Policy on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller

Contents

1. General Definitions and Scope of Application
2. List of Personal Data Databases
3. Purpose of Personal Data Processing
4. Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions Regarding the Data Subject’s Personal Data
5. Location of the Personal Data Database
6. Conditions for Disclosing Personal Data to Third Parties
7. Protection of personal data: protection methods, responsible person, employees directly involved in processing and/or having access to personal data in connection with the performance of their official duties, retention period for personal data
8. Rights of the data subject
9. Procedure for handling requests from the data subject
10. State registration of the personal data database

1. General Concepts and Scope of Application
1.1. Definitions:

personal data file — a named collection of organized personal data in electronic form and/or in the form of personal data records;
data protection officer — a designated individual who organizes activities related to the protection of personal data during its processing, in accordance with the law;
owner of a personal data database — a natural or legal person who, by law or with the consent of the data subject, has been granted the right to process such data, who determines the purpose of processing personal data in this database, establishes the composition of such data and the procedures for its processing, unless otherwise specified by law;

The State Register of Personal Data Bases is a unified state information system for the collection, accumulation, and processing of information on registered personal data bases;
publicly available sources of personal data — directories, address books, registries, lists, catalogs, and other organized collections of publicly available information containing personal data that have been posted and published with the knowledge of the data subject. Social networks and internet resources on which the data subject posts their personal data are not considered publicly available sources of personal data (except in cases where the data subject explicitly states that the personal data is posted for the purpose of its free dissemination and use);

Publicly available sources of personal data include directories, address books, registries, lists, catalogs, and other organized compilations of publicly available information containing personal data that have been posted or published with the knowledge of the data subject. Social networks and internet resources on which the data subject posts their personal data are not considered publicly available sources of personal data (except in cases where the data subject explicitly states that the personal data is posted for the purpose of its free dissemination and use);
consent of the data subject — any documented, voluntary expression of will by a natural person granting permission to process their personal data in accordance with the stated purpose of such processing;
de-identification of personal data — the removal of information that allows for the identification of an individual;
processing of personal data — any action or set of actions carried out wholly or partly in an information (automated) system and/or in personal data files, related to the collection, recording, accumulation, storage, adaptation, alteration, updating, use, and dissemination (distribution, sale, transfer), de-identification, or destruction of information about a natural person;

personal data — information or a set of information about a natural person who is identified or can be specifically identified;
personal data controller — a natural or legal person who has been granted the right to process such data by the owner of the personal data database or by law. A person who has been entrusted by the owner and/or controller of the personal data database to perform technical tasks related to the personal data database without access to the content of the personal data is not considered a personal data controller;

data subject — a natural person whose personal data is processed in accordance with the law;
third party — any person, other than the data subject, the owner or controller of a personal data database, and the authorized state body for personal data protection, to whom the owner or controller of a personal data database transfers personal data in accordance with the law;
special categories of data — personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sex life.
1.2. These Regulations are binding on the responsible person and the seller’s employees who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of Personal Data Databases
2.1. The Seller is the owner of the following personal data databases:

• Database of counterparties’ personal data.

3. Purpose of personal data processing
3.1. The purpose of processing personal data in the system is to ensure the implementation of civil law relationships, as well as the provision, receipt, and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for processing personal data: obtaining consent, notification of rights, and actions regarding the personal data of the data subject
4.1. The consent of the data subject must be a voluntary expression of will by the individual regarding the granting of permission to process their personal data in accordance with the stated purpose of such processing.

4.2. The consent of the data subject may be provided in the following forms:
• a paper document containing details that allow for the identification of both the document and the individual;
• an electronic document that must contain the required details allowing for the identification of both the document and the individual. It is advisable to certify the natural person’s voluntary expression of will regarding the granting of permission to process their personal data with the data subject’s electronic signature;
• a mark on the electronic page of the document or in an electronic file processed in an information system based on documented software and technical solutions.
4.3. The consent of the data subject is provided when entering into civil law relationships in accordance with applicable law.
4.4. Notification of the data subject regarding the inclusion of their personal data in the personal data database, the rights defined by the Law of Ukraine “On the Protection of Personal Data,” the purposes of data collection, and the parties to whom their personal data is transferred is provided upon the establishment of civil-law relations in accordance with applicable law.
4.5. The processing of personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sex life (special categories of data), is prohibited.

5. Location of the Personal Data Database
5.1. The personal data databases specified in Section 2 of these Regulations are located at the Seller’s address.
6. Conditions for disclosing personal data to third parties
6.1. The procedure for third parties to access personal data is determined by the terms of the data subject’s consent provided to the data controller for the processing of such data, or in accordance with the requirements of the law.
6.2. Access to personal data shall not be granted to a third party if such party refuses to assume obligations to ensure compliance with the requirements of the Law of Ukraine “On the Protection of Personal Data” or is unable to ensure such compliance.
6.3. The data subject submits a request for access (hereinafter referred to as the “request”) to personal data to the data controller.
6.4. The request must include:

• the last name, first name, and patronymic; place of residence (place of stay); and details of the identification document of the individual submitting the request (for an individual applicant);
• the name and location of the legal entity submitting the request, the position, last name, first name, and patronymic of the person certifying the request; confirmation that the content of the request falls within the legal entity’s authority (for a legal entity—the applicant);
• last name, first name, and patronymic, as well as other information allowing for the identification of the individual regarding whom the request is being submitted;
• information about the personal data database regarding which the request is being submitted, or information about the owner or controller of that personal data database;
• a list of the personal data being requested;
• the purpose and/or legal grounds for the request.

6.5. The period for reviewing a request to determine whether it should be granted may not exceed ten business days from the date of its receipt. Within this period, the owner of the personal data database shall notify the person submitting the request that the request will be granted or that the relevant personal data cannot be provided, specifying the grounds set forth in the applicable regulatory act. The request shall be granted within thirty calendar days from the date of its receipt, unless otherwise provided by law.
6.6. A delay in providing access to third-party personal data is permitted if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. In this case, the total time for resolving the issues raised in the request may not exceed forty-five calendar days.
6.7. The third party who submitted the request shall be notified of the deferral in writing, along with an explanation of the procedure for appealing such a decision.
6.8. The notice of postponement shall specify:
• the surname, first name, and patronymic of the official;
• the date the notice was sent;
• the reason for the postponement;
• the timeframe within which the request will be fulfilled.
6.9. Denial of access to personal data is permitted if access to such data is prohibited by law.

6.10. The notice of denial shall specify:
• the last name, first name, and patronymic of the official denying access;
• the date the notice was sent;
• the reason for the denial.
6.11. A decision to defer or deny access to personal data may be appealed in court.

7. Protection of personal data: protection measures, the responsible person, employees who directly process and/or have access to personal data in connection with the performance of their official duties, and the retention period for personal data
7.1. The owner of the personal data database is equipped with system and software-technical tools, as well as communication tools, that prevent the loss, theft, unauthorized destruction, distortion, falsification, or copying of information and comply with the requirements of international and national standards.

7.2. The designated officer organizes activities related to the protection of personal data during its processing in accordance with the law. The designated officer is appointed by order of the owner of the personal data database.
The designated officer’s responsibilities for organizing activities related to the protection of personal data during its processing are specified in the job description.
The responsibilities of the person in charge regarding the organization of work related to the protection of personal data during its processing are specified in the job description.
7.3. The person in charge is required to:
• be familiar with Ukrainian legislation regarding the protection of personal data;
• develop procedures for accessing employees’ personal data in accordance with their professional, official, or employment duties;
• ensure that the employees of the Personal Data Controller comply with the requirements of Ukrainian legislation regarding personal data protection and with internal documents governing the activities of the Personal Data Controller regarding the processing and protection of personal data in personal data databases;

• develop a procedure for internal monitoring of compliance with Ukrainian legislation on personal data protection and internal documents governing the activities of the personal data controller regarding the processing and protection of personal data in personal data databases, which, in particular, must include provisions regarding the frequency of such monitoring;
• Notify the owner of the personal data database of any violations by employees of the requirements of Ukrainian legislation regarding personal data protection and internal documents governing the activities of the owner of the personal data database concerning the processing and protection of personal data in personal data databases, no later than one business day from the time such violations are identified;
• ensure the retention of documents confirming the data subject’s consent to the processing of their personal data and the notification of said data subject regarding their rights.

7.4. In order to perform their duties, the designated person has the right to:
• receive the necessary documents, including orders and other administrative documents issued by the personal data controller and related to the processing of personal data;
• make copies of the documents received, including copies of files and any records stored on local computer networks and standalone computer systems;
• participate in discussions regarding their duties related to organizing work involving the protection of personal data during its processing;
• submit proposals for improving operations and work methods, as well as comments and suggestions for addressing identified shortcomings in the personal data processing process;
• receive clarifications regarding the processing of personal data;
• sign and countersign documents within the scope of their authority.

7.5. Employees who directly process and/or have access to personal data in connection with the performance of their official (employment) duties are required to comply with the requirements of Ukrainian legislation regarding the protection of personal data, as well as with internal documents concerning the processing and protection of personal data in personal data databases.
7.6. Employees who have access to personal data, including those who process it, are required to prevent the disclosure in any manner whatsoever of personal data entrusted to them or that has come to their knowledge in connection with the performance of their professional, official, or employment duties. This obligation remains in effect after they cease activities related to personal data, except in cases provided for by law.
7.7. Persons who have access to personal data, including those who process it, shall be liable in accordance with the laws of Ukraine in the event of a violation of the requirements of the Law of Ukraine “On the Protection of Personal Data.”

7.8. Personal data shall not be stored for longer than is necessary to achieve the purpose for which such data is stored, but in any case not longer than the data retention period specified in the data subject’s consent to the processing of such data.
8. Rights of the Data Subject
8.1. The data subject has the right:
• to know the location of the personal data database containing his or her personal data, its purpose and name, and the location and/or place of residence (stay) of the owner or controller of that database, or to authorize persons designated by him or her to obtain this information, except in cases established by law;
• receive information regarding the conditions for granting access to personal data, in particular information regarding third parties to whom their personal data contained in the relevant personal data database is transferred;

• to access their personal data contained in the relevant personal database;
• to receive, no later than thirty calendar days from the date of receipt of the request, except in cases provided by law, a response as to whether their personal data is stored in the relevant personal database, and to receive the contents of their personal data that is stored;
• to submit a reasoned request objecting to the processing of their personal data by state authorities and local government bodies in the exercise of their powers provided by law;
• to submit a reasoned request for the amendment or destruction of their personal data by any owner or administrator of this database, if such data is processed unlawfully or is inaccurate;
• to protect their personal data from unlawful processing and accidental loss, destruction, or damage due to intentional concealment, failure to submit, or late submission, as well as protection from the provision of information that is inaccurate or discredits the honor, dignity, and business reputation of an individual;
• Contact government authorities and local government bodies responsible for ensuring the protection of personal data regarding the protection of their rights to personal data;
• Use legal remedies in the event of a violation of personal data protection laws.

9. Procedure for Handling Requests from Personal Data Subjects
9.1. A personal data subject has the right to obtain any information about themselves from any party to a relationship involving personal data, without specifying the purpose of the request, except in cases provided by law.
9.2. Access by a personal data subject to their own data is free of charge.
9.3. A personal data subject submits a request for access (hereinafter referred to as the "request") to personal data to the owner of the personal database.

The request shall include:
• the last name, first name, and patronymic, place of residence (place of stay), and details of the identity document of the personal data subject;
• other information that allows for the identification of the personal data subject;
• information about the personal database in relation to which the request is submitted, or information about the owner or administrator of this database;
• a list of the requested personal data.

9.4. The period for reviewing a request for its satisfaction may not exceed ten business days from the date of its receipt. Within this period, the owner of the personal data base notifies the personal data subject that the request will be satisfied or the relevant personal data will not be provided, stating the grounds specified in the relevant regulatory legal act.
9.5. The request will be satisfied within thirty calendar days of its receipt, unless otherwise provided by law.

10. State Registration of Personal Databases
10.1. State registration of personal databases is carried out in accordance with Article 9 of the Law of Ukraine "On the Protection of Personal Data."