GDPR-size Penalties for Personal Data Protection Violations? What Can Individuals and Businesses Expect in Ukraine?
The current penalties for personal data protection violations under Ukrainian law may cause a smile rather than a desire to ensure compliance. However, Ukraine is taking steps to align its personal data protection laws with the General Data Protection Regulation ("GDPR”). The Ukrainian Parliament has resumed consideration of draft law No. 8153, dated 25 October 2022 ("Draft Law”). In particular, in February 2024, the Draft Law was included in the agenda of the Parliament, and some unofficial public discussion around the Draft Law is currently underway. The Draft Law is an amended and restated version of the current Law of Ukraine "On Protection of Personal Data.” This time, the Parliament intends to adopt it within Ukraine’s overall EU integration efforts. However, the Draft Law is still at an early stage of its consideration.
The Draft Law, among other things, suggests significant increases in the penalties for violating personal data protection laws. Below, we provide a brief overview of the Draft Law regarding the potential responsibility of controllers and processors for various types of personal data processing violations, including minimum and maximum fines for individuals and legal entities.
The Draft Law does not stipulate a transitional period for individuals and businesses. Well, not yet. We expect a one- to two-year transitional period to be introduced during the Parliament’s consideration of the Draft Law.
Information contained in this overview is for general information purposes only, does not constitute legal or other professional advice, and should not be relied upon as a substitute for specific professional advice tailored to particular circumstances. The overview was prepared with assistance of junior associate Anastasiia Havryliuk.