On May 9, 2024, the Ukraine Parliamentary Commissioner for Human Rights (the Commissioner) published clarifications for data controllers on their obligations.

The Commissioner highlighted that State authorities, local self-government bodies, enterprises, institutions, organizations of all forms of ownership, and natural persons who process personal data are obliged to ensure the protection of such data from accidental loss, destruction, or illegal processing, including illegal destruction or access to personal data. Furthermore, the Commissioner noted that the use of personal data by employees should be carried out only in accordance with their professional, official, or labor duties and that employees are obliged not to allow disclosure in any way of personal data entrusted to them or which became known in connection with the performance of professional, official, or labor duties, except for cases provided by law.

In addition, the Commissioner also stated that owners and administrators of personal data are responsible for:

• taking measures to ensure the protection of personal data at all stages of their processing, including with the help of organizational and technical measures; and
• independently determining the list and composition of measures aimed at the security of personal data processing, taking into account the requirements of legislation in the areas of personal data protection and information security.

You can read the press release, only available in Ukrainian, here.