Data Protection Law in Ukraine

May 2017

The Law of Ukraine No.2297-VI "On Personal Data Protection" (PDPL) was passed by the Parliament on 1 June 2010, and initially amended on 3 September 2015. Generally, the PDPL is similar to the EU Data Protection Directive. The main scope of the PDPL is the legal regulation and protection of privacy in connection with the processing of personal data.

Territorial Scope

The PDPL does not expressly provide any conditions with regard to territorial effect. As it is a national legal act, and taking into account the sphere of applicability defined in Article 1, the PDPL is likely to apply to personal data processing that takes place in Ukraine or that concerns Ukrainian citizens or residents, regardless of the location of the data owner or processor.


Personal Data is defined as information or an aggregation of information about a natural person who is identified or can be identified.

Processing of personal data includes collection, registration, accumulation, storage, adaptation, alteration, updating, use and dissemination (distribution, sale, and transfer), anonymisation and destruction of personal data, including destruction of the same by means of automated systems.

Article 4 of the PDPL defines the key parties involved in data processing:

  • data subject - a natural person whose personal data is being processed;
  • personal data owner - a natural person or a legal entity, which determines the goals of personal data processing, as well as defines scope and ways of such processing. The personal data owner corresponds to the concept of a data controller in the EU Directive;
  • personal data processor - a natural person or a legal entity, which is permitted by the data owner or under applicable law to process personal data. The term is similar to the concept of a data processor in the Data Protection Directive but not identical;
  • third party - any additional person or entity which receives personal data from a data controller or data processor for a specific purpose;
  • Ukrainian Parliament Commissioner for Human Rights (the Ombudsman).

The PDPL has not explicitly adopted the concept used by the EU of dividing personal data into non-sensitive and sensitive categories but instead classes "Extreme Risk Data" as a separate category of data, much of which overlaps with the EU's classification of sensitive data and covers data on:

  • race, ethnic origin and nationality;
  • political, philosophical and religious beliefs;
  • membership of political parties, trade unions and other organisations;
  • health;
  • sexual life;
  • biometric data;
  • genetic data;
  • criminal records;
  • any pre-trial procedures involving the person;
  • any investigative procedures relating to the person;
  • violence against the person; and
  • location data and travel routes.

Anyone processing Extreme Risk Data should notify the Ombudsman's Office within 30 business days from the moment processing began. The data owner must get consent from the data subject to the processing where processing of Extreme Risk Data is explicitly specified.


The data subject's consent is one of the major justifications for personal data processing under the PDPL.

The PDPL defines consent as a voluntary declaration of will by a natural person, provided he/she has been properly informed, to grant permission to process his/her personal data in accordance with the stated purpose, either in writing or in any other form that supports the conclusion that the permission has been granted.

Consent may be collected on e-commerce websites during the customer registration or account sign up process through an opt-in tick box, accepting the terms of the privacy policy, provided no data processing is carried out by the data owner in relation to the data subject before the box has been ticked.

Consent is not required:

  • where such processing is required by law and has the personal data owner’s specific authorisation;
  • for the conclusion and execution of an agreement to which the data subject is a party or which is concluded to the benefit of the data subject, or for activities that have been completed prior to the transaction at the request of the data subject;
  • for the protection of the vital interests of the data subject;
  • when the processing is required in order to enable the data owner to comply with its legal obligations;
  • where the processing is in the legitimate interests of the data controller or third party except where those interests are overridden by the rights and freedoms of the individual.


The PDPL does not apply to the processing of personal data by individuals for personal purposes nor to processing for journalistic and artistic purposes, subject to the requirement to balance privacy and freedom of speech.

The provisions of the PDPL, which regulate general and special requirements on personal data processing and the rights of the data subject, can be overridden in certain cases, for example, where personal data is being processed for national security reasons, in the interests of economic prosperity, or to protect the rights and freedoms of data subjects or other individuals.

Data subject rights

In addition, data subjects have to be informed about the processing of their data (subject to certain exceptions), as well as of their rights, the identity of the data owner, the scope and content of personal data processed, the purpose of such processing and the identity of any third parties to whom such data is transferred. This information must be provided either at the moment of direct collection from the data subject; or if not, within thirty business days from the day on which the processing began.

Article 8 of the PDPL gives data subjects the right to restrict the processing of personal data when granting consent and the right to withdraw the consent at any time.

Data exports

Non-residents are allowed to process personal data originating in Ukraine or involving Ukrainian citizens provided they ensure a level of legal protection equivalent to that provided by the PDPL.

Members of the EEA, as well as states which have signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, are deemed as ensuring an adequate level of personal data protection. The Cabinet of Ministers of Ukraine also maintains a list of approved third countries for the purposes of data exports.

Non-residents are authorised to receive personal data from Ukraine where:

  • the data subject expressly consents to the transfer;
  • the transfer is required to give effect to a contract between the personal data owner and a third party for the benefit of the data subject;
  • the transfer is required to protect the vital interests of the data subject;
  • the transfer is required in order to protect public interest, or in the context of legal proceedings; or
  • the personal data owner provides relevant guarantees of non-interference in the personal and family life of the data subject.


The Ombudsman has the right to adopt regulations in the sphere of personal data protection where applicable under the PDPL. For example, the Typical Order on Personal Data Processing and accompanying official Explanation has been published as guidance. The Typical Order relates to the processing of personal data by particular employees of data owners and limits their access to personal data.


In terms of sanctions, the PDPL provides for administrative and criminal liability for non-compliance.

The Code of Ukraine on Administrative Offences prescribes administrative liability for violation of the data protection legislation, namely:

  • failure to notify or late notification of the processing or amendment of Extreme Risk Data to the Ombudsman's Office is subject to an administrative fine of up to EUR 240;
  • non-compliance with the legitimate requests by the Ombudsman's Office to comply with the PDPL is subject to administrative fines of up to EUR 580;
  • non-compliance with data protection procedures which results in unlawful access to personal data or violation of a data subject's rights is subject to an administrative fine of up to EUR 580.

Criminal liability for data protection-related offences is set out in Article 182 of the Criminal Code of Ukraine: the illegal collection, storage, use, disposal, dissemination and change of confidential information relating to an individual attracts penalties of fines of up to EUR 670; corrective labour for up to two years; a custodial sentence of up to six months; or up to three years of freedom limitation.

While the potential criminal sanctions for non-compliance are quite severe compared with those in EU jurisdictions, in practice the Ombudsman's Office usually issues a 'cease and desist' type notice in the event of a breach of the PDPL. Administrative fines may then be imposed if the notice is not complied with. It is rare for criminal liability to result from cases relating to the illegal disposal of confidential information.


Olena Stakhurska        

Ilarion Tomarov

Olena and Ilarion outline the main concepts of the Ukraine Law on Personal Data Protection.
