Draft Law of Ukraine on Data Protection

What is the primary law for data protection?

Currently, in Ukraine, the main legislative act that governs the processing of personal data is the Law of Ukraine on Personal Data Protection No 2297-VI of June 1, 2010 (“PDP Law”). The law regulates legal relations involving the protection and processing of personal data. It aims to protect the fundamental rights and freedoms of natural persons, particularly the right to privacy concerning the processing of personal data. Several amendments were made to the PDP Law in 2012 and 2014 to align with the laws of major economies. Furthermore, certain data protection issues are regulated by guidelines specifically developed to implement the Data Protection Law issued by the Ukrainian Parliament Commissioner for Human Rights (Ombudsman). However, the data protection law of Ukraine is not a comprehensive regulation such as its counterparts, including GDPR and LGPD. 

When will the Draft Law come into effect?

To become law, the Draft Law must undergo two hearings in Parliament. It is also likely that several provisions of the Draft Law may be subject to further changes and additions, thus lengthening the process. With all that said, it is not known when Ukrainian legislators will complete the whole law adoption process, and the new data protection law would enter into effect.

What are the critical updates in the Draft Law?

The new law aims to bring the data protection legislation of Ukraine in line with the GDPD standards. With this in mind, the draft law introduces several GDPR-like features, including:

What is the territorial application of the Draft Law?

Unlike GDPR, the draft law does not specify the territorial application of the law. That is why it is not expected that the law would apply outside of Ukraine, as in the case of most comprehensive data protection laws. However, it must be noted that, since the draft law would have to undergo parliamentary hearings before becoming law, it could well be possible that the Draft Law would introduce changes in this respect. 

What are the rules on international data transfers?

The provisions of the Draft Law on cross-border data transfers mirror the provisions of the GDPR relating to international data transfers. Personal data transfers are subject to new rules. Accordingly, the following countries and/or international organizations are considered to provide an adequate level of protection for personal data:

Furthermore, the draft law includes appropriate safeguards and Binding Corporate Rules (“BCRs”), as does the GDPR, as a means to transfer personal data to countries without an adequate level of protection. 

Are there rules relating to data breach notifications?

The Draft Law is set to introduce GDPR-like data breach notifications. That means the new law will introduce a requirement for data controllers to notify data breaches to the competent authority when it is likely to lead to high risks for the rights and freedoms of data subjects. Besides, the controller would have to notify the affected data subjects if the data breach will likely bring high risk. 

What is the data protection authority under the Draft Law?

The Ukrainian Parliament Commissioner for Human Rights (“Ombudsman”) has been acting as the data protection authority (“DPA”) in Ukraine since January 1, 2014, under the existing data protection regime. The Draft Law brings changes in this regard, and the definition of the data protection authority under the Draft Law refers to a standalone law that would regulate the DPA. 

On September 29, 2021, the Draft Law on the National Commission for Personal Data Protection and Access to Public Information was presented by a joint initiative composed of the Parliamentary Committees on Digitalization and Human Rights Protection together with the Ukrainian Parliament Commissioner for Human Rights and the Joint EU and European Council project. This draft law proposes to create an independent government agency that would be responsible for policymaking by adopting mandatory regulations and enforcement relating to data privacy and access to public information. 

The main powers of the Commission include:

The Commission would have inspective powers concerning data controllers and processors based on complaints on data privacy and the Commission’s initiative. 

What are the monetary penalties?

The Draft Law introduces a new range of different administrative fines imposed on natural and legal persons violating the data protection law. It must be noted that the Draft Law significantly increases the cost of penalties compared to the existing law. 

The fines differ depending on the type of violations and how severe the violations are. Suggested monetary penalties are specified as:

Suppose the violations are repeated within a year. In that case, the Draft Law may impose monetary fines that is 200 percent of the penalty imposed within such a year for a similar prior violation.

If an organization commits several different violations within one processing action, the total amount of the monetary penalty must not exceed the amount of penalty for the most severe violation. The maximum amount of monetary fines may reach:

Is there a requirement to appoint a DPO?

The requirement to appoint a data protection officer (“DPO”) already existed under the existing data protection law in the case of processing of special categories of personal data (high-risk data). The Draft Law expands this requirement in a GDPR-like fashion. Accordingly, organizations will have to appoint a DPO in the following situations:

GDPR and the Draft Law

The current law of Ukraine was not comprehensive and was not in line with the GDPR standards. However, legislative reform has been initiated, and a new law similar to the GDPR has been drafted and registered with the Verkhovna Rada - Parliament of Ukraine.

The new law is not expected to take the force of law any time soon, but the law will likely be in force by the end of 2023 if no further significant change is required. 

Schedule a call to learn more

Read about the Swiss Federal Data Protection Act.