Page 1

Ukr

Rus

Eng

-A A

A+

Accredited with status "A" - the highest status in accordance with the UN Paris Principles

Annual Report of the Commissioner of the Verkhovna Rada

Authorized
The Verkhovna Rada of Ukraine with
human rights

Secretariat
To the applicant
The Commissioner

Home

Social,
economic and
humanitarian
rights

National
preventive
mechanism

/ Secretariat Commissioner

/ Documents

History
Ombudsman

/ Legislation

Of Ukraine on human rights on the state of observance and
protection of human and civil rights and freedoms
Ukraine for 2020

Protection
personal
data

Right
children

Prevention and
anti-discrimination,
home
violence and trafficking
people

Right to
information

/ TYPICAL PROCEDURE FOR PROCESSING PERSONAL DATA

TYPICAL PROCEDURE FOR PROCESSING PERSONAL
DATA
13/02/2014 17:17

Representatives of the Commissioner
1. General provisions

The structure of the Secretariat
Regional offices
The Commissioner
Documents
Interaction with the Constitutional
Court of Ukraine
The right to judicial protection
international cooperation

1.1. This Procedure for personal data processing (hereinafter - the Procedure) defines the general requirements for
processing and protection of personal data of personal data subjects
in whole or in part with the use of automated means, as well as personal data,
contained in the file or intended for inclusion in the file, with the application
non-automated means.
1.2. Owners, managers of personal data independently determine the order of processing
personal data, taking into account the specifics of personal data processing in various fields,
in accordance with the requirements of the Law of Ukraine "On Personal Data Protection" (hereinafter Law) and this Procedure.
1.3. The requirements of this Procedure are taken into account during the development of codes of conduct for processing
personal data by professional, self-governing and other public associations or
legal entities in accordance with Article 27 of the Law.
2. Requirements for personal data processing
2.1. The owner determines:

Press service
1) purpose and grounds for personal data processing;

Competition to fill vacancies
post

2) categories of personal data subjects;
3) the composition of personal data;

Implementation of the Law of Ukraine "On
purification of power "

4) the procedure for processing personal data, namely:

Information on financial
economic activity
Secretariat

- term and conditions of personal data storage;

- method of collecting, accumulating personal data;

- conditions and procedure for changing, deleting or destroying personal data;
- conditions and procedure for the transfer of personal data and a list of third parties to whom they may
transfer personal data;

Contacts
Anti-corruption activities
Secretariat

- the procedure for access to personal data of persons processing, as well as entities
personal data;
- measures to ensure the protection of personal data;

Report corruption

- the procedure for storing information on transactions related to the processing of personal data and
access to them.

Internal audit

2.2. In cases provided by law, the owner also determines the responsibilities and rights of persons
responsible for the organization of work related to the protection of personal data during them
processing.
2.3. Processing procedures, processing time and composition of personal data must be
proportional to the purpose of processing.
2.4. The purpose of the processing of personal data must be clear and lawful.
2.5. The purpose of the collection of personal data must be determined before they are collected.
2.6. In the event of a change in the defined purpose of personal data processing to a new purpose that is incompatible with
previous, for further data processing the owner of personal data, except in cases
defined by law, must obtain the consent of the subject of personal data for processing
its data in accordance with the new purpose.
2.7. The processing of personal data is carried out by the owner of personal data only for
with the consent of the personal data subject, except in cases where such consent is not required
By law.
2.8. The consent of the subject to the processing of his personal data must be voluntary and
informed. Consent may be given by the subject in writing or electronically
will be able to draw a conclusion about its provision. Documents (information) confirming the provision
the subject of consent to the processing of his personal data, stored by the owner for a period of time
processing of such data.
2.9. The owner of personal data, except as provided by the legislation of Ukraine,
informs the subject of personal data about the composition and content of the collected personal data, his
the rights defined by law, the purpose of collecting personal data and third parties to whom they are transferred
his personal data:
- at the time of collection of personal data, if personal data are collected from the subject
personal data;
- in other cases within thirty working days from the date of collection of personal data.
The owner keeps the information (documents) confirming the provision to the applicant
the above information throughout the period of personal data processing.
2.10. Personal data is processed in a form that allows the identification of the individual
they apply, within a period not exceeding that required by the purpose of their processing. In any
in which case they are processed in a form that allows the identification of the individual they are
apply, not longer than provided by the legislation in the field of archives and
office work.
2.11. If information about a person is found that does not correspond to reality, such information is available
be immediately altered or destroyed.
2.12. The personal data subject has the right to make a reasoned request to the owner
personal data to prohibit the processing of their personal data (parts thereof) and / or
changes in their composition / content. This requirement is considered by the owner within 10 days from the date
receiving.
2.13. If the results of consideration of such a requirement revealed that the personal data of the subject (their
part) are processed illegally by the owner stops processing the personal data of the subject
(parts thereof) and informs the personal data subject.
If the results of consideration of such a requirement revealed that the personal data of the subject (their
part) are unreliable, the owner stops processing personal data of the subject
parts) and / or changes their composition / content and informs the personal data subject.
2.14. If the requirement is not subject to satisfaction, the subject is given a reasoned response
regarding the lack of grounds for its satisfaction.
2.15. The personal data subject has the right to withdraw consent to the processing of personal data
without stating the reasons, if the only basis for processing is the consent of the subject
personal data. From the moment of withdrawal of consent, the owner is obliged to stop processing
personal data.
2.16. Deletion and destruction of personal data is carried out in an exclusive way
further possibility to update such personal data.
2.17. Procedure for access to personal data of the personal data subject and third parties
determined by Articles 16 - 17 of the Law.
2.18. The owner informs the subject of personal data about the actions with his personal data
under the conditions specified in Article 21 of the Law.
3. Protection of personal data
3.1. The owner, the controller of personal data take measures to ensure
protection of personal data at all stages of their processing, including through
organizational and technical measures.
3.2. The owner, the controller of personal data independently determines the list and structure
measures aimed at the security of personal data processing, taking into account the requirements
legislation in the areas of personal data protection, information security.
3.3. The protection of personal data involves measures to prevent their accidental
loss or destruction, illegal processing, including illegal destruction or access to
personal data.
3.4. Organizational activities include:
- determining the procedure for access to personal data of employees of the owner / manager;
- determining the order of accounting operations related to the processing of personal data
subject and access to them;
- development of an action plan in case of unauthorized access to personal data,
damage to technical equipment, emergencies;
- regular training of employees who work with personal data.
3.5. The owner / manager keeps records of employees who have access to personal data
subjects. The owner / manager determines the level of access of these employees to
personal data of subjects. Each of these employees has access to only those
personal data (their parts) of the subjects that he needs in connection with the implementation of their
professional or official or labor duties.
3.6. All other employees of the owner / manager are entitled to complete information only
regarding their own personal data.
3.7. Employees who have access to personal data give a written commitment to
non - disclosure of personal data entrusted to them or which became known to them in connection with
performance of professional or official or labor duties.
3.8. The date of granting the right of access to personal data is the date of granting
obligations of the relevant employee.
3.9. The date of deprivation of the right to access personal data is the date of release
employee, the date of transfer to a position where the performance of duties is not related to processing
personal data.
3.10. In case of dismissal of an employee who had access to personal data, or transfer
it is used for another position that does not involve working with personal data of subjects
measures to prevent such a person from accessing personal data, and documents and others
media containing personal data of subjects are transferred to another employee.
3.11. The owner / manager keeps records of transactions related to the processing of personal data
subject and access to them. For this purpose, the owner / manager keeps the information
about:
- date, time and source of personal data collection of the subject;
- change of personal data;
- viewing personal data;
- any transfer (copying) of personal data of the subject;
- date and time of deletion or destruction of personal data;
- an employee who performed one of these operations;
- purpose and grounds for modification, review, transfer and deletion or destruction of personal data.
The owner / controller of personal data independently determines the retention procedure
information on transactions related to the processing of personal data of the subject and access to them.
In the case of processing personal data of subjects using an automated system is as follows
the system automatically captures the specified information. This information is stored by the owner /
by the administrator within one year from the end of the year in which it was carried out
these operations, unless otherwise provided by the legislation of Ukraine.
3.12 Requirements for accounting and storage of information about the review of personal data no
applies to owners / administrators who process personal data in
register, which is open to the general public.
3.13. Personal data, depending on the method of storage (paper, electronic media) have
be processed in such a way as to prevent access to them by third parties.
3.14. In order to ensure the security of personal data processing, special ones are used
technical protection measures, including the exclusion of unauthorized access to
personal data processed and the work of the technical and software complex, for
by which personal data is processed.
3.15. In public authorities, local governments, as well as the owners or
personal data controllers who process the personal data to be processed
notification in accordance with the Law, a structural subdivision is created (determined) or
responsible person who organizes the work related to the protection of personal data in them
processing.
3.16. Information about the structural unit or responsible person who organizes the work,
related to the protection of personal data during their processing, the Commissioner shall be notified
Of the Verkhovna Rada of Ukraine on Human Rights in accordance with the Law.
3.17. The responsible person / structural unit performs the following tasks:
- informs and advises the owner or controller of personal data on issues
compliance with legislation on personal data protection;
- interacts with the Commissioner for Human Rights of the Verkhovna Rada of Ukraine and designated by him
officials of its Secretariat for the Prevention and Elimination of Violations
legislation on personal data protection.
3.18. In order to perform these tasks, the responsible person / structural unit:
- ensures the implementation of the rights of personal data subjects;
- has access to any data processed by the owner / administrator and
to all premises of the owner / manager, where such processing is carried out;
- in case of violations of the legislation on personal data protection and / or this
The procedure informs the head of the owner / manager in order to take the necessary
measures;
- analyzes threats to the security of personal data.
3.19. Requirements of the responsible person for measures to ensure the safety of processing
personal data are mandatory for all employees who process
personal data.
3.20. The facts of violations of the process of processing and protection of personal data must be
documented by the responsible person or structural unit that
organizes work related to the protection of personal data during their processing.
3.21. Interaction with the Commissioner of the Verkhovna Rada of Ukraine for Human Rights is carried out in
in accordance with the procedure established by the Law and the Law of Ukraine “On the Commissioner of the Verkhovna Rada
Of Ukraine on human rights ".
3.22. Organization of work related to the protection of personal data during their processing, those
owners / managers who are not subject to the requirements of part two of Article 24 of the Law,
relies directly on those persons who process personal data, or, in
if necessary, - to separate structural divisions or officials.
Explanation of the Standard Procedure for Personal Data Processing

OUR PARTNERS

News

Annual and special reports

Video

© Secretariat of the Commissioner for Human Rights of the Verkhovna Rada of Ukraine 2013-2018
Software and technology support - Information Technology Department

Contacts

Electronic application form:

Website development -

