Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Ukraine: Draft data protection law submitted to Parliament
The Parliament of Ukraine ('Verkhovna Rada') announced, on 25 October 2022, that it had received a draft data protection law ('the Draft Law'), following the rejection of the previous data protection bill. In particular, the Draft Law provides grounds for the processing of personal and sensitive information, as well as other specific types of data, including biometric data, processing associated with the implementation of video surveillance, and processing of personal data of deceased persons, among other things. In addition, the Draft Law establishes data subject rights, responsibilities for data controllers and operators, including the adoption of Privacy by Design and requirements for the security of processing, registration with the relevant supervisory authority, and the carrying out of Data Protection Impact Assessments ('DPIAs'), including prior consultation where applicable.
Notably, the Draft Law contains sectoral requirements, among which rules for the processing of personal data by employers. Separately, the Draft Law contains requirements for the reporting of data leakages, specifically requiring data controllers to report data leakages to the supervisory authority no later than 72 hours from the moment when they became aware of the leak, except in cases where the leak is unlikely to lead to a risk to the rights and freedoms of an individual. Furthermore, the Draft Law provides that data transfers can be carried out where:
- a foreign state or an international organisation provides an adequate level of personal data protection;
- the controller and/or operator have provided adequate guarantees for the protection of personal data; and
- approved mandatory corporate rules in accordance with the requirements of the Draft Law.
Finally, in relation to enforcement, the Draft Law clarifies that the decision to prosecute offences in the field of personal data protection, as well as to apply other measures provided for by law, is taken by the controlling body in the manner determined by legislation or the Courts. On this point, the Draft Law provides for penalties of up to UAH 150 million (approx. €4 million) and 8% of total annual turnover of such a legal entity for the last reporting year.
You can read the press release and the Draft Law here, both only available in Ukrainian.