top of page

UKRAINE - Data Protection and GDPR Review

Data protection in Ukraine has developed over the past few decades, gradually transitioning from a period of limited legislative oversight to an era with more comprehensive regulations. The country has also sought to align its data protection laws with international standards, including the European Union's General Data Protection Regulation (GDPR). Below is an overview of the key milestones and developments in Ukraine's history of data protection.

Early Beginnings

Constitution of Ukraine

The Ukrainian Constitution, which was adopted in 1996, provides for the protection of personal data under Article 32. This served as the foundational legal basis for privacy rights in Ukraine, although there was no specific legislation solely focused on data protection for many years.

Sector-Specific Laws

Before the adoption of dedicated data protection laws, several sector-specific laws governed data protection in areas such as healthcare, finance, and telecommunications. These laws provided piecemeal protection and lacked a comprehensive approach.

Law on Protection of Personal Data (2010)

In 2010, Ukraine took a significant step by adopting the Law on Protection of Personal Data. This was the first comprehensive law aimed at safeguarding personal data and regulating data processing activities. The law introduced key principles like consent, purpose limitation, and data security.

Key Provisions:

  1. Definitions of personal data and data processing

  2. Principles governing data processing, such as lawfulness, fairness, and transparency

  3. Obligations for data controllers and processors

  4. Rights of data subjects

  5. Mechanisms for data protection enforcement

Establishment of the Ombudsman

The law also led to the appointment of an Ombudsman responsible for protecting citizens' rights to personal and family privacy.

Toward European Alignment

Association Agreement with the EU (2014)

The signing of the EU-Ukraine Association Agreement in 2014 represented a milestone for Ukraine’s legislative landscape. The agreement committed Ukraine to harmonize its laws with EU standards, including in the area of data protection.

GDPR Influence

Although Ukraine is not an EU member and is therefore not directly subject to the GDPR, the European regulation has had a significant influence on discussions and potential amendments to Ukrainian data protection laws. Ukrainian companies that process data of EU citizens are required to comply with GDPR.

Current Challenges and Future Directions

Incomplete Harmonization

Despite efforts to align with European standards, gaps remain between Ukrainian laws and GDPR requirements. For example, enforcement mechanisms and data subject rights are not as robust as those under GDPR.

Political Factors

Ukraine's complex political environment, including ongoing conflicts and governance challenges, has implications for data protection, especially in terms of balancing national security and individual privacy rights.

Future Reforms

As of my last update in September 2021, Ukraine was planning further reforms to its data protection laws to complete its alignment with the GDPR and other international standards.

The history of data protection in Ukraine is characterized by a gradual transition from limited regulations to a more comprehensive legal framework influenced by international standards. The ongoing dialogue with the EU, coupled with domestic pressures for reform, suggest that data protection will remain a dynamic field in Ukraine, evolving to meet both local and global challenges.

Data protection is a critical issue in Ukraine, especially as the country aims to align its legislation with international standards, including the European Union's General Data Protection Regulation (GDPR). This comprehensive guide explores Ukraine's data protection landscape, key laws, and how they relate to GDPR.

Legal Framework

Ukrainian Law on Protection of Personal Data (2010)

Ukraine's primary law governing data protection is the Law on Protection of Personal Data, enacted in 2010. It serves as the foundational legal document for the protection of personal data within the country.

GDPR Relevance

Although Ukraine is not a member of the European Union, Ukrainian businesses that offer goods or services to EU citizens or monitor their behavior are obliged to comply with the GDPR.

Key Principles

Principles Under Ukrainian Law

  1. Consent: Explicit consent is generally required for data processing, similar to GDPR.

  2. Purpose Limitation: Personal data should be collected for a specific purpose and should not be further processed in a manner incompatible with that purpose.

  3. Data Minimization: Only data that is essential for the stated purpose should be processed.

  4. Transparency: Data subjects should be informed about the processing of their data.

Principles Under GDPR

GDPR emphasizes similar principles but adds levels of complexity and detail, including lawfulness, fairness, transparency, accuracy, and integrity and confidentiality.

Rights of Individuals

Ukrainian Law

  1. Right to Information: Data subjects should be informed about the collection and processing of their personal data.

  2. Right to Access: Individuals can ask for confirmation about whether their data is being processed, as well as request copies of such data.

  3. Right to Rectification: Individuals can request the modification of incorrect data.

  4. Right to Erasure: Under specific circumstances, the data subject can request the deletion of their personal data.


GDPR provides more exhaustive rights to data subjects, including the right to object, the right to data portability, and the right to be informed of a data breach. Ukrainian businesses dealing with EU citizens must ensure compliance with these additional rights.

Organizational Obligations

Ukrainian Law

  1. Data Controller Responsibilities: Organizations are obligated to protect the personal data they collect and process.

  2. Security Measures: Ukrainian law mandates companies to implement appropriate security measures to safeguard personal data.

  3. Data Protection Impact Assessments: Certain types of data processing require a risk assessment, although the law is less specific compared to GDPR.


  1. Data Protection Officer (DPO): GDPR mandates the appointment of a DPO for certain organizations, which is not explicitly required under Ukrainian law.

  2. Accountability: GDPR introduces the principle of accountability, requiring organizations to be able to demonstrate compliance.

  3. Data Breach Notifications: GDPR has stringent timelines and requirements for reporting data breaches.

Enforcement and Penalties

Ukrainian Law

The Ombudsman, appointed by the Ukrainian Parliament, is responsible for overseeing data protection issues. However, enforcement is generally considered to be less rigorous than in the EU.


GDPR is known for its strict enforcement mechanisms, with penalties for non-compliance that can go up to €20 million or 4% of annual global turnover, whichever is higher.

Compliance Tips for Ukrainian Businesses

  1. Legal Analysis: Evaluate whether GDPR applies to your operations. If yes, ensure compliance with both Ukrainian law and GDPR.

  2. Data Mapping: Understand where and how personal data is processed within your organization.

  3. Update Policies: Revise privacy policies to make sure they meet both Ukrainian and GDPR standards if applicable.

  4. Consult Legal Experts: Consult data protection experts who are familiar with both Ukrainian and EU law for tailored advice.

  5. Continuous Monitoring: Stay updated with legal amendments in both jurisdictions and adjust your compliance strategies accordingly.


Data protection in Ukraine is evolving, especially as the country aims to align itself with European standards. Understanding the nuances of both Ukrainian law and GDPR is critical for businesses operating across these jurisdictions. Although Ukraine's laws offer a strong foundation for data protection, businesses targeting EU citizens must be cautious to comply with the more stringent GDPR regulations. Consulting legal professionals specialized in data protection is often necessary to navigate this complex landscape.


bottom of page