The draft law provides grounds for the processing of personal data, including biometric data, processing related to the implementation of video surveillance and the processing of personal data of deceased persons. In addition, the draft law establishes the rights of data subjects, the obligations of data controllers, including the adoption of privacy by design and security requirements for processing and the conduct of a data protection impact assessment.
The draft also contains sectoral requirements, among which are rules on the processing of personal data by employers. The draft also sets out requirements for reporting data protection breaches, in particular requiring data controllers to notify the supervisory authority no later than 72 hours after becoming aware of the breach. An exception is made in cases where the breach is unlikely to jeopardise the rights or freedoms of an individual. In addition, the Draft Law provides that international transfers of data may take place when:
- the third country or international organisation provides an adequate level of personal data protection;
- the recipient provides adequate safeguards for the protection of personal data; and
- the transfer would take place under approved corporate rules consistent with the requirements of the draft law.
Decisions to prosecute personal data protection offences, as well as other measures provided by law, are to be taken by the supervisory authority. In this regard, the draft law provides for penalties of up to UAH 150 million (approximately €4 million) and 8% of the total annual turnover of such legal entity for the last financial year.