Nothing found
Brands
Products
Search
виски
lancome
сигареты
шоколад
armani

Regulation on the processing and protection of personal data in personal data database owned by MYDUTYFREE

Contents

  1. General concepts and scope.
  2. List of databases of personal data.
  3. The purpose of processing of personal data.
  4. The procedure for processing of personal data: obtaining consent, notification of rights and actions with personal data of the personal data subject.
  5. Location of the database of personal data.
  6. Terms of disclosure of the information about personal data to the third parties.
  7. Protection of personal data: ways of protection, responsible person, employees, who directly process and/or have access to personal data due to the performance of their official duties, terms of storage of personal data.
  8. Rights of the personal data subject.
  9. Operating procedure with the requests of the personal data subject.
  10. State registration of the database of personal data.
  1. General concepts and scope

    1. Terms and definitions
      database of personal datanamed collection of data in electronic form and/or in form of personal data files;
      responsible personcertain person who organizes the work related to the protection of personal data during their processing, in accordance with the law;
      database controllernatural or legal person, who, by the law or the consent of data subject, was given the right to process these data, who approves the purpose of processing of personal data in this database, sets the data warehouse and procedures of their processing, unless otherwise provided by law;
      state register of databases of personal dataunified state informational system of collection, accumulation and processing of lists of registered personal data;
      public sources of personal datareference books, address books, registers, lists, catalogs and other systematic collections of public information, which contain personal data posted and published with a consent of the personal data subject.
      Social media and internet resources in which the data subject leaves its personal data (except when the data subject explicitly states that personal data are placed for the purpose of their free dissemination and use) are not considered as public sources of personal data.
      consent of the personal data subjectany documented free will of natural person which grants a permission to process his or her personal data, in accordance with the stated purpose of their processing;
      de-identification of personal datawithdrawal of information that makes it possible to identify a person;
      processing of personal dataany action or set of actions performed in whole or in part in an information (automated) system and/or in personal data files, which is associated with the collection, registration, accumulation, preservation, adaptation, modification, updating, use and dissemination (implementation, transfer), de-personalization, destruction of the data about the natural person;
      personal datastatements or a set of statements about an individual (natural person) who is identified or can be specifically identified;
      processor of the databasenatural or legal person to whom, by the controller or the law was given the right to process these data. A person entrusted by the controller and/or processor of the database with work of a technical nature with the database of personal data without access to the content of personal data can not be considered as a processor of the database.
      personal data subjectnatural person with regard to whom personal data is processed, in accordance with the law;
      third partyany person, with the exception of the personal data subject, the controller or processor of the personal data database and authorized state body on the protection of personal data, to whom by the controller or processor personal data is disclosed, in accordance with the law;
      special categories of datapersonal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health or sexual life.
    2. This Regulation is mandatory for use by the responsible person and the employees of the seller, who directly process and/or have access to personal data in connection with the performance of their official duties.
  2. List of databases of personal data

    The seller is the controller of the following personal data databases:
    • Customer personal data database
  3. The purpose of processing of personal data

    The purpose of processing of personal data in the system is storage and maintenance of customer data in accordance with Articles 6, 7 of the Law of Ukraine “On Personal Data Protection”
  4. The procedure for processing of personal data: obtaining consent, notification of rights and actions with personal data of the personal data subject

    • The consent of the personal data subject should be a free will of the natural person to grant permission for the processing of his or hers personal data in accordance with the stated purpose of the processing. The consent of the personal data subject can be provided in the following form:
      • mark on the electronic page of the document or in an electronic file that is processed in the information system on the basis of documented software and technical solutions.
    • Notification of the personal data subject about the inclusion of his or hers personal data in personal data databases, rights defined by the Law of Ukraine "On the protection of personal data", the purpose of collection of personal data and the persons to whom his or hers personal data is disclosed takes place during checkout on the website mydutyfree.net.
    • The processing of personal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to health or sexual life (specific data categories) is prohibited.
  5. Location of the database of personal data

    The personal data databases specified in section 2 of this regulation are located at the address of «Mydutyfree» company.
  6. Terms of disclosure of the information about personal data to the third parties

    1. The procedure for access to personal data by third parties is determined by terms of the consent of the personal data subject provided to the controller of the personal data database for processing this data, or in accordance with the requirements of the law.
    2. Access to personal data is not provided to a third party if the specified person refuses to undertake obligations to fulfill the conditions of the Law of Ukraine “On the protection of personal data” or is unable to provide them.
    3. The subject of relations related to personal data, submits a request for access (hereinafter - the request) to the personal data, to the controller of the personal data database.
    4. The request shall include:
      • last name, first name and patronymic, place of residence (place of stay) and details of the document certifying the individual who makes the request (for the natural person - the applicant);
      • name, location of the legal entity that submits the request, position, last name, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authority of the legal entity (for a legal entity - the applicant);;
      • last name, first name and patronymic as well as other information that makes it possible to identify the natural person in regard to whom the request is being made;
      • information about the database of personal data in regard to which the request is made, or information about the owner or disposer of this database;
      • list of personal data that is requested;
      • purpose of the request.
    5. The term for studying of a request for its satisfaction may not exceed ten working days from the date of its admission.
      During this period, the controller of the personal data database informs the person who submitted the request that the request will be satisfied or the relevant personal data will not be provided, indicating the grounds specified in the relevant legal act.
      The request is satisfied within thirty calendar days from the date of its admission, unless otherwise provided by law.
    6. All employees of the controller of the personal data database are obliged to adhere to the requirements of confidentiality in regard to personal data.
    7. The postponement of access to personal data to third parties is allowed if the necessary data cannot be provided within thirty calendar days from the day the request is received. At the same time, the total time for resolving the issues raised in the request may not exceed forty five calendar days.
    8. The postponement message shall be brought to knowledge of the third party who submitted the request, in writing, explaining the procedure for appealing such a decision.
    9. The postponement report shall include:
      • last name, first name and patronymic of the official;
      • date of sending of the message;
      • reason of postponement;
      • the period during which the request will be satisfied.
    10. Denial of access to personal data is allowed if access to it is prohibited in accordance with the law.
    11. Rejection message shall include:
      • last name, first name and patronymic of the official who denied access;
      • date of sending of the message;
      • reasons of rejection;
    12. The decision on the removal or denial of access to personal data may be appealed to the authorized state body on the protection of personal data, other state authorities and local governments, whose powers include the protection of personal data, or in court.
  7. Protection of personal data: ways of protection, responsible person, employees, who directly process and/or have access to personal data due to the performance of their official duties, terms of storage of personal data

    1. The controller of the personal data database is equipped with system, software and hardware and communication tools that prevent loss, theft, unauthorized destruction, distortion, copying of information and meet the requirements of international and national standards.
    2. The responsible person organizes the work related to the protection of personal data during their processing, in accordance with the law. The responsible person is determined by the decree of the controller of the personal data database.
      The responsibilities of the responsible person in organizing work related to the protection of personal data during their processing are indicated in the job description.
    3. The responsible person must:
      • know the legislation of Ukraine in the field of personal data protection;
      • develop procedures for access to personal data of employees in accordance with their professional, service or work duties;
      • ensure that the employees of the controller of the personal data database comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activity of the controller of the personal data database on the processing and protection of personal data in personal data databases;
      • develop a procedure for internal control of compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the controller of the personal data database for processing and protecting personal data in personal data databases, which, in particular, should contain standards regarding the frequency of such control;
      • inform the controller of the personal data database about the facts of violations by employees of the conditions of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the controller of the personal data database on personal data processing and protection in the personal data databases no later than one working day from the moment such violations were detected;
      • ensure the storage of documents confirming the provision by the personal data subject of consent to the processing of his or hers personal data and notification of the data subject of his rights.
    4. In order to fulfill the duties, the responsible person has the right to:
      • receive necessary documents, including orders and other administrative documents issued by the controller of the personal data database related to the processing of personal data;
      • make copies of received documents, including copies of files, of any records stored in local computer networks and autonomous computer systems;
      • take part in the discussion of his duties in work organization related to the protection of personal data during their processing;
      • submit proposals for improving activities and improving work methods, submit comments and options for eliminating the identified deficiencies in the process of processing personal data;
      • receive explanations in the matters of the processing of personal data;
      • sign and endorse documents within the competence.
    5. Employees who directly process and/or have access to personal data in connection with the performance of their official (job) duties must comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents on the processing and protection of personal data in personal data databases.
    6. Employees who have access to personal data, including their processing, are obliged to prevent disclosure of personal data entrusted to them or which have become known in connection with the performance of professional, official or work duties in any way. Such an obligation is valid after the termination of their activities related to personal data, except cases established by law.
    7. Individuals who have access to personal data, including those who process the data, in case of violation of the conditions of the Law of Ukraine «On Personal Data Protection» bear responsibility according to the law of Ukraine.
    8. Personal data should not be stored longer than necessary for the purpose for which such data is stored, but, in any case, no longer than the data retention period determined by the consent of the personal data subject to the processing of this data.
  8. Rights of the personal data subject

    The personal data subject has the right to:
    • know about the location of the personal data database, which contains his or hers personal data, its purpose and name, location and/or place of residence (stay) of the controller or processor of this database or give the appropriate instruction to receive this information by persons authorized by him, except for cases stipulated by law;
    • access to his or hers personal data contained in the relevant database of personal data;
    • receive an answer about whether his or hers personal data is stored in the relevant personal data database, as well as receive the contents of his or hers personal data that is stored, no later than in thirty calendar days from the date of the request, except for cases stipulated by law;
    • submit a reasoned request with an objection to the processing of personal data by public authorities, local authorities in the implementation of their duties provided by law;
    • make a reasoned request to replace or destroy the personal data by any controller and processor of this database, if this data is processed illegally or is unreliable;
    • protect personal data from illegal processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely providing, as well as to protect from the providing of statements that are unreliable or discredit the honor, dignity and business reputation of a natural person;
    • apply for the protection of his or hers rights about personal data to state authorities, local governments whose authority is to protect personal data;
    • apply legal remedies in case of violation of personal data protection legislation.
  9. Operating procedure with the requests of the personal data subject

    1. The personal data subject has the right to receive any information about himself from any subject of the relationship related to personal data, without specifying the purpose of the request, except for cases stipulated by law.
    2. Access to personal data by the personal data subject is free of charge.
    3. The personal data subject submits a request for access (hereinafter — request) to personal data to the controller of the personal data database.
      The request shall include:
      • last name, first name and patronymic, place of residence (place of stay) and details of the document certifying the identity of the personal data subject;
      • other information that makes it possible to identify the individual of the personal data subject;
      • information about the database of personal data in regard to which the request is made, or information about the owner or disposer of this database;
      • list of requested personal data.
    4. The term for studying of the request for its satisfaction may not exceed ten working days from the receipt date.
    5. During this period, the controller of the personal data database informs the personal data subject that the request will be satisfied or the relevant personal data will not be provided, indicating the basis specified in the relevant legal act.
    6. The request is satisfied within thirty calendar days from the reception date, except for cases stipulated by law.
  10. State registration of personal data database

    The state registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection”.
Terms and Conditions of MyDutyFree preorder service
Restore password
New user? Sign Up