SNOWMARKET
User Agreement of the SNOWMARKET Online Store
User Agreement of the SNOWMARKET Online Store
Regulations on the Processing and Protection of Personal Data
in personal data databases owned by the Seller
Table of Contents
General Terms and Scope of Application
List of Personal Data Databases
Purpose of Personal Data Processing
Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
Location of the Personal Data Database
Conditions for Disclosure of Personal Data to Third Parties
Protection of Personal Data: Methods of Protection, Responsible Person, Employees Directly Processing and/or Having Access to Personal Data in Connection with Their Official Duties, Storage Period of Personal Data
Rights of the Personal Data Subject
Procedure for Handling Requests from the Personal Data Subject
State Registration of Personal Data Databases
1. General Terms and Scope of Application
1.1. Definitions of Terms
Personal Data Database — a named set of organized personal data in electronic form and/or in the form of personal data filing systems;
Responsible Person — a designated person who organizes activities related to the protection of personal data during its processing in accordance with the law;
Owner of the Personal Data Database — an individual or legal entity granted the right by law or by consent of the personal data subject to process such data, who determines the purpose of processing personal data in this database, establishes the composition of such data and the procedures for its processing, unless otherwise provided by law;
State Register of Personal Data Databases — a unified state information system for collecting, accumulating, and processing information on registered personal data databases;
Publicly Available Sources of Personal Data — directories, address books, registers, lists, catalogs, and other systematized collections of open information containing personal data published with the knowledge of the personal data subject. Social networks and internet resources where personal data subjects leave their personal data are not considered publicly available sources of personal data, except where the subject explicitly states that the personal data is published for free distribution and use;
Consent of the Personal Data Subject — any documented voluntary expression of will by an individual granting permission for the processing of their personal data according to the stated purpose of such processing;
Depersonalization of Personal Data — removal of information that allows identification of a person;
Processing of Personal Data — any action or set of actions carried out fully or partially within an information (automated) system and/or personal data filing systems related to collection, registration, accumulation, storage, adaptation, modification, renewal, use and dissemination (distribution, sale, transfer), depersonalization, and destruction of information about an individual;
Personal Data — information or a set of information about an individual who is identified or can be specifically identified;
Manager of the Personal Data Database — an individual or legal entity authorized by the owner of the personal data database or by law to process such data. A person entrusted only with technical work related to the personal data database without access to the content of personal data is not considered a manager of the database;
Personal Data Subject — an individual whose personal data is processed in accordance with the law;
Third Party — any person other than the personal data subject, the owner or manager of the personal data database, or the authorized state body for personal data protection, to whom personal data is transferred by the owner or manager in accordance with the law;
Special Categories of Data — personal data concerning racial or ethnic origin, political, religious, or ideological beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life.
1.2.
These Regulations are mandatory for the responsible person and employees of the Seller who directly process and/or have access to personal data in connection with the performance of their official duties.
2. List of Personal Data Databases
2.1.
The Seller is the owner of the following personal data databases:
database of counterparties’ personal data.
3. Purpose of Personal Data Processing
3.1.
The purpose of processing personal data within the system is to ensure the implementation of civil law relations, provision, receipt, and settlement of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine”.
4. Procedure for Processing Personal Data
4.1.
Consent of the personal data subject must be a voluntary expression of will by an individual granting permission for the processing of their personal data according to the stated purpose of such processing.
4.2.
Consent of the personal data subject may be provided in the following forms:
a paper document containing details allowing identification of the document and the individual;
an electronic document containing mandatory details allowing identification of the document and the individual. The voluntary consent of an individual to the processing of their personal data should preferably be certified by the electronic signature of the personal data subject;
a mark on an electronic page of a document or in an electronic file processed in an information system based on documented software and technical solutions.
4.3.
Consent of the personal data subject is provided during the establishment of civil law relations in accordance with current legislation.
4.4.
Notification of the personal data subject regarding inclusion of their personal data in the personal data database, the rights established by the Law of Ukraine “On Personal Data Protection”, the purpose of data collection, and the persons to whom their personal data is transferred is carried out during the establishment of civil law relations in accordance with current legislation.
4.5.
Processing of personal data concerning racial or ethnic origin, political, religious or ideological beliefs, membership in political parties or trade unions, as well as data concerning health or sexual life (special categories of data), is prohibited.
5. Location of the Personal Data Database
5.1.
The personal data databases specified in Section 2 of these Regulations are located at the Seller’s address.
6. Conditions for Disclosure of Personal Data to Third Parties
6.1.
The procedure for access to personal data by third parties is determined by the conditions of consent granted by the personal data subject to the owner of the personal data database for processing such data, or in accordance with legal requirements.
6.2.
Access to personal data shall not be granted to a third party if such party refuses to undertake obligations ensuring compliance with the requirements of the Law of Ukraine “On Personal Data Protection” or is unable to ensure such compliance.
6.3.
A subject of relations connected with personal data submits a request for access (hereinafter — the “Request”) to personal data to the owner of the personal data database.
6.4.
The Request shall specify:
surname, first name, patronymic, place of residence (place of stay), and details of the identity document of the individual submitting the Request;
name and location of the legal entity submitting the Request, position, surname, first name, and patronymic of the person certifying the Request, and confirmation that the content of the Request corresponds to the authority of the legal entity;
surname, first name, and patronymic, as well as other information allowing identification of the individual in respect of whom the Request is made;
information about the personal data database concerned by the Request, or information about the owner or manager of such database;
list of requested personal data;
purpose and/or legal grounds for the Request.
6.5.
The period for reviewing the Request regarding its satisfaction may not exceed ten business days from the date of receipt. Within this period, the owner of the personal data database shall notify the person submitting the Request whether the Request will be satisfied or whether the relevant personal data is not subject to disclosure, specifying the grounds established by the relevant regulatory legal act. The Request shall be satisfied within thirty calendar days from the date of receipt unless otherwise provided by law.
7. Protection of Personal Data
7.1.
The owner of the personal data database is equipped with system and software-technical means, as well as communication facilities that prevent loss, theft, unauthorized destruction, distortion, forgery, copying of information, and comply with the requirements of international and national standards.
7.2.
The responsible person organizes activities related to the protection of personal data during its processing in accordance with the law. The responsible person is appointed by an order of the Owner of the personal data database.
The duties of the responsible person regarding the organization of activities related to the protection of personal data during processing are specified in the job description.
7.3.
The responsible person is obliged to:
know the legislation of Ukraine in the field of personal data protection;
develop procedures for employees’ access to personal data according to their professional, official, or employment duties;
ensure compliance by employees of the Owner of the personal data database with the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the Owner concerning the processing and protection of personal data in personal data databases;
develop procedures for internal control over compliance with the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the Owner concerning the processing and protection of personal data in personal data databases, including provisions regarding the frequency of such control;
notify the Owner of the personal data database of violations by employees of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the Owner concerning the processing and protection of personal data in personal data databases no later than one business day from the moment such violations are detected;
ensure the storage of documents confirming the consent of the personal data subject to the processing of their personal data and notification of the subject regarding their rights.
7.4.
For the purpose of fulfilling their duties, the responsible person has the right to:
receive necessary documents, including orders and other administrative documents issued by the Owner of the personal data database related to personal data processing;
make copies of received documents, including copies of files and any records stored in local computer networks and standalone computer systems;
participate in discussions regarding the performance of duties related to organizing activities connected with the protection of personal data during processing;
submit proposals for improving activities and methods of work, comments, and options for eliminating identified deficiencies in the process of personal data processing;
receive explanations regarding personal data processing;
sign and approve documents within the limits of their competence.
7.5.
Employees who directly process and/or have access to personal data in connection with the performance of their official (employment) duties are obliged to comply with the legislation of Ukraine in the field of personal data protection and internal documents regarding the processing and protection of personal data in personal data databases.
7.6.
Employees who have access to personal data, including those processing such data, are obliged not to disclose in any manner personal data entrusted to them or which became known to them in connection with the performance of professional, official, or employment duties. Such obligation remains in force after termination of activities related to personal data, except in cases established by law.
7.7.
Persons having access to personal data, including those processing such data, bear responsibility in accordance with the legislation of Ukraine in the event of violation of the requirements of the Law of Ukraine “On Personal Data Protection”.
7.8.
Personal data shall not be stored longer than necessary for the purpose for which such data is stored, but in any case not longer than the storage period determined by the consent of the personal data subject to the processing of such data.
8. Rights of the Personal Data Subject
8.1.
The personal data subject has the right to:
know the location of the personal data database containing their personal data, its purpose and name, the location and/or place of residence (stay) of the owner or manager of the database, or authorize other persons to obtain this information, except in cases established by law;
receive information about the conditions for granting access to personal data, including information about third parties to whom their personal data contained in the relevant personal data database is transferred;
access their personal data contained in the relevant personal data database;
receive, no later than thirty calendar days from the date of receipt of the Request, except in cases provided by law, a response as to whether their personal data is stored in the relevant personal data database, and receive the content of such personal data;
submit a reasoned objection against the processing of their personal data by state authorities or local self-government bodies when exercising powers provided by law;
submit a reasoned request regarding amendment or destruction of their personal data by any owner or manager of the database if such data is processed unlawfully or is inaccurate;
protection of their personal data from unlawful processing and accidental loss, destruction, damage caused by intentional concealment, failure to provide, or untimely provision thereof, as well as protection from providing inaccurate information or information discrediting the honor, dignity, and business reputation of an individual;
apply to state authorities and local self-government bodies responsible for personal data protection regarding the protection of their rights;
use legal remedies in case of violation of personal data protection legislation.
9. Procedure for Handling Requests from the Personal Data Subject
9.1.
The personal data subject has the right to receive any information about themselves from any subject of relations connected with personal data without specifying the purpose of the Request, except in cases established by law.
9.2.
Access of the personal data subject to information about themselves is provided free of charge.
9.3.
The personal data subject submits a request for access (hereinafter — the “Request”) to personal data to the owner of the personal data database.
The Request shall specify:
surname, first name, patronymic, place of residence (place of stay), and details of the identity document of the personal data subject;
other information allowing identification of the personal data subject;
information about the personal data database concerned by the Request, or information about the owner or manager of such database;
list of requested personal data.
9.4.
The period for reviewing the Request regarding its satisfaction may not exceed ten business days from the date of receipt. Within this period, the owner of the personal data database shall notify the personal data subject whether the Request will be satisfied or whether the relevant personal data is not subject to disclosure, specifying the grounds established by the relevant regulatory legal act.
9.5.
The Request shall be satisfied within thirty calendar days from the date of receipt unless otherwise provided by law.
10. State Registration of Personal Data Databases
10.1.
State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection”.