Ukrainian legislation requires that databases controlled by Ukraine-based entities (residents and non-residents) be registered with the Ukrainian authorities by 1 January 2012. Below please find a brief description of the requirements pursuant to the Ukrainian Law "On Protection of Personal Data" (PDP Law) and procedures that must be followed.
Registration of Personal Data
According to the PDP Law, Ukraine-based legal entities must register with the State Service of Ukraine on Personal Data Protection (Data Protection Service) all databases with personal data that they control. Personal data is defined as "any information about an identified or identifiable individual or a summary of such information." This includes, but is not limited to, any databases containing personal data of employees, customers and service providers.
Any existing databases must be registered by 1 January 2012. If any new databases are created after 1 January 2012, they may be registered at any time according to registration procedure.
To register a database, a company must file an application (pursuant to the form established by law) with the Data Protection Service. The application must include information about the database controller, the name and location of the database, the purpose for processing personal data, the processor(s) of the database (if any) and confirmation that all personal data protection measures provided by law are being followed.
You can find the application form (in Ukrainian) on the official Data Protection Service website.
No other documents (such as lists of individuals, copies of data protection consent forms, descriptions of the data in the database, etc.) are required.
Registration is free of charge, and applications may be filed on the Data Protection Service website (with electronic signature) or sent by mail. If all registration documents are in order, a certificate of registration should be issued within 10 working days.
Pursuant to the PDP Law, a controller of a database must provide adequate protection for the personal data it receives. Personal data may be received from individuals only with their prior written consent.
Starting from 1 January 2012, the database controller is subject to both criminal and administrative liability. For example, a company may be fined in the amount of UAH 8,500 to UAH 17,000 for not registering its database.
For more information on the PDP Law or guidance on other data privacy issues in Ukraine, please contact one of the lawyers listed in this alert.