Page 1

COMMISSIONER OF THE VERKHOVNA RADA OF UKRAINE ON HUMAN RIGHTS

ORDER
08.01.2014 № 1 / 02-14

About the statement of documents in the field of protection of personal
data
In compliance with the requirements of Articles 6 , 9 , 22 , 23 , 24 of the Law of Ukraine "On Personal Protection
data » I ORDER:
approve the following:
- Typical procedure for processing personal data ;
- Procedure for exercising control over the Commissioner for Human Rights of the Verkhovna Rada of Ukraine
compliance with legislation on personal data protection ;
- The procedure for notifying the Commissioner of the Verkhovna Rada of Ukraine for Human Rights about
processing of personal data, which poses a special risk to the rights and freedoms of subjects
personal data, about the structural unit or the responsible person who organizes
work related to the protection of personal data during their processing, as well as disclosure
specified information .
Authorized
The Verkhovna Rada of Ukraine
on human rights

VV Lutkovskaya

APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

TYPICAL ORDER
PROCESSING OF PERSONAL DATA
1. General provisions
1.1. This Procedure for personal data processing (hereinafter - the Procedure) defines the general
requirements for the processing and protection of personal data of personal data subjects that
are processed in whole or in part with the use of automated means, as well as
personal data contained in the file or intended for inclusion in the file, with
using non-automated means.
1.2. Owners, managers of personal data independently determine the order
personal data processing, taking into account the specifics of personal data processing in different
areas, in accordance with the requirements of the Law of Ukraine "On Personal Data Protection"
(hereinafter - the Law) and this Procedure.
1.3. The requirements of this Procedure are taken into account when developing codes of conduct for
processing of personal data by professional, self-governing and other public
associations or legal entities in accordance with Article 27 of the Law .
2. Requirements for personal data processing
2.1. The owner determines:
1) purpose and grounds for personal data processing;
2) categories of personal data subjects;
3) the composition of personal data;
4) the procedure for processing personal data, namely:
- method of collecting, accumulating personal data;
- term and conditions of personal data storage;
- conditions and procedure for changing, deleting or destroying personal data;
- conditions and procedure for the transfer of personal data and a list of third parties to whom they may
transfer personal data;
- the procedure for access to personal data of persons processing, as well as entities
personal data;
- measures to ensure the protection of personal data;
- the procedure for storing information about transactions related to the processing of personal data
and access to them.
2.2. In cases provided by law, the owner also determines the responsibilities and rights of persons
responsible for the organization of work related to the protection of personal data during them
processing.
2.3. Processing procedures, processing time and composition of personal data must be
proportional to the purpose of processing.
2.4. The purpose of the processing of personal data must be clear and lawful.
2.5. The purpose of the processing of personal data must be determined before they are collected.
2.6. In the event of a change in the defined purpose of personal data processing to a new purpose, which is
incompatible with the previous, for further data processing, the owner of personal data,
except in cases specified by law, must obtain the consent of the subject of personal
data for processing his data in accordance with the new purpose.
2.7. The processing of personal data is carried out by the owner of personal data only for
with the consent of the personal data subject, except in cases where such consent is not required
By law.
2.8. The consent of the subject to the processing of his personal data must be voluntary and
informed. Consent may be given by the subject in writing or electronically
will be able to draw a conclusion about its provision. Documents (information) confirming the provision
the subject of consent to the processing of his personal data, stored by the owner for a period of time
processing of such data.
2.9. The owner of personal data, except as provided by the legislation of Ukraine,
informs the subject of personal data about the composition and content of the collected personal data, his
the rights defined by law , the purpose of collecting personal data and third parties to whom they are transferred
his personal data:
- at the time of collection of personal data, if personal data are collected from the subject
personal data;
- in other cases within thirty working days from the date of collection of personal data.
The owner keeps the information (documents) confirming the provision to the applicant
the above information throughout the period of personal data processing.
2.10. Personal data is processed in a form that allows the identification of an individual,
to which they relate, within a period not exceeding that required by the purpose of their processing. IN
in any case, they are processed in a form that allows the identification of the individual whose
they apply, no longer than provided by the legislation in the field of archives and
office work.
2.11. In case of detection of information about a person that does not correspond to reality, such information
must be changed or destroyed immediately.
2.12. The personal data subject has the right to make a reasoned request to the owner
personal data to prohibit the processing of their personal data (parts thereof) and / or
changes in their composition / content. This requirement is considered by the owner within 10 days from the date
receiving.
2.13. If the results of consideration of such a requirement revealed that the personal data of the subject
(part of them) are processed illegally, the owner stops processing personal data
subject (their parts) and informs the subject of personal data.
If the results of consideration of such a requirement revealed that the personal data of the subject (their
part) are unreliable, the owner stops processing personal data of the subject
parts) and / or changes their composition / content and informs the personal data subject.
2.14. If the requirement is not subject to satisfaction, the subject is given a reasoned response
regarding the lack of grounds for its satisfaction.
2.15. The subject of personal data has the right to withdraw consent to the processing of personal data
data without stating the reasons, if the only basis for processing is the consent of the subject
personal data. From the moment of withdrawal of consent, the owner is obliged to stop processing
personal data.
2.16. Deletion and destruction of personal data is carried out in an exclusive way
further possibility to update such personal data.
2.17. Procedure for access to personal data of the personal data subject and third parties
determined by Articles 16-17 of the Law .
2.18. The owner informs the subject of personal data about the actions with his personal
data under the conditions specified in Article 21 of the Law .
3. Protection of personal data
3.1. The owner, the controller of personal data take measures to ensure
protection of personal data at all stages of their processing, including through
organizational and technical measures.
3.2. The owner, the controller of personal data independently determines the list and structure
measures aimed at the security of personal data processing, taking into account the requirements
legislation in the areas of personal data protection, information security.
3.3. The protection of personal data includes measures aimed at preventing them
accidental loss or destruction, illegal processing, including illegal destruction or
access to personal data.
3.4. Organizational activities include:
- determining the procedure for access to personal data of employees of the owner /
manager;
- determining the order of accounting operations related to the processing of personal data
subject and access to them;
- development of an action plan in case of unauthorized access to personal data,
damage to technical equipment, emergencies;
- regular training of employees who work with personal data.
3.5. The owner / manager keeps records of employees who have access to personal
data subjects. The owner / manager determines the level of access of these employees to
personal data of subjects. Each of these employees has access to only those
personal data (their parts) of the subjects that he needs in connection with the implementation of their
professional or official or labor duties.
3.6. All other employees of the owner / manager are entitled to complete information only
regarding their own personal data.
3.7. Employees who have access to personal data give a written commitment
on non-disclosure of personal data entrusted to them or which became known to them in connection
with the performance of professional or official or labor duties.
3.8. The date of granting the right of access to personal data is the date of granting
obligations of the relevant employee.
3.9. The date of deprivation of the right to access personal data is the date of release
employee, the date of transfer to a position where the performance of duties is not related to processing
personal data.
3.10. In the case of dismissal of an employee who had access to personal data, or
transferring him to another position that does not involve working with personal data of subjects,
measures are taken to prevent such a person from accessing personal data, and
documents and other media containing personal data of subjects are transferred to another
employee.
3.11. The owner / manager keeps records of transactions related to the processing of personal
data of the subject and access to them. For this purpose, the owner / manager retains
information about:
- date, time and source of personal data collection of the subject;
- change of personal data;
- viewing personal data;
- any transfer (copying) of personal data of the subject;
- date and time of deletion or destruction of personal data;
- an employee who performed one of these operations;
- purpose and grounds for change, review, transfer and removal or destruction of personal
data.
The owner / controller of personal data independently determines the retention procedure
information on transactions related to the processing of personal data of the subject and access to them.
In the case of processing personal data of subjects using an automated system is as follows
the system automatically captures the specified information. This information is stored by the owner /
by the administrator within one year from the end of the year in which it was carried out
these operations, unless otherwise provided by the legislation of Ukraine.
3.12 Requirements for accounting and storage of information about the review of personal data no
applies to owners / administrators who process personal data in
register, which is open to the general public.
3.13. Personal data, depending on the method of storage (paper, electronic media) have
be processed in such a way as to prevent access to them by third parties.
3.14. In order to ensure the security of personal data processing, special ones are used
technical protection measures, including the exclusion of unauthorized access to
personal data processed and the work of the technical and software complex, for
by which personal data is processed.
3.15. In public authorities, local governments, as well as the owners
or personal data controllers who process personal data, which
subject to notification in accordance with the Law , a structural one is created (determined)
unit or responsible person who organizes work related to the protection of personal
data during their processing.
3.16. Information about the structural unit or responsible person organizing
work related to the protection of personal data during their processing is reported
To the Commissioner for Human Rights of the Verkhovna Rada of Ukraine in accordance with the Law.
3.17. The responsible person / structural unit performs the following tasks:
- informs and advises the owner or controller of personal data on issues
compliance with legislation on personal data protection;
- interacts with the Commissioner for Human Rights of the Verkhovna Rada of Ukraine and designated by him
officials of its Secretariat for the Prevention and Elimination of Violations
legislation on personal data protection.
3.18. In order to perform these tasks, the responsible person / structural unit:
- ensures the implementation of the rights of personal data subjects;
- has access to any data processed by the owner / administrator
and to all premises of the owner / manager where such processing is carried out;
- in case of violations of the legislation on personal data protection and / or this
The procedure informs the head of the owner / manager in order to take the necessary
measures;
- analyzes threats to the security of personal data.
3.19. Requirements of the responsible person for measures to ensure the safety of processing
personal data are mandatory for all employees who process
personal data.
3.20. The facts of violations of the process of processing and protection of personal data must be
documented by the responsible person or structural unit that
organizes work related to the protection of personal data during their processing.
3.21. Interaction with the Commissioner of the Verkhovna Rada of Ukraine for Human Rights is carried out in
in accordance with the procedure established by the Law and the Law of Ukraine “On the Commissioner of the Verkhovna Rada
Of Ukraine on human rights " .
3.22. Organization of work related to the protection of personal data during their processing, those
owners / managers who are not subject to the requirements of part two of Article 24 of the Law ,
relies directly on those persons who process personal data, or, in
if necessary, - to separate structural divisions or officials.

APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

Order
implementation by the Commissioner of the Verkhovna Rada of Ukraine for Rights
human control over compliance with protection legislation
personal data
1. General provisions
1.1. This Procedure establishes the procedure for implementation by the Commissioner of the Verkhovna Rada
Of Ukraine for Human Rights (hereinafter - the Commissioner) control over compliance with the law
on protection of personal data by conducting inspections of individuals, individuals entrepreneurs, enterprises, institutions and organizations of all forms of ownership, public authorities
and local governments that own and / or manage personal data
(hereinafter - the subject of inspection), as well as registration and consideration of inspection results.
1.2. In this Procedure, the terms are used in the following meaning:
on-site inspection - scheduled or unscheduled inspection of the subject of inspection
Authorized and / or officials authorized by him, which is held in
premises of the Secretariat of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights on the basis of
documents and explanations received from the subject of inspection without leaving the location
the subject of verification and / or at the place of personal data processing;
on-site inspection - scheduled or unscheduled inspection of the subject of inspection
Authorized and / or officials authorized by him, which is conducted by
the location of the subject of inspection and / or directly at the place of processing of personal
data;
scheduled inspection - inspection of the activities of the subject of inspection, which is carried out on the basis
the plan of inspections for the relevant quarter and year;
unscheduled inspection - inspection of the subject of inspection, which is not provided for in the plan
conducting inspections.
inspection report - an official document certifying the fact of inspection of activities
the subject of inspection and the state of compliance with the requirements of the legislation on personal protection
data;
prescription (requirement) is a mandatory written requirement within a specified period
Commissioner for elimination of violations of the requirements of the legislation on personal protection
data, which is handed over (sent) to the subject of verification.
Other terms in this Procedure are used in the meaning given in the Law of Ukraine "About
protection of personal data " .
2. Organization and conduct of inspections
2.1. Control over the observance by the subjects of inspection of the legislation on personal protection
data is carried out by the Commissioner and / or officials authorized by him by
conducting inspections: scheduled, unscheduled, on-site and off-site. Scheduled and unscheduled
inspections can be on-site and off-site.
The subject of the inspection is the observance by the subject of the inspection during the processing
personal data requirements of the Constitution of Ukraine , the Law of Ukraine "On protection of personal
data ", the Standard order of personal data processing, as well as current international
agreements of Ukraine in the field of personal data protection, the consent to the binding nature of which is given
The Verkhovna Rada of Ukraine.
2.2 The on-site inspection is carried out by the Commissioner and / or on the basis of the registered one issued by him
instructions from the following officials (hereinafter - authorized officials):
- Head of the Secretariat and his Deputy;
- Representatives of the Commissioner;
- heads of structural subdivisions of the Secretariat and their deputies;
- employees of the Secretariat of the Commissioner.
The power of attorney is issued in writing for the period specified therein.
2.3. They may be involved in the inspection in the manner prescribed by law
employees of public authorities, including public administration bodies, bodies
executive power and law enforcement agencies. In case of involvement of the specified persons they give
a written commitment not to disclose personal data that will become known to them in
the result of the inspection.
2.4. On-site inspections are carried out during the working hours of the subject of inspection, established
rules of internal labor regulations.
2.5. During the inspection, the Commissioner, the authorized official and the entity
inspections have the rights and obligations provided for in section 6 of this Procedure.
2.6. The subject of the inspection is obliged to provide access to the premises, materials and
documents required for the inspection, provide information and provide explanations
on the factual and legal basis of their actions and decisions and provide appropriate conditions for
verification of this information.
2.7. Off-site inspection is carried out in the manner prescribed by paragraphs. 3.1-3.6 of Section 3 of the Procedure
carrying out proceedings of the Commissioner of the Verkhovna Rada of Ukraine for Human Rights, p
taking into account the provisions of this Procedure by the Commissioner and / or authorized officials
persons.
3. Carrying out a scheduled inspection
3.1. Scheduled inspections are carried out in accordance with annual or quarterly plans, which
approved by the Commissioner by December 1 of the year preceding the planned year, or by the 25th
the last month of the quarter preceding the planned.
3.2. The plan indicates the categories of subjects of inspections. Plan for inspections after
its approval is posted on the official website of the Commissioner.
3.3. Scheduled inspections of the subject of inspection to comply with the requirements of the legislation in the field
protection of personal data is carried out at intervals of not more than once a year.
3.4. The date from which the countdown begins to determine the beginning of the next schedule
inspection, there is a date for the end of the previous scheduled inspection.
4. Carrying out an unscheduled inspection
4.1. Unscheduled inspections of the subjects of inspection may be carried out in the presence of one or
several reasons / reasons, in particular:
on the own initiative of the Commissioner;
at direct detection of violations of requirements of the legislation on protection of personal
data of the Commissioner, including as a result of research of system problems
on ensuring the right to privacy, respect for private and family life;
in the presence of information on violation of the requirements of the legislation on personal protection
data in messages published in the media published on the network
Internet;
substantiated appeals of individuals and legal entities with a notification of violation
natural person, natural person - entrepreneur, enterprise, institution and organization
all forms of ownership, a body of state power or local self-government that exists
owners and / or administrators of personal data of the requirements of the protection legislation
personal data;
detection of inaccuracy in the information (data) provided by the subject of inspection on
a written request of the Commissioner for an on-site inspection, and / or if any
information (data) does not allow to assess the compliance of the subject of the inspection with the requirements of the legislation
on personal data protection;
control over the fulfillment by the subject of inspection of instructions on elimination of violations of requirements
legislation on the protection of personal data issued as a result of inspections.
5. Registration of inspection results
5.1. Based on the results of the scheduled or unscheduled inspection, the Commissioner and /
or the authorized official draws up in two copies an act of verification of compliance with the requirements
legislation on personal data protection (hereinafter - the Act) in the form in accordance with Annex 1 to
of this Order.
5.2. The act must contain the following information:
date, time and place of compilation;
positions, names and initials of the persons who conducted the inspection;
position, surname and initials of the head (authorized person) or surname and initials
an individual of the subject of inspection;
type of inspection (scheduled, unscheduled, on-site, off-site);
for the subject of inspection - a body of state power and local self-government:
name, location;
for the subject of inspection - legal entity: name, location;
for the subject of inspection - a natural person and / or a natural person - entrepreneur: surname, name
and by father, place of residence;
data on the date, time of the beginning and time of the end of the inspection, its total duration;
facts (circumstances) established by the results of the inspection;
conclusion on the results of the inspection.
When drawing up the Act, the objectivity and exhaustiveness of the description of the identified must be observed
facts and figures.
5.3. The act must contain one of the following conclusions:
about the absence in the activity of the subject of inspection of violations of the requirements of the legislation on protection
personal data;
about violations of the requirements of the legislation on protection revealed in the activity of the subject of inspection
personal data, their detailed description with reference to the current legislation, which
violated.
It is prohibited to enter in the inspection report information about violations that have not been confirmed
documented.
5.4. The Act sets out all the facts of non - compliance (improper
execution) by the subject of verification of the requirements of the legislation on personal data protection.
5.5. In case the subject of inspection does not provide the documents required for the inspection
checks, in the Act the record about it with the indication of the reasons is made.
5.6. On-site inspection
5.6.1. Based on the results of the on-site inspection, the Act is drawn up in two copies,
which is signed by the Commissioner or the authorized official (persons) who
conducted an inspection, and the head of the subject of inspection or a person authorized by him.
5.6.2. If the subject of inspection does not agree with the Act, he signs it with comments.
Remarks of the subject of the inspection on the implementation by authorized officials
control over compliance with the requirements of the legislation on personal data protection is integral
part of the Act. Thus, on the last page of all copies of the Act the record becomes: "From
remarks ".
In case of refusal of the head of the subject of inspection or the person authorized by him to sign the Act
the authorized official shall make a corresponding entry in such Act.
5.6.3. The first copy of the Act is handed over to the head of the subject of inspection or the authorized person
him to the person about whom he (she) puts the signature on the second copy of the Act which is stored in
Secretariat of the Commissioner.
In case of refusal of the head of the subject of inspection or the person authorized by him to receive
the second copy of the Act it will be sent to the subject of inspection within 5 working days
by registered letter with acknowledgment of receipt.
A copy of the Act, which is kept in the Secretariat of the Commissioner, is mandatory
inspection materials are attached - copies of documents, extracts from documents, as appropriate
certified by the subject of inspection, explanations, protocols and other documents.
5.7. Off-site inspection
5.7.1. Based on the results of the on-site inspection, an Act is drawn up in two
copies signed by the Commissioner and / or the authorized official
(persons) who conducted the inspection. The first copy is sent to the subject for verification
acquaintance, and the second is stored in the Secretariat of the Commissioner.
5.7.2. A copy of the Act, which is kept in the Secretariat of the Commissioner, shall be attached
inspection materials - copies of documents, extracts from documents, duly certified
subject of inspection, explanations, protocols and other documents.
5.8. Any corrections and additions to the Verification Act after its signing are not
are allowed. About detection of mistakes after signing of the Act of check the subject of check
reported in writing.
5.9. Any information that has become known to the Commissioner and / or the Commissioner
official (persons) during the inspection, not subject to disclosure.
5.10. On the basis of the Act of inspection, during which a violation of the requirements of the legislation on
protection of personal data, there is an order to eliminate violations of the law
in the field of protection of personal data detected during the inspection , in the form in accordance with Annex 2
to this Procedure (hereinafter - the prescription).
5.11. The prescription states:
number, date and place of the order;
for the subject of inspection - a body of state power and local self-government:
name, location;
for the subject of inspection - legal entity: name, location, surname, name
and patronymic of the head of the legal entity;
for the subject of inspection - a natural person and / or a natural person - entrepreneur: surname, name
and by father, place of residence;
grounds for issuing an order;
measures are necessary to eliminate the violations revealed during the inspection;
term of execution of the instruction;
term of informing the subject of inspection of the Commissioner about elimination of the revealed
violation;
signature of the authorized official (persons) who conducted the inspection.
5.12. The order is made in two copies: the first copy no later than 5 workers
days from the date of drawing up the Act of inspection shall be sent to the subject of inspection or authorized by him
to the person by registered letter with acknowledgment of receipt, and the second copy remains
in the Secretariat of the Commissioner.
A copy of the order, which remains in the Secretariat of the Commissioner, shall be affixed
the corresponding source number and date of departure.

5.13. The subject of inspection must within the period specified in the order (not less than 30
calendar days) to take measures to eliminate the violations specified in the order, and in writing
to inform the Commissioner about the elimination of violations together with the provision of copies of documents,
that confirm this.
5.14. Control over the timeliness and completeness of compliance with the requirements specified in the order,
is carried out by studying the specified copies of documents and, if necessary, by
conducting an unscheduled inspection.
5.15. In case of non-compliance with the order within the period specified therein, the Commissioner or
the authorized official draws up a report on an administrative offense,
provided for in Article 18840 of the Code of Ukraine on Administrative Offenses(hereinafter КУпАП) in the form and in the order provided by the legislation and the Procedure of registration
materials on administrative offenses.
5.16. In case of detection during the inspection provided by Article 188 39 or Article 188 40
Administrative Code of an administrative offense committed by the subject of inspection, the Commissioner
or an authorized official in accordance with paragraph 1 of the first part of Article 255 of the Code of Administrative Offenses
draws up a report on an administrative offense in the form and in the manner prescribed
legislation and the Procedure for registration of materials on administrative offenses.
5.17. In case of detection during the inspection of the subject of inspection of signs of criminal
offense The Commissioner sends the necessary materials to law enforcement agencies.
6. Rights and obligations of the authorized official and officials of the subject of inspection
6.1. The authorized official during the inspection has the right to:
6.1.1. It is unimpeded to enter the object of inspection on the basis of the service certificate and to have
unimpeded access to information storage facilities, including computers,
magnetic media, etc.
6.1.2. Receive on request and have access to any information (documents)
owners or controllers of personal data that are necessary to exercise control over
ensuring the protection of personal data, including access to personal data,
relevant databases or files, information with limited access.
If the document exists only in electronic form, provided that the document
created by the subject of inspection, the subject of inspection is obliged to provide its paper copy that
provides a visual form of display of the document, certified by the subject of verification in
established by law. If it is impossible to provide a paper copy of that
provides a visual form of display of the document, an electronic review is performed
document, which is the act of review of the electronic document in the form according to
Annex 3 to this Procedure.
6.1.3. Receive certified copies of documents in the manner prescribed by law.
6.1.4. Require within its competence from the head and / or officials of the entity
verification of the provision of certified written explanations.
6.1.5. Apply in connection with the exercise of their powers and in accordance with the law
to prosecutor's offices, other law enforcement agencies.
6.1.6. Compose and sign instructions on prevention or elimination of violations
legislation on personal data protection.
6.1.7. Draw up and sign protocols on involvement in the administrative
liability for identified violations of personal data protection legislation;
6.1.8. Involve persons present at the detection of the offense to draw up reports.
6.2. The authorized official during the inspection is obliged to:
6.2.1. Carry out a full, objective and impartial inspection within the defined limits
powers;
6.2.2. Inform the head of the subject of inspection or the person authorized by him about his
responsibilities and powers, the reason and purpose of the inspection, the rights, responsibilities of the head and officials
persons of the subject of inspection;
6.2.3. To acquaint the head of the subject of inspection or the person authorized by him with
the results of the inspection and / or the protocol on administrative offenses;
6.2.4. Determine the list of documents required for verification and deadlines for their submission;
6.2.5. Properly draw up the results of inspections;
6.2.6. Strictly adhere to the requirements for drawing up administrative protocols
offenses defined by the Procedure for registration of administrative materials
offense.
6.3. Officials of the audited entity, including the head of the audited entity or
the person authorized by him, during the inspection have the right to:
6.3.1. Check the presence of an authorized official (persons) official
certificates and grounds for inspection;
6.3.2. Be present during the inspection;
6.3.3. Receive and get acquainted with the results of the inspection with the Act and /
or a protocol on an administrative offense;
6.3.4. Provide in writing their explanations and comments to the Act and / or protocol
on administrative offenses;
6.3.5. To appeal in the order established by the law illegal actions of the commissioner
official (persons).
6.4. Officials of the audited entity, including the head of the audited entity or
the person authorized by him, during the inspection are obliged to:
6.4.1. Unobstructed admission of the authorized official (persons) to the object of inspection and
provide access to documents and other materials required for the inspection;
6.4.2. Provide the necessary documents and other written information certified by the signature
explanations, as well as certified in the manner prescribed by law copies of documents that
inspections are required;
6.4.3. Comply with the requirements of the authorized official (persons) on compliance
requirements of the legislation on personal data protection.

Appendix 1

ACT
checks of observance of the legislation on protection of personal data
Annex 2

ORDER
on elimination of violation of requirements of the legislation in the field of protection
personal data found during the verification
Annex 3

ACT
review of the electronic document
APPROVED
Order of the Commissioner
The Verkhovna Rada of Ukraine
on human rights
08.01.2014 № 1 / 02-14

Order
notification of the Commissioner of the Verkhovna Rada of Ukraine for Rights
a person about the processing of personal data, which is
special risk for the rights and freedoms of personal subjects
data on the structural unit or responsible person that
organizes work related to the protection of personal data
during their processing, as well as the publication of this information
1. General provisions
1.1. This Procedure establishes the procedure and approves the notification form
Of the Commissioner for Human Rights of the Verkhovna Rada of Ukraine (hereinafter - the Commissioner) on processing
personal data, which poses a particular risk to the rights and freedoms of personal subjects
data, on the change of the information to be notified, and on the structural subdivision or
the responsible person who organizes the work related to the protection of personal data in them
processing, as well as publication of this information on the official website
The Commissioner.
1.2. For the purposes of this Procedure, the processing of personal data poses a special risk
for the rights and freedoms of subjects - is any action or set of actions, namely the collection, registration,
accumulation, storage, adaptation, modification, renewal, use and distribution
(distribution, sale, transfer), depersonalization, destruction, including using
information (automated) systems, which is carried out in relation to personal data on:
- racial, ethnic and national origin;
- political, religious or ideological beliefs;
- membership in political parties and / or organizations, trade unions, religious
organizations or public organizations of ideological orientation;
- health status;
- sexual life;
- biometric data;
- genetic data;
- bringing to administrative or criminal responsibility;
- application of pre-trial investigation measures against the person;
- taking measures against the person provided by the Law of Ukraine “On operative-search
activity " ;
- committing certain types of violence against a person;
- location and / or means of movement of the person.
Other terms in this Procedure are used in the meaning given in the Law of Ukraine “On
protection of personal data " (hereinafter - the Law).
2. Procedure and form of notification of the Commissioner on personal processing
data, which poses a particular risk to the rights and freedoms of personal data subjects
2.1. The owner of personal data shall notify the Commissioner of any
what types of personal data processing that pose a particular risk to rights and freedoms
personal data subjects, unless:
2.1.1. processing is carried out, the sole purpose of which is to maintain a register for the provision of information
the population, which is open to the general population;
2.1.2. processing is carried out by public associations, political parties and / or
organizations, trade unions, employers' associations, religious organizations,
public organizations of worldview orientation, provided that the processing applies
exclusively personal data of members of these associations and is not transferred without their consent;
2.1.3. processing is necessary to exercise the rights and perform the duties of the owner
personal data in the field of labor relations in accordance with the law.
2.2. For the purpose of notifying the Commissioner, the owner of personal data submits to
The Secretariat of the Commissioner shall complete the application form in the form set out in Annex 1, in
within the time limits established by law. Each page of the application must be numbered and
sealed (if any) and signed by an authorized person.
2.3. The owner of personal data notifies the Commissioner by letter to the address
Secretariat of the Commissioner: st. Institutskaya, 21/8; Kyiv, 01008, or other available
to the applicant in a way (by fax, e - mail, through a box specially placed on 1
floor of the Secretariat of the Commissioner). In case of sending the application by e-mail, the application
must be scanned.
2.4. The application must contain information on:
2.4.1. Owners of personal data:
- Name, registration number of the taxpayer's account card, passport data, place
accommodation for an individual;
- name, USREOU code, registration address and / or location for the legal entity
persons.
2.4.2. Personal data controller:
- Name, registration number of the taxpayer's account card, passport data, place
accommodation for an individual;
- name, USREOU code, registration address and / or location for the legal entity
persons.
2.4.3. Processing of personal data specified in item 1.2. :
- personal data being processed;
- the purpose of personal data processing (with reference to regulations, provisions,
constituent or other documents governing the activities of the owner of personal data);
- category or categories of subjects whose personal data are processed;
- third parties to whom personal data of subjects are transferred;
- cross-border transfer of personal data;
- place (actual address) of personal data processing;
- general description of technical and organizational measures carried out by the owner
personal data to ensure their protection.
2.5. Applicants shall keep a copy of the application submitted to the Secretariat of the Commissioner.
2.6. The Commissioner shall, in the order of receipt of applications, except for situations
specified in paragraph 2.9., publishes on the official website of the Commissioner referred to in paragraph 2.4.
information in a separate section "Notification of the processing of personal data that
poses a particular risk to the rights and freedoms of personal data subjects. "
2.7. Applications received by the Commissioner are stored in the archive / electronic archive
Secretariat of the Commissioner in the manner and within the time limits established by law.
2.8. The application is considered not to have been submitted and is not accepted for consideration if:
- the application form does not correspond to that defined in Annex 1;
- the application contains incomplete and obviously unreliable information;
- the information contained in the application does not contain information that would indicate that
the owner of personal data carries out the processing of personal data, which is
special risk for the rights and freedoms of personal data subjects.
2.9. Information about the owner of personal data who sent the application specified in paragraph 2.8.
The procedure, indicating the relevant grounds, shall be published on the official website
Commissioner in a separate section "Applications not accepted for consideration".
2.10. Statements specified in clause 2.8. The order is formed in separate cases with a stamp «Statements, no
accepted for consideration ", and stored for six months with subsequent destruction in
in the manner prescribed by the legislation of Ukraine.
3. Procedure and form of notification of the Commissioner about the change of information in the process
processing of personal data, which poses a special risk to the rights and freedoms of subjects
personal data
3.1. The owner of personal data who informed the Commissioner about the processing
personal data, which poses a particular risk to the rights and freedoms of personal subjects
data, in the manner prescribed by paragraphs. 2.1.-2.5. of this Procedure, informs the Commissioner about
each change of the information specified in item 2.4.
3.2. For this purpose, the owner of personal data submits to the Secretariat of the Commissioner
the completed application form according to the form given in Annex 2, within the deadlines set
By law , according to the rules specified in paragraphs 2.2-2.3 of this procedure.
3.3. Authorized in the order of priority of receipt of applications specified in paragraph 3.2. Okay,
publishes on the official website of the Commissioner information on changes in information,
sent in the application, in the section "Notification of the processing of personal data that
poses a particular risk to the rights and freedoms of personal data subjects. "
3.4. Applications received by the Commissioner are stored in the archives of the Secretariat of the Commissioner in
order and within the terms established by the legislation.
3.5. The application is considered not to have been submitted and is not accepted for consideration by such
cases:
Page 2

- the application form does not correspond to that defined in Annex 2;
- the application contains incomplete or obviously inaccurate information.
3.6. Applicants shall keep a copy of the application submitted to the Secretariat of the Commissioner.
3.7. Information about the owner who sent the application specified in paragraph 3.5. Order, with indication
the relevant grounds shall be published on the official website of the Commissioner in a separate
section "Applications not accepted for consideration".

3.8. The statements specified in item 3.5., Are formed in separate cases with a stamp «Applications which have not been accepted to
consideration "and stored for six months with subsequent destruction in the order
defined by the legislation of Ukraine.
4. Procedure and form of notification of the Commissioner on termination of processing
personal data, which poses a particular risk to the rights and freedoms of subjects
personal data
4.1. The owner of personal data who informed the Commissioner about the processing
personal data, which poses a particular risk to the rights and freedoms of personal subjects
data, in the manner prescribed by paragraphs. 2.1.-2.5. of this Procedure, informs the Commissioner about
termination of such processing of personal data.
4.2. For this purpose, the owner of personal data submits to the Secretariat of the Commissioner
within 10 days from the moment of termination of processing the application form is filled in the form,
given in Annex 3, according to the rules provided for in paragraphs 2.2.- 2.3. of this Order.
4.3. The Commissioner in the order of priority of receipt of applications specified in paragraph 4.2. Okay,
publishes information on termination on the official website of the Commissioner
the owner of personal data processing of personal data, which poses a special risk
for the rights and freedoms of personal data subjects, in a separate section "Notice of
processing of personal data, which poses a special risk to rights and freedoms
personal data subjects ".
4.4. Applications received by the Commissioner are stored in the archives of the Secretariat of the Commissioner in
order and within the terms established by the legislation.
5. Notification of the structural unit or responsible person organizing
work related to the protection of personal data during their processing, and the publication of such
information
5.1. Public authorities, local governments, as well as owners or
personal data managers who process personal data, information
which is subject to notification to the Commissioner in accordance with this Procedure, shall be reported
The Commissioner for the establishment of a structural unit or the appointment of a responsible person,
organizing work related to the protection of personal data during their processing (hereinafter structural unit or responsible person).
5.2. To this end, the entities specified in paragraph 5.1. The procedure is submitted to the Secretariat
The Commissioner filled in the application form in the form given in Annex 4, with all
supporting documents, within 30 days from the date of creation of the structural
subdivision or appointment of a responsible person according to the rules specified in paragraphs 2.2.-2.3.
of this Order.
5.3. The Commissioner in the order of priority of receipt of applications specified in paragraph 5.2. Okay,
publishes the information sent in a separate section on the official website of the Commissioner
"Information about the structural unit or responsible person who organizes the work,
related to the protection of personal data during their processing. "
5.4. In case the owner sends a notice of termination of processing
personal data, which poses a particular risk to the rights and freedoms of personal subjects
data specified in paragraph 5.3. the information is deleted from the official website of the Commissioner.

Appendix 1

Statement
on the processing of personal data, which poses a special risk
for the rights and freedoms of personal data subjects
Annex 2

Statement
on the change of information on the processing of personal data, which
poses a special risk to the rights and freedoms of personal subjects
data
Annex 3

Statement
on the termination of the processing of personal data, which is
special risk for the rights and freedoms of personal data subjects
Annex 4

Statement
about the structural subdivision or the responsible person organizing
work related to the protection of personal data during their processing
{Text taken from the website of the Verkhovna Rada of Ukraine Commissioner for Human Rights}

