Privacy Policy with regard to personal data processing in Keysystems LLC
1.General Provisions
1.1. Purpose of the Policy
1.1.1. This Policy regarding the processing of personal data in «Keysystems» LLC
(hereinafter - the Policy) is developed in accordance with the Federal Law of July 27, 2006
No. 152-FZ «On Personal Data».
1.1.2. The Policy comes into force from the moment of its approval by the General Director
of «Keysystems» LLC.
1.1.3. The Policy is subject to revision in the course of periodic analysis by the management
of «Keysystems» LLC (hereinafter referred to as the Company), as well as in cases of
changes in the legislation of the Russian Federation in the field of personal data.
1.1.4.The Policy shall be published on the Company's official website.
1.2. Objectives of the Policy
1.2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of
personal data subjects during the processing of their personal data by the Company.
1.3. Basic Concepts
1.3.1. For the purposes of the Policy, the following terms are used:
personal data — any information relating to a directly or indirectly identified or identifiable
natural person (personal data subject);
operator —state authority, municipal authority, legal or natural person, independently or
jointly with other persons organizing and (or) carrying out processing of personal data, as
well as determining the purposes of personal data processing, composition of personal data
subject to processing, actions (operations) performed with personal data;
personal data authorized by the subject of personal data for dissemination —
personal data, access to which is granted to an unlimited number of persons by the subject
of personal data by giving consent to the processing of personal data, authorized by the
subject of personal data for dissemination in the manner prescribed by the Federal Law
«On Personal Data»;
personal data subject — A natural person who is directly or indirectly identified or
identifiable through the use of personal data;
operator — state authority, municipal authority, legal or natural person, independently or
jointly with other persons organizing and (or) carrying out processing of personal data, as
well as determining the purposes of personal data processing, composition of personal data
subject to processing, actions (operations) performed with personal data;
processing of personal data — any action (operation) or set of actions (operations)
performed with or without the use of automation means with personal data, including
collection, recording, systematization, accumulation, storage, clarification (update, change),
extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of
personal data;
automated processing of personal data — processing of personal data by means of
computing equipment;
dissemination of personal data — actions aimed at disclosure of personal data to an
indefinite number of persons;
provision of personal data — actions aimed at disclosure of personal data to a certain
person or a certain circle of persons;
blocking of personal data — temporary cessation of personal data processing (except for
cases when processing is necessary to clarify personal data);
destruction of personal data — actions, as a result of which it becomes impossible to
restore the content of personal data in the personal data information system and (or) as a
result of which material carriers of personal data are destroyed;
personal data information system — the totality of personal data contained in databases
and information technologies and technical means ensuring their processing;
data privacy — a mandatory requirement for a person who has access to certain
information not to disclose such information to third parties without the consent of its owner;
cross-border transfer of personal data — transfer of personal data to the territory of a
foreign country to an authority of a foreign country, a foreign natural person or a foreign
legal entity;
threats to personal data security — a set of conditions and factors that create a risk of
unauthorized, including accidental, access to personal data, which may result in the
destruction, modification, blocking, copying, provision, dissemination of personal data, as
well as other illegal actions during their processing in the information system of personal
data;
level of personal data protection — a complex indicator characterizing the requirements,
the fulfillment of which ensures the neutralization of certain threats to personal data security
during their processing in personal data information systems.
1.4. Scope
1.4.1. The provisions of the Policy apply to all relations related to the processing of personal
data carried out by the Company:
— with the use of automation tools, including in information and telecommunication
networks, or without the use of such tools, if the processing of personal data without the use
of such tools corresponds to the nature of the actions (operations) performed with personal
data using automation tools, that is, it allows to carry out in accordance with a given
algorithm, search for personal data recorded on a tangible medium and contained in file
cabinets or other systematized collections of personal data, and (or) access to such
personal data;
— without the use of automation.
1.4.2. The policy applies to all employees of the Company.
2. Purposes of personal data processing
2.1. Personal data processing is carried out by the Company for the following purposes:
— fulfilling the requirements of the labor legislation of the Russian Federation; maintaining
personnel and military records; organizing preliminary and periodic medical examinations
for employees; organizing personalized registration of employees in the mandatory pension
insurance system; keeping records of students undergoing internships; implementing a
loyalty program; issuing corporate SIM cards; keeping accounting records and preparing
financial statements; conducting contractual relations; keeping records of the Company's
employees; maintaining accounting records; preparing financial statements; maintaining
accounting records of the Company's employees.
— software development and provision of services in the field of software supply; provision
of consulting support to software users; conducting training courses; fulfillment of contracts
and agreements; maintenance of the official website; realization of other statutory tasks.
3. Legal basis for processing personal data
3.1. The following regulatory acts and documents shall be the basis for personal data
processing in the Company:
— Constitution of the Russian Federation;
— Civil Code of the Russian Federation;
— Labor Code of the Russian Federation;
— Tax Code of the Russian Federation;
— Federal Law of 06.12.2011 No. 402-FZ «On Accounting»;
— Federal Law No. 353-FZ «On Consumer Credit (Loan)» dated 21.12.2013;
— Federal Law of 29.12.2012 No. 273-FZ «On Education in the Russian Federation»;
— Federal Law of 29.12.2006 No. 255-FZ «On Compulsory Social Insurance for Temporary
Inability to Work and in Connection with Maternity»;
— Federal Law No. 223-FZ dated 18.07.2011 «On Procurement of Goods, Works and
Services by Certain Types of Legal Entities»;
— Federal Law of 24.11.1995 No. 181-FZ «On Social Protection of Disabled Persons in the
Russian Federation»;
— Federal Law of 17.12.2001 No. 173-FZ «On Labor Pensions in the Russian Federation»;
— Federal Law of 15.12.2001 No. 167-FZ «On Compulsory Pension Insurance in the
Russian Federation»;
— Federal Law of 15.12.2001 No. 166-FZ «On State Pension Provision in the Russian
Federation»;
— Federal Law of 16.07.1999 No. 165-FZ «On the Fundamentals of Compulsory Social
Insurance»;
— Federal Law of 06.04.2011 No. 63-FZ «On Electronic Signature»;
— Federal Law of 28.03.1998 No. 53-FZ «On Military Duty and Military Service»;
— Federal Law No. 44-FZ dated 05.04.2013 «On Contract System in the Sphere of
Procurement of Goods, Works and Services for State and Municipal Needs»;
— Federal Law of 26.02.1997 No. 31-FZ «On mobilization preparation and mobilization in
the Russian Federation»;
— Federal Law of 01.04.1996 No. 27-FZ «On individual (personified) accounting in the
system of compulsory pension insurance»;
— The Charter of Limited Liability Company «Keysystems», approved by Minutes No. 50 of
the general meeting of participants dated 25.12.2015;
— Contracts concluded between the operator and the subject of personal data;
— Consents of personal data subjects to the processing of personal data.
3.2. In cases not expressly provided for by the legislation of the Russian Federation but
corresponding to the Company's powers, personal data processing shall be carried out with
the consent of the personal data subject to the processing of his/her personal data.
3.3. Processing of personal data shall be terminated upon reorganization or liquidation of
the Company.
4. Scope and categories of processed personal data, categories of personal data subjects
4.1. In accordance with the purposes of personal data processing specified in clause 2 of
this Policy, the Company shall process the following categories of personal data subjects:
— employees of «Keysystems» LLC;
— employees of organizations that are members of the «Keysystems» Group of
Companies;
— close relatives of «Keysystems» LLC employees;
— close relatives of employees of organizations that are members of the «Keysystems»
Group of Companies;
— persons having civil legal relations with «Keysystems» LLC;
— persons who have civil legal relations with organizations of the «Keysystems» Group of
Companies;
— dismissed employees of «Keysystems» LLC;
— dismissed employees of organizations belonging to the «Keysystems» Group of
Companies;
— close relatives of dismissed employees of «Keysystems» LLC;
— close relatives of dismissed employees of organizations belonging to the
«Keysystems»Group of Companies;
— counterparties (representatives of counterparties and individual entrepreneurs);
— partner representatives;
— borrowers;
— internship students;
— persons who have filled in the feedback form and (or) registered on the Self-Service
Portal of the website of «Keysystems» LLC, forum users;
— site visitors;
— mobile app users;
— persons taking refresher courses;
— listeners of the courses conducted by «Keysystems» LLC;
— persons to whom an electronic digital signature has been issued.
4.2. In accordance with the purposes of personal data processing specified in clause 2 of
this Policy, the Company shall process the following personal data:
4.2.1. Employees of «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— date of registration at the place of residence;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to education document;
— information on postgraduate professional education;
— profession;
— position;
— employment contract details;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— information about the dismissal;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— the amount of the salary;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— requisites of orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— hire date;
— field of study or specialty;
— details of the power of attorney;
— information about bonus points under the loyalty program;
— information about the availability of the vehicle;
— the term of the power of attorney;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.2. Employees of organizations that are part of the «Keysystems» group of companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— Gender;
— nationality;
— registration address;
— residential address;
— date of registration at the place of residence;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of employment;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— requisites of orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— information on bonus points under the loyalty program;
— the term of the power of attorney;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.3. Close relatives of «Keysystems» LLC employees:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability details;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.4. Close relatives of employees of organizations belonging to the «Keysystems» Group
of Companies:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability details;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.5. Persons having civil legal relations with «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo;
— details of the power of attorney;
— power of attorney validity period;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.6. Persons who have civil legal relations with organizations belonging to the
«Keysystems» Group of Companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo;
— details of the power of attorney;
— power of attorney validity period;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.7. Fired employees of «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— validity period of the power of attorney;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.8. Fired employees of organizations that are part of the «Keysystems» group of
companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— validity period of the power of attorney;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.9. Close relatives of the dismissed employees of «Keysystems» LLC:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability information;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.10. Close relatives of dismissed employees of organizations belonging to the
«Keysystems» Group of Companies:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability information;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.11. Counterparties (representatives of counterparties and individual entrepreneurs):
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— position;
— place of work;
— structural unit;
— e-mail address;
— payment amount;
— essence of application;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.12. Partner Representatives:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— position;
— place of work;
— structural unit;
— e-mail address;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.13. Borrowers:
— full name;
— date of birth;
— place of birth;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— the interest rate on the loan;
— loan information;
— information required to obtain a loan for the purchase of secondary housing and housing
in a house under construction (if a loan is obtained);
— loan term;
— loan amount;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.14. Internship students:
— full name;
— date of birth;
— educational background;
— place of study;
— form of education;
— course;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.15. Persons who have filled in the feedback form and (or) registered on the Self-Service
Portal of the website of «Keysystems» LLC, forum users:
— full name;
— contact numbers;
— position;
— place of work;
— structural unit;
— e-mail address;
— information contained in the message.
4.2.16. Site visitors:
— metric data.
4.2.17. Mobile app users:
— full name;
— contact numbers;
— position;
— place of work;
— e-mail address;
— photo.
4.2.18. Persons taking refresher courses:
— full name;
— name change information;
— contact numbers;
— educational background;
— position;
— place of work;
— structural unit;
— e-mail address;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.19. Attendees of courses conducted by «Keysystems» LLC:
— full name;
— contact numbers;
— place of study;
— e-mail address;
— course;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.20. Persons to whom an electronic digital signature has been issued:
— full name;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— details of the identity document;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo.
5. Procedure and conditions of personal data processing
5.1. Principles of personal data processing
Personal data processing shall be carried out by the Company in accordance with the
following principles:
— processing of personal data is carried out on a lawful and fair basis;
— processing of personal data is limited to the achievement of specific, predetermined and
legitimate purposes; processing of personal data incompatible with the purposes of
personal data collection is not allowed;
— it is not allowed to merge databases containing personal data processed for incompatible
purposes;
— only personal data that meet the purposes of their processing are subject to processing;
— the content and scope of processed personal data correspond to the declared purposes
of processing; processed personal data are not redundant in relation to the declared
purposes of their processing;
— when processing personal data, the accuracy of personal data, their sufficiency and,
where necessary, relevance to the purposes of personal data processing shall be ensured;
the Company shall take the necessary measures or ensure that they are taken to remove or
clarify incomplete or inaccurate data;
— personal data shall be stored in a form that allows identification of the personal data
subject for no longer than required by the purposes of personal data processing, unless the
period of personal data storage is stipulated by federal law, an agreement to which the
personal data subject is a party, beneficiary or guarantor; processed personal data shall be
destroyed upon achievement of the processing purposes or in case of loss of necessity to
achieve these purposes, unless otherwise stipulated by federal law.
5.2. Conditions of personal data processing
The conditions for processing personal data other than obtaining the personal data subject's
consent to the processing of his/her personal data are alternative.
5.2.1. Conditions for processing of special categories of personal data
Processing of special categories of personal data shall be carried out by the Company
subject to the following conditions:
— personal data processing is carried out in accordance with the legislation on state social
assistance, labor legislation, pension legislation of the Russian Federation;
— the personal data subject has consented in writing to the processing of his/her personal
data.
5.2.2. Conditions for processing biometric personal data
Information characterizing physiological and biological features of a person, on the basis of
which his/her identity can be established (biometric personal data) and which is used by the
Company to establish the identity of the personal data subject, is not processed by the
Company.
5.2.3. Conditions for processing other categories of personal data
Other categories of personal data shall be processed by the Company subject to the
following conditions:
— processing of personal data is necessary to achieve the goals stipulated by the
international treaty of the Russian Federation or law, to perform and fulfill the functions,
powers and duties assigned to the Company by the legislation of the Russian Federation;
— personal data processing is carried out with the consent of the personal data subject to
the processing of his/her personal data;
— processing of personal data is necessary for the execution of a contract to which the
personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion
of a contract at the initiative of the personal data subject or a contract under which the
personal data subject will be a beneficiary or guarantor.
5.2.4. Conditions for processing personal data authorized by the subject of personal data
for dissemination
Processing of personal data authorized by the subject of personal data for dissemination is
carried out.
5.2.5. Assignment of personal data processing
5.2.5.1. The Company shall have the right to entrust the processing of personal data to
another person with the consent of the personal data subject, unless otherwise provided for
by federal law, on the basis of an agreement concluded with such person, including a state
or municipal contract, or through the adoption of a relevant act by a state or municipal
authority (hereinafter referred to as an assignment).
5.2.5.2. The Company entrusts the processing of the following personal data:
— Public Joint Stock Company «Sberbank of Russia» (address: 19 Vavilova St., Moscow,
117997): Full name; date of birth; registration address; details of the identity document;
name of the authority that issued the identity document; date of issue of the identity
document; bank details; payment amount; place of birth; ITN (TIN); SNILS; loan amount;
— Public Joint Stock Company «VTB Bank» (address: 35, Myasnitskaya Street, Moscow,
101000): Full name; date of birth; registration address; details of the identity document;
name of the authority that issued the identity document; date of issue of the identity
document; bank details; payment amount; place of birth; ITN (TIN); SNILS; loan amount;
— «Gazprombank» (Joint Stock Company) (address: 16, bldg. 1, Nametkina St., Moscow,
117420): Full name; date of birth; place of birth; registration address; details of the identity
document; name of the body that issued the identity document; date of issue of the identity
document; ITN (TIN); SNILS; loan amount;
— Open Joint Stock Company Insurance Joint Stock Company «ENERGOGARANT»
(address: 23 Sadovnicheskaya Nab., Moscow, 115035): Full name; date of birth;
registration address; contact telephone numbers; data of the identity document; name of the
body that issued the identity document; date of issue of the identity document; place of
work; position;
— Public Joint-Stock Company «VimpelCom» (address: 127083, Moscow, 8 Marta str., 10,
page 14): Full name; date of birth; contact telephone numbers; registration address; details
of the identity document; name of the body that issued the identity document; date of issue
of the identity document; SNILS; position;
— Budgetary institution «Republican Narcological Dispensary» of the Ministry of Health of
Chuvashia Ministry of Health of Chuvashia (address: 6 Pirogova St., Cheboksary, 428015,
Chuvash Republic): Full name; date of birth; gender; place of work; structural subdivision;
position;
— Public institution «Republican Psychiatric Hospital» of the Ministry of Health and Social
Development of Chuvashia (address: 6 Pirogova Street, Cheboksary, 428015, Chuvash
Republic): Full name; date of birth; gender; place of work; structural unit; position;
— Budgetary institution «City Clinical Hospital No. 1» of the Ministry of Health of Chuvashia
Ministry of Health of Chuvashia (address: 46, Tractorostroiteley Ave., Cheboksary, 428028,
Chuvash Republic): Full name; date of birth; gender; place of work; structural subdivision;
position;
— Budgetary institution «First Cheboksary hospital named after P.N. Osipov» of the
Ministry of Health of Chuvashia (address: 14 Konstantina Ivanova St., Cheboksary, 428018,
Chuvash Republic): Full name; date of birth; gender; place of work; structural unit; position.
5.2.5.3. A person processing personal data on behalf of the Company shall comply with the
principles and rules of personal data processing stipulated by this Policy. The Company's
instruction specifies the list of actions (operations) with personal data to be performed by
the person processing personal data, methods and purposes of processing, establishes the
obligation of such person to maintain confidentiality of personal data and ensure security of
personal data during their processing, as well as specifies the requirements for protection of
processed personal data.
5.2.5.4. When personal data processing is entrusted to another person, the Company shall
be liable to the subject of personal data for the actions of such person. The person who
processes personal data on behalf of the Company shall be liable to the Company.
5.2.6. Transfer of personal data
5.2.6.1. The Company shall have the right to transfer personal data to the bodies of inquiry
and investigation, other authorized bodies on the grounds provided for by the current
legislation of the Russian Federation.
5.3. Confidentiality of personal data
5.3.1. The Company's employees who have access to personal data shall not disclose to
third parties or disseminate personal data without the consent of the subject of personal
data, unless otherwise provided for by federal law.
5.4. Publicly available sources of personal data
5.4.1. The Company shall create publicly available sources of personal data for information
support purposes. Personal data shall be included in publicly available sources on the basis
of the personal data subject's consent to the processing of personal data authorized by the
personal data subject for dissemination or for the purpose of performing functions, powers
and duties assigned by the legislation of the Russian Federation to federal executive
authorities, executive authorities of constituent entities of the Russian Federation, local selfgovernment bodies. Information about the subject of personal data shall be excluded from
publicly available sources of personal data at the request of the subject of personal data or
by decision of the court or other authorized state bodies.
5.4.2. The following information is included in the publicly available sources of personal
data:
5.4.2.1. Employees of «Keysystems» LLC:
— full name;
— contact numbers;
— educational background;
— position;
— place of work;
— structural unit;
— employment history;
— e-mail address;
— photo.
5.5. Consent of the personal data subject to the processing of his/her personal data
5.5.1. If it is necessary to ensure the conditions of processing of personal data of the
subject, the consent of the subject of personal data to the processing of his/her personal
data may be provided.
5.5.2. The personal data subject decides to provide his/her personal data and consents to
its processing freely, of his/her own free will and in his/her own interest. Consent to the
processing of personal data must be specific, informed and conscious. Consent to the
processing of personal data may be given by the subject of personal data or his/her
representative in any form allowing to confirm the fact of its receipt, unless otherwise
established by federal law. In case of obtaining consent to personal data processing from
the representative of the personal data subject, the authority of this representative to give
consent on behalf of the personal data subject shall be verified by the Company.
5.5.3. Consent to the processing of personal data may be withdrawn by the subject of
personal data. If the subject of personal data withdraws consent to personal data
processing, the Company shall have the right to continue processing personal data without
the consent of the subject of personal data if alternative conditions of personal data
processing are met.
5.5.4. The obligation to provide proof of obtaining the personal data subject's consent to the
processing of his/her personal data or proof of fulfillment of alternative conditions of
personal data processing shall be imposed on the Company.
5.5.5. In cases stipulated by the federal law, personal data processing is carried out only
with the consent in writing of the personal data subject. The consent in the form of an
electronic document signed in accordance with the federal law with an electronic signature
shall be recognized as equal to the consent in writing on paper containing the handwritten
signature of the personal data subject. The written consent of the personal data subject to
the processing of his/her personal data shall include, in particular:
1) surname, name, patronymic, address of the personal data subject, number of the main
personal identification document, information on the date of issue of the said document and
the issuing authority;
2) surname, name, patronymic, address of the representative of the personal data subject,
number of the main personal identification document, information on the date of issue of the
said document and issuing authority, details of the power of attorney or other document
confirming the powers of this representative (in case of obtaining consent from the
representative of the personal data subject);
3) the name or surname, first name, patronymic and address of the Company;
4) purpose of personal data processing;
5) list of personal data, for the processing of which the consent of the subject of personal
data is given;
6) the name or surname, first name, patronymic and address of the person processing
personal data on behalf of the Company, if the processing will be entrusted to such person;
7) list of actions with personal data for which consent is given, general description of the
methods of personal data processing used by the Company;
8) the period during which the consent of the personal data subject is valid, as well as the
method of its revocation, unless otherwise provided for by the federal law;
9) signature of the personal data subject.
5.5.6. In case of incapacity of the personal data subject, the consent to the processing of
his/her personal data shall be given by the legal representative of the personal data subject.
5.5.7. In case of death of the personal data subject, consent to the processing of his/her
personal data shall be given by the heirs of the personal data subject, if such consent was
not given by the personal data subject during his/her lifetime.
5.5.8. Personal data may be obtained by the Company from a person who is not the subject
of personal data, provided that the Company is provided with a confirmation of the
availability of alternative conditions for processing the information.
5.5.9. Trans-border transfer of personal data
5.5.10. The Company performs trans-border transfer of personal data of personal data
subjects if the personal data subject gives his/her consent. Information on the purpose of
trans-border transfer, name and location of persons to whom personal data are transferred,
volume of transferred personal data and other information on trans-border transfer is
approved by the Company's local act.
5.6. Cross-border transfer of personal data
5.6.1. The Company does not transfer personal data across borders.
5.7. Peculiarities of processing personal data authorized by the subject of personal data for
dissemination.
5.7.1. Processing of personal data authorized by the subject of personal data for
dissemination is carried out on the basis of the relevant consent of the subject of personal
data.
5.7.2. Consent to the processing of personal data authorized by the personal data subject
for dissemination is executed separately from other consents of the personal data subject to
the processing of his/her personal data.
5.7.3. The consent contains a list of personal data for each category of personal data
specified in the consent to the processing of personal data, authorized by the personal data
subject for dissemination.
5.7.4. Consent to the processing of personal data authorized by the personal data subject
for dissemination shall be provided directly to the Company.
5.7.5. Silence or inaction of the personal data subject shall not be considered consent to the
processing of personal data authorized by the personal data subject for dissemination.
5.7.6. In the consent to the processing of personal data authorized by the subject of
personal data for dissemination, the subject of personal data has the right to establish
prohibitions on the transfer (except for granting access) of such personal data by the
Company to an unlimited number of persons, as well as prohibitions on processing or
conditions of processing (except for obtaining access) of such personal data by an unlimited
number of persons. The Company's refusal to establish by the subject of personal data the
prohibitions and conditions stipulated by Article 9 of the Federal Law «On Personal Data» is
not allowed.
5.7.7. The prohibitions established by the personal data subject on the transfer (except for
granting access), as well as on the processing or conditions of processing (except for
obtaining access) of personal data authorized by the personal data subject for
dissemination shall not apply to cases of personal data processing in the state, public and
other public interests defined by the legislation of the Russian Federation.
5.7.8. The transfer (dissemination, provision, access) of personal data authorized by the
subject of personal data for dissemination shall be stopped at any time at the request of the
subject of personal data. This request must include the surname, first name, patronymic (if
any), contact information (telephone number, e-mail address or postal address) of the
personal data subject, as well as a list of personal data whose processing is to be stopped.
The personal data specified in this request may be processed only by the operator to whom
it is sent.
5.7.9. The validity of the personal data subject's consent to the processing of personal data
authorized by the personal data subject for dissemination shall be terminated from the
moment the Company receives the relevant request.
5.7.10. The requirements specified above shall not apply in case of personal data
processing for the purpose of fulfillment of functions, powers and duties assigned by the
legislation of the Russian Federation to federal executive authorities, executive authorities
of constituent entities of the Russian Federation, local self-government bodies.
5.8. Processing of personal data carried out without the use of automation tools
5.8.1. General conditions
5.8.1.1. Processing of personal data contained in the personal data information system or
extracted from such system is considered to be performed without the use of automation
(non-automated), if such actions with personal data, such as the use, clarification,
distribution, destruction of personal data in respect of each of the subjects of personal data,
are carried out with the direct participation of a person.
5.8.2. Peculiarities of organization of personal data processing carried out without
the use of means of automation
5.8.2.1. Personal data, when processed without the use of automation, shall be separated
from other information, in particular, by fixing them on separate material carriers of personal
data (hereinafter - material carriers), in special sections or in the fields of forms (blanks).
5.8.2.2. When fixing personal data on a tangible medium, it is not allowed to fix on one
tangible medium personal data, the purposes of processing of which are obviously
incompatible. For the processing of different categories of personal data carried out without
the use of means of automation, a separate tangible medium shall be used for each
category of personal data.
5.8.2.3. Persons processing personal data without the use of automation (including the
Company's employees or persons performing such processing under a contract with the
Company) have been informed of the fact that they are processing personal data processed
by the Company without the use of automation, the categories of personal data processed,
as well as the peculiarities and rules of such processing established by regulatory legal acts
of federal executive authorities, bodies of executive power, as well as the Company's
employees and persons performing such processing under a contract with the Company.
5.8.2.4. When using standard forms of documents, the nature of information in which
presupposes or allows the inclusion of personal data (hereinafter - standard form), the
following conditions shall be observed:
a) the standard form or related documents (instructions for its completion, cards, registers
and journals) contain information on the purpose of personal data processing carried out
without the use of automation, the name and address of the Company, the name, surname,
first name, patronymic and address of the personal data subject, the source of personal
data receipt, the terms of personal data processing, the list of actions with personal data to
be performed in the process of their processing, a general description of the methods of
personal data processing used by the Company.
b) the standard form provides for a field in which the personal data subject can put a mark
on his/her consent to the processing of personal data carried out without the use of
automation means - if it is necessary to obtain a written consent to the processing of
personal data;
c) the standard form shall be compiled in such a way that each of the personal data
subjects contained in the document has the possibility to familiarize with his/her personal
data contained in the document, without violating the rights and legitimate interests of other
personal data subjects;
d) the standard form excludes combining fields intended for entering personal data whose
processing purposes are obviously incompatible.
5.8.2.5. The following conditions shall be observed when keeping journals (registers, books)
containing personal data required for a single entry of a personal data subject to the
territory where the Company is located or for other similar purposes:
a) the necessity to keep such journal (register, book) is stipulated by the Company's act,
containing information on the purpose of personal data processing carried out without the
use of automation, methods of recording and composition of information requested from
personal data subjects, list of persons (by name or position) having access to material
carriers and responsible for keeping and safekeeping of the journal (register, book), terms
of personal data processing, as well as information on the procedure of personal data
subject's access to the territory, to which the personal data subject is allowed to enter the
territory of the Company, to which the personal data subject is not allowed to enter.
b) copying of information contained in such journals (registers, books) is not allowed;
c) personal data of each personal data subject may be entered into such journal (book,
register) not more than once in each case of personal data subject's access to the territory
where the Company is located.
5.8.2.6. In case of incompatibility of the purposes of personal data processing recorded on
one material medium, if the material medium does not allow processing of personal data
separately from other personal data recorded on the same medium, measures shall be
taken to ensure separate processing of personal data, in particular:
a) if it is necessary to use or disseminate certain personal data separately from other
personal data on the same material medium, the personal data subject to dissemination or
use shall be copied in a way that excludes simultaneous copying of personal data not
subject to dissemination and use, and a copy of the personal data shall be used
(disseminated);
b) if it is necessary to destroy or block a part of personal data, the material carrier shall be
destroyed or blocked with preliminary copying of data not subject to destruction or blocking
in a way that excludes simultaneous copying of personal data subject to destruction or
blocking.
5.8.2.7. Destruction of a part of personal data, if it is allowed by the material medium, may
be carried out in a way that excludes further processing of these personal data, while
preserving the possibility of processing other data recorded on the material medium
(deletion, erasure). These rules are also applied in case it is necessary to ensure separate
processing of personal data recorded on one material medium and information that is not
personal data.
5.8.2.8. Clarification of personal data during their processing without the use of means of
automation is performed by updating or changing the data on a tangible medium, and if this
is not allowed by the technical features of the tangible medium - by fixing on the same
tangible medium information about the changes made in them or by producing a new
tangible medium with the clarified personal data.
5.8.3. Measures to ensure the security of personal data during their processing
carried out without the use of means of automation
5.8.3.1. Processing of personal data carried out without the use of means of automation is
carried out in such a way that in respect of each category of personal data it is possible to
determine the places of storage of personal data (material carriers) and to establish a list of
persons processing personal data or having access to them.
5.8.3.2. Separate storage of personal data (material carriers) processed for different
purposes is ensured.
5.8.3.3. When storing tangible media, the conditions ensuring the safety of personal data
and excluding unauthorized access to them shall be observed. The list of measures
necessary to ensure such conditions, the procedure for taking them, as well as the list of
persons responsible for the implementation of these measures shall be established by the
Company.
5.9. Metric data processing
5.9.1. General conditions
5.9.1.1. The following web analytics tools are used on the Company's website:
Yandex.Metrica. Web analytics tools are used to analyze the use of the Company's website
and improve its performance.
5.9.1.2. The processing of cookies by the Operator is generalized and never correlates with
personal information of Users.
5.9.1.3. A warning is displayed on the Company's website informing users about the
processing of metric data.
5.9.1.4. When visiting the site, the User gives consent to the Operator to process the
specified data using metric services to analyze the use, measure and improve the level of
performance of the Operator's site. The consent is valid from the moment of its provision
and during the entire period of the User's use of the site.
5.9.1.5. In case of refusal to process cookies, the User should stop using the Operator's
website or disable the use of cookies in the browser settings, and some functions of the
Operator's website may become unavailable.
6. Updating, correction, deletion and destruction of personal data, responding to the
subjects' requests for access to personal data
6.1. Rights of personal data subjects
6.1.1. The right of the personal data subject to access his/her personal data
6.1.1.1. The subject of personal data has the right to receive information (hereinafter -
information requested by the subject) concerning the processing of his/her personal data,
including information containing:
1) confirmation of the fact of personal data processing by the Company;
2) legal grounds and purposes of personal data processing;
3) the purposes and methods of personal data processing applied by the Company;
4) name and location of the Company, information about persons (except for employees of
the Company) who have access to personal data or to whom personal data may be
disclosed on the basis of a contract with the Company or on the basis of federal law;
5) processed personal data related to the respective personal data subject, the source of
their obtaining, unless another procedure for the submission of such data is provided for by
the federal law;
6) terms of personal data processing, including the terms of their storage;
7) the procedure for exercising by the subject of personal data the rights provided for by the
Federal Law «On Personal Data»;
8) information on realized or suspected cross-border data transfers;
9) the name or surname, first name, patronymic and address of the person processing
personal data on behalf of the Company, if the processing is or will be entrusted to such
person;
10) other information stipulated by the Federal Law «On Personal Data» or other federal
laws.
6.1.1.2. The personal data subject has the right to receive the information requested by the
data subject, except in the following cases:
— processing of personal data, including personal data obtained as a result of operativesearch, counterintelligence and intelligence activities, is carried out for the purposes of
national defense, state security and law enforcement;
— processing of personal data shall be carried out by the authorities that detained the
personal data subject on suspicion of committing a crime, or charged the personal data
subject in a criminal case, or applied to the personal data subject a preventive measure
prior to the indictment, except for cases provided for by the criminal procedural legislation of
the Russian Federation, if the familiarization of the suspect or accused with such personal
data is allowed;
— personal data processing is carried out in accordance with the legislation on combating
legalization (laundering) of proceeds of crime and terrorism financing;
— access of the subject of personal data to his/her personal data violates the rights and
legitimate interests of third parties;
— processing of personal data is carried out in cases stipulated by the legislation of the
Russian Federation on transport security in order to ensure sustainable and safe
functioning of the transport complex, to protect the interests of individuals, society and the
state in the sphere of the transport complex from acts of unlawful interference.
6.1.1.3. The subject of personal data has the right to demand from the Company to clarify
his/her personal data, block or destroy them in case the personal data are incomplete,
outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of
processing, as well as to take measures stipulated by law to protect his/her rights.
6.1.1.4. The information requested by the subject shall be provided to the subject of
personal data by the Company in an accessible form and shall not contain personal data
relating to other subjects of personal data, unless there are legitimate grounds for
disclosure of such personal data.
6.1.1.5. The requested information shall be provided to the personal data subject or his/her
representative by the Company upon application or upon receipt of the request of the
personal data subject or his/her representative. The request shall contain the number of the
main identity document of the personal data subject or his/her representative, information
on the date of issue of the said document and the issuing authority, information confirming
the participation of the personal data subject in relations with the Company (contract
number, date of the contract, word designation and (or) other information), or information
otherwise confirming the fact of personal data processing by the Company, signature of the
personal data subject or his/her representative (hereinafter referred to as the requested
information). The request may be sent in the form of an electronic document and signed
with an electronic signature in accordance with the laws of the Russian Federation.
6.1.1.6. In case the information requested by the subject, as well as the processed personal
data were provided for familiarization to the personal data subject upon his/her request, the
personal data subject has the right to reapply to the Company or send a repeated request in
order to obtain the information requested by the subject and familiarization with such
personal data not earlier than thirty days (hereinafter referred to as the standard term of the
request) after the initial application or sending of the initial request, unless a shorter term is
established by the Company or the Company.
6.1.1.7. A personal data subject has the right to reapply to the Company or send a repeated
request in order to obtain the information requested by the subject, as well as to familiarize
himself/herself with the processed personal data prior to the expiration of the standard term
of the request, if such information and (or) processed personal data were not provided to
him/her for familiarization in full by the results of consideration of the initial request. The
repeated request along with the information necessary for the request shall contain the
justification for sending the repeated request.
6.1.1.8. The Company shall have the right to refuse to fulfill a repeated request of a
personal data subject that does not comply with the conditions of the repeated request.
Such refusal shall be motivated. The Company shall be obliged to provide evidence of the
reasonableness of the refusal to fulfill the repeated request.
6.1.2. Rights of personal data subjects when processing their personal data in order to
promote goods, works, services on the market, as well as for political agitation purposes
6.1.2.1. Processing of personal data for the purpose of promotion of goods, works, services
on the market by means of direct contacts with potential consumers through means of
communication, as well as for the purposes of political agitation is carried out precisely
subject to the prior consent of the subject of personal data. The said processing of personal
data shall be recognized as being carried out without prior consent of the personal data
subject, unless the Company proves that such consent was obtained. The Company
undertakes to immediately cease the said processing of personal data at the request of the
personal data subject.
6.1.3. Rights of personal data subjects when making decisions on the basis of exclusively
automated processing of their personal data
6.1.3.1. On the basis of exclusively automated processing of personal data, the Company
does not make decisions that give rise to legal consequences in respect of the personal
data subject or otherwise affect his/her rights and legitimate interests. /p>
6.1.4. Right to appeal against actions or inaction of the Company
6.1.4.1. If a personal data subject believes that the Company processes his/her personal
data in violation of the requirements of the Federal Law «On Personal Data» or otherwise
violates his/her rights and freedoms, the personal data subject has the right to appeal the
Company's actions or omissions to the authorized body for the protection of the rights of
personal data subjects or in court.
6.1.4.2. The subject of personal data has the right to protect his/her rights and legitimate
interests, including compensation for losses and (or) compensation for moral damage in
court.
6.2. Operator obligations
6.2.1. Obligations of the operator when collecting personal data
6.2.1.1. When collecting personal data, the Company shall provide the personal data
subject, at his/her request, with the requested information concerning the processing of
his/her personal data in accordance with part 7 of Article 14 of the Federal Law «On
Personal Data».
6.2.1.2. If the provision of personal data is mandatory in accordance with federal law, the
Company shall explain to the subject of personal data the legal consequences of refusal to
provide his/her personal data.
6.2.1.3. If personal data are not received from a personal data subject, the Company shall
provide the personal data subject with the following information (hereinafter referred to as
the information to be communicated upon receipt of personal data not from a personal data
subject) prior to the commencement of processing of such personal data:
1) name or surname, name, patronymic and address of the Company or the Company's
representative;
2) the purpose of personal data processing and its legal basis;
3) the intended users of the personal data;
4) established by the Federal Law «On Personal Data» the rights of the subject of personal
data;
5) the source of obtaining the personal data.
6.2.1.4. The Company shall not provide the subject with the information communicated
upon receipt of personal data not from the subject of personal data in cases where:
1) the personal data subject is notified of the processing of his/her personal data by the
Company;
2)personal data was obtained by the Company on the basis of federal law or in connection
with the execution of an agreement to which the personal data subject is a party,
beneficiary or guarantor;
3) processing of personal data authorized by the personal data subject for dissemination
shall be carried out in compliance with the prohibitions and conditions stipulated in Article
10.1 of the Federal Law «On Personal Data»;
4) The Company processes personal data for statistical or other research purposes, to carry
out professional activities of a journalist or scientific, literary or other creative activities, if the
rights and legitimate interests of the subject of personal data are not violated;
5) providing the subject of personal data with information communicated upon receipt of
personal data not from the subject of personal data violates the rights and legitimate
interests of third parties.
6.2.1.5. When collecting personal data, including through the information and
telecommunications network «Internet», the Company shall ensure recording,
systematization, accumulation, storage, clarification (update, change), extraction of
personal data of citizens of the Russian Federation processed in the following information
systems:
6.2.1.5.1. Personal data information system «Buhgalterskij i kadrovyj uchet» using
databases located in the following countries:
6.2.1.5.1.1. Russia.
6.2.1.5.2. Personal data information system «Osnovnaya deyatelnost» using databases
located on the territory of the following countries:
6.2.1.5.2.1. Russia.
6.2.1.6. The location of the data processing center(s) and information on the organization
responsible for data storage is determined by the Company's internal documents.
6.2.2. Measures to ensure that the Company fulfills its obligations
6.2.2.1. The Company shall take measures necessary and sufficient to ensure fulfillment of
its duties. The Company shall independently determine the composition and list of
measures necessary and sufficient to ensure fulfillment of its duties, unless otherwise
provided for by federal laws. Such measures, in particular, include:
1) appointment of the person responsible for the organization of personal data processing;
2) issuing the Policy, local acts on personal data processing issues, as well as local acts
establishing procedures aimed at prevention and detection of violations of the legislation of
the Russian Federation, elimination of consequences of such violations;
3) application of legal, organizational and technical measures to ensure the security of
personal data;
4) internal control and (or) audit of compliance of personal data processing with the
personal data protection requirements, Policy, local acts of the Company;
5) assessment of the damage that may be caused to personal data subjects in case of
violation of the Federal Law «On Personal Data», the correlation between this damage and
the measures taken by the Company to ensure the fulfillment of the obligations stipulated
by the Federal Law «On Personal Data»;
6) familiarization of the Company's employees directly involved in personal data processing
with the provisions of the Russian Federation legislation on personal data, including
personal data protection requirements, documents, Policies, local acts on personal data
processing, and (or) training of the said employees.
6.2.3. Measures to ensure the security of personal data during their processing
6.2.3.1. When processing personal data, the Company shall take the necessary legal,
organizational and technical measures or ensure their adoption to protect personal data
from unlawful or accidental access to them, destruction, modification, blocking, copying,
provision, dissemination of personal data, as well as from other unlawful actions in relation
to personal data.
6.2.3.2. Ensuring the security of personal data is achieved, in particular:
1) determination of threats to the security of personal data during their processing in
personal data information systems;
2) application of organizational and technical measures to ensure the security of personal
data during their processing in personal data information systems, necessary to meet the
requirements for personal data protection, the implementation of which ensures the levels
of personal data protection established by the Government of the Russian Federation;
3) using information protection means that have undergone the conformity assessment
procedure in accordance with the established procedure;
4) assessment of the effectiveness of the measures taken to ensure personal data security
before putting into operation of the personal data information system;
5) taking into account machine-readable personal data carriers;
6) detecting facts of unauthorized access to personal data and taking measures;
7) recovery of personal data modified or destroyed due to unauthorized access to them;
8) establishing the rules of access to personal data processed in the personal data
information system, as well as ensuring the registration and recording of all actions
performed with personal data in the personal data information system;
9) control over the measures taken to ensure the security of personal data and the level of
protection of personal data information systems.
6.2.3.3 The use and storage of biometric personal data outside personal data information
systems may be carried out only on such material data carriers and with the use of such
storage technology, which ensure the protection of these data from unauthorized or
accidental access to them, their destruction, modification, blocking, copying, provision,
dissemination.
6.2.4. Obligations of the operator when the personal data subject contacts him or
upon receipt of the request of the personal data subject or his representative, as well
as of the authorized body for the protection of the rights of personal data subjects
6.2.4.1. The Company shall inform the personal data subject or his/her representative in
accordance with the established procedure about the availability of personal data relating to
the respective personal data subject, and shall provide an opportunity to familiarize with
such personal data upon request of the personal data subject or his/her representative or
within thirty days from the date of receipt of the request of the personal data subject or
his/her representative.
6.2.4.2. In case of refusal to provide information on the availability of personal data on the
respective personal data subject or personal data to the personal data subject or his/her
representative upon their application or upon receipt of the request of the personal data
subject or his/her representative, the Company shall provide a reasoned response in writing
within a period not exceeding thirty days from the date of application of the personal data
subject or his/her representative or from the date of receipt of the request of the personal
data subject or his/her representative.
6.2.4.3. The Company shall provide free of charge to the subject of personal data or his/her
representative the opportunity to familiarize with personal data related to this subject of
personal data. Within a period not exceeding seven business days from the date of
submission by the subject of personal data or his/her representative of information
confirming that the personal data is incomplete, inaccurate or irrelevant, the Company shall
make the necessary changes thereto. Within a period not exceeding seven business days
from the date of submission by the personal data subject or his/her representative of
information confirming that such personal data are illegally obtained or are not necessary
for the stated purpose of processing, the Company shall destroy such personal data. The
Company shall notify the subject of personal data or his/her representative of the changes
made and measures taken, and shall take reasonable measures to notify third parties to
whom the personal data of the subject have been transferred.
6.2.4.4. The Company shall report to the authorized body for the protection of the rights of
personal data subjects at the request of this body the necessary information within thirty
days from the date of receipt of such request.
6.2.5. Obligations of the operator to eliminate violations of legislation committed
during the processing of personal data, to clarify, block and destroy personal data
6.2.5.1. In case of detection of unlawful processing of personal data at the personal data
subject's or his/her representative's request or at the request of the personal data subject or
his/her representative or the authorized body for the protection of the rights of personal data
subjects, the Company shall block the unlawfully processed personal data related to this
personal data subject or ensure their blocking (if the personal data processing is carried out
by another person acting on behalf of the Company) from the moment of the request of the
personal data subject or his/her representative or at their request or at the request of the
authorized body for the protection of the rights of personal data subjects. In the event that
inaccurate personal data is detected upon request of a personal data subject or his/her
representative or at their request or at the request of the authorized body for the protection
of the rights of personal data subjects, the Company shall block personal data related to
this personal data subject or ensure their blocking (if personal data processing is performed
by another person acting on behalf of the Company) from the moment of such request or
receipt of the said request for the period of verification, if the blocking is performed by
another person acting on behalf of the Company).
6.2.5.2. If the fact of inaccuracy of personal data is confirmed, the Company shall, based on
the information submitted by the personal data subject or his/her representative or the
authorized body for the protection of the rights of personal data subjects, or other necessary
documents, clarify personal data or ensure their clarification (if personal data processing is
performed by another person acting on behalf of the Company) within seven working days
from the date of submission of such information and remove the blocking of personal data.
6.2.5.3. In the fact of detection of unlawful processing of personal data by the Company or
by a person acting on behalf of the Company, the Company shall, within a period not
exceeding three business days from the date of such detection, cease unlawful processing
of personal data or ensure cessation of unlawful processing of personal data by a person
acting on behalf of the Company. If it is impossible to ensure the legality of personal data
processing, the Company shall, within a period not exceeding ten business days from the
date of detection of unlawful processing of personal data, destroy such personal data or
ensure their destruction. The Company shall notify the personal data subject or his/her
representative on elimination of the admitted violations or destruction of personal data, and
if the personal data subject's or his/her representative's appeal or request of the authorized
body for protection of the rights of personal data subjects was sent by the authorized body
for protection of the rights of personal data subjects, also the said body.
6.2.5.4. If the purpose of processing personal data is achieved, the Company stops the
processing of personal data or ensures its termination (if the processing of personal data is
carried out by another person acting on behalf of the Company) and destroys personal data
or ensures their destruction (if the processing of personal data is carried out by another
person acting on behalf of the Company) of the Company) within a period not exceeding
thirty days from the date of achievement of the purpose of processing personal data, unless
otherwise provided by the agreement to which the subject of personal data is a party,
beneficiary or guarantor, another agreement between the Company and the subject of
personal data, or if the Company is not entitled to carry out processing of personal data
without the consent of the subject of personal data on the grounds provided for by the
Federal Law «On Personal Data» or other federal laws.
6.2.5.5. In the event that the subject of personal data withdraws consent to the processing
of his personal data, the Company terminates their processing or ensures the termination of
such processing (if the processing of personal data is carried out by another person acting
on behalf of the Company) and if the storage of personal data is no longer required for the
purposes of processing personal data, destroys personal data or ensures their destruction
(if the processing of personal data is carried out by another person acting on behalf of the
Company) within a period not exceeding thirty days from the date of receipt of the said
withdrawal, unless otherwise provided by the agreement, the party to which, the beneficiary
or the guarantor under which is the subject of personal data, another agreement between
the Company and the subject of personal data, or if the Company is not entitled to process
personal data without the consent of the subject of personal data on the grounds provided
for by the Federal Law «On Personal Data» or other federal laws.
6.2.5.6. If it is not possible to destroy personal data within the specified period, the
Company shall block such personal data or ensure their blocking (if personal data
processing is carried out by another person acting on behalf of the Company) and ensure
destruction of personal data within a period not exceeding six months, unless another
period is established by federal laws.
6.2.6. Notification of personal data processing
6.2.6.1. The Company, except as provided for by the Federal Law «On Personal Data»,
shall notify the authorized body for the protection of the rights of personal data subjects of
its intention to process personal data prior to the commencement of personal data
processing.
6.2.6.2. The notification shall be sent in the form of a document on paper or in the form of
an electronic document and signed by an authorized person. The notification shall contain
the following information:
1) name (surname, first name, patronymic), address of the Company;
2) purpose of personal data processing;
3) categories of personal data;
4) categories of subjects whose personal data are processed;
5) legal basis for the processing of personal data;
6) list of actions with personal data, general description of the methods of personal data
processing used by the Company;
7) description of measures, including information on the availability of encryption
(cryptographic) means and the names of these means;
8) surname, first name, patronymic of the natural person or name of the legal entity
responsible for organizing the processing of personal data and their contact telephone
numbers, postal and e-mail addresses;
9) the date of commencement of personal data processing;
10) term or condition for termination of personal data processing;
11) information on the presence or absence of trans-border transfer of personal data in the
process of their processing;
12) information on the location of the database of information containing personal data of
citizens of the Russian Federation;
13) information on ensuring the security of personal data in accordance with the
requirements for the protection of personal data established by the Government of the
Russian Federation.
6.2.6.3. In case of changes in the above information, as well as in case of termination of
personal data processing, the Company shall notify the authorized body for the protection of
the rights of personal data subjects within ten working days from the date of occurrence of
such changes or from the date of termination of personal data processing.
6.2.7. Notification of transborder transfer of personal data
6.2.7. Notification of transborder transfer of personal data
6.2.7.1. 6.2.7.1 Prior to the commencement of transborder personal data transfer activities,
the Company shall notify the authorized body for the protection of the rights of personal
data subjects of its intention to perform transborder transfer of personal data.
6.2.7.2. The notification on transborder transfer of personal data shall be sent separately
from the notification on processing (intention to process) of personal data provided for by
Article 22 of the Federal Law «On Personal Data».
6.2.7.3. The Notification shall be sent in the form of a paper document or in the form of an
electronic document and signed by an authorized person. The notification shall contain the
following information:
1) name (surname, first name, patronymic), address of the Company, as well as the date
and number of the notice of intention to process personal data previously sent by the
Company in accordance with Article 22 of the Federal Law «On Personal Data»;
2) legal basis and purpose of transborder transfer of personal data and further processing
of transferred personal data;
3) categories and list of personal data to be transferred;
4) categories of personal data subjects whose personal data are transferred;
5) the list of foreign states on whose territory the transborder transfer of personal data is
planned to take place;
6) the date of the Company's assessment of compliance by foreign authorities, foreign
individuals, foreign legal entities, to whom trans-border transfer of personal data is planned,
of personal data confidentiality and personal data security at their processing.
6.2.7.4. Assessment of compliance by foreign authorities, foreign individuals, foreign legal
entities, to whom trans-border transfer of personal data is planned, with the confidentiality of
personal data and ensuring the security of personal data during their processing is carried
out by the Company on the basis of information requested in accordance with part 5 of
Article 12 of the Federal Law «On personal data».
Areas of responsibility
7.1. Persons responsible for organization of personal data processing in
organizations
7.1.1. The Company shall appoint a person responsible for organizing the processing of
personal data.
7.1.2. The person responsible for the organization of personal data processing receives
instructions directly from the executive body of the organization being the operator and
reports to it.
7.1.3. The Company shall provide the person responsible for organizing the processing of
personal data with the necessary information.
7.1.4. The person responsible for organizing the processing of personal data shall, in
particular, perform the following functions:
1) exercises internal control over compliance by the Company and the Company's
employees with the legislation of the Russian Federation on personal data, including
requirements to personal data protection;
2) brings to the attention of the Company's employees the provisions of the Russian
Federation legislation on personal data, local acts on personal data processing, and
personal data protection requirements;
3) organizes the reception and processing of appeals and requests of personal data
subjects or their representatives and (or) exercises control over the reception and
processing of such appeals and requests.
7.2. Responsibility
7.2.1. Persons guilty of violating the requirements of the Federal Law «On Personal Data»
shall bear the liability provided for by the legislation of the Russian Federation.
7.2.2. Moral damage caused to the subject of personal data due to violation of his/her
rights, violation of the rules of personal data processing established by the Federal Law
«On Personal Data», as well as requirements to personal data protection established in
accordance with the Federal Law «On Personal Data», shall be compensated in
accordance with the legislation of the Russian Federation. Compensation for moral damage
shall be made regardless of compensation for property damage and losses incurred by the
subject of personal data.
8. Key results
In achieving the objectives, the following results are expected:
— ensuring the protection of the rights and freedoms of personal data subjects during the
processing of their personal data by the Company;
— improving the overall level of information security of the Company;
— minimization of the Company's legal risks.
9. Related policies
There are no related policies in place.