29
Fri, Mar
48 New Articles

Ukraine: The Pandemic’s Impact on Personal Data Protection – What Regulations Remain Relevant?

Ukraine: The Pandemic’s Impact on Personal Data Protection – What Regulations Remain Relevant?

Ukraine
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The COVID-19 pandemic has triggered substantial social changes and a seemingly never-ending rollercoaster of legislative amendments and re-adoptions. Both social and legislative changes occurred in the Employment Sector, inevitably including the sphere of Personal Data Protection (PDP).

Remote working and the desire of employers to monitor the performance and processes of their employees has given rise not only to a series of legislative amendments but also to a series of misconceptions about these amendments and about compliance with existing legislation.

One of the first rounds of COVID-related changes in Ukraine included the establishment of a new exception to the requirement of consent for personal data processing: a data subject’s consent is not required when the processing is necessary for the purpose of combating the virus. This was a common headline in the news in April and May of 2020. However, this exception is only applicable to specific entities (i.e., the Ukrainian Ministry of Digital Transformation), and does not apply at all to most private businesses. The processing of personal data (especially sensitive data) remains subject to many restrictions and additional compliance actions must be taken before, during, and after processing (for sensitive data).

Another common misconception is that video-surveillance does not constitute the processing of personal data. Even though it’s very tempting to trust this statement, it is misleading and should not be relied upon. It has been well established that an image of a person contained in a video is in itself personal data. When using such monitoring instruments, an employer (or anyone conducting monitoring) must follow the usual “compliance steps” for personal data processing.

The pandemic has also provided fertile soil for remote work tracking and monitoring software. Most of the software packages offered on the market contain built-in confidentiality disclaimers and personal data processing consent. However, these do not offer a panacea for PDP compliance. One should choose software that provides an option for the person being monitored to pause the monitoring. This will ensure that no excessive personal data is collected (especially sensitive data). For example, financial data, private correspondence (conversations with other employees on non-work-related topics might also include private life details), etc.

It is commonly (and incorrectly) understood that where someone consents to processing, the processor is free to collect any data (or all the data provided for in the consent). Again, data processing consent is not a magic shield from PDP-law violation. It is well established that even when a personal data subject consents, if the scope of data collected and processed exceeds what is necessary to process for the purpose at hand, such processing is unlawful.

For example, when tracking an employee’s activities, software can collect data regarding time spent by an employee on a project that helps the employer monitor and assess the employee’s performance; but if the software collects and transfers to the employer such data as screenshots of bank account details or online payment information, etc., even when included in the consent, this exceeds the lawful purpose of processing and constitutes a PDP-law violation. Moreover, collecting sensitive personal data will trigger additional compliance requirements (such as sensitive data processing notification).

Furthermore, the earlier described “lawful data” is usually used for a lawful purpose (such as work performance evaluation). However, an employer should still be on guard when, for example, a decision related to an employee is made based exclusively on this data. Ukrainian law specifically protects data subjects from any automated decision affecting their rights. Depending on the particularities of the software and the procedure by which the decision (for example, to fire an employee or to distribute bonuses) is adopted, such decision could potentially result in a PDP-law violation. The same is true for profiling.

Evidently, most of the PDP law that was already in place is still applicable and relevant to “COVID-19 amended relations,” and businesses simply need to consider it as carefully as possible and not rely upon tempting but misleading statements.

All of this is also applicable to subcontracting relations and the data collected from subcontractors when monitoring their services.

By Maria Orlyk, Managing Partner, and Diana Valyeyeva, Associate, CMS Reich-Rohrwig Hainz, Kyiv

This Article was originally published in Issue 8.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

CMS at a Glance

CMS Sofia is a full-service law firm, the largest international law firm in Bulgaria and one of the largest providers of legal services in the local market as a whole. The breadth and depth of our practice means that our lawyers are specialised, with a level of specialisation that few of our competitors can match.

CMS Sofia is the Bulgarian branch of CMS, a top ten global legal and tax services provider with over 5000 lawyers in 43 countries and 78 offices across the world.

CMS entered the Bulgarian market as one of the first internationally active law firms in 2005 and is now among the most respected legal advisors in the country. We have 7 partners, 4 counsel and over 30 lawyers in our office in Sofia.

Our legal experts, who are rooted in Bulgaria’s local culture, can also draw on years of experience in foreign countries and are at home in several legal systems at once. We know the particularities of the local market just as well as the needs of our clients and combine both to achieve optimum solutions. Our lawyers are Bulgarian qualified and we also have English qualified experts – all of them regularly working on cross-border mandates.

In our work, we focus on M&A, Energy, Projects and Construction, Banking and Finance, Real Estate, Media, IP and IT law, Tax, Employment law, Competition, Procurement and any kind of Dispute resolution, including arbitration and mediation. What’s more, we also take care of the entire legal management of our clients’ projects.

Firm's website.