Processing of personal data in Ukraine after introducing martial law

On 24 February 2022, Ukraine introduced martial law throughout the whole country due to Russian aggression against Ukraine. Among other things, martial law affected some fundamental rights, such as the right to privacy. This, in turn, impacts the processing of personal data. Below are some issues to be considered within this period.

Legal basis for processing personal data within Ukraine

When it comes to the territory of Ukraine, there are two groups of individuals engaged or employed in Ukraine – those who have relocated or are dynamically relocating to other regions of Ukraine and those who stayed where they permanently reside. Regardless of their choice, compliant companies need a legitimate legal basis to process information about the location and travel routes of their employees/independent contractors, their health, availability of vehicles and spare residence, etc.

An employer/customer can primarily rely on the data subject’s consent to process such data. If no data subject consent is in place, the employer/customer may consider obtaining it via email or by ticking a box in an e-consent form (the telecom sector functions as usual, so it should be a viable option). Moreover, most employees/independent contractors voluntarily provide such additional information to ensure their safety and receive any possible assistance from their employers/customers. Since the anticipated processing would likely relate to sensitive personal data, the double opt-in mechanism is advisable to ensure that explicit consent is obtained.

Suppose no data subject consent is in place, nor is there an opportunity to obtain it in electronic form. In that case, the employer/customer may consider processing personal data on other legal bases stipulated by the Personal Data Protection Law. In particular, it allows processing in those cases where it is required for protecting:

  • the vital interests of data subjects. There is no definition or official guidance on what vital interests of data subjects should mean. In practice, it usually means the constitutional rights and freedoms of individuals. The need to protect the vital interests of data subjects is a legitimate basis for domestic processing of personal data, cross-border data transfer, and processing of sensitive personal data. Importantly, the employer/customer can rely on the need to protect the vital interests of data subjects as long as it is impossible to obtain the data subject’s consent. Once obtaining the consent is possible, the customer/employer must obtain it.
  • the legitimate interests of a data controller or a third party to which personal data is transferred. The Personal Data Protection Law also stipulates that the need to protect the mentioned legitimate interests should outweigh the need to protect personal data. The latter should be discussed and decided upon on a case-by-case basis. Notably, legitimate interest is not a valid legal basis for processing sensitive personal data and cross-border transfer of personal data to a third country that does not ensure adequate personal data protection (e.g., the USA).

In any case, before relying on either of the above legal bases, it is advisable for the employer/customer to prepare a document substantiating the anticipated processing.

Notifications

In addition to defining the proper legal basis for personal data processing, the employer/customer shall also notify data subjects about personal data processing. The notification must contain the following information: (i) information about the data controller (e.g., name, registered address); (ii) scope (categories) of personal data collected; (iii) rights of the data subject under the Personal Data Protection Law; (iv) purpose of personal data collection; and (v) third parties to whom personal data may be transferred. The notification shall be made on the day of collection (if collected from a data subject) or within thirty (30) business days after collection (in all other cases).

The processing of some personal data may require notification of the Ukrainian Data Protection Authority. Sensitive personal data whose processing is subject to notification includes: (i) health; (ii) biometric data; (iii) genetic data; (iv) committed crimes or offences; (v) any pre-trial procedures applied to the person; (vi) any investigative procedures against the person; (vii) violence against the person; and (viii) location and travel routes. In this regard, the processing of sensitive data is excluded from the notification obligation if the processing is necessary to exercise rights or carry out obligations in the field of employment as stipulated by law. No such exemption applies to processing within the relations between the customer and independent contractor and/or where there is the need to protect the data subject’s vital interests or legitimate interest that goes beyond the employer’s rights and obligations within employment relations.

Legal basis for processing personal data outside Ukraine

In the case of individuals who are engaged or employed in Ukraine but are located outside of Ukraine, the personal data and privacy laws of the country of their location should be taken into account, e.g., the GDPR. It should be assessed and decided on a case-by-case basis whether the data subject’s consent obtained in Ukraine and/or other Ukrainian privacy documents suffice to comply with the personal data and privacy laws of the country where the employee/independent contractor temporarily resides.

Use of software and mobile applications

It is crucial under the current circumstances to carefully assess privacy policies and supporting privacy documents of software and mobile applications used at the personal and corporate levels. In particular, this applies to the so-called SOS software and apps (i.e., as used by employers/customers for collecting and processing data about the location and place of residence of their employees/independent contractors) and messengers.

The latter have become of particular interest given the possible shutdown of mobile and Wi-Fi connections in active combat areas.

On a separate note, it is crucial to assess all the third countries where personal data from such software or apps may be transferred. This is to avoid any leakage of data to the Russian authorities.

Data processing agreements and force-majeure

The Ukrainian Chamber of Commerce and Industry issued a general statement confirming that the military aggression of the Russian Federation against Ukraine has led to the imposition of martial law from 05:30 am (Kyiv time), 24 February 2022 and thus shall be considered a force-majeure.

Initially, the Ukrainian Parliament approved the martial law for 30 days. On 15 March 2022, the Ukrainian Parliament approved the extension of the martial law period until 25 April 2022.

The data processing agreements with Ukrainian companies include force-majeure clauses and specific conditions for processing in this respect. The parties may apply them starting from 24 February 2022 for 30 days without the necessity to obtain an individual decision from the Ukrainian Chamber of Commerce and Industry. Due to the recent extension of the martial law, it is expected that the Ukrainian Chamber of Commerce and Industry will update its position/issue a new statement to extend the period of force-majeure circumstances in Ukraine until 25 April 2022.

Re-assessment regarding the transfer of personal data to Ukraine

Given the court decision in the Schrems II case, European companies started performing transfer impact assessments for transfers of personal data of EU residents to third countries. This includes, among other things, the assessment of legal regimes of such third countries and the possibility of access by law enforcement authorities to personal data.

Under the current circumstances, when Ukrainian martial law allows for the restriction of a constitutional right to protect private life, which includes the right to privacy, EU companies may need to re-assess their transfers of personal data to Ukraine. The Norwegian data protection authority has already provided Norwegian companies with such a recommendation.[1]

We suggest EU companies contact their partners in Ukraine regarding any changes in processing activities and, where needed, assess the safety of transfers of personal data to and its further processing in Ukraine. Based on such assessments, EU companies may need to introduce additional safeguards or temporarily terminate transfers of personal data to Ukraine.

Information contained in this overview is for general information purposes only, does not constitute legal or other professional advice, and should not be relied upon as a substitute for specific professional advice tailored to particular circumstances.

[1] The statement is in Norwegian. It can quickly be translated into English using your browser’s ‘Translate this page’ tool.
