Regulation on the Processing and Protection of Personal Data in Databases Owned by the Seller
Contents
- General Concepts and Scope of Application
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Personal Data Processing: Consent, Notification of Rights, and Actions with the Subject’s Personal Data
- Location of the Personal Data Database
- Conditions for Disclosure of Personal Data to Third Parties
- Protection of Personal Data: Methods of Protection, Responsible Person, Employees Directly Involved in Processing and/or Access to Personal Data, Data Retention Period
- Rights of the Data Subject
- Procedure for Handling Requests from the Data Subject
- State Registration of Personal Data Databases
1. General Concepts and Scope of Application
1.1. Definitions:
- Personal Data Database: A named set of organized personal data in electronic form and/or as a collection of personal data cards.
- Responsible Person: A designated individual who organizes work related to the protection of personal data during its processing in accordance with the law.
- Owner of the Personal Data Database: A physical or legal entity authorized by law or by the subject’s consent to process the data, determine the purpose of processing, and establish the data’s content and procedures for processing unless otherwise provided by law.
- State Register of Personal Data Databases: A unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Public Sources of Personal Data: Directories, address books, registers, lists, catalogs, and other systematic collections of open information containing personal data, published with the subject’s consent. Social networks and internet resources where individuals leave personal data are not considered public sources unless explicitly stated for free distribution and use by the data subject.
- Consent of the Data Subject: Any documented, voluntary declaration of will by an individual allowing their personal data to be processed for a specified purpose.
- Anonymization of Personal Data: The removal of information that allows an individual to be identified.
- Personal Data Processing: Any operation or set of operations performed wholly or partly in an information system or in personal data files, including collection, registration, accumulation, storage, adaptation, alteration, retrieval, dissemination, anonymization, or destruction.
- Personal Data: Information or a set of information about an identified or identifiable individual.
- Manager of the Personal Data Database: A physical or legal entity authorized by the owner or by law to process personal data. A manager is not someone performing technical tasks without access to the content of personal data.
- Data Subject: An individual whose personal data is being processed under the law.
- Third Party: Any entity other than the data subject, owner, or manager of the personal data database authorized by law to receive personal data.
- Special Categories of Data: Personal data on racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, or health and sexual life.
1.2. This Regulation is mandatory for the responsible person and employees of the seller directly involved in processing and/or accessing personal data as part of their job responsibilities.
2. List of Personal Data Databases
2.1. The seller owns the following personal data databases:
- Database of counterparties.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data is to ensure the realization of civil-law relations, provide and receive goods and services, and carry out payments in compliance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for Personal Data Processing
4.1. Consent:
- Consent must be a voluntary declaration by the data subject allowing the processing of their personal data for a defined purpose.
- Consent can be provided in the following forms:
  - A document on paper with identifying details.
  - An electronic document with mandatory identifying details, confirmed by the subject’s electronic signature.
  - A mark on an electronic page or file processed in an information system, based on documented technical solutions.
4.2. Notification:
- Data subjects must be informed during the establishment of civil-law relations about their inclusion in a personal data database, their rights, the purpose of data collection, and the entities to whom their data may be transferred.
4.3. Processing of special categories of data is prohibited.
5. Location of the Personal Data Database
5.1. The databases are located at the seller’s address.
6. Conditions for Disclosure of Personal Data to Third Parties
6.1. Access by third parties is governed by the data subject’s consent or legal requirements.
6.2. Third parties must agree to comply with Ukrainian laws on personal data protection.
6.3. Requests for access must include identification details, purpose, and justification for the request.
6.4. Requests are reviewed within ten working days.
6.5. Data is provided within 30 calendar days unless otherwise required by law.
7. Protection of Personal Data
7.1. The database owner implements technical and organizational measures to prevent loss, theft, or unauthorized access, compliant with international and national standards.
7.2. The responsible person ensures compliance with legal and internal regulations for data protection.
7.3. Employees with access to personal data must maintain confidentiality and follow legal and organizational requirements.
8. Rights of the Data Subject
8.1. The data subject has the right to:
- Know the location and purpose of their data.
- Access their personal data.
- Request changes or deletion of data if it is inaccurate or processed unlawfully.
- Seek legal remedies for data protection violations.
9. Procedure for Handling Requests from the Data Subject
9.1. Data subjects may request access to their personal data.
9.2. Requests are processed free of charge.
9.3. Responses are provided within 10 working days, and data is disclosed within 30 calendar days.
10. State Registration of Personal Data Databases
10.1. Registration is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."