Key contacts
14 June 2021

Draft data protection law submitted to the Ukrainian Parliament

On 7 June 2021, the draft Law of Ukraine No. 5628 “On Personal Data Protection” (the “Draft Law”) was submitted to the Ukrainian Parliament. The aim of the Draft Law is:

  • to fulfil Ukraine’s commitments under the EU-Ukraine Association Agreement regarding the alignment of Ukrainian laws to the EU standards (including GDPR) and
  • to increase the trust of investors and engage investments in the Ukrainian economy, especially in the IT and telecommunications sectors

Who it will affect

Similar to the current data protection law, the Draft Law will apply to all the processing activities occurring in Ukraine.

Each entity, whether a private commercial company or a public authority, processes at least the data of its employees and business partners. Even this is enough for the Draft Law to apply to such entities.

Unlike the GDPR, the Draft Law should not have an extraterritorial effect.

Since the EU regulations on confidentiality and cybersecurity exist in parallel and supplement each other, it should also be expected that the Draft Law will impact to a certain extent the upcoming regulations in the Ukrainian cybersecurity sector.

Key changes expected

The majority of the Draft Law provisions are based on the GDPR, as well as separate pieces of the EU case law and best practices. The following key issues should be considered by all processing parties in Ukraine.

Liability and penalties

Significant increase in the level of penalties for a violation of the Draft Law has the aim to encourage processing parties to treat personal data and its protection much more seriously.

Suggested financial penalties for committing a violation of the Draft Law vary depending on the type of a violation:

  • for individuals – from UAH 10,000 (app. EUR 300) to UAH 300,000 (app. EUR 9,000) and
  • for legal entities – from UAH 30,000 (app. EUR 900) or 0.05 per cent of the total annual turnover to 5 per cent of the total annual turnover (but not less than UAH 300,000 (app. EUR 9,000))

Repeated violations within a year may lead to a fine in the amount of 200% of the penalty imposed within such year for the prior similar violation.

If a data processing party conducts several different violations of the Draft Law within one processing action, the total amount of the financial penalty should not exceed the amount of penalty for the most severe violation.

The maximum financial penalties for the violations may reach:

  • for individuals – up to UAH 20 mln (app. EUR 606,000) and
  • for legal entities – up to UAH 150 mln (app. EUR 4.5 mln) or 8 per cent of the total annual turnover of the previous year

Data protection authority

Although the Draft Law does not specify a new independent status of the re-launched Ukrainian data protection authority (DPA) and its obligations (which will probably be outlined in a separate legal act), it demonstrates the wide range of areas where the DPA is likely to be involved in, such as:

  • granting the adequate status to particular countries / international organisations
  • approval of binding corporate rules
  • development and approval of recommendations regarding a qualification exam for the position of a data protection officer (DPO) at a public authority
  • providing prior consultations to data controllers within the data protection impact assessment (DPIA)
  • receiving notifications regarding data breaches
  • receiving access to documents and premises of the processing parties
  • approval of a typical regulation on video surveillance
  • conducting control over processing data about criminal convictions
  • reviewing complaints
  • approval of regulatory acts of public authorities related to data processing activities
  • approval of the typical agreement with data processors
  • performing periodic inspections and
  • imposing penalties for violations of the Draft Law

Cross-border data transfers

The Draft Law foresees several legal bases for data transfers abroad. The list of such legal bases would now be more aligned to the EU standards:

  • Safe transfers:
    1. the importing country / international organisation ensures an adequate level of data protection:
      • those subject to the GDPR and/or Convention 108+
      • other countries/organisations that are considered by the Ukrainian DPA to provide an adequate level of data protection (analogue of the adequacy decision provided by the EU Commission)
    2. controller/processor ensures an adequate level of data protection (with or without the DPA approval)
    3. there are Binding Corporate Rules developed under the requirements of the Draft Law in place when the transfer is performed within one group of companies
  • Unsafe transfers can be performed under certain circumstances (known as derogations under the GDPR) that are copied from the GDPR, including a transfer for the exercise of the right of freedom of expression.

New obligation of data breach notification

Similar to the GDPR, the Draft Law establishes the obligation for the data controllers to notify the Ukrainian DPA about the data breach when it is likely to lead to risks for rights and freedoms of data subjects.

The notification would also need to be submitted to the data subjects in case of high risk to their rights resulting from the data breach.

Data protection impact assessment

Another new obligation for data controllers would be the obligation to conduct the DPIA before launching any processing actions if the use of new technologies and the nature, scope, context and purposes of the processing are likely to result in a high risk to the rights and freedoms of data subjects.

On a separate note, the Draft Law provides for certain rules that are not specifically addressed in the GDPR, but which are reflected in some guidance issued by the EU authorities (e.g., EDPB), for instance, regarding:

  • processing personal data on the Internet, during video surveillance or video recording of public events
  • direct marketing issues
  • processing of data by employers
  • specifics of processing personal data by law enforcement authorities and
  • specifics of processing personal data in the field of electronic communications

When to expect

Currently, the Draft Law is in its initial stage of review by the parliamentary committees. The Draft Law is expected to become effective from 1 January 2023, while the Government would have three months afterward to adopt the necessary regulatory acts for the Draft Law to apply efficiently.

Please feel free to reach out to Sayenko Kharenko’s data protection team for any legal support your company may need to prepare for the new data protection standard in Ukraine. We also had the honour to provide our input to the respecting working group of the Verkhovna Rada and to support its efforts to finalise and establish the Draft Law.


More News
Show More