User Agreement
Regulations on the Processing and Protection of Personal Data in Databases Owned by the Seller
Contents
1. General Concepts and Scope of Application
2. List of Personal Data Databases
3. Purpose of Personal Data Processing
4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
5. Location of the Personal Data Database
6. Conditions for Disclosing Personal Data to Third Parties
7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Directly Processing and/or Accessing Personal Data in Connection with Their Official Duties, Data Retention Period
8. Rights of the Personal Data Subject
9. Procedure for Handling Requests from the Personal Data Subject
10. State Registration of the Personal Data Database
1. General Concepts and Scope of Application
1.1. Definitions:
• Personal Data Database – a named collection of structured personal data in electronic form and/or in the form of personal data card files.
• Responsible Person – a designated individual who organizes work related to the protection of personal data during processing, in accordance with the law.
• Owner of the Personal Data Database – a natural or legal person who is granted the right to process personal data by law or with the consent of the data subject, who determines the purpose of processing, the composition of the data, and the processing procedures unless otherwise specified by law.
• State Register of Personal Data Databases – a unified state information system for collecting, accumulating, and processing information about registered personal data databases.
• Public Sources of Personal Data – directories, address books, registers, lists, catalogs, and other systematically compiled collections of open information containing personal data that have been placed and published with the knowledge of the data subject. Social networks and online resources where data subjects leave their personal data are not considered public sources, except in cases where the data subject has explicitly indicated that their personal data is placed for free distribution and use.
• Consent of the Personal Data Subject – any documented, voluntary expression of will by an individual granting permission for the processing of their personal data according to the stated purpose.
• Anonymization of Personal Data – removal of information that enables the identification of an individual.
• Processing of Personal Data – any action or series of actions carried out fully or partially in an information (automated) system and/or in personal data card files, related to the collection, registration, accumulation, storage, adaptation, modification, updating, usage, dissemination (distribution, transmission), anonymization, or destruction of personal data.
• Personal Data – information or a set of information about an individual who is identified or can be specifically identified.
• Processor of the Personal Data Database – a natural or legal person authorized by the owner of the personal data database or by law to process these data. A person tasked with performing technical operations related to the personal data database without access to its content is not considered a processor.
• Personal Data Subject – a natural person whose personal data is processed in accordance with the law.
• Third Party – any person other than the data subject, the owner or processor of the personal data database, and the authorized state body responsible for personal data protection, to whom the personal data is transferred by the owner or processor under the law.
• Special Categories of Data – personal data regarding racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data related to health or sexual life.
1.2. These Regulations are mandatory for implementation by the responsible person and the seller’s employees who directly process and/or have access to personal data in connection with their official duties.
2. List of Personal Data Databases
2.1. The seller is the owner of the following personal data database:
• Personal data database of counterparties.
3. Purpose of Personal Data Processing
3.1. The purpose of personal data processing in the system is to ensure the implementation of civil-law relations, provision, receipt, and execution of payments for purchased goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine “On Accounting and Financial Reporting in Ukraine.”
4. Procedure for Personal Data Processing: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
4.1. The consent of the personal data subject must be a voluntary expression of will by the individual granting permission for the processing of their personal data in accordance with the stated purpose of processing.
4.2. The consent of the personal data subject may be provided in the following forms:
• A paper document with details that allow identifying the document and the individual.
• An electronic document containing the necessary details that allow identifying the document and the individual. The voluntary will of the individual to grant permission for personal data processing should preferably be certified by the subject’s electronic signature.
• A mark on an electronic document page or in an electronic file processed in an information system based on documented software-technical solutions.
4.3. The consent of the personal data subject is granted during the establishment of civil-law relations in accordance with current legislation.
4.4. The personal data subject is notified of the inclusion of their personal data in the database, the rights defined by the Law of Ukraine “On Personal Data Protection,” the purpose of data collection, and the individuals to whom their personal data is transferred at the time of the establishment of civil-law relations in accordance with current legislation.
4.5. The processing of personal data related to racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life (special categories of data), is prohibited.
5. Location of the Personal Data Database
5.1. The personal data databases specified in Section 2 of these Regulations are located at the seller’s address.
6. Conditions for Disclosing Personal Data to Third Parties
6.1. The procedure for granting access to personal data to third parties is determined by the terms of the data subject’s consent, provided to the personal data owner for the processing of such data, or in accordance with legal requirements.
6.2. Access to personal data is not granted to a third party if that party refuses to assume obligations to ensure compliance with the Law of Ukraine “On Personal Data Protection” or is unable to ensure such compliance.
6.3. A subject of legal relations involving personal data submits a request for access (hereinafter referred to as the request) to the personal data owner.
6.4. The request must include:
• The surname, first name, patronymic, place of residence (stay), and details of the identification document of the individual making the request (for individuals).
• The name, location of the legal entity making the request, position, surname, first name, and patronymic of the individual certifying the request, along with confirmation that the request corresponds to the entity’s legal authority (for legal entities).
• The surname, first name, patronymic, and other identifying information about the individual whose data is being requested.
• Information about the personal data database in question or details of its owner or processor.
• A list of the requested personal data.
• The purpose and/or legal basis for the request.
6.5. The request must be reviewed within ten business days from the date of receipt. During this period, the personal data owner informs the requester whether the request will be fulfilled or whether the requested personal data cannot be provided, citing the relevant legal grounds. If approved, the request must be fulfilled within thirty calendar days from the date of receipt unless otherwise specified by law.
6.6. Postponement of access to personal data may be allowed if the requested data cannot be provided within thirty calendar days. In such cases, the total period for responding to the request must not exceed forty-five calendar days.
6.7. A written notification of the postponement must be sent to the third party submitting the request, including instructions on how to appeal the decision.
6.8. The postponement notice must include:
• The surname, first name, and patronymic of the responsible officer.
• The date of the notification.
• The reason for the postponement.
• The deadline by which the request will be fulfilled.
6.9. Access to personal data is denied if such access is prohibited by law.
6.10. The refusal notice must include:
• The surname, first name, and patronymic of the responsible officer denying access.
• The date of the notification.
• The reason for the refusal.
6.11. Decisions regarding the postponement or denial of access to personal data may be appealed in court.
7. Personal Data Protection: Protection Methods, Responsible Person, Employees Handling Personal Data, and Data Retention Period
7.1. The personal data owner is equipped with systemic, software, technical, and communication measures that prevent loss, theft, unauthorized destruction, distortion, forgery, or copying of information, in compliance with international and national standards.
7.2. The responsible person organizes and oversees the protection of personal data during processing, in accordance with the law. This person is appointed by an official order from the personal data owner. The duties of the responsible person in managing personal data protection are specified in their job description.
7.3. The responsible person must:
• Be knowledgeable about Ukrainian legislation on personal data protection.
• Develop procedures for employees’ access to personal data according to their professional or official duties.
• Ensure that employees comply with Ukrainian legislation and internal regulations regarding personal data processing and protection.
• Establish internal control procedures to monitor compliance with legal and internal regulations on personal data protection, including defining the frequency of such controls.
• Inform the personal data owner of any violations by employees regarding personal data protection legislation within one business day of detecting such violations.
• Ensure the storage of documents confirming the data subject’s consent to personal data processing and their notification of their rights.
7.4. The responsible person has the right to:
• Obtain necessary documents, including orders and regulatory documents issued by the personal data owner.
• Make copies of obtained documents, including files and records stored in local computing networks and standalone computer systems.
• Participate in discussions on organizing personal data protection activities.
• Propose improvements to procedures and suggest solutions for addressing deficiencies in personal data processing.
• Request explanations regarding personal data processing.
• Sign and approve documents within their area of responsibility.
7.5. Employees who directly process and/or have access to personal data in connection with their official (employment) duties must strictly comply with Ukrainian legislation on personal data protection and internal regulations governing the processing and protection of personal data.
7.6. Employees with access to personal data, including those processing them, must not disclose in any manner personal data that was entrusted to them or that became known to them in connection with their professional, official, or employment duties. This obligation remains in effect after they cease activities related to personal data unless otherwise required by law.
7.7. Individuals with access to personal data, including those processing them, are legally responsible for violating the Law of Ukraine “On Personal Data Protection” in accordance with Ukrainian law.
7.8. Personal data must not be stored longer than necessary for the purpose for which it was collected, but in any case, no longer than the retention period specified by the data subject’s consent to processing.
8. Rights of the Personal Data Subject
8.1. The personal data subject has the right to:
• Be informed about the location of the personal data database containing their data, its purpose, the name, location, and/or residence (stay) of the database owner or processor, or authorize representatives to receive such information, except as required by law.
• Receive information on the conditions of access to their personal data, including details of third parties to whom their personal data is transferred.
• Access their personal data contained in the relevant database.
• Receive, no later than thirty calendar days from the date of the request (unless otherwise specified by law), a response on whether their personal data is stored in the database and obtain the content of their stored personal data.
• Submit a justified objection to the processing of their personal data by government authorities and local self-government bodies when performing legally prescribed functions.
• Demand changes or deletion of their personal data if the data is processed unlawfully or is inaccurate.
• Protect their personal data from unlawful processing, accidental loss, destruction, damage, concealment, failure to provide, or delayed provision and from false or defamatory information that damages their honor, dignity, or business reputation.
• Seek protection of their personal data rights from government authorities and local self-government bodies responsible for data protection.
• Apply legal remedies in case of a violation of data protection laws.
9. Procedure for Handling Requests from the Personal Data Subject
9.1. The personal data subject has the right to obtain any information about themselves from any subject of personal data relations without specifying the purpose of the request, except as provided by law.
9.2. The personal data subject’s access to their data is free of charge.
9.3. The personal data subject submits a request for access (hereinafter referred to as the request) to the personal data owner.
9.4. The request must be reviewed within ten business days from the date of receipt. The personal data owner must inform the subject whether the request will be fulfilled or denied, providing a legal reason.
9.5. If approved, the request must be fulfilled within thirty calendar days, unless otherwise required by law.
10. State Registration of the Personal Data Database
10.1. The state registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection.”