Regulation on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller


Contents:

  1. General Provisions and Scope of Application
  2. List of Personal Data Databases
  3. Purpose of Personal Data Processing
  4. Procedure for Processing Personal Data: Obtaining Consent, Notifying of Rights, and Actions with Personal Data of the Data Subject
  5. Location of the Personal Data Database
  6. Conditions for Disclosing Personal Data to Third Parties
  7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Directly Involved in Processing and/or Having Access to Personal Data in Connection with Their Job Duties, Retention Period for Personal Data
  8. Rights of the Data Subject
  9. Procedure for Handling Requests from the Data Subject
  10. State Registration of the Personal Data Database

1. General Provisions and Scope of Application

1.1 Definitions:

  • Personal Data Database: A named collection of structured personal data in electronic form and/or in the form of personal data files.
  • Responsible Person: The designated individual who organizes work related to the protection of personal data during its processing, in accordance with the law.
  • Owner of the Personal Data Database: A natural or legal person who has been granted the right to process such data by law or with the consent of the data subject. The owner determines the purpose of processing, establishes the composition of the data, and outlines the procedures for its processing unless otherwise specified by law.
  • State Register of Personal Data Databases: A unified state information system for collecting, storing, and processing information about registered personal data databases.
  • Public Sources of Personal Data: Directories, address books, registers, lists, catalogs, and other systematically compiled collections of open information containing personal data, published or made public with the consent of the data subject. Social networks and internet resources where the data subject places their personal data are not considered public sources unless explicitly stated by the data subject that the data is intended for free dissemination and use.
  • Consent of the Data Subject: Any documented, voluntary expression of will by an individual to authorize the processing of their personal data in accordance with a defined purpose.
  • Anonymization of Personal Data: The removal of information that allows the identification of an individual.
  • Processing of Personal Data: Any operation or set of operations performed wholly or partially in an information (automated) system and/or in personal data files, involving the collection, registration, accumulation, storage, adaptation, modification, updating, use, dissemination (distribution, transfer), anonymization, or destruction of information about an individual.
  • Personal Data: Information or a set of information about an individual who is identified or can be specifically identified.
  • Manager of the Personal Data Database: A natural or legal person authorized by the owner of the personal data database or by law to process this data. A person entrusted by the owner and/or manager to perform technical tasks with the database without access to the content of personal data is not considered a manager.
  • Data Subject: An individual whose personal data is processed in accordance with the law.
  • Third Party: Any person, except for the data subject, the owner, or the manager of the personal data database, as well as authorized state bodies responsible for personal data protection, who is granted access to the personal data in accordance with the law.
  • Special Categories of Data: Personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.

1.2 Scope of the Regulation:

This Regulation is mandatory for the responsible person and employees of the seller who are directly involved in processing and/or have access to personal data in connection with the performance of their job duties.


2. List of Personal Data Databases

2.1 The seller owns the following personal data databases:

  • The database of personal data of contractors.

3. Purpose of Personal Data Processing

3.1 The purpose of personal data processing in the system is to ensure the implementation of civil-legal relations, the provision, receipt, and execution of payments for purchased goods and services in accordance with the Tax Code of Ukraine, and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."


4. Procedure for Processing Personal Data: Obtaining Consent, Notifying of Rights, and Actions with Personal Data of the Data Subject

4.1 Consent of the Data Subject:

The consent of the data subject must be a voluntary expression of will to authorize the processing of their personal data in accordance with a defined purpose.

4.2 Forms of Consent:

Consent can be provided in the following forms:

  • A paper document bearing details that allow identification of the document and the individual.
  • An electronic document containing the mandatory details that allow identification of the document and the individual. The voluntary will of the individual to authorize data processing should be confirmed with an electronic signature.
  • A mark on an electronic page of a document or in an electronic file processed in an information system based on documented software and technical solutions.

4.3 Timing of Consent:

The consent of the data subject is provided during the establishment of civil-legal relations in accordance with current legislation.

4.4 Notification of Rights:

The data subject is notified about the inclusion of their personal data in the database, their rights defined by the Law of Ukraine "On Personal Data Protection," the purpose of data collection, and the entities to whom their data will be transferred during the establishment of civil-legal relations.

4.5 Prohibited Data Categories:

Processing of data on racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life (special categories of data), is prohibited.

5. Location of the Personal Data Database

5.1

The personal data databases specified in Section 2 of this Regulation are located at the seller's address.


6. Conditions for Disclosing Personal Data to Third Parties

6.1

The procedure for third-party access to personal data is determined by the terms of the consent provided by the data subject to the owner of the personal data for processing or in accordance with legal requirements.

6.2

Access to personal data is not granted to third parties if the person refuses to assume obligations to ensure compliance with the requirements of the Law of Ukraine "On Personal Data Protection" or is unable to ensure compliance.

6.3

A subject of relations involving personal data may submit a request to the owner of the personal data database for access to the personal data (hereinafter referred to as the "request").

6.4 The request must include:

  • Full name, place of residence (location), and details of the identity document of the requesting individual (for individual applicants).
  • Name, location of the legal entity submitting the request, the position, full name of the authorized person certifying the request, and confirmation of the request's compliance with the powers of the legal entity (for legal entities).
  • Full name and other details allowing identification of the individual whose data is being requested.
  • Information about the personal data database to which the request is related or information about its owner or manager.
  • A list of requested personal data.
  • The purpose and/or legal grounds for the request.

6.5

The request is examined within a period not exceeding ten working days from the date of receipt. During this period, the owner of the personal data database notifies the requester that the request will be satisfied or that the requested personal data cannot be provided, specifying the legal basis for refusal. If satisfied, the request is fulfilled within thirty calendar days of receipt unless otherwise stipulated by law.

6.6

Deferral of access to personal data is allowed if the requested data cannot be provided within thirty calendar days from the date of receipt. In this case, the total time for resolving issues raised in the request cannot exceed forty-five calendar days.

6.7

The requester is informed in writing about the deferral, including an explanation of the procedure for appealing the decision.

6.8 The deferral notice specifies:

  • The full name and position of the official.
  • The date the notice was sent.
  • The reason for the deferral.
  • The period within which the request will be satisfied.

6.9

Denial of access to personal data is permitted if access is prohibited by law.

6.10 The denial notice specifies:

  • The full name and position of the official denying access.
  • The date the notice was sent.
  • The reason for denial.

6.11

A decision to defer or deny access to personal data can be appealed in court.


7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Involved in Processing, Retention Period

7.1

The owner of the personal data database is equipped with system and software-technical means and communication facilities that prevent the loss, theft, unauthorized destruction, distortion, falsification, or copying of information and that comply with international and national standards.

7.2

The responsible person organizes work related to the protection of personal data during its processing in accordance with the law. The responsible person is appointed by an order of the owner of the personal data database.

The duties of the responsible person concerning the organization of work related to the protection of personal data are specified in their job description.

7.3 The responsible person is obliged to:

  • Be knowledgeable about the personal data protection laws of Ukraine.
  • Develop procedures for employee access to personal data in accordance with their professional or official duties.
  • Ensure compliance by the employees of the owner of the personal data database with the requirements of Ukrainian legislation on personal data protection and internal documents regulating the owner's activities related to personal data processing and protection.
  • Develop internal control procedures for compliance with the requirements of personal data protection legislation and internal regulations, including periodic review.
  • Notify the owner of the personal data database about violations of personal data protection legislation and internal regulations within one working day of discovering such violations.
  • Ensure the storage of documents confirming the data subject's consent to process their personal data and their notification of their rights.

7.4 The responsible person has the right to:

  • Receive necessary documents, including orders and other administrative documents issued by the owner of the personal data database related to data processing.
  • Make copies of received documents, including files, records stored in local computer networks, and autonomous computer systems.
  • Participate in discussions concerning their responsibilities in organizing work related to the protection of personal data during its processing.
  • Submit proposals for improving activities and refining work methods, and provide comments and suggestions for eliminating deficiencies identified in the personal data processing process.
  • Request explanations on issues related to personal data processing.
  • Sign and endorse documents within their area of competence.

7.5

Employees directly involved in the processing of personal data and/or having access to it in connection with their official (job-related) duties must comply with the legislation of Ukraine on personal data protection and internal regulations regarding the processing and protection of personal data in personal data databases.

7.6

Employees with access to personal data, including those processing it, are required not to disclose personal data entrusted to them or made known to them in connection with their professional or official (job-related) duties. This obligation remains in effect after their activity related to personal data has ended unless otherwise provided by law.

7.7

Individuals with access to personal data, including those processing it, are liable under Ukrainian law for violating the requirements of the Law of Ukraine "On Personal Data Protection."

7.8

Personal data must not be stored longer than necessary for the purposes for which such data is stored. In any case, the storage period must not exceed the retention period specified in the data subject's consent to data processing.


8. Rights of the Data Subject

8.1 The data subject has the right to:

  • Know the location of the personal data database containing their personal data, its purpose, and name, as well as the location and/or residence (location) of the owner or manager of this database. They may also delegate obtaining this information to authorized persons unless prohibited by law.
  • Obtain information on the conditions of access to their personal data, including information about third parties to whom their personal data is transferred from the relevant database.
  • Access their personal data contained in the relevant personal data database.
  • Receive, no later than thirty calendar days from the date of receipt of the request (unless otherwise provided by law), a response on whether their personal data is stored in the relevant database and obtain the content of their personal data stored there.
  • Submit a reasoned objection to the processing of their personal data by public authorities or local self-government bodies when such processing is carried out within the scope of their legal authority.
  • Submit a reasoned request for changes or deletion of their personal data to any owner or manager of this database if the data is processed unlawfully or is inaccurate.
  • Protect their personal data from unlawful processing and accidental loss, destruction, or damage due to deliberate concealment, non-disclosure, or untimely disclosure, as well as from the provision of false or defamatory information damaging their honor, dignity, or business reputation.
  • Address personal data protection issues to public authorities and local self-government bodies authorized to protect personal data.
  • Exercise legal remedies in case of violations of personal data protection laws.

9. Procedure for Handling Requests from the Data Subject

9.1

The data subject has the right to obtain any information about themselves from any subject of relations involving personal data without specifying the purpose of the request, except as provided by law.

9.2

Access by the data subject to information about themselves is provided free of charge.

9.3

The data subject submits a request for access to their personal data (hereinafter referred to as the "request") to the owner of the personal data database.

9.4 The request must include:

  • Full name, place of residence (location), and details of the identity document of the data subject.
  • Other information enabling the identification of the data subject.
  • Information about the personal data database related to the request or information about its owner or manager.
  • A list of personal data requested.

9.5

The request is examined within ten working days from the date of receipt. During this period, the owner of the personal data database informs the data subject whether the request will be satisfied or whether the requested personal data cannot be provided, citing the legal grounds for refusal.

9.6

The request is fulfilled within thirty calendar days from the date of receipt unless otherwise provided by law.


10. State Registration of the Personal Data Database

10.1

State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."