Personal Data Processing and Protection Policy for Personal Data Databases Owned by the Seller

Contents

  1. General Concepts and Scope

  2. List of Personal Data Databases

  3. Purpose of Personal Data Processing

  4. Procedure for Processing Personal Data: Obtaining Consent, Informing About Rights, and Actions with the Data Subject’s Personal Data

  5. Location of the Personal Data Database

  6. Conditions for Disclosure of Personal Data to Third Parties

  7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with Their Official Duties, Data Retention Period

  8. Rights of the Data Subject

  9. Procedure for Handling Requests from the Data Subject

  10. State Registration of the Personal Data Database

1. General Concepts and Scope

1.1. Definitions

personal data database — a named set of structured personal data in electronic form and/or in the form of personal data card files;

responsible person — the designated individual who organizes work related to the protection of personal data during its processing in accordance with the law;

owner of the personal data database — a natural or legal person who, by law or with the consent of the data subject, is granted the right to process such data, determines the purpose of processing personal data in this database, establishes the composition of such data and the procedures for their processing unless otherwise provided by law;

State Register of Personal Data Databases — a unified state information system for collecting, accumulating, and processing information about registered personal data databases;

public sources of personal data — directories, address books, registers, lists, catalogues, and other systematized collections of open information that contain personal data placed and published with the knowledge of the data subject. Social networks and internet resources where the data subject leaves personal data are not considered public sources (except where the data subject explicitly indicates that the personal data is placed for free distribution and use);

consent of the data subject — any documented, voluntary expression of the individual’s will to permit the processing of their personal data for the formulated purpose of such processing;

anonymization of personal data — removal of information that allows a person to be identified;

processing of personal data — any action or set of actions performed wholly or partially in an information (automated) system and/or in personal data card files related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, provision, transfer), anonymization, destruction of information about an individual;

personal data — information or a set of information about an individual who is identified or can be specifically identified;

processor of the personal data database — a natural or legal person who is granted the right by the owner of the personal data database or by law to process such data. A person entrusted by the owner and/or processor only with technical work on the database without access to the content of personal data is not a processor;

data subject — an individual whose personal data are processed under the law;

third party — any person, except the data subject, the owner or the processor of the personal data database, and the authorized state body for personal data protection, to whom personal data is transferred by the owner or processor in accordance with the law;

special categories of data — personal data about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data related to health or sex life.

1.2.

This Policy is mandatory for the responsible person and the seller’s employees who directly process and/or have access to personal data in connection with the performance of their official duties.

2. List of Personal Data Databases

2.1.

The seller is the owner of the following personal data database:

  • personal data database of counterparties.

3. Purpose of Personal Data Processing

3.1.

The purpose of processing personal data in the system is to ensure the performance of civil-law relations, the provision, receipt, and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”

4. Procedure for Processing Personal Data: Obtaining Consent, Informing About Rights, and Actions with the Data Subject’s Personal Data

4.1.

The data subject’s consent must be a voluntary expression of the individual’s will permitting the processing of their personal data for the formulated purpose of such processing.

4.2.

The data subject’s consent may be given in the following forms:

  • a paper document with requisites enabling identification of the document and the individual;

  • an electronic document that contains mandatory requisites enabling identification of the document and the individual. The individual’s voluntary expression of will to permit processing of personal data should preferably be certified by the data subject’s electronic signature;

  • a mark on an electronic page of a document or in an electronic file processed in an information system based on documented software and technical solutions.

4.3.

The data subject’s consent is granted when establishing civil-law relations in accordance with applicable legislation.

4.4.

Notice to the data subject about inclusion of their personal data in a personal data database, the rights defined by the Law of Ukraine “On Personal Data Protection,” the purpose of data collection, and the persons to whom their personal data are transferred is provided when establishing civil-law relations in accordance with applicable legislation.

4.5.

Processing of personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data relating to health or sex life (special categories of data) is prohibited.

5. Location of the Personal Data Database

5.1.

The personal data databases specified in Section 2 of this Policy are located at the seller’s address.

6. Conditions for Disclosure of Personal Data to Third Parties

6.1.

The procedure for third-party access to personal data is determined by the conditions of the data subject’s consent granted to the personal data owner for processing such data, or in accordance with legal requirements.

6.2.

Access to personal data shall not be granted to a third party if that party refuses to assume obligations to ensure compliance with the Law of Ukraine “On Personal Data Protection” or is unable to ensure such compliance.

6.3.

A participant in relations related to personal data submits a request for access (hereinafter — “request”) to the owner of the personal data.

6.4.

The request must include:

  • last name, first name, patronymic, place of residence (stay), and details of the identity document of the individual submitting the request (for an individual applicant);

  • name and location of the legal entity submitting the request, position, last name, first name, and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity applicant);

  • last name, first name, patronymic, and other information enabling identification of the individual to whom the request relates;

  • information about the personal data database to which the request pertains, or information about the owner or processor of such database;

  • the list of requested personal data;

  • the purpose and/or legal grounds for the request.

6.5.

The period for reviewing a request for its satisfaction shall not exceed ten (10) business days from the date of its receipt. Within this period, the owner of the personal data database informs the requester that the request will be satisfied or that the respective personal data cannot be provided, indicating the grounds specified in the relevant regulatory act. The request shall be satisfied within thirty (30) calendar days from the date of its receipt unless otherwise provided by law.

6.6.

Postponement of access to personal data of third parties is allowed if the required data cannot be provided within thirty (30) calendar days from the date of receipt of the request. In this case, the total period for resolving the issues raised in the request may not exceed forty-five (45) calendar days.

6.7.

Notice of postponement shall be communicated to the third party who submitted the request in writing with an explanation of the procedure for appealing such decision.

6.8.

The notice of postponement must state:

  • the full name of the responsible official;

  • the date the notice was sent;

  • the reason for the postponement;

  • the period within which the request will be satisfied.

6.9.

Refusal of access to personal data is permitted if access is prohibited by law.

6.10.

The notice of refusal must state:

  • the full name of the responsible official who refuses access;

  • the date the notice was sent;

  • the reason for the refusal.

6.11.

A decision to postpone or refuse access to personal data may be appealed in court.

7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with Their Official Duties, Data Retention Period

7.1.

The owner of the personal data database is equipped with system, software-technical tools and communication facilities that prevent loss, theft, unauthorized destruction, distortion, falsification, or copying of information and comply with international and national standards.

7.2.

The responsible person organizes work related to the protection of personal data during processing in accordance with the law. The responsible person is appointed by order of the owner of the personal data database.
The duties of the responsible person regarding the organization of work related to personal data protection during processing are specified in the job description.

7.3.

The responsible person must:

  • know the legislation of Ukraine in the field of personal data protection;

  • develop procedures for employee access to personal data according to their professional, official, or labor duties;

  • ensure that employees of the owner of the personal data database comply with the legislation of Ukraine in the field of personal data protection and internal documents regulating the owner’s activities regarding the processing and protection of personal data in personal data databases;

  • develop a procedure for internal control over compliance with the legislation of Ukraine in the field of personal data protection and internal documents regulating the owner’s activities regarding the processing and protection of personal data in personal data databases, which, in particular, must contain provisions on the frequency of such control;

  • inform the owner of the personal data database about violations by employees of the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the owner’s activities regarding the processing and protection of personal data in personal data databases within no later than one business day from the moment such violations are detected;

  • ensure the storage of documents confirming the data subject’s consent to the processing of their personal data and the notification of the data subject about their rights.

7.4.

To fulfill their duties, the responsible person has the right to:

  • receive necessary documents, including orders and other administrative documents issued by the owner of the personal data database related to personal data processing;

  • make copies of received documents, including copies of files and any records stored in local area networks and stand-alone computer systems;

  • participate in discussions of tasks related to organizing work on personal data protection during processing;

  • submit proposals for improving activities and methods, provide comments and options for eliminating identified shortcomings in the process of personal data processing;

  • obtain explanations on issues related to personal data processing;

  • sign and endorse documents within their competence.

7.5.

Employees who directly process and/or have access to personal data in connection with the performance of their official (labor) duties must comply with the legislation of Ukraine in the field of personal data protection and internal documents on the processing and protection of personal data in personal data databases.

7.6.

Employees who have access to personal data, including those who process such data, must not disclose in any way the personal data entrusted to them or that became known to them in connection with the performance of their professional, official, or labor duties. This obligation remains in force after they cease activities related to personal data, except as provided by law.

7.7.

Persons who have access to personal data, including those who process such data, are liable under the legislation of Ukraine for violating the Law of Ukraine “On Personal Data Protection.”

7.8.

Personal data must not be stored longer than necessary for the purpose for which such data are stored, and in any case not longer than the retention period defined by the data subject’s consent to the processing of such data.

8. Rights of the Data Subject

8.1.

The data subject has the right to:

  • know the location of the personal data database containing their personal data, its purpose and name, as well as the location and/or place of residence (stay) of the owner or processor of this database, or to assign an authorized person to obtain this information, except as provided by law;

  • obtain information about the conditions for granting access to personal data, in particular information about third parties to whom their personal data are transferred from the relevant database;

  • access their personal data contained in the relevant personal data database;

  • receive, no later than thirty (30) calendar days from the date of receipt of the request (unless otherwise provided by law), a response as to whether their personal data are stored in the relevant database, and also receive the content of their stored personal data;

  • submit a reasoned objection to the processing of their personal data by state authorities and local self-government bodies when exercising their powers provided by law;

  • submit a reasoned request for modification or destruction of their personal data by any owner or processor of the database if such data are processed unlawfully or are inaccurate;

  • protect their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision, as well as from the provision of information that is inaccurate or defames the honor, dignity, and business reputation of an individual;

  • apply to state authorities and local self-government bodies with powers to protect personal data for the protection of their rights related to personal data;

  • use legal remedies in the event of violations of personal data protection legislation.

9. Procedure for Handling Requests from the Data Subject

9.1.

The data subject has the right to obtain any information about themselves from any participant in relations related to personal data without specifying the purpose of the request, except as provided by law.

9.2.

Access by the data subject to data about themselves is free of charge.

9.3.

The data subject submits a request for access (hereinafter — “request”) to personal data to the owner of the personal data database.
The request must include:

  • last name, first name, patronymic, place of residence (stay), and details of the identity document of the data subject;

  • other information enabling identification of the data subject;

  • information about the personal data database to which the request pertains, or information about the owner or processor of this database;

  • the list of requested personal data.

9.4.

The period for reviewing a request for its satisfaction shall not exceed ten (10) business days from the date of its receipt. Within this period, the owner of the personal data database informs the data subject that the request will be satisfied or that the respective personal data cannot be provided, indicating the grounds specified in the relevant regulatory act.

9.5.

The request shall be satisfied within thirty (30) calendar days from the date of its receipt unless otherwise provided by law.

10. State Registration of the Personal Data Database

10.1.

State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection.”