Privacy & Information Security Law Blog

On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country.  The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.

Currently, data protection in Ukraine is governed by several laws, including the Ukrainian Constitution, the Civil Code and the Law on Information.  Some highlights of the new Data Protection Law include:

• Personal data is defined as “any information about an identified or identifiable individual or a summary of such information”
• Processing activities involving sensitive data (which is defined as any information that reveals (i) racial or ethnic origins; (ii) political, philosophical or religious opinions; (iii) political-party or trade union membership; (iv) health; or (v) sexual life) are prohibited unless the individual’s prior consent is obtained or a legal exemption applies
• An independent data protection authority must be created (the “State Register of the Personal Data Databases”), and any data processing involving personal data will be subject to registration before this authority
• Transfer of personal data abroad is possible, however, the wording of the law is unclear and seems to require further explanation

In addition, on July 6, 2010, Ukraine’s parliament adopted the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its additional protocol to the convention regarding supervisory authorities and transborder data flows (ETS No. 181).