Personal data protection: the law was amended!

December 26, 2012

December 20, 2012 the Law of Ukraine “On Amendments to the Law of Ukraine” On Personal Data Protection, № 5491-VI came into force.

The main change in the law is to expand the scope of its protection concerning personal data in databases and card files in all areas of personal data protection. So, now the scope of the law extended to legal relations connected with the protection and processing of personal data, and aims to protect the fundamental rights and freedoms of man and citizen, including the right to privacy in relation to personal data processing. Exclusions from the scope of the law remains the data processing, which is performed by an individual for personal or household use, as well as creative or literary worker, including a journalist, for professional purposes, under the condition of providing balance between the right to privacy and the right to expressions.

Among the significant changes of the law there is a noteworthy change in the consent of the subject of personal data, which is now a voluntary expression of individual (assuming its awareness) for granting permission to the processing of personal data in accordance with the articulated goals of their treatment, expressed in writing or in a form that allows you to conclude its presentation.

Among the updated individual rights regarding the processing of its personal data appeared the right to make reservations regarding restriction on the processing of their personal data while granting consent, the right to withdraw consent to the processing of personal data, the right to know the automatic processing of personal data and the right to protection from automated solution which has its legal implications for it. At the same time, application on the decision to delay or denial of access to personal data can only take place in court (before it was possible to do it before the State Service of the protection of personal data).

For employers there is a useful rule that frees from the obligation of registration of personal databases if they are connected with the provision and implementation of labor relations, as well as it is applied to members of the public, religious organizations, trade unions and political parties. At the same time, if the personal database is still subject to registration, the holder of an appropriate database has to specify the composition of personal data processed, information about third parties which are transmitted with personal data and information on the transfer of personal data. At the same time if the personal database is still subject to registration, the holder of an appropriate database has to specify additionally the composition of personal data processed, information about third parties which are transmitted personal data and information on the transfer of personal data. This State Service of protecting personal data released from the obligation to report the fact of application for registration of the relevant database, and the registration may be delayed up to 30 business days.

Among the new grounds for processing personal data, other than existing permission and consent of the subject based on the new law, also, appeared a conclusion and execution of the legal transaction, by a party which is the subject of personal data or which is concluded in favor of the subject of personal data or for activities that precede the conclusion of the transaction at the request of the subject of personal data and the need to protect the legitimate interests of the holders of personal data and third parties, except when the subject of personal data requires to stop processing its personal data and the need to protect personal data dominates such interest. Final provision is helpful for those who collect and distributes information of public interest. However, a person whose personal data is collected by another person must be notified at the time of collection or in cases of protection of vital interests, as well as protection of the legitimate interests of the person or others, treatment under the law, within 10 days after the collection of data.

State Service of protection of personal data may now conduct on-site or off-site inspection of owners and / or managers of personal data, monitoring new practices, trends and technologies to protect personal data; gives recommendations for the practical application of legislation on protection of personal data, and coordinates corporate codes of behavior according to Article 27 of the Law.