It has been more than a year now since the personal data protection law took effect in Ukraine. Another related law took effect on July 1, 2012 — that is the law providing for fines for failure to comply with the personal data protection law.
The term “personal data” is understood to mean details of an individual who may be identified correctly. Personal data specifically include such information that enables to identify an individual as his or her passport details, details of registration or actual residence, information about his or her benefits, education, and telephone numbers. A company is considered to have a personal database if it has a card index or an archive that stores details of employees or clients, or summarized personal data in electronic form.
The State Service of Ukraine on Personal Data Protection registers databases on a free-of-charge basis upon an application filed by a company. There are three ways to fill out and file such an application with the State Service of Ukraine on Personal Data Protection— by filling out and filing an application directly with this state agency as a hard copy, by sending an electronic message at its electronic mail address, or by filling out an application form on its web site, if a company has a digital signature.
However, the registration of personal databases may be regarded as an intermediary link in implementing a whole range of measures aimed to ensure personal data protection. Particularly, it involves the need to analyze the data categories that a company uses. For example, these may be personal and financial information about employees; personal, passport, biographical, and family information about consumers; test and other results of job applicants; details of property and history of purchases of clients, and so on. A company should also analyze the purpose of processing of data categories and formalize that purpose, as required by the law, by issuing an internal order or an internal comprehensive local act titled “Policy on Personal Data Processing and Protection”.
The State Service of Ukraine on Personal Data Protection believes that every company has at least two personal databases—a database for personal data of employees and a database for personal data of clients and other entities that it uses in the ordinary course of business.
Many companies regard this law as burdensome as it imposes several additional obligations concerning informational relations. For example, companies are now obligated to register their personal databases and obtain consents from individuals for processing their personal data. At the same time, as practice shows, implementing some of the rules stipulated by the newly-enacted law requires an official explanation from state agencies.
Effective from July 1, 2012, every company using an unregistered personal database may be fined UAH 8,500 to UAH 17,000. After registering its databases, a company should also regularly track any changes in the information that it has filed with the State Service of Ukraine on Personal Data Protection. It is required to file updated information with the State Service of Ukraine on Personal Data Protection within 10 business days in the form of a standard application. The State Service of Ukraine on Personal Data Protection is in charge of overseeing compliance with the personal data protection law by conducting scheduled, unscheduled, field, and desk inspections.
If you want to discuss this article, please contact the author:
Elena Mashkova, Partner of Awara Group