Approved on 01.07.2017
JSC RC “Fobos”
1. Purpose and scope
1.1. This document (hereinafter referred to as the Policy) defines the goals and general principles of personal data processing, as well as the measures implemented to protect personal data in JSC RC “Fobos” (hereinafter referred to as the Operator). The Policy is a publicly available document of the Operator and may be consulted by any person.
1.2. This Policy has been developed in accordance with the current legislation of the Russian Federation on personal data and regulatory and methodological documents of the executive bodies of state power on the security of personal data, including when processing them in personal data information systems.
1.3. The Policy is valid indefinitely after approval and until it is replaced by a new version.
1.4. The Policy uses terms and definitions in accordance with their meanings as defined in Federal Law 152 “On Personal Data”.
1.5. The Policy applies to all employees of the Operator (including employees under employment contracts and employees working under contract agreements). The requirements of the Policy are also taken into account and imposed on other persons if they need to participate in the processing of personal data by the Operator, as well as in cases of transfer of personal data to them in accordance with the established procedure on the basis of agreements, contracts, processing orders.
2. Information about the processing of personal data
2.1. The processing of personal data by the Operator is carried out in a mixed way: with the use of automation tools and without the use of such tools.
2.2. Actions with personal data include collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.3. The processing of personal data is carried out by the Operator on a legal and fair basis. The legal grounds for processing are:
The Constitution of the Russian Federation;
Labor Code of the Russian Federation;
Civil Code of the Russian Federation;
Tax Code of the Russian Federation;
Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”;
Federal Law No. 27-FZ of 01.04.1996 “On Individual (Personalized) accounting in the compulsory pension Insurance system”;
Federal Law No. 212-FZ of 24.07.2009 “On Insurance Contributions to the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund and Territorial Compulsory Medical Insurance Funds”;
The Law of the Russian Federation of 10.07.1992 No. 3266-1 “On education”.
2.4. The content and scope of the processed personal data are determined based on the purposes of processing. Personal data that is redundant or incompatible with the following main purposes is not processed:
conclusion of labor relations with individuals;
fulfillment of the Operator’s contractual obligations;
compliance with the current labor, accounting, pension, and other legislation of the Russian Federation.
2.5. The main categories of personal data subjects whose data are processed by the Operator include:
individuals who are in labor and civil relations with the Operator;
individuals who are in labor and civil relations with the Operator’s counterparties;
candidates for vacant positions.
2.6. For the specified categories of subjects, the following may be processed: surname, first name, patronymic; year, month, date of birth; place of birth, address; marital status; social status; property status; education; profession; income; TIN, SNILS, contact information (phone, email address), other information provided by standard forms and the established processing procedure.
2.7. When processing, the accuracy of personal data, its sufficiency and relevance in relation to the purposes of personal data processing are ensured. If inaccurate or incomplete personal data is found, it is clarified and updated.
2.8. Confidentiality is ensured for personal data that are not publicly available.
2.9. The processing and storage of personal data is carried out no longer than the purposes of personal data processing require, if there are no legal grounds for further processing, for example, if a federal law or an agreement with the subject of personal data does not establish an appropriate storage period. The processed personal data is subject to destruction or depersonalization upon the occurrence of the following conditions:
achievement of the purposes of personal data processing or maximum retention periods – within 30 days;
loss of the need to achieve the goals of personal data processing — within 30 days;
provision by the subject of personal data or his legal representative of confirmation that personal data is illegally obtained or is not necessary for the stated purpose of processing — within 7 days;
inability to ensure the legality of the processing of personal data — within 10 days;
withdrawal by the subject of personal data of consent to the processing of personal data, if the storage of personal data is no longer required for the purposes of processing personal data – within 30 days;
revocation by the subject of personal data of consent to the use of personal data for contacts with potential consumers in the promotion of goods and services — within 2 days;
expiration of the limitation period for legal relations within which personal data is being processed or has been processed;
liquidation (reorganization) of the Operator.
2.10. Processing of personal data on the basis of contracts and other agreements of the Operator, instructions to the Operator and instructions of the Operator for the processing of personal data is carried out in accordance with the terms of these contracts, agreements of the Operator, as well as agreements with persons who are entrusted with processing or who have entrusted processing legally. Such agreements may determine, in particular:
purposes, conditions, terms of processing of personal data;
obligations of the parties, including confidentiality measures;
rights, obligations and responsibilities of the parties concerning the processing of personal data.
2.11. In cases not explicitly provided for by the current legislation or the contract, processing is carried out after obtaining the consent of the personal data subject. Consent can be expressed in the form of performing actions, accepting the terms of the offer agreement, making appropriate marks, filling in fields in forms (for example, when placing an order through the Operator’s website www.divaeva.ru), or executed in writing in accordance with the legislation. A mandatory case of obtaining prior consent is, for example, contact with a potential consumer when promoting the Operator’s goods and services on the market.
3. Measures to ensure the security of personal data
3.1. The Operator takes the necessary legal, organizational and technical measures to ensure the security of personal data to protect them from unauthorized (including accidental) access, destruction, modification, blocking of access and other unauthorized actions. Such measures, in particular, include:
appointment of employees responsible for the organization of processing and ensuring the security of personal data;
verification of the presence in contracts and inclusion, if necessary, in contracts of clauses on ensuring the confidentiality of personal data;
publication of local acts on the processing of personal data, familiarization of employees with them, training of users;
ensuring the physical security of premises and processing facilities, access control, security, video surveillance;
restriction and differentiation of access of employees and other persons to personal data and processing tools, monitoring of actions with personal data;
identification of threats to the security of personal data during their processing, the formation of threat models based on them;
the use of security tools (anti-virus tools, firewalls, means of protection against unauthorized access, means of cryptographic protection of information), including those that have passed the conformity assessment procedure in accordance with the established procedure;
accounting and storage of data carriers, excluding their theft, substitution, unauthorized copying and destruction;
backup of information for the possibility of recovery;
implementation of internal control over compliance with the established procedure, checking the effectiveness of measures taken, responding to incidents.
4. Rights of personal data subjects
4.1. The subject of personal data has the right to withdraw consent to the processing of personal data by sending a corresponding request to the Operator by mail or by contacting the Operator in person.
4.2. The subject of personal data has the right to receive information concerning the processing of his personal data, including the following:
confirmation of the fact of processing of personal data by the Operator;
legal grounds and purposes of personal data processing;
purposes and methods of personal data processing used by the Operator;
the name and location of the Operator, information about persons (with the exception of employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
processed personal data relating to the relevant subject of personal data, the source of their receipt, unless another procedure for the submission of such data is provided for by federal law;
terms of processing of personal data, including the terms of their storage;
the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law “On Personal Data”;
information about the transborder data transfer that has been carried out or is expected to be carried out;