1. GENERAL PROVISIONS
1.1. The present Policy on personal data processing (hereinafter referred to as “Policy”) is drafted in accordance with paragraph 2 of Article 18.1 of the Federal Law of 27 July 2006 N 152-FZ “ON PERSONAL DATA” and other laws and regulations of the Russian Federation in the field of protection and processing of personal data and applies in respect of all personal data (hereinafter referred to as “Data”) which Individual Entrepreneur Sazhina L.P. (hereinafter referred to as “Operator”) can obtain from a personal data subject being party to a civil law contract, from an Internet user (hereinafter referred to as “User”) in the course of using any of the websites, services, programs, products of the Individual Entrepreneur Sazhina L.P., as well as from the personal data subject having employment relations with the Operator, which are regulated by the employment legislation (hereinafter referred to as “Employee”).
1.2. The Operator provides protection of processed personal data against unauthorized access and disclosure, unlawful use or loss in compliance with the requirements of Federal Law of 27 July 2006 N 152-FZ “ON PERSONAL DATA”.
1.3. The Operator has the right to amend the present Policy. When making amendments, the date of the last updated version shall be indicated in the Policy heading. The new version of the Policy shall come into force when posted on the website, except as otherwise provided herein by the new version of the Policy.
2. TERMS AND ABBREVIATIONS USED
Personal data – any information referring directly or indirectly to a particular or identified individual (hereinafter referred to as “Personal data subject”).
Personal data processing – any action (hereinafter referred to as “Operation”) or a combination of actions (hereinafter referred to as “Operations”) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, presentation, access), anonymizing, blocking and destruction of personal data.
Automated personal data processing – personal data processing by means of computer technology.
Personal data information system (PDIS) – database that contains personal data as well as information technologies and hardware used for data processing.
Personal data made public by the personal data subject – personal data to which public access has been provided by the personal data subject or at his/her request.
Blocking of personal data – temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification).
Destruction of personal data – actions performed on personal data contained in the respective database that make it impossible to restore the personal data and (or) actions aimed at physical destruction of the tangible medium of personal data.
Operator – organization which independently or in cooperation with other entities organizes processing of personal data as well as determines the purposes and scope of personal data processing. The operator is Individual Entrepreneur Sazhina L.P. located at the address: Voronezh, ul. Chapayeva, 1A.
3. PERSONAL DATA PROCESSING
3.1. Personal data obtainment.
3.1.1. All personal data shall be obtained personally from the subject. In case personal data of the subject can be obtained only from a third party, the subject should be notified thereof or should give his/her consent thereto.
3.1.2. The Operator shall inform the subject of the purposes, supposed sources and means of obtaining personal data, the nature of the personal data subject to collection, the list of actions performed with personal data, the validity period of the consent for collection and processing of personal data, the consent withdrawal procedure, as well as of the consequences of the personal data subject's refusal to provide personal data.
3.1.3. Documents containing personal data are produced by means of:
– copying originals of documents (passport, education certificate, INN (Tax Identification Number) certificate, pension insurance certificate etc.);
– entering personal data into account forms;
– obtaining originals of the required documents (employment record book, medical opinion, character reference, etc.).
3.2. Personal data processing.
3.2.1. Personal data shall be processed in the cases below:
– personal data shall be processed with consent of the subject to the processing of his/her personal data;
– personal data processing is required for exercise and fulfillment of functions, powers and obligations imposed by the Russian Federation law;
– personal data processing shall be undertaken, when the access to such data is provided by the personal data subject or at his/her request to an unlimited scope of persons (hereinafter – personal data made public by the personal data subject).
3.2.2. Goals of personal data processing:
– implementation of employment relations;
– implementation of civil legal relations;
– communication with the User in respect of completing the feedback form on the website, including without limitation sending of notifications, requests and information in respect to the website usage, processing, approval and delivery of orders, execution of agreements and contracts;
– anonymizing personal data for obtaining anonymized statistical data, which shall be passed to third parties for conducting research, performing work or providing services under instructions of the shop.
3.2.3. Categories of personal data subjects.
Processing of personal data is carried out in regard to following categories of subjects:
– individuals having employment relations;
– resigned individuals;
– individuals being candidates for vacant positions;
– individuals having civil law relations;
– individuals - Users of the website.
3.2.4. Personal data processed by the Operator:
– data obtained in the course of employment relations;
– data obtained in the course of selecting candidates for vacancies;
– data obtained in the course of civil law relations;
– data obtained from Users of the website.
3.2.5. Processing of personal data is carried out:
– with the use of computers;
– without the use of computers.
3.3. Personal data storage.
3.3.1. Personal data of subjects may be obtained, may undergo further processing and be transferred to storage both in paper form and in electronic form.
3.3.2. Personal data of subjects in paper form shall be retained in locked cabinets or locked premises with a restricted access.
3.3.3. Personal data of subjects processed with computers with different purposes shall be stored in different files.
3.3.4. No storage or location of documents containing personal data is allowed in open electronic catalogues (file hosting services) in PDIS.
3.3.5. The storage of personal data in a form that allows identification of a personal data subject shall last as long as is required for the purposes of processing thereof, and these data shall be destroyed upon the achievement of the processing goal or when there is no longer any need to achieve it.
3.4. Personal data destruction.
3.4.1. Documents (media) containing personal data shall be destroyed through burning, breakage (shredding), chemical decomposition, transformation into a formless mass or powder. The use of a shredder shall be allowed for destroying paper documents.
3.4.2. Personal data on electronic media shall be destroyed through deletion or formatting of a medium.
3.4.3. A statement shall be drawn up upon the destruction of electronic media containing personal data.
3.5. Personal data transfer.
3.5.1. The Operator shall transfer personal data to third parties in the cases below:
– the subject has provided his/her consent thereto;
– transfer is envisaged by the Russian law or another applicable law within the procedure set by the law.
3.5.2. List of third parties to whom the personal data is transferred:
– Pension Fund of the Russian Federation for accounting (on a lawful basis);
– Tax authorities of the Russian Federation (on a lawful basis);
– Social Security Fund of the Russian Federation (on a lawful basis);
– Territorial Compulsory Medical Insurance Fund (on a lawful basis);
– Insurance medical organizations on compulsory and voluntary health insurance (on a lawful basis);
– Banks for salary accrual (under an agreement);
– Internal affairs bodies of Russia in the cases envisaged by the law;
– anonymized personal data of the Internet shop website Users is transferred to counterparties.
4. PERSONAL DATA PROTECTION
4.1. Pursuant to regulatory requirements the Operator created a personal data protection system (PDPS) consisting of subsystems of the legal, organizational, and technical protection.
4.2. The subsystem of legal protection is a set of legal, organizational/management and regulatory documents providing the creation, functioning, and improvement of the PDPS.
4.3. The subsystem of organizational protection includes the organization of the management structure of the PDPS, authorization system, information protection at work with employees, partners and outsiders.
4.4. The subsystem of technical protection includes a set of technical, software, and software-hardware means providing the protection of personal data.
4.5. The main personal data protection measures used by the Operator shall include:
4.5.1. Appointment of a person responsible for organization of personal data processing, who arranges personal data processing, training and instructing, and internal control of the compliance by the institution and its employees with requirements for personal data protection.
4.5.2. Development of means and measures for ensuring personal data protection. Identification of immediate threats to the personal data security at processing thereof within the PDPS and on provision of personal data security.
4.5.3. Development of policy on personal data processing.
4.5.4. Making access rules for personal data processed in the PDPS, as well as ensuring logging and recording of activities with personal data in the personal data information system.
4.5.5. Setting individual access passwords for access of employees to the information system in accordance with their job duties.
4.5.6. Application of information protection means which underwent the procedure of conformity assessment as applicable.
4.5.7. Certified antivirus protection means with regularly updated bases.
4.5.8. Observance of terms ensuring safety of personal data and excluding unauthorized access thereto.
4.5.9. Identification of facts of unauthorized access to personal data and taking required measures.
4.5.10. Recovery of personal data modified or destroyed as a consequence of unauthorized access thereto.
4.5.11. Providing training to the employees of the Operator directly involved in personal data processing, on legislative provisions of the Russian Federation on personal data, including requirements to personal data protection, documents determining the policy of the Operator regarding personal data processing, local acts on personal data processing issues.
4.5.12. Conduct of internal control and auditing.
5. KEY RIGHTS OF THE PERSONAL DATA SUBJECT AND OBLIGATIONS OF THE OPERATOR
5.1. Key rights of the personal data subject.
The subject shall be entitled to have access to his/her personal data and the information below:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds for and purposes of the personal data processing;
– goals and personal data processing methods applied by the Operator;
– name and address of the Operator, information of persons (except for the employees of the Operator) having access to the personal data or whom the personal data may be disclosed to under an agreement with the Operator or pursuant to the Federal Law;
– time frames for personal data processing, including the period of storage thereof;
– procedure for exercising the rights by personal data subject, which are envisaged by the Federal Law;
– name or full name and address of a person processing personal data on instructions of the Operator, if the processing was or will be instructed to such person;
– addressing the Operator and filing requests to the Operator;
– appeal of actions or inactions of the Operator.
5.2. Obligations of the Operator.
The Operator shall be obliged:
– when collecting personal data, the Operator shall be obliged to provide the information related to personal data processing;
– in cases if personal data have been obtained other than from the personal data subject, the Operator shall be obliged to notify the subject;
– if a personal data subject refuses to provide his/her personal data, the Operator shall be obliged to explain to the subject the legal consequences of such refusal;
– the Operator shall be obliged to publish or otherwise provide unlimited access to the document setting out its policies in relation to the processing of personal data and to information concerning requirements to be fulfilled with respect to the protection of personal data;
– the Operator shall be obliged to take or arrange for taking of all necessary legal, organizational and technical measures to protect personal data against unlawful or accidental access to them and destruction, alteration, blocking, copying, provision or dissemination of personal data and against other unlawful actions in relation to personal data;
– the Operator shall be obliged to reply to requests and addresses of personal data subjects, their representatives and the authorized body for the protection of rights of personal data subjects.