Data protectioni Requirements for registration
Under Ukrainian law, the main personal data includes a person's name, nationality, education, family status, religion, health condition, address, and date and place of birth. The Labour Code prohibits an employer from requesting information from candidates on their nationality, political party membership, origins, place of residence and other documents not required by law.
Almost all companies operating in Ukraine have been facing problems in the process of adjusting their business activities to the new Ukrainian personal data protection legislation. The Law on Personal Data Protection (the PDP Law), which came into effect on 1 January 2011 and has been significantly amended several times, sets new rules for collecting, storing, using, processing and transferring personal data. The PDP Law contains many questionable provisions, the interpretation of which is often problematic even for the representatives of the data protection authorities.
Ukrainian law provides for serious penalties for companies found in breach of the PDP Law (including fines up to 17,000 hryvnas for each violation and up to three years' imprisonment for the company's chief executive officer). Therefore, it is absolutely necessary for all entities operating in Ukraine to become compliant with the PDP Law.
As of 1 January 2014, controllers are no longer required to register their databases containing personal data. If processing of the personal data creates a risk to the rights of the data subjects (risk data), the controller will have to notify the Ombudsman of such processing within 30 business days of the date of the processing. The types of data that constitute risk data are established by the Ombudsman. The risk data includes, but is not limited to, sensitive data (see subsection iii, below).
Considering that under the PDP Law, the company must obtain express consent from each employee for transferring his or her personal data to any third parties, unless otherwise required by law, Ukrainian employers normally prefer to obtain the employees' consent for their data collecting, storing and other processing as well.
The company processing personal data is responsible for ensuring protection of the processed data from any illegal processing and access, including by designating an employee to perform these functions.
To assist in proving the absence of guilt in violating the personal data protection legislation before the data protection authorities or the court, a sound corporate personal data protection programme should be developed by every entity doing business in Ukraine. This programme should include developing model internal documentation (policies, regulations, orders, letters of consent, personal data protection clauses in the employment agreements (or contracts), etc.).ii Cross-border data transfers
The law does not require registration or notification for the cross-border transfer of personal data, unless the data transferred falls into the category of risk data.
It is generally prohibited to transfer personal data to jurisdictions that do not ensure adequate protection of such data (these are all countries except for those in the European Economic Area and other signatories to the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). However, the PDP Law provides for five exhaustive exceptions when transferring personal data to jurisdictions with inadequate protection. Three of them are relevant to employers, namely: (1) the unequivocal consent of the affected data subjects for the transfer of their personal data to jurisdictions whose data protection regime is deemed inadequate; (2) collection and further processing of personal data is necessary for establishing, exercising or defending a legal claim (e.g., in case of internal investigations); and (3) by the controller giving guarantees to the data subjects that there will be no intrusion into their personal and family lives arising from the transfer.
The transfer consent should contain, in particular, information on the data recipient, the scope of the transferred data and the purpose of its processing. It can be incorporated into the initial employee consent for data processing obtained by the employers. It is advisable for the employer to enter into an agreement with a foreign data recipient requiring imposing an obligation on the data transferee to ensure protection of the imported data at least at the level established by the employer.
The employer shall notify all affected data subjects of their data transfer, but only where the right to receive such notice was not waived by them at the time of obtaining their initial consent for data processing.iii Sensitive data
Information related to race, ethnic origin, political, religious and ideological beliefs, political party and trade union membership, criminal prosecution and judgment in a criminal case, biometric and genetic data, as well as medical records and other data related to the health and intimate life of an individual is considered as sensitive data that, in general, cannot be requested and processed, except for in certain cases specifically permitted by law, including when such processing is required by law in the area of employment relationships. The sensitive data of an employee or candidate can be transferred to third parties, including those located abroad, only after the employer obtains consent from the data subject, unless he or she already consented to the transfer of data when giving consent for the processing of personal data.iv Background checks
An employer may request only a limited amount of information and documentation from a candidate or employee. In all instances such requests should be justified by law. For instance, if a certain job has specific health or age requirements, the employer is authorised to request confirmation of these requirements from the candidate.
The law clearly states which documents can be requested from a candidate or employee for each job (e.g., for teaching positions, criminal records can be verified) and it is forbidden for the employer to ask for additional documents or information (credit history, bank statements, etc.).
Personal data protection laws restrict background checks of candidates for a job. It is likely that the candidates' express consent will be required to justify any collecting, storing, using, transferring and other processing of the candidates' personal data, except for information, documents, etc., the provision of which is expressly prescribed by the Labour Code and other applicable laws.