POLICY
REGARDING THE PROCESSING OF PERSONAL DATA
1. GENERAL TERMS
1.1. The present Policy of Service-Arsenal Ltd. regarding the Processing of Personal Data (hereinafter referred to as the Policy) is developed in fulfilment of the requirements of Item 2 Part 1 Article 18.1 of the Federal law of the Russian Federation dd. July 27, 2006 No. 152-FZ "Concerning Personal Data" (hereinafter referred to as the Law on personal data) in order to ensure protection of human and citizens’ rights and freedoms with regard to the processing of their personal data, including protection of the rights to inviolability of private life, personal and family privacy.
1.2. The Policy covers all personal data processed in Service-Arsenal Ltd (hereinafter referred to as the Operator).
1.3. The Policy applies to the relations in the field of Processing of Personal Data that have arisen both before and after approval of the present Policy.
1.4. In the fulfillment of requirements of Part 2 Article 18.1 of the Law on personal data, the present Policy is freely available in the information and tele-communication network Internet on the Operator’s website.
1.5. Basic concepts used in the Policy:
Personal Data is any sort of information directly or indirectly related to an identified or identifiable individual (subject of personal data);
The Operator of Personal data (the Operator) is a state authority or a municipal authority, legal entity or an individual, independently or in cooperation with others, arranging and (or) carrying out the processing of personal data and determining the aims of processing of personal data, its contents to be processed and actions (operations) performed with the personal data;
Processing of personal data is any action (operation) or set of actions (operations) with personal data that are performed with or without the use of automation. Processing of personal data also includes the following actions:
· Collection
· Recording
· Systematization
· Accumulation
· Storage
· Clarification (updating, changing)
· Extracting
· Use
· Transferring (distribution, provision, giving access)
· Depersonalization
· Blocking
· Deleting
· Elimination;
Automated processing of personal data is a processing of personal data by means of computer technologies;
Distribution of personal data is actions aimed at disclosure of personal data to an indefinite circle of persons;
Provision of personal data is actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
Blocking of personal data is a temporary suspension of the personal data processing (except in cases where the processing is necessary for clarification of personal data);
Elimination of personal data is actions as a result of which it becomes impossible to restore contents of personal data in an information system of personal data and (or) as a result of which tangible media of personal data are eliminated;
Depersonalization of personal data is actions as a result of which it becomes impossible to identify ownership of personal data by a specific subject of personal data without a use of auxiliary information;
Information system of personal data is a set of personal data collected in databases and providing its processing by means of information technology and technical equipment;
Cross-border transfer of personal data is a transfer of personal data to the territory of a foreign state, a foreign individual or a foreign legal entity.
1.6. Basic rights and obligations of the Operator
1.6.1. The Operator has the right to:
· Determine the structure and list of measures necessary and sufficient to ensure compliance with the obligations under the Law on personal data and regulatory legal acts approved according to it, unless it is otherwise prescribed by the Law on personal data or other federal laws;
· Assign the personal data processing to other persons with the consent of the personal data subject, unless it is otherwise prescribed by federal laws based on a contract signed with this subject. A person carrying out the processing of data on the assignment by the Operator is obligated to follow the principles and rules of personal data processing set out in the Law on personal data;
· Continue processing the personal data without the consent of the personal data subject, on the grounds indicated in the Law on personal data, if the personal data subject withdraws consent for personal data processing.
1.6.2. The Operator is obligated to:
· arrange the processing of personal data according to requirements of the Law on personal data;
· give response to requests and inquiries from personal data subjects and their legal representatives according to requirements of the Law on personal data;
· report to the Data Protection Authority (Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor)) the required information at the request of this authority within 30 days after receiving such a request.
1.7. Basic rights of a personal data subject. A personal data subject has the right to:
· Receive information related to processing their personal data except as provided for in federal laws. Information is provided for a personal data subject by the Operator in an accessible form and it should not contain personal data related to other personal data subjects unless there is a legal basis for disclosure of such personal data. The list of information and the procedure for its receipt is established by the Law on personal data;
· Demand that the Operator clarify, block or eliminate their personal data if the personal data is incomplete, out of date, inaccurate, illegally obtained or not essential for the stated purpose of processing, and also take legal measures to protect their rights;
· Put forward a condition of a preliminary agreement when processing the personal data in order to promote goods, works and services on the market;
· Appeal to Roskomnadzor or in a judicial procedure against unlawful actions or inaction of the Operator when processing their personal data.
1.8. Control over the observance of the present Policy is carried out by an authorized person in charge of arranging personal data processing at the Operator.
1.9. The responsibility for violation of the requirements of Russian legislation and normative acts in the field of processing and protection of personal data is determined according to the legislation of the Russian Federation.
2. PURPOSES OF PERSONAL DATA COLLECTION
2.1. The processing of personal data is limited to achieving specific, predetermined and lawful purposes. Personal data processing that is incompatible with the purposes of personal data collection is not permitted.
2.2. Only personal data that is compatible with the purposes of processing shall be processed.
2.3. The purposes of the processing of personal data carried out by the Operator are as follows:
· Ensuring the compliance with the requirements of Constitution of the Russian Federation, federal laws and other normative acts of the Russian Federation;
· Carrying out their activity in accordance with the statute of Service-Arsenal Ltd;
· HR administration;
· Providing assistance to workers in employment, education and career advancement, ensuring personal safety of workers, control over the scope and quantity of work, ensuring the safety of property;
· Recruitment and selection of job applicants at the Operator’s;
· Arranging individual (personalized) registration of workers in the compulsory pension insurance system;
· Filling out required reporting forms and submitting it to the executive bodies or other authorized organizations;
· Implementation of civil and legal relations and interaction with contractors including for promotional and informational purposes;
· Accounting;
· Implementation of an access regime.
2.4. The processing of personal data can be carried out only in order to ensure the compliance with laws and other regulatory legal acts.
3. LEGAL BASIS FOR THE PERSONAL DATA PROCESSING
3.1. The legal basis for the personal data processing is a set of regulatory legal acts in fulfillment of which and in accordance with which the Operator carries out the personal data processing. It includes:
· The Constitution of the Russian Federation;
· The Civil Code of the Russian Federation;
· The Labour Code of the Russian Federation;
· The Tax Code of the Russian Federation;
· Federal law of the Russian Federation dd. February 8, 1998 No. 14-FZ “On Limited Liability Companies”;
· Federal law of the Russian Federation dd. December 6, 2011 No. 402-FZ “On Accounting”;
· Federal law of the Russian Federation dd. December 15, 2001 No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation”;
· Other normative legal acts governing relations associated with the Operator’s activity.
3.2. The legal basis for the personal data processing also includes:
· Statute of Service-Arsenal Ltd;
· Contracts signed between the Operator and personal data subjects;
· Consents of personal data subjects to processing their personal data.
4. AMOUNT AND CATEGORIES OF PERSONAL DATA BEING PROCESSED, CATEGORIES OF PERSONAL DATA SUBJECTS
4.1. The amount and contents of personal data being processed should match the stated purposes of processing provided for in section 2 of the Present Policy. Personal data being processed should not be excessive in relation to the stated purposes of its processing.
4.2. The Operator can process the personal data of categories of personal data subjects as follows.
4.2.1. Job applicants at the Operator’s:
· Full name;
· Gender;
· Citizenship;
· Contact data;
· Information on education, work experience and qualification;
· Other personal data provided by the applicant in CV and covering letters;
4.2.2. Workers and former workers of the Operator:
· Full name;
· Gender;
· Citizenship;
· Date and place of birth;
· A picture (a photo);
· Passport details;
· Registration address;
· Address of actual residence;
· Contact details;
· Taxpayer identification number;
· Individual insurance account number;
· Information on education, qualification, professional training and improvement of qualification;
· Family status, the presence of children, family connections;
· Information on labour activity including incentives, awards and (or) disciplinary penalties;
· Information on marriage registration;
· Information on military registration;
· Information on disability;
· Information on the alimony payment;
· Details of the level of income from the previous place of work;
· Other personal data provided by workers in accordance with the requirements of the labour legislation.
4.2.3. Family members of the Operator’s workers:
· Full name;
· Relationship degree;
· Year of birth;
· Work place, position;
· Contact details;
· Other personal data provided by workers in accordance with the requirements of the labour legislation.
4.2.4. Clients and contractors of the Operator (individuals)
· Full name;
· Date and place of birth;
· Passport details;
· Registration address;
· Contact details (including phone number, e-mail and other data);
· Position held;
· Taxpayer identification number;
· Account number;
· Other personal data provided by the clients and contractors (individuals) required for the conclusion and execution of contracts.
4.2.5. Representatives (workers) of clients and contractors of the Operator (legal entities):
· Full name;
· Passport details;
· Contact details (including phone number, e-mail and other data);
· Position held;
· Other personal data provided by the representatives (workers) of clients and contractors required for the conclusion and execution of contracts.
4.3. The processing of the biometric personal data (information on a person’s physiological and biological features on the basis of which their identity can be determined) is carried out by the Operator according to the legislation of the Russian Federation.
4.4. The Operator does not process personal data of special categories related to race, nationality, political views, attitude to religion or philosophy, state of health or intimate life, unless it is otherwise prescribed by the legislation of the Russian Federation.
5. PROCEDURE AND CONDITIONS OF THE PROCESSING OF PERSONAL DATA
5.1. The processing of personal data is carried out by the Operator in accordance with the legislation of the Russian Federation.
5.2. The processing of personal data is carried out only with the consent of the personal data subject for their personal data processing or without it in cases provided for by the legislation of the Russian Federation.
5.3. The Operator carries out both automated and manual personal data processing.
5.4. The Operator’s workers whose job duties include the personal data processing are allowed to carry out the personal data processing.
5.5. The processing of personal data is carried out by the means of:
· Acquiring personal data in oral or written form directly from the personal data subjects;
· Acquiring personal data from publicly available sources;
· Entering the personal data in journals, registration books and information systems of the Operator;
· Using other methods of personal data processing.
5.6. It is not allowed to disclose personal data to third parties and distribute it without consent of the personal data subject unless it is otherwise prescribed by a federal law. The consent for the personal data processing that is permitted for distribution by the personal data subject is constituted separately from other consents of the personal data subject for the processing of their personal data.
5.7. Personal data transfer to the inquiry bodies and investigation authorities, Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
5.8. The Operator takes legal, organizational and technical measures to protect the personal data from illegal or accidental access, elimination, changing, blocking, distribution and other unauthorized actions including the following measures:
· Determining threats to security of personal data during processing;
· Implementing local normative acts and other documents regulating the relations in the field of protection and processing of personal data;
· Appointing persons in charge of security of personal data in structural departments and information systems of the Operator;
· Creating necessary conditions for working with personal data;
· Organizing accounting of documents containing personal data;
· Organizing work with information systems that are used for personal data processing;
· Storage of personal data in such conditions that provide data security and exclude an unauthorized access to it;
· Organizing the training of the Operator’s workers engaged in the personal data processing.
5.9. The Operator stores the personal data in a form that allows the personal data subject to be identified for no longer than is required by the purpose of personal data processing, unless the storage period is established by a federal law or a contract.
5.10. When collecting the personal data, including through the use of the information and tele-communication network Internet, the Operator provides recording, systematization, storage, clarification (updating, changing), extraction of the personal data of the Russian Federation citizens with the use of databases located in the Russian Federation, except as specified in the Law on personal data.
6. ACTUALIZATION, CORRECTION, DELETION AND ELIMINATION OF PERSONAL DATA, RESPONSES TO REQUESTS FOR ACCESS TO PERSONAL DATA
6.1. Confirmation of the fact that personal data is processed by the Operator, the legal bases and purpose of personal data processing and other information referred to in Part 7 Article 14 of the Law on personal data is provided by the Operator to the personal data subject or their representative when they contact the Operator or when a request is received from the personal data subject or their representative.
The provided information doesn’t include personal data related to other personal data subjects unless there are legal bases for disclosure of such personal data.
The request should contain:
· The number of the main document identifying the personal data subject or their representative, information on the issue date of this document and the body which issued it;
· Information confirming the relationship between the personal data subject and the Operator (Contract number, date of contract, contingent verbal designation and (or) other information) or the information confirming the fact of personal data processed by the Operator;
· Signature of the personal data subject or their representative.
The request can be sent in the form of an electronic document signed by an electronic signature in accordance with the legislation of the Russian Federation.
If the inquiry (request) of the personal data subject doesn’t contain all the necessary information in accordance with the requirements of the Law on personal data, or if the subject does not have the right of access to the requested information, a reasoned refusal will be sent to them.
The personal data subject’s right of access to their personal data can be limited in accordance with Part 8 Article 14 of the Law on personal data, including where the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties.
6.2. If inaccurate personal data is detected when the personal data subject or their representative submits an inquiry, or at their request or the request of Roskomnadzor, the Operator blocks the personal data related to this personal data subject from the date of such inquiry or receipt of such request for the period of the inspection, provided that blocking the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
If the inaccuracy of personal data is confirmed, based on information provided by the personal data subject, their representative, Roskomnadzor or other required documents, the Operator clarifies the personal data within seven work days after receiving such information and lifts the blocking of the personal data.
6.3. If unlawful personal data processing is detected, on the inquiry (request) of the personal data subject, their representative or Roskomnadzor, the Operator blocks the unlawfully processed personal data related to this personal data subject from the date of such inquiry or receipt of such request.
6.4. When the purposes of the personal data processing are achieved, as well as in case of the withdrawal of personal data subject’s consent to its processing, the personal data is to be eliminated if:
· It is otherwise prescribed by the contract, the party of which, the beneficiary or the guarantor of which is the personal data subject;
· The Operator does not have the right to perform the personal data processing without the consent of the personal data subject on bases prescribed by the Law on personal data or other federal laws.
· It is otherwise prescribed by other agreements made between the Operator and the personal data subject.