Regulation on the processing and protection of personal data in personal data database owned by MYDUTYFREE

1. General concepts and scope

   1. Terms and definitions
      database of personal data — named collection of data in electronic form and/or in form of personal data files;
      responsible person — certain person who organizes the work related to the protection of personal data during their processing, in accordance with the law;
      database controller — natural or legal person, who, by the law or the consent of data subject, was given the right to process these data, who approves the purpose of processing of personal data in this database, sets the data warehouse and procedures of their processing, unless otherwise provided by law;
      state register of databases of personal data — unified state informational system of collection, accumulation and processing of lists of registered personal data;
      public sources of personal data — reference books, address books, registers, lists, catalogs and other systematic collections of public information, which contain personal data posted and published with a consent of the personal data subject.
      Social media and internet resources in which the data subject leaves its personal data (except when the data subject explicitly states that personal data are placed for the purpose of their free dissemination and use) are not considered as public sources of personal data.
      consent of the personal data subject — any documented free will of natural person which grants a permission to process his or her personal data, in accordance with the stated purpose of their processing;
      de-identification of personal data — withdrawal of information that makes it possible to identify a person;
      processing of personal data — any action or set of actions performed in whole or in part in an information (automated) system and/or in personal data files, which is associated with the collection, registration, accumulation, preservation, adaptation, modification, updating, use and dissemination (implementation, transfer), de-personalization, destruction of the data about the natural person;
      personal data — statements or a set of statements about an individual (natural person) who is identified or can be specifically identified;
      processor of the database — natural or legal person to whom, by the controller or the law was given the right to process these data. A person entrusted by the controller and/or processor of the database with work of a technical nature with the database of personal data without access to the content of personal data can not be considered as a processor of the database.
      personal data subject — natural person with regard to whom personal data is processed, in accordance with the law;
      third party — any person, with the exception of the personal data subject, the controller or processor of the personal data database and authorized state body on the protection of personal data, to whom by the controller or processor personal data is disclosed, in accordance with the law;
      special categories of data — personal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to health or sexual life.
   2. This Regulation is mandatory for use by the responsible person and the employees of the seller, who directly process and/or have access to personal data in connection with the performance of their official duties.

2. List of databases of personal data

   The seller is the controller of the following personal data databases:

   • Customer personal data database

3. The purpose of processing of personal data

   The purpose of processing of personal data in the system is storage and maintenance of customer data in accordance with Articles 6, 7 of the Law of Ukraine “On Personal Data Protection”

4. The procedure for processing of personal data: obtaining consent, notification of rights and actions with personal data of the personal data subject

   • The consent of the personal data subject should be a free will of the natural person to grant permission for the processing of his or hers personal data in accordance with the stated purpose of the processing. The consent of the personal data subject can be provided in the following form:
     • mark on the electronic page of the document or in an electronic file that is processed in the information system on the basis of documented software and technical solutions.
   • Notification of the personal data subject about the inclusion of his or hers personal data in personal data databases, rights defined by the Law of Ukraine "On the protection of personal data", the purpose of collection of personal data and the persons to whom his or hers personal data is disclosed takes place during checkout on the website mydutyfree.net.
   • The processing of personal data about racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to health or sexual life (specific data categories) is prohibited.

5. Location of the database of personal data

   The personal data databases specified in section 2 of this regulation are located at the address of «Mydutyfree» company.

6. Privacy and personal data collection, processing and storage policy

   We collect, store and use your personal data in accordance with national legislation and standards of international law in the field of information security, including “Protection of personal data” Law dated 01.06.2010 № 2297-VI, as well as the Rules for the processing of personal data established by the General Data Protection Regulations (EU Regulation 2016/679 of April 27, 2016 or the GDPR - General Data Protection Regulation).

   We collect, store and use personal information with the permission of the user. We provide the user with access to the personal information that we store, and we provide the ability to change and delete information at any time through the personal account or upon request to our support team.

   We only collect and process the minimal amount of personal data required for providing the Service.

   We collect and store the following information:

   Personal data, cookies, and usage data::
   • referral source, utm-tags
   • operating system, browser type and version, IP address
   • country, city, language preferences
   • gender, age, name, surname
   • phone number, email address
   • tokens for push notifications
   • data available from social networks when it is linked to the account (avatar, etc.)
   Special::
   • actions (view history, additions to favorites and shopping cart, search queries, filters applied, order history, etc.)
   • answers from questionnaires, actions associated with additional functions (lotteries, referral systems, etc.)
   • airport, date and time of departure
   • history of email and phone notifications
   • history of chat bot correspondence and technical support operator correspondence

   The statistical information that we collect (for example, information about the session duration) is stored in an impersonal and encrypted form.

   The information is used by us for the purpose of providing the Services, confirming the identity of the user, timely notifying the user of the forced changes in the conditions for providing the Service, for conducting marketing research and activities.

   In order to provide the Services, we can transfer personal data to third parties.

   The data is transferred to third parties in an encrypted form - to the partners of the Service, as well as to the services that operate the working process of the Service.

   Only the minimum amount of information necessary to ensure the provision of the Services is transferred.

   We pass on the name and surname of the customers of TezTour Турагенція, who used the affiliate promo code to increase the discount on our website, to the company TezTour Турагенція. This happens only for those users who are already customers of TezTour Турагенція, and therefore have already given their name and surname to the company, as well as entered the promotional code they previously received from the company representative.

   List of partners and services::
   • Google Analytics, Yandex Analytics, MixPanel
   • authorized locations - cash desks in the stores where customer service is provided
   • Belavia, S7, Natalitours, Ural Airlines, TezTour Турагенція
   • the exchange of user personal data takes place in the process of interaction with external social networks and platforms like Google+, Facebook, Instagram, Twitter, VK

   We collect cookies that are required for Service functioning and providing the Services. Cookies are stored in an encrypted form and are deleted as soon as there is no need for them.

   Please note that EU citizens who are under the age of 16 can use the Service only after obtaining consent for personal data processing of personal data from their parents (or legal representatives), through the authorization of our Service.

   We take all reasonable steps to maintain the appropriate level of security during the use of our Service. An authorized employee of our company is responsible for ensuring the protection of the information.

   We do not transfer personal information to unauthorized third parties and do not store unauthorized copies of informational data.

   In case of revealing the leak of data, we inform the user and the authorized authorities about this leak within 72 hours.

   Using our service, you must agree to our use of your personal data. Granting your consent to the use of your personal data, you guarantee that the information provided is true.

   If you do not agree to provide information that is necessary for us to provide the Services, you may be barred from using the Service.

   Please note that if you voluntarily place your personal data online in an unprotected internet environment – for example, in blog comments, this information can be collected and used by third parties outside our control.

   You have the following rights regarding your personal data:
   • The right to request for access to your personal data and information about how we use your personal information
   • The right to correct your personal data if it is not fully specified or contains inaccuracies
   • The right to remove your personal data we store in full or partially at any time
   • The right to withdraw the consent to the processing your personal data by us in full or partially. Exercise of this right will not mean the illegality of any of our procedures with your personal data, which were carried out on the basis of your previously granted consent
   • The right to send a complaint related to the processing of your personal data by us directly to any local branch of the supervisory authority

   If you have any questions regarding the procedure for the implementation of the abovesaid rights, other questions, suggestions and / or claims regarding the operation of our Service, please contact our support team: support@mydutyfree.net.

7. Terms of disclosure of the information about personal data to the third parties

   1. The procedure for access to personal data by third parties is determined by terms of the consent of the personal data subject provided to the controller of the personal data database for processing this data, or in accordance with the requirements of the law.
   2. Access to personal data is not provided to a third party if the specified person refuses to undertake obligations to fulfill the conditions of the Law of Ukraine “On the protection of personal data” or is unable to provide them.
   3. The subject of relations related to personal data, submits a request for access (hereinafter - the request) to the personal data, to the controller of the personal data database.
   4. The request shall include:
      • last name, first name and patronymic, place of residence (place of stay) and details of the document certifying the individual who makes the request (for the natural person - the applicant);
      • name, location of the legal entity that submits the request, position, last name, first name and patronymic of the person certifying the request; confirmation that the content of the request corresponds to the authority of the legal entity (for a legal entity - the applicant);;
      • last name, first name and patronymic as well as other information that makes it possible to identify the natural person in regard to whom the request is being made;
      • information about the database of personal data in regard to which the request is made, or information about the owner or disposer of this database;
      • list of personal data that is requested;
      • purpose of the request.
   5. The term for studying of a request for its satisfaction may not exceed ten working days from the date of its admission.
      During this period, the controller of the personal data database informs the person who submitted the request that the request will be satisfied or the relevant personal data will not be provided, indicating the grounds specified in the relevant legal act.
      The request is satisfied within thirty calendar days from the date of its admission, unless otherwise provided by law.
   6. All employees of the controller of the personal data database are obliged to adhere to the requirements of confidentiality in regard to personal data.
   7. The postponement of access to personal data to third parties is allowed if the necessary data cannot be provided within thirty calendar days from the day the request is received. At the same time, the total time for resolving the issues raised in the request may not exceed forty five calendar days.
   8. The postponement message shall be brought to knowledge of the third party who submitted the request, in writing, explaining the procedure for appealing such a decision.
   9. The postponement report shall include:
      • last name, first name and patronymic of the official;
      • date of sending of the message;
      • reason of postponement;
      • the period during which the request will be satisfied.
   10. Denial of access to personal data is allowed if access to it is prohibited in accordance with the law.
   11. Rejection message shall include:
       • last name, first name and patronymic of the official who denied access;
       • date of sending of the message;
       • reasons of rejection;
   12. The decision on the removal or denial of access to personal data may be appealed to the authorized state body on the protection of personal data, other state authorities and local governments, whose powers include the protection of personal data, or in court.

8. Protection of personal data: ways of protection, responsible person, employees, who directly process and/or have access to personal data due to the performance of their official duties, terms of storage of personal data

   1. The controller of the personal data database is equipped with system, software and hardware and communication tools that prevent loss, theft, unauthorized destruction, distortion, copying of information and meet the requirements of international and national standards.
   2. The responsible person organizes the work related to the protection of personal data during their processing, in accordance with the law. The responsible person is determined by the decree of the controller of the personal data database.
      The responsibilities of the responsible person in organizing work related to the protection of personal data during their processing are indicated in the job description.
   3. The responsible person must:
      • know the legislation of Ukraine in the field of personal data protection;
      • develop procedures for access to personal data of employees in accordance with their professional, service or work duties;
      • ensure that the employees of the controller of the personal data database comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents regulating the activity of the controller of the personal data database on the processing and protection of personal data in personal data databases;
      • develop a procedure for internal control of compliance with the requirements of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activities of the controller of the personal data database for processing and protecting personal data in personal data databases, which, in particular, should contain standards regarding the frequency of such control;
      • inform the controller of the personal data database about the facts of violations by employees of the conditions of the legislation of Ukraine in the field of personal data protection and internal documents regulating the activity of the controller of the personal data database on personal data processing and protection in the personal data databases no later than one working day from the moment such violations were detected;
      • ensure the storage of documents confirming the provision by the personal data subject of consent to the processing of his or hers personal data and notification of the data subject of his rights.
   4. In order to fulfill the duties, the responsible person has the right to:
      • receive necessary documents, including orders and other administrative documents issued by the controller of the personal data database related to the processing of personal data;
      • make copies of received documents, including copies of files, of any records stored in local computer networks and autonomous computer systems;
      • take part in the discussion of his duties in work organization related to the protection of personal data during their processing;
      • submit proposals for improving activities and improving work methods, submit comments and options for eliminating the identified deficiencies in the process of processing personal data;
      • receive explanations in the matters of the processing of personal data;
      • sign and endorse documents within the competence.
   5. Employees who directly process and/or have access to personal data in connection with the performance of their official (job) duties must comply with the requirements of Ukrainian legislation in the field of personal data protection and internal documents on the processing and protection of personal data in personal data databases.
   6. Employees who have access to personal data, including their processing, are obliged to prevent disclosure of personal data entrusted to them or which have become known in connection with the performance of professional, official or work duties in any way. Such an obligation is valid after the termination of their activities related to personal data, except cases established by law.
   7. Individuals who have access to personal data, including those who process the data, in case of violation of the conditions of the Law of Ukraine «On Personal Data Protection» bear responsibility according to the law of Ukraine.
   8. Personal data should not be stored longer than necessary for the purpose for which such data is stored, but, in any case, no longer than the data retention period determined by the consent of the personal data subject to the processing of this data.

9. Rights of the personal data subject

   The personal data subject has the right to:

   • know about the location of the personal data database, which contains his or hers personal data, its purpose and name, location and/or place of residence (stay) of the controller or processor of this database or give the appropriate instruction to receive this information by persons authorized by him, except for cases stipulated by law;
   • access to his or hers personal data contained in the relevant database of personal data;
   • receive an answer about whether his or hers personal data is stored in the relevant personal data database, as well as receive the contents of his or hers personal data that is stored, no later than in thirty calendar days from the date of the request, except for cases stipulated by law;
   • submit a reasoned request with an objection to the processing of personal data by public authorities, local authorities in the implementation of their duties provided by law;
   • make a reasoned request to replace or destroy the personal data by any controller and processor of this database, if this data is processed illegally or is unreliable;
   • protect personal data from illegal processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely providing, as well as to protect from the providing of statements that are unreliable or discredit the honor, dignity and business reputation of a natural person;
   • apply for the protection of his or hers rights about personal data to state authorities, local governments whose authority is to protect personal data;
   • apply legal remedies in case of violation of personal data protection legislation.

10. Operating procedure with the requests of the personal data subject

    1. The personal data subject has the right to receive any information about himself from any subject of the relationship related to personal data, without specifying the purpose of the request, except for cases stipulated by law.
    2. Access to personal data by the personal data subject is free of charge.
    3. The personal data subject submits a request for access (hereinafter — request) to personal data to the controller of the personal data database.
       The request shall include:
       • last name, first name and patronymic, place of residence (place of stay) and details of the document certifying the identity of the personal data subject;
       • other information that makes it possible to identify the individual of the personal data subject;
       • information about the database of personal data in regard to which the request is made, or information about the owner or disposer of this database;
       • list of requested personal data.
    4. The term for studying of the request for its satisfaction may not exceed ten working days from the receipt date.
    5. During this period, the controller of the personal data database informs the personal data subject that the request will be satisfied or the relevant personal data will not be provided, indicating the basis specified in the relevant legal act.
    6. The request is satisfied within thirty calendar days from the reception date, except for cases stipulated by law.

11. State registration of personal data database

    The state registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine “On Personal Data Protection”.