29 February 2012
Personal Data: What Every Company Should Do By July 1, 2012

Under recent changes to Ukrainian legislation, administrative and criminal liability for violation of personal data (“PD”) provisions will be in force as of July 1, 2012.

To avoid this liability, each company incorporated in Ukraine shall do at least the following:

(1) Changes Required to the Internal Documents

i. Approve Policies on Personal Data

The Law of Ukraine “On Personal Data Protection” (“the Law”) requires every company to introduce internal policies providing for:

  • Purpose of PD processing;
  • List of PD processed;
  • Procedures to process PD;
  • Location of PD database;
  • Measures to protect PD;
  • Department(s), officer(s) responsible for PD processing;
  • Procedures to handle the PD requests;
  • Procedures to notify an individual on activities with his/her PD;
  • Procedures on change of PD;
  • Procedures on access to PD;
  • Procedures to delete the PD.

These policies may be included in a company's existing internal documents. Nevertheless, from a practical point of view, it appears more reasonable to adopt a unified document covering the above.

ii. Develop a Sample Document Providing for

  • Consent of a person to process his/her PD;
  • Consent of a person to distribute his/her PD;
  • List and scope of PD provided by a person;
  • Rights of an individual providing his/her PD;
  • Purpose of PD processing;
  • Notice on inclusion of PD into respective PD database;
  • Consent of an individual granting access to his/her PD to third parties;
  • Consent of an individual to transfer his/her PD to third parties without notice.

The above document shall be signed by each individual whose personal data are processed by the company. Alternatively, these provisions can be incorporated into the company's contracts: in practice, the personal details of contract signatories fall within the PD scope.

(2) Changes Required to Company Operations

i. Appoint company officer(s) responsible for PD processing;

ii. Ensure that technical protection of PD is in place;

iii. Ensure the enforcement of internal policies on PD.

(3) State Registration of Personal Data Databases

The Law requires a company to register all its PD databases. The registration is carried out by the State Service on Personal Data Protection (http://217.20.166.204/dszpd/uk/publish/article/32503). To satisfy the registration requirement, it is enough to complete and submit the respective application for each database (http://217.20.166.204/dszpd/doccatalog/document?id=32534). There is no need to provide the entire database for this purpose.

In current practice, each company is considered to possess at least two PD databases: internal (employees, shareholders, etc.) and external (clients, suppliers, etc.).

It is worth noting that both business and state authorities consider the present PD legislation far from perfect. Thus, there is a possibility that it will be amended in the near future. Nevertheless, it is highly recommended to adjust company activities and bring them into line with the above legislation to avoid quite heavy sanctions for its violation.

By Taras Kyslyy, Counsel, and Olha Yurchenko, Associate.