Page 1

Monday, June 28, 2021

Verkhovna Rada of Ukraine
Previous version

Legislation of Ukraine

Card

Files

History

ConnectionsPublications

Text for printing

UKR

ENG

РУС

Search

On approval of documents in the field of personal data protection
Document v1_02715-14, current version - Adoption from 08.01.2014
Information

Save

Document card

Contents of the document Search in the text

Share

Text for printing

COMMISSIONER OF THE VERKHOVNA RADA OF UKRAINE ON HUMAN RIGHTS

ORDER
08.01.2014 № 1 / 02-14

On approval of documents in the field of personal data protection
In compliance with the requirements of Articles 6 , 9 , 22 , 23 , 24 of the Law of Ukraine "On Personal Data Protection" I ORDER:
approve the following:
- Typical procedure for processing personal data ;
- The procedure for the Commissioner for Human Rights of the Verkhovna Rada of Ukraine to monitor compliance with the legislation on personal data protection ;
- Procedure for notifying the Commissioner of the Verkhovna Rada of Ukraine for Human Rights about the processing of personal data, which poses a special risk to
rights and freedoms of personal data subjects, the structural unit or the responsible person who organizes the work related to the protection of personal data
data during their processing, as well as the publication of this information .
Authorized
The Verkhovna Rada of Ukraine
on human rights

VV Lutkovskaya

APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

TYPICAL ORDER
PROCESSING OF PERSONAL DATA
1. General provisions
1.1. This Procedure for processing personal data (hereinafter - the Procedure) defines the general requirements for processing and protection of personal data of subjects
personal data processed in whole or in part by automated means, as well as personal data contained in
card files or intended for inclusion in the card file, using non-automated means.
1.2. Owners, managers of personal data independently determine the order of personal data processing, taking into account the specifics of processing
personal data in various areas, in accordance with the requirements of the Law of Ukraine "On Personal Data Protection" (hereinafter - the Law) and this Procedure.
1.3. The requirements of this Procedure are taken into account when developing codes of conduct for the processing of personal data by professional, self-governing and
other public associations or legal entities in accordance with Article 27 of the Law .
2. Requirements for personal data processing
2.1. The owner determines:
1) purpose and grounds for personal data processing;
2) categories of personal data subjects;
3) the composition of personal data;
4) the procedure for processing personal data, namely:
- method of collecting, accumulating personal data;
- term and conditions of personal data storage;
- conditions and procedure for changing, deleting or destroying personal data;
- conditions and procedure for the transfer of personal data and the list of third parties to whom personal data may be transferred;
- the procedure for access to personal data of persons processing, as well as personal data subjects;
- measures to ensure the protection of personal data;
- the procedure for storing information on transactions related to the processing of personal data and access to them.
2.2. In cases provided by law, the owner also determines the responsibilities and rights of persons responsible for the organization of work related to the protection
personal data during their processing.
2.3. The processing procedures, the processing time and the composition of the personal data must be proportionate to the purpose of the processing.
2.4. The purpose of the processing of personal data must be clear and lawful.
2.5. The purpose of the processing of personal data must be determined before they are collected.
2.6. In case of changing the specified purpose of personal data processing to a new purpose, which is incompatible with the previous one, for further data processing the owner
personal data, except as provided by law, must obtain the consent of the personal data subject to the processing of his data accordingly
to a new goal.
2.7. The processing of personal data is carried out by the owner of personal data only with the consent of the personal data subject, except for those
cases when such consent is not required by law.
2.8. The consent of the subject to the processing of his personal data must be voluntary and informed. Consent may be given by the subject in writing
or in electronic form, which allows to make a conclusion about its provision. Documents (information) confirming the subject's consent to its processing
personal data stored by the owner during the processing of such data.
2.9. The owner of personal data, except as provided by the legislation of Ukraine, notifies the subject of personal data of the composition and content
collected personal data, his rights, defined by law , the purpose of collecting personal data and third parties to whom his personal data is transferred:
- at the time of collection of personal data, if personal data is collected from the subject of personal data;
- in other cases within thirty working days from the date of collection of personal data.
The owner keeps the information (documents) that confirm the provision of the above information to the applicant throughout the processing period
personal data.
2.10. Personal data shall be processed in a form that allows the identification of the individual to whom they relate, no longer than necessary
in accordance with the purpose of their processing. In any case, they shall be processed in a form that allows the identification of the natural person to whom they relate, no longer than
than provided by the legislation in the field of archival business and office work.
2.11. If information about a person is found to be untrue, such information must be changed or destroyed immediately.
2.12. The personal data subject has the right to make a reasoned request to the owner of personal data to prohibit the processing of their
personal data (their parts) and / or changes in their composition / content. Such a request is considered by the owner within 10 days of receipt.
2.13. If as a result of consideration of such requirement it is revealed that personal data of the subject (their part) are processed illegally the owner terminates
processing of personal data of the subject (their parts) and informs the personal data subject about it.
If the results of consideration of such a claim reveal that the personal data of the subject (part of them) are inaccurate, the owner terminates the processing
personal data of the subject (or part thereof) and / or changes their composition / content and informs the personal data subject.
2.14. If the claim is not subject to satisfaction, the subject is given a reasoned response on the lack of grounds for its satisfaction.
2.15. The subject of personal data has the right to withdraw consent to the processing of personal data without stating the reasons, if the sole reason
for processing there is the consent of the subject of personal data. From the moment of withdrawal of consent, the owner is obliged to stop processing personal data.
2.16. Deletion and destruction of personal data is carried out in a way that eliminates the possibility of further recovery of such personal data.
2.17. The procedure for access to personal data of the personal data subject and third parties is determined by Articles 16-17 of the Law .
2.18. The owner informs the subject of personal data about the actions with his personal data under the conditions specified in Article 21 of the Law .
3. Protection of personal data
3.1. The owner, the controller of personal data take measures to ensure the protection of personal data at all stages of their processing, including
including through organizational and technical measures.
3.2. The owner, the controller of personal data independently determine the list and composition of measures aimed at the security of personal data processing,
taking into account the requirements of legislation in the fields of personal data protection, information security.
3.3. Protection of personal data includes measures aimed at preventing their accidental loss or destruction, illegal processing, including
illegal destruction or access to personal data.
3.4. Organizational activities include:
- determining the procedure for access to personal data of employees of the owner / manager;
- determination of the procedure for keeping records of transactions related to the processing of personal data of the subject and access to them;
- development of an action plan in case of unauthorized access to personal data, damage to technical equipment, emergencies
situations;
- regular training of employees who work with personal data.
3.5. The owner / manager keeps records of employees who have access to personal data of entities. The owner / manager determines the level
access of the specified workers to personal data of subjects. Each of these employees has access to only those personal data (their
parts) of the subjects, which are necessary for him in connection with the performance of his professional or official or labor duties.
3.6. All other employees of the owner / manager have the right to complete information only regarding their own personal data.
3.7. Employees who have access to personal data give a written commitment not to disclose the personal data entrusted to them.
or which became known to them in connection with the performance of professional or official or labor duties.
3.8. The date of granting the right of access to personal data is the date of granting the obligation by the relevant employee.
3.9. The date of deprivation of the right to access personal data is the date of dismissal of the employee, the date of transfer to office, performance of duties
which is not related to the processing of personal data.
3.10. In the case of dismissal of an employee who had access to personal data, or his transfer to another position that does not involve working with
personal data of subjects, measures are taken to prevent access of such person to personal data, and documents and other media that
contain personal data of subjects, are transferred to other employee.
3.11. The owner / manager keeps records of transactions related to the processing of personal data of the subject and access to them. To this end, the owner /
the administrator stores information about:
- date, time and source of personal data collection of the subject;
- change of personal data;
- viewing personal data;
- any transfer (copying) of personal data of the subject;
- date and time of deletion or destruction of personal data;
- an employee who performed one of these operations;
- purpose and grounds for modification, review, transfer and deletion or destruction of personal data.
The owner / controller of personal data independently determines the procedure for storing information about transactions related to the processing of personal data.
data of the subject and access to them. In the case of processing personal data of subjects using an automated system, such a system is automatic
captures the specified information. This information is kept by the owner / manager for one year from the end of the year in which it was
these operations were performed, unless otherwise provided by the legislation of Ukraine.
3.12 Requirements for accounting and storage of information on the review of personal data do not apply to owners / managers who carry out
processing of personal data in the register, which is open to the general public.
3.13. Personal data, depending on the method of storage (paper, electronic media) should be processed in such a way as to prevent access to
outsiders.
3.14. In order to ensure the security of personal data processing, special technical protection measures are taken, including for exclusion
unauthorized access to personal data processed and the operation of the technical and software complex through which the
personal data processing.
3.15. In public authorities, local governments, as well as the owners or controllers of personal data that carry out
processing of personal data, which is subject to notification in accordance with the Law , a structural subdivision or a responsible person is created (determined),
which organizes work related to the protection of personal data during their processing.
3.16. Information about the structural unit or the responsible person who organizes the work related to the protection of personal data during their processing,
reported to the Commissioner for Human Rights of the Verkhovna Rada of Ukraine in accordance with the Law.
3.17. The responsible person / structural unit performs the following tasks:
- informs and advises the owner or controller of personal data on compliance with legislation on personal data protection;
- interacts with the Commissioner for Human Rights of the Verkhovna Rada of Ukraine and officials of his Secretariat for Prevention
and elimination of violations of personal data protection legislation.
3.18. In order to perform these tasks, the responsible person / structural unit:
- ensures the implementation of the rights of personal data subjects;
- has access to any data processed by the owner / manager and to all premises of the owner / manager where
such processing is carried out;
- in case of violations of the legislation on personal data protection and / or this Procedure notifies the head of the owner / manager
in order to take the necessary measures;
- analyzes threats to the security of personal data.
3.19. The requirements of the responsible person for measures to ensure the security of personal data processing are mandatory for all employees who
carry out the processing of personal data.
3.20. The facts of violations of the process of processing and protection of personal data must be documented by the responsible person or
structural unit that organizes the work related to the protection of personal data during their processing.
3.21. Interaction with the Commissioner of the Verkhovna Rada of Ukraine for Human Rights is carried out in the manner prescribed by the Law and the Law of Ukraine “On
The Commissioner for Human Rights of the Verkhovna Rada of Ukraine . "
3.22. Organization of work related to the protection of personal data during their processing, those owners / managers who are not subject to the requirements
part two of Article 24 of the Law , is entrusted directly to those persons who process personal data, or, if necessary, to individual
structural units or officials.

APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

Order
exercising control over observance by the Commissioner of the Verkhovna Rada of Ukraine for Human Rights
legislation on personal data protection
1. General provisions
1.1. This Procedure establishes the procedure for exercising control by the Commissioner for Human Rights of the Verkhovna Rada of Ukraine (hereinafter - the Commissioner) for
compliance with the requirements of the legislation on personal data protection by conducting inspections of individuals, individuals - entrepreneurs, enterprises,
institutions and organizations of all forms of ownership, public authorities and local governments that are owners and / or managers of personal
data (hereinafter - the subject of inspection), as well as registration and review of inspection results.
1.2. In this Procedure, the terms are used in the following meaning:
on-site inspection - scheduled or unscheduled inspection of the subject of inspection by the Commissioner and / or his authorized officials
persons, which is held in the premises of the Secretariat of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights on the basis of received from the subject of inspection
documents and explanations without leaving the location of the subject of inspection and / or the place of processing of personal data;
on-site inspection - scheduled or unscheduled inspection of the activity of the subject of inspection by the Commissioner and / or officials authorized by him,
which is carried out at the location of the subject of verification and / or directly at the place of personal data processing;
scheduled inspection - inspection of the activity of the subject of inspection, which is carried out on the basis of the plan of inspections for the relevant quarter and year;
unscheduled inspection - inspection of the subject of inspection, which is not provided in the plan of inspections.
act of inspection - an official document certifying the fact of inspection of the subject of inspection and the state of compliance with the requirements
legislation on personal data protection;
prescription (requirement) is a mandatory written request of the Commissioner to eliminate violations of the law in due time.
on the protection of personal data, which is handed over (sent) to the subject of verification.
Other terms in this Procedure are used in the meaning given in the Law of Ukraine "On Personal Data Protection" .
2. Organization and conduct of inspections
2.1. Control over the observance by the subjects of verification of the legislation on personal data protection is carried out by the Commissioner and / or
officials authorized by him by conducting inspections: scheduled, unscheduled, on-site and off-site. Scheduled and unscheduled inspections
can be on-site and off-site.
The subject of the inspection is the observance by the subject of the inspection during the processing of personal data of the requirements of the Constitution of Ukraine , the Law of Ukraine
"On personal data protection", the Standard procedure for personal data processing, as well as current international agreements of Ukraine in the field of protection
personal data, the consent to the binding nature of which was given by the Verkhovna Rada of Ukraine.
2.2 On-site inspection is carried out by the Commissioner and / or on the basis of a personal order issued by him by such officials (hereinafter authorized officials):
- Head of the Secretariat and his Deputy;
- Representatives of the Commissioner;
- heads of structural subdivisions of the Secretariat and their deputies;
- employees of the Secretariat of the Commissioner.
The power of attorney is issued in writing for the period specified therein.
2.3. Employees of public authorities, including authorities, may be involved in the inspection in the manner prescribed by law
public administration, executive bodies and law enforcement agencies. In case of involvement of the specified persons they give the written undertaking about
non-disclosure of personal data that will become known to them as a result of the inspection.
2.4. On-site inspections are carried out during the working hours of the subject of inspection, established by the rules of internal labor regulations.
2.5. During the inspection, the Commissioner, the authorized official and the subject of the inspection have the rights and obligations provided for in section 6.
of this Order.
2.6. The subject of the inspection is obliged to provide access to the premises, materials and documents necessary for the inspection, to provide
information and provide explanations as to the factual and legal basis for their actions and decisions and provide appropriate conditions for
information.
2.7. Off-site inspection is carried out in the manner prescribed by paragraphs. 3.1-3.6 of Section 3 of the Procedure for Conducting Proceedings of the Commissioner of the Verkhovna Rada
Of Ukraine on human rights, taking into account the provisions of this Procedure by the Commissioner and / or authorized officials.
3. Carrying out a scheduled inspection
3.1. Scheduled inspections are carried out in accordance with annual or quarterly plans, which are approved by the Commissioner by December 1 of the year preceding
planned, or by the 25th of the last month of the quarter preceding the planned.
3.2. The plan indicates the categories of subjects of inspections. The inspection plan after its approval is posted on the official website
The Commissioner.
3.3. Scheduled inspections of the subject of inspection regarding compliance with the requirements of the legislation in the field of personal data protection are carried out with the frequency of
more often than once a year.
3.4. The date from which the period for determining the beginning of the next scheduled inspection begins is the date of the end of the previous scheduled inspection.
4. Carrying out an unscheduled inspection
4.1. Unscheduled inspections of inspection subjects may be carried out in the presence of one or more grounds / reasons, in particular:
on the own initiative of the Commissioner;
at direct detection of violations of requirements of the legislation on protection of personal data by the Commissioner, including as a result of implementation
study of systemic problems in ensuring the right to privacy, respect for private and family life;
in the presence of information on violation of the requirements of the legislation on personal data protection in the messages published in mass media
information published on the Internet;
substantiated appeals of individuals and legal entities with a notification of violation by an individual, an individual - an entrepreneur,
enterprise, institution and organization of all forms of ownership, public authority or local government, which are the owners and / or
personal data managers of the requirements of the legislation on personal data protection;
detection of inaccuracy in the information (data) provided by the subject of inspection at the written request of the Commissioner for the implementation of the exit
verification, and / or if such information (data) does not allow to assess the compliance of the subject of verification with the requirements of the legislation on personal data protection;
control over the execution by the subject of verification of instructions on elimination of violations of the requirements of the legislation on protection of personal data issued for
the results of inspections.
5. Registration of inspection results
5.1. Based on the results of the scheduled or unscheduled inspection, the Commissioner and / or the authorized official shall make two copies.
the act of verification of compliance with the requirements of the legislation on personal data protection (hereinafter - the Act) in the form in accordance with Annex 1 to this Procedure.
5.2. The act must contain the following information:
date, time and place of compilation;
positions, names and initials of the persons who conducted the inspection;
position, surname and initials of the head (the person authorized by him) or surname and initials of the natural person of the subject of inspection;
type of inspection (scheduled, unscheduled, on-site, off-site);
for the subject of inspection - the body of state power and local self-government: name, location;
for the subject of inspection - legal entity: name, location;
for the subject of inspection - a natural person and / or a natural person - entrepreneur: surname, name and patronymic, place of residence;
data on the date, time of the beginning and time of the end of the inspection, its total duration;
facts (circumstances) established by the results of the inspection;
conclusion on the results of the inspection.
When drawing up the Act, the objectivity and completeness of the description of the revealed facts and data must be observed.
5.3. The act must contain one of the following conclusions:
about the absence in the activity of the subject of verification of violations of the requirements of the legislation on personal data protection;
about the violations of the requirements of the legislation on personal data protection revealed in the activity of the subject of inspection, their detailed description with reference to the norms
current legislation that have been violated.
It is prohibited to enter in the inspection report information about violations that have not been documented.
5.4. The Act sets out all the facts of non-compliance (improper performance) revealed during the inspection by the subject of inspection of the requirements of the legislation on
protection of personal data.
5.5. In case the subject of inspection does not provide the documents necessary for the inspection, a record shall be made in the Act indicating the reasons.
5.6. On-site inspection
5.6.1. Based on the results of the on-site inspection, the Act is drawn up in two copies, which is signed by the Commissioner or the Commissioner.
the official (persons) who conducted the inspection and the head of the subject of inspection or a person authorized by him.
5.6.2. If the subject of inspection does not agree with the Act, he signs it with comments. Remarks of the subject of inspection on implementation
authorized officials of control over compliance with the requirements of the legislation on personal data protection are an integral part of the Act. At
to this end, on the last page of all copies of the Act, an entry shall be made: "With remarks".
In case of refusal of the head of the subject of inspection or the person authorized by him to sign the Act, the authorized official shall add to such Act
corresponding entry.
5.6.3. The first copy of the Act shall be handed over to the head of the subject of inspection or to the person authorized by him, about which he (she) shall sign the second
a copy of the Act, which is kept in the Secretariat of the Commissioner.
In case of refusal of the head of the subject of inspection or the person authorized by him to receive the second copy of the Act he will be sent to the subject of inspection
within 5 working days by registered letter with acknowledgment of receipt.
The copy of the Act, which is stored in the Secretariat of the Commissioner, must be accompanied by verification materials - copies of documents, extracts from
documents duly certified by the subject of inspection, explanations, protocols and other documents.
5.7. Off-site inspection
5.7.1. Based on the results of the on-site inspection, an Act shall be drawn up in two copies, which shall be signed by the Commissioner and / or the Commissioner.
the official (persons) who conducted the inspection. The first copy is sent to the subject of inspection for review, and the second is stored in
Secretariat of the Commissioner.
5.7.2. The copy of the Act, which is kept in the Secretariat of the Commissioner, is accompanied by verification materials - copies of documents, extracts from documents,
duly certified by the subject of inspection, explanations, protocols and other documents.
5.8. Any corrections and additions to the Inspection Act after its signing are not allowed. About detection of mistakes after signing of the Act
inspection the subject of inspection shall be notified in writing.
5.9. Any information that became known to the Commissioner and / or the authorized official (persons) during the inspection is not subject to
disclosure.
5.10. On the basis of the Act of verification, during which a violation of the requirements of the legislation on personal data protection was revealed, an order on
elimination of violations of the requirements of the legislation in the field of personal data protection, revealed during the inspection , in the form in accordance with Annex 2 to this Procedure
(hereinafter - the prescription).
5.11. The prescription states:
number, date and place of the order;
for the subject of inspection - the body of state power and local self-government: name, location;
for the subject of inspection - legal entity: name, location, surname, name and patronymic of the head of the legal entity;
for the subject of inspection - a natural person and / or a natural person - entrepreneur: surname, name and patronymic, place of residence;
grounds for issuing an order;
measures are necessary to eliminate the violations revealed during the inspection;
term of execution of the instruction;
term of informing the subject of inspection of the Commissioner about elimination of the revealed violation;
signature of the authorized official (persons) who conducted the inspection.
5.12. The order is made in two copies: the first copy no later than 5 working days from the date of the Act of inspection is sent to the subject
inspection or the person authorized by him by registered letter with acknowledgment of receipt, and the second copy shall remain with the Secretariat.
The Commissioner.
A copy of the order, which remains in the Secretariat of the Commissioner, shall be marked with the appropriate source number and date of dispatch.
5.13. The subject of inspection must take measures to eliminate violations within the period specified in the order (not less than 30 calendar days),
specified in the order, and to inform the Commissioner in writing about the elimination of violations together with the provision of copies of documents confirming this.
5.14. Control over the timeliness and completeness of compliance with the requirements specified in the order is carried out by examining the specified copies of documents and, in the case of
if necessary, by conducting an unscheduled inspection.
5.15. In case of non-fulfillment of the instruction within the term specified therein, the Authorized Person or the authorized official shall draw up a report on
administrative offense provided for in Article 188 40 of the Code of Ukraine on Administrative Offenses (hereinafter - KUpAP) in the form and in the manner
provided by the legislation and the Procedure for registration of materials on administrative offenses.
5.16. In case of detection during the inspection of the administrative offense committed by the subject provided by Article 188 39 or Article 188 40 of the Code of Administrative Offenses
inspection, the Authorized or authorized official in accordance with paragraph 1 of the first part of Article 255 of the Code of Administrative Offenses draws up a report on
administrative offense in the form and in the manner prescribed by law and the Procedure for registration of materials on administrative
offense.
5.17. In case of detection of signs of a criminal offense during the inspection of the subject of inspection, the Commissioner shall send the necessary materials to
law enforcement agencies.
6. Rights and obligations of the authorized official and officials of the subject of inspection
6.1. The authorized official during the inspection has the right to:
6.1.1. Unobstructed access to the object of inspection on the basis of an identity card and have unimpeded access to places of storage of information, including
including computers, magnetic media, etc.
6.1.2. Receive on request and have access to any information (documents) of owners or controllers of personal data that are necessary
to control the protection of personal data, including access to personal data, relevant databases or files,
restricted information.
If the document exists only in electronic form, provided that the document is created by the subject of inspection, the subject of inspection is obliged
provide a paper copy of it, providing a visual form of display of the document, certified by the subject of inspection in the manner prescribed by law
order. If it is impossible to provide a paper copy that provides a visual form of display of the document, an electronic document is reviewed,
about what the act of review of the electronic document on the form according to appendix 3 to this Procedure is made.
6.1.3. Receive certified copies of documents in the manner prescribed by law.
6.1.4. To demand, within the limits of its competence, from the head and / or officials of the subject of the inspection to provide written explanations certified by the signature.
6.1.5. Apply in connection with the exercise of their powers and in accordance with the law to the prosecutor's office and other law enforcement agencies.
6.1.6. Draw up and sign instructions on the prevention or elimination of violations of personal data protection legislation.
6.1.7. Draw up and sign protocols on bringing to administrative responsibility for identified violations of protection legislation
personal data;
6.1.8. Involve persons present at the detection of the offense to draw up reports.
6.2. The authorized official during the inspection is obliged to:
6.2.1. Fully, objectively and impartially carry out the inspection within the defined powers;
6.2.2. Inform the head of the subject of inspection or the person authorized by him about his responsibilities and powers, the reason and purpose of the inspection, rights,
responsibilities of the head and officials of the subject of inspection;
6.2.3. To acquaint the head of the subject of inspection or the person authorized by him with the results of the conducted inspection and / or the protocol on
administrative offenses;
6.2.4. Determine the list of documents required for verification and deadlines for their submission;
6.2.5. Properly draw up the results of inspections;
6.2.6. Strictly adhere to the requirements for drawing up protocols on administrative offenses, defined by the Procedure for registration of materials on
administrative offenses.
6.3. Officials of the subject of inspection, including the head of the subject of inspection or the person authorized by him, during the inspection have
right:
6.3.1. Check the presence of the authorized official (persons) of the service certificate and the grounds for the inspection;
6.3.2. Be present during the inspection;
6.3.3. To receive and get acquainted with the results of the inspection with the Act and / or the protocol on administrative offense;
6.3.4. Provide in writing their explanations and comments to the Act and / or protocol on administrative offenses;
6.3.5. To appeal in the order established by the law illegal actions of the authorized official (persons).
6.4. Officials of the subject of inspection, including the head of the subject of inspection or the person authorized by him, during carrying out inspection are obliged:
6.4.1. Unobstructed access to the authorized official (persons) to the object of inspection and provide access to documents and other materials,
required for the inspection;
6.4.2. Provide the necessary documents and other information, signed written explanations, as well as certified by law
the procedure for copying the documents required for the inspection;
6.4.3. Comply with the requirements of the authorized official (persons) on compliance with the requirements of the legislation on personal data protection.

Appendix 1

ACT
checks of observance of the legislation on protection of personal data
Annex 2

ORDER
on elimination of violation of the requirements of the legislation in the field of personal data protection revealed during the inspection
Annex 3

ACT
review of the electronic document

APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

Order
notification of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights on the processing of personal data,
which poses a special risk to the rights and freedoms of personal data subjects, about structural
the unit or responsible person that organizes the work related to the protection of personal data in them
processing, as well as disclosure of this information
1. General provisions
1.1. This Procedure establishes the procedure and approves the form of notification of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights (hereinafter Commissioner) on the processing of personal data, which poses a special risk to the rights and freedoms of personal data subjects, on the change of information,
subject to notification, and about the structural unit or responsible person that organizes the work related to the protection of personal data in
their processing, as well as the publication of this information on the official website of the Commissioner.
1.2. For the purposes of this Procedure, the processing of personal data, which poses a special risk to the rights and freedoms of subjects - is any action or combination
actions, namely the collection, registration, accumulation, storage, adaptation, modification, renewal, use and distribution (distribution, implementation,
transfer), depersonalization, destruction, including with the use of information (automated) systems, which is carried out in relation to personal data
about:
- racial, ethnic and national origin;
- political, religious or ideological beliefs;
- membership in political parties and / or organizations, trade unions, religious organizations or public organizations of worldview
orientation;
- health status;
- sexual life;
- biometric data;
- genetic data;
- bringing to administrative or criminal responsibility;
- application of pre-trial investigation measures against the person;
- taking measures against the person, provided by the Law of Ukraine "On operational and investigative activities" ;
- committing certain types of violence against a person;
- location and / or means of movement of the person.
Other terms in this Procedure are used in the meaning given in the Law of Ukraine "On Personal Data Protection" (hereinafter - the Law).
2. Procedure and form of notification of the Commissioner on the processing of personal data, which poses a special risk to rights and freedoms
personal data subjects
2.1. The owner of personal data notifies the Commissioner of the implementation of any types of processing of personal data that constitute
special risk to the rights and freedoms of personal data subjects, unless:
2.1.1. processing is carried out, the sole purpose of which is to maintain a register to provide information to the public, which is open to the general population;
2.1.2. processing is carried out by public associations, political parties and / or organizations, trade unions, associations
employers, religious organizations, public organizations of ideological orientation, provided that the treatment concerns only personal
data of members of these associations and is not transferred without their consent;
2.1.3. processing is necessary for the implementation of the rights and responsibilities of the owner of personal data in the field of labor relations in accordance with
the law.
2.2. For the purpose of notifying the Commissioner, the owner of personal data shall submit to the Secretariat of the Commissioner a completed application form in the form
given in Annex 1, within the time limits established by law. Each page of the application must be numbered and sealed (if any) and
signed by an authorized person.
2.3. The owner of personal data notifies the Commissioner by letter to the address of the Secretariat of the Commissioner: st. Institutskaya, 21/8; m. Kyiv,
01008, or in another way accessible to the applicant (by fax, e-mail, through a box specially placed on the 1st floor of the Secretariat
Commissioner). If the application is sent by e-mail, the application must be scanned.
2.4. The application must contain information on:
2.4.1. Owners of personal data:
- Name, registration number of the taxpayer's account card, passport data, place of residence for an individual;
- name, USREOU code, registration address and / or location for the legal entity.
2.4.2. Personal data controller:
- Name, registration number of the taxpayer's account card, passport data, place of residence for an individual;
- name, USREOU code, registration address and / or location for the legal entity.
2.4.3. Processing of personal data specified in item 1.2. :
- personal data being processed;
- the purpose of personal data processing (with reference to regulations, regulations, constituent or other documents governing the activity
owner of personal data);
- category or categories of subjects whose personal data are processed;
- third parties to whom personal data of subjects are transferred;
- cross-border transfer of personal data;
- place (actual address) of personal data processing;
- a general description of the technical and organizational measures taken by the owner of personal data to ensure their protection.
2.5. Applicants shall keep a copy of the application submitted to the Secretariat of the Commissioner.
2.6. The Commissioner in the order of priority of applications, except for the situations specified in paragraph 2.9., Publishes on the official website
The Commissioner is specified in item 2.4. information in a separate section "Notification of the processing of personal data, which is a special risk
for the rights and freedoms of personal data subjects. "
2.7. Applications received by the Commissioner are stored in the archive / electronic archive of the Secretariat of the Commissioner in the manner and within the time limits,
established by law.
2.8. The application is considered not to have been submitted and is not accepted for consideration if:
- the application form does not correspond to that defined in Annex 1;
- the application contains incomplete and obviously unreliable information;
- the information contained in the application does not contain information that would indicate that the owner of personal data is processing personal
data, which poses a special risk to the rights and freedoms of personal data subjects.
2.9. Information about the owner of personal data who sent the application specified in paragraph 2.8. The procedure, indicating the relevant grounds, shall be made public
on the official website of the Commissioner in a separate section "Applications not accepted for consideration".
2.10. Statements specified in clause 2.8. Procedure, are formed in separate cases marked "Applications not accepted for consideration" and stored for six months from
further destruction in the manner prescribed by the legislation of Ukraine.
3. Procedure and form of notification of the Commissioner about the change of information in the process of personal data processing, which is a special
risk to the rights and freedoms of personal data subjects
3.1. The owner of personal data who has informed the Commissioner about the processing of personal data, which poses a special risk to the rights and
freedoms of personal data subjects, in the manner prescribed by paragraphs. 2.1.-2.5. of this Procedure, notifies the Commissioner of any change in the information specified
in item 2.4.
3.2. To this end, the holder of personal data shall submit to the Secretariat of the Commissioner a completed application form in the form set out in Annex 2, in
within the time limits established by the Law , according to the rules specified in paragraphs 2.2-2.3 of this procedure.
3.3. Authorized in the order of priority of receipt of applications specified in paragraph 3.2. The procedure shall be published on the official website of the Commissioner
information on changes in the information sent in the application in the section "Notification of the processing of personal data, which poses a special risk
for the rights and freedoms of personal data subjects. "
3.4. Applications received by the Commissioner are stored in the archives of the Secretariat of the Commissioner in the manner and within the time limits established by law.
3.5. The application is considered not to have been submitted and is not accepted for consideration in the following cases:
- the application form does not correspond to that defined in Annex 2;
- the application contains incomplete or obviously inaccurate information.
3.6. Applicants shall keep a copy of the application submitted to the Secretariat of the Commissioner.
3.7. Information about the owner who sent the application specified in paragraph 3.5. The procedure, indicating the relevant grounds, shall be published on the official website.
the Commissioner's website in a separate section "Applications not accepted for consideration".
3.8. Applications referred to in paragraph 3.5. Are formed in separate cases marked "Applications not accepted for consideration" and stored for six months from
further destruction in the manner prescribed by the legislation of Ukraine.
4. Procedure and form of notification of the Commissioner on termination of personal data processing, which poses a special risk to the rights and
freedoms of personal data subjects
4.1. The owner of personal data who has informed the Commissioner about the processing of personal data, which poses a special risk to the rights and
freedoms of personal data subjects, in the manner prescribed by paragraphs. 2.1.-2.5. of this Procedure, notifies the Commissioner of the termination of such processing
personal data.
4.2. For this purpose, the owner of personal data submits to the Secretariat of the Commissioner within 10 days from the termination of processing
form application the form set out in Schedule 3, the rules provided for in paragraphs 2.2.- 2.3. of this Order.
4.3. The Commissioner in the order of priority of receipt of applications specified in paragraph 4.2. The procedure shall be published on the official website of the Commissioner
information on termination of personal data processing by the owner of personal data, which poses a special risk to the rights and freedoms of subjects
personal data, in a separate section "Notification of the processing of personal data, which poses a special risk to rights and freedoms
personal data subjects ".
4.4. Applications received by the Commissioner are stored in the archives of the Secretariat of the Commissioner in the manner and within the time limits established by law.
5. Notification of the structural unit or responsible person who organizes the work related to the protection of personal data in their
processing and disclosure of such information
5.1. Public authorities, local governments, as well as owners or controllers of personal data that process
personal data, information about which is subject to notification to the Commissioner in accordance with this Procedure, notify the Commissioner of
creation of a structural subdivision or appointment of a responsible person who organizes the work related to the protection of personal data during their processing
(hereinafter - the structural unit or responsible person).
5.2. To this end, the entities specified in paragraph 5.1. In accordance with the procedure, a completed application form shall be submitted to the Secretariat of the Commissioner in the form provided in
Annex 4, with all supporting documents, within 30 days from the establishment of the structural unit or the appointment of a responsible person for
the rules specified in paragraphs 2.2.-2.3. of this Order.
5.3. The Commissioner in the order of priority of receipt of applications specified in paragraph 5.2. The procedure shall be published on the official website of the Commissioner sent
information in a separate section "Information about the structural unit or responsible person who organizes the work related to the protection of personal
data during their processing ".
5.4. In case the owner sends a notice of termination of personal data processing, which poses a special risk to rights and freedoms
personal data subjects specified in clause 5.3. the information is deleted from the official website of the Commissioner.

Appendix 1

Statement
on the processing of personal data, which poses a special risk to the rights and freedoms of personal data subjects
Annex 2

Statement
on the change of information on the processing of personal data, which poses a special risk to the rights and freedoms of subjects
personal data
Annex 3

Statement
on the termination of the processing of personal data, which poses a special risk to the rights and freedoms of subjects
personal data
Annex 4

Statement
about the structural unit or responsible person that organizes the work related to the protection of personal data
during their processing

Social services and bookmarks:
Facebook

Twitter

LinkedIn

Telegram

To the post office

Remember

Software and technical support - Management
computerized systems

Information content - Database Department

All documents

Groups of documents

Legal classification

New arrivals

Distribution by VRU committees

Calendar of official holidays in Ukraine

Popular documents

Terminology of legislation

Terms of use

Primary legislation

Thesaurus "EUROVOC"

Contact Information

regulatory information

BETA

Some functions are in test mode.
If you see an error in the text, select it with the mouse and
press Ctrl-Enter. We will be grateful!
All content is available under a Creative Commons license
Attribution 4.0 International license, if not specified
other

© The Verkhovna Rada of Ukraine 1994-2021

