Featured Galleries USUBC COLLECTION OF OVER 160 UKRAINE HISTORIC NEWS PHOTOGRAPHS 1918-1997 Holodomor Posters
NEW PERSONAL DATA PROTECTION REGIME TO TAKE EFFECT IN UKRAINE
Legal Alert: RULG-Ukrainian Legal Group, P.A.
Kyiv, Ukraine & Wash, D.C., Tue, Nov 23, 2010
WASHINGTON, D.C.-KYIV -- Effective 1 January 2011, new Law On Personal Data Protection ("the Law") takes effect confluent with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg) dated 28 January 1981 and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (Strasbourg) dated 8 November 2001, both of which have been ratified in Ukraine.
The Law stipulates the data protection rights of Ukrainian individuals, including employees. The Law so broadly defines personal data as “data” (or the totality of data) that its reach is enormous. The following is a brief summary of its main provisions.
Scope of Applicability
The Law is applicable to all owners and processors of personal data databases (except for physical persons, who create a database for personal use, journalists, who carry out their professional duties and creative figures implementing creative activity).
The Law sets requirements for gathering, processing, storing, etc. of personal data, provides for establishment of the State Register of Personal Databases, administered by the “authorized state body on data protection”, and stipulates that personal databases are subject to mandatory state registration according to the prescribed procedure. It is important to note that such “authorized state body on data protection” has not been identified yet.
Important Cautionary Notes
• Expect strong compliance challenges on January 1, 2011, since the Law will be fully functional only after all relevant regulations are adopted and take effect, and no such regulations have yet been created, especially in the important area of registration of personal databases, creating the scope for inescapable technical breach of the Law;
• Owing to the complexity and ambiguity of some provisions, recourse to formal legal advice should be obtained well in advance of any plan for compliance measures within an organization.
General Rule – Personal data, except for de-identified personal data, is restricted information.
Exceptions – Personal data regarding an individual who is a candidate for or holds an elective office (in representation bodies) or regarding a state official of the first category, does not belong to the restricted-access category, except for the information that is expressly restricted according to the Law.
Consent to Personal Data Processing – Processing of personal information without the consent of the owner of such information is generally prohibited. Exceptions include cases provided by law and only if such personal data processing is done in the interests of national security, economic security and human rights. If personal data processing is necessary for the protection of the person's vital interests, his/her personal data can be processed without
his/her consent only during the time until the consent can be obtained.
Formal Requirements for Consent – The consent must be duly documented, i.e. it must be made in writing and should state the purpose for which the person allows the processing of his/her personal data. If the purpose of personal data processing changes, a fresh consent must be obtained from the individual to use his/her personal data in accordance with the new purpose.
Notice Provisions - the Law requires notifications inter alia in the following cases:
• Initial Inclusion in Personal Database
• Transfers of Data to Third Parties
• Changes to Data
Rights of Subject of Personal Data - The Law grants a person whose personal data is lawfully maintained in a database significant information and access rights.
Registration of Personal Databases – The Law requires that each personal database be registered in the State Register of Personal Databases by the authorized state body in the sphere of personal data protection. The regulations regarding the Register and the procedure for maintaining it must be adopted by the Cabinet of Ministers of Ukraine and the authorized body has yet to be identified.
Cross-Border Transfer of Personal Data – Under the Law, personal data can be transferred to the foreigners related to such personal data only if the personal data is duly protected, provided there is the respective consent and in the cases established by the Law or by an international treaty of Ukraine, in accordance with the procedure stipulated by the Law.
Purpose of Distribution – Personal data cannot be distributed for a purpose other than the one it was collected for.
DISCLAIMER: The content of this Legal Alert is of general nature and is intended to be a descriptive introduction to relevant laws. The particular application of the law to a fact situation can differ substantially from the general rules of law illustrated in this Legal Alert. It cannot be viewed, interpreted or used as legal advice, and the authors
CONTACT: RULG-Ukrainian Legal Group, P.A., Washington, D.C. and Kyiv, Ukraine. Link: www.rulg.com.
NOTE: RULG-Ukrainian Legal Group, P.A. is a member of the U.S.-Ukraine Business Council (USUBC), Wash, D.C., www.usubc.org.