Right to informational self-determination?
“Zerkalo Nedeli. Ukraine”
№46, December 16, 2011
A citizen of the modern information society is
an individual whose personal data (PD) is processed automatically. Is this
consistent with the constitutional principle of privacy?
A day-to-day environment.
You are an individual and a participant in legal relations, for
example labor relations. When getting a job you provide an employer with
the required private information, or PD, in other words, "the information
about an individual who is identified or can be specifically
identified." The employer will put it in its personal data database
(PDD) of employees, and - congratulations - you have acquired the status of a
subject of personal data (SPD). The employer in this case is the owner
of the PDD. This means that your personal data can be collected, stored,
maintained, adapted, modified, renewed, used and distributed,
depersonalized and even eliminated! In short, your data is handled
through the PDD. PD is processed by a person, the manager of the PDD, appointed by
The owner may process your PD solely on the basis of your voluntary,
recorded consent (with the scope of data specified) and in accordance with
the stated purpose. In this case, the objective of data processing is
linked to employment.
Based on what?
The constitutional right to privacy is the basis of PD protection and
provides for a special legal regime for information about an individual,
since according to Ukrainian legislation information about an
individual is confidential and, therefore, access to it is limited
by that individual personally.
Only with a permission?
All PD about you as an individual is processed (automatically or through
card-indexing) only with your written consent. Ukraine took this decision
on its way towards a visa-free regime. But let’s talk more about that
later. Global jurisprudence on PD protection has developed in two directions:
either identifying PD with any information relating to a particular
person, or differentiating PD. The principle of PD
differentiation is also embodied in the national legislation. Embodied,
but, unfortunately, not forming the basis for the PD access regime.
What does differentiation mean? It means the breakdown of information about an individual into the following components:
- The so-called operational minimum of PD - general information - full
name, identification number, education, employment history, marital
status, contact information;
- The category of "sensitive" data - about racial or ethnic origin,
political, religious or philosophical beliefs, membership in political
parties and trade unions, as well as data concerning health or
sexuality. The Law prohibits the processing of such information, but
gives a list of exceptions to the prohibition. Conventionally, such
exceptions cover two aspects: one relates to the explicit consent of the
SPD and the other to objective necessity.
Remarkably, when access to PD is based on the principle of data
differentiation, a licensing procedure for processing relates
solely to the “sensitive” data. In our case, the obligation to obtain
the SPD’s consent concerns all of the SPD’s PD. This is how the Ukrainian
legislator has decided to set up the protection of PD in the Law of Ukraine “On
protection of personal data” No. 2297 of June 01, 2010 (hereinafter -
Thus, we have examined the situation from the position of the SPD.
The Law came in response to a new challenge of European integration.
In order to intensify the visa-free dialogue with the EU, PD
protection was listed among the priority reforms of 2010: “Matrix of
cooperation” between Ukraine and the EU and the Plan of Priority
Measures for the Integration of Ukraine into the EU - up to the Law. In
addition, some national legislative acts were amended to
strengthen accountability for violations of the legislation on
protection of personal data (effective from January 01, 2012), and
the 1981 Convention on the Protection of Individuals with
regard to Automatic Processing of Personal Data (hereinafter - the
Convention) and its 2001 Additional Protocol regarding supervisory
authorities and transborder data flows were ratified. But while striving
not to disappoint the EU any longer, Ukraine has not done well at sorting
out the legal consequences of the “reforms” for itself.
Now, let’s examine the situation from the perspective of the PDD owner.
The Law defined compulsory state registration of PDD as the guarantee
of PD protection. Yet the Convention formulates only a
general duty to create a PD safeguard system, i.e. it does not require
the member states to introduce any specific mechanism,
such as, for example, mandatory registration of all PDD. Moreover, the
European states-parties to the Convention introduced so-called necessary
registration: first, the registration of PDD owners rather than PDD;
second, the registration of owners of “sensitive” PDD; and, third,
registration for the purpose of controlling data processing and
ensuring the transparency of information about processing.
By the way, you may not even realize that you already have some PDD
subject to registration. But from the new year your ignorance will reveal
Having entered into force on January 01, 2011, the Law launched a new
mechanism. What, then, have the state’s efforts resulted in? An
entrepreneur, that is, an individual private entrepreneur (hereinafter - PE),
automatically became an owner of PDD by hiring two employees. Therefore,
the PDD of the staff constitutes the first database. Carrying on a favourite
pursuit means getting another “gift” - the PDD of clients.
If its status so obliges, a business that is a legal entity will have yet a third database – the PDD of service providers.
So here, for your attention, is the registration minimum: if you are an
individual - PE, be prepared for the registration of two PDD; if you are
a legal entity, you then have to register as many as three PDD!
How does the state propose to live with the status of an owner of PDD?
The state established a special legal and institutional mechanism to
ensure protection of PD. The State Service for Personal Data Protection
of Ukraine (SSPDP) is the regulator, the registrar and the supervisor. The
specialized legal framework, apart from the Law and amendments
introduced in other regulatory acts, includes subordinate acts
governing SSPDP’s establishment and operation, maintenance of the register
and submission of documents for registration.
Owners who are to register PDD have to be prepared. And not only morally, but thoroughly:
- to determine the objective of PD processing and the number of PDD required to carry out their own activities;
- to approve the procedure for PD processing and protection by an in-house order, and make employees acquainted with this document;
- to approve the text of an individual’s consent to the processing of his/her personal data;
- to obtain the written consent of the subjects of personal data;
- to define a structural unit or person responsible for
organizing the protection of personal data during processing.
Having cleared up these issues internally, an owner submits an
application for registration of the PDD owned by it (separately for each
PDD!). The application has to contain the information required for
registration, namely, a request to enter the PDD into the register, the
information on the PDD owner, the information on the title and location of
the PDD, the information on the PDD manager, the information on the objective of
data processing, and the document certifying the obligation to fulfil
the requirements of the laws on PD protection.
The Ministry of Justice approved the sample application as soon as in
August 2011. PDD registration is carried out by making an appropriate
entry and issuing a certificate within ten days from the date of receipt
of the application.
And here is the certificate, in your hands! Could you, after the
registration, forget about yet another bureaucratic mechanism? No. So, you
have to live with this.
In accordance with the Law: “... any change of information required for
registration shall be informed about by PDD owner to SSPDP no later than
within ten working days from the occurrence of such change.”
What is the sequence of actions of a law-abiding owner? For example, the PDD manager, a certain Mr. Hennady Pavlovich, has changed his address.
The PDD owner has to:
1) approach Mr. Hennady Pavlovich to obtain his consent to process his
personal data (as the status of manager does not exempt him from the
status of SPD);
2) having obtained the consent, introduce the changes into the PDD;
3) advise SSPDP of the changes introduced in the record.
Having changed the address of the actual location or storage of PDD media, don’t forget to inform SSPDP.
In addition, the rules for document circulation and the
procedure for carrying out an employer’s activities require of the employer
constant internal processing of PD. Although changes in the data of an SPD
do not have to be reported to SSPDP, the procedure of
obtaining consent means that data processing adds a lot of documentary burden
for the employer. It is even hard to rejoice sincerely at a new addition
to an employee’s family…
Given such a scenario, an individual or a minor legal entity, once
having faced the difficulties, would choose to extend its staff by just
one person, but a larger entity would have to establish a separate unit
both for internal “correspondence” regarding the processing of SPDs’
data and for “correspondence” with SSPDP. This is a real way to
absurdity, isn’t it?
According to the Law: “…personal data in PDD is subject to elimination
in case of termination of legal relations between SPD and PDD owner,
unless otherwise prescribed by the law”. However, as far back as 1998
the Main Archive Direction re-obliged an employer to keep personal data
for as long as 75 years. This provision is not a new one but inherited. And
according to the legislative hierarchy, a law supersedes an order, so
is the practice of document circulation and archiving to be ignored?
And remember, you also have to inform both the SPD and all persons to whom this data was communicated about the elimination of PD.
Article 1 — mistake No. 1.
The exception to the general rule of obligatory registration, by virtue of
exclusion from the scope of the law, concerns the activity of creating PDD
and processing personal data in these databases, which is carried out:
- by physical persons - exclusively for non-professional private and domestic needs;
- by journalists - in view of their official and professional duties;
- by professional artistic intellectuals - to carry out creative activity.
Since the Law of Ukraine “On State Support of Mass Media and Social
Protection of Journalists” defines a journalist as “a creative worker
who professionally collects, receives, creates and prepares information
for media ...”, the second category of exempt subjects is included
in the third category. All that is left to do is to put the accent on
the unusual attention given to exceptions from the scope of any
In the United Kingdom personal data is protected under the Data
Protection Act, 1998 (hereinafter - the Act), which is based on the
principle of differentiation of PD. This state, a party to the
Convention, introduced a “required obligatory registration”, which
provides exceptions for:
1) owners engaged in the processing of private information for:
- personnel management (including billing information);
- advertising, marketing, public relations (in connection with commercial activities);
- accounting;
2) some non-profit organizations;
3) processing of personal data for private, family and domestic purposes (including leisure activity);
4) owners engaged in processing of personal data to maintain a public register;
5) owners not engaged in computer processing of personal data.
The register of owners is maintained by the Information Commissioner,
who is also authorized to impose monetary penalties for violation of the
registration requirement. The register maintenance is supervised by the Information
Commissioner’s Office. The institutional system is complemented by
the tribunal for information policy, which is part of the system of
administrative court procedure.
Exceptions in the British system are not exceptions for the sake of
exceptions; they are really aimed at eliminating bureaucracy
in the activities of PDD owners who deal with the processing of the “operational
minimum of PD”, and at the protection of “sensitive” PD.
Why is this important today? As of November 10, 2011, SSPDP received,
processed and recorded 1,203 applications for registration of PDD into
the State Register of PDD. Upon consideration of these applications the
SSPDP Interim Commission for review of the documents for PDD
registration brought 861 PDD into the State Register. What is that, a
violation of the law?
At first glance, the statistics indicate non-compliance by PDD
owners with the current legislation on PD protection through avoidance of PDD
registration. But in fact, for the PD protection system to run properly,
the key mechanism has to be launched - the mechanism of accountability
for violations of the law on PD protection. The relevant changes will take
effect from January 01, 2012 and provide for administrative and criminal
liability in accordance with the Code of Administrative Offences (CAO)
and the Criminal Code of Ukraine (CCU).
In particular, the initiatives contemplate an administrative
responsibility in the form of penalties for failure to register PDD:
- for individuals - ranging from 300 to 500 tax-free incomes, that is from UAH 5,100 to UAH 8,500 and
- for officials and private entrepreneurs - ranging from 500 to 1000 tax-free incomes, that is from UAH 8,500 to UAH 17,000.
Since the majority of registrations will concern databases that
contain the “operational minimum of PD”, a “misunderstanding” of the
concept of mandatory registration may prove costly for PDD owners.
Publicity of information
From January 01, 2012 the Register’s data will be publicly available on
the web-site of the Register’s administrator (SE “Information Center”
of the Ministry of Justice of Ukraine) by searching and browsing the
information about PDD (name of database, information about the owner.
For individuals – with available name, purpose of data processing,
registration number of the record of PDD within the Register). The
search, thus, may be performed based on the last three items.
Ukraine has once again followed the path of “anti-people law-writing”,
putting additional bureaucratic, financial and administrative burden on
entrepreneurs – the registration for the sake of registration and not to
protect the required category of “sensitive” PD.
Undoubtedly, it is hard to overestimate the institution of PD protection
in the contemporary environment of unauthorized use of PD. However, Ukraine
must base its requirement to register PDD on the principle of
differentiation of personal data. This, on the one hand, would help meet the
objective of protecting the personal data that needs it and, on
the other hand, would not create additional barriers to the activity of
PDD owners representing small and medium businesses.
Instead of curing Ukraine’s legal system, ill-conceived legislative
reform brings it just “sores because it made sense to consult a doctor
first, get a prescription and even buy medicine. It is necessary to take
medicine properly and systematically rather than chase elusive health
by taking excessive antibiotics and tranquilizers, especially when this
health is badly needed by millions of people”.
Bek Marianna, Associate,
Oleksiy Volkov, Managing Partner,
Volkov and Partners Law Firm