GDPR poses a significant challenge, especially for non-EU companies that process personal data of EU citizens or offer services in the EU. They must comply with strict data protection requirements when personal data is transferred to third countries – such as Ukraine. Many companies are wondering how the EU-Ukraine data transfer can be made legally compliant, what role standard contractual clauses play and what needs to be considered since the Schrems II judgement. We explain which technical and organisational measures are necessary to protect personal data in accordance with the requirements of the GDPR, how companies deal with current regulations and possible uncertainties and which solutions are possible for small and medium-sized companies without their own EU location. You will also learn how you can achieve data protection compliance as a non-EU company and avoid fines.
Data transfer EU-Ukraine: Legal framework conditions
Many small and medium-sized enterprises from non-EU countries require an efficient and at the same time legally compliant EU-Ukraine data transfer – for example in the context of cooperation with Ukrainian service providers or IT specialists. As Ukraine is not formally recognised as a “safe third country” within the meaning of the GDPR, special measures must be observed for the transfer of personal data to recipients in Ukraine. Standard contractual clauses play a central role here: they ensure that comparable data protection standards are also observed outside the EU. However, since the Schrems II decision, standard contractual clauses alone are not always sufficient. It is important to correctly assess risks and take additional measures to ensure that personal data, e.g. from EU customers, is not processed improperly in third countries. This is the only way to ensure that the EU-Ukraine data transfer complies with the requirements of the GDPR.
Schrems II: Effects on data transfers
The Schrems II judgement of the European Court of Justice (ECJ) from July 2020 has fundamentally changed the rules for international data transfers. The ECJ declared the Privacy Shield agreement between the EU and the USA invalid, which also tightened the requirements for other third countries, such as Ukraine. For companies, this means:
- The transfer of personal data to third countries is only permitted under strict conditions.
- Standard contractual clauses are still applicable, but require an additional risk analysis.
- It must be ensured that an adequate level of data protection exists in the recipient country – otherwise additional technical and organisational measures are required.
The assessment is particularly relevant for the EU-Ukraine data transfer, as there are specific risks, for example due to state access, an unclear legal situation or a lack of independent supervisory authorities. The GDPR requires that data subjects be informed transparently about data transfers and that their rights, such as access, rectification, erasure and objection, be guaranteed.
The Schrems II judgement obliges companies to carry out a so-called Transfer Impact Assessment (TIA) when using standard contractual clauses. The aim is to assess individual risks and introduce additional protection mechanisms where necessary. Without these measures, there is a risk of high fines and reputational damage. Data protection therefore remains a central element for every company that processes the personal data of EU citizens internationally.
Ensuring data protection for EU-Ukraine data transfers
Companies that wish to transfer personal data of EU citizens to Ukraine must fulfil the requirements of the GDPR and ensure a legally secure data transfer, regardless of where the company is based. The following solutions should be considered:
- Use of standard contractual clauses (SCC): Standard contractual clauses are sample contracts provided by the EU Commission that oblige the recipient in Ukraine to comply with EU data protection standards. They must be customised and signed by both parties in a legally binding manner.
- Carry out a transfer impact assessment: Since Schrems II, it has been necessary to carry out a risk analysis (transfer impact assessment) before every EU-Ukraine data transfer. This includes:
  - Evaluation of the legal situation in the recipient country (Ukraine)
  - Examination of potential risks for the data subjects
  - Documentation of the results and measures taken
- Additional guarantees and technical measures: If the level of data protection in Ukraine is not sufficient, additional measures should be taken, such as:
  - Encryption of sensitive data (end-to-end)
  - Pseudonymisation of data before transfer
  - Restricting access to personal data at the recipient’s end
  - Regular data protection training for Ukrainian partners
- Transparent information for data subjects: Under the GDPR, you are obliged to disclose data transfers to third countries. Data subjects must be informed about the type, scope and purpose of the transfer as well as their rights under the GDPR.
- Documentation and proof: All measures taken, in particular standard contractual clauses, assessments and technical protection measures, must be documented and presented to the data protection authority upon request.
- Selection of an experienced EU representative: To ensure compliance with data protection requirements and communication with EU supervisory authorities, it is advisable to appoint an EU representative in accordance with Art. 27 GDPR. This representative provides support in fulfilling the legal requirements, in particular in managing the EU-Ukraine data transfer.
Practical example
A software company based in the USA works with Ukrainian developers and receives access to EU customer data. To ensure data protection compliance, the company concludes standard contractual clauses with the Ukrainian partner, encrypts all data, carries out a detailed transfer impact assessment and logs all measures. A registered EU representative handles communication with the data protection authorities.
Implementing the above steps ensures that your company meets the requirements of Schrems II and GDPR for international data transfers between the EU and Ukraine – and thus minimises the risk of data protection violations.
Summary
Compliance with the GDPR for EU-Ukraine data transfers is essential. Following the Schrems II ruling, standard contractual clauses alone are often not sufficient – supplementary risk analyses and technical protective measures are mandatory. This is the only way to ensure that the personal data of EU citizens is also adequately protected in Ukraine. Non-EU companies must document all processes, safeguard data subject rights and appoint an EU representative. Seek professional advice to ensure data protection compliance and avoid high fines. Contact us for customised solutions for international data transfers between the EU and Ukraine.