Regulation on the processing and protection of personal data in personal data databases owned by the seller
Table of Contents
- General concepts and scope of application
- List of personal data databases
- Purpose of personal data processing
- The procedure for processing personal data: obtaining consent, notification of rights and actions with personal data of the sub-object of personal data
- Location of the personal data database
- Conditions for disclosure of personal data to third parties
- Personal data protection: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, the period of storage of personal data
- The rights of the sub-object of personal data
- The procedure for working with requests of the personal data subject
- State registration of the personal data database
1. General concepts and scope of application
1.1. Definition of terms:
personal data database a named collection of ordered personal data in electronic form and/or in the form of personal data files;
the responsible person has been identified as the person who organizes the work related to the protection of personal data during their processing, in accordance with the law;
the owner of the personal data database is a natural or legal person who has been granted the right to process this data by law or by agreement of the personal data object, which approves the purpose of processing personal data in this database, establishes the composition of this data and the procedures for their processing, unless otherwise determined by law;
The State Register of Personal Data Databases is a unified state information system for collecting, accumulating and processing information about registered personal data databases;
publicly available sources of personal data directories, address books, registries, lists, catalogs, and other systematized collections of open information containing personal data posted and published in a well-known sub-object of personal data. Social networks and Internet resources in which the sub-object of personal data leave their personal data are not considered publicly available sources of personal data (except in cases when the sub-object of personal data explicitly states that the personal data is posted for the purpose of free distribution and use;
consent of the subject of the personal dataany documented, voluntary expression of the will of an individual regarding the granting of permission for the processing of her personal data in accordance with the stated purpose of their processing
depersonalization of personal datawithdrawal of personal identification information;
processing of personal data — any action or set of actions carried out in whole or in part in an information (automated) system and/or in personal data filing cabinets, et’related to the collection, registration, accumulation, storage, adaptation, modification, renewal, use and distribution (distribution, sale, transfer), depersonalization, destruction of information about an individual;
personal data information or a set of information about an individual who has been identified or can be specifically identified;
the administrator of the personal data database is a natural or legal person to whom the owner of the personal data database or the law has granted the right to process this data. A person who is assigned by the owner and/or manager of the personal data database to carry out technical work with the personal data database without access to the content of personal data is not the administrator of the personal data database;
the sub-object of personal data is an individual in respect of whom, in accordance with the law, her personal data is processed;
third partyany person, with the exception of the sub-object of personal data, the owner or the administrator of the personal data database and the authorized state body for the protection of personal data, to whom the owner or the administrator of the personal data database transfers personal data in accordance with the law;
special categories of datapersonal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health’I sexual life.
1.2. This Provision is mandatory for the application of the responsible person and the seller's employees who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of personal data databases
2.1. The Seller is the owner of the following databases of personal data:- database of contractors' personal data.
3. Purpose of personal data processing
3.1. The purpose of processing personal data in the system is to ensure the implementation of civil law relations, provision, receipt and settlement of purchased goods and services of the Tax Code of Ukraine, the Law of Ukraine on Accounting and Financial Reporting in Ukraine.
4. The procedure for processing personal data: obtaining consent, notification of rights and actions with personal data of the sub-object of personal data
4.1. The consent of the subject of the personal data must be a voluntary expression of the will of an individual regarding the granting of permission for the processing of her personal data in accordance with the formulated purpose of their processing.
4.2. The consent of the subject of the personal data may be provided in the following forms:
- a paper document with the details, which makes it possible to identify this document and an individual;
- an electronic document that must necessarily contain"language requirements" that make it possible to identify this document and an individual. It is advisable to certify the voluntary will of an individual regarding the granting of permission for the processing of her personal data with an electronic signature of the subject of the personal data object;
- a mark on the electronic page of a document or in an electronic file that is processed in an information system based on documented software and hardware solutions.
4.3. The consent of the subject of the personal data is provided during the registration of civil relations in accordance with the current legislation.
4.4. Notification of the subject of personal data about the inclusion of his personal data in the personal data database, the rights defined by the Law of Ukraine on the Protection of Personal Data, the purpose of data collection and the persons to whom his personal data is transferred is carried out during the registration of civil relations in accordance with the current legislation.
4.5. Processing of personal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health, sexual life (special categories of data) is prohibited.
5. Location of the personal data database
5.1. The personal data databases specified in Section 2 of this Regulation are located at the seller's address.
6. Conditions for disclosure of personal data to third parties
6.1. The procedure for accessing the personal data of third parties is determined by the terms of the consent of the subject of personal data provided to the owner of personal data for the processing of this data, or in accordance with the requirements of the law.6.2. Access to personal data is not granted to a third party if the specified person refuses to assume obligations to ensure compliance with the requirements of the Law of Ukraine on the Protection of Personal Data or is unable to provide them.
6.3. The sub-object of the relations related to personal data submits a request for access (hereinafter referred to as a request) to the owner of personal data.
6.4. The request specifies:
- surname, first name'I 'by patronymic, place of residence (place of stay) and details of the document certifying the individual who submits the request (for the individual applicant);
- name, location of the legal entity submitting the request, position, surname, first name 'I and the patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for the legal entity of the applicant);
- surname, first name'I and by father, and also other information, make it possible to identify the individual in respect of whom the request is being made;
- information about the personal data database in respect of which the request is being submitted, or information about the owner or manager of this personal data database;
- list of personal data requested;
- purpose and/or legal grounds for the request.
6.8. In the postponement message, the following are noted:
- last name, first name'I by official;
- date the message was sent;
- reason for postponement;
- the period during which the request will be satisfied.
6.10. The rejection message specifies:
- last name, first name'I, according to the official who denies access;
- date the message was sent;
- reason for refusal.
7. Personal data protection: methods of protection, responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, the period of storage of personal data
7.1. The owner of the personal data database is equipped with system and software-technical means and communication means that prevent loss, theft, unauthorized destruction, distortion, fragmentation, copying of information and comply with the requirements of international and national standards.
7.2. The responsible person organizes the work related to the protection of personal data during their processing, in accordance with the law. The responsible person is determined by the order of the Owner of the personal data database.
It is mandatory that the responsibilities of the responsible person for the organization of work related to the protection of personal data during their processing are specified in the job description.
7.3. The responsible person of the goiter is connected:
- know the legislation of Ukraine in the field of personal data protection;
- develop procedures for accessing employees' personal data in accordance with their professional or official or work obligations
- ensure that the employees of the Owner of the personal data database comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents that regulate the activities of the Owner of the personal data database in relation to the processing and protection of personal data in personal data databases;
- develop an internal control procedure for compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents that regulate the activities of the Owner of the personal data database in relation to the processing and protection of personal data in personal data databases, which, in particular, should contain rules on the frequency of such control;
- inform the Owner of the personal data database about the facts of violations by employees of the requirements of the legislation of Ukraine in the field of personal data protection and internal documents that regulate the activities of the Owner of the personal data database in relation to the processing and protection of personal data in personal data databases within one working day from the moment of detection of such violations;
- ensure the storage of documents confirming the provision of consent by the sub-object of personal data to the processing of their personal data and notification of the specified sub-object of its rights.
7.4. In order to fulfill their duties, the responsible person has the right to:
- receive the necessary documents, including orders and other administrative documents issued by the Owner of the personal data database, that are related to the processing of personal data;
- make copies of the received documents, including copies of files, any records that are stored in local computer networks and autonomous computer systems;
- participate in the discussion of the duties performed by him/her in the organization of work related to the protection of personal data during their processing;
- submit proposals for improving activities and improving working methods for consideration, submit comments and options for eliminating identified deficiencies in the processing of personal data;
- receive explanations on the issues of personal data processing;
- sign and approve documents within the scope of their competence.
7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (labor) duties are bound to adhere to the requirements of the legislation of Ukraine in the field of personal data protection and internal documents, processing and protection of personal data in personal data databases.
7.6. Employees, have access to personal data, including, carry out their processing obligations related not to allow disclosure of any way of personal data that they have been entrusted with or that have become known in connection connection with performance of professional or official or labor duties’connections. Such an obligation’obligation to act after the termination of their activities, this’related to personal data, except in cases prescribed by law.
7.7.Persons who have access to personal data, including, carry out their processing in case of violation of the requirements of the Law of Ukraine on the Protection of Personal Data, are responsible according to the legislation of Ukraine.7.8. Personal data should not be stored longer than is necessary for the purpose for which such data is stored, but in any case not longer than the data retention period determined by the consent of the sub-object of personal data to the processing of this data.
8. The rights of the sub-object of personal data
8.1. The Personal data Provider has the right to:
- to know about the location of the personal data database containing his personal data, its purpose and name, location and/or place of residence (stay) of the owner or the administrator of this database, or to give appropriate instructions regarding the receipt of this information to authorized persons, except in cases established by law;
- receive information about the conditions for granting access to personal data, in particular information about third parties to whom his personal data is transferred, contained in the relevant personal data database;
- on access to their personal data that contained in the relevant database of personal data;
- receive no more than thirty calendar days from the date of receipt of the request, except in cases provided for by law, an answer about whether his personal data is stored in the relevant personal data database, and also receive the contents of his personal data that are stored;
- before submitting a reasoned claim with an objection to the processing of their personal data by state authorities, local self-government bodies in the exercise of their powers provided for by law;
- before submitting a reasoned demand regarding the modification or destruction of their personal data by any owner and administrator of this database, if these data are processed illegally or are unreliable;
- to protect your personal data from illegal processing and accidental loss, destruction, damage in connection with intentional concealment, non-provision or untimely provision of them, and also to protect against the provision of information that is unreliable or discredits honor, dignity and business reputation of an individual;
- to address the issues of protection of their rights regarding personal data to the state authorities, local self-government bodies, whose powers include the protection of personal data;
- apply legal remedies in case of violation of the legislation on personal data protection.
9. The procedure for working with the requests of the personal data object
9.1. The personal data subject has the right to receive any information about himself in any sub-object of relations related to personal data, without specifying the purpose of the request, except in cases established by law.
9.2. Access of the subject of personal data to personal data is free of charge.
9.3. The sub-object of personal data submits a request for access (hereinafter referred to as a request) to the owner of the personal data database.
The request specifies:
- surname, first name'I'by patronymic, place of residence (place of stay) and details of the document, identity document of the sub’object of personal data;
- other information, make it possible to identify the person of the sub’object of personal data;
- information about the database of personal data in respect of which the request is being submitted, or information about the owner or manager of this database;
- list of personal data requested.
9.4. The term for studying the request for its satisfaction may not exceed ten working days from the date of its receipt. During this period, the owner of the personal data database informs the known sub of the personal data object that the request will be satisfied or the relevant personal data will not be provided, with an indication of the grounds specified in the relevant regulatory legal act.
9.5. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
10. State registration of the personal data database
10.1. The state registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine About the protection of personal data.