Protecting personal data, information, and communication privacy
Everyone has the right to respect for his or her private and family life, home and communication.
Article 7 of the Charter of Fundamental Rights of the European Union
Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
Article 8 of the Charter of Fundamental Rights of the European Union
Text as of March 2026
Based on research and human rights practice, the following problems in the exercise of this right in Ukraine can be distinguished:
- Legislation on personal data protection does not meet EU standards. The personal data protection law is broadly formulated. It lacks clear provisions on data storage limitation, the right to be forgotten, and mechanisms for responding to data leaks. There are also no procedures for handling personal data collected through surveillance tools, nor are there rules on profiling or other sensitive data. Data subjects lack effective remedies when their rights are violated.
- Article 32 of the Constitution of Ukraine prohibits the processing of confidential data without the prior consent of the individual, except in cases specified by law, and only in the interests of national security, economic well-being, and human rights. This provision is narrower than the legal grounds for data processing set out in Article 6 of the General Data Protection Regulation (GDPR). Specifically, it does not include “legitimate interest,” performance of a contract (Article 6(1)(b) GDPR), performance of a public task (Article 6(1)(e) GDPR), or protection of the vital interests of an individual (Article 6(1)(d) GDPR). This creates a potential constitutional conflict in implementing the GDPR that requires resolution.
- Current legislation does not require a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR. A DPIA is required when processing activities may present a high risk to individuals’ rights and freedoms, especially when using new technologies at scale, conducting mass surveillance, or handling sensitive data.
- The current Law lacks provisions on extraterritorial effect as outlined in Article 3 of the GDPR. Foreign companies that process Ukrainian data are not subject to Ukrainian law. Draft law No. 8153 establishes a process to appoint local representatives for non-residents. However, this gap will persist until the draft law is adopted.
- An effective independent supervisory authority is currently lacking in the field of data protection. The only oversight body is the Commissioner for Human Rights of the Verkhovna Rada of Ukraine, whose role is limited to parliamentary oversight, issuing advisory decisions, and conducting on-site or remote inspections. The Commissioner lacks authority to independently resolve disputes between data subjects and controllers, impose effective and proportionate sanctions, or enforce legislation, and also lacks sufficient resources to carry out these activities on a national scale. This functional burden undermines the effective protection of personal data.
- Current legal frameworks do not adequately regulate how law enforcement agencies process personal data. EU Directive 2016/680 remains unimplemented.
- A comprehensive legal framework governing the use of surveillance tools, including mass surveillance, is currently lacking. Certain laws regarding the National Police, operational and investigative activities, and counterintelligence grant authorities broad discretion without clear boundaries, defined authorized entities, or specific grounds for using surveillance tools. Subjects of surveillance are not notified, and there is almost no opportunity to appeal these measures. These actions lack effective independent oversight and are not subject to public reporting.
- Currently, there is no established mechanism to hold parties accountable for violations of data protection legislation. Article 28 of the Law is worded in general terms: “violation of the legislation on the protection of personal data entails liability established by law.” The law lacks a detailed mechanism for sanctions proportionate to the type and severity of violations, especially for unauthorized data collection, missed processing deadlines, and the sale or leakage of personal data.
- Recent legislative initiatives may increase the discretion of security agencies without adequate safeguards in place. Parliament is increasingly considering draft laws that would grant security and law enforcement agencies direct, automated access to state and private information systems and databases, including confidential data, without requiring legitimate grounds. Other video surveillance initiatives grant authorities broad discretion and lack mechanisms to monitor compliance with the law.
- Cybersecurity and personal data leaks. Ukraine is facing unprecedented cyber threats. In December 2024, the Ministry of Justice experienced its largest external cyberattack, resulting in a temporary outage of state registers. Services were restored on January 20, 2025. In September 2025, an archive appeared online, reportedly connected to the Diia databases. Although the Ministry of Digital Transformation denied the leak, many experts identified systemic data protection issues across multiple institutions. Current legislation lacks a mandatory data breach notification mechanism that complies with Article 33 of the GDPR, which requires notification to the supervisory authority within 72 hours.
- Risks of data centralization on the Diia platform. The rapid digitalization enabled by the Diia ecosystem, which serves over 22 million users and offers more than 150 services as of 2025, increases the risk of centralization. While Diia uses a data-in-transit model and does not store personal data, cybersecurity experts note that the centralized Trembita platform, which facilitates data exchange between registries, creates a single point of failure. The platform’s security has not undergone an independent audit, and the legal framework for protecting data collected through Diia is not adequately regulated.
- The problem of cross-border data transfer. Current legislation lacks a sufficient mechanism for cross-border data transfers in compliance with Chapter V of the GDPR. Ukraine has not received an adequacy decision from the European Commission under Article 45 of the GDPR. Standard contractual clauses (SCCs) and binding corporate rules (BCRs) for data transfer are lacking. This creates legal uncertainty for the Ukrainian IT sector and other businesses that handle customer data from the EU.
- Data protection under martial law. Martial law in Ukraine poses significant challenges to privacy protections. Key concerns include the lack of clear legal definitions for constitutional restrictions on rights under martial law (Article 64 of the Constitution of Ukraine), the collection and processing of biometric data during mobilization, expanded powers of special services without adequate judicial oversight, and the use of video surveillance cameras and facial recognition systems for security purposes. ECtHR case law affirms that Article 8 rights under the Convention on Human Rights remain in effect during armed conflict.
What Ukraine needs to do during its accession to the EU to improve the situation:
- Align the Law of Ukraine “On Protection of Personal Data” with the requirements of the General Data Protection Regulation (GDPR). Clarify and enshrine the fundamental principles of personal data processing. Implement the right to be forgotten. Broaden data subjects’ rights and ensure effective protection measures. Introduce clear rules on profiling and provide additional safeguards for processing sensitive data, such as biometric and health information. Establish a robust mechanism for responding to data breaches. Every individual must be guaranteed the following rights: access to and rectification of their data, erasure of data, objection to and restriction of processing, data portability, protection from automated decisions with legal effects, and compensation for damages. Under Articles 25 and 29 of the GDPR and Convention No. 108, controllers should be required to implement technical and organizational measures to protect privacy at the system design stage and by default. Parliament should urgently consider draft law No. 8153, adopted in the first reading in November 2024. The review should address comments from Council of Europe experts and human rights activists, and ensure full compliance with the GDPR.
- The narrow definition of grounds for processing personal data in Article 32 of the Constitution of Ukraine should be revised to align with the EU acquis.
- Mandate by law that a data protection impact assessment (DPIA) be conducted in accordance with Article 35 of the GDPR for any processing likely to pose a high risk to individuals’ rights. This is particularly relevant given the large-scale digitalization of public services through Diia, the implementation of video surveillance, the use of AI in the public sector, and data collection for mobilization or national security.
- Establish an independent supervisory authority to oversee personal data protection. Establish an independent body with authority to hear data subject complaints, conduct inspections, impose proportionate sanctions, and enforce data protection laws. Parliament should promptly review draft law No. 6177, introduced in 2021 but not yet considered, associated with draft law No. 8153. This review should incorporate feedback from Council of Europe experts and human rights activists.
- Ukraine should sign and ratify the Protocol amending Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223).
- Introduce the institute of data protection officers. Ensure the legislation includes a mechanism for appointing data protection officers, in line with the General Data Protection Regulation (GDPR). The legislation should specify clear requirements for their independence and outline procedures for their activities.
- Implement Directive (EU) 2016/680. Align the legislation with the Directive on the processing of personal data by law enforcement authorities for the prevention, investigation, detection, and prosecution of criminal offenses. This is especially relevant in the context of expanded powers of special services.
- Develop a unified mechanism for using surveillance tools. Establish a legislative definition of “mass surveillance” and specify all permissible grounds for its use. Define the purposes and grounds for intrusive measures, and restrict automated database access by security agencies to legitimate reasons under judicial oversight. Clearly outline the limits of discretion for authorized bodies. Require mandatory notification to individuals subject to surveillance and ensure the right to judicial appeal. Create an independent supervisory body for oversight or assign these responsibilities to an existing independent authority. Establish legal regulations for the implementation of video surveillance in public places, ensuring compliance with personal data protection standards and respect for privacy rights. Law enforcement agencies should publish annual reports detailing their use of surveillance tools and any activities that may impact individual privacy.
- Implement a proportionate liability framework to address data protection violations. Amend the Law “On Protection of Personal Data” to include provisions for differentiated sanctions based on the type and severity of violations. Clarify Article 188-39 of the Code of Administrative Offenses regarding violations in personal data protection. Establish criminal liability for unlawful actions involving personal data that constitute a crime, and ensure law enforcement agencies investigate such reports.
- Develop a data exchange mechanism for the purposes of training AI systems. Implement legislative requirements for data exchange between public institutions and AI developers, modeled on the EU Data Governance Act. Ensure mandatory consent from data subjects and require specific contracts that define permissible uses of personal data.
- Introduce the concept of “data altruism.” Include incentive mechanisms in legislation to encourage individuals to voluntarily share their data for societal benefit. These mechanisms require data protection safeguards, such as a public register of verified organizations authorized to process such data.
- Strengthen the protection of the privacy of electronic communications. Prohibit wiretapping and interception of users’ communications without prior consent or unless required for criminal investigations. Require communication service providers to destroy or anonymize data that is no longer needed for service provision.
- Implement ePrivacy requirements. Align legislation, namely the law on electronic communications, especially rules regarding cookies and online user tracking, communications metadata protection, direct marketing, and location data processing restrictions, with Directive 2002/58/EC (ePrivacy Directive) requirements.
- Establish an individual’s right to control their own image. According to the ECtHR case law, an individual has the right to control the distribution of their photographs, including the right to refuse their publication. This right remains in effect even if the image is already in the public domain. Its continued use must be balanced with the individual’s right to privacy. Thus, the outdated provisions of the Civil Code (Articles 307–308 of the Civil Code of Ukraine) should be updated.
- Implement protection against monitoring of workplace communications. According to ECtHR case law, employees must receive clear advance notice if their correspondence may be monitored or their personal data accessed by the employer without their knowledge. Failing to provide such a warning violates the right to privacy. In Ukraine, these processes are largely unregulated by law.
- Establish regulations to ensure the protection of personal data on digital platforms. Enact legislation to prevent platforms from profiling sensitive data for advertising. Require large platforms to obtain explicit consent before combining personal data across services or connecting users to new services.
- Ensure the protection of the communications of journalists and their sources. Access to journalists’ communications is allowed only on lawful grounds and must not result in the disclosure of journalistic sources as a consequence of authorized actions.
- Introduce restrictions on artificial intelligence systems that process biometric or other sensitive data. Prohibit AI systems from collecting facial images in bulk, identifying emotions in workplaces or educational institutions, or classifying individuals based on biometric data. Providers of high-risk AI systems may process sensitive data only as needed to detect bias. Pseudonymization is required, and transferring data to third parties is prohibited.
- Provide an independent audit of the cybersecurity of Diia and critical infrastructure. Implement regular, independent cybersecurity audits for both the Diia platform and the Trembita system. Audit results should be made available to the public, except for information that could compromise security. Establish an incident response protocol that includes a clear process for notifying data subjects of breaches, as required by Articles 33 and 34 of the GDPR.
- Counteract the illegal circulation of personal data. Increase criminal liability for creating and managing Telegram bots and similar platforms that facilitate the illegal sale of personal data, and ensure these cases are effectively investigated. Implement a mandatory audit of access to state registers through a monitoring system.
- Complete the enforcement of the ECtHR judgments in the following cases:
  - Denysyuk and Others v. Ukraine (2025): addresses systemic shortcomings in secret surveillance, including the absence of an independent supervisory body, inadequate guarantees of professional secrecy for lawyers, and a lack of effective legal remedies.
  - Koval and Others v. Ukraine (2013): addresses complex issues related to search and seizure procedures.
  - Korniets and Others v. Ukraine (2025): addresses searches without a court order, the inability to challenge the legality of a search, and legislative issues regarding arbitrary searches and seizure of property.
  - Guyvan v. Ukraine (2025).
For a comprehensive overview of these issues and the rationale behind our recommendations, please refer to the research section, specifically the document available in Ukrainian: Privacy. If you have any feedback or comments about this material, please send them to: hrmap@ccl.org.ua.
Published materials may be used provided that a mandatory link to the original source is included. © 2025 Center for Civil Liberties.