Clause on processing and protecting of personal data

General provisions

Kyiv, March 1th , 2024

Personal database is a sum of arranged personal data in the electronic form and/or in the form of card indexes bearing personal data, endowed with a name;

The person in charge is a specific person who organizes the workflow related to personal data protection at the time of their processing, in compliance with the law;

Personal database owner is a physical or a legal person who is granted the right, by law or by consent of the personal data subject, to process this personal data, and who defines the content of this personal data and the procedures of its processing, unless the law stipulates otherwise;

Publicly available personal data sources are directories, address books, registers, lists, catalogues, other systematized sources of open information that contain personal data, placed and published by consent of the personal data subject. Social media and internet resources where a personal data subject leaves its personal data are not considered as publicly available (except for the case when a personal data subject explicitly stipulates that the personal data are placed with the aim of ensuring their free dissemination and usage);

Consent by the personal data subject is any documented voluntary free will statement made by a physical person whereby he or she grants permission to process his/her personal data in compliance with the formulated purpose of its processing;

Personal data depersonalization is removal of the data that allows for the identification of the person;

General provisions (continuation)

Personal data processing is any action, or a sum of actions committed in full or in part, in an information (automated) system and/or in personal data card indexes that are related to collecting, registering, accumulating, storage, adaptation, alteration, updating, usage and dissemination (sale, transfer), depersonalization, annihilation of the data regarding the physical person;

Personal data are the data, or a sum of data regarding a physical person who is identified, or can be specifically identified;

Personal data base manager — is a physical or a legal entity who is granted the right, by the data base owner or by the law, to conduct works of technical nature, with the personal data base, without having haaccess to the personal data content;

Personal data subject is a physical entity, in regards to whom, his or her personal data are processed in compliance with the law;

Third person is any person, with the exception of the personal data subject, the owner or the manager of the personal data base, and an entitled public body in charge of personal data protection, who is entitled, by the owner or the manager of the data base, to access personal data in accordance with the law;

Special data categories are the personal data regarding racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and professional unions, as well as data regarding health or sexual life.

1. Area of application

1.1. The Regulation on the Procedure for Processing and Protection of Personal Data (hereinafter – the Regulation) defines a set of organizational and technical measures to ensure the protection of personal data of individuals who voluntarily provided them (referredІndividuals) to the NGO “War Psychotrauma Institute” (referredProvider) from unlawful processing, including loss, unlawful or accidental destruction, as well as unlawful access to them.

1.2. The Clause was developed based on the Law of Ukraine “On Personal Data Protection” dated 01.06.2010 №2297-VI and Typical Procedure of Personal Data Protection, validated by the order of the Verkhovna Rada Commissioner on Human Rights on 08.01.2014 №1/02-14.

1.3. The Clause is mandatory for all the persons who have access to personal data and are involved in processing personal data.

1.4. All the terms implied in this Clause are defined in accordance with the Law of kraine “On personal data protection”; moreover, in compliance with the terminology implied by the abovementioned Law, the Provider is considered to be the owner of the personal data.

1.5. Personal data imply all data or a set of data regarding the Іndividuals, by which they can be identified, or can facilitate their specific identification.

1.6. In regards to the access mode, the Іndividuals’ personal data are listed as information with restricted access. The Provider assumes obligations to ensure the protection of the Іndividuals’ personal data.

1.7. Іndividuals’ personal data are processed on electronic carriers, with such software as Excel, Word and others.

1.8. Personal data processing implies any action or a sum of actions, such as collection, registration, accumulation, storage, adapting, alteration, resuming, usage and dissemination (including sale and transfer), depersonalization, elimination of personal data.

2. Goal, reasons and/or usage of personal data processing

2.1. Іndividuals’ personal data protection usage is conducted with the view to ensuring the implementation of the contractual relations as Provider conducts his/her consulting activity.

2.2. Personal data are processed based on the Clients’ agreements, and other legal
grounds, in strict compliance with the current Ukrainian legislation in the area of personal data protection, and are stored in paper and/or electronic form.

3. Procedure of personal data processing: obtaining agreement, communicating the rights, and actions with the personal data pertaining to the subject of personal data.

3.1. Procedure of personal data processing: obtaining agreement, communicating the rights, and actions with the personal data pertaining to the subject of personal data.a document on a paper carrier bearing the requisites that allow to identify this document and the physical person; an electronic document that should contain mandatory requisites allowing to identify this document and the physical person. It is expedient (and optional) to secure the free-willed expression of the physical person to grant permission to process his/her personal data carrying an electronic signature of the personal data subject.

3.2. The subject of personal data grants his/her permission at the moment of forming the civil-law relations in accordance with the present legislation.

3.3. In compliance with the defined goal of procession, the legal acts, and the needs of consultation services, the Provider processes the Іndividuals’s personal data:

name, patronymic, surname;
electronic mail address (e-mail);
mobile telephone number;
document (passport, driver’s license, etc.);
information about the actions committed on the website.

3.4. The Provider can designate one of the Provider’s employees as a Person in Charge of ensuring the compliance with the Ukrainian legislation regarding personal data protection and processing, as well as conditions of this Clause.

3.5. The Person in Charge fulfils his/her obligations in compliance with the present Clause and the norms of Ukraine’s acting legislation in regards to personal data processing and storage.

4. Location of the personal data base

The personal data bases are located at the Provider’s address.

5. Conditions for disclosing information on personal data to third persons

5.1. The access to personal data for third persons is defined by the conditions set out in the permission to process data, granted to the owner of the personal data, by the personal data subject, or in compliance with the legal requirements. The procedure of the third persons’ access to the personal data, which are owned by the public information manager, is defined by the Law of Ukraine “On access to public information”.

5.2. The access to personal data is not granted to the third person if the aforementioned person refuses to assume obligations to ensure the compliance with the Law of Ukraine “On personal data protection” or is unable to ensure them.

5.3. The subject of the relations tied with personal data, submits a request for access to personal data (to be later referred to as access) to the personal data base owner.

5.4. The request shall contain:
surname, name, patronymic, residence address (location) and requisites of the document that identifies the physical person who is submitting the request (for the physical person who is applicant);
title and location of the legal entity that files the request; job title, surname, name, patronymic of the person who verifies the request; the proof that the content of the request lies within the powers of the legal entity (for the applicant who is a legal person);
surname, name and patronymic, as well as other data that allow to identify the physical person, in whose regard the application is submitted;
data regarding the personal data base, in whose regards the application is submitted; data regarding the owner or the manager of this data base;
list of the requested personal data;
purpose of the request.

5.5. The term for considering this request, with the purpose of satisfying it, shall not exceed ten working days since is receipt. During this time, the owner of the personal data base shall inform the applicant that the request will be satisfied, or that the relevant personal data will not be granted, indicating the grounds for this decision, according to the acting legislation of Ukraine. The request shall be satisfied within 10 calendar days since the day of its receipt, unless the law stipulates otherwise.

5.6. All employees of the owner of the personal data base are obliged to comply with the confidentiality requirements for personal data.

5.7. Deferral of access to personal data of third parties is allowed if the necessary data cannot be provided within ten calendar days from the date of receipt of the request. In this case, the total period for resolving the issues raised in the Request may not exceed 45 calendar days.

5.8. The third party who submitted the Request shall be notified of the delay in writing with an explanation of the procedure for appealing such decision.

5.9. The notice of deferral shall include:
surname, name and patronymic of the official;
date of sending the notice;
the reason for the delay;
the period within which the Request will be satisfied.

5.10. Denial of access to personal data is allowed if access to them is prohibited by law.

5.11. The following data shall be indicated in the notice of refusal:
surname, name, patronymic of the official who denies access;
date of sending the notification;
reason for refusal.

5.12. The decision to postpone or deny access to personal data may be appealed to the authorized state body for personal data protection, other state authorities and local self-government bodies authorized to protect personal data, or to the court.

6. Personal data protection

The owners and managers of personal data and third persons are obliged to ensure the protection of these data from accidental loss or destruction, from illegal processing, including illegal annihilation or access to personal data according to the legislation of Ukraine.

7. Rights and responsibilities of the Individuals as personal data subjects

Individuals, as personal data subjects, are entitled:to know the sources used for collecting their personal data, their storage location, except for the cases established by the law;
data, including information about third persons to whom their personal data is transferred to;
to have access to their personal data;
receiving, no later than 30 calendar days since receipt of the request;
unless the law stipulates otherwise, the reply about whether their personal data is being processed, as well as receive the content of these personal data;
to present to the Provider a motivated objection against their personal data processing;
to present a motivated demand about the change or destruction of their personal data by the Provider, if this data is processed illegally or is untruthful;
to have their personal data defended against illegal processing and accidental loss, destruction, damage inflicted by premeditated concealing, untimely presenting, as well as security against the presentation of untruthful data, or the information that undermines dignity, honour and business reputation;
to file lawsuits with complaints related to their personal data processing;
to recur to the means of legal defence in the case of law violations, should the law on personal data protection, be violated;
to input restrictions related to the right to process personal data when consent it granted;
to recall permission for personal data processing;
to be aware of the mechanism of automatic personal data processing;
to be defended against the automated decision that can have legal implications.

8. Individuals’ personal data collection

8.1. Individuals’ personal data procession is part of the process related to processing the aforementioned personal data, which involves the actions needed to collect and arrange personal data.

8.2. The reasons for processing the personal data pertaining to counteractants are:
activities of the Provider;
the need to defend the Individualslegal interests, except for the cases when the subject of personal data demands to disengage from his personal data processing (point 6, part 1, article 11 of the Law of Ukraine “On personal data protection”).

8.3. The Individuals confirm being introduced to their rights in the area of personal data protection, by accepting the CLAUSE REGARDING THE PERSONAL DATA PROTECTION.

8.4. Once the CLAUSE REGARDING THE PERSONAL DATA PROTECTION is accepted by the Individuals, their personal data is introduced to the data base “Individuals”.

8.5. In the event that it is discovered that some processed data do not match reality, this data should be corrected or annihilated.

9. Storage and deletion of Individuals’ personal data

9.1. Personal data storage implies the actions necessary to ensure their wholeness, and relevant access regime to be respected.

9.2. Individuals’ personal data is processed in the form that allows for the identification of the physical person that they relate to, and are stored during the time that does not exceed what is necessary in regards to their legal purpose and the goal of their processing, unless law in the area of archiving and office work stipulates otherwise.

9.3. Individuals personal data is deleted or annihilated according to the procedure established in accordance with the law.

9.4. Personal data is subject to annihilation in the following cases:
end of storage term defined in the consent for processing given by subject of personal data, or in the law;
end of legal relations between the Client and the Provider, unless the law stipulates otherwise;
court decision about withdrawing data about a physical person from the personal data base coming into force;
relevant decree is issued by the Verkhovna Rada Commissioner on human rights, or the officials from the Commissioner’s secretariat that he/she designates.

9.5. The personal data collected with the violations of the Law of Ukraine “On personal data protection” are subject to annihilation, in conformity with the law.

9.6. The selection for eventual deletion of documents containing personal data, whose storage time has expired, shall be conducted by an expert commission whose composition shall be defined by the Provider.

9.7. Personal data shall be deleted using the means that excludes the possibility to restore this personal data in the future.

10. Personal data protection when processing them in an automated system

10.1. The right to access an automated system is granted to the Provider’s employees whose job descriptions involve the functions related to data processing in the automated system, and who sign a written obligation of non-disclosure.

10.2. The automatic system shall mandatorily be equipped with anti-virus protection and means of uninterrupted power supply for the system’s elements.

10.3. The access to Individuals’s personal data is granted to the third persons, with whom the Provider has signed an agreement foreseeing contract obligations toward the Individuals.

11. Final Clauses

11.1. The Individuals can receive any clarifications related to their personal data processing by reaching out to the Provider by electronic mail

11.2. This document shall reflect any modifications in the politics of personal data protection and processing practiced by the Provider. Personal data processing and protecting data policy has no time limit and shall be in force until being replaced with a new version that should be published at the Provider’s website 24 hours before coming into force.

11.3. The relevant version of the Policy is publicly available at the Provider’s website at web address: