Terms of Offer

Regulation on the processing and protection of personal data in the personal data databases owned by the Seller

Contents

General concepts and scope List of personal data databases Purpose of processing personal data Procedure for processing personal data: obtaining consent, notification of rights and actions with the personal data of the personal data subject Location of the personal data database Conditions for disclosing personal data to third parties Protection of personal data: methods of protection, the responsible person, employees who directly process and/or have access to personal data in connection with the performance of their duties, the personal data retention period Rights of the personal data subject Procedure for handling requests of the personal data subject State registration of the personal data database

  1. General concepts and scope

1.1. Definitions of terms:

personal data database — a named set of ordered personal data in electronic form and/or in the form of personal data card files;

responsible person — a designated person who organises the work related to the protection of personal data during their processing, in accordance with the law;

owner of the personal data database — a natural or legal person who, by law or with the consent of the personal data subject, has been granted the right to process this data, who approves the purpose of processing the personal data in this database, and establishes the composition of this data and the procedures for its processing, unless otherwise provided by law;

State Register of Personal Data Databases — a unified state information system for the collection, accumulation and processing of information about registered personal data databases;

publicly available sources of personal data — reference books, address books, registers, lists, catalogues, and other systematised collections of open information that contain personal data placed and published with the knowledge of the personal data subject. Social networks and internet resources in which personal data subjects leave their personal data are not considered publicly available sources of personal data (except where the personal data subject has explicitly indicated that the personal data has been placed for the purpose of its free distribution and use);

consent of the personal data subject — any documented, voluntary expression of will by a natural person to grant permission for the processing of their personal data in accordance with the stated purpose of such processing;

depersonalisation of personal data — the removal of information that makes it possible to identify a person;

processing of personal data — any action or set of actions performed in full or in part in an information (automated) system and/or in personal data card files, related to the collection, registration, accumulation, storage, adaptation, alteration, updating, use and dissemination (distribution, sale, transfer), depersonalisation and destruction of information about a natural person;

personal data — information or a set of information about a natural person who is identified or can be specifically identified;

administrator of the personal data database — a natural or legal person who has been granted the right to process this data by the owner of the personal data database or by law. A person who has been entrusted by the owner and/or administrator of the personal data database to perform work of a technical nature with the personal data database without access to the content of the personal data is not an administrator of the personal data database;

personal data subject — a natural person in respect of whom the processing of their personal data is carried out in accordance with the law;

third party — any person, except for the personal data subject, the owner or administrator of the personal data database, and the authorised state body for personal data protection, to whom the owner or administrator of the personal data database transfers personal data in accordance with the law;

special categories of data — personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.

1.2. This Regulation is mandatory for application by the responsible person and by the Seller's employees who directly process and/or have access to personal data in connection with the performance of their duties.

  1. List of personal data databases

2.1. The Seller is the owner of the following personal data databases:

the counterparties' personal data database.

  1. Purpose of processing personal data

3.1. The purpose of processing personal data in the system is to ensure the implementation of civil-law relations, the provision, receipt and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine".

  1. Procedure for processing personal data: obtaining consent, notification of rights and actions with the personal data of the personal data subject

4.1. The consent of the personal data subject must be a voluntary expression of will by a natural person to grant permission for the processing of their personal data in accordance with the stated purpose of such processing.

4.2. The consent of the personal data subject may be provided in the following forms:

a paper document with details that make it possible to identify this document and the natural person; an electronic document that must contain mandatory details making it possible to identify this document and the natural person. The voluntary expression of will by a natural person to grant permission for the processing of their personal data is expediently certified by the electronic signature of the personal data subject; a mark on the electronic page of a document or in an electronic file processed in an information system on the basis of documented software and hardware solutions. 4.3. The consent of the personal data subject is provided during the formalisation of civil-law relations in accordance with current legislation.

4.4. Notification of the personal data subject about the inclusion of their personal data in the personal data database, about the rights defined by the Law of Ukraine "On Personal Data Protection", about the purpose of data collection and about the persons to whom their personal data is transferred, is carried out during the formalisation of civil-law relations in accordance with current legislation.

4.5. The processing of personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life (special categories of data), is prohibited.

  1. Location of the personal data database

5.1. The personal data databases specified in section 2 of this Regulation are located at the Seller's address.

  1. Conditions for disclosing personal data to third parties

6.1. The procedure for third-party access to personal data is determined by the terms of the consent of the personal data subject provided to the owner of the personal data for the processing of this data, or in accordance with the requirements of the law.

6.2. Access to personal data is not granted to a third party if that person refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine "On Personal Data Protection" or is unable to ensure them.

6.3. A subject of relations connected with personal data submits a request for access (hereinafter — the request) to personal data to the owner of the personal data.

6.4. The request shall specify:

the surname, first name and patronymic, place of residence (place of stay), and the details of the identity document of the natural person submitting the request (for a natural person — the applicant); the name and location of the legal person submitting the request, the position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal person (for a legal person — the applicant); the surname, first name and patronymic, as well as other information making it possible to identify the natural person in respect of whom the request is made; information about the personal data database in respect of which the request is submitted, or information about the owner or administrator of this personal data database; the list of personal data being requested; the purpose of and/or legal grounds for the request. 6.5. The period for examining a request as to whether it can be satisfied may not exceed ten working days from the day of its receipt. Within this period, the owner of the personal data database informs the person submitting the request that the request will be satisfied or that the relevant personal data is not subject to provision, indicating the grounds defined in the relevant legal act. The request is satisfied within thirty calendar days from the day of its receipt, unless otherwise provided by law.

6.6. Postponement of third-party access to personal data is permitted where the required data cannot be provided within thirty calendar days from the day the request is received. In this case, the total time for resolving the matters raised in the request may not exceed forty-five calendar days.

6.7. Notification of the postponement is communicated to the third party who submitted the request in writing, with an explanation of the procedure for appealing such a decision.

6.8. The notification of postponement shall specify:

the surname, first name and patronymic of the official; the date the notification is sent; the reason for the postponement; the period within which the request will be satisfied. 6.9. Refusal of access to personal data is permitted where access to it is prohibited by law.

6.10. The notification of refusal shall specify:

the surname, first name and patronymic of the official who refuses access; the date the notification is sent; the reason for the refusal. 6.11. A decision to postpone or refuse access to personal data may be appealed in court.

  1. Protection of personal data: methods of protection, the responsible person, employees who directly process and/or have access to personal data in connection with the performance of their duties, the personal data retention period

7.1. The owner of the personal data database is equipped with system and software-and-hardware facilities and means of communication that prevent losses, theft, unauthorised destruction, distortion, forgery and copying of information and that meet the requirements of international and national standards.

7.2. The responsible person organises the work related to the protection of personal data during their processing, in accordance with the law. The responsible person is designated by order of the owner of the personal data database.

The duties of the responsible person regarding the organisation of work related to the protection of personal data during their processing are specified in the job description.

7.3. The responsible person is obliged to:

know the legislation of Ukraine in the field of personal data protection; develop procedures for employees' access to personal data in accordance with their professional, official or labour duties; ensure that the employees of the owner of the personal data database comply with the requirements of the legislation of Ukraine in the field of personal data protection and with the internal documents governing the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases; develop a procedure for internal control over compliance with the requirements of the legislation of Ukraine in the field of personal data protection and with the internal documents governing the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases, which, in particular, must contain provisions on the frequency of such control; notify the owner of the personal data database of instances of violations by employees of the requirements of the legislation of Ukraine in the field of personal data protection and of the internal documents governing the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases, within a period no later than one working day from the moment such violations are discovered; ensure the storage of documents confirming that the personal data subject has given consent to the processing of their personal data and that the said subject has been notified of their rights. 7.4. In order to perform their duties, the responsible person has the right to:

receive the necessary documents, including orders and other administrative documents issued by the owner of the personal data database related to the processing of personal data; make copies of the documents received, including copies of files and any records stored in local computer networks and standalone computer systems; participate in the discussion of the duties they perform in organising work related to the protection of personal data during their processing; submit proposals for consideration to improve activities and methods of work, and submit comments and options for eliminating identified shortcomings in the process of processing personal data; receive explanations on matters of personal data processing; sign and endorse documents within the limits of their competence. 7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (labour) duties are obliged to comply with the requirements of the legislation of Ukraine in the field of personal data protection and with the internal documents on the processing and protection of personal data in personal data databases.

7.6. Employees who have access to personal data, including those who process it, are obliged not to allow disclosure in any manner of personal data entrusted to them or that became known to them in connection with the performance of professional, official or labour duties. This obligation remains in force after they cease activities related to personal data, except in cases established by law.

7.7. Persons who have access to personal data, including those who process it, in the event of a violation by them of the requirements of the Law of Ukraine "On Personal Data Protection", bear responsibility in accordance with the legislation of Ukraine.

7.8. Personal data must not be stored longer than is necessary for the purpose for which such data is stored, but in any case no longer than the data retention period defined by the personal data subject's consent to the processing of this data.

  1. Rights of the personal data subject

8.1. The personal data subject has the right to:

know about the location of the personal data database that contains their personal data, its purpose and name, and the location and/or place of residence (stay) of the owner or administrator of this database, or to give a corresponding instruction to obtain this information to persons authorised by them, except in cases established by law; receive information about the conditions for granting access to personal data, in particular information about third parties to whom their personal data contained in the relevant personal data database is transferred; access their personal data contained in the relevant personal data database; receive, no later than thirty calendar days from the day the request is received, except in cases provided by law, an answer as to whether their personal data is stored in the relevant personal data database, as well as receive the content of their personal data being stored; present a reasoned demand objecting to the processing of their personal data by state authorities and local self-government bodies in the exercise of their powers provided by law; present a reasoned demand for the alteration or destruction of their personal data by any owner and administrator of this database, if this data is processed unlawfully or is inaccurate; protect their personal data from unlawful processing and accidental loss, destruction or damage in connection with intentional concealment, failure to provide or untimely provision, as well as protection from the provision of information that is inaccurate or that discredits the honour, dignity and business reputation of the natural person; apply on matters of the protection of their rights regarding personal data to state authorities and local self-government bodies within whose powers the protection of personal data falls; use legal remedies in the event of a violation of the legislation on personal data protection.

  1. Procedure for handling requests of the personal data subject

9.1. The personal data subject has the right to receive any information about themselves from any subject of relations connected with personal data, without stating the purpose of the request, except in cases established by law.

9.2. The personal data subject's access to data about themselves is free of charge.

9.3. The personal data subject submits a request for access (hereinafter — the request) to personal data to the owner of the personal data database.

The request shall specify:

the surname, first name and patronymic, place of residence (place of stay), and the details of the identity document of the personal data subject; other information making it possible to identify the personal data subject; information about the personal data database in respect of which the request is submitted, or information about the owner or administrator of this database; the list of personal data being requested. 9.4. The period for examining a request as to whether it can be satisfied may not exceed ten working days from the day of its receipt. Within this period, the owner of the personal data database informs the personal data subject that the request will be satisfied or that the relevant personal data is not subject to provision, indicating the grounds defined in the relevant legal act.

9.5. The request is satisfied within thirty calendar days from the day of its receipt, unless otherwise provided by law.

  1. State registration of the personal data database

10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection".