Contact us
Homepage /

Privacy Policy

Privacy Policy and Terms of Use

1. GENERAL PROVISIONS

1.1. This Personal Data Protection Policy (hereinafter – the Policy) defines the procedure for processing and protecting personal data in Limited Liability Company “SYLA MISTSYA”, a legal entity established and operating in accordance with the legislation of Ukraine, EDRPOU code – 45907018 (hereinafter – the Company), and sets out the procedure aimed at preventing and detecting any violations of applicable personal data laws.

1.2. This Policy has been developed in accordance with the legislation of Ukraine and the European Union, namely the following documents:

– General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council of the European Union on 27 April 2016;

– Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, Strasbourg, 28 January 1981), ratified by Ukraine on 06 July 2010;

– Law of Ukraine “On Personal Data Protection” No. 2297-17 of 01 June 2010.

1.3. The requirements and rules set out in this Policy are mandatory for all employees of the Company.

1.4. The purpose of the Policy is:

  • to define the procedure and conditions for the processing of personal data, in particular the procedures aimed at preventing violations of laws, and the procedures for internal control in accordance with applicable personal data legislation;

  • to familiarise the Company’s employees responsible for the processing of personal data with this Policy and the Company’s requirements for the processing of personal data;

  • to establish liability of employees engaged in the processing of personal data for non-compliance with applicable personal data legislation;

  • to ensure the right of personal data subjects to be informed about the methods of processing their personal data by the Company.

1.5. Management and employees must report any possible violations of this Policy. Information about violations must be immediately sent to the following email address: office@powerofplace.com.ua


2. TERMINOLOGY USED IN THE POLICY

For the purposes of this Policy, the following concepts and terms are used:

Responsible person organising work related to personal data protection – a person responsible for monitoring the application of the General Data Protection Regulation (GDPR) and other applicable laws regarding the protection of data subjects in connection with the processing of personal data, who performs the functions assigned to him/her in accordance with this Policy and other applicable laws, and who advises the Company’s management on personal data protection. Such person is appointed by the Director of the Company on the basis of separate internal documents of the Company (order, minutes, etc.).

Personal data – any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, in particular by reference to identification information such as a name, an identification number, location data.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction of processing, erasure or destruction.

Restriction of processing – the marking of stored personal data with the aim of limiting their processing in the future.

Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company acts as the controller.

Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient – a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether it is a third party or not.

Third party – a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the personal data subject – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data protection breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


3. COMPOSITION OF PERSONAL DATA

3.1. The personal data processed in the Company include:

  • personal data of current and former employees;

  • personal data of employees’ family members;

  • personal data of job candidates;

  • personal data of contact persons of the Company’s business partners (legal entities, individual entrepreneurs, natural persons) under contracts, as well as persons who are parties to, or represent the Company’s counterparties that are parties to, such contracts;

  • personal data of participants and winners of advertising activities during advertising campaigns for the purpose of granting and taxing incentives of such campaigns in accordance with the requirements of the current legislation of Ukraine.

3.2. Special categories of personal data:

The Company does not process any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, intimate or private life.

3.3. Obtaining personal data:

  • The Company may obtain all personal data of a subject directly from the subject or from other sources, including open sources, social networks, public authorities, recruitment firms, etc.

  • The Company reserves the right to verify the integrity and accuracy of personal data provided by the personal data subject.


4. RIGHTS OF PERSONAL DATA SUBJECTS

A subject whose personal data are processed by the Company has the following rights:

Right to information – to receive from the Company the following information:

  • identification and contact details of the Company, details of its representatives and the responsible person organising work related to personal data protection;

  • the purposes and legal grounds for the processing of personal data by the Company;

  • categories of personal data;

  • recipients of personal data and a description of appropriate safeguards and security measures;

  • the period for which the personal data will be stored, or the criteria used to determine that period, provided that the Company stores and processes personal data for the period required by applicable laws and regulations;

  • the source from which the personal data originate (if the personal data have not been obtained from the data subject);

  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; whether the data subject is obliged to provide the personal data and what the possible consequences of failure to provide such data are.

Right of access to personal data – to obtain from the Company confirmation as to whether or not personal data concerning him/her are being processed, as well as the right to obtain a copy of any record containing his/her personal data.

Right to rectification – to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning him/her and the completion of incomplete personal data, including by means of providing a supplementary statement.

Right to erasure – to obtain from the Company the erasure of personal data without undue delay (if the personal data are no longer necessary in relation to the purposes for which they were collected, if the data subject withdraws his/her consent, etc.).

Right to restriction of processing – where the personal data are inaccurate and the data subject requests that their use be restricted rather than erased; where the personal data are no longer needed for the purposes of the processing, but are required by the data subject for the establishment, exercise or defence of legal claims; where the data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability – to receive personal data in a structured, commonly used and machine-readable format and the right to transmit those personal data to another controller without hindrance from the Company (where the processing is based on consent or on a contract and is carried out by automated means).

Right to object at any time to the processing of personal data (including where personal data are processed for direct marketing purposes).

Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Accordingly, the data subject understands and agrees that, in the event of withdrawal, the purposes of processing personal data may not be achieved.

Right to lodge a complaint with a supervisory authority, namely the Ukrainian Parliament Commissioner for Human Rights and the Secretariat of the Commissioner for Personal Data Protection, if the data subject considers that his/her rights have been violated.

Right to an effective judicial remedy against a supervisory authority, the Company or another data processor.

Right to obtain compensation from the Company or another data processor for damage suffered.


5. PERSONAL DATA PROTECTION

Processing of personal data

The processing of personal data is confidential. It shall be carried out only by persons acting on behalf of the Company and only in accordance with its instructions.

Access to personal data is granted only to those employees of the Company who need such personal data for the performance of their duties related to any of the above purposes of processing. Access to personal data by other employees of the Company who do not have access rights in accordance with this Policy is prohibited.

Employees of the Company who have access to personal data are entitled to process only those personal data that are necessary for them to perform their official duties related to any of the above purposes of processing.

Documents containing personal data are stored in the Company’s structural units whose employees have access to the personal data in connection with the performance of their official duties and are responsible for interaction with the relevant personal data subject.

The Company has the right to authorise a third party to process personal data with the consent of the personal data subject or, in other cases provided for by applicable law, without such consent.

A person processing personal data on behalf of the Company shall comply with the principles and rules of personal data processing established by this Policy.

Where the Company entrusts another person with the processing of personal data, the Company remains liable to the personal data subject for the actions of such person. A person processing personal data on behalf of the Company is liable to the Company for such processing.

Storage of personal data

Documents containing any personal data (hereinafter – Documents) must be stored in accordance with the following requirements:

Documents must be stored in folders in office premises, in cupboards that can be securely locked. Proper conditions must be created to ensure their physical security, including video surveillance.

Employees must not leave Documents in shared office equipment (copying machines, scanners, fax machines, etc.).

It is prohibited to take Documents out of the office premises for work outside such premises.

All employees and third parties engaged by the Company must protect and responsibly use all Documents when they are granted the right to use such Documents or information.

Measures to ensure the security of personal data

The Company shall take all appropriate organisational and technical measures to ensure the security of personal data and their protection against accidental or unlawful destruction, loss, alteration, unauthorised dissemination or access, as well as against any other form of unlawful processing, including purpose limitation, data minimisation and limited storage periods (as defined below in Section 6 of the Policy).

Such measures ensure a level of security appropriate to the risks associated with the processing and the nature of the data processed.

In the absence of an employee at his/her desk, no documents containing personal data shall be left there (“clean desk policy”).

The Company provides appropriate personal data protection training for employees who have permanent or regular access to personal data.


6. STORAGE OF PERSONAL DATA

The Company takes all appropriate organisational and technical measures to ensure the security of personal data.

The Company stores personal data for as long as is necessary to achieve the purposes of their collection and processing, or for the duration of the storage period established by the legislation of Ukraine. Thereafter, the personal data shall be erased in accordance with the legislation of Ukraine.

If an individual withdraws his/her consent to the processing of his/her personal data, the Company shall, without undue delay, erase such personal data to the extent that the collection and processing of personal data were based on the withdrawn consent.

If an individual exercises his/her right to have his/her personal data erased, the Company shall erase such personal data processed by the Company without undue delay, provided there is no other legal ground for the processing and storage of such data and no requirement to store such data as provided by the legislation of Ukraine.

Destruction or erasure of personal data (in accordance with Article 15 of the Law of Ukraine “On Personal Data Protection”) shall be carried out in the manner established pursuant to the requirements of the law, using destruction methods that exclude the possibility of their subsequent restoration.


7. LIABILITY FOR BREACH OF THE POLICY

7.1. Breach of this Policy entails disciplinary, civil, administrative or criminal liability in accordance with the current legislation of Ukraine.

7.2. In case of a breach of this Policy (disclosure of personal data to unauthorised employees and/or other third parties, loss of documents or any other materials containing personal data, etc.), the Company has the right to apply the following disciplinary measures to such employee: warning, suspension and other liability measures provided for by applicable law.

7.3. If, as a result of the actions of an employee of the Company or another third party, the provisions of this Policy are violated and the Company suffers losses due to such breach, such employee or other third party shall be obliged to fully compensate all losses associated with his/her unlawful actions.


8. REVIEW OF THE POLICY

8.1. The Policy is kept up to date and reviewed on a regular basis. If, based on the results of a review, no changes are made to the Policy, it does not need to be re-approved.

Grounds for amending the Policy include changes in legislation, international standards or the occurrence of significant changes.