Concerning introduction of liability for breach of personal data protection legislation
We would like to inform you that on June 2, 2011 the President of Ukraine signed a law introducing administrative and criminal liability for breach of the Law “On personal data protection”.
The Law “On personal data protection” (hereinafter – “the Law”) has been in effect since January 1, 2011. It provides that personal data of individuals may be processed (i.e. collected, stored, used etc.) only on the basis of the written consent of such individuals. At the same time, the definition of the term “personal data” given in the Law is quite general and, in fact, may include any information about individuals.
The Law also provides for mandatory registration of personal data databases in the State register of personal data databases, which is expected to be set up soon.
We would like to draw your attention to the fact that this issue is especially urgent for structural departments that work with personal data: the sales department, human resources department, accounting department etc.
The sanctions for breach of the Law will become effective from January 1, 2012. A number of violations, such as failure to notify or untimely notification of an individual about his/her rights when personal data is included in a personal data database, evasion of registration of databases etc., may entail administrative liability in the form of fines in the amount of UAH 1700 – 17000.
At the same time, criminal liability is envisaged for unlawful processing of personal data (i.e. without the written consent of an individual), which may result in up to 3 years of limitation of freedom and, in case of repeated violation or if it caused significant damage to the rights and interests of an individual, in deprivation of freedom for up to 5 years. Please also note that, for sanctions to be imposed, it is sufficient to ascertain the fact of unlawful processing of personal data, i.e. the law does not require ascertaining that damage was caused etc.
The State Service of Ukraine on Personal Data Protection was established by decree of the President dated April 6, 2011 to supervise compliance with the Law and to perform the other functions provided for. This Service has quite broad powers and, generally speaking, is another control authority that has the power to perform audits and impose sanctions.
Considering the above, in order to ensure compliance with the requirements of the Law and to protect your business from claims by the aforementioned Service, we recommend that you take the following actions:
- to prepare a draft of the written consent of an individual to the processing of his/her personal data.
- to adopt a number of internal documents: an order of the CEO, a standard operating procedure regarding processing of personal data etc.
- to appoint a responsible person who will supervise compliance with the requirements of legislation during the processing of personal data, as required by the Law.
- to draft and conclude agreements or appendices to agreements with third parties to whom personal data is transferred or may be transferred for further processing.
We believe that the above information will be useful for you. Please do not hesitate to contact us if you need assistance on the matter.
The above commentary is a general statement for information purposes only and as such may not be relied on in specific cases without professional advice.
Newsletter available in Ukrainian and English.