LAW OF UKRAINE
ON PROTECTION OF PERSONAL DATA
Article 1. Scope of Law
This Law shall regulate legal relations involving protection and processing of personal data and aim to protect the fundamental rights and freedoms of natural persons, particularly the right to privacy in relation to the processing of personal data.
This Law shall apply to personal data processing activities performed, fully or partially, with the use of automated means, as well as processing of personal data stored in a file folder, or assigned to be included in it, with the use of non-automated means.
This Law shall not apply to data processing activities performed by a natural person solely for personal or domestic needs.
The provisions of this Law shall not apply to data processing activities performed by a creative or literature professional, particularly a journalist, for professional purposes provided that an appropriate balance is ensured between the right to privacy and the right to freedom of expression.”
Article 2. Term Definitions
In this Law, following terms shall have the meaning hereunder assigned to them:
– Base of personal data shall mean a named aggregate of organized personal data in electronic form and/or in a form of a filing system;
– Controller of personal data shall mean a natural or legal entity that has obtained a right to processing of such data according to the law or to the consent of the personal data subject, which approves the purpose of the processing of personal data in the base of personal data, establishes the content of this data and the procedures for its processing, in case other is prescribed by legislation;
– State Register of the base of personal datais a joint state informational system of accumulation, collection and processing of information concerning the registered personal base of personal data;
– Personal data subject’s consent shall mean a voluntary declaration of will by a natural person, provided he/she has been properly informed, to grant permission to process his/her personal data in accordance with the purpose of processing stated in writing or in any other form that allows to conclude that the permission has been granted;;
– Depersonalization of personal data shall mean withdrawal of information that allows directly or indirectly identifying a person;
– Filing system shall mean any structured set of personal data which are accessible according to specific criteria whether centralized, decentralized, or dispersed on a functional or geographical basis;
– Processing of personal data (hereinafter referred to as “processing”) shall mean any operation or set of operations such as collection, registration, accumulation, storage, adaptation, alteration, updating, use and dissemination (distribution, sale, transfer), depersonalization, or destruction of personal data which may involve the use of information (automated) systems;
– Recipient shall mean a natural or legal person, including a third party, to whom personal data is disclosed;
– Personal data shall mean information or aggregate information about a natural person who is identified or may be identified;
– Processor of personal data shall mean a natural person or legal entity which obtained the right to process such data on behalf of the controller of personal data or according to the law;
– Subject of personal data shall mean natural person, whose personal data is preceded to legislation;
– Third person shall mean any person, except subject of personal data, controller or processor of personal data and Authorizes State Body on Personal Data Protection, to whom controller or processor of personal data transfers this data according to legislation.
Article 3. Legislation on Protection of Personal Data
Legislation on protection of personal data consists of the Constitution of Ukraine, this Law, the laws of Ukraine “On Information”, “On Protection of Information in Informational and Telecommunication Systems”, other laws and normative and legal acts, international treaties of Ukraine which were approved as binding by the Verkhovna Rada of Ukraine.
Article 4. Subjects of Relations Connected to Personal Data
1. The subjects of relations connected to personal data are the following:
– Personal data subject;
– Controller of personal data;
– Processor of personal data;
– Third person
– Authorized state body on matters of personal data protection;
2. State undertakings, public utilities and private companies, bodies of state or local power, private entrepreneurs, who process personal data in accordance with legislation, may be entitled to be controllers or processors of personal data.
3. The processor of personal data which is owned by a state power body or a local self-government body may be a legal entity which acts in the sphere of administration of such body.
4. A personal data controller may authorize personal data processor to process personal data in accordance with a contract executed in writing.
5. A personal data processor may process personal data solely for the purpose and to the extent established by the contract.
Article 5. Objects of Protection
1. The objects of protection are personal data.
2. Personal data, except depersonalized one, is the data with restricted access
Article 6. General Requirements with Regard to Personal Data Processing
1. The purpose of processing of personal data must be clearly formulated in legal and other normative acts, regulations, constitutive or other documents that regulate activity of the controller of personal data, and conform to legislation on personal data protection.
Personal data shall be processed in an open and transparent manner using the means and methods that are adequate for the established purposes of such processing.
In case the purpose of processing of personal data is changed the subject of this personal data shall give new permission for processing of his personal data according to the new purpose in case if the new purpose of processing is incompatible with the previous one.
2. Personal data shall be accurate, authentic, and updated where necessary for the stated purpose of their processing.
3. The composition and content of personal data shall be relevant, adequate and non-excessive with regard to the purpose of their processing.
4. Primary sources of information about a natural person shall be the documents issued in this person’s name; documents signed by the person; information which a person provides about himself/herself.
5. Processing of personal data shall be conducted for concrete and legal purposes, determined by the consent of subject of personal data or, in certain cases prescribed by Law.
6. Processing of data about a natural person shall be prohibited without such person’s consent, except for the cases stipulated by the law, and only in the interests of national safety, economic welfare and human rights.
7. Until the moment it is possible to obtain the consent of the subject of personal data it may be proceeded without consent of the its subject in case it is necessary to protect his/her vital interests.
8. Personal data shall be processed in the form that permits identification of a natural person who they concern, within the term no more than it is necessary according to their legal purpose.
9. Personal data may be processed for historical, statistical or scientific purposes only on condition that adequate level of its protection is ensured.
10. A standard procedure for processing personal data stored in bases of personal data shall be adopted by a central executive agency responsible for development of the government’s personal data protection policy.
The order of processing of personal data in the sphere of operation of the deposit guarantee system is approved by Deposit Guarantee Fund.
Article 7. Particular Requirements with Regard to Processing of Personal Data
1.The processing of personal data shall be prohibited if such data is about racial or ethnic origin, political views, religious or other convictions, membership in political parties and trade unions, criminal charges or convictions as well as data with regard to health or sexual life.
2. Provisions of part one of this Article shall not apply if processing of personal data:
– Is implemented in case the personal data subject gives a well-defined consent to process such data;
– Is necessary for performance of duties of a controller in the sphere of labor relations according to the law in case if that an adequate level of protection is ensured;
– Is necessary for protection of the vital interests of the personal data subject or any other person in case of incapability or limitation of civil capability of the personal data subject;
– Is carried outwith adequate protection safeguards by religious or civil organization of religious orientation, a political party or trade union, created according to national legislation in case such processing concerns only personal data of members of these associations or persons who are in constant touch with them with regard to the nature of their activity, and that personal data is not transferred to the third party without consent of personal data subjects;
– Is necessary for substantiation, satisfaction or protection of legal claim;
– Is necessary for the purposes of health protection, medical diagnosis, provision of care, medical treatment or services provided that the data is processed by a health professional or another employee of a health care institution responsible for personal data protection and to whom the laws on medical confidentiality apply;;
– Concerns accusations in crimes, court sentences, implementation of the authorities by a state body, as defined by the law with regard to execution of tasks of operational and search or counterintelligence activity, antiterrorism;
– Concerns the data that were disclosed by the personal data subject.
Article 8. Rights of Personal Data Subject
1. Personal non-property rights to personal data that each natural person has shall be integral and inviolable.
2. The personal data subject shall have the right to:
– Know about the location of base of personal data which contains his/her personal data, its purpose and name, location and/or place of residence (staying) of the controller or processor of such personal data, or to issue a respective proxy to the authorized persons, except for cases established by the law;
– Receive the information concerning the conditions of access to personal data, in particular information about third persons who obtain his/her personal data;
– Access his/her personal data;
– Receive a response with regard to whether his/her personal data is stored in a respective base of personal data as well as to receive the content of his/her personal data hich are stored in such base of personal data, no longer than in 30 days period from the moment the request has been received in case other is prescribed by Law;
– Submit motivated requests to a personal data controller objecting against processing his/her personal data;
– Provide a motivated request with regard to change or destruction of his/her personal data by any controller and processor of such personal data, if such data is processed illegally or are inaccurate;
– Protect of his/her personal data from illegal processing and accidental loss, destruction, damage due to a deliberate concealing, failure to provide them or provision of such data with delay, as well as to protection from provision of information which is inaccurate or are disgraceful for the honor, dignity and business reputation of a natural person;
– Lodge complaints regarding the processing of his/her personal data to government agencies and officials responsible for personal data protection or directly to a court;
– Apply measures of legal protection in case of violation of legislation on protection of personal data;
– When granting consent, make reservations to restrict the right to process his/her personal data;
– Withdraw consent to personal data processing;
– Be informed of the procedure for automated processing of personal data;
– be safeguarded against an automated decision having legal implications for the person.
3. Disposal of personal data of a natural person who has restricted civil capacity or is adjudged incapable shall be performed by such person’s legal representative.
Article 9. Registration of bases of personal data
1. The base of personal data shall be registered in obligatory order by entering the appropriate information into the State Register of the Bases of Personal data by Authorized State Body on Personal Data Protection.
The regulation on State Register of the Bases of Personal Data shall be adopted by the Cabinet of Ministers of Ukraine.
2. Registration of the bases of personal data shall be performed by the principle of filing.
A personal data controller shall be relieved of the duty to register the following bases of personal data:
databases used for supporting and managing labor relations;
membership databases of non-governmental and religious organizations, trade unions,
and political parties.
3. Controller of personal data shall submit the application on registration of its base of personal data to the Authorized State Body on Personal Data Protection.
Application shall contain:
– Appeal on enlisting of the base of personal data into the State Register of the Bases of Personal Data;
– Information concerning the controller of personal data;
– Information concerning the name and location of the base of personal data;
– Information concerning the purpose of processing of personal data, formulated in accordance with Articles 6 and 7 of this Law;
– Information about composition of personal data being processed;
– Information about the third parties to whom personal data are transferred;
– Information about cross border transfers of personal data;
– Information concerning other processors of personal data;
– Confirmation of the obligation on execution of the requirements on protection of personal data, laid down by the legislation on protection of personal data.
4. Authorized State Body on Protection of Personal Data, in order established by the Cabinet of Ministers of Ukraine, shall:
– Make a decision concerning the registration of the base of personal data within thirty days period.
Controller of personal data shall receive the appropriate document confirming registration of the base of personal data at the State Register.
5. Authorized State Body on Protection of Personal data may refuse the registration of the base of personal data in case the application does not meet the requirements of the point 3 of this Article.
Article 10. Use of Personal Data
1. Use of personal data means any actions of the controller of the personal data with regard to processing of such data, their protection and provision of partial or full right to process such personal data by other subjects of relations related to personal data, which are performed according to the consent of a personal data subject or according to the law.
2. The use of personal data by the controller of personal data shall be performed in case he/she fulfils the conditions for protection of such data. The controller of the personal data shall not disclose information about the personal data subjects whose personal data is accessed by other subjects of relations related to such data.
3. The use of personal data by the employees of the subjects of relations related to personal data shall be performed only according to their professional or official and labor duties. These employees shall undertake to prevent disclosure of personal data which was entrusted with them or became known to them due to performance of official or labor duties, by any possible way. Such liability shall be valid after termination of their activity related to personal data, except for cases established by the law.
4. The information about a private life of a natural person shall not be used as factor that may confirm or disprove his/her business skills.
Article 11. Grounds for Processing of Personal Data
1. The grounds for processing of personal data shall be the following:
1) a personal data subject’s consent to his/her personal data processing;
2) a permission for processing personal data granted to a personal data controller in accordance with the law solely for the purpose of exercising his/her functions;
3) conclusion and performance of a legal contract to which a personal data subject is a party or which is concluded in favor of a personal data subject, or to perform actions leading to the conclusion of a legal contract at the request of a personal data subject;
4) protection of vital interests of a personal data subject;
5) protection of legitimate interests of personal data controllers or third parties except where a personal data subject requests to stop processing his/her personal data and the need to protect personal data overrides those interests.
Article 12. Collection of Personal Data
1. Collection of personal data shall be an element of the process which provides for actions to select or to arrange information about the natural person.
2. At the moment of personal data collection or in cases stipulated by article 11, section 1, paragraphs 2-5 of this Law, a personal data subject shall, within ten working days from the day of collection of his/her personal data, be informed of the personal data controller’s identity, the composition and content of the personal data collected, the rights of the data subject established by this Law, the purpose of data collection, and the persons to whom his/her personal data are transferred.
Article 13. Accumulation and Storage of Personal Data
1. Accumulation of personal data shall provide actions with regard to unification and systematization of information about a natural person or a group of natural persons or placement of this data to the base of personal data.
2. Storage of personal data shall provide actions with regard to ensuring their integrity and proper mode of access to it.
Article 14. Spreading of Personal Data
1. Spreading of personal data shall provide actions with regard to transference of information about a natural person with the consent of the personal data subject.
2. Spreading of personal data without the consent of the personal data subject or a person authorized by him/her shall be permitted in cases determined by the law, and only where necessary in the interests of national safety, economic welfare and human rights.
3. Execution of requirements of established protection mode of personal data shall be provided by the party that spreads this data.
4. The party, to which the personal data is transferred shall previously take measures with regard to execution of the requirements of this Law.
Article 15. Removal or Destruction of Personal Data
1. Personal Data shall be deleted or destroyed according to the procedure established by legislation.
2. Personal data shall be destroyed in following cases:
– termination of period of data storage determined by the consent of the personal data subject for processing of this data or determined by law;
– termination of legal relationships between the personal data subject and the controller or processor of the personal data, unless otherwise stipulated by the law;
– enforcement of a court decision with regard to withdrawal of data about a natural person.
3. Personal data collected with violations of requirements of this Law shall be destroyed according to the procedure established by the legislation.
4. Personal data collected during execution of tasks of operational and search activity or counterintelligence activity, anti-terrorism actions will be according to the requirements of the law.
Article 16. Mode of Access to Personal Data
1. Access to personal data of third parties shall be determined by the permission terms between the base of personal data subject and the controller of the base of personal data as for processing this data or according to the access mode established by the law.
2. Access to personal data of third parties shall not be granted, if the such party refuses to take liabilities with regard to provision or cannot provide execution of requirements of this Law or unable to provide for execution of such requirements.
3. The subject of relations related to personal data shall submit an inquiry on access to personal data (hereinafter referred to as “inquiry”) to the controller or processor of personal data.
4.The inquiry shall contain the following information:
– surname, name and patronymic, place of residence and information from an identifying document of the person who submits inquiry (for natural person-applicant);
– name, place of location of a legal entity that submits an inquiry, position, surname, name and patronymic of the person who certifies the inquiry; confirmation of conformity of the content of inquiry with the authorities of legal entity (for legal entities-applicants);
– surname, name and patronymic as well as other data that enable identification of a natural person about who such inquiry is submitted;
– information about personal data with regard to which the inquiry is made, or information about the controller or processor of such personal data;
– list of personal data that are being required;
– purpose of and/or legal grounds for the inquiry.
5. The term of consideration of the inquiry with regard to its satisfaction shall not exceed ten days from the day it was received.
Within this term, any controller or processor of personal data shall inform the person who submits an inquiry that such inquiry shall be satisfied or that the respective personal data is not subject to provision, with notification about the basis specified in a respective normative and legal act.
The inquiry shall be satisfied within one calendar month, unless otherwise stipulated by the law.
6. The personal data subject shall be entitled to reception of any information about himself/herself from any subject of relations related to personal data provided that he/she presents the information specified in section 4, paragraph 1 of this article other is prescribed by law.
Article 17. Deferment or Refusal to Grant Access to Personal Data
1. Deferment or Refusal to Grant Access to Personal Data shall not be allowed.
2. Deferment in access to personal data of third parties shall be permitted when the necessary data cannot be provided within one month period. At that common period of providing the access to personal data of third parties shall not exeed the fourty five days term.
Notification on deferment shall be presented to the third party who made an inquiry in writing with explanation of the procedure of appeal against such decision.
The notification about deferment of access shall contain the following:
– surname, name and patronymic of the official;
– date of sending;
– reason of deferment;
– the term during which the inquiry shall be satisfied.
Refusal to grant access to personal data shall be allowed, if such access to it is prohibited according to the law.
The notification about refusal shall contain the following:
– surname, name and patronymic of the official;
– date of sending;
– reason of refusal.
Article 18. Appeal against Decision on Deferment or Refusal to Grant Access to Personal Data
1. A decision on postponement or refusal of access to personal data can be appealed in court.
2. If the inquiry is made by the personal data subject, in this case the liability of proving the lawfulness of deferment or refusal to grant access to personal data in court shall be imposed on the controller or the processor of personal data who received the particular inquiry.
Article 19. Payment for Access to Personal Data
1. Access of a personal data subject to the data about him/her shall be free of charge.
2. Access of other subjects of relations, connected with personal data, to personal data of a particular natural person or a group of persons may reqiure payment only in case it requires the conditions prescribed by that Law. The work related to processing of personal data as well as the work with regard to consulting and organization of access to respective data may be paid for.
3. Amount of payment for services on granting access to personal data by the state power bodies shall be determined by the The Cabinet of Ministers of Ukraine.
4. The state power bodies and local self-government institutions shall be entitled to free access to personal data according to competence delegated to them.
Article 20. Changes and Supplements to Personal Data
1. The controllers or processors of personal data shall be binded to make changes or supplements to personal data on the basis of reasoned written requirement of the subject of personal data.
2. Changes of personal data shall also be permitted upon request of other subjects of relations related to personal data, if the personal data subject gave his/her consent to this or if a respective change is made according to the court decision which entered into legal force.
3. Changes of personal data in case it is incorrect shall be performed immediately after such incorrection was noticed.
Article 21. Notification about Actions with Personal Data
1. The controller of personal data shall inform the personal data subject about transfer of personal data to the third party within 10 days period, if it is required by the conditions of his consent or unless otherwise established by the law.
2. The above-mentioned notifications shall not be performed in the following cases:
– of transfer of personal data upon requests during execution of tasks of operational and investigative activities or counterintelligence activity, and anti-terrorist actions;
– performance by state power bodies and the bodies of local self-government of their authorities stipulated by the law ;
– processing of personal data with historical, statistical or scientific purposes.
3. The controller of personal data shall inform the personal data subject and the subjects of relations related to personal data about the changes or supplements or restriction of access to the data which was transferred to such subjects within ten days period.
4. Apersonal data subject is notified in accordance with the requirements established by article 12, section 2 of this Law.
Article 22. Control over Observance of Legislation on Protection of Personal Data
1. Control over ciomplience with legislation in the sphere of protection of personal data shall within their competence be exercised by the following bodies:
– authorized state power body on matters of personal data protection;
– other state bodies;
2. Parliamentary control over the observance of human rights to protection of personal data shall be exercised by the Ombudsman of the Verkhovna Rada of Ukraine on matters of human rights according to the law.
Article 23. Authorized State Body on Personal Data Protection
1. An authorized government agency for personal data protection shall mean a central executive agency responsible for implementation of the government’s personal data protection policy.
An authorized government agency for personal data protection shall independently exercise the powers established by this Law.
2. The main powers of the Authorized State Body on Personal Data Protection shall:
1) ensure the performance of state policy in the sphere of personal data protection;
2) registers the bases of personal data;
3) maintains the State Register of the Bases of Personal Data;
4) controls the execution of legislation on matters of protection of personal data by means of onsite and distance inspection of personal data controllers and/or processors with provision of access to the premises where processing of personal data is performed according to legislation;
5) issues the requests on illumination of violations of the legislation on data protection. This requests are obligatory for execution;
6) considers propositions, inquiries, appeals, claims and complaints of natural persons and legal entities;
7) organizes and provides for interaction with subjects of foreign relations related to personal data issues;
8) participates in the international organizations on matters of personal data protection.
9) inform personal data controllers and processors as well as personal data subjects of their rights and responsibilities;
10) monitor new practices, trends, and technologies used in personal data protection;
11) issue recommendations on practical application of the legislation on personal data protection;
12) submit, in accordance with the legally established procedure, proposals for the development of personal data protection policy;
13) approve, in accordance with article 27 part 2 of this Law, corporate codes of ethics;
3. The head of the authorized government agency for personal data protection and his/her deputies shall be appointed in accordance with the legally established requirements.
4. Position charts and budgets of the authorized government agency
for personal data protection shall be approved by its head in coordination with the Ministry of Finance of Ukraine.
The head of the authorized government agency for personal data protection shall, in accordance with the established procedure, decide upon the distribution of budget allocations managed by the authorized government agency for personal data protection.
5. A report on completion of tasks and work plans by the authorized government agency for personal data protection shall be made public, published on its official website, and submitted to the President of Ukraine, the Cabinet of Ministers of Ukraine, and the Verkhovna Rada of Ukraine.
Article 24. Provision for Protection of Personal Data
1. The State guarantees protection of personal data.
2. The subjects of relations related to personal data shall undertake to provide protection of such data from unauthorized processing, including its loss, illegal or accidental destruction, as well as from unauthorized access.
3. Provision of personal data protection in bases of personal data shall be performed by the controller of such personal data.
4. State power bodies, the bodies of local self-government, institutions and enterprises of all property forms shall appoint a structural department or a responsible person who organizes the work related to protection of personal data during its processing.
Article 25. Limitations on application of particular Articles of the Law
1. Limitations of rights stipulated by Articles 8, 11 and 17 of this Law shall be implemented only in the interests of:
– national safety, economic welfare and human rights;
– protection of rights and freedoms of natural persons whose personal data is being processed, or rights of other subjects of relations related to personal data, as well as with the purpose of anti-criminal activity;
– provision of subjects of relations connected with personal data with the drawn up depersonalized information with regard to personal data according to legislation.
2. Subjects of relations connected to personal data shall exercise their authorities within the frameworks established by the Constitution and the laws of Ukraine.
Article 26. Financing of Works on Personal Data Protection
Financing of works and measures to provide for protection of personal data shall be performed at the expense of the State Budget of Ukraine and local budgets, funds of the subjects of relations related to personal data.
Article 27. Application of Provisions of This Law
1.The provisions with regard to protection of personal data specified in this Law may be supplemented or defined more clearly by special laws provided that they establish requirements with regard to protection of personal data that do not contradict the requirements of this Law.
2. Professional associations can with approval of the authorized government agency for personal data protection, develop corporative codes of behavior with the purpose of providing for the efficiency of protection of rights of personal data subjects, assistance in application of legislation with regard to such matters, taking into account the specifics of processing the data about a natural person in different spheres.
Article 28. Liability for Violation of Legislation on Personal Data Protection
Violation of legislation on personal data protection shall lead to liability established by the law.
Article 29. International Cooperation and Transfer of Personal Data
1.Cooperation with foreign subjects of relations related to personal data shall be regulated by the Constitution of Ukraine, this Law, other normative and legal acts and international treaties of Ukraine.
2.If the international treaty of Ukraine which was made binding by the Verkhovna Rada of Ukraine establishes other regulations than those stipulated by legislation of Ukraine, the regulations of the international treaty shall apply.
3. Personal data may be transferred to foreign parties having relation to personal data in the cases stipulated by law or an international treaty of Ukraine only on condition that an adequate level of personal data protection is ensured by the relevant foreign state.
Member states of the European Economic Area as well as states signatory to the Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data.,
shall be assumed to ensure an adequate level of personal data protection.
The Cabinet of Ministers of Ukraine shall compile a list of the states that ensure an adequate level of personal data protection.
Personal data may not be distributed for the purpose other than the one
for which they have been collected.
4. Personal data may also be transferred to foreign parties having relation to personal data in case of the following:
1) a personal data subject’s explicit consent to the transfer;
2) the need to conclude and perform a legal agreement between a personal data controller and a third party who is a personal data subject for the benefit of the personal data subject;
3) the need to protect vital interests of personal data subjects;
4) the need to protect public interests, or establish, pursue and enforce a legal claim;
5) a personal data controller has provided the required guarantees of non-intrusion into the private and family life of the personal data subject.
Article 30. Final Provisions
1. This Law shall enter into force from 1st of January 2011.
2. Normative and legal acts shall be valid in the part that does not contradict this Law until they are brought in line with this Law.
3. The Cabinet of Ministers of Ukraine, within six months from the day of enforcement of this Law, shall do the following:
– provide for adoption of normative and legal acts stipulated by this Law;
– provide for bringing of its normative and legal acts in line with this Law;
– determine the authorized state power body on matters of personal data protection.