Collection, processing and storage of personal data of store customers

Surname, first name, patronymic, date of birth, phone number, email address, delivery address is information that customers often provide to a seller when placing an order. This information is considered personal data. It is methodically collected over the years, processed and stored by the entrepreneur, and is called a database or customer base. However, is it legal to collect such information and store it? Is it possible to sell or buy a database? Are there any requirements to protect the database, read in the article.

What is personal data?

There are two laws in Ukraine that regulate personal data issues: The Law of Ukraine "On Personal Data Protection" and the Law of Ukraine "On Information".

Personal data is information or a set of information that identifies a person or can be used to identify a person.

Personal data includes any information that can be used to identify a person, so the law does not contain an exhaustive list of what information is considered personal. However, in one of its decisions, the Constitutional Court clarified what information about a person can be classified as personal data.

Personal data includes the following information about a person (the list is not exhaustive):

• nationality;
• education;
• marital status;
• religious beliefs;
• health status;
• financial situation;
• addresses;
• date and place of birth;
• place of residence, stay;
• data on personal property and non-property relations of this person with other persons, including family members;
• information about events and phenomena that have occurred or are occurring in the person's domestic, intimate, social, professional, business and other spheres of life.

The information listed is not only personal data, but also confidential information. It is prohibited to collect such data without obtaining the person's consent. The only exception when consent is not required is when such data is collected for the purposes of national security, economic welfare and human rights protection.

What data is prohibited to collect?

There is personal data, the collection of which may result in restriction or violation of the rights and freedoms of others. Such data includes the following information about a person:

• racial, ethnic and national origin;
• political, religious or ideological beliefs;
• membership in political parties and/or organizations, trade unions, religious organizations, or public organizations with a worldview;
• health status;
• statute life;
• biometric data;
• genetic data;
• administrative or criminal liability;
• application of measures against a person within the framework of a pre-trial investigation;
• taking measures provided for by the Law of Ukraine "On Operational Investigative Activity";
• committing certain types of violence against a person;
• location and/or routes of travel.

Sole proprietors or legal entities have no right to collect this data, let alone store it.

How to process personal data?

Personal data processing means the collection, storage, alteration, use, adaptation, and any other actions with data.

Data processing should be open, meaning that people should know:

• what information is collected and where it is stored;
• for what purpose the data is collected;
• location of the data owner;
• how long the data will be stored;
• who has access to the data and under what conditions the data may be transferred to third parties;
• what rights the data owner has.

What is the liability for violation of personal data storage?

The dissemination of personal data is subject to criminal liability under Article 182 of the CCU. Illegal collection, storage, use or dissemination of personal data is punishable by a fine of UAH 8,500 to UAH 17,000, or correctional labor for up to 2 years, or arrest for up to 6 months, or imprisonment for up to 3 years.

Liability for the dissemination of personal data arises regardless of whether a person has suffered damage due to the leakage of their data.

If a person has been harmed by the dissemination of their personal data, the liability will be higher: arrest for 3 to 6 months or imprisonment for 3 to 5 years.

In addition to criminal liability, a person may also be subject to administrative liability in the form of a fine:

• for officials and entrepreneurs - from UAH 5,100 to 17,000;
• for legal entities - from UAH 17,000 to 34,000.

When can data be transferred to third parties?

The Law of Ukraine "On Personal Data Protection" and the General Data Protection Regulation (GDPR), which is in force in the EU, allow data to be transferred to third parties only in the following cases:

• if the transaction cannot be fulfilled without transfer;
• if a person has given consent to transfer data to a third party;
• if the transfer of data is required by law.

Can I buy or sell personal data?

No. The purchase or sale of personal data in Ukraine (and abroad) is prohibited and may result in criminal liability.

How to store customer information in Torgsoft?

1. Post a non-disclosure agreement on your website and social media, which clearly states what information you collect about the client and why.
2. In Torgsoft → Marketing → Customers, store customer information. If you use Torgsoft to synchronize with an online store, Prom.ua, Rozetka, then customer information from the order form is automatically uploaded to Torgsoft.
3. In the role settings, deny access to the Marketing → Customers menu to employees who do not work with the customer base.