Policy on Processing and Protection of Personal Data in Personal Data Repositories Owned by the Seller
Contents
-
General concepts and scope of application
-
List of personal data repositories
-
Purpose of processing personal data
-
Procedure for processing personal data: obtaining consent, informing subjects of their rights, and actions concerning the subject’s personal data
-
Location of the personal data repository
-
Conditions for disclosing personal data to third parties
-
Protection of personal data: protection methods, responsible person, employees who directly process and/or have access to personal data in connection with their duties, retention period
-
Rights of the personal data subject
-
Procedure for handling subject requests
-
State registration of the personal data repository
1. General Concepts and Scope of Application
1.1 Definitions:
-
Personal data repository – a named collection of organized personal data in electronic form and/or within card indexes;
-
Responsible person – the individual designated to organize data protection activities in compliance with the law;
-
Owner of the personal data repository – the individual or legal entity legally authorized to determine the purpose, content, and processing procedures of the repository;
-
State Register of Personal Data Repositories – a unified government information system for records of registered personal data repositories;
-
Publicly available sources of personal data – directories, address books, registries, lists, catalogs, and other organized public information collections containing personal data and published with the subject’s consent—excluding social media and websites unless expressly stated otherwise;
-
Consent of the personal data subject – documented voluntary consent of an individual to personal data processing for a specified purpose;
-
Anonymization of personal data – removal of information that identifies the individual;
-
Processing of personal data – any operation or set of operations with personal data in automated or manual form;
-
Personal data – information about an identifiable individual;
-
Data controller – individual or legal entity that handles the personal data under authorization;
-
Personal data subject – individual whose personal data is being processed;
-
Third party – any party other than the subject, the owner or controller, or authorized state body, to whom data is transferred by law;
-
Special categories of data – personal data revealing race, ethnicity, political, religious beliefs, etc., as well as health or sexual life.
1.2 This policy is mandatory for the responsible person and employees of the seller directly involved in data processing.
2. List of Personal Data Repositories
2.1 The seller owns the following repository:
-
Repository of counterparties’ personal data.
3. Purpose of Processing Personal Data
3.1 The purpose of data processing is to facilitate civil-law relations, the provision, receipt, and financial settlements for goods and services under the Ukrainian Tax Code and Accounting Law.
4. Procedure for Personal Data Processing
4.1–4.5 Procedures for obtaining and documenting consent, informing the subject, and prohibition of processing special categories of data.
5. Repository Location
5.1 The repositories listed in section 2 are located at the seller’s premises.
6. Conditions for Disclosure of Data to Third Parties
6.1–6.11 Defines conditions, deadlines, postponements, refusals, and appeal rights regarding third-party access requests.
7. Personal Data Protection
7.1–7.8 Outlines technical safeguards, responsibilities, staff obligations, confidentiality duties, liability, and data retention limits.
8. Rights of the Data Subject
8.1 Enumerates individual rights to information, access, correction, deletion, and legal protection.
9. Handling Subject Requests
9.1–9.5 Covers rights to request, free access, identification requirements, and response timelines.
10. State Registration
10.1 Registration of data repositories as per Article 9 of Ukraine’s Personal Data Protection Law.