On January 10 2014 the Ukrainian Parliament commissioner for human rights announced the approval of the following regulations:
• the Master Procedure for Processing Personal Data;
• the Procedure for Supervision by the Ukrainian Parliament Commissioner for Human Rights of Compliance with Personal Data Protection Laws; and
• the Procedure for Notifying the Ukrainian Parliament Commissioner for Human Rights of Personal Data Processing Presenting a Particular Risk to the Rights and Freedoms of Data Subjects, and of the Structural Unit or Responsible Person Arranging the Personal Data Processing.
Full texts of the approved regulations are available on the commissioner's website.
Under the notification procedure, which is primarily aimed at businesses, the requirement to register personal databases with the State Service for Personal Data Protection has been replaced by the requirement to notify the commissioner.
The procedure sets forth an exhaustive list of personal data whose processing is subject to commissioner notification. The notification requirement applies to sensitive personal data as well as personal location and relocation data.
In order to serve notice to the commissioner, personal data controllers must submit a standard application form to the commissioner's office. In addition to general information about the data controller and data processor (if any), the following information (among other things) must be provided:
• the scope of the personal data subject to processing;
• the purpose of the personal data processing;
• information on the categories of person whose personal data is subject to processing or transfer; and
• information on cross-border transfers.
The application must be submitted to the commissioner's office within 30 business days of the processing commencement date. However, data controllers that were already processing personal data as of January 1 2014 have been granted a six-month grace period to submit applications (ie, until June 30 2014).
In addition to the application, the data controller and data processor (if any) must submit another standard application form to notify the commissioner's office of the structural unit or person responsible for arranging the due processing of the personal data.
The requirement to notify the commissioner does not apply where the personal data processing is performed in relation to the data controller's exercise of rights and fulfilment of obligations regarding labour relations. Other exemptions will not apply to businesses.
The new personal data protection regulations entered into force on January 8 2014 and are not subject to registration with the Ministry of Justice.