Regulations on Personal Data Processing and Protection

Regulations on personal data processing and protection in personal data databases owned by the seller

Table of Contents

  1. General Concepts and Scope
  2. List of Personal Data Databases
  3. Purpose of Personal Data Processing
  4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights, and Actions with Personal Data Subject's Data
  5. Location of Personal Data Database
  6. Conditions for Disclosure of Personal Data to Third Parties
  7. Personal Data Protection: Protection Methods, Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with Their Official Duties, Personal Data Storage Period
  8. Rights of the Personal Data Subject
  9. Procedure for Processing Personal Data Subject's Requests
  10. State Registration of Personal Data Database

1. General Concepts and Scope

1.1. Definition of terms:

personal data database — a named set of organized personal data in electronic form and/or in the form of personal data card files;

responsible person — a designated person who organizes work related to the protection of personal data during their processing, in accordance with the law;

personal data database owner — a natural or legal person who has been granted the right to process this data by law or with the consent of the personal data subject, who approves the purpose of processing personal data in this database, establishes the composition of this data and procedures for their processing, unless otherwise specified by law;

State Register of Personal Data Databases — a unified state information system for collecting, accumulating, and processing information about registered personal data databases;

publicly available sources of personal data — directories, address books, registers, lists, catalogs, other systematized collections of open information containing personal data, placed and published with the knowledge of the personal data subject. Social networks and internet resources where personal data subjects leave their personal data are not considered publicly available sources of personal data (except when the personal data subject explicitly states that the personal data is posted for free distribution and use);

consent of the personal data subject — any documented, voluntary expression of will by a natural person to grant permission for the processing of their personal data in accordance with the formulated purpose of their processing;

personal data anonymization — removal of information that allows identification of a person;

personal data processing — any action or set of actions performed fully or partially in an information (automated) system and/or in personal data card files, related to collection, registration, accumulation, storage, adaptation, modification, renewal, use and distribution (dissemination, sale, transfer), anonymization, destruction of information about a natural person;

personal data — information or a set of information about a natural person who is identified or can be specifically identified;

personal data database processor — a natural or legal person who has been granted the right to process this data by the personal data database owner or by law. A person who has been entrusted by the owner and/or processor of the personal data database to perform technical work with the personal data database without access to the content of personal data is not considered a processor of the personal data database;

personal data subject — a natural person whose personal data is processed in accordance with the law;

third party — any person, except for the personal data subject, the owner or processor of the personal data database and the authorized state body for personal data protection, to whom the owner or processor of the personal data database transfers personal data in accordance with the law;

special categories of data — personal data about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.

1.2. These Regulations are mandatory for application by the responsible person and employees of the seller who directly process and/or have access to personal data in connection with their official duties.

2. List of Personal Data Databases

2.1. The seller owns the following personal data databases:

  • database of personal data of counterparties.

3. Purpose of Personal Data Processing

3.1. The purpose of processing personal data in the system is to ensure the implementation of civil law relations, provision, receipt and settlement for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."

4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights, and Actions with Personal Data Subject's Data

4.1. The consent of the personal data subject must be a voluntary expression of will by a natural person to grant permission for the processing of their personal data in accordance with the formulated purpose of their processing.

4.2. The consent of the personal data subject may be provided in the following forms:

  • a paper document with details that allow identification of this document and the natural person;
  • an electronic document that must contain mandatory details that allow identification of this document and the natural person. It is advisable to certify the voluntary expression of will of the natural person to grant permission for the processing of their personal data with the electronic signature of the personal data subject;
  • a mark on an electronic page of a document or in an electronic file that is processed in the information system based on documented software and technical solutions.

4.3. The consent of the personal data subject is provided during the formalization of civil law relations in accordance with current legislation.

4.4. Notification of the personal data subject about the inclusion of their personal data in the personal data database, rights defined by the Law of Ukraine "On Personal Data Protection," the purpose of data collection and persons to whom their personal data is transferred is carried out during the formalization of civil law relations in accordance with current legislation.

4.5. Processing of personal data about racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life (special categories of data) is prohibited.

5. Location of Personal Data Database

5.1. The personal data databases specified in Section 2 of these Regulations are located at the seller's address.

6. Conditions for Disclosure of Personal Data to Third Parties

6.1. The procedure for third party access to personal data is determined by the terms of consent of the personal data subject given to the personal data owner for processing this data, or in accordance with legal requirements.

6.2. Access to personal data is not granted to a third party if the said person refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine "On Personal Data Protection" or is unable to ensure them.

6.3. The subject of relations related to personal data submits a request for access (hereinafter - request) to personal data to the personal data owner.

6.4. The request shall specify:

  • surname, first name and patronymic, place of residence (place of stay) and details of the identity document of the natural person submitting the request (for a natural person - applicant);
  • name, location of the legal entity submitting the request, position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity - applicant);
  • surname, first name and patronymic, as well as other information that allows identification of the natural person about whom the request is made;
  • information about the personal data database regarding which the request is submitted, or information about the owner or processor of this personal data database;
  • list of personal data requested;
  • purpose and/or legal grounds for the request.

6.5. The period for reviewing the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the personal data database owner informs the person submitting the request that the request will be satisfied or that the relevant personal data is not subject to provision, indicating the grounds specified in the relevant regulatory legal act. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.

6.6. Delay in access to personal data of third parties is allowed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. In this case, the total term for resolving issues raised in the request may not exceed forty-five calendar days.

6.7. Notification of delay is communicated to the third party who submitted the request in writing with an explanation of the procedure for appealing such a decision.

6.8. The delay notification shall specify:

  • surname, first name and patronymic of the official;
  • date of sending the notification;
  • reason for delay;
  • period within which the request will be satisfied.

6.9. Refusal of access to personal data is allowed if access to them is prohibited by law.

6.10. The refusal notification shall specify:

  • surname, first name, patronymic of the official who refuses access;
  • date of sending the notification;
  • reason for refusal.

6.11. The decision on delay or refusal of access to personal data may be appealed in court.

7. Personal Data Protection: Protection Methods, Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with Their Official Duties, Personal Data Storage Period

7.1. The personal data database owner is equipped with system and software-technical means and communication means that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and comply with the requirements of international and national standards.

7.2. The responsible person organizes work related to the protection of personal data during their processing, in accordance with the law. The responsible person is determined by order of the Personal Data Database Owner.

The duties of the responsible person regarding the organization of work related to the protection of personal data during their processing are specified in the job description.

7.3. The responsible person is obliged to:

  • know the legislation of Ukraine in the field of personal data protection;
  • develop procedures for employees' access to personal data in accordance with their professional or official or work duties;
  • ensure compliance of the Personal Data Database Owner's employees with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the Personal Data Database Owner regarding the processing and protection of personal data in personal data databases;
  • develop a procedure for internal control over compliance with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the Personal Data Database Owner regarding the processing and protection of personal data in personal data databases, which, in particular, should contain norms regarding the frequency of such control;
  • notify the Personal Data Database Owner about violations by employees of the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the Personal Data Database Owner regarding the processing and protection of personal data in personal data databases within one working day from the moment such violations are detected;
  • ensure storage of documents confirming the personal data subject's consent to the processing of their personal data and notification of the specified subject about their rights.

7.4. In order to perform their duties, the responsible person has the right to:

  • receive necessary documents, including orders and other administrative documents issued by the Personal Data Database Owner related to personal data processing;
  • make copies of received documents, including copies of files, any records stored in local computer networks and autonomous computer systems;
  • participate in the discussion of their duties regarding the organization of work related to the protection of personal data during their processing;
  • submit proposals for improving activities and improving work methods, submit comments and options for eliminating identified deficiencies in the process of personal data processing;
  • receive explanations on issues related to personal data processing;
  • sign and approve documents within their competence.

7.5. Employees who directly process and/or have access to personal data in connection with their official (work) duties are obliged to comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regarding the processing and protection of personal data in personal data databases.

7.6. Employees who have access to personal data, including those who process them, are obliged not to disclose in any way personal data that has been entrusted to them or that became known to them in connection with the performance of professional or official or work duties. This obligation remains valid after they terminate activities related to personal data, except in cases established by law.

7.7. Persons who have access to personal data, including those who process them, in case of violation of the requirements of the Law of Ukraine "On Personal Data Protection" are liable according to the legislation of Ukraine.

7.8. Personal data should not be stored longer than necessary for the purpose for which such data is stored, but in any case not longer than the data storage period determined by the personal data subject's consent to process this data.

8. Rights of the Personal Data Subject

8.1. The personal data subject has the right to:

  • know about the location of the personal data database containing their personal data, its purpose and name, location and/or place of residence (stay) of the owner or processor of this database or give appropriate instructions regarding obtaining this information to persons authorized by them, except in cases established by law;
  • receive information about the conditions for granting access to personal data, in particular information about third parties to whom their personal data contained in the relevant personal data database is transferred;
  • access their personal data contained in the relevant personal data database;
  • receive, no later than thirty calendar days from the date of receipt of the request, except in cases provided by law, an answer about whether their personal data is stored in the relevant personal data database, and also receive the content of their personal data that is stored;
  • submit a reasoned request with an objection against the processing of their personal data by state authorities, local self-government bodies in the exercise of their powers provided by law;
  • submit a reasoned request for change or destruction of their personal data by any owner and processor of this database if this data is processed illegally or is inaccurate;
  • protect their personal data from illegal processing and accidental loss, destruction, damage in connection with intentional concealment, non-provision or untimely provision, as well as protection from providing information that is inaccurate or discredits the honor, dignity and business reputation of a natural person;
  • appeal to state authorities, local self-government bodies whose powers include the protection of personal data, on issues of protection of their rights regarding personal data;
  • apply legal remedies in case of violation of legislation on personal data protection.

9. Procedure for Processing Personal Data Subject's Requests

9.1. The personal data subject has the right to receive any information about themselves from any subject of relations related to personal data without specifying the purpose of the request, except in cases established by law.

9.2. The personal data subject's access to data about themselves is free of charge.

9.3. The personal data subject submits a request for access (hereinafter - request) to personal data to the personal data database owner.

The request shall specify:

  • surname, first name and patronymic, place of residence (place of stay) and details of the identity document of the personal data subject;
  • other information that allows identification of the personal data subject;
  • information about the personal data database regarding which the request is submitted, or information about the owner or processor of this database;
  • list of personal data requested.

9.4. The period for reviewing the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the personal data database owner informs the personal data subject that the request will be satisfied or that the relevant personal data is not subject to provision, indicating the grounds specified in the relevant regulatory legal act.

9.5. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.

10. State Registration of Personal Data Database

10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."