Today, people disclose their personal data to numerous entities — websites, loyalty programs in stores, government bodies, and others. However, Ukrainian legislation establishes rules for collecting, processing, and transferring personal data to third parties, as well as liability for violations. These rules provide for sanctions, including monetary fines and criminal liability.
What Data is Considered Personal Under Ukrainian Law?
The Law of Ukraine “On Personal Data Protection” defines “personal data” as information or a set of information about an individual who is identified or can be specifically identified. The law also defines depersonalization of personal data — the removal of information that allows direct or indirect identification of a person. This principle is used to minimize the volume of stored data, retaining only what is necessary for the intended purpose, thereby protecting it from leaks.
There is no exhaustive list of what constitutes personal data. However, typically considered personal are: full name; passport details; place of residence; education; marital status; nationality; ethnic origin; date and place of birth; information regarding beliefs and opinions, and more. This list is not final, as any information that can be used to identify a person is considered personal.
When is Consent Required for the Transfer of Personal Data?
Consent from the data subject is required before transferring their data. According to the above-mentioned law, in the field of e-commerce, a subject gives consent during registration in an information and communication system by checking a box allowing the processing of personal data in accordance with the stated purpose. Consent may also be provided in writing, during questionnaire completion, or by another indication of data transfer. It is important to emphasize that the consent must be proportional to the purpose of processing. In many cases, transferring data to third parties is necessary for its intended use, but it is essential to know to whom and for what purpose your data is being shared.
Types of Liability for Unlawful Disclosure or Transfer of Data
Liability for violating personal data legislation is set out in the Code of Administrative Offenses and the Criminal Code of Ukraine. For administrative violations, fines range from UAH 1,700 to UAH 34,000, depending on the specific actions and the responsible party. For criminal offenses, there is a broader range of penalties — from fines and correctional labor to probation, restriction of freedom, or even imprisonment.
Administrative Liability: What Does the Code of Administrative Offenses Provide?
Specifically, the Code of Administrative Offenses establishes liability for failure to notify or late notification of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights regarding the processing of personal data or changes in information subject to notification, as well as providing incomplete or false data. Fines for citizens range from 100 to 200 non-taxable minimum incomes, and for officials and business entities — from 200 to 400.
Failure to comply with lawful requests or orders of the Commissioner or designated Secretariat employees to prevent or eliminate violations of personal data protection law results in fines: from 200 to 300 non-taxable minimums for citizens, and from 300 to 1,000 for officials and entrepreneurs.
Repeated violations within one year result in fines of 300 to 500 minimums for citizens and 500 to 2,000 for officials and business entities.
If non-compliance with data protection legislation leads to unlawful access or a violation of the data subject’s rights, citizens face fines of 100 to 500 minimums, and officials or entrepreneurs — from 300 to 1,000. Repeated violations carry fines from 1,000 to 2,000 minimums for all liable parties.
Criminal Liability for Unlawful Use of Personal Data
Article 182 of the Criminal Code of Ukraine provides for liability for violating the right to privacy. It refers to confidential information as the object of the offense, and personal data is included in this category under data protection law.
For illegal collection, storage, use, destruction, dissemination, or modification of confidential personal data, the following penalties apply: fines from 500 to 1,000 non-taxable minimums, correctional labor for up to two years, probation supervision for up to three years, or restriction of freedom for the same period.
If these actions are committed repeatedly or cause significant harm to an individual’s rights, interests, or freedoms, penalties include probation from three to five years, restriction of freedom for three to five years, or imprisonment for the same term. Significant harm is defined as material damage exceeding UAH 151,400
How Can Businesses Comply with Data Processing Legislation?
To minimize the risk of violating Ukrainian law, businesses should follow these steps:
First, determine what kind of information is being collected — full name, phone number, marital status, etc. It is also essential to assess whether this information includes sensitive categories, such as health status, biometric data, political or religious beliefs, and so on. According to the Notification Procedure, data controllers that process personal data which pose a significant risk to the rights and freedoms of subjects must notify the Ukrainian Parliament Commissioner for Human Rights. The main criterion for determining such risk is the category of personal data being processed.
Next, it is crucial to clearly define and understand all aspects of personal data processing. This includes methods of data collection; storage terms and conditions; procedures and conditions for deleting personal data; a list of third parties who may receive the data, along with reasons and methods for transfer; and, of course, the security measures applied and their effectiveness.
Before collecting data from individuals, it is important to develop the appropriate documentation. One of the key documents is the “Privacy Policy,” which should outline the purpose of data collection, rights and obligations of the parties, and other provisions required by law. Clients should be able to review the Policy and understand who is receiving their personal data and for what purpose. Another essential document is the internal procedure for handling personal data, including which employees have access, their authority, and the purpose of processing. Other documents may also be adopted to ensure the highest level of protection and data security. It is important to stay up-to-date with legal changes to keep this documentation current.
Finally, appointing a responsible person or group to monitor compliance with legislation and internal regulations is essential. They will also notify the Commissioner if necessary and fulfill other relevant responsibilities.
What Are the Risks for Companies That Violate Data Processing Rules?
To recap the liability aspect specifically for companies: in cases of minor violations, an official notice may be issued requiring correction. If the company fails to comply with the notice, a fine may be imposed — but only in certain cases. Fines for businesses range from UAH 5,100 to UAH 17,000, and in case of repeated violations within a year — from UAH 8,500 to UAH 34,000.
However, for the following violations, liability arises without the need for prior notice:
Failure to notify or late notification of the Commissioner regarding data processing or changes to relevant information, or providing incomplete or inaccurate information — the fine ranges from UAH 3,400 to UAH 6,800, and from UAH 8,500 to UAH 34,000 for repeated violations within a year.
Failure to ensure proper personal data protection, resulting in unauthorized access or violation of a data subject’s rights — the fine is between UAH 5,100 and UAH 17,000, and from UAH 17,000 to UAH 34,000 for repeated violations.
Violations that may lead to criminal liability (as previously mentioned) are difficult to commit unintentionally. Therefore, if no employee intends to unlawfully obtain confidential information, companies generally have no cause for concern.
Legal Support in Personal Data Matters
Legal support from a lawyer may be needed at all stages of working with personal data. At the outset, a lawyer can help identify the necessary and sufficient personal data required for the company’s purposes while avoiding excessive control and liability for storing sensitive data. When drafting the “Privacy Policy” and internal procedures for data handling, it is highly recommended to consult with legal professionals — or better yet, entrust this task to experienced specialists. A lawyer will help interpret the law accurately, define the goals, and outline the rights and responsibilities of all parties, preventing future legal complications and assuring clients of the proper use of their data.
In the event of a suspected violation, a lawyer can verify whether the alleged actions were actually committed by the company or if the enforcement authority made a mistake. A lawyer can assist in appealing fines or official notices in court and proving the company’s innocence.