Data protection & privacy laws in Ukraine (2026)

Law No. 2297-VI "On Personal Data Protection" (1 June 2010) is the general statute governing protection and processing of personal data, covering fully/partly automated processing and structured manual (card-index) data.

Since 1 January 2014 the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) is the state authority controlling compliance with data-protection legislation; it is a parliamentary human-rights body, not a standalone independent DPA.

The law guarantees rights to restrict processing, withdraw consent, place limits when giving consent, know the logic of automated processing, and protection against legally significant automated decisions.

Processing of data on racial/ethnic origin, political, religious or philosophical beliefs, party or trade-union membership, health or sex life is prohibited unless based on the data subject's unambiguous consent or other grounds explicitly set out in law.

Draft Law No. 8153, a new redaction harmonizing Ukrainian rules with the GDPR and Convention 108+, passed first reading on 20 Nov 2024 and was returned for refinement; it would add breach notification, DPIAs, mandatory DPOs and turnover-based fines, but is not yet enacted.

The reform package envisions a dedicated independent supervisory authority (a National Commission for the Protection of Personal Data and Access to Public Information) to replace the Ombudsman's current oversight role, in line with EU norms.