PRIVACY POLICY

REGULATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA IN THE PERSONAL DATABASES OF THE ONLINE STORE «gasanova.shop»

 

GENERAL CONCEPTS AND SCOPE

1.1. Definition of terms:

personal database - a named set of ordered personal data in electronic form and/or in the form of personal data files;

responsible person - a certain person who organizes the work related to the protection of personal data during their processing in accordance with the law;

owner of a personal database - an individual or legal entity who is granted the right to process this data by law or with the consent of the personal data subject, approves the purpose of processing personal data in this database, establishes the composition of this data and the procedures for its processing unless otherwise specified by law;

 

The state register of personal databases is a unified state information system for collecting, accumulating and processing information about registered personal databases;

public sources of personal data - directories, address books, registers, lists, directories, other systematic collections of public information containing personal data posted and published with the consent of the subject of personal data.

 

Social networks and Internet resources in which the subject of personal data leaves his personal data are not considered public sources of personal data (except when the subject of personal data expressly indicates that personal data is posted for their free distribution and use);

consent of the subject of personal data - any documented, voluntary expression of the will of an individual to grant permission to process his personal data in accordance with the stated purpose of their processing;

depersonalization of personal data - the seizure of information that allows identifying a person;

personal data processing - any action or set of actions committed in whole or in part in an information (automated) system and/or in personal data file cabinets related to the collection, registration, accumulation, storage, adaptation, change, updating, use and dissemination (implementation, transfer), depersonalization, destruction of information about an individual;

personal data - information or a collection of information about an individual who is identified or can be specifically identified;

personal database manager - a natural or legal person who has been granted the right to process this data by the owner of a personal database or law.

 

A person who is not authorized by the owner and/or manager of a personal database to carry out work of a technical nature with a personal database without access to the content of personal data is not the manager of the personal database;

personal data subject - an individual in respect of whom, in accordance with the law, the processing of his personal data is carried out;

third party - any person, except for the personal data subject, the owner or manager of the personal database and the authorized state body for the protection of personal data, to whom the owner or manager of the personal database transfers personal data in accordance with the law;

special categories of data - personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health or sexual life.

 

1.2. This Regulation is mandatory for application by the responsible person and seller’s employees who directly process and/or have access to personal data in connection with the performance of their official duties.

 

2. THE LIST OF PERSONAL DATABASES

 

2.1. The seller is the owner of the following personal databases:

  • database of personal data of counterparties (customers, customers).

 

3. THE PURPOSE OF THE PROCESSING OF PERSONAL DATA

3.1. The purpose of processing personal data in the system is the storage and maintenance of counterparty data in accordance with Articles 6, 7 of the Law of Ukraine “On the Protection of Personal Data”.

 

3.2. The purpose of processing personal data is to ensure the implementation of civil law relations, the provision/receipt and settlement of purchases of goods/services in accordance with the Tax Code of Ukraine, the Law of Ukraine “On Accounting and Financial Reporting in Ukraine”.

 

4. THE PROCEDURE FOR PROCESSING PERSONAL DATA

4.1. The consent of the subject of personal data should be a voluntary will of the individual to grant permission to process his personal data in accordance with the stated purpose of their processing. The consent of the subject of personal data may be provided in the following forms:

  • a paper document with the details that allows you to identify this document and an individual;

  • an electronic document, which must contain the required details to identify this document and an individual. It is advisable to certify the voluntary will of an individual to provide permission to process his personal data with an electronic signature of the subject of personal data.

  • a mark on the electronic page of a document or in an electronic file processed in an information system based on documented software and hardware solutions.

 

4.2. The consent of the subject of personal data is granted upon registration of civil law relations in accordance with applicable law.

 

4.3. Notification of the subject of personal data on the inclusion of his personal data in the personal database, the rights defined by the Law of Ukraine “On the protection of personal data”, the purpose of collecting data and the persons to whom his personal data is transmitted is carried out during registration of civil law relations in accordance with applicable law.

 

4.4. The processing of personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to health or sexuality (special data categories) is prohibited.

 

5. THE LOCATION OF THE DATABASE OF PERSONAL DATA

 

5.1. The personal databases specified in section 2 of this Regulation are located at the seller's address.

 

6. TERMS OF DISCLOSING INFORMATION ABOUT PERSONAL DATA TO THIRD PARTIES

 

6.1. The procedure for access to personal data by third parties is determined by the conditions for the consent of the subject of personal data provided to the owner of the personal database to process this data, or in accordance with the requirements of the law.

 

6.2. Access to personal data to a third party is not provided if the specified person refuses to assume obligations to ensure compliance with the requirements of the Law of Ukraine “On the protection of personal data” or cannot provide them.

 

6.3. The subject of relations related to personal data submits a request for access (hereinafter - the request) to personal data to the owner of the personal database.

 

6.4. The request shall indicate:

  • last name, first name and patronymic, place of residence (location) and details of the document certifying the individual submitting the request (for the individual applicant);

  • name, location of the legal entity submitting the request, position, last name, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authority of the legal entity (for the legal entity - the applicant);

  • surname, name and patronymic, as well as other information allowing identification of the individual in relation to whom the request is made;

  • information about the database of personal data in relation to which a request is submitted, information about the owner or manager of this database;

  • a list of requested personal data;

  • purpose of the request.

6.5. The term for studying a request for its satisfaction may not exceed ten working days from the date of its receipt.

During this period, the owner of the personal database informs the person submitting the request that the request will be satisfied or the relevant personal data should not be provided, indicating the reason specified in the relevant regulatory act.

The request is satisfied within thirty calendar days from the date of its receipt unless otherwise provided by law.

 

6.6. All employees of the owner of the personal database are required to comply with confidentiality requirements regarding personal data and information on securities accounts and securities turnover.

 

6.7. Deferred access to personal data of third parties is allowed if the necessary data cannot be provided within thirty calendar days from the date of receipt of the request. At the same time, the total time period for resolving issues raised in the request may not exceed forty-five calendar days.

 

6.8. A notice of the postponement is communicated to the third party who submitted the request in writing with an explanation of how to appeal such a decision.

 

6.9. The postponement message indicates:

  • last name, first name and patronymic of an official;

  • date of sending the message;

  • reason for the delay;

  • the period during which the request will be satisfied.

 

6.10. Denial of access to personal data is allowed if access to it is prohibited by law.

 

6.11. The refusal message shall indicate:

  • last name, first name, patronymic of the official who denies access;

  • date of sending the message;

  • rejection reason.

 

6.12. The decision to postpone or deny access to personal data may be appealed to the authorized state body for the protection of personal data, other state authorities and local authorities, the powers of which include the protection of personal data, or in court.

 

7. PROTECTION OF PERSONAL DATA

 

7.1. The owner of the personal database has a system, software and hardware and communications that prevent the loss, theft, unauthorized destruction, distortion, falsification, copying information and meet the requirements of international and national standards.

 

7.2. The responsible person organizes the work related to the protection of personal data during its processing in accordance with the law. The responsible person is determined by order of the owner of the personal database.

The responsibilities of the person in charge of organizing work related to the protection of personal data during their processing are indicated in the job description.

 

7.3. The responsible person must:

  • know the legislation of Ukraine in the field of personal data protection;

  • develop procedures for access to personal data of employees in accordance with their professional or official or labour duties;

  • ensure that employees of the owner of the personal database comply with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents governing the activities of the owner of the personal database in the processing and protection of personal data in personal databases;

  • develop a procedure (procedure) for internal control over compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents governing the activities of the owner of a personal database for processing and protecting personal data in personal databases, which, in particular, should contain norms on the frequency of implementation such control;

  • inform the owner of the personal database of the facts of violations by employees of the requirements of the legislation of Ukraine in the field of personal data protection and internal documents governing the activities of the owner of the personal database of processing and protecting personal data in personal data databases no later than one business day from the date of detection of such violations;

  • ensure the storage of documents confirming the provision by the subject of personal data of consent to the processing of his personal data and the notification of the indicated subject about his rights.

 

7.4. In order to fulfil his duties, the responsible person has the right:

  • receive the necessary documents, including orders and other administrative documents issued by the owner of the personal database related to the processing of personal data;

  • make copies of received documents, including copies of files, any records stored in local area networks and stand-alone computer systems;

  • participate in the discussion of the responsibilities of the organization of work related to the protection of personal data during its processing;

  • submit proposals for improving activities and improving working methods, submit comments and options for eliminating identified shortcomings in the processing of personal data;

  • receive explanations regarding the processing of personal data;

Sign and endorse documents within their competence.

7.5. Workers who directly process and / or have access to personal data in connection with the performance of their official (labour) duties are required to comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents, for the processing and protection of personal data in personal databases.

 

7.6. Employees who have access to personal data, including those who process it, are obliged to prevent disclosure in any way of personal data that they have been entrusted with or that became known in connection with the performance of professional, official or labour duties. Such an obligation shall be valid after they terminate activities related to personal data, except as otherwise provided by law.

 

7.7. Persons who have access to personal data, including those who process it in case they violate the requirements of the Law of Ukraine “On the Protection of Personal Data”, are liable in accordance with the legislation of Ukraine.

 

7.8. Personal data should not be stored longer than necessary for the purpose for which such data is stored but in any case no more than the data storage period specified by the consent of the personal data subject to the processing of this data.

 

8. THE RIGHTS OF THE SUBJECT OF PERSONAL DATA

 

8.1. The subject of personal data has the right:

  • know the location of the personal data database containing his personal data, its purpose and name, location and/or place of residence (stay) of the owner or manager of this database or give an appropriate order to receive this information to authorized persons, except as otherwise provided by law;

  • receive information on the conditions for providing access to personal data, including information on third parties to whom his personal data is transferred, contained in the corresponding personal database;

  • access to their personal data contained in the relevant personal database;

  • receive no later than thirty calendar days from the date of receipt of the request, except as provided by law, an answer about whether his personal data is stored in the appropriate personal database, and also receive the contents of his personal data that are stored;

  • present a reasoned demand with an objection to the processing of your personal data by state authorities, local authorities in the exercise of powers prescribed by law;

  • present a reasoned request to change or destroy your personal data by any owner and manager of this database if this data is processed illegally or is unreliable;

  • to protect their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision thereof, as well as to protect against the provision of information that is unreliable or defaming the honour, dignity and business reputation of an individual;

  • apply for protection of their personal data rights to state authorities, local authorities, the powers of which include the protection of personal data;

  • apply legal remedies in case of violation of the legislation on the protection of personal data.

 

9. THE PROCEDURE FOR WORKING WITH THE REQUESTS OF THE SUBJECT OF PERSONAL DATA

 

9.1. The subject of personal data has the right to receive any information about himself from any subject of relations related to personal data, without specifying the purpose of the request, except in cases established by law.

 

9.2. Access by the subject of personal data to personal data is free.

 

9.3. The personal data subject submits a request for access (hereinafter - the request) to personal data to the owner of the personal database.

The request shall indicate:

  • surname, name and patronymic, place of residence (location) and details of the document proving the identity of the subject of personal data;

  • other information allowing to identify the identity of the subject of personal data;

  • information about the database of personal data in relation to which a request is submitted, information about the owner or manager of this database;

  • a list of requested personal data.

 

9.4. The term for studying a request for its satisfaction may not exceed ten working days from the date of its receipt.

 

9.5. During this period, the owner of the personal database informs the subject of personal data that the request will be satisfied or the corresponding personal data should not be provided, indicating the reason specified in the relevant regulatory act.

 

9.6. The request is satisfied within thirty calendar days from the date of its receipt unless otherwise provided by law.

 

10. STATE REGISTRATION OF A DATABASE OF PERSONAL DATA

 

10.1. State registration of personal databases is carried out in accordance with Article 9 of the Law of Ukraine «On the Protection of Personal Data».

CONTACT US

tel.: +380 73 000 6400

       e-mail: gasanova.showroom@gmail.com