Latest news, Opportunities, Stories, Explainers, Publications, Opinion polls, Profiles, Blog, Activities
Personal data protection: a key aspect in the cooperation between Ukraine and the EU 
July 25, 2023

Personal data protection: a key aspect in the cooperation between Ukraine and the EU 

Author: Anzhelika Yefimova

According to information provided by Forbes in 2017, more than 3.7 billion humans use the Internet. In order to do any ordinary business (whether ordering lunch or logging in to the email), we use our own data and thereby transfer it to the companies that own the websites we visit. However, in the event of a company’s careless behaviour with an individual’s personal data, data can be leaked and have huge consequences for both companies and individuals.

Because of these risks, states and international organisations have decided to improve control over the transfer and use of personal data, including in the context of transnational cooperation.

On June 23, Ukraine acquired the status of candidate for EU membership, which, according to the Vice-Prime Minister for European and Euro-Atlantic Integration of Ukraine, implies the large-scale transformation of all spheres of cooperation between Ukraine and the EU. Such areas include the protection of personal data, without which the principles of the EU will not be respected, and therefore the legal protection of individuals in the field of personal data will be violated.

Protection of personal data is one of the painful topics in business today, as many questions arise when trying to meet EU standards, but the main principle of international law is the respect and protection of human rights, so it is the primary task of states to prevent their violation. 

Information rights

With the development of technology, the march of globalisation, and the ever-increasing worldwide connection to the Internet, society needs to initiate control over information transmitted by automated and non-automated means.

First of all, it is worth focusing attention on the fact that human rights are theoretically divided into several generations, which in turn include rights of different nature: 

  1. The first generation of human rights includes civil and political rights, the main idea of which is to ensure the formal equality of all, as well as to ensure protection against the arbitrariness of the state.
  2. Economic, social and cultural rights make up the second generation of human rights, which are the answer to the social inequality of various categories of the population.
  3. Collective rights are the third generation of human rights, which consist in preserving the rights of ethnic and cultural minorities to their own self-identity, and are also closely related to environmental rights.

The object of this article are information rights, which are among the so-called “first generation” rights – civil, political and cultural rights. 

Information rights refer to the rights related to the obtaining, distribution, use, and protection of information. Subjects of information rights are not only natural persons, but also legal entities and the state, since during their activities they receive information in the form of personal data and thereby acquire rights and bear certain obligations regarding this information.

The importance of the cooperation of states in this area is directly related to the role of the Internet and the use of social networking platforms, since the acquisition of sensitive information about any person poses a threat to society as a whole. Therefore, the state undertakes to improve the level of protection of personal data because a person is the highest social value.

Cooperation between Ukraine and the European Union

Ukraine did not have a direct obligation to implement the provisions of the General Regulation on the Protection of Personal Data No. 2016/679 (hereinafter – “GDPR” and “Regulation”)  into its own legislation within the framework of the EU Visa Liberalisation Action Plan for Ukraine or the European Union-Ukraine Association Agreement. However, within the framework of the Association Agreement, Ukraine undertook to bring its legislation on the protection of personal data into line with international standards. Thus, the Cabinet of Ministers of Ukraine decided to harmonise the provisions of Ukrainian legislation with European standards. Accordingly, changes were made to the Action Plan for the implementation of the Association Agreement.

Undoubtedly, these changes have a significant impact on the activities of enterprises, especially on the work of lawyers who provide legal services to businesses. For instance, during my work as a legal adviser to agricultural enterprises of Ukraine, I had a case where an individual did not have adequate knowledge about his rights in the field of information:

A request was received for information regarding an employee of the enterprise, as well as several agreements related to the sale of agricultural products. The argument of this request was the right to receive public information, and provided relevant norms from the legislation of Ukraine. Here, the individual made a mistake, which manifests itself in the following moments:

  1. The enterprise was a person of private law, which is not a manager of public information in the context of the Law of Ukraine “On Access to Public Information” (a controller in the context of GDPR), and therefore the request for the provision of public information is not appropriate.
  2. The information that the individual wanted to receive is information with limited access, so it can be distributed only in cases provided for by law and local acts of enterprises. For example, data about an employee of the enterprise is protected by the Law of Ukraine “On the Protection of Personal Data” and international treaties, the binding consent of which was given by the Verkhovna Rada of Ukraine.

The above-mentioned legislative acts are currently being harmonised in accordance with international standards in the field of information rights. One of the main acts in the international arena of a local nature, which regulates the issue of personal data protection, is the GDPR adopted within the European Union.

GDPR is a revolutionary document that gives the right to people who are in the territory of the European Union to control their own personal data, and one of the main goals of this regulation is the formation of a free, safe and fair economic space between the participating states.

Basic provisions of the GDPR 

The European Union’s Charter of Fundamental Rights and the Treaty on the Functioning of the European Union enshrine the right of every natural person to the protection of personal data, so the GDPR specifies this right and provides more protection mechanisms for the natural person. Moreover, each state has its own national interest, which is the core of international relations. This national interest includes an economic aspect, so the GDPR also ensures economic and social development. Compliance with the terms of the GDPR is one of the keys to access to the EU economic market.

Let’s start with the definition of “personal data”, since this is one of the most important points in working with such data. Personal data is any information relating to a data subject (a natural person who can be identified). For example, when filling out an Erasmus+ application, an individual provides personal information such as name, age, email addresses, etc. According to such data, another person can identify such a person and make an “approximate portrait”: this guy’s name is Martin, he is 22, he is currently in Warsaw and is studying to be an economist.

The Regulation establishes the rules for the protection of personal data in connection with their processing and the rules for the free movement of personal data. “Processing of personal data” means any action directed to personal data, with or without the use of automation tools, and related to the collection, distribution or other type of provision of access, use, recording, organisation, revision, destruction etc. For example, the Erasmus+ organisers process the personal data of each applicant: first they create a Google form to fill out the application, then collect personal data with the help of automation tools (gadgets), use this data to analyse candidates, store the data and may distribute it to ensure the participation of certain individuals in this programme. Or another example from my experience is the storage in enterprises of files with the data of each employee, which means the use of means of non-automated data processing. Each folder provides the ability to identify an individual, so such cases are also covered by the GDPR.

Relevant legal relations in the field of personal data have parties who, in turn, have rights and obligations. Such parties in such legal relations are:

  • The data subject is a natural person whose personal data is processed;
  • The controller is any natural or legal entity that determines the purpose and means of personal data processing;
  • The processor is a natural or legal entity that processes personal data of the subject at the request of the controller.

A natural person, registering on a certain website in order to order a product or service, provides their personal data to the owner of this website. In this situation, this person is the data subject and the website owner is the controller. He can process personal data only in accordance with the purpose he has set, namely: to sell a product or provide a service.

However, it is important to note that the right to personal data protection available to the subject of personal data is not absolute. It must be balanced with other rights in order to be balanced according to the principle of proportionality. For example, in ordinary life, the controller/processor of information has no right to distribute information known to them about a natural person without their consent, but in some cases (for example, prosecution of this natural person in the framework of criminal proceedings) the controller/processor can provide information about a natural person to the competent authorities to a reasonable extent without the consent of such a natural person.

Another important aspect of GDPR is territorial jurisdiction. The regulation applies when there is processing of personal data by the controller/processor, regardless of whether the processing of this information takes place on the territory of the EU. For instance, if Maria, a Ukrainian, being in France, saw an advertisement for a product manufactured by a Ukrainian brand, then the Ukrainian brand must comply with GDPR standards, since the target is a person who is in the EU, and the purpose of the target is to sell goods/provide services. Why? Because as a result, there is a possibility that Maria will want to buy a product from this brand, and in this relationship there will be a transfer of personal data by the person to the manufacturer. Non-compliance with GDPR standards is a threat to economic well-being within the EU market, which is one of the main goals of this regulation.

The other side of the territorial jurisdiction is the organisational unit of the enterprise on the territory of the EU. The highlight of this is that this organisational unit may or may not have the legal status of a legal entity. For example, an enterprise registered as a legal entity in Ukraine has an employee who lives in Belgium. This employee performs his work duties in the EU, so the GDPR applies, regardless of whether the services/goods are provided in the EU.

Summary 

Ukraine is on the way to digitalisation of certain spheres of social activity, therefore the legislation needs updating and mechanisms for proper protection of personal data. Despite the fact that it is impossible to predict all possible risks, Europe is a leader in the field of personal data protection, which provides adequate guarantees of protection for people in case of negative situations. Therefore, cooperation in this area is one of the areas related to cyber security, and therefore to the security of the state and society as a whole, which cannot be ignored.

Looking at the latest trends, taking into account the mistakes in the protection of personal data, Ukraine and the European Union are making big changes in the relationship between them in the field of personal data protection.

Anzhelika Yefimova

LATEST

SEE ALL

More campaign pages:

Interested in the latest news and opportunities?

Sign up

This website is managed by the EU-funded Regional Communication Programme for the Eastern Neighbourhood ('EU NEIGHBOURS east’), which complements and supports the communication of the Delegations of the European Union in the Eastern partner countries, and works under the guidance of the European Commission’s Directorate-General for Neighbourhood Policy and Enlargement Negotiations, and the European External Action Service. EU NEIGHBOURS east is implemented by a GOPA PACE-led consortium. It is part of the larger Neighbourhood Communication Programme (2020-2024) for the EU's Eastern and Southern Neighbourhood, which also includes 'EU NEIGHBOURS south’ project that runs the EU Neighbours portal.

The information on this site is subject to a Disclaimer and Protection of personal data. © European Union,