Contents
- General concepts and scope of application.
- List of personal data bases.
- Purpose of personal data processing.
- Procedure for processing personal data: obtaining consent, informing about the rights and actions regarding personal data of the data subject.
- Location of the personal data base.
- Conditions for disclosing information about personal data to third parties.
- Personal data protection: methods of protection, responsible person, employees directly involved in processing and/or having access to personal data in connection with their official duties, retention period of personal data.
- Rights of the data subject.
- Procedure for handling requests from the data subject.
- State registration of the personal data base.
1. General concepts and scope of application.
1.1. Definitions:
personal data base — a named collection of ordered personal data in electronic and/or card index form;
responsible person — a designated person who organizes work related to the protection of personal data during their processing, in accordance with the law;
personal data owner — a natural or legal person who has been granted the right to process such data by law or with the consent of the data subject, who establishes the purpose of processing personal data in this database, defines the composition of such data and the procedures for their processing, unless otherwise provided by law;
State Register of personal data bases — a single state information system for collecting, accumulating, and processing information about registered personal data bases;
public sources of personal data — directories, address books, registers, lists, catalogs, and other systematized collections of public information containing personal data, placed and published with the knowledge of the data subject.
Social networks and Internet resources where the data subject leaves their personal data are not considered public sources of personal data (except cases when the data subject explicitly states that their personal data is posted for free distribution and use);
data subject's consent — any documented, voluntary expression of will of a natural person regarding the processing of their personal data for the stated purpose of processing;
depersonalization of personal data — removal of information that enables the identification of a person;
processing of personal data — any action or combination of actions performed fully or partially in an information (automated) system and/or in personal data card indexes, related to the collection, registration, accumulation, storage, adaptation, modification, renewal, use, distribution (dissemination, implementation, transfer), depersonalization, destruction of information about a natural person;
personal data — information or a set of information about an identified or identifiable natural person;
personal data handler — a natural or legal person who is granted the right to process such data by the owner of the personal data base or by law.
A person who is assigned to perform technical work with the personal data base without access to the content of personal data is not considered a personal data handler;
data subject — a natural person whose personal data is processed in accordance with the law;
third party — any person, except for the data subject, the owner or handler of the personal data base, and the authorized state body for personal data protection, to whom the owner or handler of the personal data base transfers personal data in accordance with the law;
special categories of data — personal data about racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and professional associations, as well as data related to health or sex life.
1.2. This Regulation is mandatory for compliance by the responsible person and employees of the seller who are directly involved in processing and/or have access to personal data in connection with the performance of their official duties.
2. List of personal data bases.
2.1. The seller is the owner of the following personal data bases:
- personal data base of contractors.
3. Purpose of personal data processing.
3.1. The purpose of processing personal data in the system is to store and service data of contractors, in accordance with Articles 6 and 7 of the Law of Ukraine "On the Protection of Personal Data."
3.2. The purpose of processing personal data is to ensure the implementation of civil law relations, provision/receipt, and execution of settlements for purchased goods/services in accordance with the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for processing personal data: obtaining consent, informing about the rights and actions regarding personal data of the data subject.
4.1. The consent of the data subject must be a voluntary expression of will of a natural person regarding the processing of their personal data for the stated purpose of processing. The consent of the data subject can be given in the following forms:
- a document on paper containing details that allow identification of the document and the individual;
- an electronic document that must contain mandatory details enabling identification of the document and the individual. It is advisable that the voluntary expression of will of a natural person regarding the processing of their personal data be certified by the electronic signature of the data subject;
- a mark on the electronic page of the document or in the electronic file being processed in the information system based on documented software and technical solutions.
4.2. The consent of the data subject is given during the conclusion of civil law relations in accordance with the current legislation.
4.3. The data subject shall be informed about the inclusion of their personal data in the personal data base, the rights defined by the Law of Ukraine "On the Protection of Personal Data," the purpose of data collection, and the persons to whom their personal data are transferred, during the conclusion of civil law relations in accordance with the current legislation.
4.4. The processing of personal data on racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and professional associations, as well as data related to health or sex life (special categories of data) is prohibited.
5. Location of the personal data base.
5.1. The personal data bases specified in section 2 of this Regulation are located at the seller's address.
6. Conditions for disclosing information about personal data to third parties.
6.1. The procedure for third parties' access to personal data is determined by the conditions of the data subject's consent given to the owner of the personal data base for the processing of such data or in accordance with the requirements of the law.
6.2. Access to personal data is not granted to a third party if the said party refuses to undertake the obligations to ensure compliance with the requirements of the Law of Ukraine "On the Protection of Personal Data" or is unable to fulfill them.
6.3. The subject of relations related to personal data submits a request for access (hereinafter referred to as "the request") to the owner of the personal data base.
6.4. The request shall specify:
- the surname, first name, and patronymic, place of residence (place of stay), and details of the document certifying the identity of the natural person submitting the request (for a natural person - the applicant);
- the name, location of the legal entity submitting the request, position, surname, first name, and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authority of the legal entity (for a legal entity - the applicant);
- the surname, first name, and patronymic, as well as other information enabling the identification of the natural person to whom the request relates;
- information about the personal data base to which the request relates or information about the owner or handler of this base;
- the list of personal data requested;
- the purpose of the request.
6.5. The period for reviewing the request with a view to satisfying it shall not exceed ten working days from the date of its receipt.
Within this period, the owner of the personal data base shall inform the person submitting the request that the request will be satisfied or that the relevant personal data will not be provided, with an indication of the legal basis specified in the relevant regulatory legal act.
The request shall be satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6. All employees of the owner of the personal data base are obliged to comply with the confidentiality requirements regarding personal data and information about securities accounts and securities circulation.
6.7. Delaying access to personal data of third parties is allowed if the necessary data cannot be provided within thirty calendar days from the date of receiving the request. In this case, the total resolution period for the issues raised in the request cannot exceed forty-five calendar days.
6.8. The notification of the delay shall be communicated to the third party that submitted the request in writing, with an explanation of the procedure for appealing such a decision.
6.9. The notification of the delay shall include:
- the surname, first name, and patronymic of the official;
- the date of sending the notification;
- the reason for the delay;
- the deadline within which the request will be fulfilled.
6.10. Refusal of access to personal data is allowed if access is prohibited by law.
6.11. The notification of the refusal shall include:
- the surname, first name, and patronymic of the official who refuses access;
- the date of sending the notification;
- the reason for the refusal.
6.12. The decision on delaying or refusing access to personal data can be appealed to the authorized state body for the protection of personal data, other bodies of state authority and local self-government, which are empowered to protect personal data, or to the court.
7. Personal data protection: protection methods, responsible person, employees directly processing and/or having access to personal data in connection with their official duties, and personal data retention period.
7.1. The owner of the personal data base is equipped with system, software, and technical means and communication tools that prevent loss, theft, unauthorized destruction, distortion, falsification, and copying of information, and that comply with the requirements of international and national standards.
7.2. The responsible person organizes work related to the protection of personal data during their processing in accordance with the law. The responsible person is appointed by the order of the owner of the personal data base.
The responsibilities of the responsible person for organizing work related to the protection of personal data during their processing are specified in the job description.
7.3. The responsible person is obliged to:
- be familiar with the legislation of Ukraine on the protection of personal data;
- develop procedures for accessing personal data by employees in accordance with their professional, official, or employment duties;
- ensure that employees of the owner of the personal data base comply with the requirements of the legislation of Ukraine on the protection of personal data and internal documents regulating the activities of the owner of the personal data base regarding the processing and protection of personal data in personal data bases;
- develop a procedure for internal control over compliance with the requirements of the legislation of Ukraine on the protection of personal data and internal documents regulating the activities of the owner of the personal data base regarding the processing and protection of personal data in personal data bases, which, in particular, should contain provisions on the frequency of such control;
- notify the owner of the personal data base of the facts of violations of the requirements of the legislation of Ukraine on the protection of personal data and internal documents regulating the activities of the owner of the personal data base regarding the processing and protection of personal data in personal data bases no later than one working day from the moment of detecting such violations;
- ensure the storage of documents confirming the consent of the data subject to the processing of their personal data and notifications of the rights of the said data subject.
7.4. In order to fulfill their duties, the responsible person has the right to:
- receive necessary documents, including orders and other regulatory documents issued by the owner of the personal data base related to the processing of personal data;
- make copies of received documents, including file copies, any records stored in local computer networks and standalone computer systems;
- participate in discussions of the duties performed by them related to the protection of personal data during their processing;
- submit proposals for improving the activities and enhancing the methods of work, provide comments and suggestions for eliminating identified shortcomings in the process of processing personal data;
- receive explanations regarding the processing of personal data;
- sign and endorse documents within their competence.
7.5. Employees who directly process and/or have access to personal data in connection with their official (employment) duties are required to comply with the requirements of Ukrainian legislation on the protection of personal data and internal documents regarding the processing and protection of personal data in personal data bases.
7.6. Employees who have access to personal data, including those who process them, are obliged not to disclose in any way the personal data entrusted to them or known to them in connection with the performance of their professional or official duties. Such obligation remains valid after they have ceased activities related to personal data, except as provided by law.
7.7. Individuals who have access to personal data, including those who process them, bear responsibility in accordance with Ukrainian legislation in the event of a breach of the Law of Ukraine "On the Protection of Personal Data."
7.8. Personal data should not be stored longer than necessary for the purpose for which such data are stored, but in any case, not longer than the data retention period determined by the subject's consent to the processing of such data.
8. Rights of the personal data subject.
8.1. The personal data subject has the right to:
- know the location of the personal data base containing their personal data, its purpose and name, the location and/or place of residence (stay) of the owner or handler of this base, or give appropriate authorization to authorized persons to obtain this information, except as provided by law;
- receive information about the conditions for providing access to personal data, including information about third parties to whom their personal data contained in the relevant database is transferred;
- access their personal data contained in the relevant database;
- receive, no later than thirty calendar days from the date of the request, except as provided by law, a response regarding the existence of their personal data in the relevant database and obtain the content of their personal data stored;
- submit a reasoned request with an objection to the processing of their personal data by state authorities, local governments in the exercise of their powers provided by law;
- submit a reasoned request for changes or destruction of their personal data by any owner and handler of this base if such data is processed illegally or is inaccurate;
- protect their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, non-disclosure, or untimely provision thereof, as well as be protected against the provision of information that is inaccurate or denigrates the honor, dignity, and business reputation of an individual;
- apply to state authorities, local governments, whose powers include protecting personal data, regarding the protection of their rights related to personal data;
- apply legal remedies in case of violation of the legislation on the protection of personal data.
9. Procedure for handling personal data subject requests.
9.1. The personal data subject has the right to obtain any information about themselves from any subject of relationships related to personal data, without indicating the purpose of the request, except as provided by law.
9.2. Access of the personal data subject to information about themselves is free of charge.
9.3. The personal data subject submits a request for access (hereinafter - the request) to their personal data to the owner of the personal data base.
The request must specify:
- surname, first name, and patronymic, place of residence (location), and details of the document certifying the identity of the personal data subject;
- other information that allows identifying the individual;
- information about the personal data base to which the request relates or information about the owner or handler of this base;
- list of personal data requested.
9.4. The period for reviewing the request for its satisfaction cannot exceed ten business days from the date of its receipt.
9.5. Within this period, the owner of the personal data base informs the personal data subject that the request will be satisfied or that the respective personal data will not be provided, indicating the grounds specified in the relevant normative legal act.
9.6. The request is satisfied within thirty calendar days from the date of its receipt, unless otherwise provided by law.
10. State registration of personal data bases.
10.1. State registration of personal data bases is carried out in accordance with Article 9 of the Law of Ukraine "On the Protection of Personal Data."
More detailed information about the terms of use of the website and other issues is provided in the corresponding sections:
- Terms of Use: https://promin.ua/en/help/terms/
- Delivery Terms: https://promin.ua/en/help/delivery/
- Payment Terms: https://promin.ua/en/help/payment/
- Return Policy: https://promin.ua/en/help/warranty/
- Help (Frequently Asked Questions): https://promin.ua/en/help/faq/