The bill provides for the implementation of the main provisions of the General Data Protection Regulation (GDPR) into national law:
- the principles of personal data processing have been introduced (lawfulness, integrity, transparency, minimization of processing, purpose limitations, etc.);
- the six basic grounds for personal data processing have been revised and detailed;
- the full list of rights of personal data subjects under GDPR has been implemented (the right to information, to be forgotten, rectification, data mobility, protection against automated decision-making, etc.);
- the conditions of lawfulness and legitimacy of consent to processing were detailed;
- the concept of sensitive personal data and a list of such data have been proposed as a replacement for the personal data constituting a special risk for the rights and liberties of the subjects;
- some provisions have been established on the processing of personal data by public authorities and employers, in connection with video surveillance and audio and video recording of public events, and for direct marketing, election campaigning and political advertising;
- the obligation of the personal data controller to respect the principles of "privacy by default" and "privacy by design" has been implemented;
- the controller's obligation to record personal data processing operations and to draw up the relevant records has been provided for;
- the position of the person responsible for personal data protection and his/her obligations are provided for. In general, it should be a person with experience in the field of personal data protection and at least a bachelor's degree in education. In order to hold the position of a person responsible for the protection of personal data in public authorities, there is a requirement to pass a qualification exam;
- provision is made for the possibility of compensation by the person for the damage caused as a result of the breach of rights;
- for foreign controllers there is an obligation to appoint a representative in Ukraine.
There are unusual and interesting provisions in this bill. For example, it provides a procedure for obtaining information about persons making unwanted or malicious calls and messages. This means that the user (subscriber) will be able to legally obtain from the mobile operator identifying information about the person who makes unwanted calls and use it further to protect their rights (for example, when sending a statement to the police).
The bill does not leave out the issue of liability for violations of personal data protection legislation, in particular through the imposition of fines:
- for a natural person in the amount of 10,000 to 30,000 UAH;
- for a legal entity in the amount of 0.05% to 0.1% of the total annual revenue but not less than 30,000 UAH, and for some categories of violations not less than 100 or 300 thousand UAH.
We have positive expectations that the bill will be adopted by the Parliament of Ukraine and will already be in operation in 2023.