1. GENERAL PROVISIONS
1.1. This Policy regarding the processing of personal data (hereinafter referred to as the Policy) is compiled in accordance with paragraph 2 of Article 18.1 of the Federal Law “On Personal Data” No. 152-FZ of July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data and acts with respect to all personal data (hereinafter referred to as data) which the Organization (hereinafter referred to as the Operator, the Company) can receive from the subject of personal data that is a party to a civil law contract from the user To the Internet (hereinafter – the user) during its use of any of the sites, services, services, programs, products or services, as well as on the subject of personal data held with the Operator in relations governed by labor legislation (hereinafter – the workers).
1.2. The operator provides protection of the processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
1.3. The operator has the right to make changes to this Policy. When you make changes to the Policy header, the date of the last revision of the edition is indicated. The new version of the Policy comes into force from the moment it is posted on the site, unless otherwise provided for by the new edition of the Policy.
2. TERMS AND ABBREVIATIONS
Personal data – any information related to a directly or indirectly defined or determined individual (subject of personal data).
Personal data processing – any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, updating (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data – processing of personal data by means of computer facilities.
Personal data information system (ISDN) – a set of personal data contained in databases and providing their processing of information technology and technical means.
Personal data made public data subject personal data – personal data, access to an unlimited range of persons to which provided by the subject of personal data or at his request.
Blocking of personal data – temporary termination of processing of personal data (except for cases when processing is necessary for specification of personal data).
Destruction of personal data is an action that makes it impossible to restore the contents of personal data in the personal data information system and (or) as a result of which material data carriers of personal data are destroyed.
Operator – an organization, independently or jointly with other persons organizing the processing of personal data, as well as determining the purposes of processing personal data subject to processing, actions (operations) performed with personal data.
3. PROCESSING OF PERSONAL DATA
3.1. Obtaining personal data.
3.1.1. All personal data should be obtained from the subject itself. If the personal data of the subject can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.
3.1.2. The operator must inform the subject about the objectives, the sources and methods of obtaining personal data, the nature of the personal data to be received, the list of actions with personal data, the period during which the consent is in force and the procedure for its withdrawal, as well as the consequences of the subject’s refusal to give written consent to their receipt.
3.1.3. Documents containing personal data are created by:
– copying of the original documents (passport, document of education, certificate of INN, pension certificate, etc.);
– entering information into accounting forms;
– Obtaining the originals of the necessary documents (work record book, medical report, characteristics, etc.).
3.2. Processing of personal data.
3.2.1. Processing of personal data is carried out:
– with the consent of the subject of personal data to the processing of his personal data;
– in cases when the processing of personal data is necessary for the implementation and performance of the functions, powers and duties imposed by the legislation of the Russian Federation;
– in cases where the processing of personal data is carried out, the access of an unlimited circle of persons to which is provided by the subject of personal data or at his request (hereinafter – personal data made by the public entity of personal data).
3.2.2. Objectives of processing personal data:
– implementation of labor relations;
– implementation of civil law relations;
– for communication with the user, in connection with filling out the feedback form on the site, including sending notifications, inquiries and information regarding the use of the store’s website, processing, ordering and delivery, execution of agreements and contracts;
– depersonalization of personal data to obtain impersonal statistics that are transferred to a third party for research, performance of work or the provision of services on behalf of the store.
3.2.3. Categories of subjects of personal data.
Personal data of the following personal data subjects are processed:
– individuals who are with the Company in labor relations;
– individuals who resigned from the Company;
– individuals who are candidates for work;
– individuals who are with the Company in civil law relations;
– individuals who are Users of the Site of the Store.
3.2.4. Personal data processed by the Operator:
– data obtained during the implementation of labor relations;
– data obtained for the selection of candidates for work;
– data obtained during the implementation of civil law relations;
– data received from Users of the Site of the Store.
3.2.5. Processing of personal data is conducted:
– using automation tools;
– without the use of automation.
3.3. Storage of personal data.
3.3.1. The personal data of the subjects can be obtained, processed further and transferred to storage both on paper and in electronic form.
3.3.2. Personal data recorded on hard copies is stored in lockable cabinets or in lockable rooms with limited access rights.
3.3.3. Personal data of subjects, processed using automation tools for different purposes, are stored in different folders.
3.3.4. It is not allowed to store and place documents containing personal data in open electronic catalogs (file sharing) in ISDN.
3.3.5. The storage of personal data in a form that allows the subject of personal data to be identified is no longer than the purpose of processing requires, and they are subject to destruction upon achievement of processing objectives or in the event of a loss of the need to achieve them.
3.4. Destruction of personal data.
3.4.1. Destruction of documents (carriers) containing personal data is carried out by burning, crushing (crushing), chemical decomposition, transformation into a shapeless mass or powder. For the destruction of paper documents, a shredder is allowed.
3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.
3.4.3. The fact of destruction of personal data is documented by an act of destruction of carriers.
3.5. Transfer of personal data.
3.5.1. The operator transfers personal data to third parties in the following cases:
– the subject expressed his consent to such actions;
– the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.
3.5.2. List of persons to whom personal data is transferred.
– Pension Fund of the Russian Federation for accounting (legally);
– tax authorities of the Russian Federation (legally);
– The Social Insurance Fund of the Russian Federation (legally);
4. PROTECTION OF PERSONAL INFORMATION
4.1. In accordance with the requirements of regulatory documents, the Operator has created a system for the protection of personal data (SZPD), consisting of legal, organizational and technical protection subsystems.
4.2. The legal protection subsystem is a set of legal, organizational, regulatory and regulatory documents that ensure the creation, functioning and improvement of the MZAP.
4.3. The organizational protection subsystem includes the organization of the management structure of the MZPD, the permitting system, and the protection of information when working with employees, partners, and third parties.
4.4. The subsystem of technical protection includes a set of technical, software, firmware, which protects personal data.
4.4. The main measures for protecting personal data used by the Operator are:
4.5.1. Appointment of the person responsible for the processing of personal data, which organizes the processing of personal data, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
4.5.2. Identification of actual threats to the security of personal data when processing them in the ISDN and the development of measures and measures to protect personal data.
4.5.3. Development of a policy for the processing of personal data.
4.5.4. Establish rules for access to personal data processed in the ISDN, and ensure the registration and recording of all actions performed with personal data in the ISDN.
4.5.5. Establish individual passwords for employees to access the information system in accordance with their production responsibilities.
4.5.6. Application of the procedure for assessing the compliance of information security means that passed in accordance with the established procedure.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Observance of the conditions ensuring the safety of personal data and excluding unauthorized access to them.
4.5.9. Detection of the facts of unauthorized access to personal data and taking measures.
4.5.10. Recovering personal data, modified or destroyed due to unauthorized access to them.
4.5.11. Training of employees of the Operator directly processing personal data, the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, documents that determine the operator’s policy regarding the processing of personal data, local acts on the processing of personal data.
4.5.12. Implementation of internal control and audit.
5. MAIN RIGHTS OF THE PERSONAL DATA SUBJECT AND RESPONSIBILITIES OF THE OPERATOR
5.1. Basic rights of the subject of personal data.
The subject has the right to access his personal data and the following information:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds and objectives for the processing of personal data;
– purposes and methods of processing personal data used by the Operator;
– the name and location of the Operator, information about the persons (with the exception of the Operator’s employees) who have access to personal data or who can disclose personal data on the basis of a contract with the Operator or on the basis of a federal law;
– the terms of processing of personal data, including the terms of their storage;
– the procedure for the subject of personal data to exercise the rights provided for by the Federal Law;
– name or surname, name, patronymic and address of the person carrying out the processing of personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
– contacting the Operator and sending him requests;
– appeal against the actions or omissions of the Operator.
5.2. Obligations of the Operator.
The operator is obliged:
– when collecting personal data, provide information on the processing of personal data;
– in cases where personal data were not obtained from a personal data subject, notify the subject;
– in case of refusal to provide personal data to the subject, the consequences of such refusal are explained;
– publish or otherwise provide unrestricted access to the document that determines its policy regarding the processing of personal data, information on the current requirements for the protection of personal data;
– take the necessary legal, organizational and technical measures or ensure their acceptance to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions in respect of personal data;
– to give answers to inquiries and appeals of subjects of personal data, their representatives and authorized body for protection of the rights of subjects of personal data.