Contents

  1. General concepts and scope of application.
  2. List of personal data databases.
  3. Purpose of personal data processing.
  4. Procedure for personal data processing: consent, notification on the rights and actions done with the personal data of the subject.
  5. Location of personal data database.
  6. Terms of disclosure of personal data to third parties.
  7. Personal data protection: protection methods; responsible person; employees who directly process and/or have access to personal data through their official duties; retention period for personal data.
  8. Rights of personal data subject.
  9. Procedure for working with requests from a personal data subject.
  10. State registration of personal data database.

1. General concepts and scope of application.

1.1. Terms and definitions:

Personal data database — a named set of sequenced personal data in electronic form and/or in the form of personal data files;

Responsible person — a person appointed to organize the work related to the protection of personal data in course of its processing in accordance with the law;

Owner of the personal data database — a natural or legal person who has the right to process such data by law or with the consent of the personal data subject. The responsible person approves the purpose of processing personal data in the database, establishes the contents of such data and procedures for their processing, unless otherwise specified by law;

The State Register of Personal Data Databases — the only State information system for collecting, retention and processing information about the registered databases of personal data;

Public sources of personal data — directories, address books, registers, lists, catalogs, and other organized publications of open information containing personal data, posted and published with the knowledge of the personal data subject.

Social networks and Internet resources wherein personal data subjects leave their personal data (except when the personal data subject expressly indicates that such personal data is provided for the its free distribution and use) shall not be deemed as socially accessible sources of personal data;

Consent of personal data subject — any documented free will of an individual to grant permission to process their personal data according to the stated purpose of its processing;

Depersonalization of personal data — removal of information that allows to identify a person;

Personal data processing — any action or set of actions performed wholly or partly in an (automated) information system and/or in personal data card indexes related to the collection, registration, accumulation, retention, adaptation, modification, update, use, and distribution (realization or transfer), depersonalization, or destruction of information about an individual;

Personal data — information or set of information about an individual that is identified or can be specifically identified;

Manager of a personal data database — a natural or legal person who has been given the right to process such data by the owner of the personal data database or by law.

A person assigned by the owner and/or administrator of the personal data database to perform technical work with the personal data database without access to the content of personal data shall not be the administrator of the personal data database;

Personal data subject — an individual in respect whereof the personal data is processed in accordance with the law;

Third party — any person, except for the personal data subject, the owner or administrator of the personal data database and the authorized state body for personal data protection, whereto the owner or administrator of the personal data database transfers personal data in accordance with the law;

Special categories of data — personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health or sexual activity.

1.2. This provision is compulsory for application by the responsible person and employees of the seller who directly process and/or have access to personal data through their official duties.

2. List of personal data databases.

2.1. The seller is the owner of the following personal data databases:
personal data database of counterparts.

3. Purpose of personal data processing.

3.1. The purpose of personal data processing in the system is to store and maintain the data of counterparts in accordance with Articles 6 and 7 of the law of Ukraine “On Personal Data Protection”.

3.2. The purpose of personal data processing is to ensure the implementation of Civil Relations, provide/receive and make payments for purchased goods/services in accordance with the Tax Code of Ukraine, the Law of Ukraine “On Accounting and Financial Reporting in Ukraine”.

4. Procedure for personal data processing: consent, notification on the rights and actions done with the personal data of the subject.

4.1. The consent of a personal data subject shall be the free will of an individual to grant permission to process their personal data according to the stated purpose of its processing. The consent of the personal data subject can be provided in the following forms:
a hard copy document with details that allow to identify such document and the respective individual;
an electronic document that shall contain mandatory details allowing to identify such document and the respective individual. It is advisable to certify the free will of an individual on granting the permission to process their personal data with an electronic signature of such personal data subject.
a mark on the electronic page of the document or in the electronic file that is processed in the information system based on documented software and hardware solutions.

4.2. The consent of the personal data subject is provided at the moment of registration of civil relations in accordance with the current legislation.

4.3. At the moment of registration of Civil Relations in accordance with the current legislation, the personal data subject shall be notified about the inclusion of their personal data in the personal data database, their rights according to the Law of Ukraine “On Personal Data Protection”, the purpose of data collection and the persons whereto the personal data is transferred.

4.4. It is prohibited to process the personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health or sexual activity (special categories of data).

5. Location of personal data database.

5.1. The personal data databases specified in Section 2 hereof are located at the seller’s address.

6. Terms of disclosure of personal data to third parties.

6.1. The procedure for accessing personal data of third parties shall be determined by the terms of the consent to process this data of the personal data subject provided to the owner of the personal data database, or in accordance with the requirements of the law.

6.2. Access to personal data is not granted to a third party if such a person refuses to assume obligations to ensure compliance with the requirements of the Law of Ukraine “On Personal Data Protection” or is unable to ensure them.

6.3. The subject of relations concerning the personal data shall submit a request for access (hereinafter referred to as the request) to personal data to the owner of the personal data database.

6.4. The request shall specify:
the last name, first name and patronymic, place of residence (place of stay), and details of the identity document of the person submitting the request (for individual applicants);
the name, location of the legal entity submitting the request, position, last name, first name and patronymic of the person certifying the request; confirmation that the contents of the request corresponds to the authority of the legal entity (for legal entity applicants);
the last name, first name and patronymic, as well as other information that allows you to identify the individual in respect whereof the request is made;
information about the personal data database in respect whereof the request is submitted, or information about the owner or administrator of such database;
the list of personal data requested;
the purpose of the request.

6.5. The deadline for processing the request may not exceed ten business days upon its receipt.
During this period, the owner of the personal data database shall inform the applicant that the request will be granted or the relevant personal data cannot be provided, indicating the grounds specified in the relevant regulatory legal act.
The request shall be fulfilled within thirty calendar days upon its receipt, unless otherwise provided by law.

6.6. All employees of the owner of the personal data database shall comply with the confidentiality requirements regarding personal data and information on securities accounts and securities turnover.

6.7. The access to personal data of third parties may be postponed if the required data cannot be provided within thirty calendar days upon receipt of the request. Meanwhile, the total period for resolving the issues raised in the request shall not exceed forty-five calendar days.

6.8. The written notice of postponement shall be sent to the third party who submitted the request, explaining the procedure for appealing against such a decision.

6.9. The notice of postponement shall specify:
the last name, first name, and patronymic of the official;
the date when the message was sent;
the reason for postponement;
the time period during which the request will be fulfilled.

6.10. Access to personal data may be denied if access thereto is prohibited by law.

6.11. The notice of denial shall specify:
the last name, first name, and patronymic of the official who denies access;
the date when the message was sent;
the reason for denial.

6.12. The decision to postpone or deny access to personal data may be appealed against at the authorized state body for personal data protection, other state authorities, and local self-government bodies whose powers comprise the implementation of personal data protection, or at the court.

7. Personal data protection: protection methods; responsible person; employees who directly process and/or have access to personal data through their official duties; retention period for personal data.

7.1. The owner of the personal data database is equipped with the system, software, hardware, and means of communication that prevent loss, theft, unauthorized destruction, distortion, forgery, or copying of information and meet the requirements of national and international standards.

7.2. The responsible person shall organize the work related to the protection of personal data during its processing, in accordance with the law. The responsible person shall be appointed by the order of the owner of the personal data database.
The duties of the responsible person regarding the organization of personal data protection in the course of its processing shall be specified in the job description.

7.3. The responsible person must:
know the legislation of Ukraine in the field of personal data protection;
develop procedures for accessing employees’ personal data in accordance with their professional, official, or job responsibilities;
ensure that employees of the owner of the personal data database comply with the requirements of the Legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases;
develop a procedure for internal control of compliance with the requirements of the Legislation of Ukraine on personal data protection and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases, which, in particular, should contain the norms on the schedule of such control;
inform the owner of the personal data database about the employees’ violations of the Legislation of Ukraine on personal data protection and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases no later than one business day upon the detection of such violations;
ensure the storage of documents confirming that the subject of personal data provides a consent to the processing of their personal data and notifies the specified subject of their rights.

7.4. In order to perform their duties, the responsible person shall have the right to:
receive the necessary documents, including orders and other administrative documents issued by the owner of the personal data database that are related to the personal data processing;
make copies of the received documents, including copies of files and any records stored in local area networks and autonomous computer systems;
participate in the discussion of their responsibilities in arranging the work related to personal data protection in the course of its processing;
submit proposals for improving activities and methods of work, submit comments and options for defect corrections in the course of personal data processing;
receive explanations on personal data processing;
sign and approve the documents within their competence.

7.5. Employees who directly process and/or access the personal data through their official (job) duties shall comply with the requirements of the Legislation of Ukraine on protection of personal data and internal documents, regarding the processing and protection of personal data in personal data databases.

7.6. Employees who have access to personal data, including those who process them, shall prevent the personal data that was entrusted to them or that has become known through the performance of professional, official, or labor duties from any disclosure. This obligation shall be valid after they terminate their activities related to personal data, except in cases established by law.

7.7. Individuals who have access to personal data, including those who process them, shall be liable in accordance with the legislation of Ukraine in case of violation of the Law of Ukraine “On Personal Data Protection”.

7.8. Personal data should not be retained for longer than required by the purpose for which such data was stored, but in any case not longer than the period of data storage defined in the consent for such data processing of the personal data subject.

8. Rights of personal data subject.

8.1. A personal data subject shall have the right to:
know the location of the personal data database containing their personal data, its purpose and name, location and/or place of residence (stay) of the owner or administrator of such database, or give an appropriate order to receive this information to persons authorized by them, except in cases established by law;
receive information about the provisions for granting access to personal data, in particular, to information about third parties whereto the personal data contained in the relevant personal data database is transferred;
access their personal data contained in the relevant personal data database;
No later than thirty calendar days upon the receipt of the request, receive a response on whether their personal data is stored in the relevant personal data database, as well as receive the contents of their personal data that is retained, except in cases provided for by law;
submit a reasoned request with an objection to the processing of their personal data by state authorities and local government bodies in the exercise of their powers provided for by law;
submit a reasoned request for modification or elimination of their personal data by any owner and administrator of this database, if such data is illegally processed or is incorrect;
to protect their personal data from illegal processing and accidental loss, elimination, or damage due to deliberate concealment, failure to provide or untimely provision thereof, as well as to protect against providing information that is incorrect or discredits the honor, dignity, and business reputation of the individual;
apply for the protection of their rights in relation to personal data to state authorities and local government bodies, whose powers comprise personal data protection;
apply legal remedies in case of violation of the legislation on personal data protection.

9. Procedure for working with requests from a personal data subject.

9.1. The subject of personal data shall have the right to receive any information about themselves from any subject of relations concerning personal data, without specifying the purpose of such request, except in cases established by law.

9.2. The access to personal data by personal data subject is free of charge.

9.3. The personal data subject shall submit a request for access (hereinafter referred to as the request) to personal data to the owner of the personal data database.
The request shall specify:
last name, first name, and patronymic, place of residence (place of stay) and details of the identity document of the personal data subject;
other information that allows to identify the personal data subject;
information about the personal data database in respect whereof the request is submitted, or information about the owner or administrator of such database;
the list of personal data requested.

9.4. The deadline for processing the request may not exceed ten business days upon its receipt.

9.5. During this period, the owner of the personal data database shall inform the personal data subject that the request will be granted or the relevant personal data cannot be provided, indicating the grounds specified in the relevant regulatory legal act.

9.6. The request shall be fulfilled within thirty calendar days upon its receipt, unless otherwise provided by law.

10. State registration of personal data database.

10.1. State registration of personal data databases shall be done in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection”.