LLC “Profil Sistems”
- General provisions
1.1. This personal data processing policy (hereinafter referred to as the Policy) is drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law No. 152-FZ “On Personal Data” of July 27th, 2006, and other regulatory acts of the Russian Federation with regard to the protection and processing of all personal data. The Policy applies to all personal data (hereinafter referred to as the Data) which the Organization (hereinafter referred to as the Operator) can obtain from the personal data subject as a party to a civil-law contract, as well as from the personal data subject employed by it (hereinafter referred to as the Employee).
1.2. The Operator protects the personal data it processes from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law No. 152-FZ “On Personal Data” of July 27th, 2006.
1.3. The Operator has the right to amend the present Policy. When amendments are made, the date of the last updated revision shall be indicated in the title of the Policy. A new version of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by that version.
- Terms and abbreviations
Personal data (PD) – any information referring directly or indirectly to a particular or identified individual (hereinafter referred to as “personal data subject”);
Personal data processing – any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, systematization, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymizing, blocking, deletion and destruction of the personal data.
Automatic processing of personal data – processing of personal data by means of computer technologies.
Personal data information system (PDIS) – a combination of personal data contained in personal databases and the information technologies, software and hardware that enable their processing.
Personal data made public by a personal data subject – personal data to which unlimited access has been granted either by the personal data subject or at his request.
Blocking of personal data – a temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification);
Destruction of personal data – actions performed on personal data contained in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of personal data.
The Operator is the company that solely or jointly with other legal entities performs processing of personal data and determines the purposes of personal data processing and the actions (operations) performed with regard to personal data.
The Operator is LLC “Profil Sistems”, located at the address: 214000, Smolensk, Krasina street, 2a.
- Personal data processing
3.1. Obtaining personal data.
3.1.1. All personal data shall be obtained directly from the personal data subject. If personal data of the subject can be obtained from a third party only, the personal data subject shall either be notified or give personal consent.
3.1.2. The Operator shall inform the personal data subject about the purposes, possible sources and methods of obtaining PD, the types of personal data to be obtained, the list of actions with PD, the period of validity of consent and the procedure for its withdrawal, as well as about the consequences of refusal to give written consent to PD being obtained.
3.1.3. Documents containing personal data are drawn up in the following ways:
– by copying original documents (passport, document on education, INN certificate, certificate of insurance, etc.);
– by entering relevant information in a register;
– by obtaining originals of necessary documents (work record book, medical report, character reference, etc.).
3.2. PD processing.
3.2.1. Personal data processing is carried out:
– with the consent of the data subject to the processing of his personal data;
– for exercise and fulfillment of functions, powers and obligations imposed by the Russian Federation law;
– when public access to the personal data being processed has been granted by or at the request of the personal data subject (hereinafter referred to as “personal data made public by the personal data subject”).
3.2.2. Purposes of personal data processing:
– employment relations;
– civil-law relations.
3.2.3. Categories of personal data subjects. Personal data of the following PD subjects shall be processed:
– physical persons employed by the Society;
– physical persons who have resigned from the Society;
– physical persons applying for a job;
– physical persons who have concluded civil-law contracts with the Society.
3.2.4. Personal data processed by the Operator:
– data obtained from the employees;
– data obtained for the selection of candidates for vacant positions;
– data obtained from persons who have concluded civil-law contracts.
3.2.5. Personal data processing is carried out:
– by various automation means;
– without automation means.
3.3. Personal data storage.
3.3.1. Personal data of subjects may be obtained, processed and stored either as hard copies or as digital documents.
3.3.2. Personal data on hard copies should be stored in lockers or in lockable premises with a limited access.
3.3.3. Personal data of subjects automatically processed for different purposes shall be stored in different files.
3.3.4. It is not allowed to store or place documents containing personal data in public electronic catalogues (share sites) of the personal data information system (PDIS).
3.3.5. Personal data shall be stored in a form that allows verification of the identity of personal data subjects only to the extent necessary for processing purposes. Personal data shall be destroyed upon achieving the set goals as well as when such goals cease to be relevant.
3.4. Personal data destruction.
3.4.1. Documents containing personal data shall be destroyed by burning, crushing, chemical decomposition, or smashing into a formless mass or powder. A shredding machine may also be used for the destruction of paper documents.
3.4.2. Personal data on electronic media shall be destroyed by erasing or formatting.
3.4.3. The fact of personal data destruction shall be confirmed by an appropriate report.
3.5. Personal data transfer.
3.5.1. The Operator can transfer personal data to third parties in the following cases:
– if the personal data subject gave consent for these actions;
– if the personal data transfer is envisaged by Russian or any other applicable legislation within the procedure established by law.
3.5.2. List of individuals to whom personal data can be transferred.
Third parties to which personal data can be transferred:
– Pension Fund of RF for legal registration (on legal grounds);
– Fiscal bodies of RF (on legal grounds);
– Social Insurance Fund (on legal grounds);
– Territorial compulsory medical insurance fund (on legal grounds);
– Medical insurance organization of compulsory and voluntary medical insurance (on legal grounds);
– Banks for payroll accounting (on basis of agreement);
– Authorities of the Ministry of Internal Affairs of RF in cases stipulated by law.
- Personal data protection
4.1. In accordance with the requirements of regulatory documents, the Operator has constructed a Personal data protection system (PDPS), consisting of legal, structural and technical protection subsystems.
4.2. The legal protection subsystem is a complex of legal, organizational-administrative and regulatory documents providing for the formation, functioning and improvement of the PDPS.
4.3. Organizational protection subsystem includes a structure of PDPS management, an authorization system, protection of information in work with employees, partners and third parties.
4.4. Technical protection subsystem comprises technical means, software and hardware providing personal data protection.
4.5. Basic protection measures of the PD, used by the Operator:
4.5.1. Appointment of the person responsible for personal data processing. This person organizes data processing, conducts training and guidance, and ensures internal control over the employees' observance of the PD protection measures.
4.5.2. Identification of imminent threats to personal data during their processing in the Personal data information system (PDIS), and development of measures for personal data protection.
4.5.3. Development of the personal data processing policy.
4.5.4. Establishment of rules of access to personal data processed in the Personal data information system (PDIS), and registration and recording of all actions performed with personal data in the PDIS.
4.5.5. Providing all employees with an individual password for access to the information system in accordance with their job duties.
4.5.6. Application of certified information protection systems.
4.5.7. Certified anti-virus software with regularly updated bases.
4.5.8. Observance of conditions ensuring the safety of personal data and excluding unauthorized access.
4.5.9. Detection of unauthorized access to personal data and taking appropriate measures.
4.5.10. Restoring personal data modified or deleted due to unauthorized access.
4.5.11. Ensuring that employees of the operator who are directly involved in the processing of personal data are made aware of the provisions of the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data, documents setting out the operator’s policies in relation to the processing of personal data and by-laws on the processing of personal data, and (or) providing training to those employees.
4.5.12. The conduct of internal control and (or) audit.
- Basic rights of personal data subject and responsibilities of the Operator
5.1. Basic rights of the personal data subject.
The subject has the right to access personal data and the following information:
– confirmation of the fact of personal data processing by the Operator;
– legal reasons and purposes of personal data processing;
– purposes and methods of personal data processing by the Operator;
– the name and location of the Operator, information about persons (except Operator’s employees) either having access to personal data or having this access on the basis of agreement with the Operator or the Federal Law;
– period of personal data processing, including period of storage;
– procedure for exercising the rights of the personal data subject stipulated by the present Federal law;
– the name/surname, name, patronymic and address of the person processing personal data on behalf of the Operator;
– communication with/request to the Operator;
– lodging complaints against actions taken or omitted by the Operator.
5.2. Obligations of the Operator.
The Operator shall be obliged:
– to provide information about personal data processing in case of collecting personal data;
– to notify the personal data subject if personal data were obtained from a third party;
– to explain to the personal data subject the legal consequences of refusing to provide his personal data;
– to publish or provide public access to the document determining the policy with regard to processing personal data as well as to information about measures of personal data protection;
– to undertake necessary legal, organizational and technical measures or guarantee these measures of personal data protection against unauthorized or accidental access, destruction, changing, blocking, copying, provision, distribution and other unlawful actions;
– to provide answer to queries and requests of personal data subjects, their representatives and authorized bodies protecting rights of personal data subjects.