Who is covered by the Law The Law will apply to a wide range of persons and entities that collect and process information for different purposes, including information on their employees for staff management purposes, as well as information on their clients for marketing, promotion, accounting or billing purposes. In other words, not only companies directly involved in information processing are covered by the Law.
Personal data The Law does not provide an exhaustive list of information that may be classified as personal data and defines the personal data as "information about an individual who is identified or can be specifically identified". In other words in practice any information about an individual (e.g., a tax identification number, telephone number, address, etc.) can be recognized as personal data. The Law classifies personal data as restricted information meaning that internal rules at companies must restrict access to such information.
Registration of personal information databases Practically any collection of personal data which can be used to identify individuals, whether in an electronic or a hard copy form, represents a personal information database under the Law. The Law requires the owner of a personal information database to register such a database in the yet-to-be-created state registry. The government agency responsible for registration and the registration procedure are yet to be determined by the Cabinet of Ministers. Notably, it is the very fact of existence of a personal information database and not the data included in such a database that must be registered.
Consent for personal data processing The Law requires the database owner to obtain consent of the individual for the processing of his or her personal data, including collection, use and distribution of such personal data. Their consent must be "documented." The requirement for documentation is understood rather loosely to include in a written document, electronic message, audio record of a call, etc. If the purpose of personal data processing changes, the database owner should obtain a new consent for processing of such data for the new purposes from the person whose data is used.
Actions the database owner should take to comply with the new Law The key steps which the database owner must undertake under the new Law:
amend company's incorporation documents or internal regulations to stipulate the purpose of personal data processing (e.g., for staff administration or client relations purposes); establish a department or appoint an employee responsible for personal data protection; register the personal information database in the State Registry of the Personal Information Databases according to the procedure to be approved by the Cabinet of Ministers; obtain consent of the respective individuals for processing of their personal data. Such consent need not be a separate document and can be included in employment agreements or contracts with clients etc.; notify individuals in writing about the inclusion of their personal data in the database if such personal data is collected from non-public sources, about transfer of personal data to a third party, and about similar operations with their personal data.
For further information please contact
Oleksiy Didkovskiy
Managing Partner
oleksiy.didkovskiy@asterslaw.com
