Personal data processing policy
1. General Provisions
1.1. Business activities of JSC “Ukrposhta” (hereinafter referred to as Ukrposhta) involve the processing of personal data of users of postal services, its contractors and employees. Ukrposhta determines the priority obligation to process personal data exclusively on the grounds and in the manner prescribed by the legislation of Ukraine.
1.2. The purpose of the Policy of General Principles of Personal Data Processing of JSC “Ukrposhta” (hereinafter referred to as the Policy) is to ensure an appropriate level of accessibility, transparency and processing of personal data in the course of Ukrposhta’s business activities.
1.4. In this Policy, the terms are used in the meanings set out in the Laws of Ukraine “On Personal Data Protection”, “On Information”, “On Postal Communication”, the Rules for the Provision of Postal Communication Services, approved by the Resolution of the Cabinet of Ministers of Ukraine No. 270 of 05/03/2009 (as amended).
2. Scope and Validity of the Policy
2.1. The Policy shall be mandatory for application in Ukrposhta within the process of personal data processing and shall apply to all structural units of Ukrposhta.
2.2. The validity of the Policy shall not be limited. Ukrposhta shall have the right to make changes to the Policy, which it informs about by posting an updated version on the official website of Ukrposhta http://www.ukrposhta.ua (hereinafter referred to as the website).
3. Purpose of Personal Data Processing
The purpose of processing personal data by Ukrposhta shall be the provision of quality postal services to users of postal services (personal data subjects), processing of information that constitutes the profile of use of services, settlement of issues in the area of employment relations and in the course of business activities in the manner prescribed by law.
4. Principles of Personal Data Processing
4.1. Transparency of the Personal Data Processing Process
The Policy is published on Ukrposhta’s official website.
The grounds for processing personal data by Ukrposhta are:
- consent of the personal data subject to their processing;
- a transaction to which the personal data subject is a party or which is concluded in his/her favour;
- fulfilment of Ukrposhta’s obligations provided by law;
- protection of Ukrposhta’s legitimate interests, except when the need to protect the fundamental rights and freedoms of the personal data subject in connection with the processing of his/her data prevails over such interests.
The terms of processing and storage of personal data shall be determined considering the peculiarities of the processes of postal services, analysis of the quality of such services.
4.2. Accessibility of Personal Data
Personal data shall be available to the subject of these data and access to them shall be provided in the manner prescribed by the legislation on personal data protection.
4.3. Consent of the Personal Data Subject
Ukrposhta shall process personal data of personal data subjects in order to provide them with postal services on the basis of permission to process personal data granted in accordance with the Law of Ukraine “On Postal Communication” for the exercise of its powers and for the execution of a transaction to which the personal data subject is a party.
The subject may voluntarily provide Ukrposhta with consent to the processing of his/her personal data for the purpose of receiving advertising and information materials or for another purpose determined by Ukrposhta. The consent of the subject to the processing of his/her personal data shall be voluntary and informed. The consent may be provided by the subject in writing or electronically, which makes it possible to conclude that it has been provided. Documents (information) confirming the subject’s consent to the processing of his/her personal data shall be stored by Ukrposhta during the processing of such data.
The procedure for access to personal data of third parties is determined by the terms and conditions of the consent of the personal data subject provided to Ukrposhta for the processing of these data, or in accordance with the requirements of the law.
5. Features of Processing and Identification of Personal Data
5.1. Types of personal data processing
Personal data in Ukrposhta shall be processed with the use of automation tools or without the use of such tools, considering the peculiarities of the processes of providing postal services and the level of automation of such processes.
The procedure for processing, protection and access to personal data for various types of processing shall be determined by separate internal regulatory documents of the company.
5.2. Identification of personal data subjects when using Ukrposhta’s web resources
Users who use Ukrposhta’s web resources are personal data subjects only from the date of their registration on the web resource and consent to the processing of their personal data.
5.3. Processing of personal data of subjects who receive postal services
Legal entities are not subjects of personal data.
Personal data of users of postal services (individuals) shall be processed in accordance with this Policy and the law.
5.4. Use of information of the personal data subject
The information received from the user of postal services (personal data subject) shall be used for:
- creating an account by the user of postal services that uses Ukrposhta’s information resources (web resources);
- providing the service or function ordered by the user;
- communication with users in order to inform about personalised unique offers and promotions of Ukrposhta;
- evaluation and analysis of market demand, products and services provided by Ukrposhta;
- effective customer service;
- ensuring the update and technical support of services, including the mobile application;
- other purposes to the extent sufficient for the quality provision of services by Ukrposhta.
5.5. Restrictions on further transfer (distribution) of personal data
Ukrposhta shall transfer the information received from users of postal services (personal data subjects) as part of the provision of services to third parties in order to properly fulfil its obligations, in accordance with the requirements of the law, and to provide personalised notification to users of the relevant services in order to improve them and inform such users.
The transfer of personal data shall be possible only on a contractual basis, provided that they are properly stored and protected by the third party and/or the administrator, as well as a clear definition of his/her responsibility for ensuring proper protection during the processing of personal data, except as expressly provided by law. The agreement shall also define the composition of personal data to be transferred, the method and purpose of their processing, a set of organisational and technical protection measures to be taken by the third party (controller).
The transfer of personal data to foreign parties to relations for the purpose of processing abroad shall be carried out in compliance with the terms and conditions specified in Article 29 of the Law of Ukraine “On Personal Data Protection” (hereinafter referred to as the Law).
The transfer of personal data to third parties as part of the provision of postal services shall be carried out in the manner prescribed by the contractual obligations of Ukrposhta.
The distribution of personal data involves actions to transfer information about an individual with the consent of the personal data subject.
The distribution of personal data by Ukrposhta without the consent of the subject or his/her authorised person shall be allowed in cases determined by law and only (if necessary) in the interests of national security, economic welfare and human rights.
6. Rights and Obligations of the Personal Data Subject
6.1. Rights and obligations of the user of postal services – the personal data subject
The personal data subject shall have the right to receive information on the procedure for processing his/her personal data, as well as other rights specified in Article 8 of the Law.
The personal data subject shall act in accordance with the requirements of the legislation.
Ukrposhta shall not be responsible for the violation by the user of postal services of the legislation on personal data protection, including the distribution of personal data of persons on whose behalf and in whose interests they receive postal services.
6.2. The right to correct, destroy or block access to personal data
The personal data subject shall have the right to free correction or deletion (in whole or in part) of information about him/her in Ukrposhta’s information systems, in electronic versions of databases of Ukrposhta’s information and reference services in accordance with the procedure determined by Ukrposhta, in case they are incorrect, inappropriate or excessive or their storage is carried out beyond the time required to provide the relevant services. If the removal of such data is technically impossible or not provided for by law, then such data shall be protected from processing by blocking access to them or by other technically possible means.
6.3.Right of access to personal data
The personal data subject shall have the right to free access to data about him/her in accordance with the procedure determined by Ukrposhta.
The personal data subject shall have the right to request access to his/her personal data.
The request shall be executed in accordance with Article 16 of the Law.
Ukrposhta shall take the necessary measures to clarify all the circumstances set out in the request.
6.4. Appeal against the decision to postpone or deny access to personal data
Appeal against the decision to postpone or deny access to personal data shall be made in accordance with Article 18 of the Law.
6.5. Withdrawal of consent to personal data processing
The personal data subject shall have the right to withdraw consent to the processing of personal data by submitting a written request.
In case of withdrawal of consent to personal data processing, which was provided during registration in the personal account of Ukrposhta’s web resource, such personal account shall be deleted.
7. Processing and Protection of Personal Data
7.1. The processing and protection of personal data by Ukrposhta shall be based on a risk-oriented approach to prevent, detect and eliminate threats of unauthorised access to personal data and/or their illegal processing.
7.2. Ukrposhta shall ensure the protection of personal data processed as part of the provision of postal services in accordance with the requirements of the law, as well as the provisions of this Policy.
7.3. The Director General of Ukrposhta shall determine the persons and/or structural units responsible for the protection of personal data in accordance with the legislation and this Policy.
7.4. The responsibilities of the structural unit/person responsible for the organisation of work related to the protection of personal data during their processing shall be defined in job descriptions and regulations, other regulatory documents.
7.5. Ukrposhta cooperates with public authorities, officials responsible for the protection of personal data in Ukraine, in accordance with the requirements of the law.
This Policy shall be available for review by users of postal services (personal data subjects) and shall be posted on Ukrposhta’s official website.