Regulation on processing and protection of personal data in personal data bases owned by the seller
Contents
General concepts and scope of application
List of personal data bases
Purpose of personal data processing
Procedure of personal data processing: obtaining consent, notification of rights and actions with personal data of personal data subject
Location of the personal data base
Conditions for disclosure of personal data to third parties
Protection of personal data: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, period of personal data storage
Rights of the personal data subject
Procedure of handling the requests of the personal data subject
State registration of the personal data base
1. general concepts and scope of application
1.1 Definition of terms:
personal data base - named aggregate of organized personal data in electronic form and/or in the form of personal data files;
responsible person - a certain person who organizes the work related to the protection of personal data during their processing in accordance with the law;
owner of personal data base - natural or legal person who is authorized by law or with the consent of the personal data subject to process these data, who approves the purpose of personal data processing in this data base, establishes the composition of these data and the procedures of their processing, unless otherwise defined by law;
State Register of personal data bases - a unified state information system of collection, accumulation and processing of data on registered personal data bases;
publicly available sources of personal data - directories, address books, registers, lists, catalogs, other systematized collections of public information containing personal data, placed and published with the consent of the personal data subject. Social networks and Internet resources where the personal data subject leaves his/her personal data are not considered to be publicly available sources of personal data (except in cases where the personal data subject explicitly states that the personal data are posted for the purpose of their free distribution and use);
consent of the personal data subject - any documented, voluntary expression of will of a natural person to authorize the processing of his/her personal data in accordance with the formulated purpose of their processing;
depersonalization of personal data - removal of information allowing to identify a person;
personal data processing - any action or set of actions performed fully or partially in the information (automated) system and/or in personal data files, related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, realization, transfer), depersonalization, destruction of information about a natural person;
personal data - information or a set of information about a natural person who is identified or can be specifically identified;
personal data controller - a natural or legal person who is authorized by the owner of the personal data base or by law to process such data. A person who is authorized by the owner and/or manager of the personal data base to carry out technical works on the personal data base without access to the content of personal data is not a personal data controller;
personal data subject - a natural person in respect of whom his/her personal data are processed in accordance with the law;
third party - any person, except for the personal data subject, the owner or manager of the personal data base and the authorized state authority for personal data protection, to whom the owner or manager of the personal data base transfers personal data in accordance with the law;
special categories of data - personal data concerning racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.
1.2 This Policy is binding for the responsible person and employees of the Seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of personal data bases
2.1 The Seller is the owner of such personal data bases:
database of personal data of counterparties.
3. Purpose of personal data processing
3.1 The purpose of personal data processing in the system is to ensure the realization of civil legal relations, provision, receipt and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine".
4. Procedure of personal data processing: obtaining consent, notification of rights and actions with personal data of the personal data subject
4.1 The consent of the personal data subject must be a voluntary expression of will of the natural person to authorize the processing of his/her personal data in accordance with the formulated purpose of their processing.
4.2 The consent of the personal data subject may be provided in the following forms:
a hard copy document with requisites allowing to identify this document and the natural person;
an electronic document, which must contain mandatory requisites that allow identifying the document and the individual. The voluntary expression of will of the natural person to authorize the processing of his/her personal data shall be expediently certified by the electronic signature of the personal data subject;
a mark on the electronic page of the document or in the electronic file, which is processed in the information system on the basis of documented software and hardware solutions.
4.3 The consent of the personal data subject shall be provided when formalizing civil-law relations in accordance with the legislation in force.
4.4 Notification of the subject of personal data about inclusion of his/her personal data in the personal data base, rights defined by the Law of Ukraine "On Protection of Personal Data", purpose of data collection and persons to whom his/her personal data are transferred shall be provided at the registration of civil-law relations in accordance with the current legislation.
4.5 Processing of personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sex life (special categories of data) is prohibited.
5. Location of the personal data base
5.1 The personal data bases specified in section 2 of this Regulation are located at the address of the Seller.
6. Conditions of disclosure of personal data to third parties
6.1 The procedure of access to personal data of third parties is determined by the terms of consent of the subject of personal data provided to the owner of personal data for processing of such data, or in accordance with the requirements of the law.
6.2 Access to personal data to a third party shall not be granted if the said person refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine "On Protection of Personal Data" or is unable to ensure them.
6.3 The subject of relations related to personal data submits a request for access (hereinafter - request) to personal data to the owner of personal data.
6.4 The request shall specify:
surname, first name and patronymic, place of residence (place of stay) and details of the document certifying the natural person submitting the request (for the natural person - applicant);
name, location of the legal entity submitting the request, position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for the legal entity - applicant);
surname, first name and patronymic, as well as other information allowing to identify the natural person in respect of whom the request is made;
information about the personal data base, in respect of which the request is submitted, or information about the owner or controller of this personal data base;
the list of personal data requested;
the purpose and / or legal basis for the request.
6.5 The term for examining the request for its satisfaction may not exceed ten working days from the date of its receipt. Within this term, the personal data base owner shall inform the person submitting the request that the request will be satisfied or the personal data concerned are not to be provided, indicating the grounds defined in the relevant legal act. The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6 Deferred access to personal data of third parties is allowed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. At the same time, the total period for resolving the issues raised in the request may not exceed forty-five calendar days.
6.7 The notice of postponement shall be communicated to the third party who submitted the request in writing with an explanation of the procedure for appealing against such decision.
6.8 The notification of deferral shall include
surname, first name and patronymic of the official;
the date of sending the notification
the reason for the postponement;
the period of time within which the request will be satisfied.
6.9 Denial of access to personal data is allowed if access is prohibited by law.
6.10 The refusal notice shall include:
the surname, first name, patronymic of the official who denies access;
the date of sending the notice
the reason for the denial.
6.11 The decision to postpone or deny access to personal data may be appealed in court.
7. Personal data protection: protection methods, responsible person, employees directly processing and/or having access to personal data in connection with the performance of their official duties, personal data storage period
7.1 The owner of the personal data base is equipped with system and software-technical means and means of communication that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and meet the requirements of international and national standards.
7.2 The responsible person organizes the work related to the protection of personal data during their processing in accordance with the law. The responsible person is determined by the order of the Personal Data Base Owner.
The duties of the person in charge of organizing the work related to the protection of personal data during their processing shall be specified in the job description.
7.3 The responsible person is obliged to:
to know the legislation of Ukraine in the field of personal data protection;
develop procedures of access to personal data of employees in accordance with their professional or service or labor duties;
ensure that the employees of the Personal Data Base Owner fulfill the requirements of the Ukrainian legislation in the field of personal data protection and internal documents regulating the activity of the Personal Data Base Owner on processing and protection of personal data in personal data bases;
to develop an order (procedure) of internal control over compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the Personal Data Base Owner on processing and protection of personal data in personal data bases, which, in particular, should contain norms on the periodicity of such control;
to inform the Personal Data Base Owner about the facts of violation by employees of the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the Personal Data Base Owner on processing and protection of personal data in personal data bases within one working day from the moment of detection of such violations;
to ensure storage of documents confirming that the personal data subject has given his/her consent to the processing of his/her personal data and informing the said subject of his/her rights.
7.4 In order to fulfill his/her duties, the responsible person shall have the right to:
to obtain the necessary documents, including orders and other administrative documents issued by the Personal Data Owner related to the processing of personal data;
make copies from the received documents, including file copies, of any records stored in local computer networks and autonomous computer systems;
to participate in the discussion of his/her duties related to the organization of the work related to the protection of personal data during their processing;
to submit for examination proposals for the improvement of the activity and of the working methods, to submit comments and options for eliminating the identified shortcomings in the process of personal data processing;
to receive explanations on personal data processing issues;
sign and vise documents within their competence.
7.5 Employees who directly process and/or have access to personal data in connection with the performance of their official (labor) duties are obliged to comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents on processing and protection of personal data in personal data bases.
7.6 Employees who have access to personal data, including those who process them are obliged not to allow disclosure by any means of personal data, which they were entrusted with or which became known in connection with the performance of professional or official (labor) duties. Such obligation shall be valid after they cease their activities related to personal data, except in cases prescribed by law.
7.7 Persons who have access to personal data, including those who process them in case of their violation of the requirements of the Law of Ukraine "On Protection of Personal Data" shall be liable under the laws of Ukraine.
7.8 Personal data shall not be stored longer than is necessary for the purpose for which such data are stored, but in any case not longer than the period of data storage determined by the consent of the personal data subject to the processing of such data.
8. Rights of personal data subject
8.1 The subject of personal data has the right:
to know the location of the personal data base containing his/her personal data, its purpose and name, the location and / or residence (stay) of the owner or manager of this base or to give a corresponding instruction to obtain this information to persons authorized by him/her, except in cases established by law;
to obtain information on the conditions of access to personal data, in particular information on third parties to whom his personal data contained in the respective personal data base are transferred;
to have access to his/her personal data contained in the respective personal data base;
to receive, no later than thirty calendar days from the date of receipt of the request, except in cases provided for by law, an answer as to whether his/her personal data are stored in the respective personal data base, as well as to receive the content of his/her personal data that are stored;
to submit a reasoned request objecting to the processing of his/her personal data by public authorities, local self-government bodies in the exercise of their powers provided by law;
to present a reasoned demand for the modification or destruction of his/her personal data by any owner and manager of this database, if these data are processed illegally or are unreliable;
to protect their personal data from unlawful processing and accidental loss, destruction, damage due to deliberate concealment, failure to provide or untimely provision of such data, as well as to protect them from providing information that is inaccurate or defamatory to the honor, dignity and business reputation of a natural person;
to address on issues of protection of his/her rights in relation to personal data to public authorities, local self-government bodies, whose competences include the implementation of personal data protection;
apply legal remedies in case of violation of the legislation on personal data protection.
9. Procedure for handling the requests of the personal data subject
9.1 The personal data subject has the right to obtain any information about himself/herself from any subject of relations related to personal data, without specifying the purpose of the request, except in cases established by law.
9.2 The access of the personal data subject to the data about him/herself is free of charge.
9.3 The personal data subject submits a request for access (hereinafter - request) to personal data to the owner of the personal data base.
The request shall specify:
surname, first name and patronymic, place of residence (place of stay) and details of the personal data subject's identity document;
other information allowing to identify the identity of the personal data subject;
information about the personal data base, in relation to which the request is submitted, or information about the owner or manager of this base;
the list of personal data requested.
9.4 The term for examining the request for its satisfaction may not exceed ten working days from the date of its receipt. Within this term, the owner of the personal data base shall inform the personal data subject that the request will be satisfied or the relevant personal data are not to be provided, indicating the grounds defined in the relevant legal and regulatory act.
9.5 The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
10. State registration of the personal data base
10.1 The state registration of personal data bases is carried out in accordance with Article 9 of the Law of Ukraine "On Protection of Personal Data".