February 28, 2022

Draft Law of Ukraine on Data Protection 


According to the Plan of Actions related to fulfilling the EU-Ukraine Association Agreement that entered into effect in 2017, Ukraine committed to bring its data protection legislation into compliance with the GDPR. In that respect, on June 9, 2021, the Parliament of Ukraine - Verkhovna Rada registered the draft law on “Protection of Personal Data” (“Draft Law”), proposing to replace the existing PDP Law and to implement the General Data Protection Regulation in Ukraine.

What is the primary law for data protection?

Currently, in Ukraine, the main legislative act that governs the processing of personal data is the Law of Ukraine on Personal Data Protection No 2297-VI of June 1, 2010 (“PDP Law”). The law regulates legal relations involving the protection and processing of personal data. It aims to protect the fundamental rights and freedoms of natural persons, particularly the right to privacy concerning the processing of personal data. Several amendments were made to the PDP Law in 2012 and 2014 to align it with the laws of major economies. Furthermore, certain data protection issues are regulated by guidelines specifically developed to implement the PDP Law, issued by the Ukrainian Parliament Commissioner for Human Rights (Ombudsman). However, the data protection law of Ukraine is not a comprehensive regulation such as its counterparts, including the GDPR and the LGPD.

When will the Draft Law come into effect?

To become law, the Draft Law must undergo two hearings in Parliament. It is also likely that several provisions of the Draft Law will be subject to further changes and additions, thus lengthening the process. With all that said, it is not known when Ukrainian legislators will complete the adoption process or when the new data protection law would enter into effect.

What are the critical updates in the Draft Law?

The new law aims to bring the data protection legislation of Ukraine in line with GDPR standards. With this in mind, the Draft Law introduces several GDPR-like features, including:

  • new principles of data processing (such as lawfulness, fairness, transparency, data minimization, purpose limitation, storage limitation, accountability, etc.);
  • updated legal grounds for data processing and an additional legal ground of “legitimate interests”;
  • unified and extended GDPR-like terminology;
  • updated concept of sensitive data with a comprehensive list of legal grounds for processing such data;
  • new data protection rules about video surveillance;
  • new data protection rules concerning the use of tracking technologies in electronic communications;
  • new requirements for data processing agreements, etc.

What is the territorial application of the Draft Law?

Unlike the GDPR, the Draft Law does not specify the territorial application of the law. That is why it is not expected that the law would apply outside of Ukraine, as in the case of most comprehensive data protection laws. However, it must be noted that, since the Draft Law would have to undergo parliamentary hearings before becoming law, changes in this respect could well still be introduced.

What are the rules on international data transfers?

The provisions of the Draft Law on cross-border data transfers mirror the provisions of the GDPR relating to international data transfers. Personal data transfers are subject to new rules. Accordingly, the following countries and/or international organizations are considered to provide an adequate level of protection for personal data:

  1. The countries that are subject to the GDPR, meaning the member states of the European Economic Area (“EEA”);
  2. The countries that are subject to the Amending Protocol to the Convention for the Protection of Individuals concerning the Processing of Personal Data (commonly known as the “Convention 108+”);
  3. The countries considered by the Ukrainian data protection authority to provide an adequate level of protection.

Furthermore, the Draft Law includes appropriate safeguards and Binding Corporate Rules (“BCRs”), as does the GDPR, as a means to transfer personal data to countries without an adequate level of protection.

Are there rules relating to data breach notifications?

The Draft Law is set to introduce GDPR-like data breach notifications. That means the new law will introduce a requirement for data controllers to notify the competent authority of a data breach when the breach is likely to lead to high risks for the rights and freedoms of data subjects. In addition, the controller would have to notify the affected data subjects if the data breach is likely to bring a high risk.

What is the data protection authority under the Draft Law?

The Ukrainian Parliament Commissioner for Human Rights (“Ombudsman”) has been acting as the data protection authority (“DPA”) in Ukraine since January 1, 2014, under the existing data protection regime. The Draft Law brings changes in this regard, and the definition of the data protection authority under the Draft Law refers to a standalone law that would regulate the DPA.

On September 29, 2021, the Draft Law on the National Commission for Personal Data Protection and Access to Public Information was presented by a joint initiative composed of the Parliamentary Committees on Digitalization and Human Rights Protection, together with the Ukrainian Parliament Commissioner for Human Rights and the Joint EU and European Council project. This draft law proposes to create an independent government agency that would be responsible for policymaking, by adopting mandatory regulations, and for enforcement relating to data privacy and access to public information.

The main powers of the Commission include:

  • Investigation of possible violations of the Law of Ukraine “On Personal Data Protection” based on complaints and on its own initiative;
  • Collection of written explanations from government and private organizations, as well as individuals, about circumstances that may indicate a violation of the Law of Ukraine “On Personal Data Protection”;
  • Issuing fines to controllers and processors of personal data;
  • Applying to the courts for enforcement of the Law of Ukraine “On Personal Data Protection”.

The Commission would have inspection powers concerning data controllers and processors, exercised on the basis of data privacy complaints or on the Commission’s own initiative.

What are the monetary penalties?

The Draft Law introduces a new range of administrative fines imposed on natural and legal persons violating the data protection law. It must be noted that the Draft Law significantly increases the amount of the penalties compared to the existing law.

The fines differ depending on the type and severity of the violation. The suggested monetary penalties are:

  • for individuals – from 10,000 UAH (approximately 300 EUR) to 300,000 UAH (approximately 9,000 EUR); and
  • for legal entities – from 30,000 UAH (approximately 900 EUR) or 0.05 percent of the total annual turnover to 5 percent of the total annual turnover (but not less than 300,000 UAH (approximately 9,000 EUR)).

If a violation is repeated within a year, the Draft Law allows a monetary fine of 200 percent of the penalty imposed within that year for a similar prior violation.

If an organization commits several different violations within one processing action, the total amount of the monetary penalty must not exceed the amount of penalty for the most severe violation. The maximum amount of monetary fines may reach:

  • for individuals – up to 20 million UAH (approximately 606,000 EUR); and
  • for legal entities – up to 150 million UAH (approximately 4.5 million EUR) or 8 percent of the total annual turnover of the previous year.

Is there a requirement to appoint a DPO?

The requirement to appoint a data protection officer (“DPO”) already exists under the current data protection law in the case of processing of special categories of personal data (high-risk data). The Draft Law expands this requirement in a GDPR-like fashion. Accordingly, organizations will have to appoint a DPO in the following situations:

  • where regular, systematic, or large-scale monitoring of the actions of data subjects is involved;
  • where large-scale processing of data takes place; and
  • where sensitive or biometric personal data is processed.

GDPR and the Draft Law

The current law of Ukraine is not comprehensive and is not in line with GDPR standards. However, legislative reform has been initiated, and a new law similar to the GDPR has been drafted and registered with the Verkhovna Rada - Parliament of Ukraine.

The new law is not expected to enter into force any time soon, but it will likely be in force by the end of 2023 if no further significant change is required.
