Personal data processing agreement

  1. General provisions
    1.1. This personal data processing policy (hereinafter – the Policy) has been developed in accordance with paragraph 2 of Article 18.1 of the Federal Law “On Personal Data” No. 152-FZ dated July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data, and it applies to all personal data (hereinafter – data) that the Organization (hereinafter – the Operator, the Company) can receive from a personal data subject being a party of a civil law contract, from an Internet user (hereinafter – the User) when he uses any of the sites, services, offices, programs, products or services on this site, as well as from a personal data subject being in relations with the Operator regulated by labor law (hereinafter – the Employee).
    1.2. The Operator protects processed personal data from unauthorized access and disclosure, unlawful use or loss in accordance with the requirements of the Federal Law “On Personal Data” No. 152-FZ dated July 27, 2006.
    1.3. The Operator is entitled to amend this Policy. When the Policy is amended, the date of the last revision is indicated in the heading of the Policy. A new revision of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by the new revision of the Policy.
  2. Terms and abbreviations used
    Personal data – any information that is related to a directly or indirectly defined or definable individual (personal data subject).
    Personal data processing – any action (operation) or a series of actions (operations) performed with or without the use of means of automation with personal data including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
    Automated personal data processing – personal data processing with the use of computer equipment.
    Personal data information system (PDIS) – the entirety of personal data contained in databases and the information technologies and technical means ensuring its processing.
    Personal data made publicly available by the personal data subject – personal data disclosed to an indefinite group of persons by the personal data subject or at his request.
    Blocking of personal data – temporary cessation of personal data processing (except where processing is necessary to specify personal data).
    Destruction of personal data – actions resulting in the impossibility to restore the contents of personal data in the personal data information system and (or) in the destruction of personal data physical storage media.
    Operator – an organization that independently or jointly with other persons arranges the processing of personal data as well as defines the purposes of processing of personal data to be processed, actions (operations) performed with personal data.
  3. Personal data processing
    3.1. Personal data receiving.
    3.1.1. All personal data should be received from the subject himself. If personal data of the subject can be received only from a third party, then the subject must be accordingly notified or his consent must be obtained.
    3.1.2. The operator must inform the subject about the purposes, potential sources and methods of obtaining personal data, the nature of personal data to be obtained, the list of actions with personal data, the period of consent validity and the procedure for its withdrawal, as well as the consequences of the subject’s refusal to give written consent to its obtaining.
    3.1.3. Documents containing personal data are created by:
    – copying of original documents (passport, academic certificate, taxpayer identification number certificate, pension certificate, etc.);
    – entering information into registration forms;
    – obtaining originals of necessary documents (employment book, medical assessment report, letter of recommendation, etc.).
    3.2. Personal data processing.
    3.2.1. Personal data processing is carried out:
    – with consent of personal data subject to the processing of his personal data;
    – when personal data processing is necessary for implementing and exercising the functions, powers and duties imposed by the legislation of the Russian Federation;
    – in case of processing of personal data that is disclosed to indefinite group of persons by personal data subject or at his request (hereinafter – personal data made publicly available by personal data subject).
    3.2.2. Purposes of personal data processing:
    – exercising of labor relations;
    – exercising of civil-law relations;
    – for communication with user, in connection with filling out feedback form on the site, including sending notifications, requests and information regarding the use of the site of the shop, processing, coordinating orders and their delivery, performance of agreements and contracts;
    – personal data depersonalization in order to obtain depersonalized statistical data that are transferred to a third party for analysis, performance of work or provision of services on behalf of the shop.
    3.2.3. Categories of personal data subjects.
    Personal data of the following personal data subjects is processed:
    – individuals being in labor relations with the Company;
    – individuals who have quit the Company;
    – individuals being applicants for a job;
    – individuals being in civil-law relations with the Company;
    – individuals being the Users of the Site of the Shop.
    3.2.4. Personal data processed by the Operator:
    – data obtained when exercising labor relations;
    – data obtained for selection of job applicants;
    – data obtained when exercising civil-law relations;
    – data obtained from the Users of the Site of the Shop.
    3.2.5. Personal data processing is performed:
    – with the use of automation means;
    – without the use of automation means.
    3.3. Personal data storage.
    3.3.1. Personal data of subjects can be obtained, further processed and transferred to storage both in paper and in electronic form.
    3.3.2. Personal data recorded in paper form is stored in locked cabinets or in locked rooms with limited access rights.
    3.3.3. Subjects’ personal data processed using automation means for different purposes is stored in different folders.
    3.3.4. It is not allowed to store and place documents containing personal data in open electronic catalogs (file sharing services) in PDIS.
    3.3.5. Personal data is stored in a form that makes it possible to determine personal data subject no longer than it is required by processing purposes, and it is subject to destruction upon achievement of processing purposes or in case when it is no longer required to achieve them.
    3.4. Personal data destruction.
    3.4.1. Destruction of documents (carriers) containing personal data is carried out by burning, chopping (shredding), chemical decomposition, transformation into a shapeless mass or powder. It is allowed to use a shredder for the destruction of paper documents.
    3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.
    3.4.3. The fact of personal data destruction is documented by a media destruction statement.
    3.5. Personal data transfer.
    3.5.1. The operator transfers personal data to third parties in the following cases:
    – the subject has expressed his consent to such actions;
    – the transfer is provided for by Russian or other applicable legislation within the procedure established under legislation.
    3.5.2. List of entities to which personal data is transferred:
    – Pension Fund of the RF for accounting (legitimately);
    – tax authorities of the RF (legitimately);
    – Social Insurance Fund of the RF (legitimately);
    – Territorial Fund of Compulsory Medical Insurance (legitimately);
    – health insurance organization for compulsory and voluntary health insurance (legitimately);
    – payroll accounting banks (pursuant to an agreement);
    – authorities of the RF Ministry of Internal Affairs as stipulated by legislation;
    – depersonalized personal data of the Users of online shop website is transferred to the counterparties of the Shop.
  4. Personal data protection
    4.1. In accordance with the requirements of regulatory documents, the Operator has developed a personal data protection system (PDPS), consisting of subsystems for legal, organizational and technical protection.
    4.2. The subsystem of legal protection is a set of legal, organizational/administrative and regulatory documents that ensure the creation, functioning and improvement of the PDPS.
    4.3. The subsystem of organizational protection includes the organization of PDPS management structure, authorization system, information protection when working with employees, partners and third parties.
    4.4. The subsystem of technical protection includes a set of technical, software, software/hardware means that ensure personal data protection.
    4.5. The main measures of personal data protection applied by the Operator are as follows:
    4.5.1. Assigning a person responsible for personal data processing who arranges personal data processing, training and briefing, internal control of the organization and its employees’ compliance with the requirements of personal data protection.
    4.5.2. Identification of immediate threats to personal data security during its processing in PDIS and development of procedures and measures on personal data protection.
    4.5.3. Development of policy regarding the processing of personal data.
    4.5.4. Establishing rules for accessing personal data processed in PDIS as well as ensuring registration and accounting of all actions performed with personal data in PDIS.
    4.5.5. Creation of individual passwords for employees’ access to the information system in accordance with their job duties.
    4.5.6. Use of information protection means that passed a procedure of conformity assessment in due order.
    4.5.7. Certified anti-virus software with regularly updated databases.
    4.5.8. Compliance with the conditions ensuring the safety of personal data and excluding unauthorized access to it.
    4.5.9. Detection of facts of unauthorized access to personal data and taking measures in response.
    4.5.10. Recovery of personal data modified or destroyed due to unauthorized access to it.
    4.5.11. Training of the Operator’s employees directly involved in the processing of personal data on the provisions of the RF legislation on personal data including the requirements to personal data protection, documents defining the Operator’s policy regarding the processing of personal data, local acts on personal data processing.
    4.5.12. Internal control and audit.
  5. Basic rights of a personal data subject and the Operator’s obligations
    5.1. Basic rights of personal data subject.
    A subject has the right to access his personal data and the following information:
    – confirmation of the fact of personal data processing by the Operator;
    – legal grounds and purposes of personal data processing;
    – the purposes and methods of personal data processing used by the Operator;
    – name and location of the Operator, information about persons (with the exception of the Operator’s employees) who have access to personal data or who can receive personal data based on agreement with the Operator or federal law;
    – terms of personal data processing, including the terms of its storage;
    – the procedure for exercising by personal data subject of the rights provided for by the Federal Law;
    – name or last name, first name, patronymic and address of a person processing personal data on behalf of the Operator, if the processing has been entrusted or is going to be entrusted to such a person;
    – contacting the Operator and sending him the requests;
    – appeal against actions or failure to act of the Operator.
    5.2. The Operator’s obligations.
    The Operator is obliged:
    – to provide information on personal data processing when collecting personal data;
    – to notify the subject if personal data was received not from personal data subject;
    – to explain to the subject the consequences of refusal to provide personal data;
    – to publish or in any other way provide unrestricted access to the document defining his policy in relation to personal data processing, to information on the implemented requirements for personal data protection;
    – to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions with respect to personal data;
    – to respond to inquiries and requests from personal data subjects, their representatives and authorized body providing the protection of the rights of personal data subjects.