Regulations on the processing and protection of personal data in personal databases owned by the seller

Content

  • General concepts and scope of application
  • List of personal databases
  • Purpose of personal data processing
  • The procedure of processing data: obtaining consent, notification of rights and actions with personal data of the subject of personal data
  • The location of the personal database
  • Terms of disclosure of information about personal data to third parties
  • Protection of personal data: methods of safety, the responsible person, employees who directly process and have access to personal data in connection with the performance of their official duties, the period of storage of personal data
  • Rights of the subject of personal data
  • Procedure for handling requests of the subject of personal data
  • State registration of the personal database

  1. General concepts and scope of application

1.1. Definition of terms:

Term Definitions

In this law, the following terms shall have the meaning hereunder assigned to them:

Base of personal data shall mean a named aggregate of organized personal data in electronic form and/or in the form of a filing system;

Controller of personal data shall mean a natural or legal entity that has obtained a right to the processing of such data according to the law or to the consent of the personal data subject, which approves the purpose of the processing of personal data in the base of personal data, establishes the content of this data and the procedures for its processing, in case the legislation prescribes other;

The state Register of the base of personal data is a joint state informational system of accumulation, collection, and processing of information concerning the registered personal base of personal data;

Personal data subject's consent shall mean a voluntary declaration of will by a natural person, provided he/she has been properly informed, to grant permission to process his/her personal data following the purpose of processing stated in writing or in any other form that allows concluding that the permission has been granted;

Depersonalization of personal data shall mean withdrawal of information that allows directly or indirectly identifying a person;

Filing system shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;

Processing of personal data (hereinafter referred to as "processing") shall mean any operation or set of operations such as collection, registration, accumulation, storage, adaptation, alteration, updating, use, and dissemination (distribution, sale, transfer), depersonalization, or destruction of personal data which may involve the use of information (automated) systems;

Recipient shall mean a natural or legal person, including a third party, to whom personal data is disclosed;

Personal data shall mean information or aggregate information about a natural person who is identified or may be identified;

Processor of personal data shall mean a natural person or legal entity which obtained the right to process such data on behalf of the controller of personal data or according to the law;

Subject of personal data shall mean a natural person whose personal data is processed according to legislation;

Third person shall mean any person, except the subject of personal data, controller or processor of personal data and Authorized State Body on Personal Data Protection, to whom controller or processor of personal data transfers this data according to legislation.

Special category data is personal data that needs more protection because it is sensitive.

1.2. This Regulation is mandatory for application by the responsible person and employees of the seller who directly process or have access to personal data in connection with the performance of their official duties.

  2. List of personal databases

2.1. The seller is the Owner of the following personal databases:

Database of personal data of counterparties

  3. Purpose of personal data processing

3.1. The purpose of processing personal data in the system is to ensure the implementation of civil legal relations, providing, receiving, and making payments for the purchased

  4. The procedure of processing personal data: processing the personal data that data subjects provide, including but not restricted to name and contact information.

4.1. We process your personal data to answer your questions and handle the matter you contacted us about, provide you with information or materials requested, and improve our offers, services, and the information we provide on our websites.

4.2. The benefit of the data subject can be given in the following forms:

  • A document on paper with details, which allows identifying the record and the physical person;
  • An electronic document that contains mandatory details for identifying this document and a natural person;
  • A note on the electronic page that is processed in an information system based on documented software.

4.3. The consent of the subject of personal data is given during the registration of civil legal relations following the current legislation.

4.4. The notification of the data subject about the inclusion of his personal data in the personal database, the rights defined by the Law of Ukraine "On the Protection of Personal Data," the purpose of data collection, and the persons to whom his personal data was transferred is carried out during the registration of civil legal relations following the current legislation.

4.5. The processing of personal data on racial or ethnic origin, political, religious, or ideological beliefs, membership in political parties and trade unions, and data related to health or sexual life (special categories of data) is prohibited.

  5. Location of the personal database

5.1. The personal database specified in section 2 of this Regulation is located at the seller's address.

  6. Mode of Access to Personal Data

 6.1. The permission terms shall determine access to personal data of third parties between the base of the personal data subject and the controller of the base of personal data as for processing this data or according to the access mode established by the law.

 6.2. Access to personal data of third parties shall not be granted if such party refuses to take liabilities about provision or cannot provide execution of requirements of this law or is unable to provide for the execution of such requirements.

 6.3. The subject of relations related to personal data shall submit an inquiry on access to personal data to the controller or processor of personal data.

 6.4. The inquiry shall contain the following information:

 – surname, name and patronymic, place of residence, and information from an identifying document of the person who submits inquiry (for natural person-applicant);

 – name, place of location of a legal entity that submits an inquiry, position, surname, name, and patronymic of the person who certifies the inquiry; confirmation of the conformity of the content of inquiry with the authorities of legal entity (for legal entities-applicants);

 – surname, name, and patronymic as well as other data that enable identification of a natural person about whom such inquiry is submitted;

 – information about personal data concerning which the inquiry is made, or information about the controller or processor of such personal data;

 – list of personal data that are being required;

 – the purpose of or legal grounds for the inquiry.

 6.5. The term of consideration of the inquiry concerning its satisfaction shall not exceed ten days from the day it was received.

 Within this term, any controller or processor of personal data shall inform the person who submits an inquiry that such inquiry shall be satisfied or that the respective personal data is not subject to the provision, with notification about the basis specified in a respective normative and legal act.

 The inquiry shall be satisfied within one calendar month unless otherwise stipulated by the law.

6.6. The personal data subject shall be entitled to reception of any information about himself/herself from any subject of relations related to personal data provided that he/she presents the information specified in section 4, paragraph 1 of this article, unless otherwise prescribed by law.

  7. Protection of personal data: methods of protection, the responsible person, employees who directly process or have access to personal data in connection with the performance of their official duties, the period of storage of personal data

7.1. The Owner of the personal database is equipped with a system, software, and communication tools that prevent the loss, theft, unauthorized destruction, distortion, forgery, and copying of information and meet the requirements of international and national standards.

7.2. The responsible person organizes the work related to protecting personal data during their processing, per the law. The Owner of the personal database determines the responsible person.

The job description determines the duties of the responsible person.
7.3. The responsible person is obliged to:

  • Know the legislation of Ukraine in the field of personal data protection;
  • Develop procedures for access to personal data of employees following their professional or official or labor duties;
  • To ensure compliance by the employees of the Owner of the personal database with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the Owner of the personal database regarding the processing and protection of personal data in personal databases;
  • Develop a procedure for internal control over compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the Owner of the personal database regarding the processing and protection of personal data in the personal databases, which, in particular, should contain norms regarding the periodicity of such control;
  • To notify the Owner of the personal database about the facts of violations by employees of the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the Owner of the personal database regarding the processing and protection of personal data in the personal databases no later than one working day from the moment of detection of such violations;
  • To ensure the storage of documents confirming the provision by the subject of personal data of consent to processing his personal data and notification of the specified subject about his rights.

7.4. To fulfill his duties, the responsible person has the right to:

  • Receive the necessary documents, including orders and other administrative documents issued by the Owner of the personal database, related to the processing of personal data;
  • Make copies of received documents, including copies of files and any records stored in local computer networks and autonomous computer systems;
  • To participate in the discussion of duties performed by him in the organization of work related to the protection of personal data during their processing;
  • Submit for consideration proposals for improving activities and improving work methods, submit comments and options for eliminating identified deficiencies in the process of personal data processing;
  • To receive explanations on personal data processing issues;
  • To sign and certify documents within their competence.

7.5. Employees who directly process or have access to personal data in connection with the performance of their official (labor) duties are obliged to comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regarding the processing and protection of personal data in personal databases.

7.6. Employees who have access to personal data, including those who carry out their processing, are obliged not to allow disclosure in any way of personal data entrusted to them or which became known in connection with the professional or official or labor duties. Such an obligation is valid after they have stopped activities related to personal data, except for cases established by law.

7.7. Persons who have access to personal data, including taking into account their processing in the event of violating the requirements of the Law of Ukraine "On the Protection of Personal Data," are not responsible for following the legislation of Ukraine.

7.8. Personal data shall not be stored longer than is necessary for the purpose for which such data is stored, but in any case, no longer than the data storage period determined by the consent of the subject of personal data to the processing of this data.

    8. Rights of the subject of personal data

    8.1. The subject of personal data has the right:

    • To know the location of the personal database that contains his data, its purpose, and name, location or place of residence (residence) of the Owner or administrator of this database or to give the appropriate instructions to obtain this information to persons authorized by him, except in cases established by law;
    • To receive information about the conditions for providing access to personal data, in particular, information about third parties to whom his data contained in the relevant personal database are transferred;
    • To access his data contained in the relevant personal database;
    • To receive no later than thirty calendar days from the date of receipt of the request, except in cases provided by law, an answer on whether his data is stored in the relevant personal data database, as well as to receive the contents of his data that are stored;
    • Submit a reasoned demand with an objection to the processing of his data by state authorities and local self-government bodies in the exercise of their powers provided for by law;
    • Make a reasoned demand to change or destroy his data by any owner and administrator of this database if these data are processed illegally or are unreliable;
    • To protect his data from illegal processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision, as well as protection from providing information that is unreliable or disgraces the honor, dignity, and business reputation of a natural person;
    • To apply for the protection of one's rights regarding personal data to state authorities and local self-government bodies, whose powers include the protection of personal data;
    • Apply legal remedies in case of violation of the legislation on the protection of personal data.

    9. Procedure for handling requests of the subject of personal data

    9.1. The subject of personal data has the right to receive any information about himself from any subject of relations related to personal data, without specifying the purpose of the request, except for cases established by law.

    9.2. Access of the subject of personal data to personal data is free of charge.

    9.3. The subject of personal data submits a request for access to personal data to the Owner of the personal database.

    The request states:

    • Surname, name and patronymic, place of residence (place of stay), and details of the document proving the identity of the subject of personal data;
    • Other information that makes it possible to identify the person of the subject of personal data;
    • Information about the database of personal data concerning which information about the Owner or manager of this database;
    • List of requested personal data.

    9.4. The term of examining the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the Owner of the personal database notifies the subject of personal data that the request will be satisfied or that the relevant personal data are not subject to the provision, indicating the grounds defined in the relevant regulatory legal act.

    9.5. The request is satisfied within thirty calendar days from the date of its receipt unless otherwise provided by law.

    10. State registration of the personal database

    10.1. State registration of personal databases is carried out following Article 9 of the Law of Ukraine "On the Protection of Personal Data".