Regulations on the processing and protection of personal data in databases of personal data owned by the seller


Content

1. General concepts and scope
2. List of personal data bases
3. The purpose of processing personal data
4. The procedure for processing personal data: obtaining consent, reporting rights and actions with the personal data of the personal data subject
5. Location of the personal data base
6. Terms of disclosure of information about personal data to third parties
7. Protection of personal data: protection methods, responsible person, employees directly processing and / or have access to personal data in connection with the performance of their official duties, the period of storage of personal data
8. Rights of the subject of personal data
9. The order of work with requests of the subject of personal data
10. State registration of the personal data base


1. General concepts and scope

1.1. Definition of terms:

personal data base - a named set of ordered personal data in electronic form and / or in the form of personal data files;

responsible person - a certain person who organizes work related to the protection of personal data when processed in accordance with the law;

the owner of the personal data base - an individual or a legal entity authorized by law or with the consent of the personal data subject to the processing of this data, approves the purpose of processing personal data in this database, establishes the composition of these data and the processing procedure, unless otherwise provided by law;

The state register of personal data bases is a unified state information system for the collection, accumulation and processing of information on registered databases of personal data;

public sources of personal data - directories, address books, registers, lists, catalogs, others are collected collections of public information containing personal data, posted and published with the consent of the subject of personal data. Social networks and Internet resources in which the subject of personal data leave personal data are not considered as publicly available personal data sources (unless the personal data subject expressly states that personal data is placed for the purpose of free distribution and use);

consent of the subject of personal data - any documented, voluntary will of an individual to grant permission to process his personal data in accordance with the stated purpose of their processing;

depersonalization of personal data - withdrawal of information that allows identification of the person;

processing of personal data - any act or combination of actions committed in whole or in part in an information (automated) system and / or in personal data files associated with the collection, registration, accumulation, storage, adaptation, modification, renewal, use and dissemination (distribution, implementation, transfer), depersonalization, destruction of information about an individual;

personal data - information or a body of information about an individual who is identified or can be specifically identified;

the manager of the personal data base - an individual or a legal entity to whom the owner of the personal data base or the law has been given the right to process this data. The person to whom the owner and / or manager of the personal data base is not authorized to carry out works of a technical nature with a personal data base without access to the content of personal data is not the administrator of the personal data base;

the subject of personal data is an individual in respect of whom, in accordance with the law, his personal data are processed;

the third party is any person, except for the personal data subject, the owner or the manager of the personal data base and the authorized state body for the protection of personal data, to which the personal data holder is the owner or manager of the personal data base in accordance with the law;

special data categories - personal data on race or ethnic origin, political, religious or philosophical beliefs, membership in political parties and trade unions, and data relating to health or sexual life.

1.2. This Regulation is mandatory for use by the responsible person and employees of the seller who directly handle processing and / or have access to personal data in connection with the performance of their official duties.

 

2. List of personal data bases

 

2.1. The seller is the owner of such personal data bases:

database of personal data of counterparties.


3. The purpose of processing personal data

3.1. The purpose of processing personal data in the system is to ensure the implementation of civil law relations, the provision, receipt and implementation of payments for purchased goods and services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine".

 

4. The procedure for processing personal data: obtaining consent, reporting rights and actions with the personal data of the personal data subject

4.1. Consent of the subject of personal data must be a voluntary declaration of the will of an individual to grant permission for the processing of his personal data in accordance with the stated purpose of their processing.

4.2. The consent of the subject of personal data can be provided in the following forms:

document on paper with details, allows you to identify this document and an individual;
an electronic document that must contain mandatory requisites to identify this document and an individual. Voluntary declaration of the consent of an individual to grant permission to process his personal data should be verified with the electronic signature of the subject of personal data;
a mark on the electronic page of the document or in an electronic file processed in the information system on the basis of documented software and technical solutions.
4.3. The consent of the subject of personal data is provided at registration of civil-law relations in accordance with the current legislation.

4.4. Notification of the subject of personal data on the inclusion of his personal data in the database of personal data, the rights defined by the Law of Ukraine "On the Protection of Personal Data", the purpose of data collection and persons to whom his personal data is transferred is carried out when registering civil law relations in accordance with applicable law.

4.5. The processing of personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, and data related to health or sexual life (special categories of data) is prohibited.

 

5. Location of the personal data base

5.1. The personal data bases specified in Section 2 of this Regulation are at the address of the seller.

 

6. Terms of disclosure of information about personal data to third parties

 

6.1. The procedure for accessing personal data of third parties is determined by the terms of consent of the personal data subject provided to the owner of personal data for processing this data, or in accordance with the requirements of law.

6.2. Access to personal data to a third party is not granted if the said person refuses to assume obligations to enforce the requirements of the Law of Ukraine "On the protection of personal data" or can not provide them.

6.3. The subject of relations associated with personal data submits an access request (hereinafter - request) to personal data to the owner of personal data.

6.4. The request specifies:

surname, first name and patronymic, place of residence (location) and details of the document certifying the natural person submitting the request (for the individual - applicant);
name, location of the legal person submitting the request, position, surname, name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authority of the legal entity (for the applicant legal entity);
a surname, a name and a patronymic, and also other data allowing to identify the natural person in relation to which the request is made;
information on the database of personal data in respect of which the request is made, information about the owner or manager of this personal data base;
list of personal data requested;
purpose and / or legal grounds for the request.
6.5. The period of study of the request for its satisfaction can not exceed ten working days from the date it was received. During this period, the owner of the personal data base will notify the person making the request that the request will be sufficient or the relevant personal data will not be provided, indicating the grounds specified in the relevant regulatory act. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.

6.6. Deferral of access to personal data of third parties is allowed in the event that the necessary data can not be provided within thirty calendar days from the date of receipt of the request. At the same time, the general term for resolving the issues raised in the request can not exceed forty-five calendar days.

6.7. The notice of deferral is communicated to the third person who submitted the request in writing, explaining the procedure for appealing against such a decision.

6.8. The postponement message states:

surname, first name and patronymic of the official;
the date the message was sent;
the reason for the delay;
the period during which the request is satisfied.
6.9. Denial of access to personal data is allowed if access to them is prohibited by law.

6.10. The disclaimer indicates:

surname, name, patronymic of the official who denies access;
the date the message was sent;
rejection reason.
6.11. The decision to postpone or deny access to personal data can be appealed to the court.

 

7. Protection of personal data: protection methods, responsible person, employees directly processing and / or have access to personal data in connection with the performance of their official duties, the period of storage of personal data

 

7.1. The owner of the personal data base is equipped with system and software and communication facilities that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and meet the requirements of international and national standards.

7.2. The responsible person organizes the work connected with protection of the personal data at their processing according to the law. The responsible person is determined by the order of the owner of the personal data base.

Responsibilities of the person in charge of organizing work related to the protection of personal data during their processing are indicated in the job description.

7.3. Responsible person is obliged:

know the legislation of Ukraine in the field of personal data protection;
to develop procedures for accessing personal data of employees in accordance with their professional or official or work duties;
Ensure that the employees of the owner of the personal data base comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the owner of the personal data base for the processing and protection of personal data in databases of personal data;
to develop an internal procedure for internal control over compliance with the requirements of the legislation of Ukraine in the protection of personal data and internal documents regulating the activities of the holder of the personal data base for the processing and protection of personal data in databases of personal data, which, in particular, should contain rules on the frequency of implementation of such control;
inform the owner of the database of personal data about violations of the requirements of the legislation of Ukraine in the protection of personal data and internal documents governing the activities of the owner of the personal data base for processing and protecting personal data in databases of personal data within one working day from the time of detection of such violations;
ensure the storage of documents confirming the subject's provision of personal data consent to the processing of their personal data and communication of the said entity about his rights.
7.4. In order to fulfill his duties, the person in charge has the right:

receive the necessary documents, including orders and other regulatory documents issued by the owner of the personal data base related to the processing of personal data;
make copies of received documents, including copies of files, any records stored in local computer networks and stand-alone computer systems;
to participate in the discussion of the duties of organization of work performed by him related to the protection of personal data during their processing;
to submit proposals for improving the activities and improving the methods of work, to submit comments and options for eliminating the identified shortcomings in the processing of personal data;
to receive explanations on the issues of processing personal data;
to sign and visualize documents within the limits of their competence.
7.5. Employees who directly handle processing and / or have access to personal data in connection with the performance of their official (labor) duties are obliged to comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents, processing and protection of personal data in databases of personal data.

7.6. Employees who have access to personal data, including their processing, are required to prevent the disclosure in any way of personal data that they have been entrusted to or that have become known in connection with the performance of professional or service or employment duties. "Such an obligation is valid after termination of their activities related to personal data, except in cases established by law.

7.7.Ways who have access to personal data, including their processing in case of violation of the requirements of the Law of Ukraine "On Protection of Personal Data" are liable under the laws of Ukraine.

7.8. Personal data should not be stored longer than necessary for the purpose for which such data is stored, but in no case longer than the data retention period, the consent of the personal data subject to the processing of this data.

 

8. Rights of the subject of personal data

8.1. The subject of personal data has the right:

to know about the location of the personal data base containing its personal data, its purpose and name, location and / or residence (owner's) owner or the manager of this database or to give an appropriate instruction to receive this information to persons authorized by him, except as provided by law;
receive information on the conditions for granting access to personal data, including information about third parties to whom his personal data contained in the relevant personal data base is transferred;
access to their personal data contained in the relevant database of personal data;
Receive no later than thirty calendar days from the date of receipt of the request, except for cases provided for by law, the response that his personal data is stored in the relevant personal data base, and also receive the content of his personal data that is stored;
to submit a motivated claim with an objection to the processing of their personal data by public authorities, local authorities in the exercise of powers provided for by law;
to submit a motivated demand to change or destroy their personal data by any owner and manager of this database, if these data are processed illegally or are unreliable;
to protect their personal data from illegal processing and accidental loss, destruction, damage in connection with willful concealment, failure to provide or untimely provision thereof, as well as to protect against providing information that is unreliable or discrediting the honor, dignity and business reputation of an individual;
to apply for the protection of their personal data rights to public authorities, local authorities, whose powers include the protection of personal data;
to apply remedies in case of violation of legislation on the protection of personal data.


9. The order of work with requests of the subject of personal data

 

9.1. The subject of personal data has the right to receive any information about himself from any subject of relations associated with personal data, without specifying the purpose of the request, except in cases established by law.

9.2. Access of the subject of personal data to data about yourself is free of charge.

9.3. The personal data subject submits an access request (hereinafter - request) to the personal data of the owner of the personal data base.

The request specifies:

surname, first name and patronymic, place of residence (location) and details of the identity document of the subject of personal data;
other information that allows to identify the identity of the subject of personal data;
information on the database of personal data in respect of which the request is made, information about the owner or manager of this database;
list of personal data requested.
9.4. The period of study of the request for its satisfaction can not exceed ten working days from the date it was received. During this period, the owner of the personal data base will inform the subject of personal data, the request will be sufficient or the relevant personal data will not be provided, indicating the grounds specified in the relevant regulatory act.

9.5. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.

 

10. State registration of the personal data base

10.1. State registration of personal data bases is carried out in accordance with Article 9 of the Law of Ukraine "On Protection of Personal Data".