CLAUSE REGARDING THE PERSONAL DATA PROTECTION

Clause on processing and protecting of personal data

General provisions

Kyiv, November 1, 2024.

Personal data base – a set of organized personal data in electronic format and/or in the format of personal data files.

Responsible person – a certain person who organizes the work related to the protection of personal data during their processing, in accordance with the legislation.

Personal data base owner – a natural or legal person who is authorized by law or by the consent of the personal data subject to process these data, and who approves the purpose of personal data processing in this data base, establishes the composition of the data and the procedure of their processing, unless otherwise defined by law.

Publicly available sources of personal data – directories, address books, registers, lists, catalogs, other systematized collections of public information containing personal data, placed and published with the consent of the personal data subject. Social networks and Internet resources where the personal data subject leaves his/her personal data are not considered publicly available sources of personal data (except when the personal data subject explicitly states that the personal data are posted for the purpose of their free distribution and use).

Personal data depersonalization – removal of information that allows to identify an individual.

Processing of personal data – any action or set of actions performed fully or partially in an information (automated) system and/or in personal data files, related to the collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (realization, transfer), depersonalization, destruction of data about an individual.

Special categories of data – personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to health or sex life.

Personal data – information or a set of information about a natural person who is identified or can be specifically identified.

Personal datacontroller – a natural or legal person who is the owner of the personal data base or who is authorized by law to process such data. The personal data base controller is not a person who is authorized by the owner and/or controller of the personal data base to carry out technical works on the personal data base, without access to the content of personal data.

Personal data subject – a natural person in respect of whom his/her personal data is processed in accordance with the law.

Third party – any person, except for the personal data subject, the owner or manager of the personal data base and the authorized state authority for personal data protection, who is not the owner or manager of the personal data base, but who transfers personal data in accordance with the law.

1. Area of application

1.1. The Regulation on the Procedure for Processing and Protection of Personal Data (hereinafter – the Regulation) defines a set of organizational and technical measures to ensure the protection of personal data of individuals who voluntarily provided them (referredІndividuals) to the NGO “War Psychotrauma Institute” (referredProvider) from unlawful processing, including loss, unlawful or accidental destruction, as well as unlawful access to them.

1.2. The Clause was developed based on the Law of Ukraine “On Personal Data Protection” dated 01.06.2010 №2297-VI and Typical Procedure of Personal Data Protection, validated by the order of the Verkhovna Rada Commissioner on Human Rights on 08.01.2014 №1/02-14.

1.3. The Clause is mandatory for all the persons who have access to personal data and are involved in processing personal data.

1.4. All the terms implied in this Clause are defined in accordance with the Law of kraine “On personal data protection”; moreover, in compliance with the terminology implied by the abovementioned Law, the Provider is considered to be the owner of the personal data.

1.5. Personal data imply all data or a set of data regarding the Іndividuals, by which they can be identified, or can facilitate their specific identification.

1.6. In regards to the access mode, the Іndividuals’ personal data are listed as information with restricted access. The Provider assumes obligations to ensure the protection of the Іndividuals’ personal data.

1.7. Іndividuals’ personal data are processed on electronic carriers, with such software as Excel, Word and others.

1.8. Personal data processing implies any action or a sum of actions, such as collection, registration, accumulation, storage, adapting, alteration, resuming, usage and dissemination (including sale and transfer), depersonalization, elimination of personal data.

2. Goal, reasons and/or usage of personal data processing

2.1. Іndividuals’ personal data protection usage is conducted with the view to ensuring the implementation of the contractual relations as Provider conducts his/her consulting activity.

2.2. Personal data are processed based on the Clients’ agreements, and other legal
grounds, in strict compliance with the current Ukrainian legislation in the area of personal data protection, and are stored in paper and/or electronic form.

3. Procedure of personal data processing: obtaining agreement, communicating the rights, and actions with the personal data pertaining to the subject of personal data.

3.1 The consent of the personal data subject must be a voluntary expression of the individual’s will to authorize the processing of his/her personal data, in accordance with the formulated purpose of their processing. The consent of the personal data subject may be provided in the following forms:
– a hard copy document with details allowing to identify this document and the natural person;
– an electronic document, which must contain mandatory requisites allowing to identify the document and the natural person.

The voluntary expression of will of a natural person to authorize the processing of his/her personal data is expediently (not necessarily) certified by the electronic signature of the personal data subject.

3.2. The subject of personal data grants his/her permission at the moment of forming the civil-law relations in accordance with the present legislation.

3.3. In compliance with the defined goal of procession, the legal acts, and the needs of consultation services, the Provider processes the Іndividuals’s personal data:
– name, patronymic, surname;
– electronic mail address (e-mail);
– mobile telephone number;
– document (passport, driver’s license, etc.);
– information about the actions committed on the website.

3.4. The Provider can designate one of the Provider’s employees as a Person in Charge of ensuring the compliance with the Ukrainian legislation regarding personal data protection and processing, as well as conditions of this Clause.

3.5. The Person in Charge fulfils his/her obligations in compliance with the present Clause and the norms of Ukraine’s acting legislation in regards to personal data processing and storage.

4. Location of the personal data base


The personal data bases are located at the Provider’s address.

5. Conditions for disclosing information on personal data to third persons

5.1. The access to personal data for third persons is defined by the conditions set out in the permission to process data, granted to the owner of the personal data, by the personal data subject, or in compliance with the legal requirements. The procedure of the third persons’ access to the personal data, which are owned by the public information manager, is defined by the Law of Ukraine “On access to public information”.

5.2. The access to personal data is not granted to the third person if the aforementioned person refuses to assume obligations to ensure the compliance with the Law of Ukraine “On personal data protection” or is unable to ensure them.

5.3. The subject of the relations tied with personal data, submits a request for access to personal data (to be later referred to as access) to the personal data base owner.

5.4. The request shall contain:
– surname, name, patronymic, residence address (location) and requisites of the document that identifies the physical person who is submitting the request (for the physical person who is applicant);
– title and location of the legal entity that files the request; job title, surname, name, patronymic of the person who verifies the request; the proof that the content of the request lies within the powers of the legal entity (for the applicant who is a legal person);
– surname, name and patronymic, as well as other data that allow to identify the physical person, in whose regard the application is submitted;
– data regarding the personal data base, in whose regards the application is submitted; data regarding the owner or the manager of this data base;
– list of the requested personal data;
– purpose of the request.

5.5. The term for considering this request, with the purpose of satisfying it, shall not exceed ten working days since is receipt. During this time, the owner of the personal data base shall inform the applicant that the request will be satisfied, or that the relevant personal data will not be granted, indicating the grounds for this decision, according to the acting legislation of Ukraine. The request shall be satisfied within 10 calendar days since the day of its receipt, unless the law stipulates otherwise.

5.6. All employees of the owner of the personal data base are obliged to comply with the confidentiality requirements for personal data.

5.7. Deferral of access to personal data of third parties is allowed if the necessary data cannot be provided within ten calendar days from the date of receipt of the request. In this case, the total period for resolving the issues raised in the Request may not exceed 45 calendar days.

5.8. The third party who submitted the Request shall be notified of the delay in writing with an explanation of the procedure for appealing such decision.

5.9. The notice of deferral shall include:
– surname, name and patronymic of the official;
– date of sending the notice;
– the reason for the delay;
– the period within which the Request will be satisfied.

5.10. Denial of access to personal data is allowed if access to them is prohibited by law.

5.11. The following data shall be indicated in the notice of refusal:
surname, name, patronymic of the official who denies access;
date of sending the notification;
reason for refusal.

5.12. The decision to postpone or deny access to personal data may be appealed to the authorized state body for personal data protection, other state authorities and local self-government bodies authorized to protect personal data, or to the court.

6. Personal data protection

The owners and managers of personal data and third persons are obliged to ensure the protection of these data from accidental loss or destruction, from illegal processing, including illegal annihilation or access to personal data according to the legislation of Ukraine.

7. Rights and responsibilities of the Individuals as personal data subjects

Individuals, as personal data subjects, are entitled:to know the sources used for:
– collecting their personal data, their storage location, except for the cases established by the law;
– data, including information about third persons to whom their personal data is transferred to;
– to have access to their personal data;
– receiving, no later than 30 calendar days since receipt of the request;
– unless the law stipulates otherwise, the reply about whether their personal data is being processed, as well as receive the content of these personal data;
– to present to the Provider a motivated objection against their personal data processing;
– to present a motivated demand about the change or destruction of their personal data by the Provider, if this data is processed illegally or is untruthful;
– to have their personal data defended against illegal processing and accidental loss, destruction, damage inflicted by premeditated concealing, untimely presenting, as well as security against the presentation of untruthful data, or the information that undermines dignity, honour and business reputation;
– to file lawsuits with complaints related to their personal data processing;
– to recur to the means of legal defence in the case of law violations, should the law on personal data protection, be violated;
– to input restrictions related to the right to process personal data when consent it granted;
– to recall permission for personal data processing;
– to be aware of the mechanism of automatic personal data processing;
– to be defended against the automated decision that can have legal implications.

8. Individuals’ personal data collection

8.1. Individuals’ personal data procession is part of the process related to processing the aforementioned personal data, which involves the actions needed to collect and arrange personal data.

8.2. The reasons for processing the personal data pertaining to counteractants are:
– activities of the Provider;
– the need to defend the Individualslegal interests, except for the cases when the subject of personal data demands to disengage from his personal data processing (point 6, part 1, article 11 of the Law of Ukraine “On personal data protection”).

8.3. The Individuals confirm being introduced to their rights in the area of personal data protection, by accepting the CLAUSE REGARDING THE PERSONAL DATA PROTECTION.

8.4. Once the CLAUSE REGARDING THE PERSONAL DATA PROTECTION is accepted by the Individuals, their personal data is introduced to the data base “Individuals”.

8.5. In the event that it is discovered that some processed data do not match reality, this data should be corrected or annihilated.

9. Storage and deletion of Individuals’ personal data

9.1. Personal data storage implies the actions necessary to ensure their wholeness, and relevant access regime to be respected.

9.2. Individuals’ personal data is processed in the form that allows for the identification of the physical person that they relate to, and are stored during the time that does not exceed what is necessary in regards to their legal purpose and the goal of their processing, unless law in the area of archiving and office work stipulates otherwise.

9.3. Individuals personal data is deleted or annihilated according to the procedure established in accordance with the law.

9.4. Personal data is subject to annihilation in the following cases:
end of storage term defined in the consent for processing given by subject of personal data, or in the law;
end of legal relations between the Client and the Provider, unless the law stipulates otherwise;
court decision about withdrawing data about a physical person from the personal data base coming into force;
relevant decree is issued by the Verkhovna Rada Commissioner on human rights, or the officials from the Commissioner’s secretariat that he/she designates.

9.5. The personal data collected with the violations of the Law of Ukraine “On personal data protection” are subject to annihilation, in conformity with the law.

9.6. The selection for eventual deletion of documents containing personal data, whose storage time has expired, shall be conducted by an expert commission whose composition shall be defined by the Provider.

9.7. Personal data shall be deleted using the means that excludes the possibility to restore this personal data in the future.

10. Personal data protection when processing them in an automated system

10.1. The right to access an automated system is granted to the Provider’s employees whose job descriptions involve the functions related to data processing in the automated system, and who sign a written obligation of non-disclosure.

10.2. The automatic system shall mandatorily be equipped with anti-virus protection and means of uninterrupted power supply for the system’s elements.

10.3. The access to Individuals’s personal data is granted to the third persons, with whom the Provider has signed an agreement foreseeing contract obligations toward the Individuals.

11. Final Clauses

11.1. The Individuals can receive any clarifications related to their personal data processing by reaching out to the Provider by electronic mail warpsychotrauma@gmail.com.

11.2. This document shall reflect any modifications in the politics of personal data protection and processing practiced by the Provider. Personal data processing and protecting data policy has no time limit and shall be in force until being replaced with a new version that should be published at the Provider’s website 24 hours before coming into force.

11.3. The relevant version of the Policy is publicly available at the Provider’s website at web address:
https://wpi-org.com/privacy_en