Taking the GDPR as a reference for privacy reform is seen as a sensible move. The GDPR is a regulation that most companies operating in Ukraine aim to comply with, and therefore setting mirrored requirements is business-friendly. In addition, the GDPR outperforms current Ukrainian legislation in terms of data subject protection.
When is reform expected?
If adopted, the Privacy Bill, which was submitted on 25 October 2022, will take effect on 1 January 2024. If the Privacy Bill is not passed by summer 2023, the effective date will be postponed. Parliament aims to make the Privacy Bill a proper foundation for recognizing Ukraine as a country with an adequate level of protection under the GDPR, and it has rejected any new insertions that are questionable. The previous iteration of a privacy bill failed to pass Parliament because it intruded severely into the activities of internet service providers.
What are the key features and differences from the GDPR?
While the Privacy Bill mostly follows the GDPR, there are some key differences:
- Certification of Data Protection Officer. If large-scale processing is conducted, the Privacy Bill requires a data protection officer (DPO) to pass a qualification exam prior to appointment. The bill gives no further details about the exam or about the option of substituting it with generally accepted certifications (e.g. CIPP-E).
- EU Guidelines and Case Law. Some recommendations of the EU Working Party/European Data Protection Board and EU case law were directly hardwired into the Privacy Bill, including:
  - Data Processing Impact Re-Assessment. A DPIA must be carried out at least once every three years.
  - CCTV recording retention period. Legitimate video recordings processed on the basis of the legitimate interest of crime prevention and property protection can be kept for up to six months.
- Extraterritoriality. The Privacy Bill does not contain articles defining its material and territorial scope. Like the GDPR, the Privacy Bill obliges foreign legal entities to appoint a representative in Ukraine if they (1) offer services or products to data subjects in Ukraine, (2) monitor the activities of data subjects in Ukraine, or (3) process personal data of Ukrainian citizens. This suggests that the Privacy Bill applies in those cases; however, there is no clear confirmation on this point.
- Personal data of deceased persons. The Privacy Bill states that consent is valid for ten years (twenty years for deceased minors) after the subject’s death, unless otherwise requested by the data subject before death. Post-death processing of personal data (except name, sex, places and dates of birth and death, death certificate) without a legal basis acquired before death requires consent of the subject’s successor.
- Cross-border transfer. Countries operating under the GDPR or Council of Europe Convention No. 108 On Data Protection are recognised as countries which ensure an adequate level of data protection. The list may be extended by a supervisory authority. Transfer to other countries is possible under rules similar to those in the GDPR.
- Data breach notification. The time needed to prepare a notification of breach to the supervisory authority cannot be used as an excuse for missing the notification deadline (72 hours after becoming aware of the breach). If individual data subject notification involves disproportionate effort, a public announcement through electronic media must be used instead.
- Reasonable fee for data subject requests. A controller may charge a fee for administrative costs only in the event of repeated requests regarding the same personal data (this is a narrower approach compared to the GDPR).
The Privacy Bill is not final and is subject to further modification and improvement as it moves through the legislative process.