The Draft Law provides grounds for the processing of personal and sensitive information, as well as other specific types of data, establishes data subject rights and responsibilities for data controllers and operators, pertaining to the concept of Privacy by Design and requirements for the security of processing, registration with the relevant supervisory authority, and conducting Data Protection Impact Assessments ('DPIAs'), among other things. It applies to both the public and private sector, as well as for legislative bodies when adopting legal acts regulating the processing and security of personal data.

Scope and definitions

Generally, the Draft Law would apply to natural persons where the processing of personal data is carried out by automated or non-automated means. Importantly, and in line with international norms, the Draft Law would not apply to the processing of personal data to the extent that it is carried out by one or more individuals solely for personal or household purposes (Article 1 of the Draft Law).

In particular, the Draft Law defines 'personal data' as 'any information relating to an identified or identifiable natural person'. Additionally, sensitive data is not defined as a broad category, but different sub-types of data are defined, such as the following (Article 2 of the Draft Law):

• biometric data: personal data relating to the physical, physiological, or behavioural characteristics of a natural person, which, as a result of special technical processing, make it possible to identify or verify a natural person, in particular, according to the following parameters: a digitised signature of a person, a digitised image of a person's face, digitised fingerprints;
• genetic data: personal data regarding congenital or acquired genetic features of a physical person, which provide unique information about the physiology or health of such a physical person, and which are obtained, in particular, as a result of the analysis of a biological sample taken from the relevant physical person; and
• health data: personal data on the state of physical or mental health of an individual, including data on the provision of medical services or assistance, which contain information on the state of health of an individual.

Furthermore, the Draft Law defines 'processing of personal data' as 'any action or set of actions with personal data with or without the use of automated means, including collection, fixation, arrangement, structuring, storage, adaptation, change, restoration, familiarisation, pseudonymisation, profiling, depersonalisation, use, disclosure by transmission or dissemination, or making available in any other way, grouping or combining, limiting restriction, deletion, or destruction'.

With a terminology similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Draft Law defines 'personal data controller' as 'any natural or legal person, subject of authority or any other body that independently or jointly with others determines the purposes and means of personal data processing, as well as other natural or legal persons for which purposes and means of processing are determined by law'. Instead, slightly departing from EU terminology, the Draft Law defines a 'personal data operator' as 'any natural or legal person, subject of authority, or any other body that processes personal data on behalf of the data controller and is authorised to do so by him or by the law'.

Personal data protection principles

Organisations will need to ensure that all processing of personal data complies with the personal data protection principles laid out under Article 4 of the Draft Law. The following seven principles are provided:

• legality, good faith, and transparency;
• purpose limitation;
• minimisation of personal data;
• accuracy of personal data;
• storage limitation;
• integrity and confidentiality; and
• accountability.

Lawful processing

The Draft Law provides that personal data processing is lawful in case of (Article 5 of the Draft Law):

• consent by the data subject to the processing of their personal data for one or more precisely defined purposes;
• conclusion and execution of a transaction to which the data subject is a party or for the implementation of measures necessary for the conclusion of a transaction at the request of the data subject;
• a need to fulfil a legal duty of the personal data controller;
• protection of vital interests of the data subject or another natural person;
• a need to perform tasks in the public interest or the powers assigned to the data controller by law; and
• necessity for the purposes of the legitimate interest of the data controller or a third party, except when such interests do not outweigh the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially if the data subject is a child.

In addition, the Draft Law provides that organisations, if opting for consent as a lawful basis for collecting personal data, must inform the data subject of (Article 6(5) of the Draft Law):

• the basis, purpose, and type of processing of their personal data;
• personal data to be processed;
• contact details of the data controller, including the permanent location and means of communication with them to the extent that allows the data subject to identify and contact them without hindrance;
• the rights provided by legislation in the field of personal data protection, and methods of their implementation; and
• any other information necessary to ensure fair and transparent processing of personal data.

Consent may be written, in an electronic form, obtained by choosing the appropriate technical settings in the website interface, operating system, software, or mobile application that involve the processing of personal data, provided that the data subject is previously informed that such actions will lead to the processing of their personal data or expressed through other affirmative action or behaviour that clearly indicates that the data subject in a specific case agrees to the further processing of their personal data (Article 6(1) of the Draft Law).

Sensitive personal data

Notably, even if sensitive data is not defined, the Draft Law prohibits the processing of sensitive personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in professional unions, as well as genetic and biometric data, and data related to health, sex life, or sexual orientation (Article 7 of the Draft Law).

This broad prohibition on the processing of such categories of data is then subject to several exemptions, such as when the processing of sensitive data is (Article 7(2) of the Draft Law):

• carried out under the condition that the data subject provides explicit consent to the processing of such data in accordance with Article 6 of the Draft Law, except for cases where the processing of personal data based on consent is prohibited;
• necessary for exercising the rights and fulfilling the duties of the data controller or the data subject in the field of labour relations or social protection in cases provided for by law, provided that such a law grants adequate guarantees of protection of the rights and interests of the data subject;
• necessary to protect the vital interests of the data subject or another natural person in the event that the data subject is physically unable to give consent or is incapacitated;
• carried out with the provision of appropriate protection by an organisation, association, or any non-profit organisation for political, ideological, religious, or trade union purposes, provided that the processing concerns exclusively the personal data of members and former members of these associations or persons who support permanent contacts with them in connection with the goals of the organisation and that personal data is not disclosed outside of this organisation without the consent of the data subject;
• necessary for filing, substantiating, or defending a legal claim or necessary for the court to exercise its powers;
• is necessary for the purposes of significant public interest in cases provided for by law, provided that such law is proportionate to the goal being pursued, takes into account the principle of respect for the essence of the right to the protection of personal data, and provides for proper and appropriate means of protection of the fundamental rights and interests of the data subject;
• necessary for the purposes of prevention and treatment of occupational diseases, assessment of the employee's work capacity, establishment of a medical diagnosis, provision of social services or services in the field of healthcare (including the electronic healthcare system), treatment or management of the healthcare and social care system services on the basis of the law, or a contract with employees of healthcare institutions, subject to compliance with the conditions and guarantees provided for in Article 7(2) of the Draft Law;
• necessary for the purposes of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare services and medical products or medical equipment in cases provided for by law, which guarantees proper and appropriate means of protection of the fundamental rights and freedoms of the data subject, in particular professional secrecy;
• necessary for the purposes of archiving in the public interest, the purposes of scientific or historical research, or statistical purposes, which is carried out on the basis of the law, proportional to the purpose pursued, takes into account the principle of respect for the essence of the right to the protection of personal data, and provides for proper and appropriate means of protection of fundamental rights and interests of the data subject; and
• necessary for the purposes of prevention, investigation, detection of offences, or execution of criminal penalties or penalties for administrative offences, in cases specified by law, which must provide for adequate guarantees of protection of the rights and interests of the data subject.

Implementation of video surveillance

The Draft Law establishes specific provisions for lawfully installing a video surveillance system. In particular, if subjects of power implement video surveillance systems, law enforcement agencies in public places, including public transport, are allowed to do so only in cases provided by law, for the purpose of preventing, detecting, or recording offences and ensuring public safety and order. Conversely, if legal entities or individuals implement video surveillance systems, it is allowed for the purpose of prevention of offences and protection of property in buildings and territories that are in their ownership or legal possession (Article 10(2) of the Draft Law).

Nonetheless, video surveillance is allowed only if, under specific circumstances, a legitimate goal cannot be achieved by other less intrusive measures (Article 10(3) of the Draft Law). Moreover, the Draft Law establishes different obligations on the data controllers which decide to implement a surveillance system, such as the obligation to post a warning that video surveillance is being carried out in a place accessible to everyone in the official language (Article 10(5) of the Draft Law).

Data subject rights

Individuals holding or owning personal data have a range of rights and the Draft Law further provides for conditions as to how data controllers must facilitate the exercise of these rights.

Importantly, the Draft Law grants individuals the following rights in relation to their personal data (Articles 18 to 26 of the Draft Law):

• right to information relating to the processing of their data;
• right of access;
• right to rectification;
• right to deletion, in certain circumstances;
• right to object;
• right to data portability;
• right to restriction of processing;
• right to oppose to automated decision-making; and
• right to protect their rights and obtain compensation for damage.

Nonetheless, the Draft Law does not provide for a time frame for responding to data subject requests.

Data controller and processor obligations

The Draft Law establishes several obligations for data controllers and operators when processing personal data. In general, data controllers and operators shall take 'appropriate technical and organisational measures to ensure the processing of personal data in accordance with the requirements of the Draft Law and they shall be able to prove it' (Article 28(1) of the Draft Law). Moreover, a data controller may allow the processing of personal data on their behalf only to an operator who will provide guarantees of taking appropriate and sufficient technical and organisational measures for processing personal data in accordance with the requirements of the Draft Law (Article 31(1) of the Draft Law). Instead, subcontracting operators is allowed only with the prior written permission of the data controller (Article 31(2) of the Draft Law).

Moreover, the processing of personal data by the operator must be carried out on the basis of a contract, which must provide for the type and categories of personal data to be processed, the term, nature and purpose of processing, the type and categories of data subjects whose data are to be processed, and rights and obligations of the data controller, among other things (Article 31(3) of the Draft Law).

When the data controller or operator is established and/or operates in other states, the organisations are obliged to appoint its representative on the territory of Ukraine, if one of the following conditions is met:

• the processing of personal data is related to offering goods, works, or services on a paid or free basis to data subjects located in the territory of Ukraine;
• the processing of personal data is related to the monitoring of the behaviour of the data subjects during their stay on the territory of Ukraine; and
• the data controller processes personal data of citizens of Ukraine.

Furthermore, the Draft Law establishes that each data controller (or the data controller's representative) is obliged to maintain a record of processing activities under its responsibility, which must contain information about:

• the title or name and contact details of the data controller, and, if applicable, the joint controller, the representative of the data controller, and the person responsible for the protection of personal data;
• the purpose of processing;
• the description of categories of data subjects and categories of personal data;
• categories of recipients to whom personal data has been or may be disclosed, including recipients in other states or international organisations;
• the transfer of personal data to other states or international organisations, including the name of the state or international organisation;
• the storage period before deletion of various categories of personal data, if possible; and
• a general description of technical and organisational security measures provided for by the first part of Article 35 of the Draft Law.

Privacy by Design

Article 29 of the Draft Law establishes the duty of Privacy by Design and Privacy by Default. In particular, each controller is obliged to take appropriate and sufficient technical and organisational measures that ensure:

• proper and effective implementation of the principles of personal data processing provided for by the Draft Law;
• compliance with the grounds for personal data processing provided for by the Draft Law; and
• the integration of protective guarantees in the process of personal data processing.

Moreover, the Draft Law provides that data controllers are obliged to take appropriate and sufficient technical and organisational measures to ensure that only that personal data that is necessary for the clearly defined legitimate purpose of processing is processed, and those measures will vary depending on (Article 29(4) of the Draft Law):

• the volume of personal data collected;
• the scope of personal data processing;
• the storage period of personal data; and
• availability of personal data.

DPIAs

Article 39 of the Draft Law sets conditions for carrying out impact assessments in relation to the protection of personal data. Particularly, when the processing involves the use of new technologies or the nature, scope, context, and purposes of processing are likely to lead to the occurrence of a high level of risk for the rights and freedoms of an individual, a data controller shall, prior to the processing, carry out a DPIA.

After performing a DPIA, the data controller shall write down a written conclusion, which must contain (Article 39(5) of the Draft Law):

• a detailed description of the planned processing of personal data and its purposes and grounds for processing personal data;
• information on the assessment of the necessity and proportionality of the processing in relation to the purposes;
• information on the risk assessment for the rights and freedoms of data subjects; and
• information on the measures that are provided for responding to risks, including guarantees, security measures, and mechanisms for ensuring the protection of personal data and demonstrating compliance with the requirements of the Draft Law.

Furthermore, data controllers and data processors must consult with the supervisory authority if the DPIA indicates that the processing of the data contains a high degree of risk that cannot be eliminated by the data controller's measures in view of the available technologies and the costs of their implementation (Article 39(8) of the Draft Law).

Persons responsible for personal data protection

The Draft Law requires both data controllers and operators to appoint a 'person responsible for the protection of personal data', comparable to the concept of the data protection officer ('DPO') under EU law, in the following cases (Article 41(1) of the Draft Law):

• where the processing of personal data is carried out by a public authority, except for courts, for the purpose of administering justice;
• where the main activity of the data controller or operator consists of the processing of personal data, which, by its nature, scope and/or its purpose, requires regular and systematic and large-scale monitoring of the actions or inaction of the data subjects;
• where the main activity of the data controller or operator is or is related to large-scale processing of personal data; and
• where the main activity of the data controller or operator is or is related to the processing of personal data defined in Articles 7 to 9 of the Draft Law.

Article 41(6) of the Draft Law specifies that the person responsible for the protection of personal data must have a higher education degree, namely at least a bachelor's degree, experience in the field of personal data, and shall have successfully passed a qualification exam and received a certificate issued by the supervisory authority conducting the certification (Article 42(1) of the Draft Law. Specifically, the Draft Law establishes that their tasks include advising the data controller, data processor, and their employees who carry out processing of their obligations, monitoring compliance with requirements of the Draft Law, and acting as the contact point for the supervisory authority, among other things (Article 41(4) of the Draft Law).

Data security

The Draft Law expressly requires that organisations adopt 'technical and organisational measures to ensure proper security of personal data processing at a level that is commensurate with the risk of personal data processing for the rights and freedoms of data subjects in compliance with the principle of proportionality'. The Draft Law provides a non-exhaustive list of some of the possible security measures to implement (Article 35(1) of the Draft Law):

• pseudonymisation and encryption of personal data;
• continuous provision of confidentiality, integrity, availability of personal data, and stability of processing systems and services;
• ensuring timely restoration of access to personal data in the event of an emergency or incident;
• regular testing, evaluation, and measurement of the effectiveness of technical and organisational measures to ensure processing security; and
• ensuring compliance with the code of conduct on personal data protection by employees of the data controller and operator.

Data breach notifications

When a data breach has occurred, the data controller must immediately, and no later than 72 hours after becoming aware of the data breach, notify the supervisory authority about it, except in cases where the data breach is unlikely to lead to a risk to the rights and freedoms of an individual (Article 37(1) of the Draft Law). Moreover, the notification to the supervisory authority shall contain (Article 37(4) of the Draft Law:

• a description of the nature of the data breach, including the categories and number of data subjects affected by the data breach, as well as the categories and number of personal data registration records affected by the data breach;
• contact details of the person responsible for data protection or another person who can provide additional information;
• a description of the probable consequences of the violation of the security of personal data; and
• a description of the measures taken or planned by the data controller to reduce the consequences of the data breach.

Further to the above, when such a data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must communicate the data breach to the data subject without undue delay, providing the same information established for the notification to the supervisory authority (Article 38(1) of the Draft Law). In this context, where a direct communication to the data subject would constitute an excessive burden for the data controller, it is obliged to take other measures to inform the data subject about the violation of the security of personal data, for example, to make a notification using mass media, social networks, and official websites (Article 38(4) of the Draft Law).

International data transfers

The international transfer of personal data is regulated in Chapter IX of the Draft Law.

Specifically, the Draft Law establishes that the transfer of personal data to foreign states and/or international organisations may be carried out by the data controller in the following cases (Article 44(1) of the Draft Law):

• a foreign state or an international organisation ensures an adequate level of personal data protection;
• the data controller and/or operator provided adequate guarantees of personal data protection; and
• approved Binding Corporate Rules ('BCRs') in accordance with the requirements of the Draft Law.

Moreover, Article 45(1) of the Draft Law specifies that states and organisations subject to the GDPR are considered to ensure an adequate level of personal data protection.

In particular, Article 46(2) of the Draft Law indicates that, in case the foreign state is not recognised as providing an adequate level of personal data protection, a data controller or operator can still lawfully transfer the data without the permission of the supervisory authority on the basis of:

• legal acts of a mandatory nature, which regulate relations between subjects of power;
• BCRs; and
• standardised terms of protection of personal data approved by the supervisory authority.

Employer data processing activities

Notably, the Draft Law provides a series of particular obligations and measures when the processing relates to the specific relationship between employer and employees.

In particular, according to Article 51 of the Draft Law, the employer is obliged to process only those personal data of the data subject provided for in the second part of the same article, which are necessary for the implementation of employment relations related to:

• the performance of duties and realisation of rights of parties to labour relations;
• the provision of additional benefits and incentives by the employer; and
• the special nature of the work performed.

Nonetheless, the employer may process personal data for purposes not provided in the article above, if the processing is based on the consent of the data subject, such consent is voluntary, and the failure to provide or withdraw it does not lead to negative consequences for the data subject.

In particular, the Draft Law establishes the following specific requirements for the employer-employee relationship, among others:

• a specific duty of accountability towards the supervisory authority (Article 51(7) of the Draft Law);
• the employer is required to collect personal data directly from the employees, except for the cases stipulated by the employment contract (Article 52 of the Draft Law); and
• an enhanced duty of transparency of the processing for employment purpose (Article 55 of the Draft Law).

Supervision and enforcement

Although the Draft Law repeatedly refers to a supervisory authority, the explanatory note from the Verkhovna Rada explains that the Draft Law does not cover the issue of the creation of a supervisory body, which must be formed in accordance with the criteria stipulated by Ukraine's international obligations. A separate draft of the law on the supervisory body, On the National Commission for the Protection of Personal Data and Access to Public Information (No. 6177 dated 18.10.2021)³, was developed and is under consideration by the Verkhovna Rada Committee on Human Rights, Deoccupation and Reintegration of Temporarily Occupied Territories in Donetsk, Luhansk Regions and the Autonomous Republic of Crimea, the City of Sevastopol, National Minorities and International Relations. Presently, the Ukraine Parliamentary Commissioner for Human Rights has been designated as the supervisory authority under the current law.

Article 58(2) of the Draft Law establishes that the decision to prosecute for offences in the field of personal data protection is taken by the supervisory authority in the manner determined by legislation or by a court. In particular, the Draft Law provides a range of different administrative fines that may be imposed on natural and legal persons violating the data protection regulations.

More specifically, the Draft Law establishes three different categories of fines, depending on the severity of the violations:

1. a fine of UAH 10,000 to UAH 30,000 (approx. €270 to €800) on individuals, and a fine of 0.05% to 0.1% of their total annual turnover on legal entities, but not less than UAH 30,000 (approx. €800) for each separate violation.
2. a fine of UAH 30,000 to UAH 100,000 (approx. €800 to €2670) on individuals, and a fine of 0.5% to 1% of their total annual turnover on legal entities, but not less than UAH 100,000 (approx. €2670) for each individual violation.
3. a fine of UAH 100,000 to UAH 300,000 (approx. €2670 to €8010) on individuals, and a fine of 3% to 5% of their total annual turnover on legal entities, but not less than UAH 300,000 (approx. €8010) for each separate violation.

Lastly, if enacted, the Draft Law will enter into force on 1 January 2024.

Marcello Ferraresi Privacy Analyst
[email protected]

1. Available at: https://itd.rada.gov.ua/billInfo/Bills/Card/40707 (only available in Ukrainian)
2. Available at: https://itd.rada.gov.ua/billInfo/Bills/pubFile/1517430 (only available in Ukrainian)
3. Available at: https://www.kmu.gov.ua/bills/proekt-zakonu-pro-natsionalnu-komisiyu-z-pitan-zakhistu-personalnikh-danikh-ta-dostupu-do-publichnoi-informatsii (only available in Ukrainian)