1.General Provisions
1.1. Purpose of the Policy
1.1.1. This Policy regarding the processing of personal data in «Keysystems» LLC (hereinafter - the Policy) is developed in accordance with the Federal Law of July 27, 2006 No. 152-FZ «On Personal Data».
1.1.2. The Policy comes into force from the moment of its approval by the General Director of «Keysystems» LLC.
1.1.3. The Policy is subject to revision in the course of periodic analysis by the management of «Keysystems» LLC (hereinafter referred to as the Company), as well as in cases of changes in the legislation of the Russian Federation in the field of personal data.
1.1.4.The Policy shall be published on the Company's official website.
1.2. Objectives of the Policy
1.2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of personal data subjects during the processing of their personal data by the Company.
1.3. Basic Concepts
1.3.1. For the purposes of the Policy, the following terms are used:
personal data — any information relating to a directly or indirectly identified or identifiable natural person (personal data subject);
operator —state authority, municipal authority, legal or natural person, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;
personal data authorized by the subject of personal data for dissemination — personal data, access to which is granted to an unlimited number of persons by the subject of personal data by giving consent to the processing of personal data, authorized by the subject of personal data for dissemination in the manner prescribed by the Federal Law «On Personal Data»;
personal data subject — A natural person who is directly or indirectly identified or identifiable through the use of personal data;
operator — state authority, municipal authority, legal or natural person, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;
processing of personal data — any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of personal data;
automated processing of personal data — processing of personal data by means of computing equipment;
dissemination of personal data — actions aimed at disclosure of personal data to an indefinite number of persons;
provision of personal data — actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
blocking of personal data — temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
destruction of personal data — actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
personal data information system — the totality of personal data contained in databases and information technologies and technical means ensuring their processing;
data privacy — a mandatory requirement for a person who has access to certain information not to disclose such information to third parties without the consent of its owner;
cross-border transfer of personal data — transfer of personal data to the territory of a foreign country to an authority of a foreign country, a foreign natural person or a foreign legal entity;
threats to personal data security — a set of conditions and factors that create a risk of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions during their processing in the information system of personal data;
level of personal data protection — a complex indicator characterizing the requirements, the fulfillment of which ensures the neutralization of certain threats to personal data security during their processing in personal data information systems.
1.4. Scope
1.4.1. The provisions of the Policy apply to all relations related to the processing of personal data carried out by the Company:
— with the use of automation tools, including in information and telecommunication networks, or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools, that is, it allows to carry out in accordance with a given algorithm, search for personal data recorded on a tangible medium and contained in file cabinets or other systematized collections of personal data, and (or) access to such personal data;
— without the use of automation.
1.4.2. The policy applies to all employees of the Company.
2. Purposes of personal data processing
2.1. Personal data processing is carried out by the Company for the following purposes:
— fulfilling the requirements of the labor legislation of the Russian Federation; maintaining personnel and military records; organizing preliminary and periodic medical examinations for employees; organizing personalized registration of employees in the mandatory pension insurance system; keeping records of students undergoing internships; implementing a loyalty program; issuing corporate SIM cards; keeping accounting records and preparing financial statements; conducting contractual relations; keeping records of the Company's employees; maintaining accounting records; preparing financial statements; maintaining accounting records of the Company's employees.
— software development and provision of services in the field of software supply; provision of consulting support to software users; conducting training courses; fulfillment of contracts and agreements; maintenance of the official website; realization of other statutory tasks.
3. Legal basis for processing personal data
3.1. The following regulatory acts and documents shall be the basis for personal data processing in the Company:
— Constitution of the Russian Federation;
— Civil Code of the Russian Federation;
— Labor Code of the Russian Federation;
— Tax Code of the Russian Federation;
— Federal Law of 06.12.2011 No. 402-FZ «On Accounting»;
— Federal Law No. 353-FZ «On Consumer Credit (Loan)» dated 21.12.2013;
— Federal Law of 29.12.2012 No. 273-FZ «On Education in the Russian Federation»;
— Federal Law of 29.12.2006 No. 255-FZ «On Compulsory Social Insurance for Temporary Inability to Work and in Connection with Maternity»;
— Federal Law No. 223-FZ dated 18.07.2011 «On Procurement of Goods, Works and Services by Certain Types of Legal Entities»;
— Federal Law of 24.11.1995 No. 181-FZ «On Social Protection of Disabled Persons in the Russian Federation»;
— Federal Law of 17.12.2001 No. 173-FZ «On Labor Pensions in the Russian Federation»;
— Federal Law of 15.12.2001 No. 167-FZ «On Compulsory Pension Insurance in the Russian Federation»;
— Federal Law of 15.12.2001 No. 166-FZ «On State Pension Provision in the Russian Federation»;
— Federal Law of 16.07.1999 No. 165-FZ «On the Fundamentals of Compulsory Social Insurance»;
— Federal Law of 06.04.2011 No. 63-FZ «On Electronic Signature»;
— Federal Law of 28.03.1998 No. 53-FZ «On Military Duty and Military Service»;
— Federal Law No. 44-FZ dated 05.04.2013 «On Contract System in the Sphere of Procurement of Goods, Works and Services for State and Municipal Needs»;
— Federal Law of 26.02.1997 No. 31-FZ «On mobilization preparation and mobilization in the Russian Federation»;
— Federal Law of 01.04.1996 No. 27-FZ «On individual (personified) accounting in the system of compulsory pension insurance»;
— The Charter of Limited Liability Company «Keysystems», approved by Minutes No. 50 of the general meeting of participants dated 25.12.2015;
— Contracts concluded between the operator and the subject of personal data;
— Consents of personal data subjects to the processing of personal data.
3.2. In cases not expressly provided for by the legislation of the Russian Federation but corresponding to the Company's powers, personal data processing shall be carried out with the consent of the personal data subject to the processing of his/her personal data.
3.3. Processing of personal data shall be terminated upon reorganization or liquidation of the Company.
4. Scope and categories of processed personal data, categories of personal data subjects
4.1. In accordance with the purposes of personal data processing specified in clause 2 of this Policy, the Company shall process the following categories of personal data subjects:
— employees of «Keysystems» LLC;
— employees of organizations that are members of the «Keysystems» Group of Companies;
— close relatives of «Keysystems» LLC employees;
— close relatives of employees of organizations that are members of the «Keysystems» Group of Companies;
— persons having civil legal relations with «Keysystems» LLC;
— persons who have civil legal relations with organizations of the «Keysystems» Group of Companies;
— dismissed employees of «Keysystems» LLC;
— dismissed employees of organizations belonging to the «Keysystems» Group of Companies;
— close relatives of dismissed employees of «Keysystems» LLC;
— close relatives of dismissed employees of organizations belonging to the «Keysystems»Group of Companies;
— counterparties (representatives of counterparties and individual entrepreneurs);
— partner representatives;
— borrowers;
— internship students;
— persons who have filled in the feedback form and (or) registered on the Self-Service Portal of the website of «Keysystems» LLC, forum users;
— site visitors;
— mobile app users;
— persons taking refresher courses;
— listeners of the courses conducted by «Keysystems» LLC;
— persons to whom an electronic digital signature has been issued.
4.2. In accordance with the purposes of personal data processing specified in clause 2 of this Policy, the Company shall process the following personal data:
4.2.1. Employees of «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— date of registration at the place of residence;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to education document;
— information on postgraduate professional education;
— profession;
— position;
— employment contract details;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— information about the dismissal;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— the amount of the salary;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— requisites of orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— hire date;
— field of study or specialty;
— details of the power of attorney;
— information about bonus points under the loyalty program;
— information about the availability of the vehicle;
— the term of the power of attorney;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.2. Employees of organizations that are part of the «Keysystems» group of companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— Gender;
— nationality;
— registration address;
— residential address;
— date of registration at the place of residence;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of employment;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— requisites of orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— information on bonus points under the loyalty program;
— the term of the power of attorney;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.3. Close relatives of «Keysystems» LLC employees:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability details;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.4. Close relatives of employees of organizations belonging to the «Keysystems» Group of Companies:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability details;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.5. Persons having civil legal relations with «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo;
— details of the power of attorney;
— power of attorney validity period;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.6. Persons who have civil legal relations with organizations belonging to the «Keysystems» Group of Companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo;
— details of the power of attorney;
— power of attorney validity period;
— employee status;
— processing condition;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.7. Fired employees of «Keysystems» LLC:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— validity period of the power of attorney;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.8. Fired employees of organizations that are part of the «Keysystems» group of companies:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— residential address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— details of the education document;
— educational background;
— qualification according to the education document;
— information on postgraduate professional education;
— profession;
— position;
— details of the employment contract;
— nature, type of work;
— place of work;
— structural unit;
— length of service;
— employment history;
— marital status;
— information on family members;
— information about the children;
— information on military registration;
— employment record book information;
— information on hiring and transfers to other positions;
— dismissal information;
— the basis for termination of the employment contract (dismissal);
— information on professional development;
— information on professional retraining;
— report card number;
— information on awards (incentives);
— information on honorary titles;
— information on social benefits;
— e-mail address;
— salary amount;
— information specified in the writs of execution;
— the information specified in the bailiff's order;
— the information specified in the court order;
— vacation data;
— business travel data;
— information on income, taxes, insurance premiums;
— information on foreign language proficiency;
— photo;
— information contained in the orders;
— disability information;
— criminal record;
— the details of the disability certificate;
— field of study or specialty;
— details of the power of attorney;
— validity period of the power of attorney;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.9. Close relatives of the dismissed employees of «Keysystems» LLC:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability information;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.10. Close relatives of dismissed employees of organizations belonging to the «Keysystems» Group of Companies:
— full name;
— date of birth;
— place of birth;
— place of study;
— degree of kinship;
— information specified in the writs of execution;
— form of education;
— course;
— information specified in the certificate of state registration of an act of civil status;
— disability information;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.11. Counterparties (representatives of counterparties and individual entrepreneurs):
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— position;
— place of work;
— structural unit;
— e-mail address;
— payment amount;
— essence of application;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.12. Partner Representatives:
— full name;
— name change information;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— position;
— place of work;
— structural unit;
— e-mail address;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.13. Borrowers:
— full name;
— date of birth;
— place of birth;
— nationality;
— registration address;
— contact numbers;
— identity document details;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— the interest rate on the loan;
— loan information;
— information required to obtain a loan for the purchase of secondary housing and housing in a house under construction (if a loan is obtained);
— loan term;
— loan amount;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.14. Internship students:
— full name;
— date of birth;
— educational background;
— place of study;
— form of education;
— course;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.15. Persons who have filled in the feedback form and (or) registered on the Self-Service Portal of the website of «Keysystems» LLC, forum users:
— full name;
— contact numbers;
— position;
— place of work;
— structural unit;
— e-mail address;
— information contained in the message.
4.2.16. Site visitors:
— metric data.
4.2.17. Mobile app users:
— full name;
— contact numbers;
— position;
— place of work;
— e-mail address;
— photo.
4.2.18. Persons taking refresher courses:
— full name;
— name change information;
— contact numbers;
— educational background;
— position;
— place of work;
— structural unit;
— e-mail address;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.19. Attendees of courses conducted by «Keysystems» LLC:
— full name;
— contact numbers;
— place of study;
— e-mail address;
— course;
— field of study or specialty;
— other information strictly necessary to achieve the purposes of personal data processing.
4.2.20. Persons to whom an electronic digital signature has been issued:
— full name;
— date of birth;
— place of birth;
— gender;
— nationality;
— registration address;
— contact numbers;
— details of the identity document;
— name of the authority that issued the identity document;
— date of issue of the identity document;
— bank details;
— ITN (TIN);
— SNILS;
— position;
— place of work;
— structural unit;
— e-mail address;
— photo.
5. Procedure and conditions of personal data processing
5.1. Principles of personal data processing
Personal data processing shall be carried out by the Company in accordance with the following principles:
— processing of personal data is carried out on a lawful and fair basis;
— processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes; processing of personal data incompatible with the purposes of personal data collection is not allowed;
— it is not allowed to merge databases containing personal data processed for incompatible purposes;
— only personal data that meet the purposes of their processing are subject to processing;
— the content and scope of processed personal data correspond to the declared purposes of processing; processed personal data are not redundant in relation to the declared purposes of their processing;
— when processing personal data, the accuracy of personal data, their sufficiency and, where necessary, relevance to the purposes of personal data processing shall be ensured; the Company shall take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data;
— personal data shall be stored in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the period of personal data storage is stipulated by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor; processed personal data shall be destroyed upon achievement of the processing purposes or in case of loss of necessity to achieve these purposes, unless otherwise stipulated by federal law.
5.2. Conditions of personal data processing
The conditions for processing personal data other than obtaining the personal data subject's consent to the processing of his/her personal data are alternative.
5.2.1. Conditions for processing of special categories of personal data
Processing of special categories of personal data shall be carried out by the Company subject to the following conditions:
— personal data processing is carried out in accordance with the legislation on state social assistance, labor legislation, pension legislation of the Russian Federation;
— the personal data subject has consented in writing to the processing of his/her personal data.
5.2.2. Conditions for processing biometric personal data
Information characterizing physiological and biological features of a person, on the basis of which his/her identity can be established (biometric personal data) and which is used by the Company to establish the identity of the personal data subject, is not processed by the Company.
5.2.3. Conditions for processing other categories of personal data
Other categories of personal data shall be processed by the Company subject to the following conditions:
— processing of personal data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or law, to perform and fulfill the functions, powers and duties assigned to the Company by the legislation of the Russian Federation;
— personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data;
— processing of personal data is necessary for the execution of a contract to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor.
5.2.4. Conditions for processing personal data authorized by the subject of personal data for dissemination
Processing of personal data authorized by the subject of personal data for dissemination is carried out.
5.2.5. Assignment of personal data processing
5.2.5.1. The Company shall have the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided for by federal law, on the basis of an agreement concluded with such person, including a state or municipal contract, or through the adoption of a relevant act by a state or municipal authority (hereinafter referred to as an assignment).
5.2.5.2. The Company entrusts the processing of the following personal data:
— Public Joint Stock Company «Sberbank of Russia» (address: 19 Vavilova St., Moscow, 117997): Full name; date of birth; registration address; details of the identity document; name of the authority that issued the identity document; date of issue of the identity document; bank details; payment amount; place of birth; ITN (TIN); SNILS; loan amount;
— Public Joint Stock Company «VTB Bank» (address: 35, Myasnitskaya Street, Moscow, 101000): Full name; date of birth; registration address; details of the identity document; name of the authority that issued the identity document; date of issue of the identity document; bank details; payment amount; place of birth; ITN (TIN); SNILS; loan amount;
— «Gazprombank» (Joint Stock Company) (address: 16, bldg. 1, Nametkina St., Moscow, 117420): Full name; date of birth; place of birth; registration address; details of the identity document; name of the body that issued the identity document; date of issue of the identity document; ITN (TIN); SNILS; loan amount;
— Open Joint Stock Company Insurance Joint Stock Company «ENERGOGARANT» (address: 23 Sadovnicheskaya Nab., Moscow, 115035): Full name; date of birth; registration address; contact telephone numbers; data of the identity document; name of the body that issued the identity document; date of issue of the identity document; place of work; position;
— Public Joint-Stock Company «VimpelCom» (address: 127083, Moscow, 8 Marta str., 10, page 14): Full name; date of birth; contact telephone numbers; registration address; details of the identity document; name of the body that issued the identity document; date of issue of the identity document; SNILS; position;
— Budgetary institution «Republican Narcological Dispensary» of the Ministry of Health of Chuvashia Ministry of Health of Chuvashia (address: 6 Pirogova St., Cheboksary, 428015, Chuvash Republic): Full name; date of birth; gender; place of work; structural subdivision; position;
— Public institution «Republican Psychiatric Hospital» of the Ministry of Health and Social Development of Chuvashia (address: 6 Pirogova Street, Cheboksary, 428015, Chuvash Republic): Full name; date of birth; gender; place of work; structural unit; position;
— Budgetary institution «City Clinical Hospital No. 1» of the Ministry of Health of Chuvashia Ministry of Health of Chuvashia (address: 46, Tractorostroiteley Ave., Cheboksary, 428028, Chuvash Republic): Full name; date of birth; gender; place of work; structural subdivision; position;
— Budgetary institution «First Cheboksary hospital named after P.N. Osipov» of the Ministry of Health of Chuvashia (address: 14 Konstantina Ivanova St., Cheboksary, 428018, Chuvash Republic): Full name; date of birth; gender; place of work; structural unit; position.
5.2.5.3. A person processing personal data on behalf of the Company shall comply with the principles and rules of personal data processing stipulated by this Policy. The Company's instruction specifies the list of actions (operations) with personal data to be performed by the person processing personal data, methods and purposes of processing, establishes the obligation of such person to maintain confidentiality of personal data and ensure security of personal data during their processing, as well as specifies the requirements for protection of processed personal data.
5.2.5.4. When personal data processing is entrusted to another person, the Company shall be liable to the subject of personal data for the actions of such person. The person who processes personal data on behalf of the Company shall be liable to the Company.
5.2.6. Transfer of personal data
5.2.6.1. The Company shall have the right to transfer personal data to the bodies of inquiry and investigation, other authorized bodies on the grounds provided for by the current legislation of the Russian Federation.
5.3. Confidentiality of personal data
5.3.1. The Company's employees who have access to personal data shall not disclose to third parties or disseminate personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.
5.4. Publicly available sources of personal data
5.4.1. The Company shall create publicly available sources of personal data for information support purposes. Personal data shall be included in publicly available sources on the basis of the personal data subject's consent to the processing of personal data authorized by the personal data subject for dissemination or for the purpose of performing functions, powers and duties assigned by the legislation of the Russian Federation to federal executive authorities, executive authorities of constituent entities of the Russian Federation, local self-government bodies. Information about the subject of personal data shall be excluded from publicly available sources of personal data at the request of the subject of personal data or by decision of the court or other authorized state bodies.
5.4.2. The following information is included in the publicly available sources of personal data:
5.4.2.1. Employees of «Keysystems» LLC:
— full name;
— contact numbers;
— educational background;
— position;
— place of work;
— structural unit;
— employment history;
— e-mail address;
— photo.
5.5. Consent of the personal data subject to the processing of his/her personal data
5.5.1. If it is necessary to ensure the conditions of processing of personal data of the subject, the consent of the subject of personal data to the processing of his/her personal data may be provided.
5.5.2. The personal data subject decides to provide his/her personal data and consents to its processing freely, of his/her own free will and in his/her own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data may be given by the subject of personal data or his/her representative in any form allowing to confirm the fact of its receipt, unless otherwise established by federal law. In case of obtaining consent to personal data processing from the representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject shall be verified by the Company.
5.5.3. Consent to the processing of personal data may be withdrawn by the subject of personal data. If the subject of personal data withdraws consent to personal data processing, the Company shall have the right to continue processing personal data without the consent of the subject of personal data if alternative conditions of personal data processing are met.
5.5.4. The obligation to provide proof of obtaining the personal data subject's consent to the processing of his/her personal data or proof of fulfillment of alternative conditions of personal data processing shall be imposed on the Company.
5.5.5. In cases stipulated by the federal law, personal data processing is carried out only with the consent in writing of the personal data subject. The consent in the form of an electronic document signed in accordance with the federal law with an electronic signature shall be recognized as equal to the consent in writing on paper containing the handwritten signature of the personal data subject. The written consent of the personal data subject to the processing of his/her personal data shall include, in particular:
1) surname, name, patronymic, address of the personal data subject, number of the main personal identification document, information on the date of issue of the said document and the issuing authority;
2) surname, name, patronymic, address of the representative of the personal data subject, number of the main personal identification document, information on the date of issue of the said document and issuing authority, details of the power of attorney or other document confirming the powers of this representative (in case of obtaining consent from the representative of the personal data subject);
3) the name or surname, first name, patronymic and address of the Company;
4) purpose of personal data processing;
5) list of personal data, for the processing of which the consent of the subject of personal data is given;
6) the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company, if the processing will be entrusted to such person;
7) list of actions with personal data for which consent is given, general description of the methods of personal data processing used by the Company;
8) the period during which the consent of the personal data subject is valid, as well as the method of its revocation, unless otherwise provided for by the federal law;
9) signature of the personal data subject.
5.5.6. In case of incapacity of the personal data subject, the consent to the processing of his/her personal data shall be given by the legal representative of the personal data subject.
5.5.7. In case of death of the personal data subject, consent to the processing of his/her personal data shall be given by the heirs of the personal data subject, if such consent was not given by the personal data subject during his/her lifetime.
5.5.8. Personal data may be obtained by the Company from a person who is not the subject of personal data, provided that the Company is provided with a confirmation of the availability of alternative conditions for processing the information.
5.5.9. Trans-border transfer of personal data
5.5.10. The Company performs trans-border transfer of personal data of personal data subjects if the personal data subject gives his/her consent. Information on the purpose of trans-border transfer, name and location of persons to whom personal data are transferred, volume of transferred personal data and other information on trans-border transfer is approved by the Company's local act.
5.6. Cross-border transfer of personal data
5.6.1. The Company does not transfer personal data across borders.
5.7. Peculiarities of processing personal data authorized by the subject of personal data for dissemination.
5.7.1. Processing of personal data authorized by the subject of personal data for dissemination is carried out on the basis of the relevant consent of the subject of personal data.
5.7.2. Consent to the processing of personal data authorized by the personal data subject for dissemination is executed separately from other consents of the personal data subject to the processing of his/her personal data.
5.7.3. The consent contains a list of personal data for each category of personal data specified in the consent to the processing of personal data, authorized by the personal data subject for dissemination.
5.7.4. Consent to the processing of personal data authorized by the personal data subject for dissemination shall be provided directly to the Company.
5.7.5. Silence or inaction of the personal data subject shall not be considered consent to the processing of personal data authorized by the personal data subject for dissemination.
5.7.6. In the consent to the processing of personal data authorized by the subject of personal data for dissemination, the subject of personal data has the right to establish prohibitions on the transfer (except for granting access) of such personal data by the Company to an unlimited number of persons, as well as prohibitions on processing or conditions of processing (except for obtaining access) of such personal data by an unlimited number of persons. The Company's refusal to establish by the subject of personal data the prohibitions and conditions stipulated by Article 9 of the Federal Law «On Personal Data» is not allowed.
5.7.7. The prohibitions established by the personal data subject on the transfer (except for granting access), as well as on the processing or conditions of processing (except for obtaining access) of personal data authorized by the personal data subject for dissemination shall not apply to cases of personal data processing in the state, public and other public interests defined by the legislation of the Russian Federation.
5.7.8. The transfer (dissemination, provision, access) of personal data authorized by the subject of personal data for dissemination shall be stopped at any time at the request of the subject of personal data. This request must include the surname, first name, patronymic (if any), contact information (telephone number, e-mail address or postal address) of the personal data subject, as well as a list of personal data whose processing is to be stopped. The personal data specified in this request may be processed only by the operator to whom it is sent.
5.7.9. The validity of the personal data subject's consent to the processing of personal data authorized by the personal data subject for dissemination shall be terminated from the moment the Company receives the relevant request.
5.7.10. The requirements specified above shall not apply in case of personal data processing for the purpose of fulfillment of functions, powers and duties assigned by the legislation of the Russian Federation to federal executive authorities, executive authorities of constituent entities of the Russian Federation, local self-government bodies.
5.8. Processing of personal data carried out without the use of automation tools
5.8.1. General conditions
5.8.1.1. Processing of personal data contained in the personal data information system or extracted from such system is considered to be performed without the use of automation (non-automated), if such actions with personal data, such as the use, clarification, distribution, destruction of personal data in respect of each of the subjects of personal data, are carried out with the direct participation of a person.
5.8.2. Peculiarities of organization of personal data processing carried out without the use of means of automation
5.8.2.1. Personal data, when processed without the use of automation, shall be separated from other information, in particular, by fixing them on separate material carriers of personal data (hereinafter - material carriers), in special sections or in the fields of forms (blanks).
5.8.2.2. When fixing personal data on a tangible medium, it is not allowed to fix on one tangible medium personal data, the purposes of processing of which are obviously incompatible. For the processing of different categories of personal data carried out without the use of means of automation, a separate tangible medium shall be used for each category of personal data.
5.8.2.3. Persons processing personal data without the use of automation (including the Company's employees or persons performing such processing under a contract with the Company) have been informed of the fact that they are processing personal data processed by the Company without the use of automation, the categories of personal data processed, as well as the peculiarities and rules of such processing established by regulatory legal acts of federal executive authorities, bodies of executive power, as well as the Company's employees and persons performing such processing under a contract with the Company.
5.8.2.4. When using standard forms of documents, the nature of information in which presupposes or allows the inclusion of personal data (hereinafter - standard form), the following conditions shall be observed:
a) the standard form or related documents (instructions for its completion, cards, registers and journals) contain information on the purpose of personal data processing carried out without the use of automation, the name and address of the Company, the name, surname, first name, patronymic and address of the personal data subject, the source of personal data receipt, the terms of personal data processing, the list of actions with personal data to be performed in the process of their processing, a general description of the methods of personal data processing used by the Company.
b) the standard form provides for a field in which the personal data subject can put a mark on his/her consent to the processing of personal data carried out without the use of automation means - if it is necessary to obtain a written consent to the processing of personal data;
c) the standard form shall be compiled in such a way that each of the personal data subjects contained in the document has the possibility to familiarize with his/her personal data contained in the document, without violating the rights and legitimate interests of other personal data subjects;
d) the standard form excludes combining fields intended for entering personal data whose processing purposes are obviously incompatible.
5.8.2.5. The following conditions shall be observed when keeping journals (registers, books) containing personal data required for a single entry of a personal data subject to the territory where the Company is located or for other similar purposes:
a) the necessity to keep such journal (register, book) is stipulated by the Company's act, containing information on the purpose of personal data processing carried out without the use of automation, methods of recording and composition of information requested from personal data subjects, list of persons (by name or position) having access to material carriers and responsible for keeping and safekeeping of the journal (register, book), terms of personal data processing, as well as information on the procedure of personal data subject's access to the territory, to which the personal data subject is allowed to enter the territory of the Company, to which the personal data subject is not allowed to enter.
b) copying of information contained in such journals (registers, books) is not allowed;
c) personal data of each personal data subject may be entered into such journal (book, register) not more than once in each case of personal data subject's access to the territory where the Company is located.
5.8.2.6. In case of incompatibility of the purposes of personal data processing recorded on one material medium, if the material medium does not allow processing of personal data separately from other personal data recorded on the same medium, measures shall be taken to ensure separate processing of personal data, in particular:
a) if it is necessary to use or disseminate certain personal data separately from other personal data on the same material medium, the personal data subject to dissemination or use shall be copied in a way that excludes simultaneous copying of personal data not subject to dissemination and use, and a copy of the personal data shall be used (disseminated);
b) if it is necessary to destroy or block a part of personal data, the material carrier shall be destroyed or blocked with preliminary copying of data not subject to destruction or blocking in a way that excludes simultaneous copying of personal data subject to destruction or blocking.
5.8.2.7. Destruction of a part of personal data, if it is allowed by the material medium, may be carried out in a way that excludes further processing of these personal data, while preserving the possibility of processing other data recorded on the material medium (deletion, erasure). These rules are also applied in case it is necessary to ensure separate processing of personal data recorded on one material medium and information that is not personal data.
5.8.2.8. Clarification of personal data during their processing without the use of means of automation is performed by updating or changing the data on a tangible medium, and if this is not allowed by the technical features of the tangible medium - by fixing on the same tangible medium information about the changes made in them or by producing a new tangible medium with the clarified personal data.
5.8.3. Measures to ensure the security of personal data during their processing carried out without the use of means of automation
5.8.3.1. Processing of personal data carried out without the use of means of automation is carried out in such a way that in respect of each category of personal data it is possible to determine the places of storage of personal data (material carriers) and to establish a list of persons processing personal data or having access to them.
5.8.3.2. Separate storage of personal data (material carriers) processed for different purposes is ensured.
5.8.3.3. When storing tangible media, the conditions ensuring the safety of personal data and excluding unauthorized access to them shall be observed. The list of measures necessary to ensure such conditions, the procedure for taking them, as well as the list of persons responsible for the implementation of these measures shall be established by the Company.
5.9. Metric data processing
5.9.1. General conditions
5.9.1.1. The following web analytics tools are used on the Company's website: Yandex.Metrica. Web analytics tools are used to analyze the use of the Company's website and improve its performance.
5.9.1.2. The processing of cookies by the Operator is generalized and never correlates with personal information of Users.
5.9.1.3. A warning is displayed on the Company's website informing users about the processing of metric data.
5.9.1.4. When visiting the site, the User gives consent to the Operator to process the specified data using metric services to analyze the use, measure and improve the level of performance of the Operator's site. The consent is valid from the moment of its provision and during the entire period of the User's use of the site.
5.9.1.5. In case of refusal to process cookies, the User should stop using the Operator's website or disable the use of cookies in the browser settings, and some functions of the Operator's website may become unavailable.
6. Updating, correction, deletion and destruction of personal data, responding to the subjects' requests for access to personal data
6.1. Rights of personal data subjects
6.1.1. The right of the personal data subject to access his/her personal data
6.1.1.1. The subject of personal data has the right to receive information (hereinafter - information requested by the subject) concerning the processing of his/her personal data, including information containing:
1) confirmation of the fact of personal data processing by the Company;
2) legal grounds and purposes of personal data processing;
3) the purposes and methods of personal data processing applied by the Company;
4) name and location of the Company, information about persons (except for employees of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Company or on the basis of federal law;
5) processed personal data related to the respective personal data subject, the source of their obtaining, unless another procedure for the submission of such data is provided for by the federal law;
6) terms of personal data processing, including the terms of their storage;
7) the procedure for exercising by the subject of personal data the rights provided for by the Federal Law «On Personal Data»;
8) information on realized or suspected cross-border data transfers;
9) the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company, if the processing is or will be entrusted to such person;
10) other information stipulated by the Federal Law «On Personal Data» or other federal laws.
6.1.1.2. The personal data subject has the right to receive the information requested by the data subject, except in the following cases:
— processing of personal data, including personal data obtained as a result of operative-search, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;
— processing of personal data shall be carried out by the authorities that detained the personal data subject on suspicion of committing a crime, or charged the personal data subject in a criminal case, or applied to the personal data subject a preventive measure prior to the indictment, except for cases provided for by the criminal procedural legislation of the Russian Federation, if the familiarization of the suspect or accused with such personal data is allowed;
— personal data processing is carried out in accordance with the legislation on combating legalization (laundering) of proceeds of crime and terrorism financing;
— access of the subject of personal data to his/her personal data violates the rights and legitimate interests of third parties;
— processing of personal data is carried out in cases stipulated by the legislation of the Russian Federation on transport security in order to ensure sustainable and safe functioning of the transport complex, to protect the interests of individuals, society and the state in the sphere of the transport complex from acts of unlawful interference.
6.1.1.3. The subject of personal data has the right to demand from the Company to clarify his/her personal data, block or destroy them in case the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures stipulated by law to protect his/her rights.
6.1.1.4. The information requested by the subject shall be provided to the subject of personal data by the Company in an accessible form and shall not contain personal data relating to other subjects of personal data, unless there are legitimate grounds for disclosure of such personal data.
6.1.1.5. The requested information shall be provided to the personal data subject or his/her representative by the Company upon application or upon receipt of the request of the personal data subject or his/her representative. The request shall contain the number of the main identity document of the personal data subject or his/her representative, information on the date of issue of the said document and the issuing authority, information confirming the participation of the personal data subject in relations with the Company (contract number, date of the contract, word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Company, signature of the personal data subject or his/her representative (hereinafter referred to as the requested information). The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the laws of the Russian Federation.
6.1.1.6. In case the information requested by the subject, as well as the processed personal data were provided for familiarization to the personal data subject upon his/her request, the personal data subject has the right to reapply to the Company or send a repeated request in order to obtain the information requested by the subject and familiarization with such personal data not earlier than thirty days (hereinafter referred to as the standard term of the request) after the initial application or sending of the initial request, unless a shorter term is established by the Company or the Company.
6.1.1.7. A personal data subject has the right to reapply to the Company or send a repeated request in order to obtain the information requested by the subject, as well as to familiarize himself/herself with the processed personal data prior to the expiration of the standard term of the request, if such information and (or) processed personal data were not provided to him/her for familiarization in full by the results of consideration of the initial request. The repeated request along with the information necessary for the request shall contain the justification for sending the repeated request.
6.1.1.8. The Company shall have the right to refuse to fulfill a repeated request of a personal data subject that does not comply with the conditions of the repeated request. Such refusal shall be motivated. The Company shall be obliged to provide evidence of the reasonableness of the refusal to fulfill the repeated request.
6.1.2. Rights of personal data subjects when processing their personal data in order to promote goods, works, services on the market, as well as for political agitation purposes
6.1.2.1. Processing of personal data for the purpose of promotion of goods, works, services on the market by means of direct contacts with potential consumers through means of communication, as well as for the purposes of political agitation is carried out precisely subject to the prior consent of the subject of personal data. The said processing of personal data shall be recognized as being carried out without prior consent of the personal data subject, unless the Company proves that such consent was obtained. The Company undertakes to immediately cease the said processing of personal data at the request of the personal data subject.
6.1.3. Rights of personal data subjects when making decisions on the basis of exclusively automated processing of their personal data
6.1.3.1. On the basis of exclusively automated processing of personal data, the Company does not make decisions that give rise to legal consequences in respect of the personal data subject or otherwise affect his/her rights and legitimate interests. /p>
6.1.4. Right to appeal against actions or inaction of the Company
6.1.4.1. If a personal data subject believes that the Company processes his/her personal data in violation of the requirements of the Federal Law «On Personal Data» or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal the Company's actions or omissions to the authorized body for the protection of the rights of personal data subjects or in court.
6.1.4.2. The subject of personal data has the right to protect his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
6.2. Operator obligations
6.2.1. Obligations of the operator when collecting personal data
6.2.1.1. When collecting personal data, the Company shall provide the personal data subject, at his/her request, with the requested information concerning the processing of his/her personal data in accordance with part 7 of Article 14 of the Federal Law «On Personal Data».
6.2.1.2. If the provision of personal data is mandatory in accordance with federal law, the Company shall explain to the subject of personal data the legal consequences of refusal to provide his/her personal data.
6.2.1.3. If personal data are not received from a personal data subject, the Company shall provide the personal data subject with the following information (hereinafter referred to as the information to be communicated upon receipt of personal data not from a personal data subject) prior to the commencement of processing of such personal data:
1) name or surname, name, patronymic and address of the Company or the Company's representative;
2) the purpose of personal data processing and its legal basis;
3) the intended users of the personal data;
4) established by the Federal Law «On Personal Data» the rights of the subject of personal data;
5) the source of obtaining the personal data.
6.2.1.4. The Company shall not provide the subject with the information communicated upon receipt of personal data not from the subject of personal data in cases where:
1) the personal data subject is notified of the processing of his/her personal data by the Company;
2)personal data was obtained by the Company on the basis of federal law or in connection with the execution of an agreement to which the personal data subject is a party, beneficiary or guarantor;
3) processing of personal data authorized by the personal data subject for dissemination shall be carried out in compliance with the prohibitions and conditions stipulated in Article 10.1 of the Federal Law «On Personal Data»;
4) The Company processes personal data for statistical or other research purposes, to carry out professional activities of a journalist or scientific, literary or other creative activities, if the rights and legitimate interests of the subject of personal data are not violated;
5) providing the subject of personal data with information communicated upon receipt of personal data not from the subject of personal data violates the rights and legitimate interests of third parties.
6.2.1.5. When collecting personal data, including through the information and telecommunications network «Internet», the Company shall ensure recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation processed in the following information systems:
6.2.1.5.1. Personal data information system «Buhgalterskij i kadrovyj uchet» using databases located in the following countries:
6.2.1.5.1.1. Russia.
6.2.1.5.2. Personal data information system «Osnovnaya deyatelnost» using databases located on the territory of the following countries:
6.2.1.5.2.1. Russia.
6.2.1.6. The location of the data processing center(s) and information on the organization responsible for data storage is determined by the Company's internal documents.
6.2.2. Measures to ensure that the Company fulfills its obligations
6.2.2.1. The Company shall take measures necessary and sufficient to ensure fulfillment of its duties. The Company shall independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of its duties, unless otherwise provided for by federal laws. Such measures, in particular, include:
1) appointment of the person responsible for the organization of personal data processing;
2) issuing the Policy, local acts on personal data processing issues, as well as local acts establishing procedures aimed at prevention and detection of violations of the legislation of the Russian Federation, elimination of consequences of such violations;
3) application of legal, organizational and technical measures to ensure the security of personal data;
4) internal control and (or) audit of compliance of personal data processing with the personal data protection requirements, Policy, local acts of the Company;
5) assessment of the damage that may be caused to personal data subjects in case of violation of the Federal Law «On Personal Data», the correlation between this damage and the measures taken by the Company to ensure the fulfillment of the obligations stipulated by the Federal Law «On Personal Data»;
6) familiarization of the Company's employees directly involved in personal data processing with the provisions of the Russian Federation legislation on personal data, including personal data protection requirements, documents, Policies, local acts on personal data processing, and (or) training of the said employees.
6.2.3. Measures to ensure the security of personal data during their processing
6.2.3.1. When processing personal data, the Company shall take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data.
6.2.3.2. Ensuring the security of personal data is achieved, in particular:
1) determination of threats to the security of personal data during their processing in personal data information systems;
2) application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet the requirements for personal data protection, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation;
3) using information protection means that have undergone the conformity assessment procedure in accordance with the established procedure;
4) assessment of the effectiveness of the measures taken to ensure personal data security before putting into operation of the personal data information system;
5) taking into account machine-readable personal data carriers;
6) detecting facts of unauthorized access to personal data and taking measures;
7) recovery of personal data modified or destroyed due to unauthorized access to them;
8) establishing the rules of access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system;
9) control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems.
6.2.3.3 The use and storage of biometric personal data outside personal data information systems may be carried out only on such material data carriers and with the use of such storage technology, which ensure the protection of these data from unauthorized or accidental access to them, their destruction, modification, blocking, copying, provision, dissemination.
6.2.4. Obligations of the operator when the personal data subject contacts him or upon receipt of the request of the personal data subject or his representative, as well as of the authorized body for the protection of the rights of personal data subjects
6.2.4.1. The Company shall inform the personal data subject or his/her representative in accordance with the established procedure about the availability of personal data relating to the respective personal data subject, and shall provide an opportunity to familiarize with such personal data upon request of the personal data subject or his/her representative or within thirty days from the date of receipt of the request of the personal data subject or his/her representative.
6.2.4.2. In case of refusal to provide information on the availability of personal data on the respective personal data subject or personal data to the personal data subject or his/her representative upon their application or upon receipt of the request of the personal data subject or his/her representative, the Company shall provide a reasoned response in writing within a period not exceeding thirty days from the date of application of the personal data subject or his/her representative or from the date of receipt of the request of the personal data subject or his/her representative.
6.2.4.3. The Company shall provide free of charge to the subject of personal data or his/her representative the opportunity to familiarize with personal data related to this subject of personal data. Within a period not exceeding seven business days from the date of submission by the subject of personal data or his/her representative of information confirming that the personal data is incomplete, inaccurate or irrelevant, the Company shall make the necessary changes thereto. Within a period not exceeding seven business days from the date of submission by the personal data subject or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the Company shall destroy such personal data. The Company shall notify the subject of personal data or his/her representative of the changes made and measures taken, and shall take reasonable measures to notify third parties to whom the personal data of the subject have been transferred.
6.2.4.4. The Company shall report to the authorized body for the protection of the rights of personal data subjects at the request of this body the necessary information within thirty days from the date of receipt of such request.
6.2.5. Obligations of the operator to eliminate violations of legislation committed during the processing of personal data, to clarify, block and destroy personal data
6.2.5.1. In case of detection of unlawful processing of personal data at the personal data subject's or his/her representative's request or at the request of the personal data subject or his/her representative or the authorized body for the protection of the rights of personal data subjects, the Company shall block the unlawfully processed personal data related to this personal data subject or ensure their blocking (if the personal data processing is carried out by another person acting on behalf of the Company) from the moment of the request of the personal data subject or his/her representative or at their request or at the request of the authorized body for the protection of the rights of personal data subjects. In the event that inaccurate personal data is detected upon request of a personal data subject or his/her representative or at their request or at the request of the authorized body for the protection of the rights of personal data subjects, the Company shall block personal data related to this personal data subject or ensure their blocking (if personal data processing is performed by another person acting on behalf of the Company) from the moment of such request or receipt of the said request for the period of verification, if the blocking is performed by another person acting on behalf of the Company).
6.2.5.2. If the fact of inaccuracy of personal data is confirmed, the Company shall, based on the information submitted by the personal data subject or his/her representative or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, clarify personal data or ensure their clarification (if personal data processing is performed by another person acting on behalf of the Company) within seven working days from the date of submission of such information and remove the blocking of personal data.
6.2.5.3. In the fact of detection of unlawful processing of personal data by the Company or by a person acting on behalf of the Company, the Company shall, within a period not exceeding three business days from the date of such detection, cease unlawful processing of personal data or ensure cessation of unlawful processing of personal data by a person acting on behalf of the Company. If it is impossible to ensure the legality of personal data processing, the Company shall, within a period not exceeding ten business days from the date of detection of unlawful processing of personal data, destroy such personal data or ensure their destruction. The Company shall notify the personal data subject or his/her representative on elimination of the admitted violations or destruction of personal data, and if the personal data subject's or his/her representative's appeal or request of the authorized body for protection of the rights of personal data subjects was sent by the authorized body for protection of the rights of personal data subjects, also the said body.
6.2.5.4. If the purpose of processing personal data is achieved, the Company stops the processing of personal data or ensures its termination (if the processing of personal data is carried out by another person acting on behalf of the Company) and destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Company) of the Company) within a period not exceeding thirty days from the date of achievement of the purpose of processing personal data, unless otherwise provided by the agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Company and the subject of personal data, or if the Company is not entitled to carry out processing of personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law «On Personal Data» or other federal laws.
6.2.5.5. In the event that the subject of personal data withdraws consent to the processing of his personal data, the Company terminates their processing or ensures the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Company) and if the storage of personal data is no longer required for the purposes of processing personal data, destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Company) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by the agreement, the party to which, the beneficiary or the guarantor under which is the subject of personal data, another agreement between the Company and the subject of personal data, or if the Company is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law «On Personal Data» or other federal laws.
6.2.5.6. If it is not possible to destroy personal data within the specified period, the Company shall block such personal data or ensure their blocking (if personal data processing is carried out by another person acting on behalf of the Company) and ensure destruction of personal data within a period not exceeding six months, unless another period is established by federal laws.
6.2.6. Notification of personal data processing
6.2.6.1. The Company, except as provided for by the Federal Law «On Personal Data», shall notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data prior to the commencement of personal data processing.
6.2.6.2. The notification shall be sent in the form of a document on paper or in the form of an electronic document and signed by an authorized person. The notification shall contain the following information:
1) name (surname, first name, patronymic), address of the Company;
2) purpose of personal data processing;
3) categories of personal data;
4) categories of subjects whose personal data are processed;
5) legal basis for the processing of personal data;
6) list of actions with personal data, general description of the methods of personal data processing used by the Company;
7) description of measures, including information on the availability of encryption (cryptographic) means and the names of these means;
8) surname, first name, patronymic of the natural person or name of the legal entity responsible for organizing the processing of personal data and their contact telephone numbers, postal and e-mail addresses;
9) the date of commencement of personal data processing;
10) term or condition for termination of personal data processing;
11) information on the presence or absence of trans-border transfer of personal data in the process of their processing;
12) information on the location of the database of information containing personal data of citizens of the Russian Federation;
13) information on ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation.
6.2.6.3. In case of changes in the above information, as well as in case of termination of personal data processing, the Company shall notify the authorized body for the protection of the rights of personal data subjects within ten working days from the date of occurrence of such changes or from the date of termination of personal data processing.
6.2.7. Notification of transborder transfer of personal data
6.2.7. Notification of transborder transfer of personal data
6.2.7.1. 6.2.7.1 Prior to the commencement of transborder personal data transfer activities, the Company shall notify the authorized body for the protection of the rights of personal data subjects of its intention to perform transborder transfer of personal data.
6.2.7.2. The notification on transborder transfer of personal data shall be sent separately from the notification on processing (intention to process) of personal data provided for by Article 22 of the Federal Law «On Personal Data».
6.2.7.3. The Notification shall be sent in the form of a paper document or in the form of an electronic document and signed by an authorized person. The notification shall contain the following information:
1) name (surname, first name, patronymic), address of the Company, as well as the date and number of the notice of intention to process personal data previously sent by the Company in accordance with Article 22 of the Federal Law «On Personal Data»;
2) legal basis and purpose of transborder transfer of personal data and further processing of transferred personal data;
3) categories and list of personal data to be transferred;
4) categories of personal data subjects whose personal data are transferred;
5) the list of foreign states on whose territory the transborder transfer of personal data is planned to take place;
6) the date of the Company's assessment of compliance by foreign authorities, foreign individuals, foreign legal entities, to whom trans-border transfer of personal data is planned, of personal data confidentiality and personal data security at their processing.
6.2.7.4. Assessment of compliance by foreign authorities, foreign individuals, foreign legal entities, to whom trans-border transfer of personal data is planned, with the confidentiality of personal data and ensuring the security of personal data during their processing is carried out by the Company on the basis of information requested in accordance with part 5 of Article 12 of the Federal Law «On personal data».
Areas of responsibility
7.1. Persons responsible for organization of personal data processing in organizations
7.1.1. The Company shall appoint a person responsible for organizing the processing of personal data.
7.1.2. The person responsible for the organization of personal data processing receives instructions directly from the executive body of the organization being the operator and reports to it.
7.1.3. The Company shall provide the person responsible for organizing the processing of personal data with the necessary information.
7.1.4. The person responsible for organizing the processing of personal data shall, in particular, perform the following functions:
1) exercises internal control over compliance by the Company and the Company's employees with the legislation of the Russian Federation on personal data, including requirements to personal data protection;
2) brings to the attention of the Company's employees the provisions of the Russian Federation legislation on personal data, local acts on personal data processing, and personal data protection requirements;
3) organizes the reception and processing of appeals and requests of personal data subjects or their representatives and (or) exercises control over the reception and processing of such appeals and requests.
7.2. Responsibility
7.2.1. Persons guilty of violating the requirements of the Federal Law «On Personal Data» shall bear the liability provided for by the legislation of the Russian Federation.
7.2.2. Moral damage caused to the subject of personal data due to violation of his/her rights, violation of the rules of personal data processing established by the Federal Law «On Personal Data», as well as requirements to personal data protection established in accordance with the Federal Law «On Personal Data», shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral damage shall be made regardless of compensation for property damage and losses incurred by the subject of personal data.
8. Key results
In achieving the objectives, the following results are expected:
— ensuring the protection of the rights and freedoms of personal data subjects during the processing of their personal data by the Company;
— improving the overall level of information security of the Company;
— minimization of the Company's legal risks.
9. Related policies
There are no related policies in place.