Transfer Impact Assessment — Ukraine

Pursuant to EDPB Recommendations 01/2020 and SCC 2021/914

Last updated: November 2026

1. Purpose and Scope

This Transfer Impact Assessment ("TIA") evaluates the legal and practical conditions surrounding the transfer of personal data by Complete Solution s. r. o. (the "Data Exporter," acting as Processor under Article 28 GDPR) to independent contractors located in Ukraine (the "Data Importers," acting as Sub-processors) for the purpose of providing software development, quality assurance, and operations services to our EU-based clients. This TIA supplements the EU Standard Contractual Clauses (Module 3, processor-to-subprocessor) executed with each Ukrainian sub-processor.

2. Description of the Transfer

  • Categories of data subjects: end-users, employees, and business contacts of our clients, as defined in the relevant Principal Agreement.
  • Categories of personal data: identifiers, contact information, account information, content data, and technical data, as scoped by each engagement.
  • Special categories: only where explicitly authorized by the client in writing.
  • Purpose: software development, debugging, testing, deployment, and operational support.
  • Frequency: continuous during the engagement period.
  • Storage location: primarily on Data Exporter's EU-based infrastructure (AWS eu-central-1 by default); Ukrainian sub-processors access data through encrypted remote channels and do not store production personal data on local devices.

3. Legal Framework in the Destination Country

Ukraine has a comprehensive data protection regime under the Law of Ukraine "On Personal Data Protection" No. 2297-VI (1 June 2010), as amended. The law establishes data subject rights, processor obligations, breach notification requirements, and an independent supervisory authority (the Ukrainian Parliament Commissioner for Human Rights). Ukraine is a Council of Europe member and has ratified Convention 108+ on data protection. As of the date of this assessment, the European Commission has not issued a full adequacy decision for Ukraine; transfers are therefore conducted under appropriate safeguards (Article 46 GDPR).

4. Government Access Considerations

Ukrainian law regulates government access to personal data through Law No. 2229-IV (on counter-intelligence activities), Law No. 2135-XII (on operative-investigative activity), and the Criminal Procedure Code. Access requires judicial authorization in most cases. Ukraine's accession process to the European Union (candidate status granted June 2022) imposes ongoing alignment with EU data protection standards. The Data Exporter is not aware of laws in Ukraine that would prevent compliance with the SCC obligations of the sub-processor.

5. Risk Assessment

The Data Exporter has assessed the following risks:

  • (a) government access for national security or law enforcement purposes;
  • (b) infrastructure disruption due to the ongoing armed conflict;
  • (c) physical safety of personnel.

The Data Exporter concludes that the risks are mitigated by the technical and organizational measures listed in section 6, and that no production personal data is stored on physical devices located in Ukraine.

6. Supplementary Measures

Technical measures

  • Encryption in transit using TLS 1.2 or higher for all access channels.
  • Encryption at rest using AES-256 for all storage of personal data.
  • No local storage of production personal data on personnel devices. Access occurs through ephemeral cloud development environments hosted in EU regions.
  • Multi-factor authentication required for all access to systems containing personal data.
  • Role-based access controls limiting access to the minimum necessary for the assigned task.
  • Pseudonymization of personal data in non-production environments where technically feasible.
  • Centralized logging of all access events to personal data, retained for at least 12 months.

Organizational measures

  • Each Ukrainian sub-processor has signed (i) the SCC 2021/914 Module 3, (ii) a confidentiality and non-disclosure agreement, and (iii) an internal data protection policy acknowledgment.
  • Mandatory annual data protection and information security training.
  • Documented procedures for handling government access requests, including immediate notification to the Data Exporter and the relevant Controller where legally permitted.
  • Right of the Data Exporter and the Controller to audit, including remote audit, on reasonable notice.

Contractual measures

  • The Data Exporter retains the right to terminate the sub-processing relationship immediately if the sub-processor is unable to fulfill its obligations under the SCC.
  • The sub-processor must challenge any government access request that is not compliant with EU-equivalent standards, where legally possible, and inform the Data Exporter without undue delay.

7. Conclusion

Based on the assessment above, the Data Exporter concludes that the transfer of personal data to Ukrainian sub-processors, executed under SCC 2021/914 Module 3 and supplemented by the technical, organizational, and contractual measures described in section 6, provides a level of protection essentially equivalent to that guaranteed within the European Union for the personal data categories and processing activities described. The Data Exporter will re-assess this conclusion at least annually and upon any material change in the legal or factual circumstances.

8. Review

This assessment was prepared by Mykhaylo Yuminov, Managing Director of Complete Solution s. r. o., and will be reviewed annually or upon material changes to Ukrainian law, the EU-Ukraine relationship, or the Data Exporter's operations. The next scheduled review date is November 2027.

For questions regarding this assessment, contact privacy@complete-solution.eu.