Background
While employee privacy regulation is not new around the world, it is continuously developing. It is also becoming more detailed as our lives become more and more digital, the workforce more mobile, economies more fragile, and various types of laws within and across economies converge. The economy and the employment market in Ukraine are no exception to this phenomenon. In January 2011, the new Law on Personal Data Protection entered into force in Ukraine. It is important for companies resident in Ukraine, companies operating websites assisting workers, and multinationals to understand labour, privacy and even export laws in Ukraine as they relate to the overall employment life cycle.
Official statistics regarding data protection practices are not available. Our experience demonstrates that subsidiaries of international companies, especially B2C companies, were the first to start implementing privacy policies, including employee privacy. We think that the overall number of companies that began to adjust their business in line with the privacy issues starting from early 2011 is rather low. Lack of extended practice amongst data controllers in privacy compliance is the main issue of public discussions.
We would like to give an overview of some of the major risks and, even more importantly, of the mitigating controls that are necessary for those of us who do business in Ukraine.
Legal framework on employee privacy
Until January 1, 2011, personal data protection in Ukraine was regulated only by Article 32 of the Constitution of Ukraine, Articles 23 and 31 of Law of Ukraine No. 2657-XII “On Information”, dated October 2, 1992, and Articles 200 and 302 of Civil Code of Ukraine No. 435-IV, dated January 16, 2003.
Law of Ukraine No. 2297-VI “On Personal Data Protection”, dated June 1, 2010 (the “Law”), which entered into force on January 1, 2011, has essentially detailed the data protection legal framework in Ukraine.
Since January 1, 2011, Ukraine has been a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28.01.1981) with minor notices and the Additional Protocol to the Convention (Strasbourg, 08.11.2001). Law of Ukraine No. 2939-VI “On Access to Public Information”, dated January 13, 2011, which entered into force on May 5, 2011, has detailed the issues of access to public information, including certain personal data processed by the authorities.
Basic employees’ rights are set out in Labour Code of Ukraine No. 322-VIII, dated December 10, 1971 (the “Labour Code”). Nowadays, there are no special laws or regulations relating to the protection of employees’ personal data; the above “general” data protection acts are applicable.
Basic principles of data protection in Ukraine
Article 2 of the Law defines personal data as any or all information relating to an identified or identifiable individual. The notion of personal data is quite general and may refer to any identification information regarding an individual. It can include biometric data, any other background, and biographical, family, professional, skills, career, assessment and other data. Thus, if any particular data on an individual is associated with his or her name, it should be regarded as personal. If the available information is not sufficient to identify an individual, such information does not qualify as personal data.
Ukrainian legislation does not provide a notion of employee personal data. There are no special laws or regulations in Ukraine concerning employee privacy and security.
General privacy rules apply, and protection is given to all personal data that is processed by the employer (data controller). The employee’s personal data is considered general data, except trade union membership data, which (along with personal data about racial or ethnic origin, political opinions, religious or other beliefs, political affiliations, health, and sex life) is regarded as sensitive data.
The Law further imposes restrictions on the processing of sensitive personal data. Article 25 of the Labour Code prohibits requesting information about the political and ethnic affiliation, origin, or registration of the place of residence or stay of the employee.
The data controller is an individual or a legal entity who or which is granted the right to process data by law or by the consent of the personal data subject and who or which approves the purpose of the personal data processing and specifies the composition of the data and the procedures for the processing thereof. In this respect the employer shall be regarded as a data controller with respect to its employees’ personal data.
The Law regulates the processing of personal data that is performed, in full or in part, in a personal database that exists in an electronic form and/or in the form of card index files. According to a recent opinion of the Ukrainian Data Protection Authority (the “Ukrainian DPA”), each company runs at least two databases: one is related to personal data of its employees, while the other one contains data of other individuals who are contacted in the course of business. Thus, each company is regarded as a data controller with respect to personal data of its staff. Each data controller shall register its database with the Ukrainian DPA and fulfil other privacy compliance duties. In Ukraine, the purpose of personal data processing should be set forth in the law, in the company’s Charter or in other internal documents of the data controller.
Processing employee’s personal data
General provisions concerning consent requirements are applicable to employee consent. Data controllers shall obtain an employee’s consent prior to processing his or her personal data. The Law specifically requires that the consent for personal data processing be in writing or in any other documented form (e.g., electronic file or electronic “check box” option). Such consent should explicitly indicate: (i) the content and volume of the employee’s personal data to be processed, (ii) the specific and explicitly defined purpose of personal data processing, and (iii) the conditions of third parties’ access to the employee personal database, etc. As provided in Article 6 of the Law, if the purpose of personal data processing changes, a new consent must be obtained from the employee for his/her personal data processing. That is why we recommend indicating the broadest possible purpose of personal data processing.
We also recommend that recruitment agencies obtain individual consents of applicants for processing personal data for employment and recruitment purposes.
According to a recent opinion of the Ukrainian DPA, it is not necessary to obtain any consent from employees whose personal data was collected before January 1, 2011.
The processing of sensitive personal data is allowed upon obtaining explicit (opt-in) consent of the employee.
As a general rule, it is prohibited to process sensitive data unless the:
- data subject gave his/her unambiguous consent to the processing of such data;
- processing is required to exercise respective labor rights or duties;
- processing is required to protect interests of an incapable data subject;
- processing is performed by a religious organization/NGO/political party/trade union with respect to its members provided that data is not transferred to third parties without an individual’s consent;
- processing is required for setting up a legal claim;
- processing is required for medical treatment by a doctor;
- processing is related to investigation, law enforcement and justice;
- processing refers to data that has been made public by the individual.
Private companies are not entitled to request from applicants or employees any background information relating to their criminal or credit-problem-related activities. However, criminal record history may be checked in respect of candidates for CEO positions in banks or other financial companies, for positions of higher-level public service clerks, policemen, judges, members of the Parliament and similar state officials. Normally, though, the applicant himself should obtain a certificate on absence of criminal records from the police and then provide it to the employer. Credit problems of applicants are rarely investigated by potential employers.
The Constitution prohibits any tests or trials against the free will of a person. However, medical-sanitary examination is compulsory for employees who are employed in food sale/manufacturing companies. Drug or alcohol testing is rarely practiced in Ukraine, except for special routine tests for sportsmen, drivers or pilots and the like. Skill testing is not forbidden; moreover, the employer may set a probation period (general duration: 3 months). Some companies use lie detectors; however, their role as evidence is rather doubtful. Certain companies may apply Internet access restrictions for security reasons. Some companies install CCTV for security reasons. There is no specific law addressing employee monitoring. There are no special rules regarding whistle-blowing hotlines; therefore, companies shall observe the general rules regarding personal data processing. Consumer care hotlines in the private sector and anti-bribery hotlines in the public service sector are used in Ukraine. However, there is no standard approach to this issue.
Data Protection Authority
The Ukrainian DPA (the State Service of Ukraine for Personal Data Protection) was established on December 9, 2010. On April 6, 2011, the Regulations on the State Service for Personal Data Protection were approved by the Resolution of the President of Ukraine. Nevertheless, the Ukrainian DPA launched its actual activities only in mid-summer 2011.
The Ukrainian DPA is subordinated to the Ministry of Justice of Ukraine. The Ukrainian DPA’s basic competence includes:
- regulatory functions (issue of privacy regulations, recommendations and handbooks);
- controlling and penalizing functions (consideration of complaints/requests, imposition of fines and issue of obligatory compliance orders);
- database registration functions.
Currently, the Ukrainian DPA has a limited budget and staff and is more focused on regulatory functions and registration of databases than on controlling and penalizing functions. Mainly employees’ databases and customers’ databases are being registered.
The Ukrainian DPA’s officers take part in privacy conferences, meetings and other public events. The Public Advisory Council of the Ukrainian DPA, which was established in September 2011, brings together officials and NGOs to discuss and develop privacy policy in Ukraine.
Registration of employees’ personal databases
The database registration process was launched only in July 2011 and many companies still have not applied for registration.
The procedure for registration of employee personal databases does not differ from the procedure for registration of all other types of personal databases. Companies shall register their employee personal databases with the Ukrainian DPA by filling out a standard database registration application (the “Notification”). The law does not provide for a notification exemption regime. As indicated above, the Ukrainian DPA regards each company as a data controller of the employee database, which requires registration of the respective database in due course.
The Notification should include:
- name of the data controller (including the address of its seat or place of residence and registration number);
- name and location of the database (e.g., Database of Employees of Company “A”);
- personal data processing purposes (e.g., personal data is processed for the purposes of carrying out relations in the sphere of labour law, tax relations, accounting and audit), reference to company’s privacy bylaws and categories of data processed;
- grounds for data processing (e.g., individual’s consent or law);
- name of data processor, if any (including the address of its seat or place of residence and registration number);
- data controller’s confirmation that data security measures are applied (by virtue of signing a respective warranty clause contained in the Notification).
If any of the above data changes, the data controller should submit the updated filing to the Ukrainian DPA. Personal data itself should not be communicated (transferred) to the Ukrainian DPA.
The database registration procedure was launched in July 2011. The registration application form is available in Ukrainian at: https://rbpd.informjust.ua/
The detailed procedure for database registration is set forth in Resolution No. 616 of the Cabinet of Ministers of Ukraine, dated May 25, 2011, and Order No. 1824/5 of the Ministry of Justice of Ukraine, dated July 8, 2011.
The Ukrainian DPA has drafted recommendations concerning the provision of additional information for personal database registration purposes. The registration is free of charge. Three options of Notification filing are available: by hard-copy submission, by e-mail and by applying online.
Privacy Liability
Please note that, with effect from July 1, 2012, administrative liability (fines) and enhanced criminal liability (fines, arrest or imprisonment) for violation of privacy legislation were introduced by Law of Ukraine No. 3454-VI.
In particular, those companies which:
- fail to register their databases or fail to update the information with the Ukrainian Data Protection Authority; or
- fail to notify individuals of their privacy rights, the purpose of collecting personal data and the external recipients of personal data; or
- fail to follow the imperative instructions given by the Ukrainian Data Protection Authority,
can be fined up to a maximum of UAH 17,000 (approx. EUR 1,700).
Therefore, to avoid risks of liability it is highly recommended that all companies double-check their privacy compliance as soon as possible.
Also, many companies express concerns about possible risks of inspection of their premises by the Ukrainian DPA [the latter has the right to inspect premises where personal data is allegedly processed]. We expect that the first court cases may be initiated by individuals whose personal data is processed illegally. Some employers express concerns regarding probable situations when employees refuse to give consent for data processing.
Transborder transfer of personal data
In Ukraine, transborder transfer of personal data, including employee personal data, is allowed if:
- the adequate level of protection is provided,
- the data subject has granted the consent to transborder transfer, and
- the processing purpose remains unchanged.
It is not required to obtain approval by or submit notification to the Ukrainian DPA in case of transborder transfer. As mentioned above, Ukraine is a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows.
Brussels European Employee Relations Group (BEERG) - European Labour Law Briefing, July 2012
Author: Oksana Voynarovska, Vladyslav Podolyak