Privacy Policy

REGULATION ON PROCESSING AND PROTECTION OF PERSONAL DATA IN DATABASES OF PERSONAL DATA

CONTENT

  1. General concepts and scope of application.
  2. The list of databases of personal data.
  3. The purpose of personal data processing.
  4. The procedure of personal data processing:
  5. obtaining consent, notification of rights and actions with personal data of the data subject.
  6. The location of database of personal data.
  7. Terms of disclosure of personal data to third parties.
  8. Protection of personal data:
  9. methods of protection, responsible person, employees who directly perform processing and/or have access to personal data in connection with the performance of their official duties, the period of storage of personal data.
  10. The rights of the data subject.
  11. Procedure for handling requests from data subjects.
  12. State registration of the database of personal data.

1. General concepts and area of application.

1.1 Definition of terms:

database of personal data — named totality of ordered personal data in electronic form and/or in the form of personal data files;

responsible person — a designated person who organizes the work related to the protection of personal data during their processing in accordance with the law;

the owner of the database of personal data — natural or legal person who by law or with the consent of the data subject was given the right to process these data, approves the purpose of processing personal data in this database, establishes the composition of these data and procedures for their processing, unless otherwise provided by law;

State register of databases of personal data — unified state information system of collection, accumulation and processing of information on registered databases of personal data;

public sources of personal data — directories, address books, registers, lists, catalogs, other systematized collections of public information containing personal data, posted and published with the consent of the data subject.

Social networks and Internet resources in which data subjects leave their personal data (except in cases where the data subject has expressly stated that the personal data is placed with a view to their free dissemination and use) are not considered public sources of personal data;

data subject’s consent — any documented, voluntary expression of will of a natural person to authorize the processing of his/her personal data in accordance with the stated purpose of its processing;

depersonalization of personal data — removal of personally identifiable information;

processing of personal data — any action or set of actions, performed in whole or in part in the information (automated) system and/or files of personal data, related to the collection, registration, accumulation, storage, adaptation, modification, change, use and distribution (dissemination, sale, transfer), depersonalization, destruction of information about a natural person;

personal data — information or aggregate of information about a natural person, which is identified or can be specifically identified;

controller of database of personal data — natural or legal person, who is granted the right to process this data by the owner of the database of personal data or by the law.

A person entrusted by the owner and/or controller of the database of personal data with the technical works with the database without access to the content of personal data is not a controller of personal data;

data subject — a natural person, in respect of which personal data is processed in accordance with the law;

third party — any person, other than the data subject, the owner or controller of the database of personal data and the authorized state body on personal data protection, to which the owner or controller of database of personal data transfers personal data in accordance with the law;

special categories of data — personal data on racial or ethnic origin, political, religious or ideological convictions, membership in political parties and trade unions as well as data concerning health or sex life.

1.2. This Regulation shall be binding to the responsible person and company employees who directly process and/or have access to personal data in connection with performance of their official duties.

2. The list of databases of personal data.

2.1. VIVAT TRADING LLC is the owner of the following databases of personal data: Database of personal data of counterparties.

3. The purpose of personal data processing.

3.1. The purpose of personal data processing in the system is storage and maintenance of counterparties’ data in accordance with Articles 6, 7 of the Law of Ukraine “On Protection of Personal Data”.

3.2. The purpose of personal data processing is to ensure implementation of the civil-law relations, providing / receiving and making payments for purchased goods / services in accordance with the Tax Code of Ukraine, the Law of Ukraine “On Accounting and Financial Reporting in Ukraine”.

4. The procedure of personal data processing: obtaining consent, notification of rights and actions with personal data of the data subject.

4.1. Data subject’s consent shall be a voluntary expression of will of a natural person to authorize the processing of his/her personal data in accordance with the stated purpose of its processing.

The consent of the data subject may be provided in the following forms:

  • a paper document with particulars allowing to identify this document and the natural person;
  • an electronic document, which shall contain mandatory particulars allowing to identify the document and the natural person. Voluntary expression of a natural person’s will to authorize the processing of his/her personal data should be certified by an electronic signature of the data subject.
  • mark on the electronic page of the document or in the electronic file, processed in the information system on the basis of documented software and hardware solutions.

4.2. The consent of the data subject shall be provided when executing civil-law relations in accordance with the legislation in force.

4.3. Notification of the data subject on the inclusion of his/her personal data in the database of personal data, the rights defined by the Law of Ukraine “On Protection of Personal Data”, the purpose of data collection and the persons, to whom his/her personal data is transferred, is provided when executing the civil-law relationship in accordance with the legislation in force.

4.4. Processing of personal data on racial or ethnic origin, political, religious or ideological convictions, membership in political parties and trade unions as well as data concerning health or sex life (special data categories) is prohibited.

5. The location of database of personal data.

5.1. The databases of personal data specified in Section 2 of this Regulation are located at the company’s address.

6. Terms of disclosure of personal data to third parties.

6.1. The procedure of access to personal data of third parties is determined by the conditions of the consent of the data subject, provided to the owner of the database of personal data for the processing of these data, or as required by law.

6.2. Access to personal data is not granted to a third party, if the specified person refuses to undertake the obligations to ensure the compliance with the requirements of the Law of Ukraine “On Protection of Personal Data” or cannot ensure it.

6.3. The subject of relations related to personal data shall submit a request for access (hereinafter — the request) to personal data to the owner of the database of personal data.

6.4. The request shall specify:

  • last name, first name and patronymic, place of residence (place of stay) and details of the document verifying identity of the natural person submitting the request (for a natural person – applicant);
  • the name, location of the legal entity submitting the request, the position, last name, first name and patronymic of the person certifying the request;
  • confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity – applicant);
  • last name, first name and patronymic, as well as other information allowing to identify the natural person, in respect of whom the request is made;
  • information on database of personal data, in respect of which the request is made, or information on the owner or controller of the database;
  • the list of personal data requested;
  • purpose of the request.

6.5. The period of review of the request for its accommodation shall not exceed ten working days from the date of its receipt.

Within this period, the owner of the database of personal data shall notify the person submitting the request that the request will be accommodated or the relevant personal data may not to be provided, indicating the grounds as defined in the relevant normative legal act.

The request shall be accommodated within thirty calendar days from the date of its receipt, unless otherwise provided by law.

6.6. All employees of the owner of database of personal data are obliged to observe the confidentiality requirements in relation to personal data and information on accounts in securities and turnover of securities.

6.7. Delay of access to personal data of third parties is allowed in case the necessary data cannot be provided within thirty calendar days from the date of receipt of the request.

At that, the total term for resolution of issues raised in the request may not exceed forty-five calendar days.

6.8. The notice of delay shall be brought to the attention of the third party that submitted the request in written form with explanation of the procedure of disputing such decision.

6.9. The notice of delay shall contain:

  • last name, first name and patronymic of the official;
  • date of sending the notice;
  • reason for delay;
  • period of time, during which the request will be accommodated.

6.10. Denial of access to personal data is allowed if access thereto is prohibited by law.

6.11. The notice of denial shall contain:

  • last name, first name, patronymic of the official who denies access;
  • date of sending the notice;
  • reason for denial.

6.12. The decision to delay or deny access to personal data may be disputed in the state authority responsible for personal data protection, other state authorities and local authorities, whose competencies include the protection of personal data, or in court.

7. Protection of personal data:

methods of protection, responsible person, employees who directly perform processing and/or have access to personal data in connection with the performance of their official duties, the period of storage of personal data.

7.1. The owner of the database of personal data is equipped with system, software and hardware tools and means of communication that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information and meet the requirements of international and national standards.

7.2. Responsible person organizes the work related to the protection of personal data during their processing in accordance with the law.

The responsible person shall be determined by the order of the Owner of the database of personal data.

The responsibilities of the responsible person with regards to organizing the work related to personal data protection during their processing shall be specified in the job description.

7.3. The responsible person shall:

  • know the legislation of Ukraine in the field of protection of personal data;
  • develop procedures for access to personal data of employees in accordance with their professional or official or work-related duties;
  • ensure compliance by employees of the Owner of database of personal data with the requirements of Ukrainian legislation in the field of personal data protection and internal documents that regulate activities of the Owner of database of personal data on processing and protection of personal data in databases;
  • develop a procedure of internal control over compliance with the requirements of legislation of Ukraine in the sphere of protection of personal data and internal documents that regulate the activities of the Owner of database of personal data on processing and protection of personal data in databases, which, in particular, shall contain provisions on the frequency of such control;
  • notify the Owner of database of personal data about facts of violation by employees of requirements of legislation of Ukraine in the sphere of protection of personal data and internal documents that regulate the activities of the Owner of database of personal data on processing and protection of personal data in databases within one working day from the moment such violations were discovered;
  • ensure storage of documents, confirming the data subject’s consent to the processing of his/her personal data and notification of the said subject of his/her rights.

7.4. In order to fulfill the duties, the responsible person shall have the right to:

  • obtain the necessary documents, including orders and other administrative documents issued by the Owner of personal data, related to the processing of personal data;
  • make copies of received documents, including copies of files, any records stored in local computer networks and autonomous computer systems;
  • participate in discussions of their responsibilities in the organization of work related to the protection of personal data during their processing;
  • submit proposals for improvement of activities and methods of work, submit comments and options to address the identified shortcomings in the process of personal data processing;
  • obtain explanations on the issues of personal data processing;
  • sign and visa documents within their competence.

7.5. Employees, who directly perform processing and/or have access to personal data in connection with performance of their official (work-related) duties shall comply with the requirements of the legislation of Ukraine in the sphere of personal data protection and internal documents on processing and protection of personal data in databases.

7.6. Employees, who have access to personal data, including, carry out their processing, are obliged to prevent disclosure in any way of personal data, which was entrusted to them, or which became known in connection with performance of professional or official or work-related duties.

Such an obligation is in force after the termination of their activity related to personal data, except for the cases provided by law.

7.7. Individuals, who have access to personal data, including carry out their processing, in case of violation of the requirements of the Law of Ukraine “On Protection of Personal Data” bear responsibility under the Law of Ukraine.

7.8. Personal data shall not be stored longer than necessary for the purpose, for which such data are stored, but in any case not longer than the period of data storage specified in the consent of the data subject on the processing of this data.

8. The rights of the data subject.

8.1. The data subject has the rights to:

  • know about the location of the database of personal data containing his/her personal data, its purpose and name, location and/or place of residence (place of stay) of the owner or controller of this database or to give a corresponding order to obtain this information to persons authorized by him/her, except in cases established by law;
  • obtain information on conditions of access to personal data, including information about third parties, to which his/her personal data contained in the relevant database are transferred;
  • have access to his/her personal data contained in the relevant database;
  • receive no later than thirty calendar days from the date of receipt of the request, except in cases prescribed by law, answer on whether his/her personal data is stored in the relevant database, as well as receive the content of his/her personal data that are stored;
  • submit a reasonable demand with objections against processing of his/her personal data by state authorities, local authorities in the exercise of powers prescribed by law;
  • submit a reasonable demand for modification or destruction of his/her personal data by any owner and controller of this database, if these data are processed illegally or are unreliable;
  • protect his/her personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision, as well as protection from the provision of information that is inaccurate or defame the honor, dignity and business reputation of a natural person;
  • seek protection of rights with regards to his/her personal data with the state authorities, local authorities, the competence of which include protection of personal data;
  • apply legal remedies in case of infringement of law on protection of personal data.

9. Procedure for handling requests from data subjects.

9.1. Data subjects have the right to obtain any information about themselves from any subject of personal data relations, without specifying the purpose of the request, except in cases prescribed by law.

9.2. The data subject’s access to his/her personal data shall be free of charge.

9.3. The data subject shall submit a request for access (hereinafter — the request) to personal data to the owner of the database of personal data.

The request shall specify:

  • last name, first name and patronymic, place of residence (place of stay) and details of the document verifying identity of the data subject;
  • other information enabling to identify the data subject’s identity;
  • information on database of personal data, in respect of which the request is made, or information on the owner or controller of the database;
  • the list of personal data requested.

9.4. The period of review of the request for its accommodation shall not exceed ten working days from the date of its receipt.

9.5. Within this period, the owner of the database of personal data shall notify the data subject that the request will be accommodated or the relevant personal data may not to be provided, indicating the grounds as defined in the relevant normative legal act.

9.6. The request shall be accommodated within thirty calendar days from the date of its receipt, unless otherwise provided by law.

10. State registration of the database of personal data.

10.1. State registration of databases of personal data shall be performed in accordance with Article 9 of the Law of Ukraine “On Protection of Personal Data”.

Share: