Regulation on the Processing and Protection of Personal Data in Databases Owned by the Seller
Contents
- General concepts and scope of application
- List of personal data databases
- Purpose of personal data processing
- Procedure for processing personal data: obtaining consent, notification of rights, and actions with the personal data of the data subject
- Location of the personal data database
- Conditions for disclosing personal data to third parties
- Protection of personal data: protection methods, responsible person, employees directly involved in processing and/or having access to personal data in connection with their official duties, storage period of personal data
- Rights of the personal data subject
- Procedure for handling requests of the personal data subject
- State registration of the personal data database
1. General concepts and scope of application
1.1. Definitions:
- Personal data database — a named set of structured personal data in electronic form and/or in the form of personal data card files.
- Responsible person — a designated person who organizes work related to the protection of personal data during its processing, in accordance with the law.
- Owner of the personal data database — an individual or legal entity that, by law or by consent of the data subject, has been granted the right to process such data, defines the purpose of processing, determines the composition of the data and the procedures for their processing, unless otherwise provided by law.
- State Register of Personal Data Databases — the unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Public sources of personal data — directories, address books, registers, lists, catalogues, other structured collections of open information containing personal data, published with the knowledge of the data subject. Social networks and online resources where data subjects post their personal data are not considered public sources, except when the subject explicitly states that the data is posted for free distribution and use.
- Consent of the data subject — any documented, voluntary expression of will by an individual to permit the processing of their personal data for a specified purpose.
- Depersonalization of personal data — removal of information that allows identification of a person.
- Processing of personal data — any action or set of actions performed fully or partially in an information (automated) system and/or in personal data files related to the collection, registration, accumulation, storage, adaptation, modification, updating, use, dissemination (distribution, implementation, transfer), depersonalization, destruction of information about a natural person.
- Personal data — information or a set of information about an individual who is identified or can be specifically identified.
- Processor of the personal data database — an individual or legal entity to whom the owner of the personal data database or the law grants the right to process such data. A person entrusted only with technical work with the database without access to the content of the personal data is not considered a processor.
- Data subject — an individual whose personal data is being processed in accordance with the law.
- Third party — any person other than the data subject, the owner or processor of the personal data database, and the authorized state body for personal data protection, to whom personal data is transferred in accordance with the law.
- Special categories of data — personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data relating to health or sex life.
1.2. This Regulation is mandatory for the responsible person and for the seller’s employees directly engaged in processing and/or having access to personal data in connection with their official duties.
2. List of personal data databases
2.1. The seller is the owner of the following personal data databases:
- Database of counterparties’ personal data.
3. Purpose of personal data processing
3.1. The purpose of processing personal data in the system is to ensure the implementation of civil-law relations, the provision, receipt, and execution of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for processing personal data: obtaining consent, notification of rights, and actions with personal data
4.1. Consent of the data subject must be a voluntary expression of will to permit the processing of their personal data for the specified purpose.
4.2. Consent may be given in the following forms:
- A paper document with requisites identifying both the document and the individual;
- An electronic document containing requisites identifying the document and the individual, preferably certified with the subject’s electronic signature;
- A mark on an electronic page or file processed in the information system based on documented software and technical solutions.
4.3. Consent is provided at the time of concluding civil-law relations in accordance with current legislation.
4.4. The data subject is notified of the inclusion of their personal data in the database, their rights under the Law of Ukraine “On Personal Data Protection,” the purpose of collection, and the persons to whom the data is transferred at the time of concluding civil-law relations.
4.5. Processing of special categories of data (racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, health or sex life) is prohibited.
5. Location of the personal data database
5.1. The databases specified in Section 2 of this Regulation are located at the seller’s address.
6. Conditions for Disclosure of Personal Data to Third Parties
6.1. The procedure for granting access to personal data to third parties shall be determined by the terms of the consent of the personal data subject, granted to the personal data controller for the processing of such data, or in accordance with the requirements of the law.
6.2. Access to personal data shall not be granted to a third party if such person refuses to undertake obligations to ensure compliance with the Law of Ukraine "On Personal Data Protection" or is unable to ensure such compliance.
6.3. A party to relations related to personal data shall submit a request for access (hereinafter – the "request") to the personal data controller.
6.4. The request shall indicate:
- surname, name, patronymic, place of residence (place of stay) and details of the identity document of the individual submitting the request (for an individual applicant);
- name, registered office of the legal entity submitting the request, position, surname, name, patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity applicant);
- surname, name, patronymic and other information allowing identification of the individual with respect to whom the request is made;
- information about the personal data database to which the request relates, or information about the controller or processor of such database;
- list of requested personal data;
- purpose and/or legal grounds for the request.
6.5. The period for reviewing a request to determine its satisfaction shall not exceed ten (10) business days from the date of receipt. Within this period, the personal data controller shall inform the requester whether the request will be satisfied or whether the requested personal data are not subject to disclosure, indicating the legal basis for refusal. The request shall be satisfied within thirty (30) calendar days from the date of receipt, unless otherwise provided by law.
6.6. Deferral of access to personal data of third parties is permitted if the requested data cannot be provided within thirty (30) calendar days from the date of receipt of the request. In this case, the total period for resolving the issues raised in the request shall not exceed forty-five (45) calendar days.
6.7. Notification of deferral shall be provided in writing to the third party who submitted the request, including an explanation of the procedure for appealing such a decision.
6.8. The notification of deferral shall state:
- surname, name, patronymic of the official;
- date of sending the notification;
- reason for deferral;
- the period within which the request will be satisfied.
6.9. Refusal of access to personal data is permitted if such access is prohibited by law.
6.10. The notification of refusal shall state:
- surname, name, patronymic of the official refusing access;
- date of sending the notification;
- reason for refusal.
6.11. A decision on deferral or refusal of access to personal data may be appealed in court.
7. Protection of Personal Data: Means of Protection, Responsible Person, Employees Directly Processing and/or Having Access to Personal Data in Connection with Their Official Duties, Retention Period of Personal Data
7.1. The personal data controller shall be equipped with system, software, technical, and communication means that prevent loss, theft, unauthorized destruction, distortion, falsification, or copying of information and comply with international and national standards.
7.2. The responsible person shall organize work related to the protection of personal data during their processing in accordance with the law. The responsible person shall be appointed by order of the personal data controller.
The responsibilities of the responsible person regarding the organization of work related to the protection of personal data during their processing shall be specified in the job description.
7.3. The responsible person shall:
- be knowledgeable about the legislation of Ukraine in the field of personal data protection;
- develop procedures for employee access to personal data in accordance with their professional, official, or employment duties;
- ensure that employees of the personal data controller comply with the legislation of Ukraine in the field of personal data protection and internal documents regulating the controller's activities regarding the processing and protection of personal data in databases;
- develop a procedure for internal control over compliance with the legislation of Ukraine in the field of personal data protection and internal documents regulating the controller's activities regarding the processing and protection of personal data in databases, which shall include provisions on the frequency of such control;
- notify the personal data controller about any violations by employees of the legislation of Ukraine in the field of personal data protection and internal documents regulating the controller’s activities regarding the processing and protection of personal data in databases within one (1) business day from the moment of detecting such violations;
- ensure the storage of documents confirming the consent of the personal data subject to the processing of their personal data and the notification of the subject regarding their rights.
7.4. In order to perform their duties, the responsible person shall have the right to:
- obtain necessary documents, including orders and other directives issued by the personal data controller related to personal data processing;
- make copies of obtained documents, including copies of files and any records stored in local networks and standalone computer systems;
- participate in discussions concerning the performance of duties related to organizing personal data protection during processing;
- submit proposals for improving activities and methods of work, make remarks, and suggest ways to eliminate deficiencies in the processing of personal data;
- obtain explanations on issues related to personal data processing;
- sign and endorse documents within their competence.
7.5. Employees who directly process personal data and/or have access to them in connection with the performance of their official (employment) duties shall comply with the legislation of Ukraine in the field of personal data protection and internal documents regulating the processing and protection of personal data in databases.
7.6. Employees having access to personal data, including those processing such data, shall not disclose personal data entrusted to them or that became known to them in connection with their professional, official, or employment duties in any way. This obligation remains in force after they cease activities related to personal data, except as provided by law.
7.7. Persons having access to personal data, including those processing such data, who violate the requirements of the Law of Ukraine "On Personal Data Protection" shall bear responsibility in accordance with the legislation of Ukraine.
7.8. Personal data shall not be stored longer than necessary for the purpose for which such data are stored, but in any case not longer than the storage period determined by the consent of the personal data subject for the processing of such data.
8. Rights of the Personal Data Subject
8.1. The personal data subject shall have the right to:
- know the location of the personal data database containing their personal data, its purpose and name, as well as the location and/or residence (place of stay) of the controller or processor of such database, or issue a corresponding authorization to obtain this information to authorized persons, except as provided by law;
- obtain information about the conditions for granting access to personal data, in particular information about third parties to whom their personal data contained in the respective database are transferred;
- access their personal data contained in the respective personal data database;
- obtain, within thirty (30) calendar days from the date of receipt of a request (unless otherwise provided by law), a response as to whether their personal data are stored in the respective personal data database, and also obtain the content of such stored personal data;
- submit a reasoned request objecting to the processing of their personal data by state authorities or local self-government bodies in the exercise of their statutory powers;
- submit a reasoned request for the modification or destruction of their personal data by any controller or processor of such database if such data are processed unlawfully or are inaccurate;
- protect their personal data from unlawful processing, accidental loss, destruction, damage due to intentional concealment, failure to provide, or untimely provision, as well as protection from providing information that is inaccurate or discredits the honor, dignity, and business reputation of an individual;
- apply to state authorities or local self-government bodies authorized to protect personal data rights;
- use legal remedies in case of violation of legislation on personal data protection.
9. Procedure for Handling Requests of the Personal Data Subject
9.1. The personal data subject shall have the right to obtain any information about themselves from any party to relations connected with personal data without specifying the purpose of the request, except as provided by law.
9.2. Access of the personal data subject to their data shall be free of charge.
9.3. The personal data subject shall submit a request for access (hereinafter – the "request") to the personal data controller.
The request shall indicate:
- surname, name, patronymic, place of residence (place of stay), and details of the identity document of the personal data subject;
- other information allowing the identification of the personal data subject;
- information about the personal data database to which the request relates, or information about the controller or processor of such database;
- list of requested personal data.
9.4. The period for reviewing a request to determine its satisfaction shall not exceed ten (10) business days from the date of receipt. Within this period, the personal data controller shall inform the personal data subject whether the request will be satisfied or whether the requested personal data are not subject to disclosure, indicating the legal basis for refusal.
9.5. The request shall be satisfied within thirty (30) calendar days from the date of receipt, unless otherwise provided by law.
10. State Registration of the Personal Data Database
10.1. The state registration of personal data databases shall be carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."