VetMarket Group

Policy on the Processing and Protection of Personal Data

Contents

  1. General Definitions and Scope
  2. List of Personal Data Databases
  3. Purpose of Personal Data Processing
  4. Procedure for Processing Personal Data
  5. Location of Personal Data Databases
  6. Conditions for Disclosure of Personal Data to Third Parties
  7. Personal Data Protection
  8. Rights of the Data Subject
  9. Procedure for Handling Data Subject Requests
  10. State Registration of Personal Data Databases

General Definitions and Scope

1.1. Definitions:

  • Personal Data Database — a named set of structured personal data in electronic form and/or in filing systems;
  • Responsible Person — a designated individual who organizes activities related to the protection of personal data during its processing, in accordance with the law;
  • Data Controller — an individual or legal entity authorized by law or by the data subject to process personal data, determine the purpose of processing, the composition of the data, and processing procedures, unless otherwise provided by law;
  • State Register of Personal Data Databases — a unified state information system for collecting, storing, and processing information on registered personal data databases;
  • Public Sources of Personal Data — directories, address books, registers, lists, catalogues, and other structured collections of publicly available information containing personal data published with the knowledge of the data subject. Social networks and internet resources where personal data is posted are not considered public sources unless the data subject explicitly states that such data is made available for free distribution and use;
  • Consent of the Data Subject — any documented, voluntary expression of will by an individual granting permission for the processing of their personal data in accordance with the stated purpose;
  • Anonymization of Personal Data — removal of information that allows identification of an individual;
  • Processing of Personal Data — any action or set of actions performed wholly or partially in an information (automated) system and/or in personal data filing systems, including collection, registration, accumulation, storage, adaptation, modification, updating, use, dissemination (distribution, sale, transfer), anonymization, and destruction of personal data;
  • Personal Data — any information or set of information relating to an identified or identifiable individual;
  • Data Processor — an individual or legal entity authorized by the controller or by law to process personal data. A person performing purely technical operations without access to the content of personal data is not considered a data processor;
  • Data Subject — an individual whose personal data is processed;
  • Third Party — any entity other than the data subject, controller, processor, or authorized state body for personal data protection, to whom personal data may be transferred in accordance with the law;
  • Special Categories of Data — personal data concerning racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties or trade unions, as well as data relating to health or sex life.

1.2. Scope
This Policy is mandatory for the responsible person and employees who directly process and/or have access to personal data in connection with their official duties.

List of Personal Data Databases

2.1. The Company (Seller) is the owner of the following personal data database:

  • Counterparties (clients and partners)

Purpose of Personal Data Processing

3.1. The purpose of personal data processing is to store and maintain counterparty data in accordance with Articles 6 and 7 of the Law of Ukraine “On Personal Data Protection,” as well as to ensure civil-law relations, provision and receipt of goods and services, and financial settlements in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”

Procedure for Processing Personal Data

4.1. Consent
Consent must be a voluntary expression of will and may be provided in the following forms:

  • a written document containing details that allow identification of the document and the individual;
  • an electronic document containing mandatory details enabling identification of the document and the individual, preferably certified by an electronic signature;
  • a mark on an electronic page or file processed within an information system based on documented technical solutions.

4.2. Consent is obtained during the establishment of civil-law relations in accordance with applicable legislation.

4.3. The data subject is informed about the inclusion of their personal data in the database, their rights, the purpose of data collection, and recipients of the data during the establishment of civil-law relations.

4.4. Processing of special categories of personal data is prohibited.

Location of Personal Data Databases

5.1. The personal data databases specified in Section 2 are located at the Seller’s address.

Conditions for Disclosure of Personal Data to Third Parties

6.1. Access to personal data by third parties is determined by the consent of the data subject or by law.
6.2. Access is not granted if the third party refuses or is unable to ensure compliance with data protection legislation.
6.3. Requests for access to personal data must be submitted to the data controller.
6.4. Requests must include identification details, information about the requested data, and the purpose of the request.
6.5. Requests are reviewed within 10 business days from the date of receipt.
6.6. Within this period, the controller informs the applicant whether the request will be satisfied or denied, indicating the legal grounds.
6.7. Requests are fulfilled within 30 calendar days unless otherwise provided by law.
6.8. All employees must comply with confidentiality requirements regarding personal data.
6.9. Access may be postponed if the data cannot be provided within 30 calendar days; however, the total period shall not exceed 45 calendar days.
6.10. Notification of postponement is provided in writing with an explanation of appeal procedures.
6.11. The notification shall include the name of the responsible official, the date of notification, the reason for postponement, and the expected timeframe.
6.12. Refusal of access is permitted if access to the personal data is prohibited by law.
6.13. Notification of refusal shall include the name of the responsible official, the date, and the reason for refusal.
6.14. Decisions on postponement or refusal may be appealed to the authorized state body, other public authorities, or the court.

Personal Data Protection

7.1. The Company implements technical and organizational measures to prevent loss, theft, unauthorized destruction, distortion, falsification, or copying of information, in compliance with national and international standards.
7.2. A Responsible Person is appointed to organize data protection processes.
7.3. The duties of the Responsible Person are defined in their job description.
7.4. The Responsible Person is obliged to ensure compliance with legislation, develop procedures, monitor adherence, and report violations.
7.5. The Responsible Person has the right to access documents, make copies, participate in discussions, propose improvements, obtain explanations, and sign documents within their authority.
7.6. Employees processing or accessing personal data must comply with applicable laws and internal policies.
7.7. Employees must not disclose personal data obtained in the course of their duties; this obligation remains valid after termination of employment, except as provided by law.
7.8. Violations of personal data protection legislation entail liability under Ukrainian law.
7.9. Personal data shall not be stored longer than necessary for its intended purpose and in any case not longer than permitted by the data subject’s consent.

Rights of the Data Subject

8.1. The data subject has the right to:

  • know the location, purpose, and name of the personal data database and the controller or processor;
  • receive information about conditions of access to personal data and third parties to whom it is disclosed;
  • access their personal data;
  • receive confirmation within 30 calendar days whether their data is processed and obtain its content;
  • object to the processing of their personal data;
  • request correction or deletion of inaccurate or unlawfully processed data;
  • protect their personal data from unlawful processing, loss, or damage;
  • apply to public authorities or courts for protection of their rights;
  • use legal remedies in case of violations.

Procedure for Handling Data Subject Requests

9.1. The data subject may request information about their personal data without stating a purpose, except where otherwise required by law.
9.2. Access is provided free of charge.
9.3. Requests are submitted to the data controller.
9.4. Requests must include identification details and information necessary to identify the data subject and the requested data.
9.5. Requests are reviewed within 10 business days.
9.6. The data subject is informed whether the request will be satisfied or denied.
9.7. Requests are fulfilled within 30 calendar days unless otherwise provided by law.

State Registration of Personal Data Databases

10.1. Personal data databases are registered in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection.”
