Ukraine Law 2297-VI

Law of Ukraine on Protection of Personal Data No. 2297-VI

Key Facts

Effective Date: January 1, 2011
Enacted: June 1, 2010
Enforcing Authority: Ukrainian Parliament Commissioner for Human Rights (Ombudsman)
Consent Model: Opt-in
Applies To: Any organization processing personal data of individuals in Ukraine

Overview

Ukraine's Law 2297-VI provides general data protection without cookie-specific provisions. Current penalties are extremely low at approximately EUR 700. A GDPR-aligned replacement law (Draft No. 8153) was adopted as a basis by parliament in November 2024, proposing dramatically higher penalties of up to 8% of turnover.

What This Means for Your Website

  • Consent is required for processing personal data, which may extend to cookies containing personal data
  • There are no specific cookie consent requirements under current law
  • Current penalties are minimal (~EUR 700)
  • The pending GDPR-aligned replacement would significantly increase requirements and penalties

Key Requirements

The Ukrainian Ombudsman enforces the current law with modest penalties of up to UAH 34,000 (~EUR 700). Notification to the Ombudsman is required for risky processing within 30 working days. The pending replacement law would introduce penalties of up to UAH 150 million (~EUR 4.5 million) or 8% of global turnover, significantly exceeding even GDPR penalty levels.

How ConsentStack Handles This

ConsentStack applies consent best practices for Ukrainian visitors, positioning websites for compliance with both current requirements and the anticipated GDPR-aligned replacement law.

Penalties

Failure to notify the Ombudsman: up to UAH 34,000 (~EUR 700). The draft replacement proposes up to UAH 150 million (~EUR 4.5 million) or 8% of turnover.

Maximum Fine: UAH 34,000 per violation

Key Requirements

  • Consent required for personal data processing (extends to cookies with personal data)
  • Notification to Ombudsman required for risky processing within 30 working days
  • No specific cookie consent requirements in current law
  • Data subject rights: access, correction, deletion

Notable Provisions

  • No cookie-specific law (general data protection only)
  • Draft GDPR-aligned replacement adopted as basis November 2024
  • EU candidate country
  • Current penalties extremely low (~EUR 700)

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

Loi Informatique et Libertés (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" or "Continue without accepting" button must appear on the first layer.

UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Ukraine have a cookie-specific law?

No. Ukraine's current Law 2297-VI is a general data protection law without cookie-specific provisions. A GDPR-aligned replacement is pending.

What are the penalties under Ukrainian data protection law?

Currently up to UAH 34,000 (~EUR 700). The pending replacement proposes up to UAH 150 million (~EUR 4.5 million) or 8% of turnover.

Is Ukraine aligning with GDPR?

Yes. As an EU candidate country, Ukraine's parliament adopted a GDPR-aligned replacement law as a basis in November 2024.
