Ukraine Data Privacy Laws: Personal Data Protection and GDPR Reform Guide (2026)

Overview of Ukraine's Data Protection Framework
Ukraine's data protection regime is currently at a critical point of transition. The existing framework is built on the Law of Ukraine on Personal Data Protection No. 2297-VI, adopted on 1 June 2010 and in effect since 1 January 2011. This law was modeled on the EU Data Protection Directive 95/46/EC, which was itself replaced by the GDPR in 2018. As a result, Ukraine's current data protection standards lag significantly behind modern international benchmarks.

The country is actively pursuing comprehensive reform to align its data protection legislation with the GDPR and the Council of Europe's modernized Convention 108+. This reform effort is closely connected to Ukraine's broader EU integration process, as data protection alignment is a requirement under the EU-Ukraine Association Agreement and a precondition for Ukraine's accession process.
A draft law aimed at modernizing the data protection framework was adopted as a basis by the Verkhovna Rada (Parliament) on 20 November 2024. As of early 2026, the draft law is being prepared for its second reading, with the full reform expected to transform Ukraine's data protection landscape once enacted.
Current Law: No. 2297-VI on Personal Data Protection
Scope and Application
The current law applies to the processing of personal data carried out entirely or partly by automated means, as well as to non-automated processing of personal data that forms part of a filing system. It covers both natural and legal persons, in both the public and private sectors.
The law defines personal data as information or a set of information about a natural person who is identified or who can be specifically identified. This definition is broadly consistent with international standards, though the implementing provisions are less detailed than those found in the GDPR.
Consent and Legal Bases
Under the current framework, consent of the data subject is the primary legal basis for processing personal data. The law requires that consent be voluntary, informed, and clear. However, the law lacks the detailed provisions on consent found in the GDPR, including requirements for consent to be unambiguous and demonstrable.
The law provides exemptions from the consent requirement for processing necessary for the performance of a contract, processing required by law, processing for the protection of vital interests, and processing for the performance of tasks in the public interest.
Data Subject Rights
The current law grants data subjects the right to know about the sources of collection, the location of their personal data, the purpose of processing, the location or place of residence of the owner or manager of personal data, and the right to access their personal data. Data subjects also have the right to make reasoned objections to the processing of their data and the right to correct inaccurate data.
However, the rights framework is less comprehensive than the GDPR, lacking explicit provisions for the right to data portability, the right to restriction of processing, and the right to be forgotten in its modern formulation.
Registration Requirement
The current law requires the registration of personal data databases with the Ukrainian Parliament Commissioner for Human Rights. Data controllers must register their databases before commencing processing, providing information about the categories of data, the purposes of processing, and the security measures in place.
The Enforcement Gap
Current Enforcement Authority
Under the existing framework, the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) serves as the supervisory authority for personal data protection. The Commissioner's office has the power to receive complaints, conduct inspections, and issue recommendations.
However, enforcement has been limited in practice. The Commissioner's office has not been a particularly active enforcer of data protection law, partly due to resource constraints and partly due to the law's limited penalty provisions.
Minimal Penalties Under Current Law
One of the most significant weaknesses of the current framework is its penalty regime. Administrative fines for data protection violations under the current law are minimal by international standards, providing limited deterrent effect for organizations that fail to comply.
This stands in stark contrast to the GDPR's penalties of up to EUR 20 million or 4% of worldwide turnover, and to the penalty frameworks of neighboring countries that have already modernized their data protection laws.
The GDPR Alignment Reform
Draft Law Overview
The reform draft law, adopted as a basis in November 2024, represents a comprehensive overhaul of Ukraine's data protection framework. The draft law is designed to bring Ukrainian data protection standards into alignment with the GDPR and Convention 108+, addressing the significant gaps in the current framework.
Key elements of the reform include the establishment of an independent data protection authority, the introduction of GDPR-aligned principles and legal bases for processing, enhanced data subject rights including data portability and the right to erasure, a comprehensive framework for cross-border data transfers, mandatory data breach notification requirements, requirements for data protection impact assessments, and GDPR-scale administrative penalties.
New Data Protection Authority
The reform establishes the National Commission on Personal Data Protection and Access to Public Information as an independent supervisory authority. This new body will replace the Parliamentary Commissioner for Human Rights as the primary enforcement body for data protection.
The National Commission is designed to be structurally independent, free from government interference, and equipped with adequate resources and powers to effectively oversee and enforce data protection law. This aligns with the GDPR's requirement for independent supervisory authorities with effective enforcement powers.
During the first year after the reform's enactment, the National Commission is expected to focus on institutional formation, including recruiting staff, establishing operational procedures, and developing guidance for organizations. No penalties are expected to be imposed during this initial setup period.
GDPR-Scale Penalties
The reform introduces significantly increased penalties for data protection violations, moving from the current minimal fines to a GDPR-inspired penalty framework. The proposed penalties are designed to serve as a meaningful deterrent for organizations of all sizes, including large international companies that process Ukrainian personal data.
The specific penalty amounts and structure are being finalized in the second reading of the draft law, but the direction is clearly toward penalties that are comparable to those available under the GDPR.
Cross-Border Data Transfers
Current Framework
Under the existing law, personal data may be transferred to foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and to states that ensure adequate protection of personal data.
The law prohibits transfers to countries that do not ensure adequate protection, unless the data subject has given consent, the transfer is necessary for the conclusion or performance of a contract, the transfer is necessary for the protection of the data subject's vital interests, or other specific exemptions apply.
Proposed Reform
The reform is expected to introduce a more detailed framework for cross-border transfers, aligned with the GDPR's approach. This would include formal adequacy assessments, standard contractual clauses, binding corporate rules, and specific derogations for particular situations.
The alignment with GDPR transfer mechanisms is particularly important in the context of Ukraine's EU accession process, as it would facilitate data flows between Ukraine and EU Member States.
EU Integration Context
Association Agreement Obligations
The EU-Ukraine Association Agreement, which entered into force in 2017, includes obligations for Ukraine to align its legislation with EU standards in various areas, including data protection. Annex XVII of the agreement specifically references the EU data protection framework.
The comprehensive reform of Ukraine's data protection law is a direct response to these obligations and forms an integral part of Ukraine's broader EU integration agenda.
Accession Process
Ukraine's formal EU candidate status, granted in June 2022, has accelerated the urgency of data protection reform. Alignment with the GDPR is one of the benchmarks that Ukraine must meet as part of the accession process, and the progress of the reform law is closely monitored by both Ukrainian and EU institutions.
Data Security Requirements
Current Requirements
The existing law requires data controllers to take appropriate measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. However, the specific technical and organizational measures required are not detailed in the law, and implementation has varied significantly across organizations.
Reform Expectations
The reform is expected to introduce more detailed security requirements, including mandatory data breach notification, data protection impact assessments for high-risk processing, requirements for data protection by design and by default, and specific security standards proportionate to the sensitivity of the data being processed.
Practical Compliance Considerations
Organizations operating in Ukraine or processing Ukrainian personal data face a complex transitional landscape. During the current period, compliance with the existing Law No. 2297-VI remains mandatory, including the database registration requirement and the consent-based processing framework.
At the same time, organizations should begin preparing for the forthcoming reform by assessing their data processing activities against GDPR standards, reviewing and updating consent mechanisms, mapping cross-border data flows, implementing robust security measures, and developing data breach response plans.
Organizations that already comply with the GDPR (for example, due to operations in EU Member States) will find that they are well-positioned for the new Ukrainian framework. The alignment between the two frameworks means that GDPR compliance programs can serve as a strong foundation for Ukrainian compliance.
The timeline for the reform's full implementation remains subject to the legislative process, but organizations should anticipate the transition and allocate resources for compliance accordingly.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.