1. BASIC DEFINITIONS
1.2. Personal data (PD) — any data that allows an individual to be identified, including but not limited to the following:
- name (full name);
- identification numbers (series and numbers of any documents);
- location data;
- Internet identifier (e-mail address or other online identifier, including data on visits to Internet resources, etc.);
- individual data, or a combination of such data, specific to an individual's physical, physiological, genetic, mental, economic, cultural or social identity.
1.2. The principles of processing PD are as follows:
- the principle of legality: personal data shall be processed only on legal grounds;
- the principle of compatibility: personal data shall be obtained for specific legitimate purposes and processed in accordance with them;
- the principle of adequacy and non-redundancy: personal data shall be adequate and not excessive for the purposes of processing;
- the principle of accuracy: personal data shall be accurate and precise;
- the principle of storage limitation: personal data shall not be stored longer than is determined by the relevant legal and regulatory framework;
- the principle of respect for the rights of the individual: personal data shall be processed in compliance with the rights of the personal data subject, including the right of access to them.
1.3. Data Protection Officer — an employee of the Company responsible for monitoring compliance with the procedures for processing and protecting personal data. Contact details: firstname.lastname@example.org.
1.4. Responsible person — an employee of the Company who is involved in the processing of PD and/or in supporting matters related to such processing.
1.5. Processing of PD — any action or set of actions, such as collection, registration, accumulation, storage, adaptation, alteration, restoration, use and distribution (granting access to third parties, realization, transfer), depersonalization or destruction of personal data, including by means of information (automated) systems. Processing is carried out in strict conformity with defined procedures, with mandatory observance of:
- defined conditions of their storage;
- restriction of the access regime to them;
- completeness and integrity of personal data.
1.6. Procedure of PD processing — a detailed description of the actions carried out by Responsible persons of the Company when processing PD, which specifies:
- purpose of processing;
- list of Responsible persons;
- procedure for data exchange;
- protection measures;
- storage periods and the procedure for destruction;
- procedure for compliance control.
2. TYPES OF PERSONAL DATA
2.1. Internal PD (IPD) — personal data of the Company's employees, processed in the 'EMPLOYEES' PD database for the purpose of personnel records management and preparation of statistical, managerial and other reporting information on personnel matters. The categories of personal data processed in the 'EMPLOYEES' PD database include:
- passport data (citizenship, surname, name, date and year of birth);
- personal data (sex, place of actual residence, telephone numbers, photo, taxpayer card number);
- education and name of educational institution;
- data confirming the employee's right to benefits established by labor legislation.
Paper copies of primary documents are kept in personnel files of employees.
The IPD is kept by the Company for the duration of the employment relationship between the employee and the Company, as well as for 2 (two) years after its termination. At the end of this period, the said IPD shall be transferred to the archive for permanent storage for a period of 75 years.
By legal status, the Company is the owner and manager (Law 2297) of the 'EMPLOYEES' PD database.
2.2. External PD (EPD) — personal data received from Clients of the Company's services, processed on the basis of and within the framework of the concluded contracts for the provision of the relevant services. The Client of the Company's services shall ensure compliance with the requirements of the legislation on personal data protection prior to the transfer of such data to the Company, and the Company in turn shall ensure such compliance during processing.
EPD are processed according to the Procedure of PD processing, which is an integral part of the agreement on the provision of the corresponding services.
EPD are stored for the periods defined in the Procedure of PD processing, but within the period of validity of the corresponding consent.
In its legal status in relation to the EPD, the Company is the Administrator (Law 2297) and the Processor (GDPR), and the Client is the Owner (Law 2297) and the Controller (GDPR).
3. MEASURES TO PROTECT PERSONAL DATA AGAINST ILLEGAL PROCESSING AND UNAUTHORIZED ACCESS
Personal data in the Company's software and hardware complexes are processed using network protection means against unauthorized access.
Access to the Company's software and hardware complexes is granted in strict accordance with the current access control procedures.
Responsible persons of the Company are permitted to process personal data only after authorization. Access by persons who have not passed identification and/or authentication is blocked. In the information (automated) system where personal data are processed, the following are logged, in particular:
- results of identification and/or authentication of responsible persons;
- actions on personal data processing;
- results of integrity checks of the personal data protection means.
Registration (log) data are protected from modification and destruction. Registration data shall be stored and provided, upon a reasoned request, to the Data Protection Officer for analysis related to personal data. The Company provides anti-virus protection in the information (automated) system.
The level of access to PD processing (making changes, generating reports and analytical information, viewing or other, as necessary) is determined by the position of the responsible person.
Each employee of the Company draws up and personally signs an obligation to preserve information with restricted access.
Properly executed obligations to preserve information with restricted access are kept in the personal files of responsible persons.
Heads of structural divisions exercise constant control over their subordinate employees' observance of the Procedure of PD processing, as well as over the legality of personal data processing and the protection of personal data during processing.
The Company notifies personal data subjects and Controllers of all revealed facts of unauthorized distribution of personal data within a period not exceeding 72 hours.
Personal data collected in violation of the requirements of Law 2297 are subject to deletion or destruction in personal data databases in accordance with the procedure established by law.
4. THE RIGHT OF ACCESS TO PERSONAL DATA OF THIRD PARTIES, NOTIFICATION ABOUT ACTIONS WITH PERSONAL DATA, RESPONSIBILITY FOR VIOLATION OF PERSONAL DATA PROTECTION
4.1. Grounds for processing personal data are:
- consent of the personal data subject to the processing of his or her personal data;
- permission to process personal data granted to the owner of the personal data database in accordance with the law, solely for the exercise of the owner's powers;
- conclusion and execution of a transaction to which the personal data subject is a party, or which is concluded in favor of the personal data subject, or for taking steps at the request of the personal data subject prior to the conclusion of the transaction;
- protection of the vital interests of the personal data subject;
- the need to perform the duties of the personal data holder provided for by Law 2297;
- the need to protect the legitimate interests of the personal data holder or of the third party to whom the personal data are transferred, except where the need to protect the fundamental rights and freedoms of the personal data subject in connection with the processing of his or her data prevails over such interests.
4.2. The procedure for access to personal data by third parties is determined by the conditions of the consent given by the personal data subject to the owner of the personal data for the processing of this data, or in accordance with the requirements of Law 2297. Access to personal data is not granted to a third party if that party refuses to undertake obligations to ensure observance of the requirements of Law 2297 or is unable to ensure them.
4.3. A subject of relations relating to personal data submits a request to the Company for access to personal data. The content of an access request is defined in Article 16 of Law 2297, and the period for examining the request with a view to satisfying it may not exceed ten working days from the date of its receipt by the Company.
Within this period, the Company informs the person who made the request that the request will be granted or that the relevant personal data will not be provided, indicating the grounds defined in the relevant regulation.
The request is satisfied within thirty calendar days from the date of its receipt by the Company, unless otherwise provided by the legislation of Ukraine.
4.4. Notification of denial of access to personal data of third parties is sent by the Company in writing to the third party who submitted the request, with an explanation of the procedure for appealing such a decision in accordance with Article 17 of Law 2297.
A decision to deny or refuse access to personal data may be appealed to the Authorized person or in court.
4.5. The Company, as the owner of the personal data database, shall notify the personal data subject within ten working days, if required by the terms of the consent or unless otherwise provided by the legislation of Ukraine in the field of personal data protection.
4.6. The notifications specified in paragraph 4.5 of this Policy are not made in case of:
- transfer of personal data upon request in the course of performing tasks of operative-investigative or counter-intelligence activities, or counter-terrorism efforts;
- performance by public authorities and local self-government authorities of their powers as provided by law;
- processing of personal data for historical, statistical or scientific purposes.
4.7. The Company also notifies the personal data subject, as well as the subjects of relations related to personal data to whom these data have been communicated, of any change, deletion or destruction of personal data or restriction of access to them, within ten working days. Employees of the Company designated by the relevant order of the Director of the Company are responsible for the timely provision of such notification.
4.8. In case of violation of the requirements of the legislation on personal data protection, Responsible persons may be held administratively liable.
4.9. For violation of privacy, namely illegal collection, storage, use, destruction or distribution of confidential information about a person, or illegal alteration of such information, the guilty Responsible persons may be held criminally liable.
4.10. Control over the observance of the legislation on personal data protection, within the limits of the powers provided by Law 2297, is exercised by the Commissioner and the courts.