Friday, 18 May 2012
Media Law Institute
 
Law on protection of personal data

15 September 2011


LAW OF UKRAINE

ON PROTECTION OF PERSONAL DATA


Article 1. Scope of Law


This Law shall regulate relations related to the protection of personal data during their processing.


This Law shall not apply to activity of establishment of personal databases and possessing of personal data in databases by:

  • Natural person exclusively with non-professional and ordinary needs;

  • Journalist – with regard to execution of his/her professional duties;

  • Professional creative employee – for purposes of creative activity.


Article 2. Term Definitions


In this Law, the following terms shall have the meaning hereunder assigned to them:

- Personal database shall mean a named aggregate of organized personal data in electronic form and/or in form of personal data card file;

- Owner of personal database (hereinafter referred to as “database owner”) shall mean a natural or legal entity that has obtained a right to processing of such data according to the law or to the consent of the personal data subject, which approves the purpose of the processing of personal data in the database, establishes the content of this data and the procedures for its processing, in case other is prescribed by legislation;

- State Register of Databases is a joint state informational system of accumulation, collection and processing of information concerning the registered personal databases;

- Consent of personal data subject shall mean any documentary, namely written, voluntary declaration of will of a natural person with regard to granting permission to processing of his/her personal data in accordance with formulated purpose of its processing;

- Depersonalization of personal data shall mean withdrawal of information that allows identifying a person;

- Processing of personal data (hereinafter referred to as “processing”) shall mean any action or number of actions performed in the information (automated) system and/or in personal data card files completely or partially, related to collection, registration, accumulation, storage, adaptation, change, update, use and spreading (distribution, realization, transfer), depersonalization, destruction of information about a natural person;

- Personal data shall mean information or aggregate information about a natural person who is identified or may be identified;

- Administrator of personal database (hereinafter referred to as “database administrator”) shall mean a natural person or legal entity which obtained the right to process such data from the database owner or according to the law;

- Subject of personal data shall mean natural person, whose personal data is processed according to legislation;

- Third person shall mean any person, except subject of personal data, owner or administrator of database of personal data and Authorized State Body on Personal Data Protection, to whom owner or administrator of database of personal data transfers this data according to legislation.


Article 3. Legislation on Protection of Personal Data


Legislation on protection of personal data consists of the Constitution of Ukraine, this Law, the laws of Ukraine "On Information", "On Protection of Information in Informational and Telecommunication Systems", other laws and normative and legal acts, international treaties of Ukraine which were approved as binding by the Verkhovna Rada of Ukraine.


Article 4. Subjects of Relations Connected to Personal Data


1. The subjects of relations connected to personal data are the following:

- Personal data subject;

- Owner of personal database;

- Personal database administrator;

- Third person;

- Authorized state body on matters of personal data protection;

- Other state power bodies and local self-government institutions the authorities of which include protection of personal data.

2. State undertakings, public utilities and private companies, bodies of state or local power, private entrepreneurs, who process personal data in accordance with legislation, may be entitled to be owners or administrators of databases of personal data.

3. The administrator of the database which is owned by a state power body or a local self-government body may be a legal entity which acts in the sphere of administration of such body.


Article 5. Objects of Protection


1. The objects of protection are personal data that are being processed in personal databases.

2. Personal data, except depersonalized one, is the data with restricted access.

3. The Law may prohibit assigning personal data to certain categories of citizens or exhaustive list of such categories as information with restricted access.


4. The personal data of a natural person who claims for or holds an elective post or position of a state official of the first category shall not be assigned to information with restricted access, except of information assigned as such pursuant to the law.


Article 6. General Requirements with Regard to Personal Data Processing


1. The purpose of processing of personal data must be clearly formulated in legal and other normative acts, regulations, constitutive or other documents that regulate activity of the owner of the base of personal data, and conform to legislation on personal data protection.

In case the purpose of processing of personal data is changed the subject of this personal data shall give new permission for processing of his personal data.

2. Personal data shall be accurate, authentic, and updated where necessary.

3. The composition and content of personal data shall be appropriate and non-excessive with regard to the purpose of their processing.

The scope of the personal data which may be included into the database shall be determined by the consent of the subject of personal data.

4. Primary sources of information about a natural person shall be the documents issued in this person’s name; documents signed by the person; information which a person provides about himself/herself.

5. Processing of personal data shall be conducted for concrete and legal purposes, determined by the consent of subject of personal data or, in certain cases prescribed by Law.

6. Processing of data about a natural person shall be prohibited without such person’s consent, except for the cases stipulated by the law, and only in the interests of national safety, economic welfare and human rights.

7. Until the moment it is possible to obtain the consent of the subject of personal data, the data may be processed without the consent of its subject in case it is necessary to protect his/her vital interests.

8. Personal data shall be processed in the form that permits identification of a natural person who they concern, within the term no more than it is necessary according to their legal purpose.

9. Usage of personal data with historical, statistical or scientific purposes may be held only in depersonalized manner.

10. Ordinary order of the processing of personal data in databases shall be adopted by the authorized body in this sphere.

The order of processing of personal data which belongs to bank secrecy shall be adopted by National Bank of Ukraine.


Article 7. Particular Requirements with Regard to Processing of Personal Data


1. The processing of personal data shall be prohibited if such data is about racial or ethnic origin, political views, religious or other convictions, membership in political parties and trade unions, as well as data with regard to health or sexual life.

2. Provisions of part one of this Article shall not apply if processing of personal data:

- Is implemented in case the personal data subject gives a well-defined consent to process such data;

- Is necessary for realization of authorities in the sphere of labor relations according to the law;

- Is necessary for protection of the interests of the personal data subject or any other person in case of incapability or limitation of civil capability of the personal data subject;

- Is carried out by religious or civil organization of religious orientation, a political party or trade union, created according to national legislation in case such processing concerns only personal data of members of these associations or persons who are in constant touch with them with regard to the nature of their activity, and that personal data is not transferred to the third party without consent of personal data subjects;

- Is necessary for substantiation, satisfaction or protection of legal claim;

- Is necessary for the purposes of health protection, provision of care or medical treatment on condition that such data is processed by a medical worker or another person of a health care institution which has liabilities with regard to provision of protection of personal data;

- Concerns accusations in crimes, court sentences, implementation of the authorities by a state body, as defined by the law with regard to execution of tasks of operational and search or counterintelligence activity, antiterrorism;

- Concerns the data that were disclosed by the personal data subject.


Article 8. Rights of Personal Data Subject


1. Personal non-property rights to personal data that each natural person has shall be integral and inviolable.

2. The personal data subject shall have the right to:

- Know about the location of personal database which contains his/her personal data, its purpose and name, location and/or place of residence (staying) of the owner or administrator of such database, or to issue a respective proxy to the authorized persons, except for cases established by the law;

- Receive the information concerning the conditions of access to personal data, in particular information about third persons who obtain his/her personal data from the appropriate database;

- Access his/her personal data that are contained in a respective personal database;

- Receive a response with regard to whether his/her personal data is stored in a respective personal database as well as to receive the content of his/her personal data which are stored in such database, no longer than in 30 days period from the moment the request has been received in case other is prescribed by Law;

- Provide a motivated request with objection against processing of his/her personal data by public authority, local authority while performing its functions;

- Provide a motivated request with regard to change or destruction of his/her personal data by any owner and administrator of such database, if such data is processed illegally or are inaccurate;

- Protect his/her personal data from illegal processing and accidental loss, destruction, damage due to a deliberate concealing, failure to provide them or provision of such data with delay, as well as to protection from provision of information which is inaccurate or is disgraceful for the honor, dignity and business reputation of a natural person;

- Address to the state power bodies and local self-government bodies which are competent to perform protection of personal data, with regard to protection of his/her rights to personal data;

- Apply measures of legal protection in case of violation of legislation on protection of personal data.


3. Disposal of personal data of a natural person who has restricted civil capacity or is adjudged incapable shall be performed by such person’s legal representative.


Article 9. Registration of personal databases


  1. The database of personal data shall be registered in obligatory order by entering the appropriate information into the State Register of the Bases of Personal data by Authorized State Body on Personal Data Protection.

The regulation on State Register of the Bases of Personal Data shall be adopted by the Cabinet of Ministers of Ukraine.


  2. Registration of the bases of personal data shall be performed by the principle of filing.

  3. Owner of the base of personal data shall submit the application on registration of its base of personal data to the Authorized State Body on Personal Data Protection.

Application shall contain:

  • Appeal on enlisting of the base of personal data into the State Register of the Bases of Personal Data;

  • Information concerning the owner of the base of personal data;

  • Information concerning the name and location of the base of personal data;

  • Information concerning the purpose of processing of personal data, formulated in accordance with Articles 6 and 7 of this Law;

  • Information concerning other administrators of personal data;

  • Confirmation of the obligation on execution of the requirements on protection of personal data, laid down by the legislation on protection of personal data.

  4. Authorized State Body on Protection of Personal Data, in order established by the Cabinet of Ministers of Ukraine, shall:

    • Inform the applicant about receiving of application no longer than in one day term;

    • Make a decision concerning the registration of the base of personal data within ten days period.

Owner of the database of personal data shall receive the appropriate document confirming registration of the base of personal data at the State Register.

  5. Authorized State Body on Protection of Personal data may refuse the registration of the base of personal data in case the application does not meet the requirements of the point 3 of this Article.


Article 10. Use of Personal Data


1. Use of personal data means any actions of the database owner with regard to processing of such data, their protection and provision of partial or full right to process such personal data by other subjects of relations related to personal data, which are performed according to the consent of a personal data subject or according to the law.


2. The use of personal data by the database owner shall be performed in case he/she fulfils the conditions for protection of such data. The database owner shall not disclose information about the personal data subjects whose personal data is accessed by other subjects of relations related to such data.


3. The use of personal data by the employees of the subjects of relations related to personal data shall be performed only according to their professional or official and labor duties. These employees shall undertake to prevent disclosure of personal data which was entrusted to them or became known to them due to performance of official or labor duties, by any possible way. Such liability shall be valid after termination of their activity related to personal data, except for cases established by the law.


4. The information about a private life of a natural person shall not be used as factor that may confirm or disprove his/her business skills.


Article 11. The Basis for the Creation of the Right to Use Personal Data


1. The basis for the creation of the right to use personal data shall be the following:

- Consent of the personal data subject to processing of his/her personal data. The subject of personal data shall be entitled to include a warning with regard to limitation of processing of his/her personal data to the contract;

- Permission to processing of personal data granted to the personal database owner according to the law, but only for exercise of his/her authorities.

2. Owner of the base of personal data may entitle the administrator to process personal data by concluding appropriate agreement in writing.

3. Administrator of the base of personal data may process it exclusively in accordance with the purpose and extent laid down in agreement.


Article 12. Collection of Personal Data


1. Collection of personal data shall be an element of the process which provides for actions to select or to arrange information about the natural person and its placement in the personal database.

2. Subject of personal data shall, within ten days period from placement of his/her personal data into the register of personal data, be notified in writing about his/her rights under this Law, the persons who and purpose of the collection of personal data.

3. Notification shall not be provided where personal data is collected from commonly accessible sources or for temporary storage in the database for a period no more than three months.


4. The information collected about the natural person as well as the information about its sources shall be provided to the personal data subject upon his/her request, except for cases established by the law.


Article 13. Accumulation and Storage of Personal Data


1. Accumulation of personal data shall provide actions with regard to unification and systematization of information about a natural person or a group of natural persons or placement of this data to the personal database.


2. Storage of personal data shall provide actions with regard to ensuring their integrity and proper mode of access to it.


Article 14. Spreading of Personal Data


  1. Spreading of personal data shall provide actions with regard to transference of information about a natural person from personal databases with the consent of the personal data subject.


  2. Spreading of personal data without the consent of the personal data subject or a person authorized by him/her shall be permitted in cases determined by the law, and only in the interests of national safety, economic welfare and human rights.

  3. Execution of requirements of established protection mode of personal data shall be provided by the party that spreads this data.

  4. The party, to which the personal data is transferred shall previously take measures with regard to execution of the requirements of this Law.

Article 15. Destruction of Personal Data

  1. Personal Data in personal databases shall be destroyed according to the procedure established by legislation.


2. Personal data in personal databases shall be destroyed in following cases:

- termination of period of data storage determined by the consent of the personal data subject for processing of this data or determined by law;

- termination of legal relationships between the personal data subject and the owner or administrator of the database, unless otherwise stipulated by the law;

- enforcement of a court decision with regard to withdrawal of data about a natural person from a personal database.


  3. Personal data collected with violations of requirements of this Law shall be destroyed in the personal databases according to the procedure established by the legislation.

  4. Personal data collected during execution of tasks of operational and search activity or counterintelligence activity, anti-terrorism actions will be destroyed in the personal databases according to the requirements of the law.

Article 16. Mode of Access to Personal Data

  1. Access to personal data of third parties shall be determined by the permission terms between the personal database subject and the owner of personal database as for processing this data or according to the access mode established by the law.


  2. Access to personal data of third parties shall not be granted, if such party refuses to take liabilities with regard to provision or cannot provide execution of requirements of this Law or is unable to provide for execution of such requirements.


  3. The subject of relations related to personal data shall submit an inquiry on access to personal data (hereinafter referred to as “inquiry”) to the owner or administrator of the database.

  4. The inquiry shall contain the following information:

- surname, name and patronymic, place of residence and information from an identifying document of the person who submits inquiry (for natural person-applicant);

- name, place of location of a legal entity that submits an inquiry, position, surname, name and patronymic of the person who certifies the inquiry; confirmation of conformity of the content of inquiry with the authorities of legal entity (for legal entities-applicants);

- surname, name and patronymic as well as other data that enable identification of a natural person about who such inquiry is submitted;

- information about the personal database with regard to which the inquiry is made, or information about the owner or administrator of such database;

- list of personal data that are being required;

- purpose of the inquiry.


  5. The term of consideration of the inquiry with regard to its satisfaction shall not exceed ten days from the day it was received.


Within this term, any owner or administrator of the data base shall inform the person who submits an inquiry that such inquiry shall be satisfied or that the respective personal data is not subject to provision, with notification about the basis specified in a respective normative and legal act.


The inquiry shall be satisfied within one calendar month, unless otherwise stipulated by the law.


  6. The personal data subject shall be entitled to reception of any information about himself/herself from any subject of relations related to personal data without specifying the purpose of the inquiry unless other is prescribed by law.

Article 17. Deferment or Refusal to Grant Access to Personal Data

  1. Deferment or Refusal to Grant Access to Personal Data shall not be allowed.

  2. Deferment in access to personal data of third parties shall be permitted when the necessary data cannot be provided within one month period. In that case the overall period of providing the access to personal data of third parties shall not exceed the forty-five days term.

Notification on deferment shall be presented to the third party who made an inquiry in writing with explanation of the procedure of appeal against such decision.


The notification about deferment of access shall contain the following:

- surname, name and patronymic of the official;

- date of sending;

- reason of deferment;

- the term during which the inquiry shall be satisfied.


Refusal to grant access to personal data shall be allowed, if such access to it is prohibited according to the law.


The notification about refusal shall contain the following:

- surname, name and patronymic of the official;

- date of sending;

- reason of refusal.

Article 18. Appeal against Decision on Deferment or Refusal to Grant Access to Personal Data

  1. The decision on deferment or refusal to grant access to personal data may be appealed against in the authorized state body on protection of personal data, other state power bodies and local self-governing institutions which are competent in performance of protection of personal data, or in court.

  2. If the inquiry is made by the personal data subject, in this case the liability of proving the lawfulness of deferment or refusal to grant access to personal data in court shall be imposed on the owner or the administrator of the base of personal data who received the particular inquiry.

Article 19. Payment for Access to Personal Data

  1. Access of a personal data subject to the data about him/her shall be free of charge.

  2. Access of other subjects of relations, connected with personal data, to personal data of a particular natural person or a group of persons may require payment only in case it requires the conditions prescribed by that Law. The work related to processing of personal data as well as the work with regard to consulting and organization of access to respective data may be paid for.

  3. Amount of payment for services on granting access to personal data by the state power bodies shall be determined by the Cabinet of Ministers of Ukraine.

  4. The state power bodies and local self-government institutions shall be entitled to free access to personal data according to competence delegated to them.

Article 20. Changes and Supplements to Personal Data

  1. The owners or administrators of bases of personal data shall be bound to make changes or supplements to personal data on the basis of reasoned written requirement of the subject of personal data.

  2. Changes of personal data shall also be permitted upon request of other subjects of relations related to personal data, if the personal data subject gave his/her consent to this or if a respective change is made according to the court decision which entered into legal force.

  3. Changes of personal data in case it is incorrect shall be performed immediately after such incorrectness was noticed.

Article 21. Notification about Actions with Personal Data

  1. The owner of personal database shall inform the personal data subject about transfer of personal data to the third party within 10 days period, if it is required by the conditions of his consent or unless otherwise established by the law.

  2. The above-mentioned notifications shall not be performed in the following cases:

    • of transfer of personal data upon requests during execution of tasks of operational and investigative activities or counterintelligence activity, and anti-terrorist actions;

    • performance by state power bodies and the bodies of local self-government of their authorities stipulated by the law;

    • processing of personal data with historical, statistical or scientific purposes.

  3. The owner of personal database shall inform the personal data subject and the subjects of relations related to personal data about the changes or supplements or restriction of access to the data which was transferred to such subjects within ten days period.

Article 22. Control over Observance of Legislation on Protection of Personal Data

1. Control over compliance with legislation in the sphere of protection of personal data shall within their competence be exercised by the following bodies:

- authorized state power body on matters of personal data protection;

- other state bodies and bodies of local self-government.

2. Parliamentary control over the observance of human rights to protection of personal data shall be exercised by the Ombudsman of the Verkhovna Rada of Ukraine on matters of human rights according to the law.

Article 23. Authorized State Body on Personal Data Protection

  1. The authorized state body on Personal Data Protection shall be the central executive power body with special status entrusted with the tasks on personal data protection and shall be established according to the legislation of Ukraine.

The main powers of the Authorized State Body on Personal Data Protection shall be to:

1) ensure the performance of state policy in the sphere of personal data protection;

2) register the bases of personal data;

3) maintain the State Register of the Bases of Personal Data;

4) control the execution of legislation on matters of protection of personal data with provision of access to the premises where processing of personal data is performed according to legislation;

5) issue the requests on illumination of violations of the legislation on data protection. These requests are obligatory for execution;

6) consider propositions, inquiries, appeals, claims and complaints of natural persons and legal entities;

7) organize and provide for interaction with subjects of foreign relations related to personal data issues;

8) participate in the international organizations on matters of personal data protection.

Article 24. Provision for Protection of Personal Data in Personal Databases


  1. The State guarantees protection of personal data.


  2. The subjects of relations related to personal data shall undertake to provide protection of such data from unauthorized processing, as well as from unauthorized access.


  3. Provision of personal data protection in personal databases shall be performed by the owner of such database.


  4. The owner of personal database in electronic form shall provide its protection according to the law.


  5. State power bodies, the bodies of local self-government, institutions and enterprises of all property forms shall appoint a structural department or a responsible person who organizes the work related to protection of personal data during its processing.

Article 25. Limitations on application of particular Articles of the Law


1. Limitations of rights stipulated by Articles 8, 11 and 17 of this Law shall be implemented only in the interests of:

- national safety, economic welfare and human rights;

- protection of rights and freedoms of natural persons whose personal data is being processed, or rights of other subjects of relations related to personal data, as well as with the purpose of anti-criminal activity;

- provision of subjects of relations connected with personal data with the drawn up depersonalized information with regard to personal data according to legislation.

2. Subjects of relations connected to personal data shall exercise their authorities within the frameworks established by the Constitution and the laws of Ukraine.

Article 26. Financing of Works on Personal Data Protection

Financing of works and measures to provide for protection of personal data shall be performed at the expense of the State Budget of Ukraine and local budgets, funds of the subjects of relations related to personal data.

Article 27. Application of Provisions of This Law

1. The provisions with regard to protection of personal data specified in this Law may be supplemented or defined more clearly by special laws provided that they establish requirements with regard to protection of personal data that do not contradict the requirements of this Law.

2. Professional associations can develop corporative codes of behavior with the purpose of providing for the efficiency of protection of rights of personal data subjects, assistance in application of legislation with regard to such matters, taking into account the specifics of processing the data about a natural person in different spheres.

Article 28. Liability for Violation of Legislation on Personal Data Protection

Violation of legislation on personal data protection shall lead to liability established by the law.

Article 29. International Cooperation

1. Cooperation with foreign subjects of relations related to personal data shall be regulated by the Constitution of Ukraine, this Law, other normative and legal acts and international treaties of Ukraine.

2. If the international treaty of Ukraine which was made binding by the Verkhovna Rada of Ukraine establishes other regulations than those stipulated by legislation of Ukraine, the regulations of the international treaty shall apply.

3. Transfer of personal data to foreign subjects of relations related to personal data shall be performed on conditions of providing appropriate protection of personal data and with an appropriate permission in cases established by the law or international treaty of Ukraine and according to the order stipulated by national legislation. Personal data cannot be spread with a purpose other than the purpose for which it was collected.

Article 30. Final Provisions


1. This Law shall enter into force from 1st of January 2011.


2. Normative and legal acts shall be valid in the part that does not contradict this Law until they are brought in line with this Law.


3. The Cabinet of Ministers of Ukraine, within six months from the day of enforcement of this Law, shall do the following:

- provide for adoption of normative and legal acts stipulated by this Law;

- provide for bringing of its normative and legal acts in line with this Law;

- determine the authorized state power body on matters of personal data protection.


People’s deputies of Ukraine:

O. Shevchuk

(registry card № 270)

V. Lytvyn

(registry card № 431)

V. Polohalo

(registry card № 225)

K. Samoylyk

(registry card № 420)




