Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 23 December 2024

☒ omnibus — all personal data

☒ constitutional

What are the key data privacy laws and regulations?

Last review date: 23 December 2024

The main Ukrainian data protection law is the Law of Ukraine “On Personal Data Protection” ("PDP") adopted in 2010. It establishes general requirements and obligations relating to the collection, processing and use of Personal Data by private bodies and by the government of Ukraine.

Although the Parliament of Ukraine recently adopted draft law No. 8153 “On Personal Data Protection” as a basis, and the PDP may therefore be replaced in the near future, the PDP remains in force for now.

Apart from the PDP, the main sources of Personal Data protection in Ukraine are:

  • The Constitution of Ukraine
  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and Additional Protocol to it, ratified by Ukraine in 2010
  • The Civil Code of Ukraine
  • A number of regulations approved by the Ukrainian Parliament Commissioner for Human Rights, in particular:
    • Model Rules on Personal Data Processing
    • Rules on Exercising Control by the Ukrainian Parliament Commissioner for Human Rights over Compliance with the Laws on Personal Data Protection, and
    • Rules for Notification of the Ukrainian Parliament Commissioner for Human Rights on the Processing of Personal Data that Constitutes a Special Risk for the Rights and Freedoms of Data Subjects, On the Structural Department or Designated Individual Responsible for Work-Related Processing of Personal Data and the Publication of Such Information
  • Respective provisions of the Code of Ukraine on Administrative Offenses and the Criminal Code establishing respective liability for Personal Data offences
  • The Law of Ukraine "On Information"
  • The Law of Ukraine "On Electronic Commerce"
  • The Law of Ukraine "On Electronic Communications," and
  • The Law of Ukraine "On Protection of Information in the Information and Telecommunication Systems"

What are the key cybersecurity laws and regulations?

Last review date: 23 December 2024

The main source is the Law of Ukraine “On the Basic Principles of Cybersecurity in Ukraine”, which regulates the legal and organizational framework for ensuring cybersecurity. It defines basic terms (cybersecurity, cyber threat, cyber incident, etc.), establishes the basic principles of state cybersecurity policy, defines cybersecurity actors, regulates coordination between them for an efficient response to cyber threats, and provides the basis for international cooperation in the field of cybersecurity.

In addition, the following laws and regulations apply in the field of cybersecurity:

  • The Budapest Convention on Cybercrime
  • Resolution of the Ukrainian National Security and Defense Council on the Cybersecurity Strategy of Ukraine, approved by Presidential Decree
  • Resolution of the Ukrainian National Security and Defense Council "On the National Security Strategy of Ukraine," approved by Presidential Decree, and
  • The Decree of the Cabinet of Ministers of Ukraine "On Approval of the Concept of Establishment of a State System for Critical Infrastructure Protection"

What are the key laws and regulations relating to non-personal data?

Last review date: 23 December 2024

The term "non-personal data" does not appear directly in Ukrainian legislation. However, the following laws and regulations cover data that may fall under that term:

  • The Constitution of Ukraine
  • The Civil Code of Ukraine
  • The Law of Ukraine “On Personal Data Protection”
  • The Law of Ukraine "On Information"
  • The Law of Ukraine "On Electronic Commerce"
  • The Law of Ukraine "On Electronic Communications," and
  • The Law of Ukraine "On Protection of Information in the Information and Telecommunication Systems"

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 23 December 2024

Yes.

Given the significant changes in international and, in particular, European standards of personal data protection, the Ukrainian parliament has developed two draft laws aimed at implementing in Ukraine the General Data Protection Regulation (EU) 2016/679 (GDPR) and the modernized Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+).

On 11 October 2021, the draft law "On the National Commission for Personal Data Protection and Access to Public Information" № 6177 (Draft Law on the DPA). On 20 November 2024, the Parliament of Ukraine adopted draft law No. 8153 “On Personal Data Protection” (“Draft Law on PPD”) as a basis, which means that it may be adopted as a whole in the near future.

The Draft Law on PPD proposes, in particular, the following legislative novelties:

  • unified and extended terminology (new terms defined: biometric data, data breach, genetic data, health data, overall annual turnover, pseudo-anonymization, profiling, data processing at massive scales, etc.)
  • new principles on data processing (lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, accountability, etc.)
  • updated grounds of processing and a new ground of processing, "legitimate interest"
  • an updated concept of consent, clarifying how consent may be obtained, when consent cannot be considered granted, and restricting the use of consent as a ground for processing when other grounds apply
  • updated concept of sensitive data with an extended list of grounds for processing such data

In addition, the Draft Law on PPD:

  • determines cases when representatives of controllers and processors not established in Ukraine shall be designated in Ukraine
  • prescribes an obligation for each controller (or the controller’s representative) to maintain a record of the processing activities under its responsibility
  • obliges controllers to conduct regular data protection impact assessments (DPIA); where the processing would result in a high risk, the controller shall consult the data protection authority in advance
  • specifies cases when controller and processor shall appoint data protection officers (DPO) along with qualification requirements for such officers

The Draft Law on PPD also introduces a completely new range of administrative fines that may be imposed on natural and legal persons violating the data protection regulations. The amount of the fine depends on the severity of the violation. For the most severe violations, the fine may be up to 5% of the company’s annual turnover, but not less than UAH 300,000 (approximately USD 10,100) per violation.

Turning to the second legislative initiative, the Draft Law on the DPA proposes to establish an independent government agency that would be responsible for both policymaking (adopting mandatory regulations) and enforcement (prosecuting infringers) in the sphere of data privacy and access to public information.

The National Commission for Personal Data Protection and Access to Public Information would have quasi-investigative functions and would be able to investigate violations with the help of experts in technology and other spheres.

The main powers of the DPA would be the following:

  • obtain information necessary for its activities, including confidential information and information with restricted access, from any individual, company or organization
  • receive access to information and telecommunication systems, registers and data banks owned (administered) by state bodies or local authorities, including information with limited access, using state (including government) means of communication, special communication networks and other technical means
  • receive information from databases and registers of foreign countries, including paid information, if that is required for access to information
  • investigate possible violations of the Law of Ukraine “On Personal Data Protection” and the Law of Ukraine "On Access to Public Information" based on complaints or on its own initiative
  • collect from government and private companies, organizations, employees and individuals written explanations on circumstances that may indicate a violation of the corresponding laws
  • apply to the courts for enforcement of corresponding laws
  • issue fines to controllers and processors of personal data
  • have access to personal data processed by the controller and/or processor and necessary for the performance of its duties

The Draft Law on the DPA also establishes new (additional) fines. Non-compliance with decisions or requests of the DPA, and/or failure to provide the DPA with access for the purposes of investigating the activities of a company or individual, would result in:

  • a fine in the amount of UAH 20,000 to UAH 100,000 (approximately USD 678 to USD 3,390) for individuals, and for legal entities in the amount of 0.5% to 1% of the total annual turnover of such legal entity for the previous year, but not less than 3,000 tax-free minimum incomes (approximately USD 1,729)
  • a fine of 200% of the previous fine for each subsequent non-compliance

The Parliament is expected to adopt both drafts and the other regulatory norms necessary to launch the data privacy reform as part of integration into the EU Digital Single Market, implementation of EU legislation as required by the EU-Ukraine Association Agreement, and the wider government digital agenda. However, given the martial law in Ukraine, it is not yet clear when these drafts will return to the Parliament's agenda.