Legal alerts


On May 25, 2018 the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will replace outdated Data Protection Directive 95/46/EC and will be directly applicable in all EU Member States. Due to the extra-territorial nature of the regulation it also affects all Ukrainian companies with an EU nexus.

First of all it should be noted both the current Data Protection Directive and GDPR allow the transfer of personal data under certain circumstances particularly the recipient country is declared adequate. Currently, data transfers are allowed to a third country if the European Commission decides it has adequate safeguards for personal data protection. Among the counties are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US as providing adequate protection. As you noticed Ukraine is not listed.

In the absence of an adequacy decision, however, transfers are also allowed outside to non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA. The main advantage of BCRs over other means of providing adequate safeguards is that, once developed and operational, BCRs can provide a framework for a variety of intra-group transfers to meet your organization’s requirements.

Another option is the standard contractual clauses. The European Commission has issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or EEA and one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA. Thus the issue may be solved by drafting the data protection addendum addressing GDPR and incorporating standard contractual clauses.


There will be two levels of fines based on the GDPR.  The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

So the impact to businesses is huge and will permanently change the way personal data is collected, stored, and used. If your company faces a task of compliance with the GDPR requirements, our lawyers are glad to be of assistance to you.


      Vladyslav Kysil                           Mykhailo Semka         

           Partner                                       Associate

     KPD Consulting                          KPD Consulting  

Should you have any questions with respect to above or require any additional information, please do not hesitate to contact Mr. Vladyslav Kysil ( or Mr. Mykhailo Semka ( We will be pleased to assist you.

The information contained in this overview is not intended to provide legal advice and should not be relied on or treated as a substitute for specific advice concerning individual situations.

Subscribe to newsletters
KPD Consulting is a full-service law firm.
We are focused on business needs of corporate clients demanding highly-effecient legal support. 
The firm is a member of Lexicom (network of independent commercial law firms across Europe) and WIRAS International that guarantees a succesfull assistance of the clients in key foreign jurisdictions.