Liability for violation of personal data protection legislation


Almost all companies operating in Ukraine have been facing problems in the process of adjusting their business activities to the new Ukrainian personal data protection legislation. The Law of Ukraine “On Personal Date Protection” (the “Law”), which became effective on 1 January 2011, sets new rules for collecting, storing, using, processing and transferring personal data. The Law contains many questionable provisions, which interpretation is often problematic even for the State Service of Ukraine for the Personal Data Protection (the “State Service”).

The issue becomes even more topical now, as starting from 1 January 2012 the Law of Ukraine “On Amending Certain Legislative Acts of Ukraine Regarding Violations of Legislation on the Personal Data Protection”, increasing liability for violating the Law, will become effective. The said law provides for serious penalties for companies found in breach of it (up to USD 2,000 in fines for each single violation and up to five years of imprisonment of the company's CEO). Therefore, it is absolutely necessary for all entities operating in Ukraine to become compliant with the Law by the above date.

The Law requires, among others, to register with the State Service databases containing personal data (e.g. passport details) of all employees, clients, customers, end consumers and any other business partners of all companies doing business in Ukraine. The companies have been facing various problems, while registering their databases (e.g., a formalistic approach by the State Service to processing submitted information). Considering that most of the companies and individuals operating in Ukraine have decided to register their databases only recently and almost simultaneously, the State Service often misses the statutory set terms for registering databases, including due to the lack of the registration certificates.

Moreover, under the Law the company must obtain a written consent from each employee, client, end consumer or any other business partner for collecting, processing, storing, using and transferring his or her personal data to any third parties, including abroad. The Law also mandates organizations making such transfers to ensure that a respective third party maintains an adequate level of protection of the transferred data, as well as to observe several other requirements.

In view of that the State Service has already started to inspect the company’s compliance with the personal data protection legislation and intends to make sure that the Law and supplementary legislation is observed in Ukraine, a sound corporate personal data protection programs should be developed by every entity doing business in Ukraine. To reduce the risk of being prosecuted for breaching the Law the corporate program should include developing model internal documentation (e.g. policies, regulations, orders, letters of consent, personal data protection clauses in the contracts, documents on the cross-border data transfers, etc.).

For more information, please contact Svitlana Kheda or Nataliya Mykolska.

Related news

01 June 2023


Aligning Ukraine’s competition laws with EU regulations: a work in progress
23 May 2023


IP STARS named Yaroslav Ognevyuk Trade mark star 2023
15 May 2023


Regulatory Sandbox for Innovative Products Launched in Ukraine
Notification cookies

We use cookies to analyze the behavior of visitors
of our website and improve it. By using our website, you consent to these cookies in accordance with our Cookie Policy.