The law of Ukraine does not contain an exhaustive list of data that are classified as personal, which is natural. Currently, personal data can be recognized according to three criteria:
- information or a sum of information (surname, name, patronymic, passport data, date and place of birth, marital status, bank data, property data);
- of an individual (citizen, foreigner, stateless person, but not about a company or institution);
- data that identify or can be specifically identify (that is, having such data makes it is possible to establish identity of a particular person).
Processing is any action or set of actions, such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution, sale, transfer, depersonalization, destruction of personal data, including using (automated) information systems.
There is a category of particularly sensitive data, the processing of which is prohibited. In particular, this is the data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, the imposition of criminal penalties, as well as data related to health, sexuality, biometric or genetic data.
Of course, there are exceptions to any rule. For example, if the processing is carried out in the presence of an unambiguous consent of an individual for such processing, or this data was clearly published by the subject of personal data, the above prohibition does not apply.
The subjects of legal relations related to personal data are:
- subject of personal data – an individual whose data is processed;
- owner of personal data;
- manager of personal data;
- third party;
- Ukrainian Parliament Commissioner for Human Rights.
The owner of personal data is a natural or legal person who determines the purpose of processing personal data, establishes the composition of this data and procedures for their processing. The owner can process personal data both independently and entrust it to the manager based on a written agreement.
A personal data controller is a natural or legal person who is authorized by the owner of personal data or by law to process this data on behalf of the owner.