Privacy policy

Regulation on the processing and protection of personal data in personal details databases owned by the seller

Contents

  1. General Concepts and Scope of Regulation
  2. List of Personal Details Databases
  3. Purpose of Personal Data Processing
  4. Procedure for Personal Data Processing: Obtaining Consent, Reporting Rights and Actions with Personal Data of the Personal Data Subject
  5. Location of Personal Details Database
  6. Terms of Disclosure of Personal Data to Third Parties
  7. Protection of Personal Data: Methods of Protection, the Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with the Performance of Their Duties, the Period of Storage of Personal Data
  8. Rights of the Personal Data Subject
  9. Procedure of Work with the Requests of the Personal Data Subject
  10. State Registration of Personal Details Database

 

1. General Concepts and Scope of Regulation

1.1. Definition of Terms:

Personal details database means a named aggregate of ranked personal data in electronic form and/or in the form of personal data files.

Responsible person means a certain person who organizes work related to the protection of personal data when they are processed in accordance with the law.

Owner of the personal details database means a private individual or a legal entity which has been granted the right to process these data by law or with the consent of the personal data subject and which approves the purpose of processing personal data in this database, sets the composition of these data and the procedures for their processing, unless otherwise provided for by law.

State register of personal details databases is a unified state information system for collecting, accumulating and processing information about registered personal details databases.

Publicly accessible sources of personal data means reference books, address books, registers, lists, catalogs, other systematized collections of public information containing personal data posted and published with the consent of the personal data subject.

Social networks and Internet resources in which the personal data subjects leave their personal data are not considered to be public sources of personal data (except when the personal data subject explicitly states that personal data are placed for the purpose of their free distribution and use).

Consent of the personal data subject means any documented, free will of a private individual to grant permission for the processing of its personal data in accordance with the stated purpose of their processing.

Depersonalization of personal data means removal of information that allows to identify a person.

Personal data processing means any action or a combination of actions performed in whole or in part in the information (automated) system and/or in personal data files, related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and distribution (distribution, sale, transfer), depersonalization, destruction of information about a private individual.

Personal data means information or a combination of information about a private individual that is identified or can be specifically identified.

Processor of the personal details database means a private individual or a legal entity to which the right to process these data has been granted by the owner of the personal details database or provided for by law.

A private individual / legal entity which is charged by the owner and/or processor of the personal details database to carry out technical work with the personal details database without access to the content of personal data is not a processor of the personal details database.

Personal data subject means a private individual in respect of which the processing of its personal data is carried out in accordance with the law.

Third party means any private individual / legal entity, except for the personal data subject, of the owner or processor of the personal details database and the authorized state body for the protection of personal data to which the owner or processor of the personal details database transfers personal data in accordance with the law.

Special categories of data means personal data on racial or ethnic origin, political, religious or ideological convictions, membership in political parties and trade unions, as well as data relating to health or sexual activity.

1.2. This Regulation is binding on the responsible person and the seller’s employees who directly process and/or have access to personal data in connection with the performance of their official duties.

2. List of Personal Details Databases

2.1. The seller is the owner of the following personal details databases:

  • personal details database of counterparties.

3. Purpose of Personal Data Processing

3.1. The purpose of processing personal data in the system is storage and maintenance of data of counterparties in accordance with Articles 6, 7 of the Law of Ukraine “On Protection of Personal Data”.

3.2. The purpose of personal data processing is to ensure the implementation of civil law relations, the provision/receipt of and payment for purchased goods/services in accordance with the Tax Code of Ukraine, the Law of Ukraine “On Accounting and Financial Reporting in Ukraine”.

4. Procedure for Personal Data Processing: Obtaining Consent, Reporting Rights and Actions with Personal Data of the Personal Data Subject

4.1. Consent of the personal data subject shall be the free will of a private individual to grant permission for the processing of its personal data in accordance with the stated purpose of their processing. Consent of the personal data subject can be provided in the following forms:

  • a hard copy record with the details which allows to identify this document and the private individual;

  • a soft copy record that must contain mandatory details to identify this document and the private individual. The free will of a private individual to grant permission for the processing of its personal data is advisable to certify with the electronic signature of the personal data subject.

  • Mark on the electronic page of the document or in an electronic file processed in the information system on the basis of documented software and hardware solutions.

4.2. Consent of the personal data subject is granted when formalizing civil law relations in accordance with current legislation.

4.3. Notification of the personal data subject about the inclusion of its personal data in the personal details database, about the rights defined by the Law of Ukraine “On Protection of Personal Data”, about the purpose of collecting data and the private individuals / legal entities to whom its personal data are transferred, is carried out at formalizing civil law relations in accordance with current legislation.

4.4. Processing of personal data on racial or ethnic origin, political, religious or ideological convictions, membership in political parties and trade unions, as well as data relating to health or sexual activity (specific data categories) is prohibited.

5. Location of Personal Details Database

5.1. The personal details databases specified in Section 2 of this Regulation are located at the seller’s address.

6. Terms of Disclosure of Personal Data to Third Parties

6.1. The procedure for accessing personal data of third parties is determined by the terms of consent of the personal data subject provided to the owner of the personal details database for processing these data, or in accordance with law.

6.2. Access to personal data is not provided to a third party if the said party refuses to assume obligations to ensure compliance with the Law of Ukraine “On Personal Data Protection” or cannot fulfill such obligations.

6.3. The party to relations related to personal data submits a request for access (hereinafter referred to as the “request”) to the personal data to the owner of the personal details database.

6.4. The request shall include:

  • surname, name and patronymic, place of residence (location) and details of the document certifying a private individual submitting the request (for the requesting private individual);

  • name, location of the legal entity submitting the request, position, last name, first name and patronymic of the person certifying the request; confirmation that the content of the request complies with the authority of the legal entity (for the requesting legal entity);

  • surname, name and patronymic, as well as other information that allows to identify the private individual in respect of which the request is made;

  • information about the personal details database in respect of which the request is submitted, information about the owner or processor of this database;

  • list of personal data requested;

  • the purpose of the request.

6.5. The term for review of the request may not exceed ten business days from the date of its receipt.

During this period, the owner of the personal details database notifies the private individual / legal entity submitting the request about granting the request, or that the relevant personal data will not be provided by stating the grounds defined in the relevant regulatory legal act.

The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided for by law.

6.6. All employees of the owner of the personal details database are obliged to comply with the requirements of confidentiality with respect to personal data and information on securities accounts and securities business.

6.7. Postponement of access of third parties to the personal data is allowed if the necessary data cannot be provided within thirty calendar days from the date the request has been received. However, the total time for resolving issues raised in the request may not exceed forty-five calendar days.

6.8. The postponement is notified to the third party which submitted the request in writing containing explanation of the procedure for appealing such a decision.

The postponement report shall include:

  • surname, name and patronymic of the official;

  • date when the notification was sent;

  • reason for the delay;

  • period during which the request will be granted.

6.10. Denial of access to personal data is allowed if access to such data is prohibited by law.

6.11. The denial notification shall include:

  • surname, name, patronymic of the official who denies access;

  • date when the notification was sent;

  • reason for denial.

6.12. The decision to postpone or deny access to personal data may be appealed to the authorized state body for the protection of personal data, other state bodies and local authorities authorized in the implementation of personal data protection, or to the court.

7. Protection of Personal Data: Methods of Protection, the Responsible Person, Employees Who Directly Process and/or Have Access to Personal Data in Connection with the Performance of Their Duties, the Period of Storage of Personal Data

7.1. The owner of the personal details database is equipped with system and software and hardware and communication tools that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and meet international and national standards.

7.2. The responsible person organizes work related to the protection of personal data when they are processed in accordance with the law. The responsible person is appointed by the order of the owner of the personal details database.

The responsibilities of the responsible person in organizing work related to the protection of personal data during their processing are indicated in the job description.

7.3. The responsible person shall:

  • know the personal data protection legislation of Ukraine;

  • develop procedures for access to personal data of employees in accordance with their professional or service or employment duties;

  • ensure that employees of the owner of the personal details database comply with the personal data protection legislation of Ukraine and internal documents governing the activities of the owner of the personal details database for processing and protecting personal data in personal details databases;

  • develop a procedure for internal control over compliance with the personal data protection legislation of Ukraine and internal documents governing the activities of the owner of the personal details database for processing and protecting personal data in personal details databases, which, in particular, should contain rules on the frequency of such control;

  • inform the owner of the personal details database about violations by employees of the data protection legislation of Ukraine and internal documents regulating the activities of the owner of personal details database on processing and protecting personal data in personal details databases no later than within one business day from the date such violations have been detected;

  • ensure the storage of documents confirming the consent by the personal data subject to the processing of its personal data and the notification of the specified subject about its rights.

7.4. In order to fulfill its duties, the responsible person has the right to:

  • receive necessary documents, including orders and other administrative documents issued by the owner of the personal details database related to the processing of personal data;

  • make copies of received documents, including copies of files, of any records stored in local computer networks and free running computer systems;

  • participate in discussion of the duties of the organization of work related to the protection of personal data during their processing;

  • submit proposals for improving activities and improving working methods, submit comments and options for eliminating the identified deficiencies in the process of processing personal data;

  • receive explanations on the processing of personal data;

  • sign and endorse documents within competence.

7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (work) duties are obliged to comply with the data protection legislation of Ukraine and internal documents related to personal data processing and protection in personal details databases.

7.6. Employees who have access to personal data and process them, are obliged not to allow disclosure by any means of personal data that they have been entrusted with or which have become known in connection with the performance of professional or service or employment duties. Such an obligation remains in force after the termination of their activities related to personal data, except as required by law.

7.7. The private individuals / legal entities that have access to personal data, and process it, bear liability for violation of the Law of Ukraine “On Protection of Personal Data” in accordance with legislation of Ukraine.

7.8. Personal data shall not be stored longer than is necessary for the purpose of storage, but in any case no more than the storage period defined in the consent of the personal data subject to the processing of these data.

8. Rights of the Personal Data Subject

8.1. The personal data subject has the right to:

  • know the location of the personal details database containing its personal data, its purpose and name, location and/or place of residence (stay) of the owner or processor of this database or give the appropriate order to obtain this information to persons authorized by it, except as required by law;

  • receive information about the conditions for granting access to personal data, including information about third parties to which its personal data are transmitted, contained in the relevant personal details database;

  • access to its personal data contained in the relevant personal details database;

  • receive, no later than thirty calendar days from the date of receipt of the request, except as required by law, the answer to whether its personal data are stored in the relevant personal details database, as well as receive the content of its personal data that are stored;

  • make a justified demand with objection to the processing of its personal data by state authorities, local authorities in the exercise of the powers provided by for law;

  • make a justified demand to change or destroy its personal data by any owner and processor of this database, if these data are processed illegally or are unreliable;

  • protect its personal data from unlawful processing and accidental loss, destruction, damage due to intended concealment, failure to provide or untimely provision, as well as protection from providing information that is unreliable or discrediting the honor, dignity and business reputation of private individual;

  • apply to the state authorities, local authorities, authorized for the implementation of personal data protection, for the protection of its personal data rights;

  • apply remedies in case of violation of personal data protection legislation.

9. Procedure of Work with the Requests of the Personal Data Subject

9.1. The personal data subject has the right to receive any information about itself from any party to relations related to personal data, without specifying the purpose of the request, except as required by law.

9.2. Access by the personal data subject to personal data is free of charge.

9.3. The personal data subject submits a request for access (hereinafter referred to as the “request”) to the personal data to the owner of the personal details database.

The request shall include:

  • surname, name and patronymic, place of residence (location) and details of the document certifying the identity of the personal data subject;

  • other information to identify the personal data subject;

  • information about the personal details database in respect of which the request is submitted, information about the owner or processor of this database;

  • list of personal data requested.

9.4. The term for review of the request may not exceed ten business days from the date of its receipt.

9.5. During this period, the owner of the personal details database notifies the personal data subject about granting the request, or that the relevant personal data will not be provided by stating the grounds defined in the relevant regulatory legal act.

9.6. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided for by law.

10. State Registration of Personal Details Database

10.1. State registration of personal details databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection”.