On Law of Ukraine “On the Protection of Personal Information”
Salans LLC, Kyiv, Ukraine, Wednesday, December 21, 2011
As of 1 January 2012, sanctions (both administrative and criminal) will now apply for violations of the Law of Ukraine “On the Protection of Personal Information” (the “Data Protection Law”) which came into effect on 1 January 2011 but was not fully implemented until this fall. The Data Protection Law requires that all individual entrepreneurs and legal entities obtain the consent of individuals to collect and process their personal information, with a few exceptions, and to register the respective databases containing such personal information with the State Service on the Protection of Personal Information. Personal information is broadly defined in the Data Protection Law to mean “data or an array of data on an individual who is identified or may be uniquely identified”.
Under Ukrainian law, only individuals (acting as individuals, individual entrepreneurs or officers) may be held criminally and administratively liable. Hence, companies per se would not be held liable for violations of the Data Protection Law.
As of the New Year, the Code of Ukraine on Administrative Violations (Articles 188-39 and 188-40) introduces fines for non-compliance with the requirements of the Personal Data Law.
In particular, fines for the failure to notify or timely notify an individual of his/her rights in connection with the inclusion of his/her personal information into a personal database as well as the purpose for which such data is collected and persons to whom such data may be transferred would range from UAH 3,400 to UAH 5,100 (approx. USD 425 to USD 638) for individuals and from UAH 5,100 to UAH 6,800 (approx. USD 638 to USD 850) for officers and individual entrepreneurs. Fines for the failure to notify or timely notify the Personal Data Protection Service of changes in personal information that was already filed (e.g., name of database, its location, owner or holder) would range from UAH 1,700 to UAH 3,400 (approx. USD 213 to USD 425) for individuals and from UAH 3,400 to UAH 6,800 (approx. USD 425 to USD 850) for officers and individual entrepreneurs.
Repeat violations within a year are punishable by fines ranging from UAH 5,100 to UAH 8,500 (approx. USD 637 to USD 1,062) for individuals and from UAH 6,800 to UAH 11,900 (approx. USD 850 to USD 1,488) for officers and individual entrepreneurs.
Fines for the failure to register a personal information database would range from UAH 5,100 to UAH 8,500 (approx. USD 637 to USD 1,062) for individuals and from UAH 8,500 to UAH 17,000 (approx. USD 1,062 to USD 2,125) for officers and individual entrepreneurs.
Failure to comply with demands of the Personal Data Protection Service to cure respective violations is punishable by fines ranging from UAH 1,700 to UAH 3,400 (approx. USD 213 to USD 425) for officers and individual entrepreneurs.
Fines for a data leak [from the personal data database] caused by noncompliance with applicable security requirements range from UAH 5,100 to UAH 17,000 (approx. USD 637 to USD 2,125).
The Criminal Code of Ukraine (Article 182) would also introduce criminal responsibility for unlawful collection, storing, use, destruction, and dissemination of confidential information (and confidential information includes information about a natural person), or making unlawful changes in such information save for cases specified in other articles of the Criminal Code.
In particular, such actions are punishable by fines ranging from UAH 8,500 to UAH 17,000 (approx. USD 1,062 to USD 2,125) or corrective labour for a term of up to two years, or an arrest for a term of up to six months or restriction of liberty for a term of up to three years. Repeated violations (provided that substantial damage was caused) are punishable by an arrest for a term from three to six months or restriction of liberty for a term from three to five years or an imprisonment of the same term.
Unfortunately, the registration of a personal data base suggests that a government entity in due course could potentially seek access to such data base.
We would be happy to assist in such registration and to advise how best to organise the data base to avoid extensive potential disclosure of proprietary information.