On 3 July 2013 the Ukrainian Parliament passed a law that significantly amends the Ukrainian Law On Personal Data Protection (the “Privacy Law”).
The principal changes to the Privacy Law are summarised below:
- the state agency in charge of personal data protection matters in Ukraine will change. The State Service of Ukraine on Personal Data Protection is to be abolished and its functions will be transferred to the Ombudsmen;
- the requirement to register personal databases will be cancelled and replaced with a duty to notify the Ombudsman of the processing of personal data that constitutes a special risk to the rights and freedoms of the data subjects (“High Risk Data”). The notification must be submitted by the data controller within 30 working days of when it starts processing the data. Types of data classified as High Risk Data and the data controllers bound by the notification requirement are to be decided by the Ombudsman by 1 October 2013. It remains unclear whether previously registered databases will need to be notified to the Ombudsman;
- the period during which a data subject must be notified that his/her personal data is being processed and informed of his/her rights in this regard is extended from 10 to 30 days (except for cases when data is collected directly from the data subject – in which case there is no change, and the notification is made at the moment of collecting the data);
- the definition of consent to data processing will be removed. Removal of the definition can make it difficult to identify whether consent had been granted by the data subject (previously, a documented or other clearly identifiable form of consent was required).
These changes to the Privacy Law will become effective from 1 January 2014. Data controllers that start processing High Risk Data must notify the Ombudsman by 1 July 2014.
Law of Ukraine On Amending Certain Legislation Acts of Ukraine Regarding Improving the System of Personal Data Protection No. 383-VII dated 3 July 2013.