Regulation on Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Table of Contents
- General terms and scope of application
- List of personal data databases
- Purpose of personal data processing
- Procedure for processing personal data: obtaining consent, notifying about rights, and actions with the data subject’s personal data
- Location of the personal data database
- Conditions for disclosure of personal data to third parties
- Personal data protection: protection methods, responsible person, employees who directly process and/or have access to personal data due to their job duties, personal data retention period
- Rights of the personal data subject
- Procedure for handling requests of the personal data subject
- State registration of the personal data database
General Terms and Scope of Application
1.1. Definitions
personal data database — a named set of organized personal data in electronic form and/or in the form of personal data filing systems;
responsible person — a designated person who organizes work related to the protection of personal data during processing, in accordance with the law;
owner (controller) of a personal data database — an individual or legal entity that, by law or with the consent of the personal data subject, is granted the right to process such data; the owner approves the purpose of processing personal data in this database, determines the composition of such data and the procedures for processing, unless otherwise provided by law;
State Register of Personal Data Databases — the unified state information system for collection, accumulation, and processing of information about registered personal data databases;
publicly available sources of personal data — directories, address books, registers, lists, catalogs, and other systematized collections of public information containing personal data that are placed and published with the knowledge of the personal data subject. Social networks and internet resources where the personal data subject leaves personal data are not considered publicly available sources (except where the personal data subject explicitly indicates that the personal data are posted for free distribution and use);
consent of the personal data subject — any documented, voluntary expression of will by an individual to grant permission for the processing of their personal data in accordance with the stated purpose of such processing;
de-identification (anonymization) of personal data — removal of information that makes it possible to identify a person;
processing of personal data — any action or set of actions carried out wholly or partly in an information (automated) system and/or in personal data filing systems related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, sale, transfer), de-identification, and destruction of information about an individual;
personal data — information or a set of information about an individual who is identified or can be specifically identified;
processor of a personal data database — an individual or legal entity that is granted the right to process such data by the owner of the personal data database or by law. A person is not considered a processor if they are assigned technical work with the database without access to the content of personal data;
personal data subject — an individual whose personal data are processed in accordance with the law;
third party — any person other than the personal data subject, the owner or processor of the personal data database, and the authorized state body for personal data protection, to whom the owner or processor transfers personal data in accordance with the law;
special categories of data — personal data relating to racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sex life.
1.2. This Regulation is mandatory for the responsible person and the Seller’s employees who directly process and/or have access to personal data due to their official duties.
List of Personal Data Databases
2.1. The Seller is the owner of the following personal data databases:
database of counterparties’ personal data.
Purpose of Personal Data Processing
3.1. The purpose of personal data processing within the system is to ensure the implementation of civil-law relations, provision/receipt of services and settlements for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
Procedure for Processing Personal Data: Obtaining Consent, Notifying of Rights, and Actions with Personal Data
4.1. The personal data subject’s consent must be a voluntary expression of will by an individual to grant permission to process their personal data in accordance with the stated purpose of processing.
4.2. Consent may be provided in the following forms:
- a paper document with details that allow identification of the document and the individual;
- an electronic document containing mandatory details that allow identification of the document and the individual; the individual’s voluntary consent is recommended to be confirmed by an electronic signature of the personal data subject;
- a mark/tick on an electronic page of a document or in an electronic file processed in an information system based on documented software and technical solutions.
4.3. Consent is provided when civil-law relations are formalized in accordance with applicable law.
4.4. Notification of the personal data subject about the inclusion of their personal data in the personal data database, the rights defined by the Law of Ukraine “On Personal Data Protection,” the purpose of data collection, and the persons to whom their personal data are transferred is carried out when civil-law relations are formalized in accordance with applicable law.
4.5. Processing of personal data relating to racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sex life (special categories of data) is prohibited.
Location of the Personal Data Database
5.1. The personal data databases specified in Section 2 of this Regulation are located at the Seller’s address.
Conditions for Disclosure of Personal Data to Third Parties
6.1. The procedure for access to personal data by third parties is determined by the terms of the personal data subject’s consent granted to the owner for processing, or in accordance with legal requirements.
6.2. Access to personal data is not provided to a third party if such party refuses to undertake obligations to ensure compliance with the Law of Ukraine “On Personal Data Protection,” or is unable to ensure such compliance.
6.3. A party to relations involving personal data submits a request for access (hereinafter — a request) to the personal data owner.
6.4. The request shall indicate:
- full name, place of residence (stay), and details of the identity document of the individual submitting the request (for an individual applicant);
- name and location of the legal entity submitting the request, position, and full name of the person certifying the request; confirmation that the request content corresponds to the legal entity’s powers (for a legal entity applicant);
- full name and other information enabling identification of the individual to whom the request relates;
- information about the personal data database to which the request relates, or information about the owner/processor of such database;
- list of requested personal data;
- purpose and/or legal grounds for the request.
6.5. The period for reviewing the request for possible satisfaction may not exceed ten business days from the date of receipt. Within this period, the owner informs the person submitting the request that the request will be satisfied or that the relevant personal data are not subject to provision, stating the grounds defined in the relevant legal act. The request is satisfied within thirty calendar days from the date of receipt, unless otherwise provided by law.
6.6. Deferral of access to personal data of third parties is allowed if the required data cannot be provided within thirty calendar days from the date of receipt. In this case, the overall period for resolving the issues raised in the request may not exceed forty-five calendar days.
6.7. Notice of deferral is provided to the requesting third party in writing with an explanation of the procedure for appealing such a decision.
6.8. The deferral notice shall indicate:
- full name of the official;
- date the notice is sent;
- reason for deferral;
- period within which the request will be satisfied.
6.9. Refusal to provide access to personal data is permitted if access is prohibited by law.
6.10. The refusal notice shall indicate:
- full name of the official refusing access;
- date the notice is sent;
- reason for refusal.
6.11. A decision to defer or refuse access to personal data may be appealed in court.
Personal Data Protection: Protection Methods, Responsible Person, Employees, Retention Period
7.1. The owner of the personal data database is equipped with system and software/technical tools and communication means that prevent loss, theft, unauthorized destruction, distortion, falsification, and copying of information and that comply with international and national standards.
7.2. The responsible person organizes work related to the protection of personal data during processing in accordance with the law. The responsible person is appointed by an order of the owner of the personal data database.
The duties of the responsible person regarding organization of work related to personal data protection during processing are specified in the job description.
7.3. The responsible person must:
- know Ukrainian legislation in the field of personal data protection;
- develop procedures for employees’ access to personal data in accordance with their professional/official or labor duties;
- ensure employees comply with Ukrainian legislation on personal data protection and internal documents governing the owner’s activities regarding processing and protection of personal data;
- develop a procedure for internal control over compliance with Ukrainian legislation and internal documents governing processing and protection of personal data, including provisions on the frequency of such control;
- inform the owner about violations by employees of Ukrainian legislation and internal documents regarding personal data protection no later than one business day from the moment such violations are detected;
- ensure storage of documents confirming the personal data subject’s consent to processing and notification of the subject about their rights.
7.4. To perform their duties, the responsible person has the right to:
- obtain necessary documents, including orders and other administrative documents issued by the owner related to personal data processing;
- make copies of obtained documents, including file copies and any records stored in local networks and standalone computer systems;
- participate in discussions on the organization of work related to personal data protection during processing;
- submit proposals to improve activities and methods of work, provide comments and solutions to eliminate identified deficiencies in personal data processing;
- receive explanations regarding personal data processing;
- sign and approve documents within their competence.
7.5. Employees who directly process and/or have access to personal data due to their official (labor) duties must comply with Ukrainian legislation on personal data protection and internal documents regarding processing and protection of personal data.
7.6. Employees who have access to personal data, including those processing it, must not disclose in any manner personal data entrusted to them or that became known to them in connection with performance of professional/official or labor duties. This obligation remains in force after termination of their activity related to personal data, except as provided by law.
7.7. Persons who have access to personal data, including those processing it, bear responsibility under Ukrainian law for violations of the Law of Ukraine “On Personal Data Protection.”
7.8. Personal data must not be stored longer than necessary for the purpose for which it is stored, but in any case not longer than the retention period defined by the personal data subject’s consent to processing.
Rights of the Personal Data Subject
8.1. The personal data subject has the right to:
- know the location of the personal data database containing their data, its purpose and name, and the location and/or residence (stay) of the owner or processor of the database, or authorize a representative to obtain such information, except as provided by law;
- obtain information on the conditions for granting access to personal data, including information about third parties to whom their personal data are transferred;
- access their personal data contained in the relevant personal data database;
- receive, no later than thirty calendar days from receipt of the request (except as provided by law), a response as to whether their personal data are stored in the relevant database and obtain the content of their stored personal data;
- submit a reasoned objection to the processing of their personal data by state authorities or local self-government bodies within their powers provided by law;
- submit a reasoned request to change or destroy their personal data by any owner or processor if such data are processed unlawfully or are inaccurate;
- protection of their personal data from unlawful processing and accidental loss, destruction, or damage due to intentional concealment, failure to provide, or untimely provision, as well as protection from provision of inaccurate information that harms honor, dignity, or business reputation of an individual;
- apply to state authorities and local self-government bodies competent in personal data protection to protect their rights;
- use legal remedies in case of violations of personal data protection legislation.
Procedure for Handling Requests of the Personal Data Subject
9.1. The personal data subject has the right to obtain any information about themselves from any party to relations involving personal data without stating the purpose of the request, except as provided by law.
9.2. Access of the personal data subject to data about themselves is provided free of charge.
9.3. The personal data subject submits a request (hereinafter — a request) for access to personal data to the owner of the personal data database.
The request shall indicate:
- full name, place of residence (stay), and details of the identity document of the personal data subject;
- other information enabling identification of the personal data subject;
- information about the personal data database to which the request relates, or information about the owner/processor of the database;
- list of requested personal data.
9.4. The period for reviewing the request for possible satisfaction may not exceed ten business days from the date of receipt. Within this period, the owner informs the personal data subject that the request will be satisfied or that the relevant personal data are not subject to provision, stating the grounds defined in the relevant legal act.
9.5. The request is satisfied within thirty calendar days from the date of receipt, unless otherwise provided by law.
State Registration of the Personal Data Database
10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection.”