An international company operating in Ukraine discovers mid-audit that it has been collecting personal data from Ukrainian residents without a valid consent mechanism in place. The compliance gap has persisted for over a year. Under Ukrainian data protection legislation, the company faces enforcement action, mandatory remediation orders, and reputational exposure – all while managing the operational realities of a market under active geopolitical pressure. The window to act is narrow.
Data protection in Ukraine is governed by dedicated personal data legislation administered by the Уповноважений Верховної Ради України з прав людини (Ukrainian Parliament Commissioner for Human Rights), who acts as the national data protection authority (DPA). Every organisation that collects, stores, or processes personal data of Ukrainian residents must register as a data controller or data processor, implement appropriate safeguards, and maintain documentation demonstrating compliance. Timelines for responding to regulatory inquiries are short – typically measured in days – and failure to respond triggers automatic escalation.
This page outlines the key legal instruments, procedural steps, common pitfalls, and cross-border considerations that international businesses face when managing data protection obligations in Ukraine. It covers the self-assessment conditions relevant to deciding whether current structures are compliant and what remediation looks like in practice.
The regulatory landscape for data protection in Ukraine
Ukraine's data protection system is built on dedicated personal data legislation that pre-dates and operates independently from the EU's General Data Protection Regulation (GDPR). However, Ukrainian privacy law has been significantly influenced by European standards, and the two regimes interact in ways that matter practically for international businesses.
The core of the legislative regime distinguishes between a data controller – the entity that determines the purpose and means of processing – and a data processor – the entity acting on the controller's instructions. This distinction mirrors the GDPR architecture, but the procedural obligations under Ukrainian law have their own requirements, deadlines, and enforcement logic.
Businesses operating in Ukraine must register databases of personal data with the DPA. This registration obligation applies broadly. It covers not only digital records but also structured paper-based systems containing personal data. Failure to register a database is an independent violation. It does not depend on whether any harm has occurred.
The DPA holds investigative and enforcement powers. It can initiate audits on complaint or on its own motion. During an audit, the DPA may request access to internal policies, processing records, consent forms, data transfer agreements, and security documentation. Organisations typically have between five and fifteen business days to respond to formal requests. Missing these deadlines is treated as non-cooperation and escalates the severity of the proceeding.
Ukraine's conflict context has added a dimension that is not purely legal. Data localisation questions – where personal data of Ukrainian residents may be stored and processed – intersect with national security considerations. Regulatory guidance has evolved since 2022. Businesses must verify that their current data hosting and transfer practices align with the most recent DPA positions, which have shifted materially.
Practitioners advising in Ukraine consistently note that international companies underestimate the registration and documentation obligations. They focus on GDPR compliance in their home jurisdictions and assume Ukrainian requirements are met by default. That assumption is frequently incorrect.
Key legal instruments and compliance procedures
Compliance with Ukrainian data protection law involves a structured set of obligations. Each carries its own conditions, timeline, and risk profile if missed.
Database registration is the threshold requirement. Any legal entity or individual entrepreneur processing personal data in Ukraine must submit a registration notification to the DPA before commencing processing. The notification describes the database, its purpose, categories of data subjects, and security measures in place. Registration is not a one-time event. Any material change – a new data category, a new processing purpose, a new data recipient – requires an updated notification. Processing prior to registration is itself a violation, even if the processing is otherwise lawful.
Consent mechanisms are a second pillar. Ukrainian data protection legislation requires freely given, informed, and specific consent for processing personal data in most commercial contexts. Consent must be documented. Verbal consent is insufficient for regulatory purposes. Written consent – including digital consent with a verifiable audit trail – is the required standard. Consent forms must specify the data controller, the purpose of processing, the categories of data collected, and the data subject's rights. A consent mechanism that is adequate under GDPR may still fall short of Ukrainian requirements if it does not satisfy local-language and local-format standards.
Data transfer agreements govern the movement of personal data outside Ukraine. Ukrainian legislation restricts cross-border data transfers to countries with an adequate level of protection or where appropriate safeguards are in place. The DPA maintains guidance on which jurisdictions qualify. Transfers to third countries without adequate safeguards require individual authorisation or the use of contractual mechanisms that mirror the substance of standard contractual clauses. Businesses that transfer data to EU processors or cloud providers must confirm that the Ukrainian legal basis for transfer is separately established. GDPR compliance on the EU side does not satisfy the Ukrainian transfer requirement.
Internal data protection policies are required for any organisation processing personal data above a minimal threshold. These policies must describe the processing purposes, retention periods, security measures, and procedures for responding to data subject requests. Policies must be made accessible to employees and, in relevant cases, to data subjects. A policy that exists only in English is unlikely to satisfy Ukrainian regulators during an audit.
Data subject rights under Ukrainian legislation include access, correction, deletion, and objection. Data controllers must respond to rights requests within prescribed timeframes – typically within ten business days of receipt. Delay or refusal to respond without a valid legal basis is independently actionable. A data subject can lodge a complaint directly with the DPA, triggering an investigation. The DPA may impose remediation orders and refer serious violations for administrative proceedings.
For a tailored assessment of your data protection compliance position in Ukraine, contact us at info@ferrazwhitmore.com.
Businesses with operations that involve automated decision-making or profiling of Ukrainian residents face additional scrutiny. Ukrainian legislation imposes specific restrictions on decisions taken solely on the basis of automated processing where those decisions produce significant effects for data subjects. Compliance requires either obtaining explicit consent or demonstrating a clear legal basis. For companies deploying AI-driven analytics or scoring tools, the intersection of data protection and AI regulation is material. The AI law practice in Ukraine at Ferraz & Whitmore covers this overlap in detail.
Practical pitfalls and what international clients typically miss
The majority of enforcement actions against international businesses in Ukraine arise from documentation gaps rather than substantive misuse of data. Regulators find that companies processed data lawfully in practice but cannot demonstrate that fact on paper. This is an avoidable failure.
One common mistake is treating GDPR compliance as a proxy for Ukrainian compliance. The two regimes share architecture but diverge on key points: the registration obligation does not exist under GDPR, Ukrainian consent standards differ in format, and the legal bases for processing recognised under Ukrainian legislation do not map identically to the GDPR legal bases. An organisation that has invested heavily in GDPR compliance still needs a separate Ukrainian compliance review.
A second recurring issue is inadequate documentation of consent. Many companies use online consent checkboxes that satisfy formal GDPR requirements but cannot be linked to a specific individual in a DPA audit. Ukrainian regulators require a verifiable record showing when consent was obtained, from whom, and on what terms. Without that audit trail, the consent is treated as absent.
A third pitfall involves employee data. Ukrainian labour law and data protection legislation interact around the processing of employee personal data. Employers are permitted to process employee data necessary for the employment relationship. However, extended processing – for example, monitoring systems, biometric data for access control, or health data – requires a separate consent or legal basis. Many international companies install workplace monitoring tools without reviewing whether the Ukrainian legal basis is properly established.
Cross-border data transfers represent the most legally complex point of failure. A company that transfers Ukrainian employee or customer data to an EU parent company, to a US service provider, or to a cloud platform hosted outside Ukraine must independently verify that the transfer is lawful under Ukrainian legislation. The fact that the recipient is itself GDPR-compliant does not resolve the Ukrainian transfer question. This is a structural gap that surfaces almost every time an international group undergoes a Ukrainian regulatory audit.
Practitioners also note that many international businesses overlook the Ukrainian data breach notification obligation. Ukrainian legislation requires notification of certain data breaches to the DPA and to affected data subjects within a defined window. The timeframe is short. Businesses that discover a breach and manage it solely under their EU or US incident response procedures – without triggering the Ukrainian notification – are non-compliant by default.
Cross-border and strategic considerations
Ukraine's data protection system operates in a geopolitically complex environment. The Russia dimension is directly relevant for any business that previously had operational or data connections between Ukrainian and Russian entities. Since 2022, data transfers involving Russian processors or subsidiaries have become legally and practically untenable for most organisations. Businesses that have not formally severed those data-sharing relationships – even dormant ones – remain exposed. A separate analysis of the data protection regime applicable to those historical flows is available in our coverage of data protection legal services in Russia.
The EU dimension operates differently. Ukraine's candidacy status and the ongoing EU association process have accelerated regulatory alignment. Ukrainian data protection law is moving closer to GDPR standards, and the DPA has strengthened its engagement with the European Data Protection Board. For international businesses, this trajectory creates both opportunity and complexity. Companies that build Ukrainian compliance programmes designed for eventual GDPR equivalence – rather than minimum local compliance – will be better positioned as alignment deepens. However, during the transition period, the two systems remain distinct and must be managed separately.
For businesses structured as groups, the question of which entity acts as data controller versus data processor within Ukraine requires careful analysis. Ukrainian legislation imposes obligations on the entity that determines processing purposes. A foreign parent company that sets group-wide data policies may be treated as a controller with direct Ukrainian obligations – regardless of whether it has a registered entity in Ukraine. This is an exposure that many holding structures have not addressed.
Data localisation is a live strategic issue. Ukrainian legislation contains provisions that can require certain categories of data relating to Ukrainian residents to be stored on servers within Ukraine. The practical scope and enforceability of these provisions have evolved. Organisations with cloud-first data architectures must verify that their storage configurations do not create a localisation violation. This is particularly relevant for companies in the financial services, healthcare, and telecommunications sectors.
The economics of compliance are worth stating directly. The cost of building a defensible Ukrainian data protection compliance programme – covering registration, consent documentation, internal policies, and transfer mechanisms – is considerably lower than the cost of remediation following a DPA audit. Enforcement orders may require suspension of processing activities while remediation takes place. For businesses that rely on digital customer acquisition or CRM systems, a suspension order is a material operational disruption. Proactive compliance is not an abstract risk-management exercise. It is a concrete business protection measure.
For a preliminary review of your cross-border data protection position in Ukraine and the EU, email info@ferrazwhitmore.com.
A detailed overview of the company formation and regulatory entry steps in Ukraine that precede data protection registration is available in our guide to company formation in Ukraine.
Self-assessment: when to prioritise Ukrainian data protection compliance
Ukrainian data protection law applies, and compliance should be treated as urgent, if any of the following conditions are present:
- Your organisation collects, stores, or processes personal data of Ukrainian residents – whether as a local entity, a foreign parent, or a data processor acting for a Ukrainian controller.
- You operate an online platform, application, or CRM system that processes Ukrainian user data – regardless of where your servers are located.
- Your organisation employs staff in Ukraine, even through a third-party employer-of-record arrangement, and holds employee personal data.
- You transfer any personal data involving Ukrainian residents to entities or infrastructure outside Ukraine, including to EU group companies or third-party cloud providers.
- Your organisation has not registered its data processing databases with the DPA or has not updated registration following a change in processing scope.
Before initiating a compliance programme or remediation process, verify the following:
- A complete inventory of all personal data categories processed and all databases in active use.
- Confirmation that each database is registered with the DPA or falls within a recognised exemption.
- A review of all consent mechanisms against the Ukrainian standard for format, language, and auditability.
- Confirmation that cross-border data transfer arrangements have a valid Ukrainian legal basis independent of GDPR compliance.
- An internal policy in Ukrainian covering processing purposes, retention, security, and data subject rights procedures.
- A data breach response procedure that includes the Ukrainian DPA notification requirement.
If the answer to more than two items in the checklist is uncertain, a structured compliance audit is warranted before the next operating period.
Frequently asked questions
Q: Does GDPR compliance mean we are already compliant with Ukrainian data protection law?
A: No. While Ukrainian data protection legislation shares structural features with the GDPR, the two regimes impose different specific obligations. Ukrainian law requires database registration with the national DPA – an obligation that does not exist under the GDPR. Consent format requirements and legal bases for processing also differ. Organisations must address Ukrainian compliance separately and cannot assume that GDPR-compliant documentation automatically satisfies Ukrainian regulatory standards.
Q: How long does it take to register a personal data database with the Ukrainian DPA, and what does it cost?
A: The registration process typically takes several weeks from the date of submission, assuming the notification is complete and accurate. Registration fees are determined by the applicable procedural rules and are not significant in monetary terms. The more material investment is in preparing the underlying documentation – processing records, security measures, consent forms – to a standard that will withstand audit. Engaging a lawyer in Ukraine with data protection experience at the outset significantly reduces the risk of having to resubmit.
Q: Can a foreign company be subject to Ukrainian data protection enforcement if it has no legal entity registered in Ukraine?
A: Yes. Ukrainian data protection legislation applies to entities that process personal data of Ukrainian residents, regardless of whether they have a registered legal presence in Ukraine. A foreign company operating an online platform accessible to Ukrainian users, or a foreign parent company that sets data processing policies for a Ukrainian subsidiary, may be treated as a data controller subject to Ukrainian obligations. The DPA has the authority to issue orders to foreign entities and to refer matters to competent authorities in the entity's home jurisdiction through international cooperation channels.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies operating in Ukraine and across the CIS region with database registration, consent mechanism design, cross-border data transfer structuring, DPA audit defence, and data breach response. As an international law firm in Ukraine and across the wider region, we combine Portuguese civil law expertise with English common law tradition to deliver compliance programmes that work across multiple legal systems simultaneously. Our attorneys have advised on data protection and GDPR compliance matters spanning civil law and common law jurisdictions, and the firm's Lisbon base provides direct access to EU regulatory developments relevant to Ukrainian alignment. Acting as a lawyer in Ukraine and across the region requires not only local regulatory knowledge but also the cross-border perspective that international groups demand. To discuss how Ukrainian data protection obligations apply to your organisation's specific situation, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.