Ukraine's data protection authority – the Уповноважений Верховної Ради України з прав людини (Ukrainian Parliament Commissioner for Human Rights, acting as the national DPA) – has materially intensified its enforcement posture. International companies processing Ukrainian personal data are now exposed to scrutiny that did not meaningfully exist two years ago. Inaction carries direct financial and reputational risk.
Ukraine's data protection legislation was substantially amended to align with European standards, with reinforced enforcement provisions taking effect in 2025. Every data controller and data processor that handles personal data of Ukrainian residents – regardless of where the company is incorporated – is within the DPA's jurisdiction. Companies that fail to implement compliant consent mechanisms, lawful data transfer safeguards, and internal processing records face administrative sanctions and potential suspension of data operations.
This alert explains what changed, which businesses are affected, and the specific steps international companies must take now to remain on the right side of Ukrainian data protection law.
What changed and when it took effect
Ukraine has pursued a deliberate policy of converging its privacy regime with GDPR compliance standards as part of its broader EU association agenda. The latest wave of enforcement reflects amendments to the primary data protection legislation that came into force in the first half of 2025.
The core changes introduced three new operational requirements. First, data controllers must maintain detailed records of processing activities. These records must identify the legal basis for each processing purpose, the categories of data subjects, and the retention period applied. Second, cross-border data transfer to countries outside a defined list of adequate jurisdictions now requires either explicit contractual safeguards or specific DPA authorisation. Third, consent mechanisms must meet a higher standard: blanket or pre-ticked consents are explicitly invalidated, and withdrawal of consent must be as simple as giving it.
Alongside the substantive changes, the DPA has issued binding guidance on enforcement priorities. Remote-sector businesses – including e-commerce platforms, financial technology companies, and digital health services – are identified as primary audit targets. The DPA has also begun coordinating with sector-specific regulators, meaning that a data protection investigation may now run in parallel with a financial or telecommunications regulatory inquiry.
For companies with parallel exposure in neighbouring markets, our alert on data protection enforcement developments in Russia sets out comparable developments in that jurisdiction.
Who is affected and the compliance threshold
The legislation applies to any entity that determines the purposes and means of processing personal data of individuals located in Ukraine. Physical presence in Ukraine is not required. A company incorporated in the EU, the UK, or the Americas that operates a Ukrainian-language website, targets Ukrainian consumers, or monitors the behaviour of Ukrainian users is caught by the rules.
The DPA has indicated that its enforcement priorities fall across the following business categories:
- E-commerce and marketplace platforms with Ukrainian user bases
- Financial technology and payment service providers
- Digital health and telemedicine services
- HR software and recruitment platforms processing employee data
- Cloud service providers acting as data processors for Ukrainian clients
The threshold for mandatory compliance is not tied to company size or revenue. Any entity – including a small cross-border operator – that processes personal data of Ukrainian residents for commercial purposes must comply in full. The absence of a local Ukrainian office provides no exemption. Companies that have previously relied on the assumption that Ukrainian data protection law lacks extraterritorial reach should treat that assumption as no longer valid.
For companies assessing their broader technology law exposure in Ukraine, including AI-driven data processing obligations, our AI and technology law practice in Ukraine covers the intersection of data protection rules and algorithmic decision-making requirements.
To receive an expert assessment of your data protection exposure in Ukraine, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
The compliance deadline is immediate: the DPA has not announced a grace period for companies that were already subject to the prior legislation. For companies newly discovering their exposure, acting within the next four to eight weeks is prudent before the next scheduled audit cycle.
The following actions address the highest-risk gaps identified in recent DPA enforcement decisions:
- Audit your processing inventory. Map every category of personal data collected from Ukrainian residents, the legal basis relied upon, and the retention period applied. Gaps in this inventory are the single most common finding in DPA investigations.
- Review consent mechanisms. Replace any pre-ticked boxes, bundled consents, or passive opt-in flows with granular, affirmative consent that meets the updated standard. Document the date and method of each consent obtained.
- Assess cross-border data transfer arrangements. Identify every transfer of Ukrainian personal data to a non-adequate third country. For each transfer, confirm that a lawful transfer mechanism – such as standard contractual clauses or DPA authorisation – is in place and documented.
- Update data processor agreements. Contracts with third-party processors handling Ukrainian data must include mandatory clauses covering processing instructions, security obligations, and sub-processor controls. Existing agreements that pre-date the 2025 amendments should be reviewed and, where necessary, replaced.
- Designate a responsible contact point. Where a company has no local presence in Ukraine, the DPA expects a designated representative or contact point capable of responding to regulatory correspondence within the prescribed timeframe.
For detailed guidance on building a compliant data protection programme for the Ukrainian market, our data protection practice in Ukraine covers the full scope of obligations under the current legislative regime.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in managing regulatory exposure across both EU and non-EU markets, including Ukraine and other CIS jurisdictions. Engaging a lawyer in Ukraine with cross-border data protection experience is particularly valuable when the DPA's enforcement reach spans multiple legal systems. As an international law firm with deep knowledge of European and emerging-market privacy regimes, we help clients align their data processing operations with local requirements quickly and efficiently. Our practitioners have advised on GDPR compliance mapping, cross-border data transfer structuring, and DPA engagement across civil law and common law systems. To discuss your data protection obligations in Ukraine, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.