Ukraine Data Privacy Laws: Personal Data Protection, Draft Law 8153, and the GDPR Reform (2026)

Ukraine's primary data privacy statute is the Law on Personal Data Protection No. 2297-VI, in force since 1 January 2011 and administered by the parliamentary Ombudsperson. A GDPR-alignment reform, Draft Law No. 8153, passed its first reading on 20 November 2024 but is not yet enacted as of May 2026.
Quick Answer
Ukraine currently operates under the Law on Personal Data Protection No. 2297-VI, adopted on 1 June 2010 and in force since 1 January 2011. The law predates the GDPR and tracks the long-superseded EU Directive 95/46. The parliamentary Ombudsperson enforces it. A landmark reform law, Draft Law No. 8153, passed a first reading on 20 November 2024 and is working its way toward a second reading as of mid-2026. Once enacted, it will align Ukraine's rules with the GDPR, create an independent data protection authority, expand data subject rights, and introduce penalties of up to UAH 150 million or 8 percent of annual turnover.
For businesses, compliance today means the 2010 law. Compliance tomorrow means preparing for GDPR-equivalent obligations while the reform finishes its legislative journey.
Constitutional Basis
Ukraine's right to privacy traces to Article 32 of the Constitution of Ukraine, which guarantees every person the right to inviolability of private life, personal and family life, and protection of personal data.
Article 32 further provides that no one shall be subjected to interference in personal and family life except in cases envisaged by the Constitution. The collection, storage, use, and dissemination of confidential information about a person without consent is not permitted except in cases determined by law and only in the interests of national security, economic welfare, or human rights.
This constitutional guarantee forms the bedrock on which the 2010 statute and the forthcoming reform rest. The Constitutional Court of Ukraine has affirmed that the right to inviolability of private life attaches to every person regardless of status, including public figures.
The Law on Personal Data Protection No. 2297-VI (2010)
Background and Scope
The Law on Personal Data Protection was enacted on 1 June 2010 and entered into force on 1 January 2011. Ukraine also ratified the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) in 2010, and its Additional Protocol on supervisory authorities and cross-border data flows.
The law applies to the processing of personal data carried out entirely or partly by automated means, and to non-automated processing of personal data that forms part of a filing system. It covers both natural persons and legal entities, in the public and private sectors alike.
Personal data is defined as information or a set of information about a natural person who is identified or who can be specifically identified. The definition is broadly compatible with international standards, though the implementing provisions are less granular than those in the GDPR.
Legal Bases for Processing
Consent of the data subject is the primary legal basis under the 2010 framework. Consent must be voluntary, informed, and clear. The law lacks the GDPR's requirement that consent be unambiguous and demonstrable, and there is no equivalent of the GDPR's tiered consent model.
The law provides exemptions allowing processing without consent where it is necessary for the performance of a contract to which the data subject is a party, required by law, necessary for the protection of vital interests, or necessary for the performance of tasks in the public interest.
Notification of High-Risk Processing
Ukraine abolished mandatory registration of personal data databases on 1 January 2014. In its place, data controllers must notify the Ombudsperson within 30 working days of beginning to process data that is of particular risk to the rights and freedoms of data subjects.
Mandatory notification applies when processing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual life data, biometric data, genetic data, criminal conviction records, pre-trial measures, records of violence, or location and movement tracking data. Certain exemptions apply, including for public registers, NGOs processing their members' data, and employers processing employee data.
The notification must include the identity of the controller and processor, the categories of risky data being processed, the purpose of processing, the categories of individuals concerned, third parties to whom data is disclosed, cross-border transfer details, processing location, and a description of technical and organizational security measures.

Data Subject Rights Under the 2010 Law
The current law grants data subjects the following rights:
- The right to know the sources of collection, location, purpose, and persons who process their data, within 30 calendar days of a request.
- The right to access their personal data.
- The right to object to processing and to impose restrictions or reservations on certain processing activities.
- The right to request rectification of inaccurate data.
- The right to request deletion where processing is unlawful or the data is inaccurate.
- The right to withdraw consent at any time.
- The right to protection against solely automated decision-making.
- The right to seek compensation for damages, including moral harm.
- The right to submit complaints to the Ombudsperson or to court.
The framework is less comprehensive than the GDPR. There is no explicit right to data portability, no right to restriction of processing as a standalone right, and no right to erasure in its modern GDPR formulation.
The Supervisory Authority: The Ombudsperson
Role and Powers
The Ukrainian Parliament Commissioner for Human Rights, commonly called the Ombudsperson, serves as the supervisory authority for personal data protection under the 2010 law. The Ombudsperson's office operates from 21/8 Instytutska Street, Kyiv, and maintains an English-language presence at ombudsman.gov.ua.
The Ombudsperson has authority to receive and investigate complaints from individuals, conduct scheduled and unscheduled inspections of data controllers, issue binding corrective orders and warnings, impose administrative fines following non-compliance with warnings, and issue advisory guidance on consent, remote transactions, wartime data protection, and AI-related processing matters.
In practice, the Ombudsperson's office conducts roughly 25 to 26 compliance inspections per quarter across public and private sector organizations. Enforcement follows a graduated approach: the office first issues a warning demanding that a violation cease. Administrative fines are then imposed only if the offending party fails to comply with that warning. This approach, combined with resource constraints, means strategic enforcement against large private sector organizations has been limited.
In 2025, the Ombudsperson's office received more than 1,100 requests concerning personal data protection as cybercrime escalated. Commissioner Lubinets issued public warnings about the growing risk of data breaches and identity theft in the wartime digital environment.
Current Administrative Penalties
Current administrative penalties are set in the Code of Ukraine on Administrative Offences and are modest by international standards:
- Failure to notify the Ombudsperson about high-risk data processing: up to approximately EUR 170.
- Non-compliance with Ombudsperson directives: up to approximately EUR 425.
- Unlawful access to or violations involving personal data: up to approximately EUR 425.
- Repeat violations within one year: penalties increase 2 to 2.5 times.
For legal entities and their responsible officers, the maximum fine reaches approximately UAH 34,000 (roughly EUR 700). These figures provide limited deterrent effect for commercial organizations.
Criminal Liability
Separate from administrative fines, the Criminal Code of Ukraine provides sanctions for more serious violations. Illegal collection, storage, or dissemination of personal data carries fines, correctional labor of up to two years, detention of up to six months, or restriction of liberty of up to three years for a first offense. Repeat offenses or offenses causing substantial harm escalate to detention of three to six months, restriction of liberty for three to five years, or imprisonment for three to five years.
Draft Law No. 8153: The GDPR Alignment Reform
Background and Legislative History
Draft Law No. 8153 "On Personal Data Protection" was registered with the Verkhovna Rada on 25 October 2022. It was developed with expert support from the Council of Europe and the EU4DigitalUA program, and benefited from multiple rounds of stakeholder consultation involving government officials, civil society, business associations, and international partners.
The Council of Europe published a formal opinion on the draft, assessing its compatibility with Convention 108+ and the GDPR. The European Business Association and the Better Regulation Delivery Office organized expert discussions on its provisions, particularly the tension between stronger privacy protections and Ukraine's open data commitments.
First Reading Passage: November 2024
The Verkhovna Rada adopted Draft Law No. 8153 as a basis on 20 November 2024, clearing the first reading. This is a procedural milestone under Ukrainian parliamentary practice: adoption as a basis means Parliament has endorsed the law's core principles and directed the responsible committee to prepare the text for a second reading with amendments.
As of May 2026, the draft law is being prepared for its second reading. It has not been enacted and is not yet in force. The timeline for completing the second and third readings depends on Parliament's legislative calendar and the ongoing demands of martial law governance. Organizations should monitor the Verkhovna Rada's website at zakon.rada.gov.ua for updates.
Key Provisions of Draft Law 8153
Draft Law 8153 represents a comprehensive overhaul rather than a modest amendment. Its principal elements include:
GDPR-aligned processing principles. Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Expanded legal bases. In addition to consent and contract, the draft introduces legitimate interests as a legal basis for processing, bringing Ukraine into alignment with GDPR Article 6.
Enhanced data subject rights. The draft adds the right to erasure, the right to restriction of processing, the right to data portability, and explicit protection against solely automated decisions including profiling. Article 25 of the draft prohibits decisions that significantly affect data subjects if based solely on automated processing.
Data protection by design and by default. Controllers must implement technical and organizational measures ensuring that only necessary personal data is processed by default.
Mandatory data breach notification. Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach affecting personal data security, including details of the breach, the number of affected individuals, data types involved, likely consequences, and remedial measures taken. This is a significant change from the current law, which contains no mandatory breach notification obligation.
Data Protection Officer requirements. Organizations must appoint a DPO when they regularly and systematically monitor data subjects at large scale, process large volumes of sensitive data, or process biometric or genetic data.
Data Protection Impact Assessments. Article 39 requires impact assessments for processing activities that involve systematic automated analysis and other high-risk activities.
AI and automated decision-making. Article 18 of the draft requires controllers to disclose automated decision-making mechanisms to data subjects. The Dnistrianskyi Center has noted that the draft's AI provisions, while a step forward, lack the specificity of the EU AI Act and will need to be complemented by future AI-specific legislation.
Penalty Structure Under Draft Law 8153
The proposed penalty framework is dramatically higher than current law.
For individuals, fines range from UAH 10,000 to UAH 20 million (approximately EUR 300 to EUR 606,000).
For legal entities at the lower tier, fines run from UAH 30,000 or 0.05 percent of annual turnover up to 5 percent of annual turnover, but not less than UAH 300,000.
For legal entities at the upper tier, covering the most serious violations, fines reach up to UAH 150 million or 8 percent of prior year annual turnover, whichever is higher.
Repeated violations within one year trigger a penalty of 200 percent of the initial fine.
These figures track the GDPR's two-tier penalty structure closely. The upper tier of 8 percent slightly exceeds the GDPR's 4 percent cap for the most serious violations, reflecting the drafters' intent to signal strong deterrence.
The draft law as passed in its first reading does not include an explicit transitional grace period. Legal analysts anticipate that a one-to-two-year transition period will be introduced in the second reading to give organizations time to adapt.
New Independent Supervisory Authority
One of the most significant structural changes in Draft Law 8153 is the replacement of the Ombudsperson as the primary data protection authority. The draft establishes the National Commission on Personal Data Protection and Access to Public Information as a new, independent body.
A companion draft law, No. 6177, sets out the National Commission's institutional structure. The Commission would be a dedicated government agency independent of the executive branch, responsible for both policymaking and enforcement. It would have quasi-investigative powers, including the ability to engage technology and other subject-matter experts.
During its initial year of operation, the National Commission is expected to focus on institutional formation: recruiting staff, establishing procedures, and developing compliance guidance. Penalties are not expected to be imposed during this setup phase.
The shift to a dedicated authority matters. Under the current arrangement, the Ombudsperson's data protection function competes with a broad human rights mandate for resources and attention. A specialist commission would have the capacity and expertise to engage more proactively with the private sector, issue detailed guidance, and pursue strategic enforcement.

EU Accession and the GDPR Alignment Imperative
The EU-Ukraine Association Agreement
Ukraine's path toward EU membership provides the strongest external driver for data protection reform. The EU-Ukraine Association Agreement, which entered into force in September 2017, obligates Ukraine to align its legislation with EU standards across numerous areas. Annex XVII of the Agreement references the EU data protection framework explicitly.
Ukraine received formal EU candidate status in June 2022. As of early 2026, it has opened 18 of 35 negotiating chapters with the EU, with 6 provisionally closed. GDPR alignment is a medium-term priority with a target completion date in the Q1 2026 timeframe. The delay in enacting Draft Law 8153 has created some slippage against this timeline.
What Accession Requires
GDPR alignment for EU accession purposes involves more than passing a law with similar text. Ukraine must also establish an independent supervisory authority meeting the independence standards of GDPR Articles 51 to 54, demonstrate effective enforcement capacity, adopt secondary legislation and binding guidance consistent with EDPB standards, and work toward an adequacy finding to enable free data flows between Ukraine and EU Member States.
The European Data Protection Board has published translations and guidance that Ukrainian authorities are actively studying. The Ombudsperson's office has used EDPB guidance as a reference for advisory opinions issued during the reform preparation period.
Adequacy and Data Flows
Ukraine is not currently the subject of a European Commission adequacy decision under GDPR Article 45. Data transfers from the EU to Ukraine therefore require reliance on standard contractual clauses, binding corporate rules, or one of the Article 49 derogations. Enactment of Draft Law 8153 and establishment of the independent National Commission are expected to be preconditions for a future adequacy assessment.
Cross-Border Data Transfer Rules
Current Framework
Under the 2010 law, transfers of personal data to foreign states are permitted where the destination country is a party to Convention 108 or otherwise ensures adequate protection of personal data. The law prohibits transfers to countries that do not meet this threshold unless at least one of these conditions applies:
- The data subject has given explicit consent to the transfer.
- The transfer is necessary for the conclusion or performance of a contract benefiting the data subject.
- The transfer is necessary to protect the data subject's vital interests.
- The transfer serves a public interest or is necessary for the establishment, exercise, or defense of legal claims.
- The data controller provides appropriate safeguards for the data.
No prior approval from the Ombudsperson is required for cross-border transfers as such. However, where the transferred data falls into a risky category, the separate notification obligation applies.
The United States was added to Ukraine's list of adequate destination countries via Cabinet of Ministers Resolution No. 910 in August 2022. EEA member states and Convention 108 signatories are treated as adequate by default.
Martial Law Transfer Exception
A specific exception enacted during martial law permits transfers of health and rehabilitation data to third countries (other than Russia and Belarus) where necessary for medical assistance or rehabilitation using telemedicine, provided the transfer complies with the receiving country's medical practice regulations.
Reform Outlook
Draft Law 8153 is expected to introduce a more detailed transfer framework modeled on GDPR Chapter V. This would formalize adequacy assessments, standard contractual clauses, binding corporate rules, and derogations for specific circumstances. The reform would simplify compliance for multinational organizations by aligning Ukrainian transfer rules with those applicable to EU-resident data.

Martial Law Context and Data Protection
The Conflict Environment
Russia's full-scale invasion of Ukraine began on 24 February 2022. Martial law has been in effect continuously since that date, renewed by Parliament at regular intervals. The wartime environment creates acute data protection challenges that have no parallel in peacetime jurisdictions.
Russian cyberattacks targeting Ukrainian government agencies, critical infrastructure, financial institutions, and private enterprises have been a persistent feature of the conflict. CERT-UA, the national computer emergency response team, has documented thousands of incidents involving unauthorized access to systems containing personal data. The State Service of Special Communications and Information Protection coordinates national cyber defense alongside the Cyberpolice Department of the National Police.
Constitutional Rights Under Martial Law
Article 32 of the Ukrainian Constitution guarantees the right to privacy, but Article 64 permits temporary restrictions on constitutional rights during martial law to the extent required by necessity. Ukrainian authorities have taken the position that restrictions on data subject rights are permissible under martial law where justified by national security, provided the restrictions are proportionate and not discriminatory.
The Ombudsperson has issued guidance acknowledging that certain limitations are legally defensible during the emergency period while emphasizing that core obligations around data security, breach prevention, and minimum consent requirements remain in force.
Wartime Compliance Priorities
The Ombudsperson's office has identified cybersecurity-related data protection as a priority enforcement area during martial law. This includes protection of civilian population registers, safeguarding health records of internally displaced persons and military personnel, preventing unauthorized disclosure of location data that could endanger individuals, and ensuring that humanitarian organizations processing conflict victim data comply with data minimization standards.
Organizations operating in Ukraine have been advised to implement multi-factor authentication, data encryption at rest and in transit, and incident response plans. The elevated threat environment makes the absence of a mandatory breach notification requirement under the current law a particular gap.
ePrivacy and Electronic Marketing
Ukraine has not implemented the EU ePrivacy Directive. Electronic marketing rules derive from the Law on Electronic Commerce (2015), the Law on Advertising (1996), and the Law on Electronic Communications (2020).
Email marketing may be conducted on either a consent basis or an opt-out basis. Spam is defined as the repetitive sending of five or more electronic messages without the recipient's consent. Telephone marketing using repeated calls without prior consent is prohibited. Organizations may contact existing customers about similar products or services with an opt-out mechanism in place.
Draft Law 8153 does not directly address the ePrivacy gap. Separate legislation implementing ePrivacy-equivalent rules is expected to be developed as part of the broader digital harmonization program.
Business Compliance Considerations
Current Obligations
Organizations operating in Ukraine or processing Ukrainian personal data must currently:
- Identify the legal basis for each processing activity.
- Notify the Ombudsperson within 30 working days of commencing processing of risky data categories.
- Implement appropriate technical and organizational security measures.
- Honor data subject access and rectification requests within 30 calendar days.
- Inform data subjects within 10 business days if their personal data has been amended or deleted.
- Refrain from transferring data to countries without adequate protection unless a statutory derogation applies.
Preparing for the Reform
Organizations that already maintain GDPR compliance programs for EU operations are well-positioned: the alignment between the two frameworks means the GDPR program can serve as a strong foundation for Ukrainian compliance, needing adaptation rather than reconstruction.
Organizations without EU operations should conduct a data mapping exercise to understand what personal data they process, on what legal basis, with what third-party sharing, and in what cross-border contexts.
The DPO requirement under the draft will apply to organizations processing large volumes of data or engaging in systematic monitoring or sensitive data processing. Identifying whether a DPO appointment will be required is a practical early step.
The mandatory 72-hour breach notification requirement means organizations need an incident response plan capable of identifying breaches promptly, assessing notification thresholds, and communicating with the National Commission. Building this capability before the law is enacted reduces compliance risk.
The penalty scale under the draft, reaching UAH 150 million or 8 percent of turnover, changes the risk calculus significantly from the current minimal-fine environment. Organizations should treat compliance investment proportionally to this future exposure.
Recent Developments (2024-2026)
November 2024: The Verkhovna Rada adopted Draft Law No. 8153 in its first reading. The Committee on Digital Transformation was directed to prepare the bill for a second reading.
December 2024: An expert discussion convened by the Better Regulation Delivery Office and the Ministry of Digital Transformation, with more than 40 participants from government, civil society, and business, identified unresolved tension between data protection and Ukraine's open data commitments as a key second-reading issue.
Early 2025: The Council of Europe published its formal opinion on Draft Law 8153, assessing compliance with Convention 108+ and recommending clarifications on several provisions. The EU4DigitalUA program continued providing technical assistance to the Parliamentary committee preparing the second reading text.
2025: The Ombudsperson received more than 1,100 data protection complaints during the year, with Commissioner Lubinets publicly warning of escalating cybercrime risks to personal data.
As of May 2026: Draft Law 8153 remains in second-reading preparation. It is not yet enacted. The National Commission has not yet been established. The 2010 law remains the operative legal framework.
This article is for informational purposes only and does not constitute legal advice. Ukraine's data protection framework is actively changing. Organizations should consult qualified legal counsel for advice specific to their situation.
Frequently Asked Questions
What is Ukraine's current data protection law?
The Law of Ukraine on Personal Data Protection No. 2297-VI, adopted on 1 June 2010 and in force since 1 January 2011, is the operative data protection legislation. It is modeled on the EU Data Protection Directive 95/46, which the EU itself replaced with the GDPR in 2018. The 2010 law is in the process of being replaced by Draft Law No. 8153, which passed a first reading on 20 November 2024 but is not yet enacted.
Has Draft Law 8153 been enacted into law?
No. Draft Law No. 8153 passed its first reading in the Verkhovna Rada on 20 November 2024. As of May 2026, it is being prepared for a second reading and is not yet in force. Organizations should monitor zakon.rada.gov.ua for updates on the second reading and enactment timeline.
Who is Ukraine's data protection supervisory authority?
The current supervisory authority is the Ukrainian Parliament Commissioner for Human Rights, known as the Ombudsperson, at ombudsman.gov.ua. Draft Law 8153 would replace this arrangement with a new independent body called the National Commission on Personal Data Protection and Access to Public Information, which has not yet been established.
What are the penalties for data protection violations in Ukraine?
Under the current 2010 law, administrative fines are very low: up to approximately EUR 425 for most violations, with a maximum of around UAH 34,000 (approximately EUR 700) for the most serious cases. Criminal penalties for illegal data collection or dissemination can reach five years' imprisonment. Draft Law 8153 proposes penalties of up to UAH 150 million or 8 percent of annual turnover for the most serious violations, comparable to GDPR sanctions.
How does martial law affect data protection in Ukraine?
Martial law has been in effect since February 2022. It permits proportionate temporary restrictions on certain rights, including privacy rights, for national security purposes. It has also created specific rules, such as allowing medical data transfers to most third countries for telehealth purposes. Cyberattacks have intensified data security obligations in practice. The Ombudsperson continues to enforce the 2010 law and has prioritized cybersecurity-related data protection during the conflict.
Why is Ukraine reforming its data protection law?
GDPR alignment is a legal obligation under the EU-Ukraine Association Agreement and a benchmark for Ukraine's EU accession process. Ukraine received EU candidate status in June 2022 and is negotiating membership chapters. Aligning data protection law with the GDPR and Convention 108+ is one of the specific requirements Ukraine must meet. The reform also addresses longstanding weaknesses in the 2010 framework, including minimal penalties, limited data subject rights, and the absence of an independent enforcement authority.
Can personal data be transferred from Ukraine to other countries?
Yes, under the current 2010 law. Transfers to EEA member states, Convention 108 signatories, and countries approved by Ukraine (including the United States since August 2022) are permitted without additional conditions. Transfers to other countries require at least one of: data subject consent, contract necessity, vital interest protection, public interest, or controller-provided safeguards. No prior approval from the Ombudsperson is required for transfers as such. Draft Law 8153 would introduce a more detailed transfer framework aligned with GDPR Chapter V.
Does Ukraine have a right to erasure or right to be forgotten?
Not explicitly under the current 2010 law. Data subjects can request deletion where processing is unlawful or data is inaccurate, which covers some erasure scenarios. However, the GDPR-style right to erasure and its broader grounds, including withdrawal of consent and data no longer necessary for its original purpose, are not codified in the current law. Draft Law 8153 introduces an explicit right to erasure consistent with GDPR Article 17.
Are businesses required to appoint a Data Protection Officer in Ukraine?
Under the current 2010 law, only public authorities processing sensitive data face a requirement to designate a privacy officer. Draft Law 8153 would require DPO appointments for organizations that regularly and systematically monitor data subjects at large scale, process large volumes of sensitive data, or process biometric or genetic data, consistent with the GDPR's Article 37 threshold.
Sources and References
- Law of Ukraine No. 2297-VI on Personal Data Protection (English text) — Verkhovna Rada (zakon.rada.gov.ua)
- Ukrainian Parliament Commissioner for Human Rights (Ombudsperson) — Official Site (ombudsman.gov.ua)
- Rada Supports Draft Law on Personal Data Protection in First Reading — EU4DigitalUA (eu4digitalua.eu)
- Data Protection Laws and Regulations Report 2025-2026 Ukraine — ICLG (iclg.com)
- Data Protection Laws in Ukraine — DLA Piper Global Data Protection Laws of the World (dlapiperdataprotection.com)
- Data Protection and Cybersecurity Laws in Ukraine — CMS Expert Guide (cms.law)
- Data Protected — Ukraine — Linklaters (linklaters.com)
- GDPR-Size Penalties for Personal Data Protection Violations in Ukraine — The World Law Group (theworldlawgroup.com)
- Draft Law of Ukraine on Data Protection — Secure Privacy (secureprivacy.ai)
- Protection of Ukrainians Personal Data: Council of Europe Opinion on Draft Law 8153 — Council of Europe Office in Ukraine (coe.int)
- Council of Europe Opinion on Draft Law of Ukraine on Personal Data Protection (rm.coe.int)
- Personal Data Protection and AI: Draft Law No. 8153 — Dnistrianskyi Center (dc.org.ua)
- Discussion on Draft Law No. 8153 — European Business Association Ukraine (eba.com.ua)
- TMT Trends in Ukraine: Data Protection, E-Comms, AI and Beyond — CEE Legal Matters (ceelegalmatters.com)
- Ukraine Moving Toward GDPR-Size Penalties — The World Law Group (theworldlawgroup.com)