Amendments to the Ukrainian Law on Personal Data Protection (the Amendments) – in force from 1 January 2014 – introduce new liabilities for unapproved processing of high risk data, with a maximum penalty of 680 € (3,400 € if repeated in the same year). The Amendments, which were adopted 3 July 2013, also remove the requirement to register databases containing personal data. However, the amendments stipulate that processing of data comprising ‘special risk for data subject’s rights and freedoms’ requires approval of the Parliamentary Commissioner for Human Rights Ombudsman (the Ombudsman). The Amendments confer regulation of data protection to the Ombudsman, replacing the State Service of Ukraine for Personal Data Protection. The Ombudsman has clarified that high risk data includes sensitive personal data, as defined by the law. ”Risky personal data comprises a wider list than sensitive personal data,” said Vladyslav Podolyak, Senior Associate at Vasil Kisil and Partners LLP. “Risky data also includes: national origins, membership of religious organisations, criminal prosecution, […] personal location and movement.” The Ombudsman has also drafted new rules on privacy compliance audits and a new Standard Data Processing Procedure, which clarifies organisations’ responsibilities in collecting, retaining and handling data.