Policy on Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller


Contents

 

  1. General Concepts and Scope of Application
  2. List of Personal Data Databases
  3. Purpose of Personal Data Processing
  4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights and Actions with Personal Data of the Data Subject
  5. Location of Personal Data Database
  6. Conditions for Disclosure of Personal Data Information to Third Parties
  7. Personal Data Protection: Protection Methods, Responsible Person, Employees Directly Performing Processing and/or Having Access to Personal Data in Connection with Performance of Their Official Duties, Personal Data Storage Period
  8. Rights of the Data Subject
  9. Procedure for Handling Requests from Data Subjects
  10. State Registration of Personal Data Database


1. General Concepts and Scope of Application

1.1. Definition of terms:

personal data database - a named set of organized personal data in electronic form and/or in the form of personal data files;

responsible person — a designated person who organizes work related to the protection of personal data during their processing, in accordance with the law;

owner of personal data database - a natural or legal person who is granted the right by law or with the consent of the data subject to process such data, approves the purpose of personal data processing in this database, establishes the composition of such data and procedures for their processing, unless otherwise determined by law;

State Register of Personal Data Databases - a unified state information system for collecting, accumulating and processing information about registered personal data databases;

publicly available sources of personal data - directories, address books, registers, lists, catalogs, other systematized collections of open information containing personal data, posted and published with the knowledge of the data subject. Social networks and internet resources where data subjects leave their personal data are not considered publicly available sources of personal data (except in cases where the data subject explicitly indicates that personal data is posted for the purpose of free distribution and use);

consent of the data subject - any documented, voluntary expression of will of a natural person regarding granting permission for processing of their personal data in accordance with the formulated purpose of their processing;

depersonalization of personal data — removal of information that allows identification of a person;

personal data processing - any action or set of actions performed completely or partially in an information (automated) system and/or in personal data files, related to collection, registration, accumulation, storage, adaptation, modification, updating, use and distribution (dissemination, implementation, transfer), depersonalization, destruction of information about a natural person;

personal data - information or a set of information about a natural person who is identified or can be specifically identified;

administrator of personal data database - a natural or legal person who is granted the right by the owner of the personal data database or by law to process such data. A person who is assigned by the owner and/or administrator of the personal data database to perform technical work with the personal data database without access to the content of personal data is not considered an administrator of the personal data database;

data subject — a natural person in respect of whom personal data processing is carried out in accordance with the law;

third party — any person, except for the data subject, owner or administrator of the personal data database and the authorized state body for personal data protection, to whom the owner or administrator of the personal data database transfers personal data in accordance with the law;

special categories of data — personal data about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sex life.

1.2. This Policy is mandatory for application by the responsible person and employees of the seller who directly perform processing and/or have access to personal data in connection with the performance of their official duties.

2. List of Personal Data Databases

2.1. The seller is the owner of the following personal data databases:

counterparty personal data database


3. Purpose of Personal Data Processing

3.1. The purpose of personal data processing in the system is to ensure the implementation of civil law relations, provision, receipt and execution of settlements for purchased goods and services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine".

4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights and Actions with Personal Data of the Data Subject

4.1. The consent of the data subject must be a voluntary expression of will of a natural person regarding granting permission for processing of their personal data in accordance with the formulated purpose of their processing.

4.2. The consent of the data subject may be provided in the following forms:

  • a document on paper with details that allow identification of this document and the natural person;
  • an electronic document that must contain mandatory details allowing identification of this document and the natural person. The voluntary expression of will of a natural person regarding granting permission for processing of their personal data should be certified by the electronic signature of the data subject;
  • a mark on an electronic page of a document or in an electronic file that is processed in an information system based on documented software and technical solutions.

4.3. The consent of the data subject is provided when formalizing civil law relations in accordance with current legislation.

4.4. Notification to the data subject about the inclusion of their personal data in the personal data database, rights defined by the Law of Ukraine "On Personal Data Protection", the purpose of data collection and persons to whom their personal data is transferred is carried out when formalizing civil law relations in accordance with current legislation.

4.5. Processing of personal data about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sex life (special categories of data) is prohibited.

 

5. Location of Personal Data Database

5.1. The personal data databases specified in section 2 of this Policy are located at the seller's address.

 

6. Conditions for Disclosure of Personal Data Information to Third Parties

6.1. The procedure for third party access to personal data is determined by the conditions of consent of the data subject provided to the personal data owner for processing such data, or in accordance with legal requirements.

6.2. Access to personal data is not provided to a third party if such person refuses to undertake an obligation to ensure compliance with the requirements of the Law of Ukraine "On Personal Data Protection" or cannot ensure such compliance.

6.3. A subject of relations related to personal data submits a request for access (hereinafter — request) to personal data to the personal data owner.

6.4. The request shall specify:

  • surname, name and patronymic, place of residence (place of stay) and details of the document certifying the identity of the natural person submitting the request (for a natural person — applicant);
  • name, location of the legal entity submitting the request, position, surname, name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity — applicant);
  • surname, name and patronymic, as well as other information allowing identification of the natural person in respect of whom the request is made;
  • information about the personal data database in respect of which the request is submitted, or information about the owner or administrator of this personal data database;
  • list of requested personal data;
  • purpose and/or legal grounds for the request.

6.5. The period for reviewing a request for its satisfaction cannot exceed ten working days from the day of its receipt. Within this period, the owner of the personal data database informs the person submitting the request that the request will be satisfied or the corresponding personal data is not subject to provision, indicating the basis determined in the relevant regulatory legal act. The request is satisfied within thirty calendar days from the day of its receipt, unless otherwise provided by law.

6.6. Deferral of access to third party personal data is allowed if the necessary data cannot be provided within thirty calendar days from the day of receipt of the request. In this case, the total period for resolving issues raised in the request cannot exceed forty-five calendar days.

6.7. Notification of deferral is brought to the attention of the third party that submitted the request in writing with an explanation of the procedure for appealing such a decision.

6.8. The deferral notification shall specify:

  • surname, name and patronymic of the official;
  • date of sending the notification;
  • reason for deferral;
  • period within which the request will be satisfied.

6.9. Refusal of access to personal data is allowed if access to them is prohibited by law.

6.10. The refusal notification shall specify:

  • surname, name, patronymic of the official refusing access;
  • date of sending the notification;
  • reason for refusal.

6.11. The decision on deferral or refusal of access to personal data may be appealed in court.

 

7. Personal Data Protection: Protection Methods, Responsible Person, Employees Directly Performing Processing and/or Having Access to Personal Data in Connection with Performance of Their Official Duties, Personal Data Storage Period

7.1. The owner of the personal data database is equipped with system and software-technical means and communication systems that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and comply with the requirements of international and national standards.

7.2. The responsible person organizes work related to the protection of personal data during their processing, in accordance with the law. The responsible person is determined by order of the owner of the personal data database.

The duties of the responsible person for organizing work related to the protection of personal data during their processing are specified in the job description.

7.3. The responsible person is obliged to:

  • know the legislation of Ukraine in the field of personal data protection;
  • develop procedures for employee access to personal data in accordance with their professional or official or labor duties;
  • ensure compliance by employees of the personal data database owner with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the personal data database owner on processing and protection of personal data in personal data databases;
  • develop a procedure for internal control over compliance with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the personal data database owner on processing and protection of personal data in personal data databases, which, in particular, must contain norms on the frequency of such control;
  • inform the owner of the personal data database about facts of violations by employees of the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the personal data database owner on processing and protection of personal data in personal data databases no later than one working day from the moment of detection of such violations;
  • ensure storage of documents confirming the provision by the data subject of consent to the processing of their personal data and notification of the specified subject about their rights.

7.4. For the purpose of fulfilling their duties, the responsible person has the right to:

  • receive necessary documents, including orders and other administrative documents issued by the personal data database owner, related to personal data processing;
  • make copies of received documents, including copies of files, any records stored in local computer networks and autonomous computer systems;
  • participate in discussions of their duties in organizing work related to the protection of personal data during their processing;
  • submit for consideration proposals to improve activities and improve working methods, submit comments and options for eliminating identified deficiencies in the personal data processing process;
  • receive explanations on issues of personal data processing;
  • sign and endorse documents within their competence.

7.5. Employees who directly perform processing and/or have access to personal data in connection with the performance of their official (labor) duties are obliged to comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents on processing and protection of personal data in personal data databases.

7.6. Employees who have access to personal data, including those who process them, are obliged not to allow disclosure by any means of personal data that was entrusted to them or that became known in connection with the performance of professional or official or labor duties. Such obligation remains in force after they cease activities related to personal data, except for cases established by law.

7.7. Persons who have access to personal data, including those who process them, in case of violation of the requirements of the Law of Ukraine "On Personal Data Protection" bear responsibility in accordance with the legislation of Ukraine.

7.8. Personal data should not be stored longer than necessary for the purposes for which such data is stored, but in any case not longer than the data storage period determined by the consent of the data subject to the processing of such data.

 

8. Rights of the Data Subject

8.1. The data subject has the right to:

  • know about the location of the personal data database containing their personal data, its purpose and name, location and/or place of residence (location) of the owner or administrator of this database or give corresponding instructions to receive this information to persons authorized by them, except for cases established by law;
  • receive information about the conditions of providing access to personal data, in particular information about third parties to whom their personal data contained in the corresponding personal data database is transferred;
  • access to their personal data contained in the corresponding personal data database;
  • receive no later than thirty calendar days from the date of receipt of the request, except for cases provided by law, an answer about whether their personal data is stored in the corresponding personal data database, as well as obtain the content of their stored personal data;
  • present a motivated demand with objection to the processing of their personal data by state authorities, local self-government bodies in the exercise of their powers provided by law;
  • present a motivated demand for change or destruction of their personal data by any owner and administrator of this database, if such data is processed illegally or is inaccurate;
  • protection of their personal data from illegal processing and accidental loss, destruction, damage due to deliberate concealment, non-provision or untimely provision, as well as protection from provision of information that is inaccurate or dishonest;
  • appeal to state authorities, local self-government bodies whose powers include the implementation of personal data protection on issues of protection of their rights regarding personal data;
  • use legal remedies in case of violation of personal data protection legislation.

 

9. Procedure for Handling Requests from Data Subjects

9.1. The data subject has the right to receive any information about themselves from any subject of relations related to personal data, without indicating the purpose of the request, except for cases established by law.

9.2. Access of the data subject to data about themselves is carried out free of charge.

9.3. The data subject submits a request for access (hereinafter — request) to personal data to the owner of the personal data database.

The request shall specify:

  • surname, name and patronymic, place of residence (place of stay) and details of the document certifying the identity of the data subject;
  • other information allowing identification of the identity of the data subject;
  • information about the personal data database in respect of which the request is submitted, or information about the owner or administrator of this database;
  • list of requested personal data.

9.4. The period for reviewing a request for its satisfaction cannot exceed ten working days from the day of its receipt. Within this period, the owner of the personal data database informs the data subject that the request will be satisfied or the corresponding personal data is not subject to provision, indicating the basis determined in the relevant regulatory legal act.

9.5. The request is satisfied within thirty calendar days from the day of its receipt, unless otherwise provided by law.

 

10. State Registration of Personal Data Database

10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection".