New Law Tightens Protection of Personal Data
The new Law of Ukraine on Personal Data Protection (the "Law") was officially published on 7 July 2010. While it may appear less important than other major legislative initiatives undertaken by the government recently, in fact it contains important regulatory requirements affecting nearly every business and individual in Ukraine. The Law regulates processing of and access to personal data, as well as creation and registration of personal information databases. The Law will become effective on 1 January 2011.
Who is covered by the Law
The Law will apply to a wide range of persons and entities that collect and process information for different purposes, including information on their employees for staff management purposes, as well as information on their clients for marketing, promotion, accounting or billing purposes. In other words, not only companies directly involved in information processing are covered by the Law.
The Law does not provide an exhaustive list of information that may be classified as personal data; it defines personal data as "information about an individual who is identified or can be specifically identified". In other words, in practice any information about an individual (e.g., a tax identification number, telephone number, address, etc.) can be recognized as personal data. The Law classifies personal data as restricted information, meaning that internal rules at companies must restrict access to such information.
Registration of personal information databases
Practically any collection of personal data which can be used to identify individuals, whether in electronic or hard copy form, represents a personal information database under the Law. The Law requires the owner of a personal information database to register such a database in the yet-to-be-created state registry. The government agency responsible for registration and the registration procedure are yet to be determined by the Cabinet of Ministers. Notably, it is the very fact of the existence of a personal information database, and not the data included in such a database, that must be registered.
Consent for personal data processing
The Law requires the database owner to obtain the consent of the individual for the processing of his or her personal data, including collection, use and distribution of such personal data. This consent must be "documented." The requirement for documentation is understood rather loosely to include a written document, electronic message, audio record of a call, etc. If the purpose of personal data processing changes, the database owner should obtain a new consent for processing of such data for the new purposes from the person whose data is used.
Actions the database owner should take to comply with the new Law
The key steps which the database owner must undertake under the new Law: