Privacy Policy for the Processing and Protection of Personal Data at suprem.com.ua

Contents

1. Basic Concepts and Scope
2. List of Personal Data Databases
3. Purposes of Personal Data Processing
4. Processing Procedure and Obtaining Consent
5. Transfer of Data to Third Parties
6. Protection of Personal Data
7. Rights of the Personal Data Subject
8. Procedure for Handling Requests
9. State Registration of Databases

1. Basic Concepts and Scope

1.1. Definition of Terms

• Personal Data Database — an organized collection of personal data in electronic form and/or in the form of card files.
• Responsible Person — an employee of suprem.com.ua who organizes the work on personal data protection during their processing.
• Owner of the Personal Data Database — suprem.com.ua, which determines the purposes of processing, the composition of data, and the procedures for their processing.
• Publicly Available Sources — directories, address books, catalogs, and other collections of open information. Social networks and online resources are not considered publicly available sources unless the user explicitly stated that the data is intended for free distribution.
• Consent of the Subject — the voluntary expression of a person's will to process their personal data for specified purposes.
• Anonymization — the removal of information that allows for the identification of a person.
• Processing of Personal Data — any actions involving the collection, registration, storage, adaptation, modification, updating, use, and dissemination of information about a person.
• Personal Data — information about a natural person who is identified or can be identified.
• Personal Data Subject — the person whose data is being processed.
• Third Party — any person other than the data subject, the database owner, or the authorized state body.
• Special Categories of Data — information about racial or ethnic origin, political, religious, or philosophical beliefs, membership in parties and trade unions, data concerning health or sex life.

1.2. Mandatory Application

This Regulation is mandatory for responsible persons and employees of suprem.com.ua who have access to personal data or process it as part of their official duties.

2. List of Personal Data Databases

suprem.com.ua is the owner of the following personal data databases:

• Database "Counterparties" — contains information about the company's partners, suppliers, and customers.

3. Purposes of Personal Data Processing

Personal data is processed for the purpose of:

• Ensuring civil law relations (conclusion and execution of contracts).
• Providing and receiving services, as well as making payments for purchased goods/services.
• Maintaining accounting and tax records.
• Storing and maintaining counterparty data.

Processing is carried out in accordance with the Law of Ukraine "On Personal Data Protection".

4. Processing Procedure and Obtaining Consent

4.1. Forms of Consent

Consent of the personal data subject may be provided in one of the following forms:

• A paper document with details allowing for the identification of the person.
• An electronic document with mandatory details (the use of an electronic signature is recommended).
• A mark on an electronic page of a document or in a file processed in the information system (e.g., a consent checkbox on the website).

4.2. Moment of Obtaining Consent

Consent is provided when formalizing civil law relations (registering on the site, placing an order, signing a contract).

4.3. Informing the Subject

When collecting data, the subject is informed about the inclusion of their data in the database, their rights under the law, the purposes of collection, and the persons to whom their data may be transferred.

4.4. Prohibition on Processing Special Categories

Processing of special categories of data (racial origin, political views, religion, health, etc.) is prohibited.

5. Conditions for Transferring Data to Third Parties

5.1. General Rules

Access to personal data for third parties is granted only with the consent of the subject or in accordance with legal requirements. Before granting access, the third party must assume obligations to comply with the Law of Ukraine "On Personal Data Protection".

5.2. Request Procedure from Third Parties

A request for access to data must contain:

• For an individual: full name, place of residence, document details.
• For a legal entity: name, location, position and full name of the signatory.
• Data allowing the identification of the person about whom information is requested.
• Information about the database or its owner.
• The list of requested data and the purpose of the request.

5.3. Deadlines for Consideration of Requests

• Consideration of the request — no more than 10 working days.
• Fulfillment of the request — within 30 calendar days.
• In case of a necessary postponement — the total period cannot exceed 45 calendar days.

5.4. Denial of Access

Denial of access is permitted if access is prohibited by law. The decision to deny or postpone may be appealed in court or to an authorized state body.

6. Protection of Personal Data

6.1. Technical Means of Protection

suprem.com.ua databases are equipped with system and software-technical means that prevent loss, theft, unauthorized destruction, distortion, forgery, and copying of information. The equipment complies with national and international standards.

6.2. Responsible Person

The responsible person is appointed by order of the head of suprem.com.ua and organizes data protection work. Their responsibilities include:

• Knowledge of legislation in the field of data protection.
• Development of procedures for employee access to data.
• Monitoring compliance with legal requirements.
• Implementation of internal control.
• Reporting violations to management.
• Ensuring the storage of documents on the consent of subjects.

6.3. Rights of the Responsible Person

• Receive necessary documents and orders related to data processing.
• Make copies of files and records.
• Make suggestions for improving the protection system.
• Receive clarifications from employees.

6.4. Duties of Employees

Employees who have access to data are obliged to comply with legislation and internal documents, and also prevent the disclosure of data that has become known to them in connection with their work. This obligation continues even after dismissal.

6.5. Responsibility for Violations

Persons who violate the requirements of the Law "On Personal Data Protection" are liable in accordance with the legislation of Ukraine.

6.6. Storage Periods

Personal data is stored no longer than necessary for the purpose of processing, but in any case no longer than the period determined by the consent of the subject.

7. Rights of the Personal Data Subject

Every person whose data is processed has the right:

• To know the location of the database, its purpose, the name and location of the owner.
• To receive information about the conditions for granting access to the data and about third parties to whom the data is transferred.
• To access their personal data.
• To receive a response about whether their data is stored and to familiarize themselves with its content (within 30 days).
• To demand changes or destruction of data if it is processed illegally or is inaccurate.
• To protection from unlawful processing, accidental loss, destruction, damage.
• To seek protection of their rights from authorized state bodies.
• To apply legal remedies in case of violation of the law.

8. Procedure for Handling Subject Requests

8.1. Right to Request

The personal data subject has the right to receive any information about themselves without stating the purpose of the request (except in cases established by law). Access to data about oneself is provided free of charge.

8.2. Content of the Request

The request must contain:

• Full name, place of residence, and document details of the subject.
• Information allowing the identification of the subject.
• Information about the database or its owner.
• The list of requested data.

8.3. Consideration Deadlines

• Consideration of the request — up to 10 working days.
• Fulfillment of the request — up to 30 calendar days.

9. State Registration of the Personal Data Database

State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection". suprem.com.ua fulfills all legal requirements regarding registration and notification of authorized bodies.