Privacy Policy
Regulation on processing and protection of personal data in personal data bases held by the seller
Contents
General concepts and scope of application.
List of personal data bases.
Purpose of personal data processing.
Procedure of personal data processing: obtaining consent, notification of rights and actions with personal data of the personal data subject.
Location of the personal data base.
Conditions of disclosure of information about personal data to third parties.
Protection of personal data: methods of protection, responsible person, employees who directly process and / or have access to personal data in connection with the performance of their official duties, storage period of personal data.
Rights of the personal data subject. Procedure for handling requests of the personal data subject.
1.1 Definition of terms:
personal data base – a named set of organised personal data in electronic form and/or in the form of personal data files;
responsible person – a certain person who organises the work related to the protection of personal data during their processing in accordance with the law;
personal data base owner – natural or legal person who is authorised by law or with the consent of the personal data subject to process these data, approves the purpose of personal data processing in this database, establishes the composition of these data and the procedures of their processing, unless otherwise defined by law;
State Register of personal data bases – a unified state information system for the collection, accumulation and processing of information on registered personal data bases;
publicly available sources of personal data – directories, address books, registers, lists, catalogues, other systematised collections of public information containing personal data, placed and published with the consent of the personal data subject.
Social networks and internet resources where the personal data subject leaves his/her personal data are not considered publicly available sources of personal data (except in cases where the personal data subject explicitly states that the personal data are posted for the purpose of their free distribution and use);
consent of the personal data subject – any documented, voluntary expression of will of a natural person to authorise the processing of his/her personal data in accordance with the formulated purpose of their processing;
depersonalisation of personal data – removal of information that makes it possible to identify an individual;
personal data processing – any action or set of actions performed fully or partially in the information (automated) system and / or in personal data files, related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, implementation, transfer), depersonalisation, destruction of information about a natural person;
personal data – information or a set of information about a natural person who is identified or can be specifically identified;
personal data controller – a natural or legal person who is authorised by the owner of the personal data base or by law to process such data.
A person who is authorised by the owner and / or manager of the personal data base to carry out technical works on the personal data base without access to the content of personal data is not a personal data controller;
personal data subject – a natural person in respect of whom his/her personal data are processed in accordance with the law;
third party – any person, except the personal data subject, the owner or manager of the personal data base and the authorised state authority for personal data protection, to whom the owner or manager of the personal data base transfers personal data in accordance with the law;
special categories of data – personal data concerning racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.
1.2 This Policy is binding for the responsible person and employees of the Seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of personal data bases.
2.1 The Seller is the owner of the following personal data bases:
2.2 Personal data bases of counterparties.
3. Purpose of personal data processing.
3.1 The purpose of personal data processing in the system is to store and maintain data of counterparties in accordance with Articles 6, 7 of the Law of Ukraine ‘On Protection of Personal Data’.
3.2 The purpose of personal data processing is to ensure the implementation of civil legal relations, providing / receiving and making payments for purchased goods / services in accordance with the Tax Code of Ukraine, the Law of Ukraine ‘On Accounting and Financial Reporting in Ukraine’.
4. Procedure of personal data processing: obtaining consent, notification of rights and actions with personal data of the personal data subject.
4.1 The consent of the personal data subject must be a voluntary expression of will of the natural person to authorise the processing of his/her personal data in accordance with the formulated purpose of their processing. The consent of the personal data subject may be provided in the following forms:
– a hard copy document with requisites that make it possible to identify this document and the natural person;
– an electronic document, which must contain mandatory requisites that allow identifying this document and the natural person. The voluntary expression of will of a natural person to authorise the processing of his/her personal data should be certified by the electronic signature of the personal data subject.
– a mark on the electronic page of the document or in the electronic file processed in the information system on the basis of documented software and hardware solutions.
4.2 The consent of the personal data subject shall be provided when formalising civil-law relations in accordance with the legislation in force.
4.3 Notification of the personal data subject about inclusion of his/her personal data in the personal data base, rights defined by the Law of Ukraine ‘On Protection of Personal Data’, the purpose of data collection and persons to whom his/her personal data are transferred is carried out in the course of civil law relations in accordance with the current legislation.
4.4 Processing of personal data concerning racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sex life (special categories of data) is prohibited.
5. Location of the personal data base.
5.1 The personal data bases specified in section 2 of these Regulations are located at the address of the Seller.
6. Conditions of disclosure of information about personal data to third parties.
6.1 The procedure for third-party access to personal data is determined by the terms of the consent that the personal data subject gave to the owner of the personal data base for the processing of these data, or in accordance with the requirements of the law.
6.2 A third party shall not be granted access to personal data if that party refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine ‘On Protection of Personal Data’ or is unable to ensure such compliance.
6.3 The subject of relations related to personal data submits a request for access (hereinafter – request) to personal data to the owner of the personal data base.
6.4 The request shall specify:
– surname, first name and patronymic, place of residence (location) and details of the document certifying the natural person submitting the request (for the natural person – applicant);
– name, location of the legal entity submitting the request, position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authorisation of the legal entity (for the legal entity – applicant);
– surname, first name and patronymic, as well as other information that makes it possible to identify the natural person in respect of whom the request is made;
– information about the personal data base in respect of which the request is submitted, information about the owner or manager of this base;
– the list of personal data requested;
– the purpose of the request.
6.5 The term for examining the request for its satisfaction may not exceed ten working days from the day of its receipt.
Within this term, the personal data base owner informs the person submitting the request whether the request will be satisfied or the relevant personal data are not to be provided, indicating the reason defined in the relevant legal act.
The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6 All employees of the personal data base owner are obliged to observe confidentiality requirements with regard to personal data and information on securities and securities accounts.
6.7 Postponement of third-party access to personal data is allowed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. At the same time, the total period for resolving the issues raised in the request may not exceed forty-five calendar days.
6.8 The notice of postponement shall be communicated to the third party who submitted the request in writing with an explanation of the procedure for appealing against such decision.
6.9 The notification of deferral shall contain:
– the surname, first name and patronymic of the official;
– the date on which the notice was sent;
– the reason for the deferral;
– the period within which the request will be deferred.
6.10 Denial of access to personal data is allowed if access to it is prohibited by law.
6.11 The notice of refusal shall specify:
– surname, first name, patronymic of the official who refuses access;
– the date of sending the message;
– the reason for the refusal.
6.12 The decision on postponement or refusal of access to personal data may be appealed to the authorised state authority on personal data protection issues, other public authorities and local self-government bodies, whose competences include the implementation of personal data protection, or to the court.
7. Protection of personal data: methods of protection, responsible person, employees who directly process and / or have access to personal data in connection with the performance of their official duties, storage period of personal data.
7.1 The owner of the personal data base is equipped with system, software and hardware means and means of communication that prevent loss, theft, unauthorised destruction, distortion, forgery and copying of information and that meet the requirements of international and national standards.
7.2 The responsible person organises the work related to the protection of personal data during their processing in accordance with the law. The responsible person is determined by the order of the owner of the personal data base. The duties of the person in charge of organising the work related to the protection of personal data during their processing shall be specified in the job description.
7.3 The responsible person is obliged to:
– know the legislation of Ukraine in the field of personal data protection;
– develop procedures for access to personal data of employees in accordance with their professional or official or labour duties;
– ensure that employees of the personal data base owner fulfil the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the personal data base owner on processing and protection of personal data in personal data bases;
– develop an order (procedure) of internal control over compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the owner of the personal data base on processing and protection of personal data in personal data bases, which, in particular, should contain norms on the periodicity of such control;
– inform the owner of the personal data base about the facts of violations by employees of the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the owner of the personal data base on processing and protection of personal data in personal data bases within one working day from the moment of detection of such violations;
– ensure the storage of documents confirming that the personal data subject has given his/her consent to the processing of his/her personal data and informing the said subject of his/her rights.
7.4 In order to fulfil his/her duties, the responsible person shall have the right to:
– obtain the necessary documents, including orders and other dispositive documents issued by the Personal Data Owner related to the processing of personal data;
– make copies from the received documents, including file copies, of any records stored in local computer networks and autonomous computer systems;
– participate in the discussion of his/her duties related to the organisation of the work related to the protection of personal data during their processing;
– submit for consideration proposals for improving the activity and working methods, and submit remarks and options for eliminating the shortcomings identified in the personal data processing process;
– receive explanations on personal data processing issues;
– sign and endorse documents within his/her competence.
7.5 Employees who directly process and / or have access to personal data in connection with the performance of their official (labour) duties must comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents on the processing and protection of personal data in personal data bases.
7.6 Employees who have access to personal data, including those who process them, are obliged not to allow disclosure in any way of personal data that were entrusted to them or that became known to them in connection with the performance of professional or official or labour duties. This obligation shall remain in force after the termination of their activities related to personal data, except in cases established by law.
7.7 Persons who have access to personal data, including those who process them, are liable under the legislation of Ukraine if they violate the requirements of the Law of Ukraine ‘On Protection of Personal Data’.
7.8 Personal data shall not be stored longer than is necessary for the purpose for which such data are stored, but in any case not longer than the period of data storage determined by the consent of the subject of personal data to the processing of such data.
8. Rights of the subject of personal data.
8.1 The subject of personal data has the right:
– to know the location of the personal data base containing his/her personal data, its purpose and name, location and / or residence (stay) of the owner or manager of this base or to give a corresponding instruction to obtain this information to persons authorised by him/her, except in cases established by law;
– to receive information on the conditions of access to personal data, including information on third parties to whom his/her personal data contained in the respective personal data base are transferred;
– to have access to his/her personal data contained in the respective personal data base;
– to receive, no later than thirty calendar days from the date of receipt of the request, except in cases provided for by law, an answer as to whether his/her personal data are stored in the respective personal data base, as well as to receive the content of his/her personal data that are stored;
– to submit a reasoned request objecting to the processing of his/her personal data by public authorities, local self-government bodies in the exercise of the powers provided for by law;
– to submit a reasoned demand for the modification or destruction of his/her personal data by any owner and manager of this base, if these data are processed illegally or are unreliable;
– to protect their personal data from unlawful processing and accidental loss, destruction, damage due to deliberate concealment, failure to provide or untimely provision of such data, as well as to protect them from providing information that is inaccurate or defamatory to the honour, dignity and business reputation of a natural person;
– to apply to the state authorities and local self-government bodies, whose competences include the protection of personal data;
– to apply legal remedies in case of violation of the legislation on personal data protection.
9. Procedure for handling requests of the subject of personal data.
9.1 The personal data subject has the right to obtain any information about himself/herself from any subject of relations related to personal data, without specifying the purpose of the request, except in cases established by law.
9.2 The access of the personal data subject to the data about him/herself is free of charge.
9.3 The personal data subject submits a request for access (hereinafter – request) to personal data to the owner of the personal data base.
The request shall specify:
– surname, first name and patronymic, place of residence (location) and details of the personal data subject’s identity document;
– other information that makes it possible to establish the identity of the personal data subject;
– information about the personal data base in relation to which the request is submitted, information about the owner or manager of this base;
– the list of personal data requested.
9.4 The term for examining the request for its satisfaction may not exceed ten working days from the date of its receipt.
9.5 Within this term, the owner of the personal data base shall inform the personal data subject whether the request will be satisfied or the personal data concerned are not to be provided, indicating the grounds defined in the relevant legal act.
9.6 The request shall be satisfied within thirty calendar days from the day of its receipt, unless otherwise provided by law.
10. State registration of the personal data base.
10.1 The state registration of personal data bases shall be carried out in accordance with Article 9 of the Law of Ukraine ‘On Protection of Personal Data’.