The policy in relation to personal data treatment

THE POLICY IN RELATION TO PERSONAL DATA TREATMENT

General provisions

1.1. The current Policy in relation to personal data treatment (hereinafter - Policy) was developed in accordance with it.2 art.18.1. the Federal law of the Russian Federation “ On  personal data” No. 152 - FL dd. 27.07.2006, as well as other regulations of the Russian Federation in the field of  personal data protection and treatment. It is applicable to all the personal data which LLC “Managing company “Slavyanka”(hereinafter - Company), as well as other legal entities, whose functions of the Executive authority, Company  carries out [1], may receive from the subject of personal data for the purposes,  described in this Policy. 

1.2. The provisions of the current Policy determines all the processes organizational structure in Company, connected with personal data treatment and protection in order to provide the execution of all the requirements of the current Russian Federation legislation, including:

 -  the Constitution of the Russian Federation;

 - the Federal law of the Russian Federation “On personal data” No. 152-FL dd. 27.07.2006 (hereinafter – FL “On personal data”);

 - the Labor Code of the Russian Federation;

- other regulations, determining rules and particularities of personal data protection and treatment. 

1.3. The basic terms, used in Policy:

Personal data – any information relating directly or implicitly to an identified or identifiable natural entity (a personal data subject).  

Biometrical personal data – details which are indicative of physiological and biological features of an individual, base of his personal identification (biometrical personal data) and which an operator uses to identify a personal data subject.

Personal data special categories – details regarding to race, nationality, political views, religious or philosophical beliefs, health status, sexual life of a personal data subject.

Accessible personal data – data with the unlimited access allowed by a personal data subject in accordance with his request, as well as details which are not subject to the requirements of   protection (confidentiality) in compliance with Federal laws;   

  An operator –  a state authority,  a municipal authority, a legal or natural entity, independently or together with other entities organizing and (or) carrying out personal data treatment, as well as defining the purpose of personal data treatment, personal data content to be treated, actions (operations) committed with personal data.   

Personal data treatment – any action (operation) or a complex of actions (operations), committed with the usage of automation means or without usage of such means with personal data including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, usage, transfer (distribution, providing, access), decontamination, blocking, deletion, abolition of personal data.  

Automated personal data treatment - personal data treatment with the help of information technologies.

Personal data providing - actions aimed at revealing personal data to a certain entity or a certain circle of entities.

Personal data blocking - temporary breakdown of personal data treatment (except if the treatment is necessary for personal data concretization).

Personal data abolition – actions resulting in the impossibility to restore the content of personal data in the information system of personal data and (or) resulting in personal data material carriers abolition.   

Personal data decontamination – actions resulting in the impossibility to define the belonging of personal data to a specific subject of personal data without additional information.

Personal data information system – a complex of personal data contained in databases and their treatment providing information technologies and technical means.

Personal data cross-border transfer – a transfer of personal data to the territory of a foreign country, to authorities of a foreign country, to a foreign natural entity or to a foreign legal entity.

1.4. The Current Policy is subject to posting on an accessible resource – slavjanka.ru in an unlimited access.

1.5. The effect of the current Policy extends to actions (operations) or a complex of actions (operations) carried out with the usage of automation means or without the usage of such means with personal data, including collection, recording, systematization, accumulation, storage, concretization (updating, modification), extraction, usage, transfer (distribution, providing, access), decontamination, blocking, deletion, abolition of personal data.

1.6.   Local regulations of the Company may establish the specifics of employees’ personal data treatment.  Local regulations relating to employees’ personal data treatment and protection cannot contradict this Policy.

Personal data treatment purposes.

2.1. The Company carries out personal data treatment in order to:

- ensuring compliance with the current legislation of the Russian Federation, local regulations of the Company;

- conclusion of contracts (agreements) with the subject of personal data and their execution;

- organization and maintenance of personnel records management in the Company;

- attraction and selection of candidates to work for the Company;

- the Company's economic activities;

- research of consumer demands for goods, works, services of the Company and legal entities under the Company management, under the conditions of personal data decontamination;

- for other purposes, the achievement of which is not prohibited by the legislation of the Russian Federation.

Categories of treated personal data and subjects of personal data.

3.1. The Company treats personal data of the following categories of personal data subjects:

3.2. The Company does not treat special categories of personal data and biometrical personal data.

The procedure and conditions of personal data treatment.

4.1. Personal data are treated in compliance with the principals and rules established by the Federal law dd. 27.07.2006 No. 152-FL “On personal data”, as well as the current Policy.

4.2. Personal data are treated in the Company based on the following principles:

- legal purposes and methods of personal data treated;

- compliance of purposes, content, volume and methods of personal data treatment with the purposes determined in advance and stated during personal data collection;

-  reliability of personal data, their sufficiency for the purposes of treatment, inadmissibility of personal data treatment which are excessive in relation to the purposes stated during the collection of personal data;

- inadmissibility of personal data treatment which are incompatible with the purposes of personal data collection;

- inadmissibility of combining databases containing personal data, the treatment of which is carried out for the purposes incompatible with each other;

- providing of personal data storage no longer than required by the purpose of personal data treatment, if the period of personal data storage is not established by the Federal law, the agreement between the Company and the subject of personal data, or the contract upon which the beneficiary or guarantor is the subject of personal data;

- abolition or decontamination of personal data upon achievement of the purposes of their treatment or in case if the achievement of these purposes is not necessary, if otherwise is not provided by the legislation of the Russian Federation, the agreement upon which the beneficiary or guarantor is the subject of personal data.

4.3. The Company treats personal data with automation means usage, as well as without automation means usage.  

4.4. The Company can include subjects’ personal data into accessible sources of personal data if there is a written approval of a subject for his personal data treatment.

4.5. The Company does not carry out a cross-border personal data transfer.

4.6. The Company does not take decisions causing legal consequences in relation to a personal data subject or otherwise violating his rights and legal interests based on the exclusively automated treatment of personal data. 

4.7. The subject’s consent for personal data treatment can be given to the Company by a personal data subject or by his representative in any form to confirm the receipt of consent. In cases stipulated by the current legislation, a subject of personal data in writing gives the consent for personal data treatment to the Company.

4.8. The Company has the right to entrust personal data treatment to another person with the consent of the subject of personal data, if otherwise is not provided by the federal law, upon the agreement concluded with the natural entity  (hereinafter – operator’s order). At the same time, the Company obliges the person who carries out personal data treatment on behalf of the Company to comply with the principles and rules of personal data treatment stipulated by the current legislation and Policy.

4.9. Public authorities’ access (including control, supervisory, law enforcement and other authorities) to personal data, treated by the Company, is carried out in the volume and in accordance with the procedure established by the relevant legislation of the Russian Federation.

4.10. When personal data treatment, the Company takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, abolition, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions in relation to personal data. The measures to ensure the security of personal data include:

-  personal data safety control and the level of personal data information systems protection;

- evaluating of the effectiveness of the measures taken to ensure personal data safety;

- preventing of unauthorized access to personal data; in case of revealing the facts of unauthorized access to personal data - immediate measures to stop such access;

The rights and obligations of a Personal data subject.

5.1.   A Personal data subject has the right to:

- obtain information regarding his personal data treatment in compliance with the procedure, in the form and in the due time determined by the legislation of the Russian Federation;

- require concretization (updating) of his personal data, their blocking or abolition in case of being incomplete, outdate, unreliable, illegal, unnecessary for the stated purpose of treatment or used for  the purposes not stated earlier when a personal data subject has presented his consent to treat his personal data;

- take permitted by law measures to protect his rights;

- withdraw his consent to treat his personal data.

5.2. A personal data subject shall provide complete, exact and reliable details about his personal data.

The rights and obligations of the Company during personal data treatment.

6.1. The Company has the right to:

- entrust personal data treatment to another person upon the consent of personal data subject.

6.2.      In accordance with the requirements of the Federal Law “On personal data", the Company is obliged to:

- provide at his request a personal data subject with information regarding his personal data treatment, or on the legal basis, refuse to provide such information;

  -  refine at the request of a personal data subject treated personal data, block or delete, if personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of the treatment;

 - keep records of personal data subject’s appeals;

  - notify a personal data subject about the treatment of his personal data in case if personal data have not been obtained from personal data subject (exception is cases provided by the current legislation);

  - in case if the purpose of personal data treatment is achieved, immediately terminate personal data treatment and to abolish the relevant personal data, otherwise provided by an agreement upon which the subject of personal data is  a beneficiary or guarantor, or other agreement between the Company and the personal data subject;

- in case of the personal data subject's withdrawal of the consent to the his personal data treatment,  to terminate personal data treatment and to abolish personal data within a period no longer than thirty days from the date of receipt of the mentioned withdrawal,  if otherwise is not provided by an agreement between the Company and the personal data subject. The Company is obliged to notify the personal data subject about personal data abolition.

6.3. The Сompany undertakes and obligates all the persons involved in personal data treatment not to disclose to third parties and not to distribute the personal data obtained without the consent of the   personal data subject, if otherwise is not provided by the Federal law.

Control and responsibility.

7.1.   The control over the execution of the current Policy requirements, rules and requirements, applicable during personal data treatment in the Company, is carried out by the entities appointed in compliance with the order of the Executive authority of the Company.

7.2.   The Company, as well as its officials and employees bear criminal, civil, administrative and disciplinary responsibility in accordance with the current legislation for non-compliance with the order, principles and conditions of personal data treatment, as well as for disclosure or illegal usage of personal data.

 

[1] At the time of this Policy approval, the Company shall act as the sole Executive authority of the following legal entities (LIST – name, Tax Number). All the provisions of the Policy applicable to the Company shall also apply to legal entities under the management of the Company; the reference to the text of the Company Policy shall also mean the reference to legal entities under the Company management.