Partner, Pakharenko & Partners, Lawyer and registered Patent and Trademark Attorney of Ukraine
Higher economic and legal education. More than 25 years of experience in the IP sphere. Olena’s practice covers counseling on all aspects of protection of IPR objects, particularly inventions, utility models, trademarks, geographical indications, industrial designs, copyright. Other practice areas include customs, contract and banking law. Membership: Ukrainian National Group of International Association for the Protection of Intellectual Property (AIPPI), International Trademark Association (INTA), Licensing Executives Society (LES), All-Ukrainian Association of Patent Attorneys.
GDPR and Ukrainian Business Entities
It’s been almost a year since the provisions of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) on the protection of personal data of citizens of the European Union came into force.
The main purpose of the GDPR is to protect personal data of EU citizens irrespective of the country where such data is stored, processed and used.
Clause 11 of the Action Plan on Implementing the Association Agreement between Ukraine, on the one hand, and the European Union, the European Atomic Energy Community and their Member States, on the other hand, approved by the Resolution of the Cabinet of Ministers of Ukraine of 25 October 2017, No. 1106, specifies the objectives related to the improvement of the legislation on personal data protection to bring it into compliance with the GDPR. The responsibility for making the necessary legislative changes has been entrusted to the Ukrainian Parliament Commissioner for Human Rights (upon consent), the Ministry of Finance, the Ministry of Justice, the Ministry of Economic Development and Trade, and the Ministry of Internal Affairs. Despite the fact that no such changes have been made to date, the requirements established by the GDPR should in certain cases be observed by business entities in Ukraine.
What Information is Regarded as Personal Data in the EU and Ukraine
According to Article 4 of GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For example, such identifiers may include a client’s e-mail, name and surname, details of his bank card or any other financial information, photo and video, online identifiers, such as IP address, cookies, etc.
Article 32 of the Constitution of Ukraine proclaims the human right of non-interference in one’s personal life. Moreover, the collection, storage, use, and dissemination of confidential information about a person without his/her consent shall not be permitted, except for the cases determined by law and only in the interests of national security, economic welfare, and human rights. A natural person shall have the right to health secrecy, to secrecy of the fact of seeking medical aid, and to confidentiality of the diagnosis and information received during medical examination. It is forbidden to require and submit information about the diagnosis and methods of treatment of a natural person to places of work or study (Article 286 of the Civil Code of Ukraine). In Article 2 of the Law of Ukraine On Protection of Personal Data No. 2297 of 1 June 2010, personal data is defined as information or a collection of data about an individual that is identified or can be specifically identified. Such a definition makes it impossible to distinguish personal data from any other information, for example, from confidential information about a person. The law does not provide for the differentiation of personal data by the criterion of “sensitivity” that exists in EU laws.
Under EU laws, personal data is divided into general data (surname, first name, patronymic name, date and place of birth, nationality, place of residence) and sensitive (health information, ethnicity, religious commitment, identification numbers, fingerprints, voiceprint, photographs, criminal records, etc.). At the same time, in the EU sensitive personal data enjoys a higher level of protection.
Ukrainian authorities, within the limits of their legal powers, assist in the implementation of the main principles of protection of personal data provided for by national legislation. For example, the campaign to prevent fraud in the course of online trade and protection of personal data has been launched by the cyber police; the Ministry of Health of Ukraine, for implementation of electronic medical records, has paid particular attention to the protection of the personal data of patients; the Cabinet of Ministers of Ukraine abolished the complaint and suggestion book and one of the reasons for taking such a decision was non-observance of legislation on protection of personal data, since the names and phone numbers of consumers were publicly available.
It’s worth mentioning that GDPR does not provide for an exhaustive list of personal data since personal data can be any data that helps to identify a specific person. Furthermore, there can be situations where simple data can become personal data. For example, if, for security reasons, video surveillance cameras are installed in your office to ensure recording of all that is happening, the data obtained from the video cameras will not be regarded as personal data. However, if a face recognition system is connected to the video surveillance apparatus, the recorded data becomes personal data and requires obtaining consent from all clients to record.
Parties Involved in Data Processing
Data controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data of EU residents. Data operator (processor) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The data controller carries the main responsibility for the processing of personal data in accordance with the requirements of GDPR, while an operator shall observe separate rules for working with data. The controller and the operator should conduct their activities only subject to the agreement between them.
According to Ukrainian legislation, namely under Article 2 of the Law of Ukraine On Protection of Personal Data, processing of personal data includes any activity or the combination of actions such as collection, registration, accumulation, storage, adaptation, changing, restoration, use, dissemination, depersonalization, deletion of personal data, in particular with the use of informational (automated) systems. The owner of a database with personal data can be a natural person or legal entity which is granted the right to process these data under the law or with the consent of the data subject, which approves the purpose and procedure of data processing. A disposer of a database with personal data can be a natural person or a legal entity, which has been granted the right to process these data under the law or by the owner of the database. Notably, the concepts of “controller” and “processor” of data have already been introduced in the Ukrainian legislation.
For example, you as a business owner are the data controller (owner), namely you determine which personal data of the client should be collected, processed and how to treat it further, while a data operator may be a respective IT-department (internal or external). The data operator (disposer) is an executor which carries out the respective processing of data (collecting, storage, structuring, changing, deletion etc). If you collect the guest data by yourself, via your own services or feedback form available on the website, you will combine the functions of the controller and operator.
Also, according to the requirements of the GDPR, companies should introduce the position of data protection officer. Your company may have a single position, namely an officer responsible for legitimate and secure processing of data of EU residents. The principles of appointment, responsibilities and objectives of the said officer are specified in Articles 37-39 of the GDPR. In particular, its responsibilities shall include the monitoring of any technologies which are in some manner related to the processing of data.
Ukrainian Business Entities and GDPR Requirements
If the Ukrainian owner of a business:
— offers its services to EU citizens;
— requests and collects personal data of the EU citizens (its clients) and processes the respective amount of transactions with debit cards, including in currency;
— obtains personal data of EU citizens (its clients) from other sources such as third-party booking websites and own websites;
— is involved in marketing profiling of its potential clients,
such business potentially involves the processing of personal data of EU citizens and, accordingly, such a business entity should use such data and protect their confidentiality in compliance with the requirements of the GDPR.
Below we provide some practical steps that we recommend to our clients when working with the personal data of customers in order to ensure data privacy:
a) make an inventory of all the company’s activities related to the processing of personal data;
b) revise and update data processing contracts with third parties;
c) review and minimize the collected personal data of customers; limit the data to the minimum scope and only to the technological data necessary for improving services, providing better customer support and for any other purposes necessary to ensure quality performance of the service expected from you;
d) introduce a mechanism for providing a client’s explicit written consent to the processing of data (with the possibility of correction, deletion of their personal data);
e) introduce a mechanism for automated deletion of data upon expiry of a specified period, or upon a client’s request;