Regulations on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Contents
- General Concepts and Scope
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Personal Data Processing: Consent, Notification of Rights, and Actions with Personal Data
- Location of Personal Data Databases
- Conditions for Disclosing Personal Data to Third Parties
- Personal Data Protection: Methods, Responsible Person, Employees with Access, Retention Period
- Rights of the Data Subject
- Procedure for Handling Data Subject Requests
- State Registration of Personal Data Databases
1. General Concepts and Scope
1.1 Definitions
- Personal data database – a named set of organized personal data in electronic form and/or in the form of personal data files.
- Responsible person – an appointed individual who organizes work related to the protection of personal data during processing, in accordance with the law.
- Owner of the personal data database – a natural or legal person who, by law or with the consent of the data subject, is authorized to process personal data, determines the purpose of processing, the composition of data, and the procedures for processing unless otherwise specified by law.
- State Register of Personal Data Databases – a unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Publicly available sources of personal data – directories, address books, registries, lists, catalogs, and other systematized collections of publicly available information containing personal data. Social networks and internet resources where data subjects post personal data are not considered publicly available sources, except where the data subject explicitly indicates that the data is for free distribution and use.
- Consent of the data subject – any documented, voluntary expression of will by a natural person to allow the processing of their personal data according to a specified purpose.
- Anonymization of personal data – removal of information that allows identifying a person.
- Processing of personal data – any action or set of actions performed fully or partially in an automated information system or in personal data files related to collection, registration, accumulation, storage, adaptation, modification, updating, use, dissemination (distribution, sale, transfer), anonymization, or destruction of personal data.
- Personal data – information about an identified or identifiable natural person.
- Administrator of a personal data database – a natural or legal person authorized to process data by the database owner or by law. Individuals performing technical work without access to data content are not considered administrators.
- Data subject – a natural person whose personal data is processed according to the law.
- Third party – any person other than the data subject, owner, administrator, or authorized state body to whom the data is transferred according to law.
- Special categories of data – personal data revealing racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.
1.2 Scope
This Regulation is mandatory for the responsible person and employees of the seller who directly process or have access to personal data in the course of their duties.
2. List of Personal Data Databases
2.1. The seller owns the following personal data databases:
- Database of counterparties’ personal data
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in the system is to ensure civil-law relations, provide, receive, and conduct payments for purchased goods and services according to the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for Processing Personal Data: Consent, Notification, and Actions
4.1. Consent must be voluntary and provide permission for processing personal data according to the stated purpose.
4.2. Consent can be provided in the following forms:
- Paper document with details identifying the document and person
- Electronic document with mandatory identifying information; voluntary consent may be certified with an electronic signature
- Mark on an electronic page or file processed by the information system
4.3. Consent is given when entering into civil-law relations according to applicable legislation.
4.4. Data subjects are notified of the inclusion of their data in the database, their rights under the Law of Ukraine “On Personal Data Protection,” the purpose of data collection, and third parties receiving the data.
4.5. Processing of special categories of data (race, ethnicity, political, religious beliefs, health, sexual life) is prohibited.
5. Location of Personal Data Databases
5.1. Databases listed in section 2 are located at the seller’s address.
6. Disclosure of Personal Data to Third Parties
6.1. Access to personal data by third parties is determined by the consent of the data subject or according to the law.
6.2. Data is not provided if the third party refuses or cannot comply with data protection requirements.
6.3.–6.11. Procedures for submitting requests, response times, delays, refusals, and appeals are regulated by law.
7. Personal Data Protection
7.1. The database owner is equipped with technical and software means preventing loss, theft, destruction, distortion, forgery, or copying of data according to national and international standards.
7.2.–7.8. Responsibilities of the responsible person and employees include:
- Knowledge of data protection legislation
- Developing procedures for employee access
- Ensuring compliance with law and internal regulations
- Internal control procedures
- Notification of violations
- Confidentiality obligations, including post-employment
- Retention of data no longer than necessary
8. Rights of the Data Subject
8.1. The data subject has the right to:
- Know the location, purpose, and owner of the database
- Access information on conditions of data disclosure to third parties
- Access and obtain their personal data
- Request correction or deletion of illegal or inaccurate data
- Protect their data from unlawful processing, loss, or damage
- Appeal to state authorities regarding data protection violations
9. Procedure for Handling Requests
9.1.–9.5. Data subjects may request information about themselves free of charge. Requests must include identification and details of the requested database. Processing times are: initial review within 10 business days, completion within 30 calendar days, unless otherwise specified by law.
10. State Registration of Personal Data Databases
10.1. Registration is conducted according to Article 9 of the Law of Ukraine “On Personal Data Protection.”