Study on liability and sanctions for GDPR violations presented in Ukraine

On February 12, the Secretariat of the Verkhovna Rada of Ukraine Commissioner for Human Rights presented the study “Liability and Sanctions for Violations of the General Data Protection Regulation (GDPR)”, prepared by the EU4DigitalUA project which is funded by the European Union and implemented by FIIAPP within the framework of the “Data Protection” component. The document was prepared in cooperation with the Office of the Ombudsman of Ukraine and is available here: https://eu4digitalua.eu/wp-content/uploads/2025/02/gdprvidpovidalnist-i-sanktsii-3.pdf

The event was held in a hybrid format with the participation of the Representative for Information Rights of the Ukrainian Parliament Commissioner for Human Rights Yuliia Derkachenko, representatives of the private sector (Nova, Uklon, Deloitte, YouControl, Pharmaceutical Company “Darnytsia”) and the public sector, in particular, State Joint Stock Company “Ukrzaliznytsia”.

The participants of the event, in particular, experts from the EU4DigitalUA project and representatives of the Department for Monitoring Compliance with Information Rights, explained:

– The methodology for calculating administrative fines in accordance with the GDPR.
– Methodology of investigations by the supervisory authority into cases of data protection law violations.
– Practical cases from the European Union demonstrating the consequences of non-compliance with personal data protection standards.

“Ukraine, as a state that has chosen a European vector of development, has undertaken to harmonise its legislation in accordance with EU standards. In accordance with the Association Agreement, our country is implementing large-scale changes in this area, and an important step on this path will be the adoption of the draft law “On Personal Data Protection”, said Andrii Nikolaev, lawyer, lead of the personal data protection component of the EU4DigitalUA FIIAPP project.

According to experts, the EU experience shows that first, the supervisory authorities conduct information and advisory work, and only then proceed to the application of fines. The calculation of fines will be carried out in accordance with the European methodology, which takes into account the scope of the violation, its seriousness and economic context.

The event discussed the draft law on the establishment of the National Commission for the Protection of Personal Data and Access to Public Information. As Liliya Oleksiuk, an expert of the EU4DigitalUA FIIAPP project, noted, this body will be responsible for the implementation of GDPR norms in Ukraine and will perform three main functions: preventive measures and explanatory work; control measures regarding violations; investigative powers. At the same time, a mechanism for transparent appointment of inspectors who will be engaged in inspections and sanctions is important. It was emphasised that the main role of this body is not fines, but the restoration of violated rights.

Penalties will come into force a year after the establishment of the National Commission, which will give businesses time to adapt to the new requirements. During this period, educational work will be carried out, and businesses will be provided with recommendations on compliance with the new legislation.

Personal data protection expert of the EU4DigitalUA FIIAPP project Oleksandr Shevchuk, during the presentation of his research, explained the importance of transparent regulatory mechanisms: “Creating an effective personal data protection system is impossible without transparent rules of the game. Business, citizens and state bodies must clearly understand how the regulator works, what requirements it sets and how sanctions are imposed. All decisions on sanctions must be clearly reasoned and publicly available.”

Following the results of the discussion, the participants noted the need for cooperation between the public and private sectors to implement European personal data protection standards in Ukraine.