Regulations on the processing and protection of personal data in personal data databases owned by the seller
Contents
General concepts and scope of application
List of personal data databases
Purpose of personal data processing
Procedure for personal data processing: obtaining consent, notification of rights and actions with personal data of the data subject
Location of the personal data database
Conditions for disclosure of personal data to third parties
Protection of personal data: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, period of storage of personal data
Rights of the personal data subject
Procedure for handling requests from the subject of personal data
State registration of the personal data database
1. General concepts and scope of application
1.1. Definition of terms:
personal data database — a named collection of organized personal data in electronic form and/or in the form of personal data files;
responsible person — a designated person who organizes work related to the protection of personal data during its processing in accordance with the law;
personal data database owner — a natural or legal person who, by law or by agreement with the personal data subject, has been granted the right to process such data, who approves the purpose of processing personal data in this database, establishes the composition of such data and the procedures for its processing, unless otherwise specified by law;
State Register of Personal Data Bases — a unified state information system for the collection, accumulation, and processing of information about registered personal data bases;
Publicly available sources of personal data — directories, address books, registers, lists, catalogs, and other systematic collections of open information containing personal data that are posted and published with the knowledge of the personal data subject. Social networks and Internet resources in which the subject of personal data leaves their personal data are not considered publicly available sources of personal data (except in cases where the subject of personal data expressly states that the personal data is posted for the purpose of free distribution and use);
consent of the subject of personal data — any documented, voluntary expression of will by a natural person to give permission for the processing of their personal data in accordance with the stated purpose of their processing;
depersonalization of personal data — removal of information that allows a person to be identified;
processing of personal data — any action or set of actions performed in whole or in part in an information (automated) system and/or in personal data files related to the collection, registration, accumulation, storage, adaptation, modification, renewal, use, and dissemination (distribution, realization, transfer), depersonalization, destruction of information about a natural person;
personal data — information or a set of information about a natural person who is identified or can be specifically identified;
personal data controller — a natural or legal person who is granted the right to process personal data by the owner of the personal data or by law. A person who is entrusted by the owner and/or controller of the personal data to perform technical work with the personal data without access to the content of the personal data is not a personal data controller;
personal data subject — a natural person in relation to whom personal data is processed in accordance with the law;
third party — any person, except for the subject of personal data, the owner or administrator of the personal data base, and the authorized state body for personal data protection, to whom the owner or administrator of the personal data base transfers personal data in accordance with the law;
special categories of data — personal data on racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sex life.
1.2. These Regulations are binding on the responsible person and employees of the seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of personal data bases
2.1. The seller is the owner of the following personal data bases:
database of personal data of counterparties.
3. Purpose of personal data processing
3.1. The purpose of personal data processing in the system is to ensure the implementation of civil law relations, the provision, receipt, and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for processing personal data: obtaining consent, notification of rights, and actions with personal data of the data subject
4.1. The consent of the data subject must be a voluntary expression of will by a natural person to allow the processing of their personal data in accordance with the stated purpose of such processing.
4.2. The consent of the personal data subject may be given in the following forms:
a paper document with details that allow the identification of this document and the natural person;
an electronic document that must contain mandatory details that allow this document and the individual to be identified. The voluntary expression of will by an individual to give permission for the processing of their personal data should be certified by the electronic signature of the data subject;
a mark on the electronic page of the document or in the electronic file processed in the information system based on documented software and technical solutions.
4.3. The consent of the personal data subject is given during the formalization of civil law relations in accordance with applicable law.
4.4. Notification of the personal data subject about the inclusion of their personal data in the personal data database, the rights defined by the Law of Ukraine “On the Protection of Personal Data,” the purpose of data collection, and the persons to whom their personal data is transferred is carried out during the formalization of civil legal relations in accordance with applicable law.
4.5. The processing of personal data on racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, as well as data relating to health or sex life (special categories of data) is prohibited.
5. Location of the personal data database
5.1. The personal data databases specified in section 2 of these Regulations are located at the seller's address.
6. Conditions for disclosure of personal data to third parties
6.1. The procedure for accessing personal data of third parties is determined by the terms of consent of the personal data subject provided to the personal data controller for the processing of such data, or in accordance with the requirements of the law.
6.2. Access to personal data shall not be granted to a third party if that person refuses to undertake to comply with the requirements of the Law of Ukraine “On the Protection of Personal Data” or is unable to comply with them.
6.3. The subject of relations related to personal data shall submit a request for access (hereinafter referred to as the request) to personal data to the personal data owner.
6.4. The request shall specify:
the surname, first name, and patronymic, place of residence (place of stay), and details of the document certifying the identity of the natural person submitting the request (for a natural person — the applicant);
the name and location of the legal entity submitting the request, the position, surname, first name, and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity — the applicant);
the surname, first name, and patronymic, as well as other information that allows the identification of the individual to whom the request relates;
information about the personal data base to which the request relates, or information about the owner or administrator of this personal data base;
a list of the personal data requested;
the purpose and/or legal grounds for the request.
6.5. The period for reviewing the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the owner of the personal data base shall inform the person submitting the request that the request will be satisfied or that the relevant personal data is not subject to disclosure, indicating the grounds specified in the relevant regulatory legal act. The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6. Access to personal data of third parties may be delayed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. In this case, the total time for resolving the issues raised in the request may not exceed forty-five calendar days.
6.7. The third party who submitted the request shall be notified of the delay in writing, with an explanation of the procedure for appealing such a decision.
6.8. The notification of the delay shall indicate:
the surname, name, and patronymic of the official;
the date of dispatch of the notification;
the reason for the delay;
the period during which the request will be satisfied.
6.9. Refusal of access to personal data is permitted if access to it is prohibited by law.
6.10. The notification of refusal shall indicate:
the surname, name, and patronymic of the official who refuses access;
the date of dispatch of the notification;
the reason for the refusal.
6.11. The decision to delay or deny access to personal data may be appealed in court.
7. Protection of personal data: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, the period of storage of personal data
7.1. The owner of the personal data database is equipped with system and software-technical means and means of communication that prevent loss, theft, unauthorized destruction, distortion, falsification, copying of information and meet the requirements of international and national standards.
7.2. The responsible person organizes work related to the protection of personal data during its processing in accordance with the law. The responsible person is determined by order of the owner of the personal data database.
The responsibilities of the responsible person for organizing work related to the protection of personal data during its processing are specified in the job description.
7.3. The responsible person is obliged to:
be familiar with Ukrainian legislation in the field of personal data protection;
develop procedures for accessing the personal data of employees in accordance with their professional, official, or employment duties;
ensure that the employees of the personal data controller comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the personal data controller regarding the processing and protection of personal data in personal data bases;
develop a procedure for internal control over compliance with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the personal data owner regarding the processing and protection of personal data in personal data bases, which, in particular, must contain rules regarding the frequency of such control;
notify the owner of the personal data database of any violations by employees of the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases within one working day from the moment such violations are detected;
ensure the storage of documents confirming the consent of the personal data subject to the processing of their personal data and notification of the said subject of their rights.
7.4. In order to perform their duties, the responsible person has the right to:
receive the necessary documents, including orders and other administrative documents issued by the owner of the personal data database related to the processing of personal data;
make copies of the documents received, including copies of files, any records stored in local computer networks and stand-alone computer systems;
participate in the discussion of his duties in organizing work related to the protection of personal data during their processing;
submit proposals for improving activities and work methods, submit comments and options for eliminating identified shortcomings in the process of personal data processing;
receive explanations on issues related to the processing of personal data;
sign and approve documents within their competence.
7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (labor) duties are required to comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regarding the processing and protection of personal data in personal data bases.
7.6. Employees who have access to personal data, including those who process it, are obliged not to disclose in any way the personal data entrusted to them or which has become known to them in connection with the performance of their professional, official, or employment duties. This obligation remains in force after the termination of their activities related to personal data, except in cases established by law.
7.7. Persons who have access to personal data, including those who process it, are liable under Ukrainian law in the event of a violation of the requirements of the Law of Ukraine “On the Protection of Personal Data.”
7.8. Personal data shall not be stored longer than necessary for the purpose for which such data is stored, but in any case not longer than the data storage period specified in the consent of the personal data subject to the processing of such data.
8. Rights of the personal data subject
8.1. The personal data subject has the right to:
8. Rights of the personal data subject
8.1. The personal data subject has the right to:
know the location of the personal data database containing his/her personal data, its purpose and name, location and/or place of residence (stay) of the owner or manager of this database, or give appropriate instructions to obtain this information to persons authorized by him/her, except in cases established by law;
receive information about the conditions for providing access to personal data, in particular information about third parties to whom his/her personal data contained in the relevant personal data database is transferred;
access their personal data contained in the relevant personal data database;
receive, no later than thirty calendar days from the date of receipt of the request, except in cases provided for by law, a response as to whether their personal data is stored in the relevant personal data database, as well as receive the content of their personal data that is stored;
to submit a reasoned request objecting to the processing of their personal data by public authorities and local government bodies in the exercise of their powers provided for by law;
to submit a reasoned request for the modification or destruction of their personal data by any owner or administrator of this database if such data is processed unlawfully or is inaccurate;
to protect their personal data from unlawful processing and accidental loss, destruction, damage in connection with intentional concealment, failure to provide or untimely provision of such data, as well as to protect against the provision of information that is inaccurate or defamatory to the honor, dignity, and business reputation of an individual;
to apply to state authorities and local self-government bodies responsible for personal data protection with questions regarding the protection of their rights in relation to personal data;
to use legal remedies in case of violation of personal data protection legislation.
9. Procedure for handling requests from personal data subjects
9.1. The subject of personal data has the right to receive any information about themselves from any subject of relations related to personal data, without specifying the purpose of the request, except in cases established by law.
9.2. Access by the subject of personal data to data about themselves is provided free of charge.
9.3. The subject of personal data submits a request for access (hereinafter referred to as the request) to personal data to the owner of the personal data database.
The request shall specify:
surname, first name and patronymic, place of residence (place of stay) and details of the document certifying the identity of the subject of personal data;
other information that allows the identification of the personal data subject;
information about the personal data database to which the request relates, or information about the owner or administrator of this database;
a list of the personal data requested.
9.4. The period for reviewing a request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the owner of the personal data database shall inform the subject of personal data that the request will be satisfied or that the relevant personal data is not subject to disclosure, indicating the grounds specified in the relevant regulatory legal act.
9.5. The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
10. State registration of personal data bases
10.1. State registration of personal data bases is carried out in accordance with Article 9 of the Law of Ukraine “On the Protection of Personal Data.”
Règlement sur le traitement et la protection des données personnelles dans les bases de données personnelles dont le vendeur est le propriétaire
Contenu :
• Notions générales et champ d’application
• Liste des bases de données personnelles
• Finalité du traitement des données personnelles
• Procédure de traitement des données personnelles : obtention du consentement, information sur les droits et actions concernant les données personnelles du sujet
• Lieu de conservation de la base de données personnelles
• Conditions de divulgation des données personnelles à des tiers
• Protection des données personnelles : méthodes de protection, personne responsable, employés ayant directement accès aux données personnelles dans le cadre de leurs fonctions, durée de conservation des données
• Droits du sujet des données personnelles
• Procédure de traitement des demandes du sujet des données personnelles
• Enregistrement d’État des bases de données personnelles
⸻
1. Notions générales et champ d’application
1.1. Définitions des termes :
• Base de données personnelles — un ensemble nommé de données personnelles organisées, sous forme électronique et/ou sous forme de fichiers papier.
• Personne responsable — personne désignée pour organiser le travail lié à la protection des données personnelles lors de leur traitement, conformément à la loi.
• Propriétaire de la base de données personnelles — personne physique ou morale qui, selon la loi ou avec le consentement du sujet des données personnelles, a le droit de traiter ces données, fixe la finalité du traitement, la composition des données et les procédures de traitement, sauf disposition contraire de la loi.
• Registre national des bases de données personnelles — système d’information d’État unique pour la collecte, l’accumulation et le traitement des informations sur les bases de données personnelles enregistrées.
• Sources accessibles au public de données personnelles — annuaires, carnets d’adresses, registres, listes, catalogues et autres recueils systématisés d’informations ouvertes contenant des données personnelles, publiées avec le consentement du sujet. Les réseaux sociaux et ressources Internet ne sont pas considérés comme des sources publiques, sauf si la personne a indiqué explicitement que les données sont publiées à des fins de diffusion libre.
• Consentement du sujet des données personnelles — toute manifestation documentée et volontaire de la volonté d’une personne physique permettant le traitement de ses données personnelles en lien avec la finalité définie.
• Anonymisation des données personnelles — suppression des informations permettant d’identifier une personne.
• Traitement des données personnelles — toute action ou ensemble d’actions, partiellement ou totalement automatisées, liées à la collecte, l’enregistrement, le stockage, la modification, l’utilisation, la diffusion, l’anonymisation ou la destruction des informations sur une personne physique.
• Données personnelles — toute information relative à une personne physique identifiée ou identifiable.
• Gestionnaire de la base de données personnelles — personne physique ou morale à qui le propriétaire ou la loi a confié le droit de traiter les données. Une personne effectuant des tâches techniques sans accès au contenu n’est pas considérée comme gestionnaire.
• Sujet des données personnelles — personne physique dont les données sont traitées selon la loi.
• Tiers — toute personne autre que le sujet, le propriétaire ou le gestionnaire de la base de données et l’autorité de protection des données, à qui des données sont transmises selon la loi.