On the protection of personal data in Ukraine

    On January 1, 2011, Law No. 2297-VI “On the Protection of Personal Data” entered into force in Ukraine . Many heard about this event, some knew about the opening of registration of PD databases in July of this year, but very few of those who were affected by this law were quick to take any concrete actions. Meanwhile, from January 1, 2012, amendments to the administrative and criminal codes of Ukraine come into force, defining responsibility for non-compliance with the relevant law. Next, we will try to answer the most important questions:
    • who does this concern?
    • What do we have to do?
    • and what will happen if nothing is done?
    Who needs to take into account the law on the protection of personal data to

    any person (individual or legal) of Ukraine who owns any personal information of individuals. The law broadly interprets the concept of “personal data”. In its explanations, the ZPD service refersto the Council of Europe Convention and defines personal data as information or a collection of information about an individual that can be specifically identified using this information. Thus, almost any information can be personal data: email, IP address, GPS position of the user. Not to mention data such as name, date of birth, address and telephone number. Personal database is a named collection of ordered personal data in electronic form and / or in the form of personal data files.

    Obviously, according to the law, owners of almost any websites with registered users must register their databases. All online stores with their customer bases also get here. But the most interesting thing is that information about employees is also considered personal data. So, any Ukrainian company is obliged to register its base of employees.

    After such a pessimistic beginning, let us move on to concrete actions.

    How to ensure compliance with the law on the protection of personal data

    In order for the ZPD service not to have questions for you, you need to ensure the implementation of three conceptual points:
    1. obtain permission from each subject of personal data (for example, the user) to process and use his PD, notifying him of the purpose of collecting this data and their processing, his rights, in connection with the inclusion of information about him in the personal data base, and the persons to whom this data transmitted;
    2. register the database of personal data in the state register;
    3. protect the database of personal data.

    If we talk about specific actions, they will be slightly different for different PD databases. We distinguish two figurative cases: a website and a company that has a database of employees.

    To implement the first paragraph, you will need to modify the user agreement. It is necessary to add information about user rights (it is possible to give a link or cite article 8 of the law on the protection of personal data ), the purpose of processing PD, as well as the item “I allow the administration of example.com to collect and process my personal data. I am acquainted with the rights arising in connection with the processing of my personal data and the purposes of the processing and use of my personal data. ”

    It is necessary to adopt provisions that will set out the rights of employees arising in connection with the processing of their PD, as well as the purpose of processing the PD (an example of an order and regulation ). You also need to get the written permission of each employee to process his PD ( example ).

    Registration of PD databases will be the same for all cases and should not take much time. We have prepared the necessary tool and detailed instructions on our blog .

    In addition, the law requires the owner of PD databases to ensure their protection. However, the choice of specific measures and methods of protection lies entirely with the owner of the PD databases and is not indicated in any way. Note that there are draft recommendations to ensure the protection of PD databases, and in the future this issue will be resolved much more precisely.

    What liability is provided for non-compliance with the law on the protection of personal data

    ? We quote the Code of Ukraine on administrative offenses. The tax-free minimum income of citizens is 17 hryvnia.

    Administrative Responsibility :
    • failure to notify (untimely notice) the subject of personal data about his rights in connection with the inclusion of his personal data in the database, the purpose of collecting data and the people to whom these data are transferred - a fine of up to 300 NMDG for citizens and from 300 to 400 - for officials and SPD;
    • failure to notify (untimely notification) of a specially authorized body for protection of PD about the change of statements submitted for state registration of a personal data base - a fine from 100 to 200 NMDG for citizens and from 200 to 400 NMDG for officials and SPD;
    • evasion of registration of a personal data base - a fine from 300 to 500 NMDG for citizens and from 500 to 1000 NMDG for officials and SPD;
    • non-observance of the procedure for protecting the PD base established by law, which led to illegal access to PD - from 300 to 1000 NMDG;
    • failure to comply with the legal requirements of the officials of the specially authorized body for the protection of PD - a fine from 100 to 200 NMDG.
    There is also criminal liability for the illegal collection, storage, use, destruction and dissemination of confidential information (according to Article 182 of the Criminal Code of Ukraine), but we sincerely hope that this will not come to this.

    The compilation of protocols on violations in the field of personal data protection is entrusted to the authorized body - the State Service for the Protection of Personal Data. Local courts are authorized to prosecute and decide on a fine.

    Special cases

    The law does not apply in the following cases:
    • if the base is used by an individual for personal non-professional needs;
    • if the base is used by an individual for domestic purposes;
    • if the base is used by a journalist to perform his duties;
    • if the base is used by a creative worker to carry out his creative activities.
    Therefore, if you have a personal blog and you have a database of subscribers, then you do not need to register anything.

    Question-answer column

    Q: Is there any minimum set of information that is considered personal data?
    Oh no. Any information about the person by whom he can be identified is considered personal data.

    Q: The data is stored on servers in the USA, do I need to register the PD database ?
    Oh yeah.

    Q: What is the deadline for registering PD databases?
    A: There is no such deadline, but from January 1, 2012 you may be held administratively liable for non-compliance with the provisions of the law on the protection of PD. However, most likely, the EPD service will not come to you with a scheduled check, and real problems can only arise if you are filed a complaint. In any case, it is better to register the database as soon as possible, it is not so difficult.

    Q: Are employee details considered personal data?
    A: Yes

    Q: Do I need to get permission to use PD from existing users on my site?
    A: No, but you need to make changes to the registration procedure for all new users.


    www.zpd.gov.ua - public service for the protection of personal data
    www.zpd.gov.ua/zpd.gov.ua_eng/indexDovidkaInfo.html - reference information for citizens and legal entities
    zakon2.rada.gov.ua/laws / show / 2297-17-
    Law of Ukraine “On the protection of personal data” zakon1.rada.gov.ua/cgi-bin/laws/main.cgi?nreg=616-2011-%EF - Regulation on the State Register of Personal Databases and the procedure for its maintenance - 05.25.2011 (
    BDT registration began on July 1, 2011) www.zpd.gov.ua/R/perelik/perelik/24.htm - Regulation on the State Service for the Protection of Personal Data
    zakon2.rada.gov.ua/laws/show/3454- 17 - Strengthening the responsibility for violation of the legislation on the protection of personal data
    rbpd.informjust.ua - register of personal data bases
    taxer.com.ua/blog/23 - instructions for filing an application for registering a PD database in electronic form

    I would like to note that the law on the protection of personal data does not set as its goal to cover everyone with a cap. Nobody registers user data themselves. Only the fact of the existence of a database of personal data is registered, which guarantees the presence of a responsible person who is responsible for the safety of user data. First of all, this gives a guarantee to the users themselves that their data will not leak away and will not be used in illegal actions. In this regard, as personal data, it is necessary to consider not some kind of data set that EXACTLY determines the user (for example, full name + date of birth), but that CAN help identify the user. For example, if a user uses the address name@surname.com, a third party who has somehow gained access to this database will be able to associate this email with a specific person. And none of the users would like this.

    Also popular now: