Regulation on the Processing and Protection of Personal Data in Databases Owned by the Seller
Contents
- General Concepts and Scope of Application
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
- Location of the Personal Data Database
- Conditions for Disclosure of Personal Data to Third Parties
- Protection of Personal Data: Protection Methods, Responsible Person, Employees Directly Involved in Processing and/or Having Access to Personal Data in Connection with Their Official Duties, Retention Period of Personal Data
- Rights of the Data Subject
- Procedure for Handling Requests from the Data Subject
- State Registration of the Personal Data Database
1. General Concepts and Scope of Application
1.1. Definitions:
- Personal Data Database: A named set of organized personal data in electronic form and/or in the form of personal data card files.
- Responsible Person: A designated individual who organizes work related to the protection of personal data during their processing in accordance with the law.
- Owner of the Personal Data Database: A natural or legal person who is granted the right to process these data by law or with the consent of the data subject, who determines the purpose of processing personal data in this database, establishes the composition of these data, and the procedures for their processing, unless otherwise specified by law.
- State Register of Personal Data Databases: A unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Public Sources of Personal Data: Directories, address books, registers, lists, catalogs, and other systematic collections of open information containing personal data, placed and published with the knowledge of the data subject. Social networks and internet resources where the data subject leaves their personal data are not considered public sources of personal data (except in cases where the data subject explicitly indicates that personal data are placed for the purpose of their free distribution and use).
- Consent of the Data Subject: Any documented, voluntary expression of will by a natural person regarding the granting of permission for the processing of their personal data in accordance with the formulated purpose of their processing.
- Anonymization of Personal Data: The removal of information that allows for the identification of a person.
- Processing of Personal Data: Any action or set of actions performed fully or partially in an information (automated) system and/or in personal data card files related to the collection, registration, accumulation, storage, adaptation, modification, updating, use, and dissemination (distribution, realization, transfer), anonymization, destruction of information about a natural person.
- Personal Data: Information or a set of information about a natural person who is identified or can be specifically identified.
- Manager of the Personal Data Database: A natural or legal person who is granted the right by the owner of the personal data database or by law to process these data. A person who is assigned by the owner and/or manager of the personal data database to perform technical work with the personal data database without access to the content of personal data is not considered a manager of the personal data database.
- Data Subject: A natural person whose personal data is processed in accordance with the law.
- Third Party: Any person, except the data subject, owner, or manager of the personal data database, and the authorized state body for personal data protection, to whom the owner or manager of the personal data database transfers personal data in accordance with the law.
- Special Categories of Data: Personal data about racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.
1.2. This Regulation is mandatory for application by the responsible person and employees of the seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of Personal Data Databases
2.1. The seller is the owner of the following personal data databases:
- Personal data database of counterparties.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in the system is to ensure the implementation of civil-law relations, provision, receipt, and execution of settlements for purchased goods and services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
4.1. The consent of the data subject must be a voluntary expression of will by a natural person regarding the granting of permission for the processing of their personal data in accordance with the formulated purpose of their processing.
4.2. The consent of the data subject may be provided in the following forms:
- A document on paper with details that allow for the identification of this document and the natural person.
- An electronic document containing mandatory details that allow for the identification of this document and the natural person. It is advisable that the voluntary expression of will by a natural person regarding the granting of permission for the processing of their personal data be certified by the electronic signature of the data subject.
- A mark on the electronic page of the document or in the electronic file being processed in the information system based on documented software and technical solutions.
4.3. The consent of the data subject is provided during the establishment of civil-law relations in accordance with current legislation.
4.4. Notification of the data subject about the inclusion of their personal data in the personal data database, the rights defined by the Law of Ukraine "On Personal Data Protection," the purpose of data collection, and the persons to whom their personal data are transferred is carried out during the establishment of civil-law relations in accordance with current legislation.
4.5. The processing of personal data about racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life (special categories of data) is prohibited.
5. Location of the Personal Data Database
5.1. The personal data databases specified in section 2 of this Regulation are located at the seller's address.
6. Conditions for Disclosure of Personal Data to Third Parties
- the request (for a legal entity – the applicant) confirms that the content of the request corresponds to the powers of the legal entity;
- surname, name, and patronymic, as well as other information that allows the identification of the natural person to whom the request pertains;
- information about the personal data database to which the request relates, or information about the owner or manager of that personal data database;
- a list of the requested personal data;
- the purpose and/or legal basis for the request.
6.5. The period for reviewing the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the owner of the personal data database shall inform the person submitting the request that the request will be satisfied or that the respective personal data are not subject to disclosure, stating the reasons defined in the relevant regulatory legal act. The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6. Postponement of access to personal data for third parties is allowed if the requested data cannot be provided within thirty calendar days from the date of the request. In this case, the total period for resolving the issues raised in the request may not exceed forty-five calendar days.
6.7. A written notification of the postponement shall be provided to the third party who submitted the request, with an explanation of the procedure for appealing such a decision.
6.8. The postponement notification shall include:
- surname, name, and patronymic of the official;
- date the notification was sent;
- reason for the postponement;
- the time frame within which the request will be fulfilled.
6.9. Refusal to access personal data is allowed if access to them is prohibited by law.
6.10. The refusal notification shall include:
- surname, name, and patronymic of the official who refuses access;
- date the notification was sent;
- reason for the refusal.
6.11. The decision to postpone or deny access to personal data may be appealed in court.
7. Protection of Personal Data
(Methods of protection, responsible person, employees directly involved in processing and/or having access to personal data in connection with their official duties, data retention period)
7.1. The owner of the personal data database is equipped with system and software-technical means and communication tools that prevent loss, theft, unauthorized destruction, distortion, forgery, or copying of information, and comply with international and national standards.
7.2. The responsible person organizes the work related to the protection of personal data during their processing in accordance with the law. The responsible person is appointed by order of the owner of the personal data database.
The duties of the responsible person regarding the organization of work related to the protection of personal data during their processing are specified in their job description.
7.3. The responsible person is obliged to:
- be familiar with the legislation of Ukraine on personal data protection;
- develop procedures for access to personal data for employees according to their professional or official duties;
- ensure that the employees of the owner of the personal data database comply with the legislation of Ukraine on personal data protection and internal documents governing the processing and protection of personal data in the databases;
- develop internal control procedures for compliance with the legislation of Ukraine on personal data protection and internal documents regulating the activity of the owner of the personal data database. This should include the frequency of such control;
- notify the owner of the personal data database about violations of the legislation of Ukraine on personal data protection and internal documents by employees within one working day from the moment of detection of such violations;
- ensure the storage of documents confirming that the data subject gave consent to the processing of their personal data and was informed of their rights.
7.4. In order to fulfill their duties, the responsible person has the right to:
- obtain necessary documents, including orders and other instructions issued by the owner of the personal data database related to personal data processing;
- make copies of received documents, including files and records stored in local computer networks and standalone computer systems;
- participate in discussions related to the organization of work on personal data protection;
- make suggestions for improving processes and submit proposals for eliminating deficiencies discovered during personal data processing;
- request explanations regarding personal data processing;
- sign and endorse documents within their area of competence.
7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (employment) duties must comply with the legislation of Ukraine on personal data protection and internal documents governing the processing and protection of personal data in the databases.
7.6. Employees who have access to personal data, including those who process them, are obliged not to disclose in any way personal data that were entrusted to them or became known to them in connection with the performance of their professional or official (employment) duties. This obligation remains in force after they cease activities related to personal data, except as provided by law.
7.7. Persons who have access to personal data, including those who process them, shall be held liable in case of violation of the Law of Ukraine "On Personal Data Protection" in accordance with the legislation of Ukraine.
7.8. Personal data must not be stored longer than necessary for the purpose for which such data are stored, but in any case, not longer than the period defined by the consent of the data subject to the processing of such data.
8. Rights of the Data Subject
8.1. The data subject has the right to:
- know the location of the personal data database that contains their personal data, its purpose and name, the location and/or residence (stay) of the owner or manager of this database, or to give a corresponding instruction for obtaining this information to authorized persons, except as provided by law;
- receive information about the conditions of access to personal data, in particular, information about third parties to whom their personal data contained in the respective personal data database are transferred;
- access their personal data contained in the respective personal data database;
- receive, no later than thirty calendar days from the date of receipt of the request, except as provided by law, a response on whether their personal data are stored in the relevant personal data database, as well as receive the content of such personal data that are stored;
- submit a reasoned demand with an objection to the processing of their personal data by state authorities, local self-government bodies in the exercise of their powers provided by law;
- submit a reasoned demand for the modification or destruction of their personal data by any owner or manager of this database if these data are processed unlawfully or are unreliable;
- protect their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision, as well as protect from the provision of information that is untrue or discredits the honor, dignity, and business reputation of a natural person;
- apply to state authorities, local self-government bodies, within the competence of which is the implementation of personal data protection, for the protection of their rights regarding personal data;
- apply legal remedies in case of violation of the legislation on personal data protection.
9. Procedure for Handling Requests from the Data Subject
9.1. The data subject has the right to receive any information about themselves from any subject of relations related to personal data, without indicating the purpose of the request, except as provided by law.
9.2. Access of the data subject to data about themselves is provided free of charge.
9.3. The data subject submits a request for access (hereinafter referred to as the request) to personal data to the owner of the personal data database.
The request shall include:
- surname, name, and patronymic, place of residence (stay), and details of the document certifying the identity of the data subject;
- other information that allows for the identification of the data subject;
- information about the personal data database to which the request relates, or information about the owner or manager of this database;
- list of requested personal data.
9.4. The period for reviewing the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the owner of the personal data database shall inform the data subject that the request will be satisfied or that the respective personal data are not subject to disclosure, stating the reasons defined in the relevant regulatory legal act.
9.5. The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
10. State Registration of the Personal Data Database
10.1. The state registration of personal data databases shall be carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."