1. General Concepts and Scope of Application
1.1. Definitions:
- Personal Data Database: A named collection of ordered personal data in electronic form and/or in the form of personal data card files.
- Responsible Person: A designated individual who organizes work related to the protection of personal data during their processing in accordance with the law.
- Owner of the Personal Data Database: A natural or legal person authorized by law or the consent of the data subject to process this data, who establishes the purpose of processing the personal data, determines their composition, and sets the procedures for their processing unless otherwise specified by law.
- State Register of Personal Data Databases: A unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Public Sources of Personal Data: Directories, address books, registers, lists, catalogs, and other systematically organized collections of open information containing personal data published with the consent of the data subject. Social networks and internet resources where data subjects post personal data are not considered public sources unless the data subject has explicitly stated that such data is intended for unrestricted dissemination and use.
- Consent of the Data Subject: Any documented voluntary expression of the individual's will regarding permission to process their personal data for a specific purpose.
- Anonymization of Personal Data: The removal of information that enables the identification of an individual.
- Processing of Personal Data: Any action or set of actions performed fully or partially in an information (automated) system and/or in personal data card files related to the collection, registration, accumulation, storage, adaptation, modification, updating, usage, dissemination (distribution, transfer), anonymization, or destruction of information about an individual.
- Personal Data: Information or a collection of information about an identified or identifiable individual.
- Administrator of the Personal Data Database: A natural or legal person authorized by the database owner or by law to process such data. The administrator does not include individuals assigned solely technical tasks without access to the content of personal data.
- Data Subject: An individual whose personal data is being processed in accordance with the law.
- Third Party: Any person, excluding the data subject, the owner, or the administrator of the personal data database, as well as the authorized state authority for personal data protection, to whom the owner or administrator of the database transfers personal data in accordance with the law.
- Special Categories of Data: Personal data related to racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.
1.2. This Regulation is mandatory for the responsible person and the employees of the seller who directly process or access personal data as part of their official duties.
2. List of Personal Data Databases
2.1. The seller owns the following personal data databases:
- The personal data database of contractors.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in the system is to ensure the fulfillment of civil-law relations, provision, receipt, and execution of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights, and Actions with the Personal Data of the Data Subject
4.1. Consent of the data subject must be a voluntary expression of the individual’s will, permitting the processing of their personal data for the specified purpose.
4.2. Consent of the data subject may be provided in the following forms:
- A paper document with identifiers to verify the document and the individual.
- An electronic document containing identifiers for verification, ideally confirmed with the data subject’s electronic signature.
- A mark on an electronic page or document file processed in an information system, based on documented technical solutions.
4.3. Consent of the data subject is granted during the establishment of civil-law relations in accordance with current legislation.
4.4. Notification of the data subject regarding the inclusion of their personal data in the database, their rights under the Law of Ukraine "On Personal Data Protection," the purpose of data collection, and the entities to whom their data is transferred occurs during the establishment of civil-law relations.
4.5. Processing of personal data concerning racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data related to health or sexual life (special categories of data), is prohibited.
5. Location of the Personal Data Database
5.1. The personal data databases listed in Section 2 of this Regulation are located at the seller’s address.
6. Conditions for Disclosing Personal Data to Third Parties
6.1. The procedure for granting access to personal data to third parties is determined by the terms of the consent provided by the data subject to the owner of the personal data database for processing such data or in accordance with legal requirements.
6.2. Access to personal data is not granted to a third party if that party refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine "On the Protection of Personal Data" or is unable to fulfill such obligations.
6.3. A subject of relations involving personal data must submit a request (hereinafter referred to as the "request") to the owner of the personal data database to gain access to such data.
6.4. The request must include the following:
- The last name, first name, and patronymic, place of residence (or stay), and details of the document identifying the individual submitting the request (for an individual applicant).
- The name, location of the legal entity submitting the request, the position, last name, first name, and patronymic of the individual certifying the request, as well as confirmation that the content of the request aligns with the legal entity's authority (for a legal entity applicant).
- The last name, first name, and patronymic, as well as other information allowing for the identification of the individual to whom the request pertains.
- Information about the personal data database in question, or details about its owner or administrator.
- A list of personal data being requested.
- The purpose and/or legal grounds for the request.
6.5. The period for reviewing a request to determine its fulfillment must not exceed ten working days from the date of its receipt. During this period, the owner of the personal data database must notify the requesting party whether the request will be fulfilled or whether the requested personal data will not be provided, citing the reason based on relevant legal norms. The request must be fulfilled within thirty calendar days from the date of its receipt unless otherwise provided by law.
6.6. Deferral of access to personal data for third parties is allowed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. In such cases, the total time for resolving the issues raised in the request must not exceed forty-five calendar days.
6.7. Notification of the deferral must be provided in writing to the third party that submitted the request, including an explanation of the procedure for appealing such a decision.
6.8. The notification of deferral must include the following:
- The last name, first name, and patronymic of the official issuing the notification.
- The date the notification was sent.
- The reason for the deferral.
- The timeframe within which the request will be fulfilled.
6.9. Refusal to grant access to personal data is permitted if such access is prohibited by law.
6.10. The notification of refusal must include the following:
- The last name, first name, and patronymic of the official issuing the refusal.
- The date the notification was sent.
- The reason for the refusal.
6.11. Decisions to defer or refuse access to personal data may be appealed in court.
7. Protection of Personal Data: Protection Measures, Responsible Persons, Employees Directly Processing and/or Accessing Personal Data in the Course of Their Official Duties, Retention Periods for Personal Data
7.1. The owner of the personal data database is equipped with system and program-technical means and communication devices that prevent loss, theft, unauthorized destruction, distortion, falsification, or copying of information and comply with international and national standards.
7.2. The responsible person organizes work related to the protection of personal data during their processing in accordance with the law. The responsible person is appointed by the order of the owner of the personal data database.
The responsibilities of the responsible person regarding the organization of work related to the protection of personal data during their processing are specified in their job description.
7.3. The responsible person is obligated to:
- Be knowledgeable about Ukrainian legislation on the protection of personal data.
- Develop procedures for employee access to personal data in accordance with their professional, official, or labor responsibilities.
- Ensure that the employees of the owner of the personal data database comply with the requirements of Ukrainian legislation on the protection of personal data and the internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases.
- Develop an internal control procedure for compliance with Ukrainian legislation on the protection of personal data and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data. This procedure should include norms for the periodicity of such control.
- Notify the owner of the personal data database of any violations by employees of the requirements of Ukrainian legislation on the protection of personal data and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data in personal data databases no later than one working day from the moment such violations are detected.
- Ensure the storage of documents confirming the data subject's consent to the processing of their personal data and informing the said subject of their rights.
7.4. To fulfill their duties, the responsible person has the right to:
- Obtain necessary documents, including orders and other regulatory documents issued by the owner of the personal data database related to personal data processing.
- Make copies of received documents, including copies of files, records stored in local computer networks, and autonomous computer systems.
- Participate in discussions of their duties regarding the organization of work related to the protection of personal data during their processing.
- Submit proposals for improving the processing and protection of personal data.
7.5. Employees who directly process personal data and/or have access to personal data in connection with their official duties are required to comply with Ukrainian legislation on the protection of personal data and internal documents regulating the activities of the owner of the personal data database regarding the processing and protection of personal data.
7.6. Employees who have access to personal data, including processing it, are required to:
- Ensure the processing and protection of personal data in accordance with Ukrainian legislation and internal documents.
- Prevent disclosure of personal data that they have access to in connection with their official duties.
- Immediately notify the responsible person of any violation of the requirements of Ukrainian legislation on the protection of personal data or internal documents.
7.7. The retention period of personal data is determined in accordance with the purpose of their processing, but it should not exceed the time necessary to achieve the stated purpose unless otherwise provided by law.
8. Rights of the Data Subject
8.1. The data subject has the right to:
- Be informed about the location of the database containing their personal data and its purpose.
- Require the correction or destruction of their personal data if the data is processed illegally or is inaccurate.
- Apply legal remedies in the event of a violation of their rights in the processing of personal data.
9. Procedure for Handling Requests from the Data Subject
9.1. A data subject or their representative has the right to submit a request regarding the processing of their personal data.
9.2. The request must contain:
- Name, surname, and patronymic of the data subject or their representative.
- Information on the subject's personal data being requested.
- Contact information for providing a response.
9.3. The response to the request should be provided no later than 30 calendar days from the receipt of the request, unless otherwise stipulated by law.
10. State Registration of Personal Data Databases
10.1. The personal data database is subject to state registration in accordance with the procedure established by Ukrainian legislation.