This Order approves the internal “Procedure for the Processing and Protection of Personal Data at the Economic Security Bureau of Ukraine.” The document defines clear rules for handling information about natural persons that the ESB collects and uses while performing its functions, in particular within the scope of pre-trial investigations, human resources work, or the processing of citizens’ appeals. The Procedure is mandatory for all Bureau employees and establishes security standards for both electronic databases and paper documents.
**Structure and Main Provisions:**
The document consists of three sections and a standard non-disclosure commitment form.
* **Section I (General Provisions):** defines the purpose of data processing and the list of categories of information (ranging from Unified Register of Pre-trial Investigations materials to candidate application forms for positions).
* **Section II (Requirements for Processing):** details categories of data subjects, the composition of collected information, its storage periods, and procedures for amending or deleting data.
* **Section III (Data Protection):** establishes technical and organizational requirements for security, including protection against unauthorized access and mandatory recording of breaches.
* **Amendments:** This act is a new regulatory instrument that brings the internal activities of the ESB into compliance with the requirements of the Law of Ukraine “On the Protection of Personal Data” and the Model Procedure of the Ukrainian Parliament Commissioner for Human Rights.
**Key Provisions for Practical Application:**
1. **Personal Liability:** Every ESB employee who has access to data signs a written non-disclosure commitment, which is kept in their personnel file.
2. **Limited Access:** The “need-to-know” access principle has been implemented: an employee sees only the portion of data that is necessary for the performance of their specific official duties.
3. **Storage Periods:** The document strictly regulates retention periods for different categories (for example, data regarding citizens’ appeals is stored for 5 years, and data regarding access to premises for up to 3 years).
4. **Rights of Subjects:** The Procedure enshrines a person’s right to change or delete inaccurate data, as well as the ESB’s obligation to notify the subject about the transfer of their data to third parties (with the exception of cases provided for by law, for example, within the scope of operational-search activities).
5. **Security:** The Procedure requires mandatory anti-virus protection and the logging of operations involving access to personal data in ESB information systems.