Mon, Jun
53 New Articles

Ukrainian Data Protection Considerations Related to COVID-19

Ukraine: Ukrainian Data Protection Considerations Related to COVID-19

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The restrictions that have been implemented by most governments to tackle the COVID-19 pandemic have affected various sectors of the economy and changed the way most businesses operate.

Many companies have switched to remote working to minimize personal contact to the extent possible. As a result, the intensity and volume of the data flow inside organizations has risen dramatically, making data protection compliance as compelling as it was at the end of May 2018 when the General Data Protection Regulation (GDPR) became effective.

Let’s have a closer look at how the Ukrainian data protection framework and the country’s regulatory authorities are dealing with some of most crucial issues put on the agenda by COVID-19.

Lawfulness of Processing

Under the general rule, processing of personal data (including health data) requires the consent of individuals whose personal data is processed. In addition, processing of health data, which has a higher level of legal protection by operation of law, requires that the Ukrainian Parliament Commissioner for Human Rights (the “Regulator”) be notified.

Nevertheless, health data may be processed without the consent of an individual if, for example, processing is necessary for the due performance of the controller’s statutory obligations or to protect the vital interests of the individual whose data is processed.

In addition, processing of health data does not require the obtaining of consent if it is required for public health purposes and where the processor has a medical license or is a medical worker or a person employed with a medical institution.

Position of Regulator?

Although most European data protection authorities have issued official positions on whether certain health data (e.g., body temperature, fact of being tested COVID-19 positive, etc.) may be collected/processed without consent based on the public interest or other exemptions, the Regulator, so far, has remained silent.

Given the nature of the COVID-19 crisis, the requirement to notify the Regulator of the processing of health data appears to be quite burdensome and even impractical for some processors. As the result, some of them have approached the Regulator asking whether this requirement may be temporary lifted.

While the Regulator has not yet announced its official position, we expect it to follow a general trend set by most data protection authorities, acknowledging the challenges raised by COVID-19 in terms of managing data protection and information security matters, but eventually reinforcing the view that the relevant laws should still apply.

Further Course of Action

While the Regulator has not yet provided any guidance on how to deal with the data compliance challenges caused by COVID-19, we have a few recommendations on how to deal with some of these challenges.

We recommend checking the subject matter of consents the company has already obtained. This may be especially relevant in relations between employer and employees. Most likely, such consents do not cover health data which the employer may collect and/or process through, for example, the use of thermal cameras. If this is the case, the processing of health data of such employees requires obtaining a separate consent (as the purpose of the initial processing has changed).

The employer may inform employees of the fact that other employees have tested positive for COVID-19, and of their potential exposure. However, the employer should not disclose the identity of infected employees to their colleagues.

Information Security

While the regulatory framework addressing information security matters remains quite undeveloped, we recommend that companies act responsibly and proactively by applying best practices without external stimulus.

It is easier to develop a solid IT infrastructure and introduce relevant policies within the company in advance, thereby reducing the risks attached to email scams, social engineering, and so on, than to refrain from doing so and await potentially adverse consequences.


While it is hard to predict how long COVID-19 and the relevant restriction measures will last, it is important to see the opportunities attached to such challenging times.

Shifting to remote work may be a good test for companies’ IT systems and personal data compliance policies. This change may either show the areas for improvement or, on the contrary, confirm that the internal business processes are flexible and can be easily adjusted even to the realities of COVID-19.

By Mykola Stetsenko, Partner, and Dmytro Symbiryov, Senior Associate, Avellum

This Article was originally published in Issue 7.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Avellum at a Glance

AVELLUM is a leading Ukrainian full service law firm with a key focus on Finance, Corporate, Dispute Resolution, Tax, and Antitrust.

Our aim is to be the firm of choice for large businesses and financial institutions in respect of their most important and challenging transactions.

We build lasting relationships with our clients and make them feel secure in new uncertain economic and legal realities.

We incorporate the most advanced Western legal techniques and practices into our work. By adding our first-hand knowledge, broad industry experience, and unparalleled level of service we deliver the best results to our clients in their business endeavours. Our partners are taking an active role in every transaction and ensure smooth teamwork.

AVELLUM is recognised as one of the leading law firms in Ukraine by various international and Ukrainian legal editions (Chambers, The Legal500, IFLR1000, The Ukrainian Law Firms, and others).

Firm's website: www.avellum.com