LAW OF UKRAINE
ON PROTECTION OF PERSONAL
DATA
Article 1. Scope of Law
This Law shall regulate
relations related to the protection of personal data during their
processing.
This Law shall not apply to
activity of establishment of personal databases and possessing of
personal data in databases by:
-
Natural person exclusively
with non-professional and ordinary needs; -
Journalist
– withregardtoexecutionofhis/herprofessional
duties; -
Professional creative
employee – for purposes of creative activity. -
Article 2. Term
Definitions
In
this Law, following terms shall have the meaning hereunder assigned
to them:
–Personal
databaseshall mean a named aggregate of organized personal data in electronic
form and/or in form of personal data card file;
–Owner
of personal database(hereinafter referred to as “database owner”)
shall mean a natural or legal entity that has obtained a right to
processing of such data according to the law or to the consent of the
personal data subject, which approves the purpose of the processing
of personal data in the database, establishes the content of this
data and the procedures for its processing, in case other is
prescribed by legislation;
–State
Register of Databasesis a joint state informational system of accumulation, collection and
processing of information concerning the registered personal
databases:
–Consent
of personal data subjectshall mean any documentary, namely written, voluntary declaration of
will of a natural person with regard to granting permission to
processing of his/her personal data in accordance with formulated
perpose of its processing;
–Depersonalization
of personal datashall mean withdrawal of information that allows identifying a
person;
–Processing
of personal data(hereinafter referred to as “processing”) shall mean any action
ornumber of actions performed in
the information (automated)
system
and/or in personal data card files completely or partially, related
to
collection,
registration, accumulation, storage, adaptation, change, update, use
and spreading (distribution, realization, transfer),
depersonalization, destruction of information about a natural person;
–Personal
data shallmean information
or aggregate information about a
natural person who is identified or may be identified;
–Administrator
of personal database(hereinafter
referred to as “databaseadministrator”)
shall mean a natural person or legal entity which obtained the right
to process such data from the database owner or according to the law;
–Subject
of personal datashall mean natural person, whose personal data is preceded to
legislation;
–Third
personshall mean any person, except subject of personal data, owner or
administrator of database of personal data and Authorizes State Body
on Personal Data Protection, to whom owner of administrator of
database of personal data transfers this data according to
legislation.
Article 3. Legislation on
Protection of Personal Data
Legislation on protection of
personal data consists of the Constitution of Ukraine, this Law, the
laws of Ukraine “On Information”, “On Protection of
Information in Informational and Telecommunication Systems”,
other laws and normative and legal acts, international treaties of
Ukraine which were approved as binding by the Verkhovna Rada of
Ukraine.
Article 4. Subjects of
Relations Connected to Personal Data
1.
The subjects of relations connected
to personal data are the following:
– Personal data subject;
– Owner of personal
database;
–
Personal database administrator;
–
Third person
–
Authorized state body on matters of personal data protection;
– Other state power bodies
and local self-government institutions the authorities of which
include protection of personal data.
2.
State undertakings, public utilities and private companies, bodies of
state or local power, private entrepreneurs, who process personal
data in accordance with legislation, may be entitled to be owners of
administrators of databases of personal data.
3.
The administrator of the database which is owned by a state power
body or a local self-government body may be a legal entity which acts
in the sphere of administration of such body.
Article 5. Objects of
Protection
1.
The objects of protection are personal data that are being processed
in personal databases.
2.
Personal data, except depersonalized one, is the data with restricted
access
3.
The Law may prohibit assigning personal data to certain categories of
citizens or exhaustive list of such categories as information with
restricted access.
4.
The personal data of a natural person who claims for or holds an
elective post or position of a state official of the first category
shall not be assigned to information with restricted
access,
except of information assigned as such pursuant to the law.
Article 6. General
Requirements with Regard to Personal Data Processing
1.
The purpose of processing of personal data must be clearly formulated
in legal and other normative acts, regulations, constitutive or other
documents that regulate activity of the owner of the base of personal
data, and conform to legislation on personal data protection.
In case the purpose of
processing of personal data is changed the subject of this personal
data shall give new permission for processing of his personal data.
2. Personal data shall be
accurate, authentic, and updated where necessary.
3. The composition and
content of personal data shall be appropriate and non-excessive with
regard to the purpose of their processing.
The scope of the personal
data which may be included into the database shall be determined by
the consent of the subject of personal data.
4.
Primary sources of information about a natural person shall be the
documents issued in this person’s name; documents signed by the
person; information which a person provides about himself/herself.
5. Processing of personal
data shall be conducted for concrete and legal purposes, determined
by the consent of subject of personal data or, in certain cases
prescribed by Law.
6.
Processing of data about a natural person shall be prohibited without
such person’s consent, except for the cases stipulated by the law,
and only in the interests of national safety, economic welfare and
human rights.
7. Until the moment it is
possible to obtain the consent of the subject of personal data it may
be proceeded without consent of the its subject in case it is
necessary to protect his/her vital interests.
8. Personal data shall be
processed in the form that permits identification of a natural person
who they concern, within the term no more than it is necessary
according to their legal purpose.
9. Usage of personal data
with historical, statistical or scientific purposes may be held only
in depersonalized manner.
10. Ordinary order of the
processing of personal data in databases shall be adopted by the
authorized body in this sphere.
The order of processing of
personal data which belongs to bank secrecy shall be adopted by
National Bank of Ukraine.
Article 7. Particular
Requirements with Regard to Processing of Personal Data
1.The processing of personal
data shall be prohibited if such data is about racial or ethnic
origin, political views, religious or other convictions, membership
in political parties and trade unions, as well as data with regard to
health or sexual life.
2.
Provisions of part one of this Article shall not apply if processing
of personal data:
–
Is implemented in case the personal data subject gives a well-defined
consent to process such data;
–
Is
necessary for realization of authorities in the sphere of labor
relations
according to the law;
–
Is
necessary for protection of the interests of the personal
data subject or any other person in case of incapability
or limitation of civil capability
of the personal data subject;
–
Is
carried out by religious or civil organization of religious
orientation, a political party or trade union, created according to
national legislation in case such processing concerns only personal
data of members of these associations or persons who are in constant
touch with them with regard to the nature of their activity, and that
personal data is not transferred to the third party without consent
of personal data subjects;
–
Is
necessary for substantiation, satisfaction or protection of legal
claim;
–
Is
necessary for the purposes of health protection, provision of care or
medical treatment on condition that such data is processed by a
medical worker or another person of a health care institution which
has liabilities with regard to provision of protection of personal
data;
–
Concerns accusations in crimes, court sentences, implementation of
the authorities by a state body, as defined by the law with regard to
execution of tasks of operational and search or counterintelligence
activity, antiterrorism;
–
Concerns
the data that were disclosed by the personal data subject.
Article 8. Rights of
Personal Data Subject
1.
Personal non-property rights to personal data that each natural
person has shall be integral and inviolable.
2.
The personal data subject shall have the right to:
–
Know about the location of personal database which contains his/her
personal data, its purpose and name, location and/or place of
residence (staying) of the owner or administrator of such database,
or to issue a respective proxy to the authorized persons, except for
cases established by the law;
–
Receive the information concerning the conditions of access to
personal data, in particular information about third persons who
obtain his/her personal data from the appropriate database;
–
Access his/her personal data that are contained in a respective
personal database;
–
Receive a response with regard to whether his/her personal data is
stored in a respective personal database as well as to receive the
content of his/her personal data which are stored in such database,
no longer than in 30 days period from the moment the reques has been
received in case other is prescribed by Law;
–
Provide a motivated request with objection against processing of
his/her personal data by public authority, local authority while
performing its functions;
–
Provide a motivated request with regard to change or destruction of
his/her personal data by any owner and administrator of such
database, if such data is processed illegally or are inaccurate;
–
Protect of his/her personal data from illegal processing and
accidental loss, destruction, damage due to a deliberate concealing,
failure to provide them or provision of such data with delay, as well
as to protection from provision of information which is inaccurate or
are disgraceful for the honor, dignity and business reputation of a
natural person;
–
Address to the state power bodies and local self-government bodies
which are competent to perform protection of personal data, with
regard to protection of his/her rights to personal data;
–
Apply
measures of legal protectionin
case of violation of legislation on protection of personal data;
3.
Disposal of personal data of a natural person who has restricted
civil capacity or is adjudged incapable shall be performed by such
person’s legal representative.
Article 9. Registration
of personal databases
-
The
database of personal data shall be registered in obligatory order by
entering the appropriate information into the State Register of the
Bases of Personal data by Authorized
State Body on Personal Data Protection.
The
regulation on State Register of the Bases of Personal Data shall be
adopted by the Cabinet of Ministers of Ukraine.
-
Registration
of the bases of personal data shall be performed by the principle of
filing. -
Owner
of the base of personal data shall submit the application on
registration of its base of personal data to the Authorized State Body on Personal Data Protection.
Application shall contain:
-
Appeal
on enlisting of the base of personal data into the State Register
of the Bases of Personal Data; -
Information concerning the
owner of the base of personal data; -
Information concerning the
name and location of the base of personal data; -
Information concerning the
purpose of processing of personal data, formulated in accordance
with Articles 6 and 7 of this Law; -
Information concerning
other administrators of personal data; -
Confirmation of the
obligation on execution of the requirements on protection of
personal data, laid down by the legislation on protection of
personal data.
-
Authorized State Body on
Protection of Personal Data, in order established by the Cabinet of
Ministers of Ukraine, shall:-
Inform the applicant about
receiving of application no longer than in one day term: -
Make a decision concerning
the registration of the base of personal data within ten days
period.
-
Owner
of the database of personal data shall receive the appropriate
document confirming registration of the base of personal data at the
State Register.
-
Authorized State Body on
Protection of Personal data may refuse the registration of the base
of personal data in case the application does not meet the
requirements of the point 3 of this Article.
Article 10. Use of
Personal Data
1.
Use
of personal data means any actions of the database owner with regard
to processing of such data, their protection and provision of partial
or full right to process such personal data by other subjects of
relations related to personal data, which are performed according to
the consent of a personal data subject or according to the law.
2.
The use of personal data by the database owner shall be performed in
case he/she fulfils the conditions for protection of such data. The
database owner shall not disclose information about the personal data
subjects whose personal data is accessed by other subjects of
relations related to such data.
3.
The use of personal data by the employees of the subjects of
relations related to personal data shall be performed only according
to their professional or official and labor duties. These employees
shall undertake to prevent disclosure of personal data which was
entrusted with them or became known to them due to performance of
official or labor duties, by any possible way. Such liability shall
be valid after termination of their activity related to personal
data, except for cases established by the law.
4.
The information about a private life of a natural person shall not be
used as factor that may confirm or disprove his/her business skills.
Article 11. The Basis for
the Creation of the Right to Use Personal Data
1.
The
basis for the creation of the right to use personal data shall be the
following:
– Consent of the personal
data subject to processing of his/her personal data. The subject of
personal data shall be entitled to include a warning with regard to
limitation of processing of his/her personal data to the contract;
– Permission to processing
of personal data granted to the personal database owner according to
the law, but only for exercise of his/her authorities.
2.
Owner of the base of personal data may entitle the administrator to
process personal data by concluding appropriate agreement in writing.
3.
Administrator of the base of personal data may process it exclusively
in accordance with the purpose and extend laid down in agreement.
Article 12. Collection of
Personal Data
1.
Collection of personal data shall be an element of the process which
provides for actions to select or to arrange information about the
natural person and its placement in the personal database.
2.
Subject
of personal data shall, within ten days period from placement of
his/her personal data into the register of personal data, be notified
in writing about his/her rights under this Law, the persons who and
purpose of the collection of personal data.
3.
Notification
shall not be provided where personal data is collected from commonly
accessible sources or for temporary storage in the database for a
period no more than three months.
4.
The information collected about the natural person as well as the
information about its sources shall be provided to the personal data
subject upon his/her request, except for cases established by the
law.
Article
13. Accumulation and Storage of Personal Data
1.
Accumulation
of personal data shall provide actions with regard to unification and
systematization of information about a natural person or a group of
natural persons or placement of this data to the personal database.
2.
Storage of personal data shall provide actions with regard to
ensuring their integrity and proper mode of access to it.
Article 14. Spreading of
Personal Data
-
Spreading of personal data
shall provide actions with regard to transference of information
about a natural person from personal databases with the consent of
the personal data subject.
-
Spreading of personal data
without the consent of the personal data subject or a person
authorized by him/her shall be permitted in cases determined by the
law, and only in the interests of national safety, economic welfare
and human rights. -
Execution of requirements
of established protection mode of personal data shall be provided by
the party that spreads this data. -
The party, to which the
personal data is transferred shall previously take measures with
regard to execution of the requirements of this Law.
Article 15. Destruction
of Personal Data
-
Personal Data in personal
databases shall be destroyed according to the procedure established
by legislation.
2. Personal data in personal
databases shall be destroyed in following cases:
–
termination of period of data storage determined by the consent of
the personal data subject for processing of this data or determined
by law;
–
termination of legal relationships between the personal data subject
and the owner or administrator of the database, unless otherwise
stipulated by the law;
–
enforcement of a court decision with regard to withdrawal of data
about a natural person from a personal database.
-
Personal data collected
with violations of requirements of this Law shall be destroyed in
the personal databases according to the procedure established by the
legislation. -
Personal data collected
during execution of tasks of operational and search activity or
counterintelligence activity, anti-terrorism actions will be
destroyed in the personal databases according to the requirements of
the law.
Article16. Mode
of Access to Personal Data
-
Access to personal data of
third parties shall be determined by the permission terms between
the personal database subject and the owner of personal database as
for processing this data or according to the access mode established
by the law.
-
Access to personal data of
third parties shall not be granted, if the such party refuses to
take liabilities with regard to provision or cannot provide
execution of requirements of this Law or unable to provide for
execution of such requirements.
-
The subject of relations
related to personal data shall submit an inquiry on access to
personal data (hereinafter referred to as “inquiry”) to the
owner or administrator of the database.
4.The inquiry shall contain
the following information:
– surname, name and
patronymic, place of residence and information from an identifying
document of the person who submits inquiry (for natural
person-applicant);
– name, place of location of
a legal entity that submits an inquiry, position, surname, name and
patronymic of the person who certifies the inquiry; confirmation of
conformity of the content of inquiry with the authorities of legal
entity (for legal entities-applicants);
– surname, name and
patronymic as well as other data that enable identification of a
natural person about who such inquiry is submitted;
– information about the
personal database with regard to which the inquiry is made, or
information about the owner or administrator of such database;
– list of personal data that
are being required;
– purpose of the inquiry.
-
The term of consideration
of the inquiry with regard to its satisfaction shall not exceed ten
days from the day it was recieved.
Within this term, any owner
or administrator of the data base shall inform the person who submits
an inquiry that such inquiry shall be satisfied or that the
respective personal data is not subject to provision, with
notification about the basis specified in a respective normative and
legal act.
The inquiry shall be
satisfied within one calendar month, unless otherwise stipulated by
the law.
-
The personal data subject
shall be entitled to reception of any information about
himself/herself from any subject of relations related to personal
data without specifying the purpose of the inquiry unless other is
prescribed by law.
Article17. Deferment
or Refusal to Grant Access to Personal Data
-
Deferment or Refusal to
Grant Access to Personal Data shall not be allowed. -
Deferment in access to
personal data of third parties shall be permitted when the necessary
data cannot be provided within one month period. At that common
period of providing the access to personal data of third parties
shall not exeed the fourty five days term.
Notification on deferment
shall be presented to the third party who made an inquiry in writing
with explanation of the procedure of appeal against such decision.
The notification about
deferment of access shall contain the following:
– surname, name and
patronymic of the official;
– date of sending;
– reason of deferment;
– the term during which the
inquiry shall be satisfied.
Refusal to grant access to
personal data shall be allowed, if such access to it is prohibited
according to the law.
The notification about
refusal shall contain the following:
– surname, name and
patronymic of the official;
– date of sending;
– reason of refusal.
Article 18. Appeal
against Decision on Deferment or Refusal to Grant Access to Personal
Data
-
The decision on deferment
or refusal to grant access to personal data may be appealed against
in the authorized state body on protection of personal data, other
state power bodies and local self-governing institutions which are
competent in performance of protection of personal data, or in
court. -
If the inquiry is made by
the personal data subject, in this case the liability of proving the
lawfulness of deferment or refusal to grant access to personal data
in court shall be imposed on the owner or the administrator of the
base of personal data who received the particular inquiry.
Article19. Payment
for Access to Personal Data
-
Access of a personal data
subject to the data about him/her shall be free of charge. -
Access of other subjects of
relations, connected with personal data, to personal data of a
particular natural person or a group of persons may reqiure payment
only in case it requires the conditions prescribed by that Law. The
work related to processing of personal data as well as the work with
regard to consulting and organization of access to respective data
may be paid for. -
Amount of payment for
services on granting access to personal data by the state power
bodies shall be determined by the The Cabinet of Ministers of
Ukraine. -
The state power bodies and
local self-government institutions shall be entitled to free access
to personal data according to competence delegated to them.
Article20. Changes
and Supplements to Personal Data
-
The
owners or administrators of bases of personal data shall be binded
to
make changes or
supplements to personal data on the basis of reasoned written
requirement of the subject of personal data. -
Changes of personal data
shall also be permitted upon request of other subjects of relations
related to personal data, if the personal data subject gave his/her
consent to this or if a respective change is made according to the
court decision which entered into legal force. -
Changes of personal data in
case it is incorrect shall be performed immediately after such
incorrection was noticed.
Article 21. Notification
about Actions with Personal Data
-
The owner of personal
database shall inform the personal data subject about transfer of
personal data to the third party within 10 days period, if it is
required by the conditions of his consent or unless otherwise
established by the law. -
The above-mentioned
notifications shall not be performed in the following cases:-
of transfer of personal
data upon requests during execution of tasks of operational and
investigative activities or counterintelligence activity, and
anti-terrorist actions; -
performance by state power
bodies and the bodies of local self-government of their authorities
stipulated by the law ; -
processing of personal
data with historical, statistical or scientific purposes.
-
-
The owner of personal
database shall inform the personal data subject and the subjects of
relations related to personal data about the changes or supplements
or restriction of access to the data which was transferred to such
subjects within ten days period.
Article22. Control
over Observance of Legislation on Protection of Personal Data
1. Control over ciomplience
with legislation in the sphere of protection of personal data shall
within their competence be exercised by the following bodies:
–
authorized state power body
on matters of personal data protection;
– other state bodies and
bodies local self-government;
2.
Parliamentary control over the observance of human rights to
protection of personal data shall be exercised by the Ombudsman of
the Verkhovna Rada of Ukraine on matters of human rights according to
the law.
Article23. Authorized
State Body on Personal Data Protection
-
The authorized state body
on Personal Data Protection shall be the central executive power
body with special status entrusted with the tasks on personal data
protection and shall be established according to the legislation of
Ukraine.
The main powers of the
Authorized State Body on Personal Data Protection shall:
1) ensure the performance of
state policy in the sphere of personal data protection;
2) registers the bases of
personal data,;
3) maintains the State
Register of the Bases of Personal Data;
4) controls the execution of
legislation on matters of protection of personal data with provision
of access to the premises where processing of personal data is
performed according to legislation;
5) issues the requests on
illumination of violations of the legislation on data ptotection.
This requesrs are abligatory for exsecution;
6) considers propositions,
inquiries, appeals, claims and complaints of natural persons and
legal entities;
7) organizes and provides
for interaction with subjects of foreign relations related to
personal data issues;
8) participates in the
international organizations on matters of personal data protection.
Article24. Provision
for Protection of Personal
Data in Personal
Databases
-
The State guarantees
protection of personal data.
-
The
subjects of relations related to personal data shall undertake to
provide protection of such data from unauthorized processing,
as well as from unauthorized
access.
-
Provision
of personal data protection in personal databases shall be performed
by the owner of such database.
-
The
owner of personal database in electronic form shall provide its
protection according to the law.
-
State power bodies, the
bodies of local self-government, institutions and enterprises of all
property forms shall appoint a structural department or a
responsible person who organizes the work related to protection of
personal data during its processing.
Article 25. Limitations
on application of particular Articles of the Law
1. Limitations of rights
stipulated by Articles 8, 11 and 17 of this Law shall be implemented
only in the interests of:
– national safety, economic
welfare and human rights;
– protection of rights and
freedoms of natural persons whose personal data is being processed,
or rights of other subjects of relations related to personal data, as
well as with the purpose of anti-criminal activity;
– provision of subjects of
relations connected with personal data with the drawn up
depersonalized information with regard to personal data according to
legislation.
2. Subjects of relations
connected to personal data shall exercise their authorities within
the frameworks established by the Constitution and the laws of
Ukraine.
Article 26. Financing of
Works on Personal Data Protection
Financing of works and
measures to provide for protection of personal data shall be
performed at the expense of the State Budget of Ukraine and local
budgets, funds of the subjects of relations related to personal data.
Article 27. Application
of Provisions of This Law
1.The provisions with regard
to protection of personal data specified in this Law may be
supplemented or defined more clearly by special laws provided that
they establish requirements with regard to protection of personal
data that do not contradict the requirements of this Law.
2. Professional associations
can develop corporative codes of behavior with the purpose of
providing for the efficiency of protection of rights of personal data
subjects, assistance in application of legislation with regard to
such matters, taking into account the specifics of processing the
data about a natural person in different spheres.
Article28. Liability
for Violation of Legislation on Personal Data Protection
Violation of legislation on
personal data protection shall lead to liability established by the
law.
Article 29. International
Cooperation
1.Cooperation with foreign
subjects of relations related to personal data shall be regulated by
the Constitution of Ukraine, this Law, other normative and legal acts
and international treaties of Ukraine.
2.If the international
treaty of Ukraine which was made binding by the Verkhovna Rada of
Ukraine establishes other regulations than those stipulated by
legislation of Ukraine, the regulations of the international treaty
shall apply.
3.Transfer of personal data
to foreign subjects of relations related to personal data shall be
performed on conditions of providing appropriate protection of
personal data and with an appropriate permission in cases established
by the law or international treaty of Ukraine and according to the
order stipulated by national legislation . Personal data cannot be
spread with a purpose other than the purpose for which it was
collected.
Article 30. Final
Provisions
1.
This Law shall enter into force from 1stof January 2011.
2. Normative and legal acts
shall be valid in the part that does not contradict this Law until
they are brought in line with this Law.
3. The Cabinet of Ministers
of Ukraine, within six months from the day of enforcement of this
Law, shall do the following:
– provide for adoption of
normative and legal acts stipulated by this Law;
– provide for bringing of
its normative and legal acts in line with this Law;
–
determine the authorized state power body on matters of personal data
protection.
People’s
deputies of Ukraine:
O.
Shevchuk
(registry
card №
270)
V.
Lytvyn
(registry
card №
431)
V.
Polohalo
(registry
card №
225)
K.
Samoylyk
(registry
card №
420)