Regulation on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Contents
- General Concepts and Scope of Application
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with the Personal Data of the Data Subject
- Location of the Personal Data Database
- Conditions for Disclosing Personal Data to Third Parties
- Protection of Personal Data: Methods of Protection, Responsible Person, Employees Directly Engaged in Processing and/or Having Access to Personal Data in Connection with Their Official Duties, Retention Period of Personal Data
- Rights of the Data Subject
- Procedure for Handling Requests of the Data Subject
- State Registration of Personal Data Databases
1. General Concepts and Scope of Application
1.1. Definitions:
- Personal Data Database – a named collection of organized personal data in electronic form and/or in the form of personal data files.
- Responsible Person – a designated individual who organizes work related to the protection of personal data during its processing, in accordance with the law.
- Owner of a Personal Data Database – a natural or legal person who is granted by law or by the consent of the data subject the right to process these data, approves the purpose of personal data processing in this database, determines the composition of these data, and establishes procedures for their processing, unless otherwise provided by law.
- State Register of Personal Data Databases – a unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Publicly Available Sources of Personal Data – directories, address books, registers, lists, catalogs, and other systematized collections of open information containing personal data, published and made available with the knowledge of the data subject. Social networks and internet resources where the data subject leaves their personal data are not considered publicly available sources, except when the data subject explicitly indicates that the personal data are placed for free distribution and use.
- Consent of the Data Subject – any documented, voluntary expression of will by a natural person granting permission for the processing of their personal data in accordance with the stated purpose of processing.
- Anonymization of Personal Data – the removal of information that allows identification of an individual.
- Processing of Personal Data – any action or set of actions carried out fully or partially in an information (automated) system and/or personal data files related to the collection, registration, accumulation, storage, adaptation, modification, updating, use, and dissemination (distribution, sale, transfer), anonymization, or destruction of information about a natural person.
- Personal Data – information or a set of information about a natural person who is identified or can be specifically identified.
- Administrator of a Personal Data Database – a natural or legal person to whom the owner of the personal data database or the law grants the right to process these data. A person performing purely technical tasks related to the database without access to the content of personal data is not considered an administrator.
- Data Subject – a natural person whose personal data are being processed in accordance with the law.
- Third Party – any person other than the data subject, the owner or administrator of the personal data database, and the authorized state body responsible for personal data protection, to whom personal data are transferred by the owner or administrator in accordance with the law.
- Special Categories of Data – personal data relating to racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.
1.2. This Regulation is mandatory for application by the responsible person and the employees of the seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of Personal Data Databases
2.1. The seller is the owner of the following personal data databases:
- Personal Data Database of Counterparties.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in this database is to conduct civil-law relations: the supply and receipt of goods and services and the settlement of payments for them, in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with the Personal Data of the Data Subject
4.1. The consent of the data subject must be a voluntary expression of will by the individual to grant permission for the processing of their personal data in accordance with the stated purpose of processing.
4.2. The consent of the data subject may be provided in the following forms:
- A document in paper form containing details that allow identification of the document and the individual;
- An electronic document that includes mandatory details allowing identification of the document and the individual. It is advisable to confirm the voluntary expression of will regarding consent to the processing of personal data with the data subject’s electronic signature;
- A mark on an electronic page of the document or in an electronic file processed in the information system based on documented software-technical solutions.
4.3. The data subject’s consent is provided during the establishment of civil-law relations in accordance with applicable legislation.
4.4. Notification of the data subject about the inclusion of their personal data in the personal data database, the rights defined by the Law of Ukraine “On Personal Data Protection,” the purpose of data collection, and the persons to whom their personal data are transferred shall be carried out during the establishment of civil-law relations in accordance with applicable legislation.
4.5. Processing of personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life (special categories of data) is prohibited.
5. Location of Personal Data Databases
5.1. The personal data databases specified in Section 2 of this Regulation are located at the seller’s address.
6. Conditions for Disclosing Personal Data to Third Parties
6.1. The procedure for granting access to personal data to third parties is determined by the terms of the data subject’s consent provided to the personal data owner for processing these data, or in accordance with the requirements of the law.
6.2. Access to personal data by a third party shall not be granted if such person refuses to assume the obligation to ensure compliance with the Law of Ukraine “On Personal Data Protection” or is unable to ensure it.
6.3. A third party, as a subject of personal-data relations, submits a request (hereinafter, the “request”) for access to personal data to the personal data owner.
6.4. The request must specify:
- Full name, place of residence (or location), and details of the document identifying the individual submitting the request (for an individual applicant);
- Name and location of the legal entity submitting the request, position and full name of the person certifying the request, and confirmation that the request falls within the powers of the legal entity (for a legal entity applicant);
- Full name and other information enabling identification of the individual whose data are requested;
- Information about the personal data database for which the request is submitted, or information about the owner or administrator of this database;
- List of personal data requested;
- Purpose and/or legal grounds for the request.
6.5. The period for reviewing whether the request can be granted shall not exceed ten working days from the date of its receipt. During this period, the personal data owner shall notify the requester whether the request will be granted or, if the relevant personal data cannot be provided, state the basis for this as defined in the relevant regulatory legal act. The request shall be fulfilled within thirty calendar days from the date of receipt, unless otherwise provided by law.
6.6. Deferral of access to personal data is allowed if the required data cannot be provided within thirty calendar days from the date of the request. In this case, the total period for resolving issues raised in the request shall not exceed forty-five calendar days.
6.7. Notification of the deferral shall be communicated to the third party who submitted the request in writing, with an explanation of the procedure for appealing such a decision.
6.8. The deferral notice shall include:
- Full name of the official;
- Date of sending the notice;
- Reason for the deferral;
- Period within which the request will be fulfilled.
6.9. Refusal to provide access to personal data is allowed if such access is prohibited by law.
6.10. The refusal notice shall include:
- Full name of the official refusing access;
- Date of sending the notice;
- Reason for the refusal.
6.11. Decisions regarding deferral or refusal of access to personal data may be appealed in court.
7. Protection of Personal Data: Methods of Protection, Responsible Person, Employees Directly Processing and/or Having Access to Personal Data, Retention Period of Personal Data
7.1. The personal data owner uses system, software, hardware, and communication tools that prevent the loss, theft, unauthorized destruction, distortion, forgery, and copying of information and that comply with international and national standards.
7.2. The responsible person organizes activities related to the protection of personal data during their processing in accordance with the law. The responsible person is appointed by the order of the personal data owner.
Duties of the responsible person regarding the organization of work related to the protection of personal data during processing are specified in their job description.
7.3. The responsible person is obliged to:
- Know the legislation of Ukraine in the field of personal data protection;
- Develop procedures for employee access to personal data according to their professional, official, or labor duties;
- Ensure compliance by employees of the personal data owner with the requirements of Ukrainian law on personal data protection and internal documents regulating the processing and protection of personal data in personal data databases;
- Develop internal control procedures to ensure compliance with Ukrainian law on personal data protection and internal documents regulating the processing and protection of personal data, including specifying the frequency of such control;
- Notify the personal data owner of any violations by employees of the law on personal data protection and internal regulations within one working day of detection;
- Ensure the storage of documents confirming the data subject’s consent to the processing of their personal data and the notification of the data subject about their rights.
7.4. To fulfill their duties, the responsible person has the right to:
- Receive necessary documents, including orders and other administrative documents issued by the personal data owner, related to personal data processing;
- Make copies of received documents, including files, and any records stored in local networks or standalone computer systems;
- Participate in discussions regarding the organization of work related to the protection of personal data during processing;
- Submit proposals to improve operations and methods, provide remarks, and suggest ways to address identified shortcomings in data processing;
- Obtain explanations regarding personal data processing;
- Sign and endorse documents within their competence.
7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (labor) duties are obliged to comply with the requirements of Ukrainian legislation on personal data protection and internal documents regarding the processing and protection of personal data in personal data databases.
7.6. Employees who have access to personal data, including those processing them, must not disclose in any way the personal data entrusted to them or that became known to them in connection with the performance of their professional, official, or labor duties. This obligation remains in effect after the termination of their activities related to personal data, except in cases provided by law.
7.7. Persons who have access to personal data, including those processing them, bear responsibility in accordance with Ukrainian legislation in the event of violations of the Law of Ukraine “On Personal Data Protection.”
7.8. Personal data shall not be stored longer than necessary for the purpose for which such data are stored, and in any case, not longer than the storage period specified by the data subject’s consent to the processing of their personal data.
8. Rights of the Personal Data Subject
8.1. A personal data subject has the right to:
- Know the location of the personal data database containing their personal data, its purpose, and the name and location and/or residence of the owner or administrator of this database, or to give the corresponding instruction to authorized persons to obtain this information, except as provided by law;
- Receive information on the conditions for granting access to personal data, including information on third parties to whom their personal data contained in the respective database are disclosed;
- Access their personal data contained in the respective database;
- Receive, no later than thirty calendar days from the date of the request (except as provided by law), a response regarding whether their personal data are stored in the respective database, as well as access to the content of their personal data stored therein;
- Submit a reasoned objection to the processing of their personal data by state authorities or local self-government bodies when exercising their powers as provided by law;
- Submit a reasoned request for the modification or destruction of their personal data by any owner or administrator of the database if such data are processed unlawfully or are inaccurate;
- Protect their personal data from unlawful processing and from accidental loss, destruction, or damage resulting from intentional concealment, non-provision, or untimely provision, as well as from the provision of inaccurate information that damages their honor, dignity, or business reputation;
- Address issues related to the protection of their personal data rights to state authorities or local self-government bodies responsible for data protection;
- Apply legal remedies in the event of violations of personal data protection legislation.
9. Procedure for Handling Requests from Personal Data Subjects
9.1. A personal data subject has the right to obtain any information about themselves from any entity involved in personal data relations, without specifying the purpose of the request, except as provided by law.
9.2. Access of a personal data subject to their data is free of charge.
9.3. The personal data subject submits a request (hereinafter — “request”) for access to personal data to the owner of the personal data database.
The request must include:
- Full name, residence (location), and details of the document identifying the personal data subject;
- Other information allowing identification of the personal data subject;
- Information about the personal data database for which the request is submitted, or about the owner or administrator of this database;
- List of personal data requested.
9.4. The review period of the request shall not exceed ten working days from the date of its receipt. During this period, the personal data owner shall notify the data subject whether the request will be granted or if the relevant personal data cannot be provided, specifying the basis defined in the relevant regulatory legal act.
9.5. The request shall be fulfilled within thirty calendar days from the date of receipt, unless otherwise provided by law.
10. State Registration of Personal Data Databases
10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection.”