We would like to inform you that the Law of Ukraine No. 3454 "On Amendments to Certain Legislative Acts of Ukraine to Increase Liability for Violation of Personal Data Protection Law" comes into force on July 1, 2012.
The key provision of this law establishes liability for company officials in case they fail to register personal data base with Ukrainian authorities. For now, such liability is in the form of monetary (administrative) fine equal up to 17,000 UAH (about 2,000 USD). Note, however, that the Criminal Code will be also amended accordingly in light of such changes, providing for arrest of any guilty officials for up to six (6) months or even imprisonment for a period of up to three (3) years.
The said registration of the personal data is only one of the material aspects, contained in the Law of Ukraine No. 2297 – VI "On Personal Data Protection," dated June 1, 2010, which came into force as of January 1, 2011 (hereinafter, "the Law"). Apart from registration of personal data base, the Law involves the following two other basic responsibilities for the owner of personal data base:
- obtaining a consent for processing of personal data;
- notification of the person (i.e., subject of personal data) about his/her rights.
Thus, the personal data that is contained in the data base may be processed exclusively on the basis of the legal grounds. The key to compliance is obtaining written consent of the person whose personal data is processed, for effectuating such processing. Importantly, the Law prohibits processing of personal data on racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life (unless unambiguous consent of the person is obtained).
Based on the foregoing, in light of employment relationship any employer is technically considered to be an owner of personal data. Accordingly, an employee can be allowed to work only after obtaining his/her consent for processing his/her personal data. Similar to the employment relationship, any holder of personal data should obtain relevant consent from its clients, customers, contractors and any other subject of personal data.
To summarize, in order to bring into compliance the relationship between the holders of the personal data base and the subjects of personal data, it is necessary to obtain the respective consent from the subjects of personal data, granting the permission to process such data.
In light of the foregoing requirements, please let us know if you wish to receive a draft of the application, which you may offer to the subjects of personal data in order to obtain their consent. Alternatively, your company's officials may be held liable for any fines resulting from failure to comply with this requirement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
