Regulation on the Processing and Protection of Personal Data in Personal Databases Owned by the Seller
Contents
- General Concepts and Scope
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Processing Personal Data: Obtaining Consent, Informing about Rights and Actions Regarding the Data Subject’s Personal Data
- Location of the Personal Data Database
- Conditions for Disclosing Personal Data to Third Parties
- Protection of Personal Data: Protection Methods, Responsible Person, Employees Directly Processing or Accessing Personal Data in the Course of Their Duties, Retention Period of Personal Data
- Rights of the Data Subject
- Procedure for Handling Data Subject Requests
- State Registration of the Personal Data Database
1. General Concepts and Scope
1.1. Definitions of terms:
- Personal data database – a named set of organized personal data in electronic form and/or in personal data card-indexes;
- Responsible person – an individual designated to manage work related to personal data protection during processing in accordance with the law;
- Owner of the personal data database – an individual or legal entity granted by law or by the data subject’s consent the right to process these data, who determines the purpose of data processing in the database, defines the data composition and processing procedures, unless otherwise stipulated by law;
- State Register of Personal Data Databases – the unified state information system for collecting, accumulating and processing information about registered personal data databases;
- Publicly accessible sources of personal data – directories, address books, registers, lists, catalogs or other systematically collected open information containing personal data published with the data subject’s knowledge. Social networks and websites where data subjects post their personal data are not considered publicly accessible sources, except where the data subject explicitly states the data is intended for free distribution and use;
- Consent of the data subject – any documented voluntary expression of will by a natural person granting permission to process their personal data in accordance with the stated purpose;
- Anonymization of personal data – removal of information that enables identification of the person;
- Processing of personal data – any action or set of actions performed fully or partially in an automated information system and/or in personal data card-indexes related to collection, registration, accumulation, storage, adaptation, modification, updating, use and distribution (including dissemination, sale, transfer), anonymization, destruction of information about a natural person;
- Personal data – information or set of information about a natural person who is identified or can be specifically identified;
- Administrator of the personal data database – a natural or legal person to whom the database owner or the law grants the right to process these data. A person assigned by the owner or administrator to perform technical work on the database without access to personal data content is not considered an administrator;
- Data subject – a natural person whose personal data is processed in accordance with the law;
- Third party – any person other than the data subject, database owner or administrator, or authorized state body responsible for data protection, to whom personal data is transferred by the owner or administrator in accordance with the law;
- Special categories of data – personal data concerning racial or ethnic origin, political, religious or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.
1.2. This Regulation is mandatory for the responsible person and employees of the seller who directly process or have access to personal data in the course of their official duties.
2. List of Personal Data Databases
2.1. The seller owns the following personal data databases:
- Database of counterparties’ personal data.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in the system is to ensure the execution of civil-law relations, provision, receipt and settlement of payment for purchased goods and services in accordance with the Tax Code of Ukraine and the Law “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for Processing Personal Data: Consent, Informing Data Subject
4.1. The data subject’s consent must be a voluntary expression of will by a natural person to grant permission for processing their personal data for the stated purpose.
4.2. Consent may be given in the following forms:
- A paper document with details allowing identification of the document and the person;
- An electronic document containing mandatory details for identification, preferably signed electronically by the data subject;
- A checkbox or mark on an electronic page or file processed in an information system based on documented software-technical solutions.
4.3. Consent is given during the establishment of civil-legal relations under current legislation.
4.4. The data subject is notified at the time of entering civil-legal relations about inclusion of their data into a database, their rights under the Law “On Protection of Personal Data”, the purpose of data collection, and the persons to whom data will be disclosed.
4.5. Processing special categories of data (racial/ethnic origin, beliefs, union membership, health, sexual life) is prohibited.
5. Location of the Personal Data Database
5.1. The databases listed in Section 2 are located at the seller’s address.
6. Conditions for Disclosing Personal Data to Third Parties
6.1. Access conditions for third parties are governed by the consent provided by the data subject or by legal requirements.
6.2. No access is granted to third parties refusing to undertake obligations under Ukrainian data protection law or unable to ensure compliance.
6.3.–6.11. The data subject or other party may submit a request specifying personal details, database/reference, data requested, purpose or legal basis. The owner must review within ten working days and either fulfill or refuse (with reasons); fulfillment occurs within 30 calendar days unless extended up to 45 days with proper notification including identity of official, date, reason, and appeal procedure.
7. Protection of Personal Data: Methods, Responsible Persons, Retention Period
7.1. The database owner employs technical, system-based and communication safeguards that meet international and national standards to prevent loss, theft, unauthorized destruction, distortion, falsification and copying.
7.2.–7.8. The responsible person (appointed by the owner) organizes data protection measures, knows relevant laws, develops procedures for employee access, ensures internal control, reports violations within one working day, maintains consent documentation. Employees with access must maintain confidentiality during and after employment. Processing beyond legal requirements leads to liability. Data retention must not exceed what is necessary and the retention period defined by the data subject’s consent.
8. Rights of the Data Subject
8.1. The data subject has the right to:
- Know where the database containing their personal data is located, its purpose and owner/administrator;
- Receive information about access conditions, including third parties receiving their data;
- Access their stored data;
- Receive, within 30 calendar days (unless prohibited by law), a response as to whether their data is stored, and see its contents;
- Object to processing by state or local authorities;
- Demand correction or deletion if data is unlawful or inaccurate;
- Protect their data against unlawful processing, loss, destruction, damage, or defamatory content;
- Seek protection of their rights via state or local authorities;
- Apply legal remedies in case of violation of data protection legislation.
9. Procedure for Handling Data Subject Requests
9.1.–9.5. The data subject may request any information about themselves from any entity involved in processing without specifying purpose, free of charge. The request must include identification and data details. The owner must respond within ten working days whether it will be granted, and comply within 30 calendar days unless otherwise prescribed by law.
10. State Registration of the Personal Data Database
10.1. State registration is carried out in accordance with Article 9 of the Law of Ukraine “On Protection of Personal Data.”