User Agreement
Policy on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Table of Contents
- General Concepts and Scope of Application
- List of Personal Data Databases
- Purpose of Processing Personal Data
- Procedure for Processing Personal Data: Obtaining Consent, Notifying Data Subjects of Their Rights, and Actions Involving Their Personal Data
- Location of the personal data database
- Conditions for Disclosing Personal Data to Third Parties
- Personal Data Protection: Protection Measures, the Data Protection Officer, Employees Who Directly Process and/or Have Access to Personal Data in Connection with the Performance of Their Job Duties, and the Retention Period for Personal Data
- Rights of the Data Subject
- Procedure for Handling Requests from Data Subjects
- State Registration of a Personal Data Database
General Concepts and Scope of Application
1.1. Definitions:
personal data database — a named collection of organized personal data in electronic form and/or in the form of personal data files;
person in charge — a designated individual who organizes activities related to the protection of personal data during its processing, in accordance with the law;
controller of a personal data database — a natural or legal person who, by law or with the consent of the data subject, has been granted the right to process such data, and who determines the purpose of processing personal data in this database, defines the scope of such data, and establishes the procedures for its processing, unless otherwise provided by law;
State Register of Personal Data Bases — a unified state information system for collecting, storing, and processing information about registered personal data databases;
publicly available sources of personal data — directories, address books, registries, lists, catalogs, and other organized collections of publicly available information that contain personal data, which are posted and published with the knowledge of the data subject. Social networks and online resources on which data subjects post their personal data are not considered publicly available sources of personal data (except in cases where the data subject explicitly states that the personal data is posted for the purpose of its free dissemination and use);
consent of the data subject — any documented, voluntary expression of will by an individual to grant consent to the processing of their personal data in accordance with the stated purpose of such processing;
de-identification of personal data — removal of information that allows a person to be identified;
processing of personal data — any action or set of actions carried out in whole or in part within an information (automated) system and/or in personal data files that are related to the collection, recording, accumulation, storage, adaptation, modification, updating, use, and dissemination (distribution, sale, transfer), anonymization, or destruction of information about a natural person;
personal data — відомості чи сукупність відомостей про фізичну особу, яка ідентифікована або може бути конкретно ідентифікована;
the controller of the personal data database — a natural or legal person who has been granted the right to process personal data by the owner of the personal data database or by law. A person who has been entrusted by the owner and/or controller of a personal data database to perform technical tasks related to the database without access to the content of the personal data is not considered a controller of the personal data database;
data subject — an individual whose personal data is being processed in accordance with the law;
third party — any person, other than the data subject, the owner or controller of a personal data database, or the authorized state body responsible for personal data protection, to whom the owner or controller of a personal data database transfers personal data in accordance with the law;
special categories of data — personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and labor unions, as well as data concerning health or sex life.
1.2. These Regulations are binding on the data protection officer and the seller’s employees who directly process and/or have access to personal data in connection with the performance of their job duties.
List of Personal Data Databases
2.1. The Seller is the owner of the following personal data databases:
- a database of counterparties’ personal information.
Purpose of Processing Personal Data
3.1. The purpose of processing personal data in the system is to ensure the implementation of civil law relationships, as well as the provision, receipt, and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
Procedures for Processing Personal Data: Obtaining Consent, Notifying Data Subjects of Their Rights, and Actions Involving Their Personal Data
4.1. The consent of the data subject must be a voluntary expression of will by an individual to grant permission for the processing of their personal data in accordance with the stated purpose of such processing.
4.2. The data subject’s consent may be given in the following forms:
- a paper document containing identifying information that allows for the identification of both the document and the individual;
- an electronic document that must contain mandatory details enabling the identification of both the document and the individual. It is advisable to certify an individual’s voluntary consent to the processing of their personal data with the data subject’s electronic signature;
- A mark on the electronic page of a document or in an electronic file that is processed in an information system based on documented software and hardware solutions.
4.3. The consent of the data subject is provided when entering into civil law relationships in accordance with applicable law.
4.4. Notification of the data subject regarding the inclusion of his or her personal data in the personal data database, the rights set forth in the Law of Ukraine “On the Protection of Personal Data,” the purpose of data collection, and the parties to whom his or her personal data is disclosed is provided when establishing civil-law relationships in accordance with applicable law.
4.5. The processing of personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and labor unions, as well as data concerning health or sex life (special categories of data) is prohibited.
Location of the personal data database
5.1. The personal data databases specified in Section 2 of these Regulations are located at the seller’s address.
Conditions for Disclosing Personal Data to Third Parties
6.1. The procedure for third parties to access personal data is determined by the terms of the data subject’s consent, which was provided to the personal data controller for the processing of such data, or in accordance with the requirements of the law.
6.2. Access to personal data shall not be granted to a third party if such party refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine “On the Protection of Personal Data” or is unable to ensure such compliance.
6.3. A party to a relationship involving personal data shall submit a request for access (hereinafter referred to as the “request”) to the personal data controller.
6.4. The request shall specify:
- last name, first name, and patronymic; place of residence (current address); and details of the identification document of the individual submitting the request (for an individual applicant);
- the name and location of the legal entity submitting the request; the title, last name, first name, and patronymic of the person certifying the request; confirmation that the content of the request falls within the legal entity’s authority (for a legal entity acting as the applicant);
- last name, first name, and patronymic, as well as other information that makes it possible to identify the individual who is the subject of the request;
- information about the personal data database that is the subject of the request, or information about the owner or controller of that personal data database;
- a list of the personal data being requested;
- the purpose and/or legal basis for the request.
6.5. The time required to review a request to determine whether it should be granted may not exceed ten business days from the date of its receipt. Within this period, the controller of the personal data database shall notify the person who submitted the request that the request will be granted or that the relevant personal data cannot be provided, specifying the grounds set forth in the applicable regulatory act. The request shall be granted within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6. Access to third parties’ personal data may be deferred if the requested data cannot be provided within thirty calendar days of the date the request is received. In such cases, the total time required to resolve the issues raised in the request may not exceed forty-five calendar days.
6.7. The third party that submitted the request shall be notified in writing of the deferral, along with an explanation of the procedure for appealing such a decision.
6.8. The notice of deferral shall specify:
- the official’s last name, first name, and patronymic;
- the date the message was sent;
- reason for the deferral;
- the time frame within which the request will be fulfilled.
6.9. Access to personal data may be denied if such access is prohibited by law.
6.10. The notice of denial shall specify:
- the last name, first name, and patronymic of the official denying access;
- the date the message was sent;
- Reason for rejection.
6.11. A decision to defer or deny access to personal data may be appealed in court.
Protection of Personal Data: protection measures, the person responsible, employees who directly process and/or have access to personal data in connection with the performance of their job duties, and the retention period for personal data
7.1. The controller of the personal data database is equipped with hardware, software, and communication systems that prevent the loss, theft, unauthorized destruction, alteration, forgery, or copying of information and comply with international and national standards.
7.2. The designated person organizes activities related to the protection of personal data during its processing, in accordance with the law. The designated person is appointed by order of the personal data controller.
The responsibilities of the person in charge of organizing work related to the protection of personal data during its processing are specified in the job description.
7.3. The person in charge is required to:
- be familiar with Ukrainian legislation on personal data protection;
- develop procedures for accessing employees’ personal data in accordance with their professional, official, or job-related duties;
- ensure that employees of the personal data controller comply with the requirements of Ukrainian legislation on personal data protection and with internal documents governing the personal data controller’s activities regarding the processing and protection of personal data in personal data databases;
- develop a procedure for internal oversight of compliance with Ukrainian laws on personal data protection and with internal documents governing the activities of the personal data controller regarding the processing and protection of personal data in personal data databases, which, in particular, must include provisions regarding the frequency of such oversight;
- notify the Personal Data Controller of any violations by employees of the requirements of Ukrainian law regarding the protection of personal data and of internal documents governing the Personal Data Controller’s activities related to the processing and protection of personal data in personal data databases, no later than one business day after such violations are detected;
- ensure the retention of documents confirming that the data subject has consented to the processing of their personal data and that the data subject has been informed of their rights.
7.4. In order to perform their duties, the designated person has the right to:
- receive the necessary documents, including orders and other administrative documents issued by the personal data controller, related to the processing of personal data;
- make copies of the documents received, including copies of files and any records stored on local computer networks and standalone computer systems;
- participate in discussions regarding his or her duties related to organizing work involving the protection of personal data during its processing;
- submit proposals for improving operations and refining work methods, and provide comments and suggestions for addressing identified shortcomings in the processing of personal data;
- to receive explanations regarding the processing of personal data;
- sign and approve documents within the scope of their authority.
7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (employment) duties are required to comply with the requirements of Ukrainian legislation on the protection of personal data and with internal documents regarding the processing and protection of personal data in personal data databases.
7.6. Employees who have access to personal data, including those who process it, are required to prevent the disclosure, by any means, of personal data entrusted to them or that has come to their knowledge in connection with the performance of their professional, official, or employment duties. This obligation remains in effect after they cease activities related to personal data, except in cases provided for by law.
7.7. Persons who have access to personal data, including those who process it, shall be held liable under Ukrainian law if they violate the requirements of the Law of Ukraine “On the Protection of Personal Data.”
7.8. Personal data must not be retained for longer than is necessary for the purpose for which such data is retained, but in any case no longer than the data retention period specified in the data subject’s consent to the processing of such data.
Rights of the Data Subject
8.1. The data subject has the right to:
- to know the location of the personal data database containing his or her personal data, its purpose and name, and the location and/or place of residence (stay) of the owner or controller of that database, or to authorize persons designated by him or her to obtain this information, except in cases provided for by law;
- to receive information about the conditions for granting access to personal data, including information about third parties to whom his or her personal data contained in the relevant personal data database is disclosed;
- the right to access their personal data contained in the relevant personal data database;
- to receive, no later than thirty calendar days from the date of receipt of the request—except in cases provided for by law—a response indicating whether their personal data is stored in the relevant personal data database, as well as to receive the content of their stored personal data;
- to file a reasoned objection to the processing of their personal data by state authorities and local government bodies in the exercise of their powers as provided by law;
- to submit a reasoned request to any owner or controller of this database to amend or delete their personal data if such data is being processed unlawfully or is inaccurate;
- to protect their personal data from unlawful processing and accidental loss, destruction, or damage resulting from intentional concealment, failure to provide, or untimely provision of such data, as well as protection against the disclosure of information that is inaccurate or defamatory to the honor, dignity, and business reputation of a natural person;
- contact state authorities and local government bodies responsible for the protection of personal data regarding the protection of your personal data rights;
- to seek legal remedies in the event of a violation of personal data protection laws.
Procedure for Handling Requests from Data Subjects
9.1. A data subject has the right to obtain any information about himself or herself from any party involved in personal data-related activities without specifying the purpose of the request, except in cases provided for by law.
9.2. The data subject may access their personal data free of charge.
9.3. The data subject submits a request for access (hereinafter referred to as the “request”) to the personal data to the controller of the personal data database.
The request must include the following:
- last name, first name, and patronymic; place of residence (current address); and the details of the document identifying the data subject;
- other information that makes it possible to identify the data subject;
- information about the personal data database that is the subject of the request, or information about the owner or controller of that database;
- a list of the personal data being requested.
9.4. The time required to review a request to determine whether it should be granted may not exceed ten business days from the date of its receipt. Within this period, the controller of the personal data database shall notify the data subject that the request will be granted or that the relevant personal data cannot be provided, specifying the grounds set forth in the applicable regulatory act.
9.5. A request shall be granted within thirty calendar days of the date of its receipt, unless otherwise provided by law.
State Registration of a Personal Data Database
10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine «On the Protection of Personal Data».
