1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
There are no legislative provisions establishing mandatory requirements to notify the personal data owner (the individual) about a breach of his/her personal data rights. There is no legal requirement to inform the Ukrainian Parliament Commissioner for Human Rights, who performs the functions of a data protection authority ("DPA"). The law only provides for the right of the individual owner of the personal data to inform the DPA about the facts of the personal data breach affecting him/her and to apply for protection of his/her rights. At the same time, the DPA has the right to carry out investigations and inspections. If the facts of a personal data breach are discovered, the infringers may be exposed to the relevant administrative sanctions, followed, where necessary, by enforcement of such sanctions through the court. Moreover, the individual has the right to inform law enforcement authorities (e.g., the police) of the personal data breach affecting the individual or to file lawsuits against the infringers (organisations or persons violating the individual's personal data rights) in order to restore his/her breached rights and seek compensation for damages caused by the infringement.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
A breach of any personal data may serve as the reason for submitting a notification to the DPA. Ukrainian legislation defines personal data as data about an individual who is identified or may be specifically identified. It includes, in particular, data on the person's nationality, education, marital status, religious beliefs and health condition, as well as address, date and place of birth. Neither the data controller nor the data processor is under any obligation to notify. Only the affected individual has the right to notify the DPA. A notification from an individual about a data breach may be sent to the relevant authorities (either the DPA or law enforcement authorities) in written form. It must be based on the facts of the personal data breach.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
The notification must describe the facts of the personal data breach and contain the relevant information about the type of personal data, its owner and the infringer. The DPA does not provide a standard form for filing the notification. Since notification is not mandatory, no submission deadline is established. The notification can be sent to the relevant authorities by the affected individual at any time. However, penalisation of the infringer (as a result of the respective notification) and compensation for damages caused by the breach are possible only within the respective statutes of limitations. The infringer may be subject to administrative sanctions no later than two months after the breach or after the exposure of the breach (in the case of a continuing violation). The respective limitation period for criminal liability is three or five years (depending on the qualification of the violation). Compensation for damages through civil proceedings may be possible with application of the standard three-year statute of limitations. The notification should be sent by regular mail or filed directly with the relevant authority in written form.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Since no obligation to notify is established, penalties and fines are not provided for by the law.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Such notification to an individual may be recommended as a general courtesy; however, only the subsequent notification by the affected individual to the competent authorities has legal effect and consequences.
1.6 What are the applicable (data protection) laws or guidelines within your country?
- Constitution of Ukraine, dated 28 June 1996, as amended;
- Law of Ukraine "On Personal Data Protection" no. 2297-VI dated 1 June 2010, as amended;
- Criminal Code of Ukraine no. 2341-III dated 5 April 2001, as amended;
- Code of Administrative Offences no. 8073-X dated 7 December 1984, as amended;
- Model Procedure for Personal Data Processing adopted by the Order of Ukrainian Parliament Commissioner for Human Rights no. 1/02-14 dated 8 January 2014;
- Procedure for Execution of Control by Ukrainian Parliament Commissioner for Human Rights over Compliance with Personal Data Protection Legislation adopted by the Order of Ukrainian Parliament Commissioner for Human Rights no. 1/02-14 dated 8 January 2014; and
- Procedure for Notifying Ukrainian Parliament Commissioner for Human Rights on the Processing of Sensitive Personal Data, on a Department or an Individual Responsible for Organizing Work related to Personal Data Protection in connection with the Processing, and Publishing of Such Data adopted by the Order of Ukrainian Parliament Commissioner for Human Rights no. 1/02-14, dated 8 January 2014.
1.7 Contact information for the local Data Protection Authority:
Ukrainian Parliament Commissioner for Human Rights
21/8 Instytutska St., 01008 Kyiv City, Ukraine
+38 044 253 75 89; +38 0800 50 17 20
+32 2 274 4835
For more information, contact:
CMS Reich-Rohrwig Hainz
19-B Instytutska St., 5th Floor, 01021 Kyiv, Ukraine
+380 44 5001 710
+380 44 5001 716