
Data Protection & Privacy in Ukraine

Ukraine's data protection framework is built on a domestic statute that mirrors key GDPR principles, yet diverges in enforcement mechanics, supervisory authority powers and cross-border transfer rules. For any international business processing personal data of Ukrainian residents - or operating Ukrainian legal entities - non-compliance carries regulatory fines, civil liability and reputational damage. This article maps the legal landscape, identifies the most common compliance gaps, and explains the practical steps controllers and processors must take to operate lawfully in Ukraine.

The legal foundation: Ukraine's personal data protection law and its GDPR parallels

The primary instrument is the Law of Ukraine 'On Personal Data Protection' (Закон України 'Про захист персональних даних'), adopted in 2010 and amended multiple times since. Its structure deliberately mirrors the EU Data Protection Directive and, in later amendments, incorporates GDPR concepts. The law defines personal data as any information relating to an identified or identifiable natural person - the data subject.

Controllers (володільці персональних даних) are entities that determine the purposes and means of processing. Processors (розпорядники персональних даних) act on the controller's instructions. This distinction matters because liability allocation, notification obligations and contractual requirements differ between the two roles. A common mistake among international clients is treating a Ukrainian subsidiary as a mere processor when, under Ukrainian law, it qualifies as a controller because it independently determines processing purposes for local HR or customer data.

Article 11 of the Law establishes the legal bases for processing: consent, contract performance, legal obligation, vital interests, public interest and legitimate interests. The legitimate interests basis exists in Ukrainian law but is narrower in practice than under GDPR, because the supervisory authority - the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини), also known as the Ombudsman - has historically interpreted it conservatively. Controllers relying on legitimate interests should document a balancing test in writing.

The Law defines consent (Article 2) as a voluntary, informed expression of the data subject's will. In practice, valid consent must be informed, specific, freely given and unambiguous. Pre-ticked boxes and bundled consent clauses embedded in general terms of service do not satisfy the standard. Many businesses operating in Ukraine inherited consent mechanisms designed for older, less stringent rules; updating these mechanisms is one of the most frequent remediation tasks in practice.

The Law also incorporates special categories of sensitive data - health, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership and criminal records. Processing these categories requires explicit consent or another narrowly defined legal basis under Article 7. Employers processing health data for occupational safety purposes must document the specific legal basis and limit access strictly.

Supervisory authority, registration and enforcement powers

The Ombudsman's Secretariat (Секретаріат Уповноваженого) functions as the data protection supervisory authority. It receives complaints, conducts inspections, issues binding orders and imposes administrative sanctions. Unlike the GDPR's lead supervisory authority mechanism, Ukraine does not operate a one-stop-shop system. Every controller with a Ukrainian establishment is subject to the Ombudsman's jurisdiction regardless of where the group's main establishment is located.

Until relatively recently, Ukrainian law required controllers to register databases of personal data with the Ombudsman. Amendments removed mandatory registration for most categories, but controllers processing sensitive data or data of a large number of subjects may still face registration or notification requirements in specific sectors - notably healthcare and financial services, where sector regulators impose additional obligations.

Enforcement powers include the right to conduct scheduled and unscheduled inspections, demand access to processing systems and documentation, issue binding remediation orders and refer matters for administrative prosecution. Administrative fines under the Code of Ukraine on Administrative Offences (Кодекс України про адміністративні правопорушення) are modest by GDPR standards - typically in the range of a few hundred to a few thousand Ukrainian hryvnias for individual violations. However, the reputational and operational consequences of an adverse Ombudsman decision, combined with potential civil claims from data subjects, create a more significant aggregate risk.

Civil liability under Article 28 of the Law allows data subjects to claim compensation for material and moral harm caused by unlawful processing. Ukrainian courts have awarded moral damages in cases involving unauthorised disclosure of health data, unsolicited marketing and failure to honour erasure requests. The amounts awarded are generally modest, but the litigation burden and management distraction are real costs.

A non-obvious risk is that Ukrainian law enforcement agencies can open criminal proceedings for unlawful collection, storage or use of personal data under Article 182 of the Criminal Code of Ukraine (Кримінальний кодекс України). Criminal liability under this provision attaches to natural persons - directors, the designated responsible person and IT administrators - rather than to the legal entity itself. International managers with signing authority over Ukrainian operations should be aware of this personal exposure.

To receive a checklist on data protection compliance for Ukraine, send a request to info@vlolawfirm.com

Cross-border data transfers: rules, mechanisms and practical constraints

Cross-border transfer of personal data from Ukraine to third countries is governed by Article 29 of the Law. Transfers to countries that ensure an adequate level of protection are permitted without additional safeguards. The Law treats the EEA member states and states party to the Council of Europe Convention 108 as adequate destinations. Transfers to other jurisdictions - including the United States and most Asian jurisdictions - require one of the following mechanisms:

  • Explicit consent of the data subject to the specific transfer.
  • Standard contractual clauses (SCCs) approved by the Ombudsman or modelled on EU SCCs.
  • Binding corporate rules (BCRs) approved by the Ombudsman for intra-group transfers.
  • A contractual necessity exception where the transfer is required to perform a contract with the data subject.

In practice, the most widely used mechanism is contractual clauses. Ukraine has not published its own set of approved SCCs, so practitioners typically adapt EU SCCs with Ukrainian law addenda. The Ombudsman has accepted this approach in practice, though formal approval of a Ukrainian SCC template remains pending. Controllers should document the transfer mechanism in their records of processing activities and review it whenever the destination country's legal framework changes.

A common mistake is assuming that because a Ukrainian subsidiary sends data to a parent company in an EU member state, no transfer documentation is needed. Even transfers to adequate countries should be recorded in the controller's internal documentation to demonstrate accountability. The accountability principle - though not labelled as such in the Ukrainian statute - is embedded in Article 24 of the Law, which requires controllers to implement organisational and technical measures and maintain evidence of compliance.

Transfers to cloud service providers located outside Ukraine raise specific questions. The Law does not prohibit cloud processing, but the controller remains responsible for ensuring the processor's compliance. Data processing agreements (DPAs) with cloud vendors must address Ukrainian law requirements: purpose limitation, data minimisation, security standards, sub-processing restrictions and the right of the controller to audit. Many global cloud vendors offer DPA templates that satisfy GDPR requirements but omit Ukrainian-specific provisions. Supplementing these templates is a practical necessity.

The interaction between Ukrainian data protection law and sector-specific regulations adds complexity. The National Bank of Ukraine (Національний банк України) imposes data localisation requirements on certain categories of financial data. The Ministry of Health issues guidance on health data processing. Telecommunications operators are subject to additional rules under the Law of Ukraine 'On Telecommunications.' Controllers operating across multiple sectors must map all applicable requirements and resolve conflicts between them.

Data breach notification: obligations, timelines and response protocols

Ukraine's Law on Personal Data Protection does not contain an explicit 72-hour breach notification rule equivalent to GDPR Article 33. However, Article 24 of the Law requires controllers to implement measures to prevent unauthorised access and to respond to security incidents. The Ombudsman's methodological guidance interprets this as requiring prompt notification to the supervisory authority and affected data subjects when a breach creates a risk of harm.

In practice, the absence of a codified notification deadline creates uncertainty. Controllers who delay notification and subsequently face an Ombudsman inspection are in a weaker position than those who notify proactively. The prudent approach is to treat 72 hours as a de facto standard, consistent with GDPR, and to document the decision-making process if notification is delayed beyond that window.

Breach response protocols should address four stages:

  • Detection and containment: identifying the scope of the breach, isolating affected systems and preserving evidence.
  • Assessment: determining whether personal data was accessed, exfiltrated or destroyed, and evaluating the risk to data subjects.
  • Notification: informing the Ombudsman and, where the risk to data subjects is high, notifying affected individuals directly.
  • Remediation: implementing technical and organisational measures to prevent recurrence and documenting lessons learned.

Ukrainian processors handling data on behalf of EU-based controllers face a dual obligation: they must comply with Ukrainian law and, under their DPA with the EU controller, meet GDPR notification timelines. This dual obligation is one of the most practically challenging aspects of operating as a Ukrainian processor for European clients. Contractual provisions should set internal escalation timelines short enough that the EU controller can still meet its 72-hour GDPR deadline after the processor reports.

Scenario one: a Ukrainian e-commerce platform suffers a database breach exposing names, email addresses and purchase histories of 50,000 customers. The controller should notify the Ombudsman promptly, assess whether financial data was included, and send individual notifications to affected customers if the risk of identity theft or fraud is material. Legal counsel should be engaged immediately to manage the regulatory response and preserve privilege over internal investigation findings.

Scenario two: a multinational corporation's Ukrainian subsidiary inadvertently sends an HR spreadsheet containing salary and health data to an incorrect external recipient. The breach affects fewer than 20 employees but involves sensitive data. The controller must assess the risk, notify the Ombudsman, and consider whether individual notification to affected employees is required. The small scale does not eliminate the obligation; sensitive data breaches carry higher risk regardless of volume.

Scenario three: a Ukrainian software development company acting as a processor for a German client discovers that a former employee copied client data before resignation. The processor must notify the German controller immediately under the DPA, cooperate with the controller's breach assessment, pursue internal disciplinary measures and consider filing a criminal complaint against the former employee with Ukrainian law enforcement.

To receive a checklist on data breach response procedures for Ukraine, send a request to info@vlolawfirm.com

Data subject rights: implementation, limitations and dispute resolution

Ukrainian law grants data subjects a set of rights that closely parallel GDPR Chapter III. Article 8 of the Law establishes the right to information about processing. Article 16 grants the right to access personal data. Article 19 provides the right to object to processing. The right to erasure and the right to rectification are addressed in Articles 19 and 20 respectively. The right to data portability is not explicitly codified in Ukrainian law, though controllers serving EU residents must provide it under GDPR regardless.

Response timelines are set by Article 16: controllers must respond to access requests within 30 calendar days. This differs from GDPR's one-month standard only marginally in practice, but the calculation method - calendar days from receipt of the request - should be built into internal workflows. Failure to respond within the deadline is a separate violation from unlawful processing and can be the subject of a standalone complaint to the Ombudsman.

Verification of identity before responding to data subject requests is both a right of the controller and a practical necessity. Controllers should establish a documented verification procedure that is proportionate to the sensitivity of the data. Requiring a notarised identity document for a simple access request is disproportionate; requiring basic identity verification before disclosing health records is not. The procedure should be described in the controller's privacy notice.

The right to object to processing for direct marketing purposes is absolute under Ukrainian law, mirroring GDPR Article 21(2). Controllers must cease processing for marketing purposes immediately upon receipt of an objection, without requiring the data subject to provide reasons. Many Ukrainian businesses operating loyalty programmes or email marketing campaigns have not implemented the technical mechanisms to honour objections in real time - a gap that generates complaints and Ombudsman inquiries.
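The real-time objection handling this paragraph describes, as an added example that is not part of the original article: a suppression list that records each objection with a timestamp and source reference (the evidence a controller would show the Ombudsman), normalises addresses so that case and whitespace differences cannot defeat a match, and is consulted at the moment each message is sent rather than when the recipient list was built. The addresses, ticket identifier and timestamps are constructed for the illustration; the function and class names are my own and do not correspond to any product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import unicodedata


def normalise_email(addr: str) -> str:
    """Canonical key for matching an objection against a recipient.
    Unicode-normalise, strip surrounding whitespace and casefold, so that an
    objection from 'Ivan@Example.UA' blocks a send to 'ivan@example.ua'."""
    return unicodedata.normalize("NFKC", addr).strip().casefold()


@dataclass(frozen=True)
class Objection:
    subject_key: str        # normalised address
    received_at: datetime   # when the objection reached the controller
    channel: str            # "email", "web_form", "letter", ...
    source_ref: str         # ticket or message id kept as evidence


class SuppressionList:
    """Objections are appended and never deleted: the record is the evidence.
    Recording requires no reason from the data subject and no confirmation step."""

    def __init__(self) -> None:
        self._entries: dict[str, Objection] = {}
        self.audit: list[tuple] = []

    def record_objection(self, email: str, received_at: datetime,
                         channel: str, source_ref: str) -> Objection:
        key = normalise_email(email)
        obj = Objection(key, received_at, channel, source_ref)
        self._entries[key] = obj
        self.audit.append(("objection_recorded", key,
                           received_at.isoformat(), source_ref))
        return obj

    def is_suppressed(self, email: str) -> bool:
        return normalise_email(email) in self._entries


def send_campaign(recipients, suppression: SuppressionList, send_fn, now: datetime):
    """Check the suppression list per message at send time, not when the
    recipient list was built, so an objection arriving in between is honoured.
    Returns (sent, suppressed); each blocked send is written to the audit log."""
    sent, suppressed = [], []
    for addr in recipients:
        if suppression.is_suppressed(addr):
            suppressed.append(addr)
            suppression.audit.append(("send_blocked", normalise_email(addr),
                                      now.isoformat()))
            continue
        send_fn(addr)
        sent.append(addr)
    return sent, suppressed


def demo():
    # Constructed sample data: no real people or addresses.
    # Recipient list built at 09:00 UTC, including a badly formatted entry.
    recipients = ["olena@example.ua", "  Ivan@Example.UA ", "petro@example.ua"]
    suppression = SuppressionList()
    # Objection arrives at 09:30, after the list was built, before the 10:00 send.
    suppression.record_objection("ivan@example.ua",
                                 datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
                                 "email", "TICKET-1042")
    delivered = []
    sent, suppressed = send_campaign(
        recipients, suppression, delivered.append,
        now=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc))
    return sent, suppressed, suppression.audit


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The design point is where the check lives: a campaign tool that snapshots a recipient list and sends from the snapshot will keep mailing anyone who objected after the snapshot was taken, which is exactly the gap that generates complaints. Keying the list on a normalised address and logging both the objection and every blocked send gives the controller something to produce if the Ombudsman asks when the objection was received and whether it was acted on.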

Dispute resolution for data subject rights violations follows two parallel tracks. Administrative complaints to the Ombudsman are free of charge, relatively fast - the Ombudsman typically responds within 30 to 45 days - and can result in binding orders. Civil claims in Ukrainian courts for compensation of harm are slower, typically taking six to eighteen months at first instance, but allow recovery of damages. Data subjects can pursue both tracks simultaneously. Controllers should treat an Ombudsman complaint as a trigger for immediate legal review, because the Ombudsman's findings can be used as evidence in subsequent civil proceedings.

Appointing a data protection officer and building a compliance programme

The Law of Ukraine on Personal Data Protection does not mandate appointment of a Data Protection Officer (DPO) in the same terms as GDPR Article 37. However, Article 24 requires controllers to designate a responsible person (відповідальна особа) for organising personal data protection. In practice, this role functions similarly to a DPO: the responsible person oversees compliance, liaises with the Ombudsman and handles data subject requests.

For international groups subject to GDPR, the Ukrainian responsible person and the GDPR DPO may be the same individual or different people depending on the group's structure. Where they are different, clear escalation protocols between the two roles are essential to avoid gaps in breach notification and regulatory response. The responsible person's contact details should be published in the controller's privacy notice and communicated to the Ombudsman.

Building a compliance programme for Ukraine involves seven core elements:

  • A data mapping exercise to identify all processing activities, legal bases, data flows and third-party processors.
  • A privacy notice that meets the information requirements of Articles 8 and 12 of the Law.
  • Consent mechanisms that satisfy the specificity and granularity requirements.
  • Data processing agreements with all processors and sub-processors.
  • A records of processing activities (RoPA) document, which is not explicitly required by Ukrainian law but is best practice and supports accountability.
  • A breach response plan with defined roles, escalation timelines and notification templates.
  • A training programme for staff who handle personal data.

The cost of building a compliance programme from scratch varies significantly by organisation size and complexity. For a mid-sized Ukrainian entity with straightforward processing activities, legal fees for a full compliance review and documentation package typically start from the low thousands of USD. For a large group with complex cross-border data flows, multi-sector obligations and legacy systems, costs are substantially higher. The cost of non-compliance - regulatory sanctions, civil litigation, reputational damage and loss of EU business partners who require GDPR-compliant processors - generally exceeds the cost of proactive compliance.

A non-obvious risk for international businesses is that Ukrainian law imposes obligations not only on the Ukrainian entity but also on foreign controllers that process data of Ukrainian residents. A foreign company running a Ukrainian-language website, collecting data from Ukrainian users and not having a Ukrainian establishment may still fall within the Law's scope under an effects-based interpretation that the Ombudsman has applied in practice. Controllers in this position should assess their exposure and consider whether appointing a local representative is appropriate.

We can help build a compliance strategy tailored to your organisation's structure and risk profile. Contact info@vlolawfirm.com to discuss your specific situation.

FAQ

What is the most significant practical risk for a foreign company processing data of Ukrainian residents without a local establishment?

The Ombudsman can assert jurisdiction over foreign controllers whose processing activities affect Ukrainian residents, even without a local establishment. The practical risk is an investigation triggered by a data subject complaint, resulting in a binding remediation order and potential referral for administrative proceedings. Foreign controllers who ignore such orders face reputational damage and may find that Ukrainian courts enforce the Ombudsman's decisions against assets or local partners. Appointing a local representative and implementing a basic compliance framework significantly reduces this exposure.

How long does an Ombudsman investigation typically take, and what are the financial consequences?

An Ombudsman investigation following a complaint typically takes between two and six months from receipt of the complaint to a final decision, depending on complexity and the controller's cooperation. Administrative fines under the Code of Administrative Offences are modest in absolute terms, but the Ombudsman's decision can be used as evidence in civil proceedings where data subjects seek compensation for moral and material harm. The aggregate cost of an adverse decision - legal fees, remediation costs, civil settlements and management time - can reach the mid-to-high tens of thousands of USD for a complex matter.

When should a controller use contractual clauses rather than consent as the mechanism for cross-border data transfers?

Consent is appropriate for transfers that are genuinely voluntary, specific and revocable without detriment to the data subject - for example, a user choosing to share their profile with a foreign social platform. Consent is not appropriate as the primary transfer mechanism for employee data, because employment relationships create an inherent power imbalance that undermines the 'freely given' requirement. For systematic transfers - HR data to a parent company, customer data to a global CRM, or operational data to a cloud provider - contractual clauses are the more robust and sustainable mechanism. Consent-based transfers require ongoing management of withdrawal requests and can collapse if a significant number of data subjects withdraw consent simultaneously.

Conclusion

Ukraine's data protection regime is more sophisticated than many international businesses assume. The combination of a GDPR-aligned statute, an active supervisory authority, civil liability for data subjects and criminal exposure for individuals creates a compliance environment that rewards proactive investment. Controllers and processors operating in Ukraine should treat data protection not as a checkbox exercise but as an ongoing governance function integrated into their operational and legal risk management.

Our law firm VLO Law Firm has experience supporting clients in Ukraine on data protection and privacy matters. We can assist with compliance programme design, cross-border transfer documentation, data breach response, Ombudsman investigations and data subject rights disputes. To receive a consultation, contact: info@vlolawfirm.com

To receive a checklist on building a data protection compliance programme for Ukraine, send a request to info@vlolawfirm.com