Arzinger
What law(s) specifically govern personal data / information?
The Law of Ukraine on Personal Data Protection (the Law).
What are the key data protection principles in this jurisdiction?:
The key data protection principles are:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- integrity and confidentiality.
What is the supervisory authority / regulator in charge of data protection?
Ukrainian Parliament Commissioner on Human Rights (DPA).
Is there a requirement to register with a supervisory authority / regulator?
In the case of collection and processing of sensitive data it’s necessary to notify the supervisory authority/regulator. The term is 30 working days since the start of the data processing. Any amendments to the filed information shall be notified within 10 working days. Notification is free of charge.
The form used for notification can be found here:
http://www.ombudsman.gov.ua/ua/page/zpd/povidomlennya/formi-zayav/ . This information will be published on the website of the regulator.
Is there a requirement to notify the supervisory authority / regulator?
There is an obligation to notify the DPA in case of processing of personal data which constitutes a considerable risk for rights and freedoms of data subjects (mentioned above). Such notification should be conducted within 30 working days of the processing of such personal data and any amendments should be notified within 10 working days respectively (Art. 9 of the Law).
Such notification is not necessary in the following cases:
- the processing of personal data is conducted only for the purpose of administrating a register for the provision of public information and such register is in the public domain;
- the processing of personal data of the members of a civil organisation, political parties and/or organisations, trade unions related to philosophical beliefs, which is conducted for internal purposes of such organisations without transfer of such data to any third parties without the data subject's prior consent;
- processing of personal data is necessary for fulfilment of the data controller’s obligations in the sphere of labour relations under the law (Procedure of Notification of Ukrainian Parliament Commissioner for Human Rights on Processing of Personal Data, which Constitutes an Extra Risk for Human Rights and Freedoms, on the Department or the Person Responsible for Organization of Work Related to Protection of Personal Data During Its Processing and Publishing of Information adopted under the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14 dated January 8, 2014).
Is it possible to register with / notify the supervisory authority / regulator online?
A draft notification can be accessed here - http://www.ombudsman.gov.ua/ua/page/zpd/povidomlennya/formi-zayav/
Options for notification:
- mailing to the address: Ukraine, Kyiv, 21/8 Institutskaya Str., 01008,
- e-mail: [email protected]
- fax: 044-253-75-89
- direct filing to the authority: Ukraine, Kyiv, 21/8 Institutskaya Str., 01008.
What are the key data subject rights under the data protection laws of this jurisdiction?
The basic principle is that personal data processing should be conducted openly and transparently as well as by means and in a way which is compliant with the purposes of such processing (Art. 6 of the Law).
In view of this, data subjects are entitled to a number of rights related to the processing of personal data, namely (should they be requested by data subject):
- to know the sources of collection and location of their personal data, purposes of personal data processing, location or residence of data controller or data processor;
- to get information on conditions of access to personal data, in particular which third parties their personal data is transferred to;
- to know the scope of personal data collected and processed during a period of 30 days as of the date of receiving the respective request (i.e. right to access); and
- to be informed of the mechanism of processing of personal data by automatic means (Art. 8 of the Law).
Is there a requirement to appoint a data protection officer (or equivalent)?
General Requirements:
Controllers and processors who engage in processing activities that require notification to the DPA (i.e., processing that poses a significant risk to individuals’ rights, under Art. 9 of the Law) must establish a department or designate a person responsible for personal data protection. The information of the responsible department or person must be provided to the DPA and the DPA will make this information public (Art. 8 of the Law).
Business practice:
- prior to the General Data Protection Regulation ((EU) 2016/679) (GDPR) entering into force, Ukrainian companies were not routinely appointing data protection officers even despite a direct requirement under Ukrainian law,
- compliance officers and legal departments are usually responsible for data protection issues in Ukrainian companies.
Qualifications/Location:
The Law does not specify the required qualifications of the DPO.
The Law provides no guidance whether the DPO must be physically located in the country of the Owner (or Administrator) of the personal data.
Duties/Responsibilities:
The responsible department or person must:
- inform and advise the controller or processor on compliance with the Law;
- interact with the DPA on the prevention and elimination of law violations;
- ensure that individuals are able to exercise their rights under the Law;
- have access to any personal data processed by the controller and to all premises where such data are processed;
- notify the controller or processor of any violations of the personal data legislation;
- analyse threats to the security of personal data.
(Art. 24, Section 3.18, Model Procedure on Processing of Personal Data dated 13.02.2014)
Business practice: in case Ukrainian companies fall under GDPR provisions a person responsible for data protection should follow the GDPR requirements regarding DPO's.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
There is no obligation on any entities to give notice in the event of a data security breach; however, controllers and processors must document/log violations in the course of processing and develop action plans in the event of unauthorised access to personal data (Section 3, Ordinary Procedure of Personal Data Processing adopted under the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14 dated 08 January 2014).
A person/department responsible for data protection is obliged to notify the head of the company on data breaches as well as analyse other security risks (Section 3.18 of the Ordinary Procedure of Personal Data Processing adopted under the Order of Ukrainian Parliament Commissioner for Human Rights No 1/02-14 dated 08 January 2014).
Despite this, there are no provisions on notification either of the DPA or data subjects. We expect that such provisions will be included to Ukrainian law after its harmonisation with GDPR.
Does this jurisdiction have any specific data breach notification requirements?
There are no mandatory provisions relating to data breach notifications. The Model Procedure on Processing of Personal Data dated 13.02.2014 contains a number of provisions on this matter:
- The DPO should interact with DPA on any data breaches as the case may be (but it’s not applicable in practice),
- The DPO should record the facts of data breaches in documents,
- The DPO should notify the head of company on any data breaches.
There are no specific requirements on notification either of the DPA or data subjects on any data breaches. The respective timeframes are not also settled.
What restrictions apply to the international transfer of personal data / information?
There are a number of requirements:
- to notify data subjects of data transfers to third parties,
- to conclude a written agreement between a data controller and a data processor abroad,
- to notify data subject's on cross-border data transfer,
- there may be the following legal grounds for data transfer:
- case 1 - if the country is an EEA member or a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (par. 3 of Art. 29 of the Law of Ukraine “On Personal Data Protection”),
- case 2 - if there are any of the “additional grounds”: (1) consent of data subject, (2) contract between data controller and third party for the benefits of data subject, (3) necessity to protect vital interests of data subjects, (4) processing is necessary for the performance of a task carried out in the public interest, fulfilment of legal obligation, (5) there are warranties of data controller on non-interference to private life of data subjects (par. 4 of Art. 29 of the Law of Ukraine “On Personal Data Protection”).
During the state of war and 6 months after it ends, there is a simplified regime for international transfer of personal data related to health protection.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No. Ukrainian law does not contain any references to the nationality/residence of individuals whose personal data is protected – in view of this it is presumed that territorial principle applies meaning that personal data related to all persons within the territory of Ukraine is protected.
What rules specifically deal with marketing?
Privacy policy
Ukrainian law does not contain any direct rules on the necessity of either of terms of use or privacy policy for e-commerce purposes. Despite this, failure to notify Ukrainian purchasers of the terms and conditions of purchase should be considered as breach of civil rules, consumer rights protection legislation and competition rules. In addition, failure to notify of personal data processing should be considered as a breach of transparency and notification obligations as well. In view of this it’s recommended to draft and publish both documents for e-commerce purposes.
There are no strict rules on the requirements of a privacy policy in Ukraine, but it should include all aspects which purchaser’s should be notified of (mentioned above) – for instance, the scope of personal data collection, processing operations, legal grounds for data processing, data subject rights related to data protection, data erasure etc.
Subscriptions, direct marketing
Under Ukrainian E-commerce Law a “commercial message” is an electronic message in any form created for the purpose of direct/indirect promotion of goods/services or business reputation of a person who conducts commercial or independent professional activities. In addition it’s necessary to follow the rules stipulated under the Law of Ukraine on Advertisement.
The E-commerce Law also includes the below rules of communication:
- it shall be delivered to customers only under their explicit consent (please find the requirements for consent in part 4 above). When consent is withdrawn, the company should stop sending any messages to the customers;
- If no such consent is received it’s possible to send to the customers electronic messages, but in this case the Company should ensure opt-out option meaning that the customers should be enabled to unsubscribe any time.
It’s prohibited to demand from the customers to pay any extra fee for receiving of such electronic messages (i.e. no additional fee can be charged by telecom operators/providers, payment system operators, hosting providers, and internet access providers etc.).
Requirements of electronic marketing:
- it should be directly identified;
- it should provide the customers with direct and easy access to information on the company’s legal status as a seller of goods/provider of services;
- electronic messages on sales, benefits, presents etc. should be clearly identified, the respective rules of receiving of such sales, benefits, presents etc. should be explicitly provided to the customers without any ambiguity, in additions Ukrainian advertisement laws should be followed;
- information on the price of goods/services should contain the information on inclusion of taxes and delivery (if applicable).
It’s also advised:
- to include as detailed information on subscriptions and direct marketing as possible in the privacy policy;
- to make the “unsubscribe” option as easy as possible: to explain the respective procedure under the privacy policy and to include a link/button “unsubscribe” to all electronic messages;
- to insert the box for giving consent on subscription with a link to the Privacy policy on the web-platform for e-commerce.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
There is the newly-adopted Law of Ukraine “On Electronic Communications” effective since 01.01.2022.
Under Ukrainian E-commerce Law “commercial message” is an electronic message in any form created for the purpose of direct/indirect promotion of goods/services or business reputation of a person who conducts commercial or independent professional activities. In addition it’s necessary to follow the rules stipulated under the Law of Ukraine on Advertisement.
The E-commerce Law includes the below rules of communication:
- it shall be delivered to customers only under their explicit consent. When consent is withdrawn the Company should stop sending any messages to the customers;
- if no such consent is received it’s possible to send to the customers electronic messages, but in this case the Company should ensure opt-out option meaning that the customers should be enabled to unsubscribe any time.
Please note that since 01.01.2022 the respective option with the opt-out is expected to be amended (as the Law of Ukraine on Electronic Communications is likely to enter into force).
It’s prohibited to demand from the customers to pay any extra fee for receiving of such electronic messages (i.e. no additional fee can be charged by telecom operators/providers, payment system operators, hosting providers, and internet access providers etc.).
"Consent should be:
- freely given (i.e. conscious decision taken without enforcement and threats); and
- informed (i.e. a decision on processing of personal data taken voluntary, competently and on a basis of full, objective and comprehensive information on prospect processing of personal data).
Consent should contain the purpose of personal data processing. There are additional requirements relating to the purpose:
- in case of amending the purpose, the respective consent should be received again,
- consent should be proportional to the purposes of personal data processing (for example, personal data should be collected in the scope necessary for fulfilment of the designated purposes).
Data subject’s rights related to consent:
- the data subject may impose a set of limitations when giving such consent,
- only the data subject may amend personal data provided under the consent,
- having provided consent further, the data subject is entitled to control processing of personal data. It means that the data subject is entitled to make a request with reasonable periodicity and get the information, which was previously included with consent,
- the data subject is entitled to withdraw consent.
The below information must be included to the consent:
- who is the data controller (name, address, telephone of data processor),
- what are the purposes of processing of personal data (purpose should be specified),
- what personal data will be processed (full list),
- what types of processing operations are applied,
- who is the data processor and what is a scope of their rights,
- which third parties personal data may be transferred to, for what purposes and on which legal ground,
- what is a retention period for personal data,
- what are the conditions of consent withdrawal and what are the respective consequences,
- information on the rights provided under legislation on personal data protection.
Requirements to form of provision of information in the consent:
- in full scope,
- in a simple and understandable form.
Form of consent:
- written form or
- electronic form (the E-Commerce Law permits individuals to provide their consent electronically (by ticking a box) in the course of their registration with a seller’s trading system, provided that the seller’s trading system is set up so that it is not able to process the personal data until the consent box is ticked).
Under the E-commerce law it's provided that unless the consent is received it’s possible to send to the customers electronic messages, but in this case the company should ensure opt-out option meaning that the customers should be enabled to unsubscribe any time.
Such messages should be sent free of charge.
At the same time since 01.01.2022 the Law of Ukraine "On electronic communications" is expected to enter into force. It contains a number of provisions on protection of end-users from spam. There is a statement providing the following:
- telephone numbers/other kinds of network ID can be used for sending marketing messages, selling goods/rendering services;
- telephone numbers/other kinds of network ID should be previously received by the company within the process of selling goods/rendering services;
- such communication should be based on the end user's consent only (including in e-form) AND with the opt-out option provided free of charge, anytime, in simple and understandable form.
"Requirements for electronic messages:
- it should be directly identified
- it should enable the customers with direct and easy access to the information on the Company’s legal status as a seller of goods/provider of services
- electronic messages on sales, benefits, presents etc. should be clearly identified, the respective rules of receiving of such sales, benefits, presents etc. should be explicitly provided to the customers without any ambiguity, in additions Ukrainian advertisement laws should be followed
- information on price of goods/services should contain the information on inclusion of taxes and delivery (if applicable).
It’s also advised:
- to include as detailed information on subscriptions and direct marketing as possible to the privacy policy
- to make “unsubscribe” option as easy as possible: to explain the respective procedure under the privacy policy and to include a link/button “unsubscribe” to all electronic messages
- to insert the box for giving consent on subscription with a link to the Privacy policy on the web-platform."
What rules specifically deal with cookies?
Ukrainian laws do not have any specific requirements or regulation in respect of cookies. But as cookies are still considered as personal data it’s advised to:
- take care on adherence to data protection rules when collecting and processing cookies (both operational duration cookies and cookies will still be used for profiling, ads/monetization);
- any privacy policy should contain provisions on cookies;
- pop-up notice on cookies should be inserted to the web-site (switching the cookies bot off should be a subject to extra legal advice).
What are the consequences of non compliance with data protections laws (including marketing laws)?
Criminal Sanctions:
Criminal sanctions are possible only against individuals, not companies, which are only subject to administrative sanctions In view of this directors or responsible officials who can be made responsible.
- Breach of inviolability of private life (Art. 182 of the Criminal Code of Ukraine)
Illegal collection, storage, use, delete and sharing of confidential information on the data subject, illegal amendment of such information may lead to imposing of fine (approximately USD 340 to USD 680) or involving to corrective labour for the period of up to 2 years or arresting for a term of up to 6 months or custodial restraint for the period of up to 3 years.
In case these actions were repeated or they led to substantial damage (i.e. USD 3800 and more) to rights and freedoms of the data subject, the following sanctions may be imposed: arrest for a term 3-6 months or custodial restraint for a period of 3-5 years or imprisonment for the same period.
- Illegal collection for further use or use of trade secret or bank secret (Art. 231 of the Criminal Code of Ukraine)
Personal data may constitute trade secrets or bank secrets of the company. In view of this it’s possible to use remedies applicable for these categories of data, inter alia, imposing to criminal responsibility (Art. 231, 232 and 362).
In case deliberate actions were taken to get trade secret/bank secrets for further disclosure or any other use or such trade secrets/bank secrets were committed and led to substantial damages, a fine to the amount of USD 2000 – 5500).
- Illegal disclosure of trade secrets or bank secrets (Art. 232 of the Criminal Code of Ukraine)
Under Ukrainian law illegal disclosure of trade secrets or bank secrets is prohibited. Commitment of this offence leads to imposing of a fine (approximately USD 630 – USD 1890) with prohibition of taking up respective positions for up to 3 years.
There are a set of facts necessary for declaring the offence and initiating criminal proceeding. And namely, for the purpose of initiation of the criminal proceedings it will be necessary:
- to prove that the disclosed information may be considered as confidential information/trade secret,
- to prove that disclosure of data was made with a wilful intent.
- Unauthorised actions with information, which is processed or stored in the electronic computing machines (computers), automated systems, computer networks, committed by a person authorised to access to such information (Art. 362 of the Criminal Code of Ukraine)
The sanction for such a crime is imprisonment for up to 3 years with revocation of right to hold the respective posts and be involved to the same sphere for 3 years too.
- To prevail in such proceedings the following should be proved:
- the information, which unauthorised access was gained to, should be such as stored in the computer and be with limited access,
- there should be unauthorised interception or copying of such information (meaning the internal corporate rules on processing of such information should contain direct prohibition of copying such information and such prohibition should be breached),
- such unauthorised disclosure of the information should lead to transmission of the information to third parties.
Administrative/Civil Penalties:
As regards personal data the following types of penalties are envisaged:
- failure to notify or untimely notification of DPA on personal data processing or amendment of such data, undue notification (provision of incomplete or inaccurate data) will lead to imposing of fine (for individuals - USD 70-140, for officials – USD 140-280), fail to fulfil the recommendations of the DPA on prevention or improvement of breaches related to personal data protection will lead to imposing of fine (for individuals - USD 140-200, for officials – USD 200 - 680). In case of repeated actions mentioned above during the following year the fine to the amount of USD 200 – 300 for individuals and USD 300 – USD 1400 for officials may be imposed (Art. 188-39 of the Code of Ukraine on Administrative Offences),
- in the case of a data breach (meaning breach of confidentiality or breach of rights and freedoms of data subjects) caused with undue data protection measures a fine to the amount of USD 60 – 340 for individuals and USD 180 – 680. In case of repeated actions mentioned above during the following year the fine to the amount of USD 680 – 1360 may be imposed (Art. 188-39 of the Code of Ukraine on Administrative Offences),
- In case of refusal to fulfil legitimate demands of the DPA the fine may be also imposed (to the amount USD 60 – 140) (Art. 188-40 of the Code of Ukraine on Administrative Offences),
As previously noted personal data may be also considered as confidential information and trade secrets within companies, so illegal disclosure and use of such data may be considered as unfair competition:
- administrative responsibility of individuals committed disclosure of personal data (Art. 164-3 of the Code of Ukraine on Administrative Offences) - a fine in the amount of USD 6-11 may be stipulated.
- administrative responsibility of companies committed an act of unfair competition with illegal use of disclosed personal data (Section 4 of the Unfair Competition Law). The respective claim should be filed directly to Ukrainian antimonopoly authorities and the facts, indicated by this claim, should be proved by the documents or any other evidence. There are four types of illegal actions related to confidential information/trade secret, which are considered as actions of unfair competition: unlawful collection of trade secret, disclosure of trade secret, inclination to disclosure of trade secret, unlawful use of trade secret. The fine imposed for any actions considered as unfair competition is up to 5 % of company’s annual turnover for the last reporting year preceding the year in which the penalty is imposed.
Business practice:
Recently for the first time in a long period the AMCU issued the decision in such category of cases. The fine to the amount of about USD 13 500 was imposed on LLC "Ergon-Electric" (about 3%) for unlawful use of trade secrets (including personal data in the databases of the company). While deciding the fine amount the following were considered as crucial: (1) it was the first time, when LLC "Ergon-Electric" committed infringement, (2) the infringement was ongoing at the moment of taking the Decision. Importantly, the AMCU considered the non-disclosure agreements, signed by the fired employees, which contain prohibition to disclose any confidential information/trade secrets as satisfactory evidence of the presence of obligation to not disclose confidential information/trade secrets.
Private Right of Action:
Individuals have the right to have remedies applied in case of violations of the law (Art. 8 of the Law).
The main goal of initiation of a civil proceeding is recovery of damages caused by illegal disclosure of the company’s confidential information. To prevail in such a proceeding the following aspects should be proved: (1) unauthorised actions (i.e. deliberate disclosure of the company’s confidential information), (2) damages (general or consequential damages (loss of profit)), (3) the cause and effect relationship between the data breach and caused damages. The subject of such claims should be recovery of damages caused by unauthorised disclosure of the company’s confidential information. The amount of the action will rely on the results of the assessment of damages by an expert.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
GDPR is not mandatory for the collection and processing of personal data in Ukraine. Instead Ukrainian law “On Personal Data Protection” (in UA - https://zakon.rada.gov.ua/laws/show/2297-17 ) applies.
To comply with local privacy requirements multinational organisations should follow such rules:
- understand what categories of data are collected and processed, what is the character of such data (open data, personal data, confidential information etc.),
- in case of collection and processing of sensitive data specific rules apply,
- to follow data subjects’ rights,
- to designate the purpose of data collection and processing,
- to define legal basis for data collection and processing,
- to conclude agreements between data controllers and data processors,
- to notify on any third parties, which data is transferred to,
- to notify on any cross-border data transfers,
- to delete data in due time and manner.
What upcoming data protection developments should multinational organisations be aware of?
Currently the new law of Ukraine “On Personal Data Protection” is under development (to proceed with the obligations of the Ukraine on personal data protection under the EU/Ukraine association agreement).
In addition, on 12 January 2021, the new Law of Ukraine “On Electronic Communications” was signed by the President of Ukraine and it contains some particular provisions on personal data protection.