EU4DigitalUA Hosted Online Training on Personal Data Protection for Startups

On February 6-7, the EU4DigitalUA project, funded by the European Union and implemented by FIIAPP, held an online training session focused on personal data protection as part of its “Data Protection” component. Organised in partnership with the Office of the Ombudsman of Ukraine, the training was designed for representatives of Ukraine’s startup community.

The two-day session provided practical guidance on preparing startups for the EU market, deepened participants’ understanding of Ukrainian and European data protection legislation, and outlined key organisational measures for ensuring compliance. Day one featured in-depth discussions on personal data processing principles, the roadmap to GDPR compliance, and procedural requirements to help companies meet legal obligations.

Maria Gaston Betran, FIIAPP Technical Institutional Coordinator for EU4DigitalUA, delivered a welcome address to over 80 participants: “For startups, especially those aspiring to expand into the European market, compliance with data protection standards such as GDPR is essential. Understanding these regulations not only helps avoid legal risks and financial penalties but also builds credibility with international customers, investors, and partners.”

Yuliia Derkachenko, Representative for Information Rights of the Ukrainian Parliament Commissioner for Human Rights, also addressed the participants, emphasising Ukraine’s commitment to ensuring a high level of personal data protection under the Cooperation Agreement with Eurojust: “In today’s world, information technologies are advancing rapidly, leading to the accumulation of vast amounts of personal data across various sectors. The custodians of such data must take responsibility for its protection at all stages of processing. We strive to ensure that Ukraine’s legislation on personal data protection is regularly updated and aligned with European standards. In this context, state authorities, private companies, and institutions must carefully manage data processing and guarantee its proper handling at every stage of use.”

As experts noted during their speeches, the regulation of personal data in the EU is based on the principles of legality, transparency and minimisation of data collection. Ukrainian companies should focus on these standards if they plan to operate in the European market. Personal data protection is not only a legal requirement, but also a matter of user trust. Companies that adhere to security standards gain a competitive advantage.

The second day began with a presentation on the calculation of administrative fines for GDPR violations. Participants learned about the levels and criteria for imposing sanctions, reviewed real cases from the practice of European regulators, and discussed the opportunities that the EU Digital Single Market opens up for Ukrainian startups.

“Fines are not the main goal of regulation. European practice shows that sanctions are only a last resort, and the main focus is on ensuring that companies comply with transparent data processing rules,” said Oleksandr Shevchuk, Candidate of Law, National Expert on Personal Data Protection of the EU4DigitalUA FIIAPP project.

As the experts emphasised, the GDPR has extraterritorial effect. This means that Ukrainian companies that process data of EU citizens or provide services to them are already obliged to comply with European requirements. Thus, the banking sector, marketing companies, and the telecommunications sector in Ukraine are already actively implementing GDPR standards, as they work with European partners.

Additionally, during the training, attention was paid to the ethics of AI and privacy, on which Andrii Nikolaev, lawyer, lead of the personal data protection component of the EU4DigitalUA FIIAPP project, held an information session. According to him, GDPR and AI legislation should complement each other: “If personal data is used to train algorithms, companies must comply with strict requirements regarding their confidentiality. The development of AI also creates new challenges in the field of cybersecurity: AI can be used both to protect data and for its illegal collection and analysis. One of the main problems when using artificial intelligence is the transparency of algorithms. The AI ​​Act (Artificial Intelligence Regulation) contains requirements for the explainability of AI solutions, especially for high-risk systems in the financial and healthcare sectors. Discussions are ongoing in the EU on the development of detailed standards for the implementation of these requirements and methods for assessing the transparency of algorithms.”