In today’s digital world, the issue of personal data protection is of particular importance. With the rapid development of digital technologies, their processing has become an integral part of the activities of government agencies, businesses and society as a whole. At the same time, ensuring their proper protection is not only a legal obligation, but also an element of trust.
I would like to point out that legal relations related to the protection and processing of personal data are regulated by the Law of Ukraine “On Personal Data Protection”. This law is aimed at ensuring fundamental human rights and freedoms, including the right to privacy, in connection with the use of information about a person.
This law provides for the right of an individual to protect his or her personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision, as well as to protect against the provision of information that is inaccurate or discreditable to the honour, dignity and business reputation of an individual.
Read also: Children returned from TOT and the Russian Federation: how they are welcomed and assisted at the Child Rights Protection Centre
How data controllers should ensure personal data protection
I would like to emphasise that the use of personal information includes any actions of the owner to process, protect, and grant partial or full right to process to other subjects of relations related to personal data. Such actions are carried out with the consent of the personal data subject or in accordance with the law.
Owners and managers of personal data, as well as third parties, are obliged to ensure the protection of such data from accidental loss or destruction, unlawful processing, including unlawful destruction or access.
I would like to emphasise that employees who have access to personal data should use it solely within the scope of their professional, official or employment duties, and should not disclose data entrusted to them or which they have become aware of in the course of performing their functions, except as provided by law. I note that this obligation remains even after the termination of their activities related to the processing of personal data, unless otherwise provided by law. Employees who have access to personal data shall sign a written obligation not to disclose personal data.
It should also be noted that the owner and manager of personal data must ensure the protection of this data at all stages of its processing by applying appropriate organisational and technical measures. They independently determine the list and composition of measures aimed at ensuring the security of data processing, taking into account the requirements of the legislation in the areas of personal data protection and information security.
The protection of personal data includes measures aimed at preventing their accidental loss, destruction, as well as unlawful processing, including unauthorised access or destruction. To ensure the security of processing, special technical means are used to prevent unauthorised access to data.
Read also: Status S for Ukrainians: When Refugees Behave Like Tourists
As for organisational measures, they include, in particular, establishing rules for access to personal data by employees of the owner or manager; determining the procedure for recording operations related to the processing of personal data and access to them; developing an action plan in case of unauthorised access, technical failures or emergencies; regular training of employees working with personal data.
The owner and manager shall keep records of employees with access to personal data and determine the level of their access, limiting it to only those data necessary to perform their duties.
They must also keep records of operations related to the processing of personal data, storing information on the date, time and source of data collection, their change, review, transfer, deletion or destruction, as well as the employee who performed these operations and the legal basis for them.
In this case, if personal data is processed by an automated system, it should automatically record this information.
I would like to emphasise that violation of personal data protection legislation entails administrative, civil and criminal liability established by law.
More details on the requirements for personal data protection can be found in the Standard Procedure for Personal Data Processing at the link.
Read also: Labour imbalance due to the war: Ukrainians are looking for work in the EU, while the labour market at home suffers from a shortage of staff
Why is this issue under my control as the Ukrainian Parliament Commissioner for Human Rights?
By law, I, as the Ukrainian Parliament Commissioner for Human Rights, exercise parliamentary control over compliance with personal data protection legislation and have the right to consider citizens’ appeals related to violations of their right to personal data protection and make decisions based on the results of their consideration, conduct inspections of personal data owners and managers, and provide recommendations.
It should be noted that any person whose right to personal data protection has been violated may file a complaint with me.
Read also: The right to education for persons with disabilities and persons with special educational needs: problems and solutions
Why protecting private information is our shared responsibility
In today’s world, personal data protection is one of the key elements of ensuring human rights and freedoms, as well as trust in government agencies and private companies. The Law of Ukraine “On Personal Data Protection” establishes the legal framework for regulating the processing and protection of personal data, defines the rights of data subjects and the obligations of data owners and managers. Importantly, personal data protection must be ensured at all stages of its processing using appropriate technical and organisational measures, and employees working with such data must maintain confidentiality.
Read also: Freezing of US international humanitarian aid leads to additional suffering for the most vulnerable