REGULATIONS ON THE PROCEDURE OF PERSONAL DATA PROCESSING AND TRANSFER OF INFORMATIONLLC "GRUPIUS"
CONTENT
1.1. General requirements and scope
1.2. Definition of terms
1.3. Personal data base, the owner and administrator of which is the Company
1.4. Purpose of personal data processing
1.5. Composition of personal data processed by the Company
1.6. Notification of the rights of personal data subjects
2. Processing of personal data
2.1. Grounds for processing personal data
3. Procedure for access to personal data
3.1. Access by personal data subjects
3.2. Access by third parties
4. Protection of personal data
5. Protection of personal data in the field of e-commerce
6. Liability for violation of the procedure for processing personal data
7. State registration of personal data bases
1. General Provisions
1.1. General Requirements and Scope of Application.
These Regulations on the Procedure for Processing Personal Data and Transferring Information (hereinafter referred to as the "Regulations") are a public announcement from LLC "GRUPIUS" (hereinafter referred to as the "Company") addressed to an unspecified circle of personal data subjects who in one way or another enter into relations with the Company. These Regulations have been developed in accordance with the Law of Ukraine (as amended and supplemented) "On Personal Data Protection" dated 01.06.2010 No. 2297-VI (hereinafter referred to as the "Law"), the Standard Procedure for Processing Personal Data, approved by the Order of the Verkhovna Rada Commissioner for Human Rights dated 08.01.2014 No. 1/02-14, as well as other regulatory legal acts regulating relations in the field of personal data protection.
By announcing this Regulation, the Company pursues the goal, in compliance with the requirements of the legislation in the field of information in general and the Law in particular, to regulate relations with personal data subjects. The Company also reserves the right to interpret the absence of officially expressed objections to the subject and content of the Regulation by the personal data subjects as confirmation that they have read it, understand it and accept the procedure for processing their personal data by the Company announced in it. The Regulation defines the main concepts related to personal data, contains the purpose of personal data processing, the rights of personal data subjects, the procedure for personal data protection, and other requirements of the legislation of Ukraine on personal data protection.
1.2. Definition of terms
In this Regulation, the following terms are used in the following meaning:
personal database - a named set of organized personal data in electronic form and/or in the form of personal data files;
the company - the owner of personal data - LLC "GRUPIUS", which by law or with the consent of the personal data subject is granted the right to process these data, which approves the purpose of processing personal data, establishes the composition of these data and the procedure for their processing. Company details: Limited Liability Company "GRUPIUS", Ukraine, 08205, Kyiv region, Buchansky district, Irpin city, Universytetskaya street, building 2/1, office 56/1, EDRPOU 44822976;
consent - a voluntary expression of the will of the personal data subject regarding the provision of permission to process his personal data. The subject's consent to the processing of his personal data must be voluntary, expressed in writing or provided in electronic form on the sites grupius.com, zoostrichi.org or other related Internet resources by clicking on the "Register", "Join", "Place an order", "Purchase" and similar buttons;
client - a personal data subject who acts in relations with the Company;
processing of personal data - any action or set of actions, such as collection, registration, accumulation, storage, adaptation, modification, updating, use and distribution (distribution, sale, transfer), depersonalization, destruction of personal data, including using information (automated) systems;
personal data - information or a set of information about an individual who is identified or can be specifically identified;
personal data processing period – the period during which the Company processes the personal data of the personal data subject, which is calculated from the moment the Company receives personal data and consent to the processing of personal data and does not exceed the period necessary to achieve the purpose of processing and the period specified by the legislation of Ukraine in the field of archival affairs and office management.
personal data subject – an individual whose personal data are processed;
third party – any person, except for the personal data subject, the Company or the Commissioner of the Verkhovna Rada of Ukraine for Human Rights, to whom personal data is transferred.
authorized representative of the state authority on personal data protection issues – the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (hereinafter referred to as the "Authorized Person").
1.3. Personal data base owned by the Company
The Company is the owner of the personal data base of clients of LLC "GRUPIUS". The Company processes personal data of subjects who independently contact the Company and provide it with their personal data. Such subjects of personal data have consented to the processing of their personal data and entry into the database for the time necessary for this and in accordance with the purpose specified in these Regulations.
1.4. Purpose of personal data processing
The purpose of personal data processing is to store and service clients in accordance with Articles 6, 7 of the Law of Ukraine "On Personal Data Protection" and ensure the implementation of civil legal relations, provision/receipt and payment for purchased goods/services in accordance with the Civil Code of Ukraine, the Commercial Code of Ukraine, the Tax Code of Ukraine, the Law of Ukraine "On Accounting and Financial Reporting in Ukraine" and other provisions of the current legislation of Ukraine.
1.5. Composition of personal data processed by the Company
In the personal data databases, the following information is processed:● last name, first name and patronymic (if available) of the subject;● passport data;● sample of personal signature;● age;● gender;● place of permanent residence or temporary stay;● place of registration;● registration number of the taxpayer's registration card (if available);● telephone numbers;● bank details;● email address.
1.6. Notification of the rights of personal data subjects
The Company hereby notifies the personal data subjects about the inclusion of their personal data in the Company's personal data databases, as well as about their rights as personal data subjects stipulated in Article 8 of the Law of Ukraine No. 2297-VI dated 01.06.2010 "On Personal Data Protection" (as amended and supplemented), including:
● to know about the sources of collection, the location of their personal data, the purpose of their processing, the location of the owner of personal data or to give the appropriate instruction to obtain this information from persons authorized by them, except for cases established by law;
● to receive information about the conditions for providing access to personal data, in particular information about third parties to whom their personal data is transferred;
● to access their personal data;
● receive no later than thirty calendar days from the date of receipt of the request, except in cases provided for by law, a response on whether their personal data are being processed, as well as the content of such personal data;
● submit a reasoned request to the Company with an objection to the processing of their personal data;
● protection of their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision thereof, as well as protection from the provision of information that is inaccurate or defamatory of the honor, dignity and business reputation of an individual;
● file complaints about the processing of their personal data to the Commissioner;
● apply legal remedies in case of violation of the legislation on personal data protection;
● enter reservations regarding the restriction of the right to process their personal data when providing consent;
● withdraw consent to the processing of personal data;
● to know the mechanism of automated processing of their personal data;
● to be protected against automated decision-making that has legal consequences for them.
2. Processing of personal data
2.1. Grounds for processing personal data
The grounds for processing personal data in databases are the consent of the personal data subject to the processing of his personal data.
The consent of the personal data subject must be a voluntary expression of the will of an individual to grant permission to process his personal data in accordance with the formulated purpose of their processing. The consent of the personal data subject may be provided in the form of a mark on an electronic page of a document or in an electronic file processed in an information system based on documented software and technical solutions.
3. Procedure for access to personal data
All personal data, except for depersonalized personal data owned by the Company, are information with limited access according to the access mode.
3.1. Access of personal data subjects
Access of an individual whose personal data is processed by the Company is provided in accordance with the procedure stipulated by the legislation of Ukraine and the Company's internal documents, based on a written request from an individual - the subject of personal data. The request shall indicate: surname, first name and patronymic, place of residence (place of stay) and details of the document certifying the individual submitting the request. The access of the personal data subject to data about himself is free of charge.
3.2. Access of third parties
These provisions provide for the possibility of access to personal data of third parties based on the consent of the personal data subject provided to the Company for the processing of such personal data, or (in some cases) in accordance with the requirements of the Law.
Access to personal data is not provided to a third party if the specified person refuses to assume obligations to ensure compliance with the requirements of the Law or is unable to provide them. To obtain access to personal data, the subject of relations related to personal data submits a request to the Company, which specifies: surname, first name and patronymic, place of residence (place of stay) and details of the document certifying the individual submitting the request (for an individual - the applicant); name, location of the legal entity submitting the request, position, surname, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the powers of the legal entity (for a legal entity - the applicant); surname, first name and patronymic, as well as other information that allows identifying the individual in respect of whom the request is made; list of personal data requested; purpose and/or legal grounds for the request.
The Company studies the request for its satisfaction within 10 (ten) business days from the date of its receipt. During this period, the Company shall notify the person submitting the request that the request will be granted or that the relevant personal data shall not be provided, indicating the reason.
The request shall be granted within 30 (thirty) calendar days from the date of its receipt, unless otherwise provided by the Law.
Access to personal data of third parties may be postponed if the necessary data cannot be provided by the Company within 30 (thirty) calendar days from the date of receipt of the request. In this case, the total period for resolving the issues raised in the request may not exceed 45 (forty-five) calendar days.
The Company shall indicate in the notification of the postponement:
1) the last name, first name and patronymic of the official;
2) the date of sending the notification;
3) the reason for the postponement;
4) the period within which the request will be satisfied.
Denial of access to personal data is allowed if access to them is prohibited by law. In the refusal notice, the Company indicates: last name, first name, patronymic of the official who denies access; date of sending the notice; reason for the refusal.
4. Protection of personal data
The Company is equipped with system and software and hardware and communication means and takes all necessary measures to ensure the protection of personal data at all stages of their processing, including through organizational and technical measures that prevent loss, theft, unauthorized destruction, illegal processing or access to personal data.
Organizational measures include: determining the procedure for access to personal data of the Company's employees; determining the procedure for keeping records of operations related to the processing of the subject's personal data and access to them; developing an action plan in case of unauthorized access to personal data, damage to technical equipment, and the occurrence of emergencies; regular training of employees who work with personal data.
The Company keeps records of employees who have access to the subjects' personal data. The Company determines the level of access of the said employees to the subjects' personal data. Each of these employees has access only to those personal data (parts thereof) of the subjects that are necessary for him in connection with the performance of his professional, official or labor duties.
Employees who have access to personal data give a written undertaking not to disclose personal data that was entrusted to them or that became known to them in connection with the performance of professional, official or labor duties. This written undertaking determines the level of responsibility of employees who have access to personal data.
Employees who have access to personal data, including processing them, are liable in case of violation of the requirements of the Law in accordance with the legislation of Ukraine.
The company independently determines the procedure for storing information about operations related to the processing of the subject's personal data and access to them.
In the case of processing the personal data of subjects using an automated system, such system automatically records the specified information. This information is stored by the Company for one year from the end of the year in which the specified operations were carried out, unless otherwise provided for by the legislation of Ukraine. In order to ensure the security of personal data processing, the Company also takes special technical protection measures, including to exclude unauthorized access to the personal data being processed and the operation of the technical and software complex through which personal data is processed.
5. Protection of personal data in the field of electronic commerce
The use of personal data in the field of electronic commerce may be carried out if the subject of electronic commerce creates conditions for the protection of such data. Participants in relations in the field of electronic commerce are obliged to ensure the protection of personal data that became known to them from electronic documents (messages) during the performance of electronic transactions, in accordance with the procedure provided for by the Law of Ukraine "On the Protection of Personal Data". It is prohibited to use and request personal data by the parties to an electronic transaction for a purpose other than the performance of an electronic transaction, unless otherwise established by law or by agreement of the parties.
Registration of an individual in the information system of an e-commerce subject means giving consent to the use and processing of his personal data and performing other actions provided for by the Law of Ukraine "On the Protection of Personal Data".
Identification of a person using an electronic signature must be carried out during each entry into the information system of an e-commerce subject.
In order to prevent unauthorized access to a person's account in the information and telecommunications system of an e-commerce entity, an additional unique set of electronic data may be used to identify such a person, which is added (joined) to a special set of electronic data that was entered (created) by such a person during registration.
6. Liability for violation of the procedure for processing personal data
Violation of the legislation on personal data protection and failure to comply with the requirements of these Regulations entails liability established by regulatory legal acts, as well as internal documents of the Company.
7. State registration of personal data bases
State registration of personal data bases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection".