Mon-Fri 9 am - 6 pm Sat / Sun - day off
Rules for the processing and protection of personal data in personal databases owned by the Seller
- General concepts and scope
- List of Personal Data Bases
- Aim of personal data processing
- Procedures for the processing of personal data: obtaining of consent, notification of rights and operations with the personal data of the data subject
- Location of the database
- Conditions for disclosing personal data to third parties
- Protection of personal data: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with performing their official duties, period of storing personal data.
- Data subject's rights
- Handling of requests from the person concerned
- State registration of the personal database
1. General Terms and Scope
Personal database - a named set of organized personal data in electronic form and/or in the form of personal files;
Responsible person - a designated person who organizes work related to protecting personal data while processing it according to the Law;
Owner of a personal data base - a natural person or legal entity who is authorized by law or with the consent of the data subject to process such data, who approves the purpose of the processing of personal data in this data base, determines the composition of such data and procedures for its processing, unless otherwise provided by law;
The State Register of Personal Data Bases is a unified state information system for collecting, accumulating and processing information on registered personal data bases;
publicly accessible sources of personal data - directories, directories, registers, lists, catalogs, other systematized collections of open information containing personal data, which are entered and published with the consent of the person concerned. Social networks and Internet resources where the data subject leaves his or her personal data are not considered publicly available sources of personal data (unless the data subject expressly states that the personal data is posted for the purpose of making it freely available and using it);
Consent of the data subject - any documented, voluntary expression of the individual's will to grant permission for the processing of his or her personal data in accordance with the stated purpose of the processing;
Depersonalization of personal data - the removal of any information that could be used to identify an individual;
Processing of personal data - any operation or set of operations performed in whole or in part in an (automated) information system and/or in personal data files in connection with collecting, registering, collecting, storing, adapting, modifying, renewing, using and disseminating (distributing, selling, transferring), depersonalizing, destroying information about a natural person;
Personal data - information or set of information about an identified or identifiable individual;
Person in charge of the database - an individual or a legal entity that has the right to handle the information from the owner of the database or from the law. A person who is entrusted by the owner and/or the manager of the personal data base with the performance of technical work with the personal data base without having access to the content of the personal data is not a manager of the personal data base;
Data subject - a person about whom personal data is processed in accordance with the law;
third party - any person, except for the personal data subject, the owner or the manager of the personal data base and the state authority for the protection of personal data, to whom the owner or the manager of the personal data base transfers personal data in accordance with the law;
special categories of data - personal data concerning racial or ethnic origin, political, religious or philosophical convictions, membership in political parties and trade unions, and data concerning health or sex life.
1.2. This Policy is binding on the Responsible Person and the Seller's employees who directly process and/or have access to personal data related to the performance of their official duties.
2. Personal database list
2.1. Seller is the owner of such personal information:
- database of personal data of counterparties.
3. Purpose of processing personal data
3.1. The purpose of the processing of personal data in the system is to ensure the implementation of civil law relations, provision, receipt and payment for purchased goods and services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On accounting and financial reporting in Ukraine".
4. Procedures for processing personal data: obtaining consent, informing data subjects of their rights and handling personal data
4.1. The data subject's consent must be a voluntary expression of his or her will to allow his or her personal data to be processed for the stated purpose.
4.2. The consent of the personal data subject may be provided in the following forms:
- A paper document with information that is relevant to the identification of the document and a person;
- An electronic document that must have mandatory information for the identification of the document and the data subject. The electronic signature of the data subject should certify the voluntary expression of the data subject's will to consent to the processing of his or her personal data;
- A mark on an electronic page of a document or in an electronic file that is processed in an information system on the basis of documented software and hardware solutions.
4.3. The consent of the data subject will be obtained during the formalization of civil law relationships, in accordance with the applicable law.
4.4. The data subject shall be informed about the inclusion of his/her personal data in the personal data base, about the rights defined by the Law of Ukraine "On personal data protection", about the purpose of data collection and about the persons to whom his/her personal data will be transferred in the course of formalization of civil-law relations in accordance with the applicable law.
4.5. The processing of personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership of political parties or trade unions, as well as data concerning health or sex life (special categories of data) is prohibited.
5. Location of the personal database
5.1. At the Seller's address are the personal databases specified in Section 2 of this Policy.
6. Terms for disclosing personal information to third parties
6.1. The procedure for access to personal data of third parties will be in accordance with the terms of the personal data subject's consent to the data controller's processing of that data, or in accordance with the requirements of the law.
6.2. Access to personal data is not granted to a third party if the said person refuses to assume obligations to ensure that the requirements of the Law of Ukraine "On Personal Data Protection" are met or fails to meet them.
6.3. A request for access to personal data (hereinafter referred to as "request") is submitted to the personal data controller by a data subject.
6.4. The request shall include:
- Name, surname and patronymic, place of residence (place of stay) and details of the document certifying the identity of the applicant (in the case of an individual applicant);
- Name, address of the legal entity submitting the application, position, name, surname and patronymic of the person certifying the application; confirmation that the content of the application corresponds to the powers of the legal entity (for the legal entity - the applicant);
- Surname, first name, patronymic, as well as other information identifying the person about whom the request is made;
- Information regarding the personal database regarding which the request is made, or information regarding the owner or manager of that personal database;
- list of requested personal data;
- purpose and/or legal grounds for the request.
6.5. The term of consideration of the request for its fulfillment shall not be longer than ten working days from the date of its receipt. During this period, the owner of the personal data base shall inform the person making the request that the request will be satisfied or that the relevant personal data will not be provided, stating the reasons specified in the relevant regulatory legal act. Unless otherwise provided by law, the request shall be satisfied within thirty calendar days from the date of its receipt.
6.6. If the necessary data cannot be provided within thirty calendar days from the date of receipt of the request, access to the personal data of third parties may be deferred. In this case, no more than forty-five calendar days shall be allowed for the resolution of the issues raised in the request.
6.7. Notice of the deferral shall be provided in writing to the third party submitting the request and shall include an explanation of the appeal process for such a decision.
6.8. The notice of deferral shall specify:
- The official's last name, first name, and patronymic;
- Date the message was sent;
- Why it was delayed;
- The time within which the request is approved.
6.9. Refusing to provide access to personal information is permitted if such access is prohibited by law.
6.10. The notice of denial shall state the following:
- Name, surname, and patronymic of the official denying access;
- Date the message was sent;
- Reason for denial.
6.11. You may appeal to a court of law the decision to defer or deny access to your personal information.
7. Protection of personal data: methods of protection, person responsible, employees who directly process and/or have access to personal data in connection with carrying out their official duties, period for keeping personal data
7.1. The owner of the personal data base has a system, software, hardware and communication facilities that prevent loss, theft, unauthorized destruction, distortion, falsification and copying of information and are in compliance with international and national standards.
7.2. In accordance with the law, the responsible person organizes the work related to the protection of personal data during its processing. By order of the owner of the personal data, the responsible person is appointed.
The responsibilities of the person in charge of the organization of work related to the protection of personal data during their processing are specified in the job description.
7.3. The responsible person has a duty to do this:
- Knowledge of the laws and regulations of Ukraine in the area of personal data protection;
- Develop procedures, consistent with their professional or official duties or employment responsibilities, for accessing employees' personal information;
- Ensure that the employees of the owner of personal data comply with the requirements of the legislation of Ukraine in the sphere of protection of personal data and internal documents regulating the activities of the owner of personal data in the sphere of processing and protection of personal data in personal databases;
- To develop a procedure for internal control over the compliance with the requirements of the legislation of Ukraine in the sphere of personal data protection and internal documents regulating the activities of the holder of personal data in the sphere of processing and protection of personal data in personal databases. In particular, the procedure should contain rules on the frequency of such control;
- to inform the Owner of the Personal Database about the facts of violation by the employees of the requirements of the legislation of Ukraine concerning the protection of personal data and internal documents regulating the activities of the Owner of the Personal Database concerning the processing and protection of personal data stored in the Personal Databases within one working day from the day of discovering such violations;
- Ensure that documents are kept confirming that the data subject has consented to having his or her personal data processed and that the data subject has been informed of his or her rights.
7.4. The Responsible Person has the right to do the following in order to perform his/her duties:
- To receive necessary documents, including orders and other administrative documents issued by the Owner of the Personal Data Base, related to processing personal data;
- to make copies of the received documents, including copies of the files, all the records stored in the local computer networks and in the autonomous computer systems;
- Participate in the discussion of his/her duties in the organization of work in connection with the protection of personal data during their processing;
- Submitting proposals for improving the activities and working methods. Submitting comments and options for eliminating identified shortcomings in the process of personal data processing;
- Receipt of explanations on issues in connection with the processing of personal data;
- Signature and approval of documents within the scope of their competence.
7.5. The requirements of Ukrainian legislation on the protection of personal data and internal documents on the processing and protection of personal data in personal databases shall be observed by employees who directly process and/or have access to personal data in connection with the performance of their official (employment) duties.
7.6. Employees who have access to personal data, including those who process such data, are under an obligation to prevent the disclosure in any manner whatsoever of personal data that has been entrusted to them or that has come to their knowledge in connection with the performance of professional or official duties or employment. Except in the cases provided for by law, this obligation shall continue to apply even after they have ceased to carry out activities related to personal data.
7.7.Persons who have access to personal data, including those who are its processors, shall be liable in accordance with the laws of Ukraine in case of violation of the requirements of the Law of Ukraine "On Protection of Personal Data".
7.8. Personal data should be stored for no longer than is necessary for the purposes for which such data are stored, and in any case for no longer than the data retention period determined by the consent of the personal data subject to the processing of such data.
8. Data Subject Rights
8.1. The subject of the personal data has the right to obtain
- to know the location of the personal data bank containing his/her personal data, its purpose and the name, location and/or domicile (residence) of the owner or manager of such data bank, or to give an order to the persons authorized by him/her to obtain such information, except for the cases provided for by law;
- to receive information on the conditions for the granting of access to his/her personal data, including information on the third parties to whom his/her personal data contained in the relevant personal data base will be communicated;
- to have access to his/her personal data contained in the relevant personal database;
- to be informed, no later than thirty (30) calendar days from the date of receipt of the request, as to whether or not his/her personal data are included in the said file, except in the cases provided for by law, and to know the content of his/her personal data included in the said file;
- the submission of a justified request with an objection to the processing of his/her personal data by state authorities, local self-government bodies in the exercise of their powers provided for by law; the submission of a justified request with an objection to the processing of his/her personal data by state authorities, local self-government bodies in the exercise of their powers provided for by law;
- to submit a reasoned request for the modification or deletion of his/her personal data by any owner and manager of this data base, if this data is being processed unlawfully or is unreliable;
- Protection of their personal data against unlawful processing, accidental loss, destruction, damage due to deliberate concealment, failure to provide or untimely provision, as well as against the provision of information that is inaccurate or discrediting to the honor, dignity and business reputation of a person;
- to apply to state authorities and local self-government bodies in charge of the protection of personal data for the protection of his rights in relation to personal data;
- in case of violation of the legislation on protection of personal data, apply for legal remedies.
9. Procedures for dealing with requests from the subjects of personal data
9.1. Except in the cases provided for by law, a data subject shall have the right to obtain from any party involved in the processing of personal data, without specifying the purpose of the request, any information concerning him or her.
9.2. Access by the data subject to data relating to him or her shall be free of charge.
9.3. The data subject submits to the owner of the personal data base a request for access to personal data (hereinafter "request").
The request must include the following
- Surname, first name and patronymic, place of residence (stay) and information regarding the identity card of the person concerned;
- any other information that makes it possible to identify the person to whom the personal information relates;
- Information about the personal database that is the subject of the request, or information about the owner or manager of that database;
- A list of personal information requests.
9.4. The term of consideration of the request for its fulfillment shall not be longer than ten working days from the date of its receipt. Within this period of time, the owner of the personal data base shall inform the data subject that the request will be satisfied or that the relevant personal data will not be provided, stating the reasons specified in the relevant regulatory legal act.
9.5. Except as otherwise provided by law, the request shall be satisfied within thirty calendar days of receipt.
10. State registered personal database
10.1. In accordance with Article 9 of the Law of Ukraine "On Protection of Personal Data", the state registration of personal databases is carried out.