In June 2021 a Draft Law “On Personal Data Protection” (“Draft Law”) was registered in the Ukrainian Parliament, following Ukraine’s obligations under the EU Association Agreement. The main goal of the proposed Draft Law is to replace the current personal data (“PD”) protection system and to bring the national regulation closer to GDPR standards. The Draft Law is expected to be considered in Parliament by the end of the current year and to become effective in 2023. The data protection reform also envisages a new data protection authority in Ukraine - the National Commission on Personal Data Protection and Access to Public Information. The respective draft law was registered with the Parliament on 18 October 2021.
The Draft Law imposes new strict obligations on PD controllers and processors. The businesses will likely be required to review their current data protection systems in order to be compliant with the new rules: from new PD processing consent forms and policies to new obligatory actions and notifications to be executed.
The Draft Law introduces the following amendments to the existing regulation.
1. New higher fines
The Draft Law establishes a detailed system of fines for different types of PD protection violations. Fines of up to ca. EUR 625 thousand can be imposed on individuals and up to ca. EUR 4.6 million (or 8% of aggregate annual turnover) on legal entities. These fines are doubled for a subsequent violation committed within a year of the first PD protection violation.
2. Broader scope of a PD subject’s rights
The Draft Law adds clarifying details to the existing regulation of PD subject rights and introduces certain new rights, such as the right to be forgotten, the right to data portability, etc.
3. Additional obligations for PD controllers and processors
The Draft Law details existing procedures for PD processing (e.g., technical measures for PD protection) and introduces new obligations, for example, notification of a PD breach to the controlling authority and to the PD subject.
4. Regulation of data controller-processor relations and others
The Draft Law introduces new regulations for “joint controllers”, provides detailed requirements for agreements between controllers and processors, and also presents additional rules for sub-processors.
5. PD processing by employers
The Draft Law provides separate rules and procedures in addition to those covering general PD processing by employers. The rules cover various particularities of such processing, starting from the source of PD collection to terms for health data collection, etc. The rules also apply to the PD of job applicants.
6. PD processing by telecom companies
The Draft Law also provides for additional PD requirements to be imposed on telecom services providers, though, unsurprisingly, the “telecom authority” (National Commission for the State Relations of Communications and Informatization) is lobbying to modify the suggested amendments, and thus the final version may be different. As of now, the Draft Law:
- sets out general requirements for the technical and organizational measures telecom providers must use to protect PD,
- establishes the requirement to notify users about risks to the security of telecom communication systems or services, and about related reimbursement,
- establishes the requirement to provide certain data at the request of the controlling authority,
- introduces a procedure of requests users can make concerning unsolicited calls,
- requires additional notification to the “telecom authority” in the event of PD leakage.
7. Special rules for certain types of PD processing
The Draft Law will also cover specific aspects of PD processing related to:
- video surveillance, as well as surveillance by means of taking screenshots of video recordings;
- PD processing related to (photo-, video-, audio-) recording of public events;
- PD processing for the purposes of direct marketing, election campaigns, political advertising;
- PD processing for the purposes of journalistic or creative activities.
8. Large-scale PD processing
The Draft Law introduces the notion of “large-scale PD processing”, defined as the processing of a significant amount of PD at a regional, national, or international level that might have a significant impact on a large number of PD subjects and might lead to their rights being significantly compromised. Companies conducting such large-scale PD processing are subject to additional requirements, such as appointing a person responsible for PD protection and adopting a Code of Conduct for PD Protection Matters.
9. Additional requirements for non-residents
A non-resident or a person operating outside of Ukraine will have to appoint a representative responsible for PD processing matters in Ukraine if such a non-resident systematically:
- processes PD in connection with offering (marketing) of goods, works or services (even if free of charge) to PD subjects located in Ukraine;
- processes PD in connection with the monitoring of PD subjects’ behaviour in Ukraine;
- processes PD of Ukrainian citizens.
The scope of actions the representative will be authorized to perform is quite broad, extending to representation of the data controller/processor in court.
10. Transborder transfer of PD
In general, the Draft Law remains consistent with the current approach to transborder transfers, while also introducing certain new procedures, e.g., rules for transborder PD transfers within a group of related companies (requiring adoption of respective corporate rules and their further approval by the controlling authority).
In addition, the Draft Law covers many other matters that are not currently regulated: PD tracking, minors’ PD processing, PD processing after an individual’s death, more detailed regulation of sensitive data processing, and others.
For more information on the Personal Data Protection regulation and amendments to it, please contact your regular CMS advisor or local CMS expert: Maria Orlyk, Olga Belyakova, Diana Valyeyeva, and Mykola Heletiy.