Policy on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Contents
- General Definitions and Scope of Application
- List of Personal Data Databases
- Purpose of Personal Data Processing
- Procedure for Processing Personal Data: Consent, Notification of Rights, and Actions Regarding Data Subjects’ Personal Data
- Location of Personal Data Databases
- Conditions for Disclosure of Personal Data to Third Parties
- Protection of Personal Data: Means of Protection, Responsible Person, Employees with Access, Data Retention Period
- Rights of Personal Data Subjects
- Procedure for Handling Requests from Personal Data Subjects
- State Registration of Personal Data Databases
1. General Definitions and Scope of Application
1.1. Definitions:
- Personal Data Database: A named collection of structured personal data in electronic form and/or in the form of personal data files;
- Responsible Person: The designated individual who organizes the work related to the protection of personal data during processing in accordance with the law;
- Owner of the Personal Data Database: A natural or legal person who, by law or with the consent of the personal data subject, is granted the right to process such data, sets the purpose of processing, and determines the composition of the data and processing procedures, unless otherwise provided by law;
- State Register of Personal Data Databases: The unified national information system for collecting, storing, and processing information on registered personal data databases;
- Public Sources of Personal Data: Directories, address books, registries, lists, catalogs, and other systematically compiled collections of open information containing personal data, published with the knowledge of the data subject. Social networks and websites are not considered public sources unless the subject explicitly declares their data is intended for free distribution and use;
- Consent of the Personal Data Subject: Any documented, voluntary expression of will by an individual allowing the processing of their personal data for the defined purpose;
- Anonymization of Personal Data: The removal of information that enables the identification of an individual;
- Processing of Personal Data: Any action or set of actions, performed in part or in full in an information (automated) system and/or personal data files, related to collection, registration, accumulation, storage, adaptation, modification, updating, use, dissemination (distribution, transfer), anonymization, or destruction of personal information;
- Personal Data: Information or a set of information about a natural person who is identified or can be specifically identified;
- Processor of the Personal Data Database: A natural or legal person authorized by the owner or by law to process such data. A person performing technical tasks without access to the content of personal data is not considered a processor;
- Data Subject: A natural person whose personal data is processed under the law;
- Third Party: Any person other than the data subject, owner, processor, or authorized government body for data protection to whom personal data is disclosed by the owner or processor according to law;
- Special Categories of Data: Personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties or trade unions, and data concerning health or sexual life.
1.2. This Policy is mandatory for the responsible person and the seller’s employees who directly process or access personal data in connection with their official duties.
2. List of Personal Data Databases
2.1. The seller is the owner of the following personal data database:
- Database of counterparties’ personal data.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data is to ensure the fulfillment of civil-law relations, provision, receipt, and payment for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for Processing Personal Data
4.1. The consent of the personal data subject must be a voluntary expression of will regarding the granting of permission to process their personal data for the defined purpose.
4.2. Consent may be given in the following forms:
- A written document on paper containing identifiers that allow the person and document to be identified;
- An electronic document with the necessary details for identifying the person and document. It is advisable to confirm consent with an electronic signature;
- A mark on an electronic document or in a file processed within an information system based on documented technical solutions.
4.3. Consent is provided at the time of entering into civil-law relations as required by applicable legislation.
4.4. Notification of the data subject about the inclusion of their personal data into a database, their rights under the Law of Ukraine "On Personal Data Protection," the purpose of data collection, and the recipients of such data is conducted when civil-law relations are established.
4.5. Processing of special categories of data (racial or ethnic origin, political, religious, or ideological beliefs, union or party membership, health or sexual life) is prohibited.
5. Location of Personal Data Databases
5.1. The databases listed in Section 2 of this Policy are located at the address of the Seller.
6. Conditions for Disclosure of Personal Data to Third Parties
6.1. Third-party access to personal data is governed by the data subject’s consent or legal requirements.
6.2. Access is not granted if the third party refuses to comply with or cannot ensure compliance with the Law of Ukraine "On Personal Data Protection."
6.3. Any party involved in personal data relations may submit a request for access to the data to the owner.
6.4. The request must include:
- Full name, residence, and ID details of the individual making the request (if an individual);
- Name, address, job title, and name of the representative (if a legal entity) and confirmation of authority;
- Full name and identifiers of the individual about whom the data is requested;
- Information about the relevant database and its owner or processor;
- A list of requested personal data;
- Purpose and/or legal basis for the request.
6.5. The owner shall review the request within ten business days of receipt. Within this period, the requester shall be informed whether the request is approved or denied, with legal justification.
6.6. If the data cannot be provided within thirty calendar days, a deferral is allowed. The total period for resolving the request may not exceed forty-five calendar days.
6.7. The requester shall be notified in writing of any deferral, with an explanation of how to appeal the decision.
6.8. The deferral notice must include:
- Name and title of the official;
- Date of notification;
- Reason for deferral;
- Deadline for satisfying the request.
6.9. Denial of access to personal data is permitted if such access is prohibited by law.
6.10. The denial notice must include:
- Name and title of the official issuing the denial;
- Date of notification;
- Reason for denial.
6.11. A decision to defer or deny access to personal data may be appealed in court.
7. Protection of Personal Data
7.1. The owner of the personal data database shall ensure protection using system, software, technical, and communication tools that prevent loss, theft, unauthorized destruction, distortion, forgery, or copying of information and comply with international and national standards.
7.2. The responsible person organizes work related to the protection of personal data during processing in accordance with the law and is appointed by an order of the database owner. Their duties are outlined in a job description.
7.3. The responsible person must:
- Know the laws of Ukraine on personal data protection;
- Develop procedures for employee access to personal data in accordance with their professional or job responsibilities;
- Ensure employees comply with legislation and internal policies on personal data protection and processing;
- Establish internal control procedures, including frequency of audits, to ensure compliance;
- Notify the database owner of violations within one business day of detection;
- Store documentation proving data subject consent and rights notification.
7.4. The responsible person may:
- Request relevant documents and orders from the database owner;
- Make copies of such documents and electronic records;
- Participate in discussions on personal data protection procedures;
- Propose improvements and corrective actions;
- Request clarifications regarding personal data processing;
- Sign and review documents within their authority.
7.5. Employees with direct access to personal data must comply with personal data protection legislation and internal policies.
7.6. These employees must not disclose personal data obtained during employment, including after termination, unless otherwise specified by law.
7.7. Violations of the Law of Ukraine "On Personal Data Protection" shall result in liability as established by law.
7.8. Personal data shall not be stored longer than necessary for the stated purpose, and no longer than the retention period specified in the subject’s consent.
8. Rights of Personal Data Subjects
8.1. A personal data subject has the right to:
- Know the location, purpose, and name of the personal data database and its owner or processor;
- Receive information about third-party access to their personal data;
- Access their own personal data held in the database;
- Receive a response within thirty calendar days about whether their data is being processed and, if so, obtain its contents;
- Object to processing of their data by public authorities in certain cases;
- Demand correction or deletion of inaccurate or unlawfully processed personal data;
- Protect their data from unauthorized processing, loss, or dissemination, including reputational harm;
- Appeal to authorities or courts for rights protection under the law.
9. Procedure for Handling Requests from Personal Data Subjects
9.1. A personal data subject may request information about themselves from any party involved in personal data processing, without stating a purpose, unless otherwise required by law.
9.2. Access to personal data by the data subject is free of charge.
9.3. The request must include:
- Full name, residence, and ID details;
- Other identifying information;
- Database information or details of its owner or processor;
- List of requested data.
9.4. The owner has ten business days to review the request and notify the subject whether it is granted or denied, with legal justification.
9.5. The request shall be fulfilled within thirty calendar days, unless otherwise required by law.
10. State Registration of Personal Data Databases
10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."