PROVISIONS ON THE PROCESSING AND PROTECTION OF PERSONAL DATA IN DATABASES OWNED BY THE SELLER

Contents

1. General definitions and scope

2. List of personal data databases

3. Purpose of personal data processing

4. Procedure for processing personal data: obtaining consent, informing subjects, actions with personal data

5. Location of the personal data database

6. Conditions for disclosure of personal data to third parties

7. Protection of personal data: methods, responsible person, employees with access, storage period

8. Rights of the personal data subject

9. Procedure for handling requests from the personal data subject

10. State registration of the personal data database

1. General Definitions and Scope

1.1. Definitions

Personal data database — a named set of structured personal data in electronic form and/or in card files.

Responsible person — a designated individual organizing work related to the protection of personal data during processing, in accordance with the law.

Owner of the personal data database — an individual or legal entity authorized by law or the subject’s consent to process personal data.
The owner determines the purpose, scope, and procedure of data processing unless otherwise established by law.

State Register of Personal Data Databases — a unified state information system for collecting, storing, and processing data on registered personal data databases.

Public sources of personal data — directories, address books, registers, lists, catalogues, and other systematic collections of publicly available information.
Social networks and websites where users enter their personal data are not considered public sources, unless explicitly stated by the data subject.

Consent of the personal data subject — documented, voluntary permission of an individual for processing their personal data according to the defined purpose.

Anonymization — removal of data that allows a person to be identified.

Processing of personal data — any action or set of actions related to the collection, registration, storage, adaptation, modification, use, distribution, anonymization, or destruction of data.

Personal data — information about an identified or identifiable individual.

Data manager — an individual or legal entity authorized by the owner to process personal data. A technical service provider without access to the content of personal data is not considered a data manager.

Personal data subject — an individual whose personal data is processed.

Third party — any person except the data subject, the database owner, the manager, or the authorized supervisory authority.

Special category data — information on racial or ethnic origin, political, religious, or philosophical beliefs, union membership, health, or sexual life.

1.2. Scope

These Provisions are mandatory for the responsible person and employees of the seller who directly process or access personal data while performing their duties.

2. List of Personal Data Databases

2.1. The seller is the owner of the following database:

— Personal data database of counterparties.

3. Purpose of Personal Data Processing

3.1. Personal data is processed to ensure the execution of civil-law relations, provision of services, fulfillment of tax and accounting requirements, and financial transactions in accordance with:

— the Tax Code of Ukraine;
— the Law of Ukraine “On Accounting and Financial Reporting.”

4. Procedure for Processing Personal Data

4.1. Consent

The consent of the personal data subject must be voluntary and aligned with the defined purpose of processing.

4.2. Forms of Consent

Consent may be provided as:

— a physical document containing identifying details of the person and the document;
— an electronic document with identifying attributes;
— an electronic mark (checkbox, confirmation) recorded in the information system via technical solutions.

4.3. Consent is provided during the establishment of civil-law relations in accordance with applicable legislation.

4.4. Notification of inclusion of personal data in the database, rights under the Law of Ukraine “On Personal Data Protection,” purpose of data collection, and recipients is provided during the formation of civil-law relations.

4.5. Processing of special category data (health, religion, ethnicity, political views, sexual life) is prohibited.

5. Location of the Personal Data Database

5.1. The database specified in Section 2 is located at the seller’s registered address.

6. Conditions for Disclosure of Personal Data to Third Parties

6.1. Access for third parties is provided according to:

— the consent of the personal data subject,
or
— requirements of the law.

6.2. Access cannot be granted if the third party:

— refuses to comply with the Law of Ukraine “On Personal Data Protection,” or
— cannot ensure proper protection.

6.3. Third parties submit a request to the database owner.

6.4. A valid request must include:

• full name and address of the applicant;

• passport or identification details (for individuals);

• name and address of the legal entity;

• full name of the person whose data is requested;

• database name or owner information;

• list of requested data;

• purpose or legal basis for the request.

6.5. Examination of the request lasts no more than 10 business days.

The requester is informed whether access will be granted.

If approved, access is provided within 30 calendar days, unless otherwise required by law.

6.6. Postponement of access is allowed if providing the data within 30 days is not possible.

Total period — not more than 45 days.

6.7. Notification of postponement includes:

• name of the responsible person;

• date of notification;

• reason for postponement;

• period in which the request will be fulfilled.

6.8. Refusal is permitted when access is prohibited by law.

6.9. Notification of refusal includes:

• name of the responsible person;

• date of notification;

• reason for refusal.

6.10. Decisions on postponement or refusal may be appealed in court.

7. Protection of Personal Data

7.1. Technical Protection

The database owner uses systemic, software, and communication tools to prevent:

— loss,
— theft,
— unauthorized destruction or modification,
— copying or distortion of information.

Tools comply with national and international standards.

7.2. Responsible Person

The responsible person is appointed by internal order.
Their duties are defined in the job description.

7.3. Responsibilities of the Responsible Person

The responsible person must:

• understand relevant legislation;

• define employee access procedures;

• enforce internal policies and legal compliance;

• develop procedures for internal control;

• report violations within one working day;

• store consent documents and notifications to subjects.

7.4. Rights of the Responsible Person

The responsible person may:

• obtain required documents;

• make copies of documents and files;

• participate in discussions of data protection matters;

• submit proposals for improving processes;

• request explanations from employees;

• sign documents within their competence.

7.5. Employees with Access to Personal Data

Employees who process personal data must:

— follow applicable laws and internal procedures;
— maintain confidentiality and data integrity.

7.6. Confidentiality Obligations

Employees must not disclose personal data in any form.
This obligation continues after employment ends, unless otherwise permitted by law.

7.7. Liability

Any person who violates the Law of Ukraine “On Personal Data Protection”
bears responsibility in accordance with legislation.

7.8. Data Retention Period

Personal data must not be stored longer than necessary for its processing purpose,
and not longer than specified in the subject’s consent.

8. Rights of the Personal Data Subject

8.1. The subject has the right to:

• know the location, purpose, and owner of the database;

• receive information about access conditions and third-party recipients;

• access their own personal data;

• receive a response within 30 days confirming whether their data is stored;

• object to processing by state or local authorities;

• demand correction or deletion of inaccurate or unlawfully processed data;

• protect personal data from illegal use, loss, or distortion;

• contact state authorities responsible for personal data protection;

• use legal remedies in case of violations.

9. Procedure for Handling Requests from the Personal Data Subject

9.1. The subject has the right to request any information about themselves

without stating a purpose, unless otherwise required by law.

9.2. Access to personal data for the subject is free of charge.

9.3. A valid request must include:

• full name and address;

• identification document details;

• database name or owner information;

• list of requested data.

9.4. Examination of the request lasts up to 10 business days.

The subject is informed whether the request will be fulfilled.

9.5. Fulfillment of the request occurs within 30 calendar days,

unless otherwise required by law.

10. State Registration of the Personal Data Database

10.1. State registration is carried out according to Article 9 of the Law of Ukraine

“On Personal Data Protection.”