Data Protection and Digital Compliance in Ukraine
Ukraineʼs data protection framework is in active transition. The Law on Personal Data Protection — the 2010 statute now scheduled for replacement — establishes the compliance obligations for companies collecting and processing personal data of Ukrainian residents. In parallel, the Diia digital ecosystem is reshaping how personal data is verified, shared, and processed in both public and commercial contexts.
For international companies operating digital services in Ukraine, or engaging Ukrainian technology suppliers who process personal data, the compliance picture requires analysis of both the framework in force and its trajectory toward GDPR alignment. We advise on data protection as an integrated element of IT contracts (→ IT Contracts and Software Transactions) and cross-border technology transactions (→ Technology Transfer and R and D Investment).
Legal and regulatory framework
The law in force. The Law of Ukraine on Personal Data Protection (No. 2297-VI) establishes the core obligations for controllers and processors — consent requirements, data subject rights, cross-border transfer restrictions, and breach notification. It applies to any processing of personal data of Ukrainian residents, regardless of where the controller is established. Supervision sits with the Ukrainian Parliament Commissioner for Human Rights.
The law that is coming. Draft Law No. 8153 — a complete new edition of the 2010 statute — passed its first reading in the Verkhovna Rada on 20 November 2024 and remains in redrafting ahead of a second reading. It is a deliverable of Ukraineʼs EU accession roadmap and is designed to bring Ukrainian law substantially into line with GDPR. What it introduces:
- A dedicated independent supervisory authority, replacing the Ombudsman in this function
- Financial penalties of up to UAH 30 million for violations
- The right to erasure — for the first time in Ukrainian law
- Privacy by design and privacy by default as statutory obligations
- Mandatory appointment of a data protection officer
- Statutory definitions of biometric and genetic data, and a prohibition on processing sensitive data
- Express regulation of processing by employers, video surveillance, direct marketing, and online processing
- Defined criteria for cross-border transfers
The draft as it stands contains no transition period for business. Compliance structured only to the 2010 text may require rapid remediation once the new law is adopted — which is why we structure against the direction of travel, not only against the current statute.
This practice covers data protection as an integrated element of IT contracts, technology transactions, and digital infrastructure projects — Ukrainian law analysis, DPA drafting, cross-border transfer structuring, and Diia integration. For IT contract structuring specifically → IT Contracts and Software Transactions. For critical and digital infrastructure projects → Digital Infrastructure Projects.
Where the three frameworks stand
GDPR applies directly to companies established in the EU processing personal data of Ukrainian residents, and to non-EU companies offering goods or services to individuals in the EU. For cross-border digital services touching both EU and Ukrainian personal data, both frameworks apply — and they are not identical.
| Element | Ukraine — Law 2297-VI (in force) | Ukraine — Draft Law 8153 (pending) | GDPR |
|---|---|---|---|
| Supervisory authority | Parliament Commissioner for Human Rights | Dedicated independent authority | National DPAs, coordinated through the EDPB |
| Penalties | Administrative fines — low by EU standards | Up to UAH 30 million | Up to EUR 20 million or 4% of global turnover |
| Right to erasure | Not expressly provided | Introduced | Art. 17 |
| Privacy by design / default | Not a statutory obligation | Statutory obligation | Art. 25 |
| Data protection officer | Not mandatory | Mandatory appointment | Mandatory in defined cases (Art. 37) |
| Cross-border transfers | Adequacy list; otherwise consent or contractual protections | Defined statutory transfer criteria | Adequacy decisions, SCCs, BCRs, derogations |
| Sensitive data | Restricted processing | Express prohibition, with exceptions | Art. 9 |
| Employer processing, video surveillance, direct marketing | Not expressly regulated | Expressly regulated | General principles plus national law |
The practical consequence: GDPR compliance does not deliver Ukrainian compliance, and vice versa. Consent standards, legitimate interest grounds, retention rules, and breach notification timelines differ in ways that require deliberate structuring rather than assumed equivalence.
The Diia digital ecosystem
Diia — Ukraineʼs state digital services platform — has become a significant infrastructure layer for personal data verification, document authentication, and digital identity in commercial transactions. For companies integrating Diia-based identity verification into their digital services, the framework governing data access, processing obligations, and liability allocation requires analysis. Integration requires an operator agreement with the Ministry of Digital Transformation, which imposes specific obligations on data access, processing purposes, and security. The operator bears responsibility for the lawfulness of its own use of Diia-verified data.
Scope of services
Ukrainian compliance analysis
- Assessment of Ukrainian obligations for the specific business model or transaction
- Controller and processor classification under Ukrainian law
- Consent mechanism analysis — Ukrainian requirements vs GDPR standards
- Data subject rights implementation and how it differs from GDPR
- Retention obligations, deletion requirements, and regulatory interaction
Data processing agreements
- DPAs under Ukrainian law — standalone and as annex to IT contracts
- Controller-processor and joint controller arrangements
- Sub-processing chains — documentation and flow-down obligations
- Processing clauses in IT outsourcing and software development agreements
- SaaS and cloud services data processing terms
Cross-border transfer structuring
- Ukrainian law adequacy assessment for the destination jurisdiction
- Transfer mechanism identification — SCCs, binding corporate rules, consent
- Interaction between Ukrainian transfer restrictions and GDPR mechanisms
- Transfer provisions in cross-border IT contracts and outsourcing
- Due diligence on transfer arrangements in technology M and A
Diia ecosystem integration
- Legal analysis of Diia operator agreement obligations
- Data processing responsibility allocation in Diia integrations
- Liability framework for identity verification failures
- Contractual provisions for Diia integration in service agreements
- Regulatory interaction with the Ministry of Digital Transformation
Data protection in transactions
- Provisions in software development and IT outsourcing agreements
- Privacy by design requirements in contract specifications
- Data protection due diligence in technology M and A and investment
- Compliance review of existing IT contracts
- Breach notification — contractual allocation and regulatory requirements
Readiness for Draft Law 8153
- Gap assessment against the draft as it currently stands
- Data protection officer requirement — whether the client falls within scope
- Privacy by design and by default — review of existing arrangements
- Consent mechanism review against the stricter draft standards
- Drafting that anticipates the new framework without over-committing to a draft that may change
From our practice
A US software company had engaged a Ukrainian development team as an independent contractor and, in parallel, was serving EU end users through its platform. Its data processing documentation consisted of a single GDPR-standard DPA with the Ukrainian supplier, on the assumption that GDPR compliance would carry Ukrainian compliance with it.
It did not. The Ukrainian supplier was processing personal data of Ukrainian residents in the course of testing, and that processing fell squarely within the Law on Personal Data Protection regardless of the English governing law of the main services agreement. The consent basis relied on in the GDPR DPA did not map to Ukrainian requirements, and the onward transfer to the companyʼs US infrastructure had no Ukrainian law transfer basis at all.
Outcome — a Ukrainian law-compliant DPA annexed to the existing services agreement, a documented transfer basis for the flow to US infrastructure, a corrected consent mechanism, and a mapped sub-processing chain. We also flagged the provisions that would need to change if Draft Law 8153 is adopted in its current form — in particular the data protection officer requirement, into which the client would fall.
Work algorithm
Step 1 — Operational and data mapping. We identify the personal data flows relevant to the transaction — what data is collected, from whom, by which entity, for what purpose, and to where it is transferred.
Step 2 — Framework identification. We determine which frameworks apply — Ukrainian law, GDPR, or both — and identify the specific obligations arising in the clientʼs operational context.
Step 3 — Gap analysis. We assess existing arrangements against the applicable requirements, and against Draft Law 8153, identifying gaps that require contractual or operational remediation.
Step 4 — Structuring. We design the compliance structure — controller and processor allocation, transfer mechanisms, consent frameworks, and contractual provisions.
Step 5 — Documentation. We draft or review the relevant agreements — DPAs, transfer arrangements, privacy notices, and data protection provisions in the underlying commercial contracts.
Step 6 — Integration. We integrate the data protection documentation into the broader transaction structure, ensuring consistency with the commercial and operational terms.
Who we work with
We act as Ukrainian Local Counsel on data protection, typically as a component of a broader technology transaction rather than as a standalone mandate.
Our clients include:
- International technology companies engaging Ukrainian development capacity or operating digital services in Ukraine
- Foreign companies whose IT contracts or outsourcing arrangements involve processing of Ukrainian personal data
- Investors and funds conducting data protection due diligence on Ukrainian technology assets
- International law firms requiring Ukrainian data protection analysis in cross-border technology transactions
- Ukrainian technology companies entering international relationships that require GDPR-aligned processing arrangements
Typical situations we handle:
- A US company has engaged a Ukrainian development team and needs DPA provisions satisfying both Ukrainian law and GDPR
- A European SaaS provider expanding into Ukraine needs analysis of how Ukrainian law interacts with existing GDPR-compliant terms
- An international fund is acquiring a Ukrainian technology company and needs data protection due diligence
- A company is integrating Diia-based identity verification and needs the operator agreement and processing obligations reviewed
- An international law firm needs Ukrainian data protection analysis for a cross-border technology transaction
Key experts
![]()
Doctor of Laws — Data protection in technology transactions, cross-border transfer structuring, DPA integration in IT contracts and outsourcing
![]()
PhD — Ukrainian personal data protection law, GDPR interaction analysis, Diia ecosystem framework, regulatory compliance for digital services
![]()
Data protection disputes, regulatory proceedings before the supervisory authority, enforcement of processing obligations in Ukrainian courts
FAQ: Data Protection and Digital Compliance in Ukraine
Does Ukrainian data protection law apply to foreign companies with no Ukrainian presence?
Yes. Ukrainian data protection law applies to any processing of personal data of Ukrainian residents, regardless of where the controller is established. A foreign company that collects personal data from Ukrainian users through a website, application, or digital service is subject to Ukrainian obligations. The extraterritorial scope is similar in concept to GDPR reach, though the specific obligations differ.
How does Ukrainian data protection law differ from GDPR?
The frameworks share a conceptual foundation but differ materially. Consent standards under Ukrainian law are in some respects broader than GDPR legitimate interest grounds; data subject rights under the current law are less detailed; breach notification has different timelines and addressees; and the supervisory structure differs — supervision currently sits with the Parliament Commissioner for Human Rights rather than a dedicated authority. Draft Law 8153 is expected to narrow these gaps, but for current transactions the differences require deliberate analysis rather than assumed equivalence.
What transfer mechanism is required for cross-border personal data transfers from Ukraine?
Ukrainian law requires that personal data be transferred only to countries ensuring an adequate level of protection — a list maintained by the Ukrainian supervisory authority. Where the recipient country is not on the list, consent of the data subject or specific contractual protections are required. This is a distinct requirement from GDPR transfer mechanisms and requires separate compliance analysis. Draft Law 8153 introduces defined statutory transfer criteria.
Do we need a separate Ukrainian DPA if our main contract is governed by English law?
Where the counterparty is a Ukrainian entity processing personal data of Ukrainian residents, Ukrainian data protection law applies to that processing regardless of the governing law of the main commercial agreement. A Ukrainian law-compliant DPA may be required in addition to, or as an annex to, the main agreement. Choice of foreign law does not displace Ukrainian data protection obligations.
What are the legal obligations when integrating Diia into a commercial digital service?
Integration with Diia requires entering into an operator agreement with the Ministry of Digital Transformation, which imposes specific obligations on data access, processing purposes, and security requirements. The operator bears responsibility for the lawfulness of its own use of Diia-verified data within its service. We analyse the operator agreement obligations, the allocation of processing responsibility, and the liability framework for verification failures.
When is Draft Law 8153 expected to be adopted, and what should we do now?
The draft passed its first reading on 20 November 2024 and remains in redrafting ahead of a second reading. No adoption date is fixed. The practical point for business is that the draft as it stands contains no transition period — meaning that once adopted, remediation would need to be rapid. We advise structuring current arrangements so that they are compliant with the law in force while being resilient to the changes the draft would introduce: in particular the data protection officer requirement, privacy by design obligations, and the new transfer criteria.
Related practices
Ready to proceed?
We will assess your data protection arrangements against the law in force and against the framework that is coming, and structure the compliance path accordingly.