Today, the new Law On Amending the Law of Ukraine “On Personal Data Protection”, dated 20 November 2012, (the "Amendment") has become effective. The Amendment has introduced significant changes to Ukrainian laws on personal data protection.
The Amendment, among other changes:
- provides more detailed regulation of cross-border personal data transfer;
- allows implicit acceptance of personal data processing;
- no longer requires companies to register personal databases in place for maintenance and realization of employment relations;
- allows processing and trans-border transfer of personal data of customers (counterparties) without prior consent;
- provides personal data subjects with the right to revoke consent for personal data processing; to reasonably object against data processing; to know the mechanism of automatic data processing;
- requires that corporate codes on compliance and personal data protection of professional associations must be greenlighted by the State Service of Ukraine on Personal Data Protection; and
- requires additional information for personal database registration: the scope of personal data processed, list of third parties-transferees and information on cross-border personal data transfers.
Cross-border personal data transfer
Trans-border transfer of personal data is only allowed provided that the receiving data subject is located in a state that provides adequate personal data protection. The Amendment indicates that the following states are deemed to be providing adequate personal data protection:
- the European Economic Area member states;
- the states that are a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
- the states included in the respective list adopted by a resolution of the Cabinet of Ministers of Ukraine.
Explicit recognition of the validity of implicit consent for personal data processing has long been awaited by companies throughout business to customer operations and providers of online services. Under the Amendment, data processing consent is no longer required to be express, instead an implied one is now also allowed.
The Amendment requires that professional associations must obtain approval from the State Service of Ukraine on Personal Data Protection for their corporate codes on compliance and personal data protection. However, Ukrainian law fails to define what constitutes a 'professional association'. Therefore, the scope of these provisions is not sufficiently clear and their practical application by the State Service of Ukraine on Personal Data Protection should be closely monitored.