Policy

regarding the processing of personal data

1. General Provisions

1.1. This Policy regarding the processing of personal data (hereinafter referred to as the Policy) has been developed to comply with the requirements in order to ensure the protection of rights and freedoms
person and citizen when processing his personal data, including the protection of rights to
privacy, personal and family secrets.
1.2. The policy applies to all personal data processed by the company (hereinafter referred to as the Operator)
1.3. The policy applies to relations in the field of processing personal data,
arising from the Operator both before and after the approval of this Policy.
1.4. In pursuance of this, this Policy is published in the public domain on the Internet information and telecommunications network on the Operator’s website.
1.5. Basic concepts used in the Policy:
personal data - any information related to directly or indirectly defined
or to an identified individual (subject of personal data);
personal data operator (operator) ;
processing of personal data - any action (operation) or set of actions
(operations) with personal data performed using automation tools
or without using them. Processing of personal data includes, among other things:
• collection;
• recording;
• systematization;
• accumulation;
• storage;
• clarification (update, change);
• extraction;
• usage;
• transmission (distribution, provision, access);
• depersonalization;
• blocking;
• removal;
• destruction;
automated processing of personal data - processing of personal data with
using computer technology;
dissemination of personal data - actions aimed at disclosing personal data
data to an indefinite number of persons;
provision of personal data - actions aimed at disclosing personal data
data to a certain person or a certain circle of persons;
blocking of personal data - temporary cessation of processing of personal data
data (except for cases where processing is necessary to clarify personal
data);
destruction of personal data - actions as a result of which it becomes impossible
restore the content of personal data in the personal information system
data and (or) as a result of which material media of personal
data;
depersonalization of personal data - actions that result in
impossible to determine ownership without the use of additional information
personal data to a specific subject of personal data;
information system of personal data - a set of data contained in databases
personal data and information technologies ensuring their processing and
technical means.
1.6. Basic rights and obligations of the Operator.
1.6.1. The operator has the right:
1) independently determine the composition and list of measures necessary and sufficient for
ensuring the fulfillment of duties provided for by the Law and
normative legal acts adopted in accordance with it, unless otherwise
provided for by the Law or other laws;
2) entrust the processing of personal data to another person with the consent of the subject of personal data
data, unless otherwise provided by law, on the basis of a contract concluded with
this person of the contract. The person processing personal data according to
on behalf of the Operator, is obliged to comply with the principles and rules for processing personal
data provided for by the Personal Data Law, maintain confidentiality
personal data, take the necessary measures aimed at ensuring
fulfilling the obligations provided for by the Personal Data Law;
3) in case of withdrawal by the subject of personal data of consent to the processing of personal
data The Operator has the right to continue processing personal data without the consent of the subject
personal data if there are grounds specified in the Law.
1.6.2. The operator is obliged:
1) organize the processing of personal data in accordance with the requirements of the Law;
2) respond to requests and requests from subjects of personal data and their legal
representatives in accordance with the requirements of the Law;
3) report the necessary information to the authorized body for the protection of the rights of personal data subjects at the request of this body.
4) in the manner determined by the executive authority authorized in
areas of security, ensure interaction with government
system for detecting, preventing and eliminating the consequences of computer attacks on
information resources, including informing him about computer incidents,
which resulted in unlawful transfer (provision, distribution, access)
personal data.
1.7. Basic rights of the subject of personal data. The subject of personal data has the right:
1) receive information regarding the processing of his personal data, with the exception of
cases provided for by federal laws. Information is provided to the subject
personal data by the Operator in an accessible form, and it should not contain
personal data relating to other subjects of personal data, for
except in cases where there are legal grounds for disclosing such
personal data. The list of information and the procedure for obtaining it is established by law;
2) require the operator to clarify his personal data, block it, or
destruction if personal data is incomplete, outdated,
inaccurate, illegally obtained or not necessary for the stated purpose
processing, as well as take measures provided by law to protect their rights;
3) give prior consent to the processing of personal data in order to promote
market of goods, works and services;
4) appeal unlawful actions in court or
inaction of the Operator when processing his personal data.
1.8. Control over compliance with the requirements of this Policy is carried out by the authorized
the person responsible for organizing the processing of personal data by the Operator.
1.9. Responsibility for violation of legal requirements and
regulations in the field of processing and protection of personal
data is determined in accordance with the law.
2. Purposes of collecting personal data
2.1. The processing of personal data is limited to achieving specific, in advance
specific and legitimate purposes. Processing of personal data incompatible with
for the purposes of collecting personal data.
2.2. Only personal data that meets the purposes of their processing are subject to processing.
2.3. The processing of personal data by the Operator is carried out for the following purposes:
• carrying out its activities in accordance with the charter, in
including the conclusion and execution of contracts with counterparties;
• implementation of labor legislation within the framework of labor and other direct
related relations, including: assistance to employees in finding employment,
obtaining education and career advancement, attracting and selecting candidates for
work, ensuring personal safety, controlling the number and
quality of work performed, ensuring the safety of property, maintaining personnel and
accounting, filling out and submitting required reporting forms to authorized bodies,
organization of individual (personalized) registration of employees in
systems of compulsory insurance and compulsory social insurance;
• implementation of access control.

2.4. Processing of personal data of employees may be carried out solely for the purposes of
ensuring compliance with laws and other regulatory legal acts.
3. Legal grounds for processing personal data
3.1. The legal basis for the processing of personal data is a set of regulatory
legal acts, in pursuance of which and in accordance with which the Operator carries out
processing of personal data
3.2. The legal basis for the processing of personal data is also:
• agreements concluded between the Operator and subjects of personal data;
• consent of personal data subjects to the processing of their personal data.
4. Scope and categories of personal data processed,
categories of personal data subjects
4.1. The content and volume of personal data processed must comply with
the stated purposes of processing provided for in section. 2 of this Policy. Processed
personal data should not be redundant in relation to their stated purposes
processing.
4.2. The operator may process personal data of the following categories of subjects
personal data.
4.2.1. Customers who contacted the Operator - for the purposes of fulfilling the company’s goals according to the statutory documents, as well as for the purposes of legislation within the framework of directly related relations,
• Full Name;
• floor;
• citizenship;
• Date and place of birth;
• Contact details;
• information about education, work experience, qualifications;
• other personal data provided by candidates in resumes and accompanying documents
letters.
• image (photography);
• passport details;
• registration address at the place of residence;
• address of the actual residence;
• Contact details;
• individual taxpayer number;
• insurance number of an individual personal account
• information about education, qualifications, professional training and promotion
qualifications;
• marital status, presence of children, family ties;
• information about work activities, including the availability of incentives, awards and (or)
disciplinary sanctions;
• data on marriage registration;
• information about military registration;
• information about disability;
• information about the withholding of alimony;
• information about income from previous employment;
• other personal data provided by employees in accordance with the requirements
labor legislation.
4.2.4. Clients and counterparties of the Operator (individuals) - for the purposes of carrying out their
activities in accordance with the charter
• Full Name;
• Date and place of birth;
• passport details;
• registration address at the place of residence;
• Contact details;
• position to be filled;
• individual taxpayer number;
• current account number;
• other personal data provided by clients and counterparties (individuals
persons) necessary for the conclusion and execution of contracts.
4.2.5. Representatives (employees) of the Operator’s clients and counterparties (legal entities) - for
purposes of carrying out its activities in accordance with the charter,
implementation of access control:
• Full Name;
• passport details;
• Contact details;
• position to be filled;
• other personal data provided by representatives (employees) of clients and
counterparties necessary for concluding and executing contracts.
4.3. Processing by the Operator of biometric personal data (information that
characterize the physiological and biological characteristics of a person, on the basis of which
it is possible to establish his identity) is carried out in accordance with the law
.
4.4. The operator does not process special categories of personal data,
relating to race, national origin, political opinions, religious or
philosophical beliefs, state of health, intimate life, except in cases
provided for by law.
5. Procedure and conditions for processing personal data
5.1. The processing of personal data is carried out by the Operator in accordance with the requirements
legislation.
5.2. Processing of personal data is carried out with the consent of the subjects of personal data
for the processing of their personal data, as well as without it in cases provided for
legislation.
5.3. The operator processes personal data for each purpose of their processing
in the following ways:
• non-automated processing of personal data;
• automated processing of personal data with transfer of received information
via information and telecommunication networks or without it;
• mixed processing of personal data.
5.4. Employees of the Operator are allowed to process personal data;
whose responsibilities include processing personal data.
5.5. Processing of personal data for each processing purpose specified in clause 2.3 of the Policy,
carried out by:
• receiving personal data in oral and written form directly from
subjects of personal data;
• entering personal data into journals, registers and information systems of the Operator;
• use of other methods of processing personal data.
5.6. Disclosure to third parties and dissemination of personal data without
consent of the subject of personal data, unless otherwise provided by federal law.
Consent to the processing of personal data authorized by the subject of personal data for
distribution, is drawn up separately from other consents of the subject of personal data to
processing of his personal data.
Requirements for the content of consent to the processing of personal data authorized by the subject
personal data for distribution
5.7. Transfer of personal data to government authorities as required by such authorities.
5.8. The operator takes the necessary legal, organizational and technical measures to
protection of personal data from unauthorized or accidental access, destruction,
modification, blocking, distribution and other unauthorized actions, including
number:
• identifies threats to the security of personal data during their processing;
• adopts local regulations and other documents regulating relations in
the field of processing and protection of personal data;
• appoints persons responsible for ensuring the security of personal data in
structural divisions and information systems of the Operator;
• creates the necessary conditions for working with personal data;
• organizes recording of documents containing personal data;
• organizes work with information systems in which personal information is processed
data;
• stores personal data under conditions that ensure their safety and
unauthorized access to them is excluded;
• organizes training for the Operator’s employees processing personal
data.
5.9. The operator stores personal data in a form that allows you to determine
subject of personal data, no longer than required for each purpose of processing
personal data, if the storage period for personal data is not established by the federal
law, contract.
5.9.1. Personal data on paper is stored in
during the storage periods of documents for which these periods are provided for by law, List of standard management archival documents generated
in the process of activities of state bodies, local governments and
organizations, indicating their storage periods.
5.9.2. Storage period for personal data processed in information systems
personal data, corresponds to the period of storage of personal data on paper
media.
5.10. The operator stops processing personal data in the following cases:
• the fact of their unlawful processing has been revealed. Deadline - within three working days from the date
identification;
• the purpose of their processing has been achieved;
• the personal data subject’s consent to processing has expired or been revoked
specified data, when, according to the Personal Data Law, the processing of this data
permitted only with consent.
5.11. Upon achievement of the purposes of processing personal data, as well as in the event of withdrawal by the subject
personal data consent to their processing The Operator stops processing this data,
If:
• otherwise not provided for by the agreement, the party to which, the beneficiary or
the guarantor for which is the subject of personal data;
• The operator has no right to carry out processing without the consent of the subject of personal data on
grounds provided for by the Law on Personal Data or other federal
laws;
• otherwise not provided for in another agreement between the Operator and the subject of personal
data.
5.12. When a personal data subject contacts the Operator with a request to terminate
processing of personal data within a period not exceeding 10 working days from the date of receipt
By the operator of the relevant requirement, the processing of personal data is terminated if
except in cases provided for by the Personal Data Law. The specified period may
be extended, but not more than five working days. To do this, the Operator must send
motivated notification to the personal data subject indicating the reasons for the extension
term.
5.13. When collecting personal data, including through
information and telecommunications network Internet, the Operator provides recording,
systematization, accumulation, storage, clarification (updating, changing), retrieving
personal data of citizens using databases,
located on the territory of the state, except for the cases specified in the Law
about personal data.
6. Updating, correction, deletion, destruction
personal data, responses to subjects’ requests for access
to personal data
6.1. Confirmation of the fact of processing of personal data by the Operator, legal grounds and
the purposes of processing personal data, as well as other information, are provided by the Operator to the subject of personal data or his
to the representative within 10 working days from the date of contact or receipt of the subject’s request
personal data or his representative. This period may be extended, but no more than
for five working days. To do this, the Operator should send the personal data subject
reasoned notification indicating the reasons for extending the deadline for provision
requested information.
The information provided does not include personal data relating to other
subjects of personal data, except in cases where there are legal grounds
to disclose such personal data.
The request must contain:
• number of the main identification document of the subject of personal data or
his representative, information about the date of issue of the specified document and the issuing authority;
• information confirming the participation of the subject of personal data in relations with
Operator (agreement number, date of conclusion of the agreement, symbolic verbal designation and
(or) other information), or information otherwise confirming the fact of processing
personal data by the Operator;
• signature of the subject of personal data or his representative.
The request can be sent in the form of an electronic document and signed electronically
signature in accordance with the law.
Provided to the Personal Data Subject or his representative in the form in which the
relevant appeal or request, unless otherwise specified in the appeal or request.
If the appeal (request) of the personal data subject is not reflected in accordance with
requirements of the Personal Data Law or the subject does not have all the necessary information
rights of access to the requested information, then a reasoned refusal is sent to him.
The right of the personal data subject to access his personal data may be
limited, including if access
of the subject of personal data to his personal data violates the rights and legitimate interests
third parties.
6.2. If inaccurate personal data is identified when contacting the subject of personal
data or its representative or at their request or at the request of the Operator
carries out blocking of personal data relating to this subject of personal
data, from the moment of such application or receipt of the specified request for the period of verification, if
blocking personal data does not violate the rights and legitimate interests of the subject
personal data or third parties.
If the fact of inaccuracy of personal data is confirmed, the Operator based on
information provided by the subject of personal data or his representative, or other necessary documents, clarifies personal data within
seven working days from the date of submission of such information and removes the blocking of personal
data.
6.3. If unlawful processing of personal data is detected when contacting
(request) of the subject of personal data or his representative Operator
carries out blocking of unlawfully processed personal data related to
to this personal data subject, from the moment of such contact or receipt of the request.
6.4. If the Operator or other interested party identifies the fact
unlawful or accidental transfer (provision, distribution) of personal data
(access to personal data), resulting in a violation of the rights of personal data subjects,
6.5. The procedure for destroying personal data by the Operator.
6.5.1. Conditions and terms for the destruction of personal data by the Operator:
• achieving the purpose of processing personal data or losing the need to achieve this
goal - within 30 days;
• achieving maximum storage periods for documents containing personal data,
- within 30 days;
• provision by the subject of personal data (his representative) of confirmation that
that personal data was obtained illegally or is not necessary for
stated purpose of processing - within seven working days;
• withdrawal by the subject of personal data of consent to the processing of his personal data,
if their storage is no longer required for the purpose of their processing, - within 30 days.
6.5.2. When the purpose of processing personal data is achieved, as well as in case of withdrawal by the subject
personal data consent to their processing, personal data is subject to destruction,
If:
• otherwise not provided for by the agreement, the party to which, the beneficiary or
the guarantor for which is the subject of personal data;
• The operator has no right to carry out processing without the consent of the subject of personal data on
grounds provided for by the Law on Personal Data or other
laws;
• otherwise not provided for in another agreement between the Operator and the subject of personal
data.
6.5.3. The destruction of personal data is carried out by the company’s commission.
6.5.4. Methods for destroying personal data are established in local regulations
acts of the Operator.