Clause on processing and protecting of personal data in the personal databases that the Provider owns

General provisions

Kyiv, June 12th , 2022

Personal database is a sum of arranged personal data in the electronic form and/or in the form of card indexes bearing personal data, endowed with a name;

The person in charge is a specific person who organizes the workflow related to personal data protection at the time of their processing, in compliance with the law;

Personal database owner is a physical or a legal person who is granted the right, by law or by consent of the personal data subject, to process this personal data, and who defines the content of this personal data and the procedures of its processing, unless the law stipulates otherwise;

Publicly available personal data sources are directories, address books, registers, lists, catalogues, other systematized sources of open information that contain personal data, placed and published by consent of the personal data subject. Social media and internet resources where a personal data subject leaves its personal data are not considered as publicly available (except for the case when a personal data subject explicitly stipulates that the personal data are placed with the aim of ensuring their free dissemination and usage);

Consent by the personal data subject is any documented voluntary free will statement made by a physical person whereby he or she grants permission to process his/her personal data in compliance with the formulated purpose of its processing;

Personal data depersonalization is removal of the data that allows for the identification of the person;

General provisions (continuation)

Personal data processing is any action, or a sum of actions committed in full or in part, in an information (automated) system and/or in personal data card indexes that are related to collecting, registering, accumulating, storage, adaptation, alteration, updating, usage and dissemination (sale, transfer), depersonalization, annihilation of the data regarding the physical person;

Personal data are the data, or a sum of data regarding a physical person who is identified, or can be specifically identified;

Personal data base manager — is a physical or a legal entity who is granted the right, by the data base owner or by the law, to conduct works of technical nature, with the personal data base, without having haaccess to the personal data content;

Personal data subject is a physical entity, in regards to whom, his or her personal data are processed in compliance with the law;

Third person is any person, with the exception of the personal data subject, the owner or the manager of the personal data base, and an entitled public body in charge of personal data protection, who is entitled, by the owner or the manager of the data base, to access personal data in accordance with the law;

Special data categories are the personal data regarding racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and professional unions, as well as data regarding health or sexual life.

1. Area of application

1.1. The clause that regards the procedure for personal data processing and storage (to be later referred to as Clause) defines a set of organizational and technical means aimed to provide the defence of personal data of the physical persons who are recipients of the consultation services of the Psychologist (to be later referred as Clients), namely Physical Person Entrepreneur Stanislavska Tatyana Alekseevna (to be referred to as Provider) from illegal processing, including loss, illegal or accidental destruction, as well as illegal access to them.

1.2. The Clause was developed based on the Law of Ukraine “On Personal Data Protection” dated 01.06.2010 №2297-VI and Typical Procedure of Personal Data Protection, validated by the order of the Verkhovna Rada Commissioner on Human Rights on 08.01.2014 №1/02-14.

1.3. The Clause is mandatory for all the persons who have access to personal data and are involved in processing personal data.

1.4. All the terms implied in this Clause are defined in accordance with the Law of kraine “On personal data protection”; moreover, in compliance with the terminology implied by the abovementioned Law, the Provider is considered to be the owner of the personal data.

1.5. Personal data imply all data or a set of data regarding the Clients, by which they can be identified, or can facilitate their specific identification.

1.6. In regards to the access mode, the Clients’ personal data are listed as information with restricted access. The Provider assumes obligations to ensure the protection of the Clients’ personal data.

1.7. Clients’ personal data are processed on electronic carriers, with such
software as Excel, Word and others.

1.8. Personal data processing implies any action or a sum of actions, such as collection, registration, accumulation, storage, adapting, alteration, resuming, usage and dissemination (including sale and transfer), depersonalization, elimination of personal data.

2. Goal, reasons and/or usage of personal data processing

2.1. Clients’ personal data protection usage is conducted with the view to ensuring the implementation of the contractual relations as Provider conducts his/her consulting activity.

2.2. Personal data are processed based on the Clients’ agreements, and other legal
grounds, in strict compliance with the current Ukrainian legislation in the area of personal data protection, and are stored in paper and/or electronic form.

3. Procedure of personal data processing: obtaining agreement, communicating the rights,
and actions with the personal data pertaining to the subject of personal data.

3.1. Procedure of personal data processing: obtaining agreement, communicating the rights,
and actions with the personal data pertaining to the subject of personal data.
a document on a paper carrier bearing the requisites that allow to identify
this document and the physical person;
an electronic document that should contain mandatory requisites allowing
to identify this document and the physical person. It is expedient (and
optional) to secure the free-willed expression of the physical person to
grant permission to process his/her personal data carrying an electronic
signature of the personal data subject.
3.2. The subject of personal data grants his/her permission at the moment of forming
the civil-law relations in accordance with the present legislation.

3.3. In compliance with the defined goal of procession, the legal acts, and the needs
of consultation services, the Provider processes the Client’s personal data:
name, patronymic, surname;
electronic mail address (e-mail);
mobile telephone number;
information about the actions committed on the website
3.4. The Provider can designate one of the Provider’s employees as a Person in
Charge of ensuring the compliance with the Ukrainian legislation regarding personal
data protection and processing, as well as conditions of this Clause.

3.5. The Person in Charge fulfils his/her obligations in compliance with the present
Clause and the norms of Ukraine’s acting legislation in regards to personal data
processing and storage.

4. Location of the personal data base

The personal data bases are located at the Provider’s address.

5. Conditions for disclosing information on personal data to third persons

5.1. The access to personal data for third persons is defined by the conditions set out in the permission to process data, granted to the owner of the personal data, by the personal data subject, or in compliance with the legal requirements. The procedure of the third persons’ access to the personal data, which are owned by the public information manager, is defined by the Law of Ukraine “On access to public information”.

5.2. The access to personal data is not granted to the third person if the aforementioned person refuses to assume obligations to ensure the compliance with the Law of Ukraine “On personal data protection” or is unable to ensure them.

5.3. The subject of the relations tied with personal data, submits a request for access to personal data (to be later referred to as access) to the personal data base owner.

5.4. The request shall contain:
surname, name, patronymic, residence address (location) and requisites of the document that identifies the physical person who is submitting the request (for the physical person who is applicant);
title and location of the legal entity that files the request; job title, surname, name, patronymic of the person who verifies the request; the proof that the content of the request lies within the powers of the legal entity (for the applicant who is a legal person);
surname, name and patronymic, as well as other data that allow to identify the physical person, in whose regard the application is submitted;
data regarding the personal data base, in whose regards the application is submitted; data regarding the owner or the manager of this data base;
list of the requested personal data;
purpose of the request.

5.5. The term for considering this request, with the purpose of satisfying it, shall not exceed ten working days since is receipt. During this time, the owner of the personal data base shall inform the applicant that the request will be satisfied, or that the relevant personal data will not be granted, indicating the grounds for this decision, according to the acting legislation of Ukraine. The request shall be satisfied within 10 calendar days since the day of its receipt, unless the law stipulates otherwise.

5. Conditions for disclosing information on personal data to third persons (continuation)

5.6. All employees of the data base owner are obliged to observe the demands for confidentiality regarding personal data.

5.7. The delayed access to personal data is acceptable in case if the necessary data cannot be granted within ten calendar days since the request receipt. Moreover, the general term for resolving the issues evoked in the request, shall not exceed fourty five calendar days.

5.8. The message about the delay shall be communicated to the third person who filed the request, in writing, exposing the existing procedure to appeal such a decision.

5.9. The delay message shall contain:
surname, name, patronymic of the official;
message date;
reason for delay;
the term, within which the request shall be satisfied.

5.10. Denial for access to personal data is accepted if access is forbidden by law.

5.11. The denial message shall contain the following data:
surname, name, patronymic of the official who denies the access;
message date;
reason for refusal.

5.12. Decision on delay or denial of access to personal data can be appealed in the
relevant public agency in charge of personal data protection, other public authorities
and local governance structures, that are entitled to ensure personal data protection,
or in the court.

6. Personal data protection

The owners and managers of personal data and third persons are obliged to ensure the protection of these data from accidental loss or destruction, from illegal processing, including illegal annihilation or access to personal data according to the legislation of Ukraine.

7. Rights and responsibilities of the clients as personal data subjects

Clients, as personal data subjects, are entitled:to know the sources used for collecting their personal data, their storage location, except for the cases established by the law;
data, including information about third persons to whom their personal data is transferred to;
to have access to their personal data;
receiving, no later than 30 calendar days since receipt of the request;
unless the law stipulates otherwise, the reply about whether their personal data is being processed, as well as receive the content of these personal data;
to present to the Provider a motivated objection against their personal data processing;
to present a motivated demand about the change or destruction of their personal data by the Provider, if this data is processed illegally or is untruthful;
to have their personal data defended against illegal processing and accidental loss, destruction, damage inflicted by premeditated concealing, untimely presenting, as well as security against the presentation of untruthful data, or the information that undermines dignity, honour and business reputation;
to file lawsuits with complaints related to their personal data processing;
to recur to the means of legal defence in the case of law violations, should the law on personal data protection, be violated;
to input restrictions related to the right to process personal data when consent it granted;
to recall permission for personal data processing;
to be aware of the mechanism of automatic personal data processing;
to be defended against the automated decision that can have legal implications.

8. Clients’ personal data collection

8.1. Clients’ personal data procession is part of the process related to processing the
aforementioned personal data, which involves the actions needed to collect and arrange personal data.

8.2. The reasons for processing the personal data pertaining to counteractants are:
ensure services offered by the Provider;
the need to defend the Client’s legal interests, except for the cases when the subject of personal data demands to disengage from his personal data processing (point 6, part 1, article 11 of the Law of Ukraine “On personal data protection”).
8.3. The Clients confirm being introduced to their rights in the area of personal data
protection, by accepting the Contract Offer.

8.4. Once the Contract Offer is accepted by the Clients, their personal data is
introduced to the data base “Clients”.

8.5. In the event that it is discovered that some processed data do not match reality,
this data should be corrected or annihilated.

9. Storage and deletion of Clients’ personal data

9.1. Personal data storage implies the actions necessary to ensure their wholeness, and relevant access regime to be respected.

9.2. Clients’ personal data is processed in the form that allows for the identification of the physical person that they relate to, and are stored during the time that does not exceed what is necessary in regards to their legal purpose and the goal of their processing, unless law in the area of archiving and office work stipulates otherwise.

9.3. Clients personal data is deleted or annihilated according to the procedure established in accordance with the law.

9.4. Personal data is subject to annihilation in the following cases:
end of storage term defined in the consent for processing given by subject of personal data, or in the law;
end of legal relations between the Client and the Provider, unless the law stipulates otherwise;
court decision about withdrawing data about a physical person from the personal data base coming into force;
relevant decree is issued by the Verkhovna Rada Commissioner on human rights, or the officials from the Commissioner’s secretariat that he/she designates.
9.5. The personal data collected with the violations of the Law of Ukraine “On personal data protection” are subject to annihilation, in conformity with the law.

9.6. The selection for eventual deletion of documents containing personal data, whose storage time has expired, shall be conducted by an expert commission whose composition shall be defined by the Provider.

9.7. Personal data shall be deleted using the means that excludes the possibility to restore this personal data in the future.

10. Personal data protection when processing them in an automated system

10.1. The right to access an automated system is granted to the Provider’s employees whose job descriptions involve the functions related to data processing in the automated system, and who sign a written obligation of non-disclosure.

10.2. The automatic system shall mandatorily be equipped with anti-virus protection and means of uninterrupted power supply for the system’s elements.

10.3. The access to Client’s personal data is granted to the third persons, with whom the Client has signed an agreement foreseeing contract obligations toward the Client.

11. Final Clauses

11.1. The Client can receive any clarifications related to their personal data processing by reaching out to the Provider by electronic mail

11.2. This document shall reflect any modifications in the politics of personal data protection and processing practiced by the Provider. Personal data processing and protecting data policy has no time limit and shall be in force until being replaced with a new version that should be published at the Provider’s website 24 hours before coming into force.

11.3. The relevant version of the Policy is publicly available at the Provider’s website at web address: