• Olena Shamrina

    Partner, Pakharenko & Partners, Lawyer and registered Patent
    and Trademark Attorney of Ukraine

    Higher economic and legal education. More than 25 years experience in IP sphere. Olena’s practice covers counseling on all aspects of protection of IPR objects, particularly inventions, utility models, trademarks, geographical indications, industrial designs, copyright. Other practice areas include customs, contract and banking law. Membership: Ukrainian National Group of International Association for the Protection of Intellectual Property (AIPPI), International Trademark Association (INTA), Licensing Executives Society (LES), Al-Ukrainian Association
    of Patent Attorneys.


Address: Business Centre Olimpiysky, 72 Velyka Vasylkivska Street, Kyiv, 03150, Ukraine

Tel: +380 44 593 9693

Fax: +380 44 451 4048

E-mail: pakharenko@pakharenko.com.ua

Web-site: pakharenko.ua

IP and Law Firm Pakharenko & Partners was established in 1994 and has offices in Kyiv and London. As a firm providing full IP service coverage we are keen on developing successful protection and enforcement strategies for our clients, covering the development of IP portfolio, acquisition of IPRs, commercialisation of IPRs, enforcement and management of IPRs, including patents (inventions and utility models), designs, trademarks and geographical indications, domain names, copyright and related rights, plant breeders’ rights both at national and international level.

The firm provides assistance to national and foreign clients in securing and enforcing their intellectual property rights in Ukraine and CIS countries.

The company’s lawyers have been involved in anti-counterfeiting and anti-piracy activities since the implementation of the relevant provisions on IPR enforcement in Ukrainian legislation.

Our staff members also have expertise in pharmaceutical law, competition law, media law, corporate and commercial law, commercial litigation.

We’re able to service our clients’ needs around the world through our established network of associates. The special relationships developed by our company with many attorney firms in key foreign markets provide ongoing, substantial benefits to our internationally focused clients.


Main practice areas:

Intellectual Property Law, Anti-Counterfeiting and Anti-Piracy Operations and Legal Support, Media Law, Advertising Law, Competition Law, Pharmaceutical Law, Corporate Law, Customs Law, Commercial and IP Litigation


Membership of organizations:

The company and its members are actively involved in the operation of a number of national and international intellectual property associations, such as: AIPPI, INTA, FICPI, LES, MARQUES, PTMG, ECTA, ACG, IACC, ACACAP, ICC Ukraine, IBA, European Business Association (EBA), American Chamber of Commerce (ACC) in Ukraine, Ukrainian Patent Attorneys Association (UPAA), Seed Association of Ukraine, Ukrainian Bar Association, Ukrainian Attorney Association (UAA), Ukrainian Alliance Against Counterfeiting and Piracy (UAACP) which is a member of the GACG Network, CIOPORA.

GDPR and Ukrainian Business Entities

It’s been almost a year since the provisions of the General Data Pro­tection Regulation (GDPR, Regulation (EU) 2016/679) on the protection of personal data of citizens of the European Union came into force.

The main purpose of the GDPR is to protect personal data of EU citizens irrespective of the country where such data is stored, processed and used.

Clause 11 of the Action Plan on Implementing the Association Agreement bet­ween Ukraine, on the one hand, and the European Union, the European Atomic Energy­ Community and their Member States, on the other hand, approved by the Resolution of the Cabinet of Ministers of Ukraine of 25 October 2017, No. 1106 specifies the objectives related to the improvement of the legislation on personal data protection to bring it into compliance with the GDPR.  The responsibility for making the necessary legislative changes has been entrusted to the Ukrainian Parliament Commissioner for Human Rights (upon consent), the Mi­nistry of Finance, the Ministry of Justice, the Ministry of Economic Development and Trade, the Ministry of Internal Affairs. Despite the fact that no such changes have been made to date, the requirements established by the GDPR should in certain cases be observed by business entities in Ukraine.

What Information is Regarded as Personal Data in the EU and Ukraine

According to Article 4 of GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the phy­sical, physiological, genetic, mental, econo­mic, cultural or social identity of that natural person. For example, such identifiers may include a client’s e-mail, name and surname, details of his bank card or any other financial information, photo and video, online identifiers, such as IP address, cookies, etc.

By Article 32 of the Constitution of Ukraine the human right of non-interference in one’s personal life is proclaimed. Moreover, the collection, storage, use, and dissemination of confidential information about a person without his/her consent shall not be permitted, except for the cases determined by law and only in the interests of national security, economic welfare, and human rights. A natural person shall have the right to health secrecy, to secrecy of the fact of turning for medical aid, to confidentiality of the diagnosis and information received during medical examination. It is forbidden to require and submit information about the diagnosis and methods of treatment of a natural person to places of work or study. (Article 286 of the Civil Code of Ukraine). In Article 2 of the Law of Ukraine On Protection of Personal Data No. 2297 of 1  June 2010 personal data is defined as information or a collection of data about an individual that is identified or can be specifically identified. Such a definition makes it impossible to distinguish personal data from any other information. For example, from the confidential information about a person. The law does not provide for the differentiation of personal data by the criterion of “sensitivity” that exists in EU laws.

Under EU laws, personal data is divided into general data (surname, first name, patronymic name, date and place of birth, nationality, place of residence) and sensitive (health information, ethnicity, religious commitment, identification numbers, fingerprints, voiceprint, photographs, criminal records, etc.). At the same time, in the EU sensitive personal data enjoys a higher level of protection.

Ukrainian authorities, within the limits of their legal powers, assist in the implementation of the main principles of protection of personal data provided for by national legislation. For example, the  campaign to prevent fraud in the course of online trade and protection of personal data has been launched by the cyber police; the Ministry of Health of Ukraine, for implementation of electronic medical records, has paid particular attention to the protection of the personal data of patients; the Cabinet of Ministers of Ukraine abolished the complaint and suggestion book and one of the reasons for taking such a decision was non-observance of legislation on protection of personal data, since the names and phone numbers of consumers were publicly available.

It’s worth mentioning that GDPR does not provide for an exhaustive list of personal data since personal data can be any data that helps to identify a specific person. Furthermore, there can be situations where simple data can become personal data. For example, if, for security reasons, video surveillance cameras are installed in your office to ensure recording of all that is happening, the data obtained from recording of all that is happening video cameras will not be regarded as personal data. However, if a face recognition system is connected to the video surveillance apparatus, the recorded data becomes personal data and requires obtaining consent from all clients to record.

Parties Involved in Data Processing

Data controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data of EU residents. Data operator (processor) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The data controller carries the main responsibility for the processing of personal data in accordance with the requirements of GDPR, while an operator shall observe separate rules for working with data. The controller and the operator should conduct their activities only subject to the agreement between them.

According to Ukrainian legislation, namely under Article 2 of the Law of Ukraine On Protection of Personal Data, processing of personal data includes any activity or the combination of actions such as collection, regi­stration, accumulation, storage, adaptation, changing, restoration, use, dissemination, depersonalization, deletion of personal data, in particular with the use of informational (automated) systems. The owner of a database with personal data can be a natural person or legal entity which is granted the right to process these data under the law or with the consent of the data subject, which approves the purpose and procedure of data proces­sing. A disposer of a database with personal data can be a natural person or a legal entity, which has been granted the right to process these data under the law or by the owner of the database. Notably, the concepts of “controller” and “processor” of data have already been introduced in the Ukrainian legislation.

For example, you as a business owner are the data controller (owner), namely you determine which personal data of the client should be collected, processed and how to treat it further, while a data operator may be a respective IT-department (internal or external). The data operator (dispo­ser) is an executor which carries out the respective processing of data (collecting, sto­rage, structuring, changing, deletion etc). If you collect the guest data by yourself, via your own services or feedback form available on the website, you will combine the functions of the controller and operator.

Also, according to the requirements of the GDPR, companies should introduce the position of data protection officer. Your company may have a single position, namely an officer responsible for legitimate and secure processing of data of EU residents. The principles of appointment, responsibilities and objectives of the said officer are specified in Articles 37-39 of the GDPR. In particular, its responsibilities shall include the monitoring of any technologies which are in some manner related to the processing of data.

Ukrainian Business Entities and GDPR Requirements

If the Ukrainian owner of a business:

— offers its services to EU citizens;

— requests and collects personal data of the EU citizens (its clients) and processes the respective amount of transactions with debit cards, including in currency;

— obtains personal data of EU citizens (its clients) from other sources such as third-party booking websites and own websites;

— is involved in marketing profiling of its potential clients, such business potentially involves the processing of personal data of EU citizens and, accordingly, such a business entity should use such data and protect their confidentiality in compliance with the requirements of the GDPR.

Below we provide some practical steps that we recommend to our clients when working with the personal data of custo­mers in order to ensure data privacy:

a) make an inventory of all the company’s activities related to the processing of personal data;

b) revise and update data processing contracts with third parties;

c) review and minimize the collected personal data of customers; limit the data to the minimum scope and only to the technological data necessary for improving services, providing better customer support and for any other purposes necessary to ensure quality performance of the service expected from you;

d) introduce a mechanism for providing a client’s explicit written consent to the processing of data (with the possibility of correction, deletion of their personal data);

e) introduce a mechanism for automated deletion of data upon expiry of a specified period, or upon a client’s request;

f) update the Privacy Policy regarding the company’s personal data, the provisions of which should be short and simple, without obscure legal terms and vague and ambiguous wording, available in all languages supported by the website, including English, so that customers from the EU could understand it. The data controller and operator should be clearly indicated in the document, with their contacts provided. From the provisions of the Privacy Policy, the client must clearly understand what data and for what purpose it is requested from him; where and for how long such data will be stored; that he will be notified in the event of any violations with regard to his data; that his data will not be provided to third parties without his explicit consent, etc.