Law of Ukraine
"On Protection of Personal Data"
Date of entry into force:
January 1, 2011
The present Law regulates relations related to the protection of personal data during its processing. The present Law does not apply to creation of databases of personal data and processing of personal data in such databases:
- by natural persons – exclusively for non-professional personal or household needs;
- by journalists – in the process of performing official or professional duties;
- by professional creative workers – for performing creative activity.
According to Article 2 of the present Law, personal data is defined as data or a collection of data on a natural person that is or can be clearly identified. Processing of personal data is defined as any action or a series of actions performed partially or completely inside an information (automated) system and/or catalogue of personal data and related to collection, registration, accumulation, storage, adaptation, amendment, updating, use and dissemination (distribution, sale, transfer), depersonalization and deletion of data on a natural person.
According to Article 4 of the present Law, the following are subjects of relations related to personal data:
- subject of personal data;
- owner of the personal data database;
- manager of the personal data database;
- third party;
- authorized state body in the issues of personal data protection;
- other bodies of state power and bodies of local self-government, whose scope of authority includes personal data protection.
Objects of protection include personal data processed in personal data databases. By regime of access, personal data, except for depersonalized personal data, belongs to information with restricted access (Article 5 of the present Law).
Article 6 of the present Law establishes the general requirements for processing of personal data. Namely, pursuant to the Law:
- the purpose for processing of personal data must be formulated in laws, other normative-legal acts, provisions, statutory or other documents that regulate the activity of the personal data database owner, and conform to the legislation in the field of personal data protection;
- personal data must be precise, reliable, and be updated in case of necessity;
- the primary sources of data on a natural person are: documents issued in their name; documents signed by them; information provided by the person about themselves;
- processing of personal data is carried out for specific and lawful purposes, determined by consent of the subject of personal data, or in cases provided for by the laws of Ukraine, according to the procedure determined by the legislation;
- processing of personal data on a natural person is not allowed without their consent, except for cases determined by the law, and only in the interests of national security, economic welfare and human rights.
Article 7 of the present Law forbids processing of personal data on race or ethnicity, political, religious or world views, membership in political parties and trade unions, as well as data relating to health or sexual life. However, this provision of the Law does not apply if the processing of personal data:
- is carried out with an explicit consent of the subject of the personal data for such processing;
- is necessary to exercise rights and perform obligations in the sphere of labor relations, according to the law;
- is necessary to protect the interests of the subject of personal data or another person, in case of legal incapacity or severely restricted capacity of the subject of personal data;
- is done by a religious organization, public organization of a world-view nature, political party or trade union created according to the law, provided that such processing is related exclusively to the personal data of the members of such organizations or persons maintaining a stable contact with them due to the nature of their activity, and that the personal data is not disclosed to third parties without the consent of the subject of personal data;
- is necessary to substantiate, satisfy or protect legal demands;
- is necessary for health care or treatment, provided that such data is processed by a medical worker or another employee of a health care institution charged with protection of personal data;
- concerns criminal charges, court verdict, execution of legal authority by a state body to conduct operative investigation, counter-intelligence activity and combat terrorism;
- concerns data that was promulgated by the subject of the personal data.
The rights of the subject of personal data are described in Article 8 of the Law.
The personal data database is subject to state registration by means of entering an appropriate record into the State Register of Personal Data Databases by the authorized state body in the issues of personal data protection. Registration of personal data databases is done on application basis, by notification (Article 9 of the present Law).
According to Article 10 of the present Law, the use of personal data envisages any actions of the database owner in respect of processing and protection of such data, and actions related to granting full or partial right of processing personal data to other subjects of relations related to personal data, carried out by consent of the subject of personal data or according to the law.
The grounds for the right of use of personal data are the following:
- consent of the subject of personal data to processing of their personal data. The subject of personal data has the right to limit the right to process their personal data when granting consent;
- permission to process personal data granted to the personal data database owner according to the law, exclusively for the purposes of exercising their authority.
Articles 12-15 of the present Law define the procedure for:
- collection of personal data;
- accumulation and storage of personal data;
- dissemination of personal data;
- destruction of personal data.
The procedure for accessing personal data is established in Article 16 of the present Law.
The owner of the personal data database informs the subject of personal data of their personal data being transferred to a third party within 10 working days, if the conditions of the consent require that, unless otherwise stated by the law (Article 21 of the present Law).
Control over adherence to the legislation in the area of personal data protection is carried out by the following bodies, within the authority established by the law:
- authorized state body in the issues of personal data protection (the central body of executive power whose authority includes personal data protection, created according to the legislation);
- other bodies of state power and bodies of local self-government.
According to Article 24 of the present Law, the state guarantees protection of personal data. Subjects of relations related to personal data are obliged to ensure protection of such data against unlawful processing and unauthorized access. The owner of a personal data database is charged with ensuring protection of personal data in the database. The owner of an electronic personal data database ensures its protection according to the law. Bodies of state power and bodies of local self-government, organizations, institutions and enterprises of all forms of ownership shall determine a division or a responsible person to organize the work related to protection of personal data during processing thereof, according to the law. Natural persons – entrepreneurs, including doctors with an appropriate license, advocates and notaries, personally ensure protection of personal data databases owned by them, according to the requirements of the law.