must a data protection officer be appointed?
The Data Protection Law requires state and local authorities, as well as personal data owners or managers processing sensitive personal data defined by Order No. 1/02-14, to appoint or establish a compliance unit or individual (data protection officer).
Information about the compliance unit or data protection officer must be reported to the Ombudsman Office and will be publicly available.
What are the duties of the data protection officer?
The compliance unit or data protection officer: (i) informs and advises the personal data owner or manager on compliance with the Data Protection Law; and (ii) interacts with the Ombudsman Office.
Is there a general accountability obligation?
There is no formal general accountability obligation under the Data Protection Law.
However, the Ombudsman Office has the authority to request documents and information from personal data owners and managers as part of its supervisory functions. Accordingly, organisations should retain documentation relating to personal data processing activities in order to demonstrate compliance when required.
In addition, codes of conduct may be developed by personal data owners and managers to ensure effective protection of data subjects’ rights, taking into account sector-specific processing practices.
Are privacy impact assessments mandatory?
No. The Data Protection Law does not impose a requirement to conduct privacy impact assessments.
Privacy notices
Personal data subjects must be informed, either at the time of data collection or within thirty working days thereafter, about: (i) the personal data owner; (ii) the composition and content of the collected data; (iii) their rights under the Data Protection Law; (iv) the purpose of processing; and (v) the recipients of the data.
Rights to access information
Data subjects have the right to: (i) receive confirmation within thirty calendar days as to whether their personal data is being processed and obtain the content of such data; (ii) know the sources of collection, location, purpose of processing and location of the data owner or manager; (iii) receive information about conditions for granting access to their data, including third-party disclosures; (iv) access their personal data; and (v) understand details of any automated processing.
Rights to data portability
The Data Protection Law does not expressly provide for a right to data portability.
Right to be forgotten
Data subjects have the right to: (i) object to the processing of their personal data; (ii) request modification or destruction of data processed unlawfully or inaccurately; and (iii) withdraw consent.
There is no explicit concept of a “right to be forgotten” under Ukrainian law, although this may evolve as Ukraine aligns with EU standards.
Objection to direct marketing
Under Ukrainian e-commerce legislation, individuals must be able to refuse further receipt of marketing communications, and both opt-in and opt-out approaches are used in practice.
Other rights
Data subjects are also entitled: (i) to protection against unlawful processing and accidental loss or destruction of their personal data; (ii) to protection of their honour, dignity and reputation; (iii) to restrict processing when giving consent; (iv) to protection from automated decisions that have legal consequences; (v) to submit complaints to the Ombudsman Office or the courts; and (vi) to seek legal remedies.
Security requirements in order to protect personal data
Personal data owners, managers and third parties must ensure protection against accidental loss or destruction and unlawful processing or access.
Appropriate organisational and technical measures should be implemented, including: (i) defined employee access procedures; (ii) logging and recording of processing operations; (iii) incident response plans; (iv) staff training; and (v) technical safeguards to prevent unauthorised access.
Personal data owners must maintain lists of employees with access to data and apply a “need-to-know” principle.
Processing activities must be documented, including collection, modification, access, transfer and deletion of data, along with responsible personnel and legal grounds. Automated systems must record such activities automatically.
Specific rules governing processing by third party agents (processors)
Processing may be delegated to a personal data manager based on a written agreement.
Notice of breach laws
Ukrainian law does not require mandatory notification of data breaches to authorities or data subjects.
However, compliance personnel must report violations internally and document them. Data collected unlawfully must be deleted or destroyed in accordance with legal procedures.
Restrictions on transfers to third countries
Personal data may only be transferred from Ukraine to recipients in third countries if an adequate level of protection is ensured by the recipient state.
States recognised as ensuring adequate protection include: (i) EEA member states; (ii) states party to the Convention; (iii) states whose capital market regulators are IOSCO signatories; and (iv) other states designated by the Cabinet of Ministers of Ukraine. The United States falls within recognised adequate jurisdictions.
Transfers are also permitted where: (i) the data subject provides unambiguous consent; (ii) the transfer is necessary for contractual purposes; (iii) it is required to protect vital interests; (iv) it is necessary for public interest or legal claims; or (v) adequate safeguards are provided by the data owner.
During martial law and for six months after, transfers are permitted for telemedicine purposes, provided they comply with the recipient country’s laws (excluding Russia and Belarus).
Personal data must not be used for purposes other than those for which it was collected.
Notification and approval of national regulator (including notification of use of Standard Contractual Clauses)
There is no requirement to obtain approval from the Ombudsman Office. There is also no concept of Standard Contractual Clauses under Ukrainian law.
Use of binding corporate rules
The Data Protection Law allows reliance on binding corporate rules, subject to approval by the Ombudsman Office.
Fines
Administrative liability is established for violations such as: (i) failure to notify the Ombudsman Office; (ii) failure to comply with its orders; and (iii) unlawful access to personal data. Fines range up to approximately EUR 320 and may increase for repeated violations.
Imprisonment
Criminal liability applies for unlawful collection, use or dissemination of confidential information, punishable by fines, corrective labour, probation or imprisonment of up to five years for serious offences.
Compensation
Data subjects may claim compensation, including moral damages, typically through court proceedings.
Other powers
Defamation claims may also be used where personal data is unlawfully disclosed.
Practice
Enforcement remains relatively limited. Administrative fines are not frequently imposed due to institutional capacity constraints, though recent trends show increasing enforcement activity. Criminal enforcement is also rare, with only small numbers of convictions annually.
ePrivacy laws
Ukraine has not implemented the EU ePrivacy Directive. Regulation of electronic marketing is governed by multiple laws including those on electronic commerce, advertising, consumer protection and electronic communications.
Ukraine’s EU candidate status is expected to drive further harmonisation with EU privacy and communications laws.
Conditions for use of cookies
Ukrainian law does not contain specific cookie regulation. In practice, cookie use is governed through general personal data protection principles, and consent is typically obtained.
Regulatory guidance on the use of cookies
Not applicable.
Conditions for direct marketing by e-mail to individual subscribers
Commercial messages generally require consent, although limited unsolicited messages are permitted if recipients can opt out. Repeated unsolicited messages may constitute spam and lead to fines or blocking.
Conditions for direct marketing by e-mail to corporate subscribers
The legal position remains unclear due to ambiguity in legislation.
Exemptions and other issues
Commercial communications must clearly identify the sender and provide accessible terms for promotions, pricing and delivery conditions.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Repeated unsolicited calls are considered aggressive practice and may result in fines and blocking measures. Use of phone numbers for marketing requires consent and must include opt-out mechanisms.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The legal framework remains unclear.
Exemptions and other issues
None.