Personal data protection in Ukraine

The right to privacy is one of the guaranteed constitutional human rights (Article 32 of the Constitution of Ukraine). Personal data protection, in turn, is its integral part. In Ukraine, legal relations related to the processing of personal data are governed by the Law of Ukraine “On the Protection of Personal Data”.

The protection of personal data in Ukraine is a very complex issue. High-profile scandals and criminal cases involving leaks of personal data implore us to pay attention to the legal and technical side of the processing of information about individuals

The law of Ukraine does not contain an exhaustive list of data that are classified as personal, which is natural. Currently, personal data can be recognized according to three criteria:

  • information or a sum of information (surname, name, patronymic, passport data, date and place of birth, marital status, bank data, property data);
  • of an individual (citizen, foreigner, stateless person, but not about a company or institution);
  • data that identify or can be specifically identify (that is, having such data makes it is possible to establish identity of a particular person).

Processing is any action or set of actions, such as collection, registration, accumulation, storage, adaptation, change, renewal, use and distribution, sale, transfer, depersonalization, destruction of personal data, including using (automated) information systems.

There is a category of particularly sensitive data, the processing of which is prohibited. In particular, this is the data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, the imposition of criminal penalties, as well as data related to health, sexuality, biometric or genetic data.

Of course, there are exceptions to any rule. For example, if the processing is carried out in the presence of an unambiguous consent of an individual for such processing, or this data was clearly published by the subject of personal data, the above prohibition does not apply.

The subjects of legal relations related to personal data are:

  • subject of personal data – an individual whose data is processed;
  • owner of personal data;
  • manager of personal data;
  • third party;
  • Ukrainian Parliament Commissioner for Human Rights.

The owner of personal data is a natural or legal person who determines the purpose of processing personal data, establishes the composition of this data and procedures for their processing. The owner can process personal data both independently and entrust it to the manager based on a written agreement.

A personal data controller is a natural or legal person who is authorized by the owner of personal data or by law to process this data on behalf of the owner.

The first thing a company must do before processing personal data is to develop internal documentation

At this stage, without the help of qualified lawyers, it is easy to make mistakes, which in the future can cost a lot of money, nerves, and even brand reputation. We recommend avoiding unjustified risks and immediately contacting VigoLex specialists for help.


Get a consultation