Law of Ukraine

“On Amendment of Certain Legislative Acts of Ukraine Regarding Improvement of the Personal Data Protection System”

Date of entry into force:
January 1, 2014

The Law amends Articles 188-19, 188-39 and 188-40 of the Code on Administrative Offences of Ukraine, which clarify the elements of the following administrative offences:
  • failure to observe lawful demands of the Accounting Chamber or a people’s deputy of Ukraine;
  • violation of the legislation in the sphere of personal data protection;
  • failure to observe lawful demands of the Authorized Human Rights Representative of the Verkhovna Rada of Ukraine.

The Law of Ukraine “On Personal Data Protection” regulates the legal relations associated with the protection and processing of personal data, and aims to protect the fundamental human and civil rights, in particular, the right of privacy, in connection with the processing of personal data.

The Law excludes parts 3 and 4 from Article 1 of the Law of Ukraine “On Personal Data Protection”, according to which the Law of Ukraine “On Personal Data Protection” does not apply to:
  • processing of personal data carried out by a natural person exclusively for personal or household needs;
  • processing of personal data carried out by a creative or literary worker, including journalists, for professional reasons, in order to ensure a balance between the right to privacy and the right to self-expression.

Amendments to Article 2 of the Law of Ukraine “On Personal Data Protection” clarify the definitions of terms “owner of personal data”, “subject of personal data” and “third party”.

The Law amends Article 4 of the Law of Ukraine “On Personal Data Protection”, which includes the Authorized Human Rights Representative of the Verkhovna Rada of Ukraine (formerly – the authorized state body in the issues of personal data protection) in the list of parties of relations connected with personal data.

Amendments to Article 6 of the Law of Ukraine “On Personal Data Protection” establishes the following:
  • in case the designated purpose of personal data processing is changed, and the new purpose is incompatible with the previous one, the owner of personal data must procure the consent of the subject of personal data to further processing of the latter’s personal data as per the changed purpose, unless otherwise provided for by the law;
  • personal data is processed in a form that allows identification of the natural person it concerns only insofar it is required for the lawful purposes with which it was gathered or processed, and no longer than that. Further processing of personal data for historical, statistical or research purposes can be carried out provided they are insured appropriate protection;
  • the standard procedure for personal data processing is determined by the authorized body in the issues of personal data protection.

According to the new version of part 1, Article 7 of the Law of Ukraine “On Personal Data Protection”, it is forbidden to process personal data about a person’s race, ethnicity, political opinions, religious beliefs and world outlooks, membership in political parties and professional unions, criminal convictions, as well as data concerning a person’s health, sex life, biometric or genetic data. However, this provision does not apply, in particular, when personal data procession is related to court judgments, operational investigation, counter-intelligence or counter-terrorism, and is carried out by a state body within the scope of its authority determined by the law (new version of paragraph 7, part 2, Article 7 of the Law of Ukraine “On Personal Data Protection”).

Amendments to Article 8 of the Law of Ukraine “On Personal Data Protection” clarify the rights of a subject of personal data.

The new version of Article 9 of the Law of Ukraine “On Personal Data Protection” envisages that the owner of personal data shall notify the Authorized Human Rights Representative of the Verkhovna Rada of Ukraine (hereinafter referred to as “Authorized Representative”) about processing of personal data that poses particular risk to the rights and freedoms of the subjects of such personal data, within 30 days of the start such processing. Types of processing of personal data that poses particular risk to the rights and freedoms of the subjects of such personal data, and the categories of entities that the notification requirement applies to are determined by the Authorized Representative. The notification of the personal data procession is submitted according to the form and procedure determined by the Authorized Representative. The owner of personal data shall inform the Authorized Representative of any changes in the information that must be notified, within 10 working days of such change. Information provided under this Article must be published on the official website of the Authorized Representative, in the form determined by the Authorized Representative.

The Law amends Article 11 of the Law of Ukraine “On Personal Data Protection”, including the following into the list of reasons to process personal data:
  • fulfilling an obligation provided for by the law by the owner of personal data;
  • protecting the lawful interests of the owner of personal data or a third party receiving personal data, except for cases when the need to protect the fundamental rights and freedoms of the subject of personal data in connection with processing of their data surpass the above interests.

According to the new version of part 2, Article 12 of the Law of Ukraine “On Personal Data Protection”, the subject of personal data is informed about the owner of personal data, the composition and content of collected personal data, their rights determined by the Law of Ukraine “On Personal Data of Protection”, the purpose of personal data collection, and the entities to whom their personal data is transferred:
  • at the time of personal data collection, if personal data is collected from the subject of personal data;
  • in other cases, within 30 days of personal data collection.

Amendments to Article 15 of the Law of Ukraine “On Personal Data Protection” clarifies the procedure for deletion or destruction of personal data.

According to amended part 1, Article 18 of the Law of Ukraine “On Personal Data Protection”, the decision to delay or deny access to personal data can be contested up to the Authorized Representative (formerly – up to the court).

Owners or administrators of personal data must also make changes to personal data at the request of other parties to relations connected with personal data, with the consent of the subject of personal data, or if the changes are made according to the instruction of the Authorized Representative or by an effective court ruling (new version of part 2, Article 20 of the Law of Ukraine “On Personal Data Protection”).

According to amended Article 22 of the Law of Ukraine “On Personal Data Protection”, adherence to legislation on personal data protection is controlled by the following bodies, within the authority provided for by the law:
  • the Authorized Representative;
  • courts.

The Law presents a new version of Articles 23-25 of the Law of Ukraine “On Personal Data Protection”, which provide for the following, respectively:
  • authority of the Authorized Representative in the sphere of personal data protection;
  • ensuring protection of personal data;
  • limitation of the scope of the Law of Ukraine “On Personal Data Protection”.

The Law also amends the Law of Ukraine “On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Regarding Supervisory Authorities and Transborder Data Flows”, according to which, the body authorized according to paragraph 2, Article 13 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is the Authorized Representative (formerly – the Ministry of Justice of Ukraine). According to Article 12 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the Parties agree to render each other mutual assistance in order to implement this Convention. For that purpose:
  • each Party shall designate one or more authorities, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;
  • each Party which has designated more than one authority shall specify in its communication referred to in the previous sub-paragraph the competence of each authority.
Warning! The information is outdated due to the fact that this section is temporarily not updated!


on top