|
|
Home
| Databases
| WorldLII
| Search
| Feedback
National Data Privacy Legislation |
|
|
|
LAW OF UKRAINE |
(Official Bulletin of the Verkhovna Rada of
Ukraine (BVR), 2010, No. 34, Art. 481)
{As amended by Laws No.
4452-VI of 23 February 2012, BVR, 2012, No. 50, Art. 564
No. 5491-VI of 20 November 2012, BVR, 2013, No. 51, Art. 715
No. 245-VII of 16 May 2013, BVR, 2014, No. 12, Art. 178
No. 383-VII of 03 July 2013, BVR, 2014, No. 14, Art. 252
No. 1170-VII of 27 March 2014, BVR, 2014, No. 22, Art. 816
No. 1262-VII of 13 May 2014, BVR, 2014, No. 27, Art. 914
No. 316-VIII of 09 April 2015, BVR, 2015, No. 26, Art. 218
No. 675-VIII of 03 September 2015, BVR, 2015, No. 45, Art. 410
No. 1774-VIII of 06 December 2016, BVR, 2017, No. 2, Art. 25
No. 2168-VIII of 19 October 2017, BVR, 2018, No. 5, Art. 31
No. 324-IX of 03 December 2019, BVR, 2020, No. 11, Art. 63
No. 524-IX of 04 March 2020, BVR, 2020, No. 38, Art. 279}
{In the Law wording, the words “personal
database owner” and “personal database manager” in all cases and numbers are
replaced,
respectively, by the words “personal data owner” and “personal data
manager” in the corresponding case and number in accordance
with Law No. 5491-VI of
20 November 2012}
This
law regulates legal relations concerning the protection and processing of
personal data and is aimed at protecting fundamental
human and civil rights and
freedoms, in particular at the right of non-interference in personal life, in
connection with personal
data processing.
This
Law shall be applied to the activities associated with personal data processing
by automated means in whole or in part, as
well as with the processing of
personal data contained in or to be entered into the filing system by
non-automated means.
{Part 3 of Article 1 has been deleted under Law
No. 383-VII of
03 July 2013}
{Part 4 of Article 1 has been deleted under Law
No. 383-VII of
03 July 2013}
{Article 1 as revised by Law No. 5491-VI of
20 November 2012}
For
the purposes of this Law, the following definitions shall apply:
personal
database is a named set of ordered personal data in electronic form and/or in
the form of personal data files;
Personal
data owner is a natural or legal person who determines the purpose of personal
data processing, the composition of this
data and the procedures for its
processing, unless otherwise specified by law;
{Paragraph 3 of Article 2 as amended under Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
Personal
data subject's consent is a voluntary expression of the individual's will
(subject to his/her awareness) regarding the
granting of permission to process
his/her personal data in accordance with the stated purpose of their
processing, expressed in
writing or in a form that allows concluding that
consent has been provided. In the field of electronic commerce, the personal
data
subject's consent can be provided when registering in the information and
telecommunication system of the electronic commerce subject
by putting a mark
on the granting of permission to process the personal data in accordance with
the stated purpose of their processing,
provided that such a system does not
create opportunities for personal data processing until the mark is put down;
{Paragraph 4 of Article 2 as amended by Law No. 1262-VII of
13 May 2014; as amended by Law No. 675-VIII of
03 September 2015}
{Paragraph 5 of Article 2 has been deleted
under Law No. 383-VII of
03 July 2013}
Personal
data depersonalisation is a withdrawal of information that allows to directly
or indirectly identify a person;
{Paragraph 6 of Article 2 as amended by Law No. 5491-VI of
20 November 2012}
Card-file
is any structured personal data available according to certain criteria,
regardless of whether such data is centralised,
decentralised or divided
according to functional or geographic principles;
{Article 1 is supplemented with a term in
accordance with Law No. 5491-VI of
20 November 2012}
Personal
data processing is any action or set of actions, such as collection,
registration, accumulation, storage, adaptation, change,
renewal, use and
distribution (circulation, sale, transfer), depersonalisation, destruction of
personal data, including using information
(automated) systems;
{Article 1 as revised by Law No. 5491-VI of
20 November 2012}
Recipient
is a natural or legal person, to which the personal data are provided, whether
a third party or not;
{Article 1 is supplemented with a term in
accordance with Law No. 5491-VI of
20 November 2012}
Personal
data includes details or a set of details about the individual, which is or may
be explicitly identified;
Personal
data manager is a natural or legal person who is granted the right by the
personal data owner or by law to process this
data on behalf of the owner;
{Paragraph 11 of Article 2 as amended by Law No. 5491-VI of
20 November 2012}
Personal
data subject is a natural person whose personal data are processed;
{Paragraph 12 of Article 2 as revised under Law No. 383-VII of
03 July 2013}
Third
party is any person, except for the personal data subject, personal data owner
or manager and the Human Rights Ombudsman of
the Verkhovna Rada of Ukraine, to
whom the personal data owner or manager transfers personal data.
{Paragraph 13 of Article 2 as revised under Law No. 383-VII of
03 July 2013}
Article 3. Legislation on personal data
protection
The
legislation on personal data protection is constituted by the Constitution of Ukraine, this Law, other laws and by laws,
international treaties of Ukraine, the consent to the statutory requirement for
which was provided
by the Verkhovna Rada of Ukraine.
Article 4. Subjects of relations related to
personal data
1.
Subjects of relations related to personal data are:
Authorised
Human Rights Representative of the Verkhovna Rada of Ukraine (hereinafter
referred to as the Authorised Representative).
{Paragraph 6, Part 1 of Article 4 as amended by Law No. 383-VII of
03 July 2013}
{Paragraph 7, Part 1 of Article 4 has been
deleted by Law No. 5491-VI of
20 November 2012}
2.
Enterprises, institutions and organisations of all forms of ownership, state or
local authorities, individuals who process personal
data in accordance with the
law can be personal data owners or managers.
3.
Manager of personal data, the owner of which is a state or local authority, in
addition to these authorities, can only be an
enterprise of state or municipal
ownership that belongs to the sphere of this authority management.
{Part 3 of Article 4 as amended by Law No. 5491-VI of
20 November 2012}
4.
Personal data manager can entrust the personal data processing to the personal
data manager in accordance with a written agreement.
{Article 6 has been supplemented with Part 4 under
Law No. 5491-VI of
20 November 2012}
5.
Personal data manager may process personal data only for the purposes and to
the extent specified in the agreement.
{Article 4 has been supplemented with Part 5
under Law No. 5491-VI of
20 November 2012}
1.
Personal data is the protection object.
2.
Personal data can be classified as confidential information about a person by
law or by relevant person. Personal data relating
to a person authorised to
perform the state or local authorities functions, or official powers, is not
confidential information.
{Part 2 of Article 5 as amended by Law No. 524-IX of 04
March 2020}
3.
The personal data specified in the declaration of the person authorised to
perform the state or local authorities functions,
drawn up in the form
determined in accordance with the Law of Ukraine
“On Prevention of Corruption”, does not refer to the restricted information,
except for information determined by the Law of
Ukraine “On Prevention of
Corruption”.
{Paragraph 1, Part 3 of Article 5 as revised by
Law No. 524-IX of 04
March 2020}
Information
on the receipt of budget funds, state or municipal property in any form by an
individual is not restricted information,
except in cases provided for in Article 6 of the
Law of Ukraine “On Access to Public Information”.
The
Law may prohibit the classification of other information, which is personal
data, as restricted information.
{Article 5 as amended by Law No. 5491-VI of
20 November 2012; as revised by Law No. 1170-VII of
27 March 2014}
Article 6. General requirements for personal
data processing
1.
Purpose of personal data processing shall be stated in laws, other regulatory
legal acts, regulations, constituent or other documents
regulating the
activities of the personal data owner, and comply with the legislation on
personal data protection.
Personal
data shall be processed openly and transparently using means and way that meet
the specific purposes of such processing.
{Part one of Article 6 has been supplemented by
a new paragraph under Law No. 5491-VI of
20 November 2012}
In
the event that a specific purpose of personal data processing is changed to a
new purpose that is incompatible with the previous
one, for further data
processing, the personal data owner is liable obtain the personal data
subject's consent to process his data
in accordance with the changed purpose,
unless otherwise provided for by law.
{Paragraph 3, Part 1 of Article 6 as amended
under Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
2.
Personal data shall be accurate, reliable and updated as required, determined
by the purpose of their processing.
{Part 2 of Article 6 as revised by the Law No. 5491-VI of
20 November 2012}
3.
Personal data composition and content shall be appropriate, adequate and
non-excessive with respect to the specific purpose of
their processing.
{Paragraph 1, Part 3 of Article 6 as amended by
Law No. 5491-VI of
20 November 2012}
{Paragraph 2, Part 3 of Article 6 has been
deleted by Law No. 5491-VI of
20 November 2012}
4.
Primary sources of information about an individual are documents issued in
his/her name; documents signed by him/her; information
that the person provides
about himself/herself.
5.
Personal data is processed for specific and legitimate purposes determined by
the personal data subject's consent or in cases
provided for by the laws of
Ukraine, in accordance with a procedure prescribed by law.
6.
Processing of data about an individual is not allowed, if it is confidential
information, without his/her consent, except for
cases determined by law, and
only in the interests of national security, economic welfare and human rights.
{Part 6 of Article 6 as amended by Law No. 1170-VII of
27 March 2014}
7.
If personal data processing is required to protect the vital interests of the
personal data subject, personal data processing
is allowed without his/her
consent until it becomes possible to obtain such consent.
8.
Personal data is processed in a form that allows the identification of the
individual to whom it concerns, not longer than it
is required for the
legitimate purposes for which it was collected or further processed.
Further
personal data processing for historical, statistical or scientific purposes may
be carried out provided that it is adequately
protected.
{Part 8 of Article 6 as revised by Law No. 383-VII of
03 July 2013}
{Part 9 of Article 6 has been deleted under Law
No. 383-VII of
03 July 2013}
10.
Standard procedure for personal data processing is approved by the Authorised
Representative.
{Part 10 of Article 6 as amended by laws No. 4452-VI of
23 February 2012, No. 5491-VI of
20 November 2012; as amended by laws No. 383-VII of
03 July 2013, No. 1262-VII of
13 May 2014}
Article 7. Special requirements for personal
data processing
1.
Processing of personal data on racial or ethnic origin, political, religious or
ideological beliefs, membership in political
parties and trade unions, criminal
conviction, as well as processing of data related to health, sexual life,
biometric or genetic
data is prohibited.
{Part 1 of Article 7 as amended under Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
2.
Provisions of Part 1 of this Article shall not apply if one of the
following applies:
1)
personal data is processed provided that the personal data subject provides
unambiguous consent to such data processing;
2)
personal data processing is required for the exercise of the owner's rights and
obligations in the field of Labour Relations
in accordance with the law with
the provision of appropriate protection;
{Paragraph 2, Part 2 of Article 7 as amended
under Law No. 5491-VI of
20 November 2012}
3)
personal data processing is required to protect the vital interests of the
personal data subject or other person in the event
of incapacity or restriction
of the civil legal capacity of the personal data subject;
{Paragraph 3, Part 2 of Article 7 as amended
under Law No. 5491-VI of
20 November 2012}
4)
personal data is processed with the provision of appropriate protection by a
religious organisation, public persuasion organisation,
political party or
trade union, that are established in accordance with the law, provided that the
processing concerns exclusively
the personal data of members of these
associations or persons who maintain constant contacts with them due to the
nature of their
activities, and personal data is not transferred to a third
party without the personal data subject's consent;
{Paragraph 4, Part 2 of Article 7 as amended
under Law No. 5491-VI of
20 November 2012}
5)
personal data processing is required to justify, satisfy or protect a legal
claim;
6)
personal data processing is required for the purpose of health protection,
establishing a medical diagnosis, for providing care
or treatment or providing
medical services, electronic health system functioning, provided that such data
is processed by a medical
worker or other person of a health care institution
or by an individual who has received a license to carry out economic activities
in medical practice, and its employees who are responsible for ensuring the
protection of personal data and who are subject to
legislation on medical
secrecy, employees of the Central Executive Authority implementing state policy
in the field of state financial
guarantees of medical care for the population,
who are responsible for ensuring the personal data protection;
{Paragraph 6 of Part 2 of Article 7 as amended
by laws No. 5491-VI of
20 November 2012, No. 2168-VIII of
19 October 2017}
7)
personal data processing concerns court sentences, fulfilment of law
enforcement intelligence or counterintelligence operations,
fight against
terrorism and is carried out by a state body within the scope of its powers
defined by law;
{Paragraph 7, Part 2 of Article 7 as amended by
Law No. 245-VII of 16
May 2013; as amended by Law No. 383-VII of
03 July 2013}
8)
personal data processing concerns data that has been explicitly made public by
the personal data subject.
{Paragraph 8, Part 2 of Article 7 as amended
under Law No. 383-VII of
03 July 2013}
Article 8. Rights of the personal data subject
1.
Personal non-property rights to personal data, which are granted to each
individual, are inalienable and inviolable.
2.
Personal data subject has the right to:
1)
know about the sources of collection, location of his personal data, purpose of
their processing, location or place of residence
(stay) of the personal data
owner or manager, or give an appropriate order to receive this information to
persons authorised by
him, except in cases established by law;
{Paragraph 1, Part 2 of Article 8 as amended
under Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
2)
receive information about the conditions for granting access to personal data,
in particular information about third parties
to whom his personal data is
transferred;
{Paragraph 2, Part 2 of Article 8 as amended
under Law No. 5491-VI of
20 November 2012}
3)
access to his personal data;
{Paragraph 3, Part 2 of Article 8 as amended
under Law No. 5491-VI of
20 November 2012}
4)
not later than thirty calendar days from the date of request receipt, except in
cases provided for by law, receive a response
on whether his personal data is
being processed, as well as receive the content of such personal data;
{Paragraph 4, Part 2 of Article 8 as amended by
Law No. 383-VII of
03 July 2013}
5)
submit a reasoned request to the personal data owner with an objection to the
processing of his personal data;
{Paragraph 5, Part 2 of Article 8 as revised by
the Law No. 5496-VI of
20 November 2012}
6)
submit a reasoned request for modification or destruction of his personal data
by any personal data owner and manager, if this
data is processed illegally or
is unreliable;
{Paragraph 6, Part 2 of Article 8 as amended
under Law No. 5491-VI of
20 November 2012}
7)
protect his personal data from illegal processing and accidental loss,
destruction, damage due to deliberate concealment, failure
to provide data or its
untimely provision, as well as protect against providing information that is
unreliable or discredits the
individual's honour, dignity and business
reputation;
8)
submit complaints about the his personal data processing to the Authorised
Representative or to the court;
{Paragraph 8, Part 2 of Article 8 as amended by
Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
9)
apply legal remedies in case of violation of the law on personal data
protection;
10)
make reservations regarding the restriction of the right to process his
personal data when providing consent;
{Part 2 of Article 8 has been supplemented with
Paragraph 10 under Law No. 5491-VI of
20 November 2012}
11)
withdraw consent to the personal data processing;
{Part 2 of Article 8 has been supplemented with
Paragraph 11 under the Law No. 5491-VI of
20 November 2012}
12)
know the mechanism of automatic personal data processing;
{Part 2 of Article 8 has been supplemented with
Paragraph 12 under the Law No. 5491-VI of
20 November 2012}
13)
be protected from an automated solution that has legal consequences for him.
{Part 2 of Article 8 has been supplemented with
Paragraph 13 under the Law No. 5491-VI of
20 November 2012}
{Part 3 of Article 8 has been deleted under Law
No. 383-VII of
03 July 2013}
Article 9. Notification of personal data
processing
1.
Personal data owner shall notify the Authorised Representative about the
personal data processing, which poses a particular risk
to the rights and
freedoms of personal data subjects, within thirty working days from the date of
such processing.
Types
of processing personal data that pose a particular risk to the rights and
freedoms of personal data subjects and to the categories
of subjects to which
the notification requirement applies shall be determined by the Authorised
Representative.
2.
Notification on the personal data processing shall be submitted in the form and
in accordance with the procedure specified by
the Authorised Representative.
3.
Personal data owner is obliged to notify the Authorised Representative of any
change in the information to be notified within
ten working days from the date
of such a change.
4.
Information to be notified in accordance with this Article shall be published
on the official website of the Authorised Representative
in accordance with the
procedure established by the Authorised Representative.
{Article 9 as amended by Law No. 5491-VI of
20 November 2012; as revised by Law No. 383-VII of
03 July 2013}
Article 10. Use of personal data
1.
Use of personal data provides for any actions of the owner to process this
data, actions to protect it, as well as actions to
grant partial or full right
to process personal data to other subjects of relations associated with
personal data, performed with
the consent of the personal data subject or in
accordance with law.
{Part 1 of Article 10 as amended by Law No. 5491-VI of
20 November 2012}
2.
Use of personal data by the owner is carried out in the event he creates
conditions for the protection of this data. The owner
shall not disclose the
information regarding personal data subjects, the access to personal data of
which is provided for to other
subjects of relations associated with such data.
{Part 2 of Article 10 as amended by Law No. 5491-VI of
20 November 2012}
3.
Use of personal data by employees of the subjects of relations associated with
personal data should be carried out only in accordance
with their professional
or official or work duties. These employees are obliged not to allow the
disclosure of personal data that
was entrusted or that became known to them in
connection with the performance of professional or official or work duties in
any
way, except as otherwise provided for by law. Such an obligation is valid
after the termination of their activities related to personal
data, except as
otherwise provided for by law.
{Part 3 of Article 10 as amended by Law No. 1170-VII of
27 March 2014}
4.
Information about the personal life of an individual shall not be used as a
factor confirming or refuting his business qualities.
Article 11. Grounds for the processing of
personal data
1.
Grounds for the personal data processing are:
1)
personal data subject's consent to the processing of his personal data;
2)
permission to process personal data granted to the personal data owner in
accordance with the law solely for the exercise of
his powers;
3)
conclusion and execution of a transaction to which the personal data subject is
a party or which is concluded in favour of the
personal data subject or for the
implementation of measures preceding the transaction conclusion at the request
of the personal
data subject;
4)
protection of the personal data subject's vital interests;
5)
requirement to fulfil the personal data owner's obligation, which is provided
for by law;
{Part one of Article 11 has been supplemented by a new paragraph under
the Law No. 383-VII of
03 July 2013}
6)
requirement to protect the legitimate interests of the personal data owner or a
third party to whom the personal data is transferred,
except in cases where the
requirement to protect the fundamental rights and freedoms of the personal data
subject in connection
with his data processing is dominated by such interests.
{Paragraph 6, Part 1 of Article 11 as amended by Law No. 383-VII of
03 July 2013}
{Article 11 as revised by Law No. 5491-VI of
20 November 2012}
Article 12. Personal data collection
1.
Personal data collection is a component of the process of their processing,
which provides for actions to select or organise
information about an
individual.
{Part 1 of Article 12 as amended by Law No. 5491-VI of
20 November 2012}
2.
Personal data subject shall be informed about the personal data owner,
composition and content of the collected personal data,
his rights defined by
this Law, purpose of collecting personal data and the persons to whom his
personal data is transferred:
at
the time of personal data collection, if personal data is collected from the
personal data subject;
in
other cases within thirty working days from the date of personal data
collection.
{Part 2 of Article 12 as revised by Laws No. 5491-VI of
20 November 2012, No. 383-VII of
03 July 2013}
{Part 3 of Article 12 has been deleted under
Law No. 5491-VI of
20 November 2012}
{Part 4, Article 12 has been deleted under Law No. 5491-VI of
20 November 2012}
Article 13. Personal data accumulation and
storage
1.
Personal data accumulation provides for actions to combine and systematise
information about an individual or group of individuals
or enter this data into
the personal data base.
2.
Personal data storage provides for actions to ensure its integrity and
appropriate access to it.
Article 14. Personal data dissemination
1.
Personal data dissemination provides for actions for the transfer of
information about an individual with the personal data subject's
consent.
{Part 1 of Article 14 as amended by Law No. 5491-VI of
20 November 2012}
2.
Personal data dissemination without the consent of personal data subject or his
authorised person is allowed in cases specified
by law and only (if required)
in the interests of national security, economic welfare and human rights.
{Part 2 of Article 14 as amended by Law No. 5491-VI of
20 November 2012}
3.
Fulfilment of the established regime requirements for the protection of
personal data is ensured by the party disseminating this
data.
4.
The party to which the personal data is transferred shall first take measures
to ensure the requirements of this Law.
Article 15. Personal data deletion or
destruction
{Article title 15 as revised by Law No. 5491-VI of
20 November 2012}
1.
Personal data shall be deleted or destroyed in accordance with the procedure
established by law.
{Part 1 of Article 15 as amended by Law No. 5491-VI of
20 November 2012}
2.
Personal data shall be deleted or destroyed in the case of:
{Paragraph 1, Part 2 of Article 15 as amended
by Law No. 383-VII of
03 July 2013}
1)
expiration of the data storage period determined by the personal data subject's
consent to the processing of this data or by
law;
2)
termination of the legal relationship between the personal data subject and
owner or manager, unless otherwise provided for by
law;
3)
issuance of an appropriate order of the Authorised Representative or designated
by him officials of the Authorised Representative
Secretariat;
{Subparagraph 3, Part 2 of Article 15 as
amended by Law No. 383-VII of
03 July 2013}
4)
entry into force of a court decision on personal data removal or destruction.
{Part 2 of Article 15 has been supplemented by
a subparagraph under the Law No. 383-VII of
03 July 2013}
3.
Personal data collected in violation of the requirements of this Law shall be
subject to deletion or destruction in accordance
with a procedure prescribed by
law.
{Part 3 of Article 15 as amended by Law No. 383-VII of
03 July 2013}
4.
Personal data collected during the performance of tasks of law enforcement
intelligence or counterintelligence operations, fight
against terrorism shall
be deleted or destroyed in accordance with the Law requirements.
{Part 4 of Article 15 as amended by Law No. 383-VII of
03 July 2013}
{Text of Article 15 as amended by Law No. 5491-VI of
20 November 2012}
Article 16. Personal data access procedure
1.
Personal data access procedure for third parties is determined by the
conditions of personal data subject's consent to the processing
of such data,
provided to the personal data owner, or in accordance with Law requirements.
Procedure for access of third parties
to personal data held by the public
information manager is determined by the Law of Ukraine
“On Access to Public Information”, except for data received from other bodies
by the central executive body that ensures the
formation and implementation of
state financial and budgetary policy, during verification and monitoring of
state payments.
{Part 1 of Article 16 as amended under Laws No. 1170-VII of
27 March 2014, No. 1774-VIII of
06 December 2016; as revised by Law No. 324-IX of 03
December 2019}
2.
Access to personal data shall not be granted to a third party if the said
person refuses to undertake obligations to ensure compliance
with the
requirements of this Law or is unable to provide them.
3.
Subject of relations associated with personal data shall submit a request for
access (hereinafter referred to as the request)
to personal data to the
personal data owner.
4.
The request shall indicate:
1)
full name, place of residence (stay) and details of the document certifying the
individual submitting the request (for an individual
applicant);
2)
name, location of the legal entity submitting a request, assignment, full name
of the person certifying the request; confirmation
that the request content
corresponds to the legal entity powers (for a legal entity applicant);
3)
full name, as well as other information allowing to identify the individual in
respect of whom the request is made;
4)
information on the personal data base in respect of which the request is
submitted, or information on the personal data owner
or manager;
{Paragraph 4, Part 4 of Article 16 as amended
under Law No. 5491-VI of
20 November 2012}
5)
list of personal data requested;
6)
purpose and/or legal grounds for the request.
{Paragraph 6, Part 4 of Article 16 as amended
under Law No. 5491-VI of
20 November 2012}
5.
Term for reviewing a request for its satisfaction may not exceed ten working
days from the date of its receipt.
During
this period, the personal data owner shall notify the person making the
request, that the request will be satisfied or the
corresponding personal data
will not be provided, indicating the grounds specified in the relevant
regulatory legal act.
The
request shall be satisfied within thirty calendar days from the date of its
receipt, unless otherwise provided for by law.
6.
Personal data subject has the right to receive any information about himself
from any subject of relations associated with personal
data, given the
provision of information specified in Paragraph 1, Part 4 of
this Article, except as otherwise provided for by law.
{Part 6 of Article 16 as amended by Law No. 5491-VI of
20 November 2012}
Article 17. Postponement or denial of access to
personal data
1.
Postponement of access of the personal data subject to his personal data is not
allowed.
2.
Postponement of access to personal data of third parties is allowed if the
required data cannot be provided within thirty calendar
days from the date of
request receipt. In this case, the total term for resolving the issues raised
in the request may not exceed
forty-five calendar days.
Postponement
shall be notified to the third party who submitted the request in writing, with
an explanation of the procedure for
appealing such a decision.
Postponement
notification shall indicate:
4)
period during which the request is satisfied.
3.
Denial of access to personal data is allowed if access to it is prohibited by
law.
Refusal
notification shall indicate:
1)
full name of the official who refuses access;
Article 18. Appealing a decision on personal
data access postponement or refusal
1.
A decision to postpone or deny access to personal data may be appealed to the
Authorised Human Rights Representative of the Verkhovna
Rada of Ukraine or to
the court.
{Part 1 of Article 18 as revised by Law No. 5491-VI of
20 November 2012; as amended by Law No. 383-VII of
03 July 2013}
2.
If the request is made by the personal data subject regarding data about
himself, the obligation to prove in court the legality
of the access denial
rests with the personal data owner to whom the request was submitted.
{Part 2 of Article 18 as amended by Law No. 5491-VI of
20 November 2012}
Article 19. Payment for personal data access
1.
Access of the personal data subject to data about himself is free of charge.
2.
Access of other subjects of relations associated with personal data to the
personal data of a particular individual or group
of individuals may be paid if
the conditions specified by this Law are met. Payment shall be made for
work-related to personal
data processing, as well as for work on consulting and
organising access to the relevant data.
3.
The amount of payment for services for providing access to personal data by
state authorities is determined by the Cabinet of
Ministers of Ukraine.
4.
State and local authorities have the right to unimpeded and free access to
personal data in accordance with their powers.
Article 20. Amendments and additions to
personal data
1.
Personal data owners or managers are obliged to make amendments to personal
data on the reasoned written request from the personal
data subject.
{Part 1 of Article 20 as amended by Law No. 383-VII of
03 July 2013}
2.
Personal data owners or managers are obliged to make amendments to personal
data also upon the request of other subjects of relations
associated with
personal data, if the consent of the personal data subject is obtained or the
corresponding amendment is made according
to the order of the Authorised
Representative or Authorised Representative Secretariat officials designated by
him or by court
decision that entered into legal force.
{Part 2 of Article 20 as revised by Law No. 383-VII of
03 July 2013}
3.
Amendments to personal data that do not correspond to reality are made without
delay from the moment the discrepancy is established.
Article 21. Notification of actions with personal
data
1.
Personal data owner shall notify the personal data subject of the personal data
transfer to a third party within ten working
days, if required by the
conditions of his consent or otherwise not provided for by law.
2.
Notifications specified in Part 1 of this Article shall not be made in the case
of:
1)
personal data transfer upon requests when performing the tasks of law
enforcement intelligence or counterintelligence operations,
fight against
terrorism
2)
exercise by state and local authorities of their powers provided for by law;
3)
personal data processing for historical, statistical or scientific purposes;
4)
notification of the personal data subject in accordance with the requirements
of Part 2 of Article 12 of this Law.
{Part 2 of Article 21 has been supplemented
with Paragraph 4 under the Law No. 5491-VI of
20 November 2012}
3.
Personal data owner shall notify the personal data subject, as well as the
subjects of relations associated with personal data
to whom the personal data
have been transferred of the amendment, deletion or destruction of personal
data or restriction of access
to it within ten working days .
{Part 3 of Article 21 as amended by Law No. 383-VII of
03 July 2013}
Article 22. Monitoring compliance with Law On
Personal Data Protection
1.
Control over compliance with Law On Personal Data Protection within the powers
provided for by law is carried out by the following
bodies:
{Article 22 as amended by Law No. 5491-VI of
20 November 2012; text of Article 22 as revised
by Law No. 383-VII of 03 July 2013}
Article 23. Powers of the Authorised Human
Rights Representative of the Verkhovna Rada of Ukraine in the field of personal
data
protection
1.
Authorised Representative has the following powers in the field of personal
data protection:
1)
receive proposals, complaints and other appeals of individuals and legal
entities on the personal data protection and make decisions
based on the
results of its consideration;
2)
carry out, on the basis of requests or on his own initiative, on-site and
restricted to travel abroad, scheduled, unscheduled
inspections of the personal
data owners or managers in accordance with a procedure determined by the
Authorised Representative,
with ensuring access to the premises where the
personal data is processed in accordance with the law;
3)
receive upon his request and have access to any information (documents) of the
owners or managers of personal data that are required
to exercise control over
the personal data protection, including access to personal data, relevant
databases or card files, restricted
information;
4)
approve regulations in the field of personal data protection in the cases
provided by this Law;
5)
based on the results of the appeal verification, consideration, issue binding
requirements (instructions) on the prevention or
elimination of violations of
Law On Personal Data Protection, including amendment, deletion or destruction
of personal data, providing
access to it, providing or prohibiting its
provision to a third person, suspension or termination of personal data
protection;
6)
give recommendations on the practical application of the Law On Personal Data
Protection, clarify the rights and obligations
of the relevant persons at the
request of personal data subjects, personal data owners or managers, structural
units or persons
in charge of organising work on the personal data protection,
other persons;
7)
interact with structural subdivisions or responsible persons who, in accordance
with this Law, organise work related to the personal
data protection during
processing; publish information about such structural subdivisions and
responsible persons;
8)
apply with proposals to the Verkhovna Rada of Ukraine, the President of
Ukraine, the Cabinet of Ministers of Ukraine, other state
and local
authorities, their officials on the adoption or amendment of regulations on the
personal data protection;
9)
provide, upon request of professional, self-governing and other public
associations or legal entities, opinions on draft codes
of conduct in the field
of personal data protection and amendments to it;
10)
draw up protocols on bringing to administrative responsibility and send them to
the court in cases stipulated by law;
11)
inform about the Law On Personal Data Protection, problems of its practical
application, rights and obligations of the subjects
of relations associated
with the personal data;
12)
monitor new practices, trends and technologies of personal data protection;
13)
organise and ensure interaction with foreign subjects of relations associated
with personal data, including in connection with
the implementation of the Convention for
the Protection of Individuals with Regard to Automatic Processing of Personal
Data and the Additional Protocol to it, other international treaties of
Ukraine in the field of personal data protection;
14)
participate in the work of international organisations on personal data
protection.
2.
Authorised Human Rights Representative of the Verkhovna Rada of Ukraine shall
include in his annual report on the state of observance
and protection of human
and civil rights and freedoms in Ukraine a report on the state of observance of
legislation in the field
of personal data protection.
{Article 23 as amended by Law No. 5491-VI of
20 November 2012; as revised by Law No. 383-VII of
03 July 2013}
Article 24. Providing personal data protection
1.
Personal data owners, managers and third parties are obliged to ensure this
data protection from accidental loss or destruction,
from illegal processing,
including illegal destruction or access to personal data.
2.
Structural unit or individual in charge organising work related to the personal
data protection during processing, shall be established
(determined) in state
and local authorities, as well as in personal data owners or managers that
process personal data subject
to notification in accordance with this Law.
Information
on the specified structural union or individual in charge shall be reported to
the Authorised Human Rights Representative
of the Verkhovna Rada of Ukraine,
who shall ensure its publication.
3.
Structural unit or individual in charge of organisation of work related to the
personal data protection during processing shall:
1)
inform and advise the personal data owner or manager on compliance with the Law
On Personal Data Protection;
2)
interact with the Authorised Human Rights Representative of the Verkhovna Rada
of Ukraine and officials of the Secretariat designated
by him on issues of
prevention and elimination of violations of the Law On Personal Data
Protection.
4.
Individual entrepreneurs, including licensed doctors, lawyers, notaries
personally ensure the protection of personal data that
they possess, in
accordance with the Law requirements.
{Article 24 as amended by Law No. 5491-VI of
20 November 2012; as revised by Law No. 383-VII of
03 July 2013}
Article 25. Restraints on the validity of this
Law
1.
Restraint of Articles 6, 7 and 8 of this Law may be exercised in cases provided
by law, to the extent required in a democratic
society in the interests of
national security, economic welfare or protection of the rights and freedoms of
personal data subjects
or other persons.
2.
Processing of personal data is permitted without applying the provisions of
this Law, if such processing is carried out:
1)
by an individual solely for personal or domestic needs;
2)
solely for journalistic and creative purposes, given a balance is ensured
between the right to respect for private life and the
right to freedom of
expression.
3.
This Law shall not be applied to relations concerning the receipt of archival
information of repressive bodies.
{Article 25 has been supplemented with a Part 3
under Law No. 316-VIII of
09 April 2015}
{Article 25 as revised by Law No. 383-VII of
03 July 2013}
Article 26. Provision of finance for personal
data protection works
Provision
of finance for works and measures to ensure the personal data protection is
carried out at the expense of the State Budget
of Ukraine and local budgets,
funds of the subjects of relations associated with personal data.
Article 27. Application of this Law provisions
1.
Provisions on personal data protection set forth in this Law may be
supplemented or clarified by other laws, given that they
establish requirements
for the personal data protection that do not contradict the requirements of
this Law.
2.
Professional, self-governing and other public associations or legal entities
may develop codes of conduct to ensure effective
protection of the rights of
personal data subjects, compliance with law On Personal Data Protection, taking
into account the specifics
of personal data processing in various fields. When
developing such a code of conduct or making amendments to it, the relevant
association or legal entity may seek the opinion of the Authorised
Representative.
{Part 2 of Article 27 as amended under Law No. 5491-VI of
20 November 2012; as revised by Law No. 383-VII of
03 July 2013}
Article 28. Liability for violation of the Law
On Personal Data Protection
Violation
of the Law On Personal Data Protection entails liability established by law.
Article 29. International cooperation and
personal data transfer
{Article title 29 as revised by Law No. 5491-VI of
20 November 2012}
1.
Cooperation with foreign subjects of relations associated with personal data
shall be regulated by the Constitution of Ukraine, this Law, other regulatory legal acts
and international treaties of Ukraine.
2.
If an international treaty of Ukraine ratified by the Verkhovna Rada of Ukraine
establishes other regulations than those stipulated
by the law of Ukraine, the
regulations of the international treaty shall be applied.
3.
Transfer of personal data to foreign subjects of relations associated with
personal data is carried out only given that the relevant
state ensures
adequate personal data protection in cases established by law or an
international treaty of Ukraine.
Member
states of the European Economic Area, as well as states that have signed the
Council of Europe Convention for the Protection
of Individuals with Regard to
Automatic Processing of Personal Data, are recognised to ensure an adequate
level of personal data
protection.
The
Cabinet of Ministers of Ukraine determines the list of states that ensure
proper personal data protection.
Personal
data may not be disseminated for any purpose other than that for which it was
collected.
{Part 3 of Article 29 as revised by the Law No. 5491-VI of
20 November 2012}
4.
Personal data may be transferred to foreign subjects of relations associated
with personal data, also in the case of:
1)
granting by the personal data subject an unambiguous consent to such transfer;
2)
requirement to conclude or execute a transaction between the personal data
owner and a third party that is the personal data
subject in favour of the
personal data subject;
3)
requirement to protect the vital interests of personal data subjects;
4)
requirement to protect the public interest, establish, implement and ensure the
legal requirement;
5)
provision by the personal data owner of appropriate guarantees of
non-interference in the personal and family life of the personal
data subject.
{Article 29 has been supplemented with Part 4
under Law No. 5491-VI of
20 November 2012}
1.
This Law shall enter into force on 1 January 2011.
2.
Within six months from the day of enactment of this Law, the Cabinet of
Ministers of Ukraine shall:
ensure
adoption of regulatory acts stipulated by this Law;
provide
bringing of own regulations in accordance with this Law;
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/other/NDPrivLegis/2022/7.html
