On 7 June 2021, the draft Law of Ukraine No. 5628 “On Personal Data Protection” (the “Draft Law”) was submitted to the Ukrainian Parliament. The aim of the Draft Law is:
Who it will affect
Similar to the current data protection law, the Draft Law will apply to all processing activities occurring in Ukraine.
Each entity, whether a private commercial company or a public authority, processes at least the data of its employees and business partners. Even this is enough for the Draft Law to apply to such entities.
Unlike the GDPR, the Draft Law should not have an extraterritorial effect.
Since the EU regulations on confidentiality and cybersecurity exist in parallel and supplement each other, the Draft Law can also be expected to affect, to a certain extent, the upcoming regulations in the Ukrainian cybersecurity sector.
Key changes expected
The majority of the Draft Law's provisions are based on the GDPR, as well as on individual pieces of EU case law and best practices. The following key issues should be considered by all processing parties in Ukraine.
Liability and penalties
The significant increase in the level of penalties for a violation of the Draft Law is intended to encourage processing parties to treat personal data and its protection much more seriously.
Suggested financial penalties for committing a violation of the Draft Law vary depending on the type of violation:
Repeated violations within a year may lead to a fine in the amount of 200% of the penalty imposed within such year for the prior similar violation.
If a data processing party commits several different violations of the Draft Law within one processing action, the total amount of the financial penalty should not exceed the amount of the penalty for the most severe violation.
The maximum financial penalties for the violations may reach:
Data protection authority
Although the Draft Law does not specify a new independent status of the re-launched Ukrainian data protection authority (DPA) and its obligations (which will probably be outlined in a separate legal act), it demonstrates the wide range of areas in which the DPA is likely to be involved, such as:
Cross-border data transfers
The Draft Law foresees several legal bases for data transfers abroad. The list of such legal bases would now be more aligned with EU standards:
New obligation of data breach notification
Similar to the GDPR, the Draft Law establishes an obligation for data controllers to notify the Ukrainian DPA of a data breach when it is likely to lead to risks to the rights and freedoms of data subjects.
The notification would also need to be submitted to the data subjects where the data breach results in a high risk to their rights.
Data protection impact assessment
Another new obligation for data controllers would be to conduct a DPIA before launching any processing actions if the use of new technologies and the nature, scope, context and purposes of the processing are likely to result in a high risk to the rights and freedoms of data subjects.
On a separate note, the Draft Law provides for certain rules that are not specifically addressed in the GDPR, but which are reflected in some guidance issued by the EU authorities (e.g., EDPB), for instance, regarding:
When to expect
Currently, the Draft Law is in its initial stage of review by the parliamentary committees. The Draft Law is expected to become effective from 1 January 2023, while the Government would have three months afterward to adopt the necessary regulatory acts for the Draft Law to apply efficiently.
Please feel free to reach out to Sayenko Kharenko’s data protection team for any legal support your company may need to prepare for the new data protection standard in Ukraine. We also had the honour to provide our input to the respective working group of the Verkhovna Rada and to support its efforts to finalise and establish the Draft Law.